Skip to content

Check the execution receipt received from network properly #236

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
liuchengxu merged 13 commits into from
Feb 9, 2022
Merged

Check the execution receipt received from network properly #236

liuchengxu merged 13 commits into from
Feb 9, 2022

Conversation

@liuchengxu
Copy link
Contributor

@liuchengxu liuchengxu commented Jan 29, 2022
edited
Loading

This PR is mainly for making the locally produced execution receipt persistent for a while so that the executor can compare it with the external ER and propose a fraud proof in case of any invalid state transition in the external ER.

The first 3 commits are basically about some refactorings, and then the core of this PR follows. Making it a draft due to these TODOs, but the other commits are ready to be reviewed.

TODOs:

i1i1
i1i1 reviewed Jan 29, 2022
View reviewed changes
nazar-pc
nazar-pc reviewed Jan 29, 2022
View reviewed changes
Copy link
Member

@nazar-pc nazar-pc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall, I think we need something like orphan ERs in this case to handle it gracefully, but it is definitely tricky to do in a way that is DoS resistant

cumulus/client/cirrus-executor/src/lib.rs
rx.recv()??
};

// TODO: What happens for this obvious error?
Copy link
Member

@nazar-pc nazar-pc Jan 29, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as in any other case, you compare trace item one by one and generate fraud proof for item that is wrong or missing

Copy link
Contributor Author

@liuchengxu liuchengxu Jan 30, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a possible case that an external ER that contains all the valid roots and some extra ones? In that case comparing on the iterator won't detect it, but I believe the block will still fail in the verification somewhere else.

Copy link
Member

@nazar-pc nazar-pc Jan 30, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Everything is possible, adversary can create whatever ER they want 🙂

liuchengxu added a commit that referenced this pull request Jan 30, 2022
@liuchengxu
Use Merkle Tree instead of Merkle Patricia Tree for execution trace
efd84d7 
Fixes #236 (comment)
liuchengxu added a commit that referenced this pull request Jan 30, 2022
@liuchengxu
Use Merkle Tree instead of Merkle Patricia Tree for execution trace
e0631d3 
Fixes #236 (comment)
nazar-pc
nazar-pc reviewed Jan 31, 2022
View reviewed changes
@liuchengxu liuchengxu force-pushed the check-external-ER branch 2 times, most recently from 67f06be to 65320d4 Compare January 31, 2022 10:05
liuchengxu added a commit that referenced this pull request Feb 2, 2022
@liuchengxu
Use Merkle Tree instead of Merkle Patricia Tree for execution trace
2800f46 
Fixes #236 (comment)
@liuchengxu liuchengxu marked this pull request as ready for review February 2, 2022 06:06
liuchengxu added a commit that referenced this pull request Feb 2, 2022
@liuchengxu
Use Merkle Tree instead of Merkle Patricia Tree for execution trace
511f5ce 
Fixes #236 (comment)
@liuchengxu liuchengxu force-pushed the check-external-ER branch 2 times, most recently from 7e0b1d9 to 7381b67 Compare February 2, 2022 18:47
liuchengxu added a commit that referenced this pull request Feb 4, 2022
@liuchengxu
Use Merkle Tree instead of Merkle Patricia Tree for execution trace
d4fc857 
Fixes #236 (comment)
liuchengxu added a commit that referenced this pull request Feb 8, 2022
@liuchengxu
Use Merkle Tree instead of Merkle Patricia Tree for execution trace
c1f9e49 
Fixes #236 (comment)
@liuchengxu
Copy link
Contributor Author

liuchengxu commented Feb 8, 2022

@nazar-pc This PR is ready for another review, the last 4 commits are new since your last review.

nazar-pc
nazar-pc reviewed Feb 9, 2022
View reviewed changes
Copy link
Member

@nazar-pc nazar-pc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some comments, but nothing critical

cumulus/client/cirrus-executor/src/aux_schema.rs Outdated
Comment on lines 62 to 63
let mut to_delete_block_number = first_saved_receipt;
while to_delete_block_number < new_first_saved_receipt {
Copy link
Member

@nazar-pc nazar-pc Feb 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to_delete_block_number is basically from and new_first_saved_receipt is basically to.

