state: Use last height changed if validator set is empty

[melekes]

What happened:

New code v0.31.4 was supposed to fall back to last height changed when/if it
fails to find validators at checkpoint height (to make release
non-breaking).

But because we did not check if validator set is empty (only checking if we have
an info is not enough, we save info for every block), the fall back
logic was never executed => resulting in LoadValidators returning an
empty validator set for cases where lastStoredHeight is checkpoint
height (i.e. almost all heights if the application does not change
validator set often).

How it was found:

one of our users - @sunboshan reported a bug here
#3537 (comment)

• Updated all relevant documentation in docs
• Updated all code comments where relevant
• Wrote tests
• Updated CHANGELOG_PENDING.md

[liamsi]

we are seeing #2723 again; restarting the build to be certain all other tests pass
full output: build_54473_step_105_container_3.txt.zip

[liamsi]

This code would never be reached, right? Because panic("empty validator set") would happen before? I like that these two lines make this more explicit! (keep them, I'm just asking).

[melekes]

If you remove || valInfo2.ValidatorSet == nil check, it will reach this code and fail.

With || valInfo2.ValidatorSet == nil, the code does not panic and returns non-empty validator set.

[liamsi]

OK, just tried it locally: I did not add the || valInfo2.ValidatorSet == nil check but added the changes in the test. The function will panic before the loadedVals.Size() == 0-check can be reached because LoadValidators calls IncrementProposerPriority anyways. Which will panic with empty validator set:

tendermint/types/validator_set.go

Lines 82 to 85 in a453628

	func (vals *ValidatorSet) IncrementProposerPriority(times int) {
	if vals.IsNilOrEmpty() {
	panic("empty validator set")
	}

[melekes]

You're right!

[melekes]

I think it's still fine to leave the check just in case.

[liamsi]

Thanks @melekes! LGTM 👍 I did not verify querying the rpc returns a non-empty validator set. Looking at the changes and the modifications in the test, my understanding is that it indeed fixes #3537 (comment)

[liamsi]

Now failing:

=== RUN   TestSIGHUP
MustReadFile failed: open /tmp/sighup_test259331718: no such file or directory
FAIL	github.com/tendermint/tendermint/libs/autofile	0.052s
Exited with code 1

[codecov-io]

Codecov Report

Merging #3560 into develop will increase coverage by 0.02%.
The diff coverage is 50%.

@@            Coverage Diff             @@
##           develop   #3560      +/-   ##
==========================================
+ Coverage    64.17%   64.2%   +0.02%     
==========================================
  Files          213     213              
  Lines        17373   17356      -17     
==========================================
- Hits         11149   11143       -6     
+ Misses        5301    5291      -10     
+ Partials       923     922       -1

Impacted Files	Coverage Δ
state/store.go	71.23% <50%> (+2.05%)	⬆️
libs/clist/clist.go	66.66% <0%> (-1.52%)	⬇️
consensus/reactor.go	72.13% <0%> (-0.83%)	⬇️
libs/db/remotedb/grpcdb/server.go	0% <0%> (ø)	⬆️
consensus/state.go	80% <0%> (+0.58%)	⬆️
p2p/pex/pex_reactor.go	79.44% <0%> (+0.61%)	⬆️
rpc/client/httpclient.go	66.51% <0%> (+0.89%)	⬆️
consensus/replay.go	70.47% <0%> (+2.05%)	⬆️

[liamsi]

Thanks for adding a changelog entry 👍