core: grandpa: restrict genesis on forced authority set change

core/finality-grandpa/primitives/src/lib.rs

@@ -95,7 +95,7 @@ decl_runtime_apis! {
 		/// the digest type it should return the same result regardless of the current
 		/// state.
 		fn grandpa_forced_change(digest: &DigestFor<Block>)
-			-> Option<ScheduledChange<NumberFor<Block>>>;
+			-> Option<(NumberFor<Block>, ScheduledChange<NumberFor<Block>>)>;
 
 		/// Get the current GRANDPA authorities and weights. This should not change except
 		/// for when changes are scheduled and the corresponding delay has passed.

core/finality-grandpa/src/authorities.rs

@@ -205,7 +205,7 @@ where
 		E:  std::error::Error,
 	{
 		match pending.delay_kind {
-			DelayKind::Best => {
+			DelayKind::Best { .. } => {
 				self.add_forced_change(pending, is_descendent_of)
 			},
 			DelayKind::Finalized => {
@@ -244,7 +244,7 @@ where
 		best_hash: H,
 		best_number: N,
 		is_descendent_of: &F,
-	) -> Result<Option<Self>, E>
+	) -> Result<Option<(N, Self)>, E>
 		where F: Fn(&H, &H) -> Result<bool, E>,
 	{
 		let mut new_set = None;
@@ -259,12 +259,17 @@ where
 				info!(target: "finality", "Applying authority set change forced at block #{:?}",
 					  change.canon_height);
 
-				new_set = Some(AuthoritySet {
+				let median_last_finalized = match change.delay_kind {
+					DelayKind::Best { ref median_last_finalized } => median_last_finalized.clone(),
+					_ => unreachable!("pending_forced_changes only contains forced changes; forced changes have delay kind Best; qed."),
+				};
+
+				new_set = Some((median_last_finalized, AuthoritySet {
 					current_authorities: change.next_authorities.clone(),
 					set_id: self.set_id + 1,
 					pending_standard_changes: ForkTree::new(), // new set, new changes.
 					pending_forced_changes: Vec::new(),
-				});
+				}));
 
 				break;
 			}
@@ -358,11 +363,11 @@ where
 
 /// Kinds of delays for pending changes.
 #[derive(Debug, Clone, Encode, Decode, PartialEq)]
-pub(crate) enum DelayKind {
+pub(crate) enum DelayKind<N> {
 	/// Depth in finalized chain.
 	Finalized,
 	/// Depth in best chain.
-	Best,
+	Best { median_last_finalized: N },
 }
 
 /// A pending change to the authority set.
@@ -381,7 +386,7 @@ pub(crate) struct PendingChange<H, N> {
 	/// The announcing block's hash.
 	pub(crate) canon_hash: H,
 	/// The delay kind.
-	pub(crate) delay_kind: DelayKind,
+	pub(crate) delay_kind: DelayKind<N>,
 }
 
 impl<H: Decode, N: Decode> Decode for PendingChange<H, N> {

core/finality-grandpa/src/import.rs

@@ -22,6 +22,7 @@ use futures::sync::mpsc;
 use parking_lot::RwLockWriteGuard;
 
 use client::{blockchain, CallExecutor, Client};
+use client::blockchain::HeaderBackend;
 use client::backend::Backend;
 use client::runtime_api::ApiExt;
 use consensus_common::{
@@ -194,12 +195,12 @@ impl<B, E, Block: BlockT<Hash=H256>, RA, PRA> GrandpaBlockImport<B, E, Block, RA
 					},
 				},
 				Ok(None) => {},
-				Ok(Some(change)) => return Ok(Some(PendingChange {
+				Ok(Some((median_last_finalized, change))) => return Ok(Some(PendingChange {
 					next_authorities: change.next_authorities,
 					delay: change.delay,
 					canon_height: *header.number(),
 					canon_hash: hash,
-					delay_kind: DelayKind::Best,
+					delay_kind: DelayKind::Best { median_last_finalized },
 				})),
 			}
 		}
@@ -290,7 +291,7 @@ impl<B, E, Block: BlockT<Hash=H256>, RA, PRA> GrandpaBlockImport<B, E, Block, RA
 			let old = guard.as_mut().clone();
 			guard.set_old(old);
 