Instead of transforming those into Block::Header::Number, I'd convert them into subspace_core_primitives::BlockNumber and iterated over the range of numbers instead, that would be easier to read rather than manually incrementing stuff.

Copy link
Contributor Author

@liuchengxu liuchengxu Feb 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Converting to subspace_core_primitives::BlockNumber might be helpful to simplify the loop, but you have to convert it back to Number as the encode for u32 and Block::Header::Number is different(discovered by the existing test, perhaps the compact of codec is related, I didn't look into this) unless you want to use u32 as the part of the final key to insert into the store.

Copy link
Member

@nazar-pc nazar-pc Feb 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is fine to use BlockNumber as a final key. Also it might be different in tests (I see that often tests use u64 for block number), but should be the same in production since we use u32 everywhere as a block number otherwise.

cumulus/client/cirrus-executor/src/aux_schema.rs
let mut new_first_saved_receipt = first_saved_receipt;

if block_number - first_saved_receipt >= PRUNING_DEPTH.saturated_into() {
new_first_saved_receipt = block_number.saturating_sub((PRUNING_DEPTH - 1).saturated_into());
Copy link
Member

@nazar-pc nazar-pc Feb 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In these cases I would honestly prefer .expect() since we don't expect these numbers to ever be beyond u32::MAX.

Copy link
Contributor Author

@liuchengxu liuchengxu Feb 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Feel free to refactor it directly as I don't see another style that is satisfying to me using expect() :P.

i1i1
i1i1 previously approved these changes Feb 9, 2022
View reviewed changes
@liuchengxu
Include the list of storage roots in ExecutionReceipt
8e11150 
Refactor `ExecutionReceipt`:

- Rename `state_transition_root` to `trace_root`.
- Include the list of all storage roots in the execution as `trace`.
@liuchengxu
Only authorty executors are allowed to broadcast ER
7493a63 
Only the authority executors are allowed to participate the election,
the winner of which will be able to broadcast the exeuction recepit to
the network, and then we could run an authority executor node and
a full executor node locally.
@liuchengxu
Reduce Executor generics by merging runtime_api into client
4934c1c
@liuchengxu
Write local ER to disk and check external ER against the local one
2856ded
@liuchengxu
Remove the validated local execution receipt from disk
d983d4d
@liuchengxu
Apply the suggestions from code review
992cfb2
@liuchengxu
Use Merkle Tree instead of Merkle Patricia Tree for execution trace
0098a20 
Fixes #236 (comment)
@liuchengxu
Prune the too old execution receipts while writing a new one
c383418 
We have to use the block number as key because the time is measured in
block number only.
@liuchengxu
Store Execution Receipt Keyed by block hash
6eb1c30 
Store the execution receipt by block hash, use another storage for
tracking the associated block number to have knowledge of if it's too
old and should be pruned.

This commit also removes the deletion of local ER even it's correctly
validated, now the obsolete ERs will be removed soly according to the
prune depth.
@liuchengxu
Replicate the state root when constructing the trace merkle tree from…
b22f827 
… the root list
@liuchengxu
Merge the BS generic parameter into Client in Executor struct
9ccc995
@liuchengxu
Use the new best_hash instead of parent_hash when calling `intermedia…
be7a07c 
…te_roots()`

Using `parent_hash` is wrong because we need to call the api on top of
the newly created best block to get the intermediate roots for this
just executed block.
@liuchengxu liuchengxu merged commit adffe34 into main Feb 9, 2022
@liuchengxu liuchengxu deleted the check-external-ER branch February 9, 2022 16:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nazar-pc nazar-pc nazar-pc approved these changes

@rg3l3dr rg3l3dr Awaiting requested review from rg3l3dr

@ozgunozerk ozgunozerk Awaiting requested review from ozgunozerk

+1 more reviewer

@i1i1 i1i1 i1i1 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@liuchengxu @nazar-pc @i1i1