abci++: Vote extension cleanup

[thanethomson]

Follows from #8141. Relates to #8272, but does not close it.

I realized that we're signing prevotes' vote extensions too, which is incorrect (we should only be signing and verifying/validating precommits' vote extensions).

After trying to work with #8375 and discussion with @tychoish, we realized that we should rather expose different validation methods than introduce a boolean flag into the ValidateBasic method for Vote.

I'll be submitting several separate PRs that build on this one and each other (eventually including some commits from #8375) in order to implement RFC 017 (#8317).

[creachadair]

A couple nits and a couple questions, but this seems on the right track to me.

[creachadair]

As a general rule, please don't inject nil checks for these. The pointer is the actionable type for a protobuf message, so if the caller passes nil here it's not a recoverable error and should probably be allowed to panic.

(A program that calls this function with a nil Vote message is already statically incorrect. If there needs to e a check, it should be on the caller's side. But the way we use it, that isn't necessary).

[thanethomson]

I just kept the existing code as-is as far as possible, but I agree - I'll change this.

[creachadair]

Some of this is pre-existing, but I'd like to put in a plug for getting rid of this loop (instead test each vote separately). I'd also suggest separating these test cases into batches: "ok", "basic validation errors", "prevote errors", and "precommit errors" that do not require flags in the test case.

The fiddly logic to check "is this the specially designated good case" and the various legerdemain with computing Booleans makes it really hard to decipher what is going on when a test fails. The check per vote is short, it's ok to copy paste. It'll all be on the same screenful. 🙂

It would make a little more code, but IMO tests are a good place to strongly favor legibility and obviousness over compactness IMO.

Schematically:

type testCase struct {
  name         string
  malleateVote func(*Vote)
}

okTests := []testCase{
  // …
}
for _, test := range okTests {
   t.Run(test.name, func(t *testing.T) {
      require.NoError(t, examplePrevote(t).ValidateBasic(), "valid prevote")
      require.NoError(t, examplePrecommit(t).ValidateBasic(), "valid precommit")
   })
}
basicErrTests := []testCase{
  // …
}
for _, test := range basicErrTests {
   t.Run(test.name, func(t *testing.T) {
      require.Error(t, examplePrevote(t).ValidateBasic(), "invalid prevote")
      require.Error(t, examplePrecommit(t).ValidateBasic(), "invalid precommit")      
   })
}

// etc.

[thanethomson]

Sounds good 👍

[creachadair]

This name tickles me. 😀

[creachadair]

Is there some reason these are assert instead of require?

[thanethomson]

It seems as though different authors had different conventions throughout the history of the codebase. Do you have a preference for one of them?

[creachadair]

The answer is complicated.

With t.Error (analogous to assert) and t.Fatal (analogous to require), I prefer Error where practical so that the test can keep providing useful feedback while it's running anyway. When I write tests with the standard handlers I usually only Fatal for cases where it doesn't make sense to continue.

But with testify, I default to "require" (the fatal form) because it obviates the need to check the result and explicitly continue (which defeats the point of the assertion). Since the standard case already has the condition it's not a big addition.

If it were up to me we wouldn't use either, but on the above rationale I usually default "require". YMMV.

[creachadair]

I find the names of these two slightly misleading: "VoteFromProto" suggests I'm getting the entire vote, implying all its parts (including the extension). Reading "VoteWithExtensionFromProto" feels like "this one HAS the extension, the other doesn't".

But both return the extension—it's just this one doesn't verify it while the other does.

If this were Java, we'd just say ExtractAndVerifyVoteWithoutExtensionFromProto and ExtractAndVerifyVoteWithExtensionFromProto. But here, I wonder if maybe we should consider separating "extract" and "verify", i.e., just let the caller call ValidateBasic or ValidateWithExtension as they prefer. I don't think we're adding much value by hiding that call, when they already have to know which they want.

[thanethomson]

Yes, it does make sense to rather separate the logic for extracting and validating votes. I think it's usually better to have each function just do one thing. I'll separate them 👍

[thanethomson]

I think I've addressed all of the outstanding comments here. Let me know if there's anything else that anyone feels needs to be improved here.

[creachadair]

Looks good to me! I don't know the answer to your TODO, though.

[thanethomson]

I don't know the answer to your TODO, though.

No problem! The idea was to address it in a follow-up PR. The approach implemented in this PR doesn't change the existing behavior.

[sergio-mena]

Thanks for this patch. It improves upon my eleventh-hour introduction of a boolean before my vacation break.
However, I still don't clearly see how we can guarantee we check the extensions at all callsites where it is needed.

[sergio-mena]

Is it also the case with prevotes?
I mean... may they also come in a VoteMessage

[thanethomson]

I'll update the comment. The ValidateWithExtension method ensures (through its internal call to ValidateBasic) that prevotes don't have extensions, but precommits do.

[sergio-mena]

I think we should, as long as they are precommits
The only case we don't want precommits to have extensions is when embedded into an evidence, which is what complicates this problem.
Would it make sense to also requires extensions in evidences (as long as they refer to precommits) ?
If yes, then all this logic would be greatly simplified

[thanethomson]

It doesn't look like VoteSet is used in relation to evidence. I've now updated the code to use ValidateWithExtension instead and it seems to work, but we'll see when we enforce the vote extension requirement in a subsequent PR.

[sergio-mena]

Thanks. I still don't 100% the validation of votes w.r.t vote extensions, but I understand from your answers this will only be possible after the whole #8375 is completed

[williambanfield]

It seems like this could be just a separate function, is there a strong reason to inject this? I think it's a bit more clear if this is separately called directly after the sign vote method.

[thanethomson]

Sure, I've separated it out now. I originally did it like this because it seemed slightly neater to have this functionality handled on a single line, but I see your point.