-			if let DelayKind::Best = change.delay_kind {
+			if let DelayKind::Best { .. } = change.delay_kind {
 				do_pause = true;
 			}
 
@@ -305,19 +306,32 @@ impl<B, E, Block: BlockT<Hash=H256>, RA, PRA> GrandpaBlockImport<B, E, Block, RA
 				.map_err(|e| ConsensusErrorKind::ClientImport(e.to_string()))
 				.map_err(ConsensusError::from)?;
 
-			if let Some(new_set) = forced_change_set {
+			if let Some((median_last_finalized_number, new_set)) = forced_change_set {
 				let new_authorities = {
 					let (set_id, new_authorities) = new_set.current();
 
+					let best_finalized_number = self.inner.backend().blockchain().info()
+						.map_err(|e| ConsensusErrorKind::ClientImport(e.to_string()))?
+						.finalized_number;
+
+					let canon_number = best_finalized_number.min(median_last_finalized_number);
+
+					let canon_hash =
+						self.inner.backend().blockchain().header(BlockId::Number(canon_number))
+							.map_err(|e| ConsensusErrorKind::ClientImport(e.to_string()))?
+							.expect("the given block number is less or equal than the current best finalized number; \
+									 current best finalized number must exist in chain; qed.")
+							.hash();
+
 					// we start the new authority assuming the block that enacted the
 					// change is the canonical one. we could use the block that signalled
 					// the change instead, but this would make verification of
 					// justifications more complicated, since we'd need to check if
 					// there's any pending forced change (since forced changes would
 					// finalize "backwards")
 					NewAuthoritySet {
-						canon_number: number,
-						canon_hash: hash,
+						canon_number,
+						canon_hash,
 						set_id,
 						authorities: new_authorities.to_vec(),
 					}
@@ -377,8 +391,6 @@ impl<B, E, Block: BlockT<Hash=H256>, RA, PRA> BlockImport<Block>
 	fn import_block(&self, mut block: ImportBlock<Block>, new_authorities: Option<Vec<Ed25519AuthorityId>>)
 		-> Result<ImportResult, Self::Error>
 	{
-		use client::blockchain::HeaderBackend;
-
 		let hash = block.post_header().hash();
 		let number = block.header.number().clone();
 

node/runtime/src/lib.rs

@@ -302,21 +302,21 @@ impl_runtime_apis! {
 				Log(InternalLog::grandpa(grandpa_signal)) => Some(grandpa_signal),
 				_=> None
 			}) {
-				if let Some(change) = Grandpa::scrape_digest_change(log, false) {
+				if let Some(change) = Grandpa::scrape_digest_change(log) {
 					return Some(change);
 				}
 			}
 			None
 		}
 
 		fn grandpa_forced_change(digest: &DigestFor<Block>)
-			-> Option<ScheduledChange<NumberFor<Block>>>
+			-> Option<(NumberFor<Block>, ScheduledChange<NumberFor<Block>>)>
 		{
 			for log in digest.logs.iter().filter_map(|l| match l {
 				Log(InternalLog::grandpa(grandpa_signal)) => Some(grandpa_signal),
 				_=> None
 			}) {
-				if let Some(change) = Grandpa::scrape_digest_change(log, true) {
+				if let Some(change) = Grandpa::scrape_digest_forced_change(log) {
 					return Some(change);
 				}
 			}

srml/grandpa/src/lib.rs

@@ -66,7 +66,7 @@ pub trait GrandpaChangeSignal<N> {
 	/// Try to cast the log entry as a contained signal.
 	fn as_signal(&self) -> Option<ScheduledChange<N>>;
 	/// Try to cast the log entry as a contained forced signal.
-	fn as_forced_signal(&self) -> Option<ScheduledChange<N>>;
+	fn as_forced_signal(&self) -> Option<(N, ScheduledChange<N>)>;
 }
 
