consensus: Wait for proposal or timeout before prevote

[milosevic]

• Fix Receiving 2f+1 Prevotes before Proposal might affect termination #1745.
• Improve tests.

[codecov-io]

Codecov Report

Merging #2540 into develop will decrease coverage by 0.14%.
The diff coverage is 89.65%.

@@             Coverage Diff             @@
##           develop    #2540      +/-   ##
===========================================
- Coverage    61.38%   61.24%   -0.15%     
===========================================
  Files          203      203              
  Lines        16776    16816      +40     
===========================================
+ Hits         10298    10299       +1     
- Misses        5609     5642      +33     
- Partials       869      875       +6

Impacted Files	Coverage Δ
state/metrics.go	25% <ø> (ø)	⬆️
p2p/metrics.go	17.94% <ø> (ø)	⬆️
node/node.go	66.05% <0%> (ø)	⬆️
config/config.go	69.28% <100%> (ø)	⬆️
state/execution.go	75.45% <100%> (ø)	⬆️
consensus/state.go	75.64% <92%> (-1.35%)	⬇️
consensus/reactor.go	71.48% <0%> (-1.04%)	⬇️
libs/db/util.go	71.42% <0%> (+0.69%)	⬆️
libs/db/remotedb/remotedb.go	41.52% <0%> (+4.68%)	⬆️

[xla]

Just some formatting nits.

[xla]

This breaking is a bit clunky, it would be better to use this pattern:

	ensureNoNewEvent(
		ch,
		ensureTimeout,
		"We should be stuck waiting, not receiving new event on the channel",
	)

[xla]

The space between the ] and ( will not render the link correctly.

[xla]

Same as above.

[xla]

Same as above.

[xla]

Same as above.

[xla]

Should be broken up by param per line with trailing comma and newline behind the last one.

[xla]

Same as above.

[ebuchman]

Initial review - let's chat about it

[ebuchman]

Oh, what about the comment claiming this must be in seconds?

[milosevic]

I guess it was because of this line

tendermint/consensus/mempool_test.go

Line 41 in 69ecda1

config.Consensus.CreateEmptyBlocksInterval = ensureTimeout

as it used to be

tendermint/consensus/mempool_test.go

Line 41 in 0c9c329

config.Consensus.CreateEmptyBlocksInterval = int(ensureTimeout.Seconds())

. Probably comment can be removed.

[ebuchman]

Weird that we can get here without having done enterPrecommit already

[milosevic]

It's possible as you might receive 2/3+ Precommit any so you trigger timeout. In the meantime you don't receive Polka and timeoutPrevote hasn't expired, so you precommit nil before going to the next round.

[ebuchman]

Let's open an issue for it? This isn't a bug, afawk, right? Just an optimization that would complicate the spec/proofs?

[milosevic]

There is already an issue open: #2529. It's a bug; we need to propose validBlock, not lockedBlock. I will remove TODO as there is issue open.

[ebuchman]

Why this change?

[ebuchman]

Need to confirm these always match - a test was failing.

[ebuchman]

Isn't this comment still true?

[milosevic]

We could maybe move comment before enterNewRound, L1656.

[ebuchman]

Why remove?

[milosevic]

It's too early to Precommit at this point, as it would mean Precommiting nil. We wait either prevote based condition to be true or timeoutPrecommit to expire.

[ebuchman]

Right. I think we need to update the enter condition on enterPrecommit then which currently says:

// Enter: any +2/3 precommits for next round.

[melekes]

Great work 🍑

[melekes]

Shouldn't this be expected header's hash %X, got %X?

[melekes]

no need for break

[melekes]

comment needs to be updated to reflect it's no longer about "step". maybe %v/%v (timeoutPrecommit: %v)

[ebuchman]

Looks good, thanks @milosevic . And thanks for the great update to the tests!

[ebuchman]

Maybe we should keep the Step in this output, for completeness/debugging.

[ebuchman]

So the reason we don't enterPrevote or enterPrecommit here anymore is because we have to see the entire propose step through before prevoting, right?

Either we will:

• receive the whole proposal, and then prevote block
• receive +2/3-prevotes for nil, and then prevote nil
• timeout propose, and then prevote nil

Whereas before, we just prevoted right away on seeing +2/3-prevote-any

[milosevic]

In the spec, the second condition (receiving +2/3-prevotes for nil) is conditioned by step=prevote (which means a process always wait for the other two conditions to be true) and we precommit nil at that point. It is probably fine also to prevote nil upon receiving +2/3-prevotes for nil even if step != prevote, but we need to check the proofs for this.

[ebuchman]

And the reason we add cstypes.RoundStepPrevote <= cs.Step and drop the enterPrevote from here is because

• if cs.Step < RoundStepPrevote, we still have to wait out the full propose step, so +2/3-prevote-any can't trigger anything. Even if we receive +2/3-prevote-block, we still have to wait until addProposalBlock gets the last part and calls enterPrevote, or we finally timeoutPropose
• if cs.Step >= RoundStepPrevote`, we've already prevoted

So now addVote will only call enterPrevote if it just received the last vote in a POL it was waiting for to complete a proposal

[ebuchman]

Right. I think we need to update the enter condition on enterPrecommit then which currently says:

// Enter: any +2/3 precommits for next round.

[ebuchman]

maybe these should just be ensurePrevote and ensurePrecommit and we can drop the last arg

[ebuchman]

A few more notes based on discussion from the issue #1745

[ebuchman]

@jaekwon was suggesting we call enterPropose here instead of enterPrevote. But since we already guarantee the round matches and the cs.Step >= PrevoteStep, we shouldn't need to.

[ebuchman]

Jae was suggesting we also call enterPropose and enterPrevoteWait here, instead of the enterPrecommit. Note enterNewRound calls enterPropose, so it shouldn't be needed. And we want to wait the whole proposal step before doing any prevoting, so I don't think we need the enterPrevoteWait here either (it will happen latter if it needs to).

But then calling enterPrecommitWait right away means we now only have TimeoutPrecommit to receive the proposal block. Is that right?

In this case, we could be in any step, and may even be jumping to a later round, but then we only give ourselves TimeoutPrecommit to receive the proposal block for that round.

[milosevic]

But then calling enterPrecommitWait right away means we now only have TimeoutPrecommit to receive the proposal block. Is that right?
In this case, we could be in any step, and may even be jumping to a later round, but then we only give ourselves TimeoutPrecommit to receive the proposal block for that round.

That's why in Lemma 5 we need to assume that timeoutPropose(r) > 2Delta + timeoutPrecommit(r-1), i.e., timeoutPropose need to be big enough so we will wait for a process that jump to a higher round to receive Proposal. So we don't wait timeoutPrecommit to receive the proposal block. We wait timeoutPrecommit to set validBlock in the current round. And we wait timeoutPropose to receive the proposal, but there is dependency on the duration of timeoutPropose on timeoutPrecommit. Does this answer your question?

Addressed

[zsystm]

@milosevic @ebuchman
Hey guys. Late to follow up this code, but I have a question for line 1668.
Thanks in advance.

Why should we enter precommit wait? we already checked majority for nil so we don't have to wait because consensus already achieved for nil.
I think 1668 should be enterNewRound because it don't need to wait more precommit votes.

[BrendanChou]

cometbft/cometbft#1431