 /// A logs in this module.
@@ -76,24 +76,25 @@ pub enum RawLog<N, SessionKey> {
 	/// Authorities set change has been signalled. Contains the new set of authorities
 	/// and the delay in blocks _to finalize_ before applying.
 	AuthoritiesChangeSignal(N, Vec<(SessionKey, u64)>),
-	/// A forced authorities set change. Contains the new set of authorities and the
-	/// delay in blocks _to import_ before applying.
-	ForcedAuthoritiesChangeSignal(N, Vec<(SessionKey, u64)>),
+	/// A forced authorities set change. Contains in this order: the median last
+	/// finalized block when the change was signaled, the delay in blocks _to import_
+	/// before applying and the new set of authorities.
+	ForcedAuthoritiesChangeSignal(N, N, Vec<(SessionKey, u64)>),
 }
 
 impl<N: Clone, SessionKey> RawLog<N, SessionKey> {
 	/// Try to cast the log entry as a contained signal.
 	pub fn as_signal(&self) -> Option<(N, &[(SessionKey, u64)])> {
 		match *self {
-			RawLog::AuthoritiesChangeSignal(ref n, ref signal) => Some((n.clone(), signal)),
-			RawLog::ForcedAuthoritiesChangeSignal(_, _) => None,
+			RawLog::AuthoritiesChangeSignal(ref delay, ref signal) => Some((delay.clone(), signal)),
+			RawLog::ForcedAuthoritiesChangeSignal(_, _, _) => None,
 		}
 	}
 
 	/// Try to cast the log entry as a contained forced signal.
-	pub fn as_forced_signal(&self) -> Option<(N, &[(SessionKey, u64)])> {
+	pub fn as_forced_signal(&self) -> Option<(N, N, &[(SessionKey, u64)])> {
 		match *self {
-			RawLog::ForcedAuthoritiesChangeSignal(ref n, ref signal) => Some((n.clone(), signal)),
+			RawLog::ForcedAuthoritiesChangeSignal(ref median, ref delay, ref signal) => Some((median.clone(), delay.clone(), signal)),
 			RawLog::AuthoritiesChangeSignal(_, _) => None,
 		}
 	}
@@ -112,14 +113,14 @@ impl<N, SessionKey> GrandpaChangeSignal<N> for RawLog<N, SessionKey>
 		})
 	}
 
-	fn as_forced_signal(&self) -> Option<ScheduledChange<N>> {
-		RawLog::as_forced_signal(self).map(|(delay, next_authorities)| ScheduledChange {
+	fn as_forced_signal(&self) -> Option<(N, ScheduledChange<N>)> {
+		RawLog::as_forced_signal(self).map(|(median, delay, next_authorities)| (median, ScheduledChange {
 			delay,
 			next_authorities: next_authorities.iter()
 				.cloned()
 				.map(|(k, w)| (k.into(), w))
 				.collect(),
-		})
+		}))
 	}
 }
 
@@ -156,14 +157,15 @@ pub struct StoredPendingChange<N, SessionKey> {
 	pub delay: N,
 	/// The next authority set.
 	pub next_authorities: Vec<(SessionKey, u64)>,
-	/// Whether the change was forced.
-	pub forced: bool,
+	/// If defined it means the change was forced and the given block number
+	/// indicates the median last finalized block when the change was signaled.
+	pub forced: Option<N>,
 }
 
 impl<N: Decode, SessionKey: Decode> Decode for StoredPendingChange<N, SessionKey> {
 	fn decode<I: codec::Input>(value: &mut I) -> Option<Self> {
 		let old = OldStoredPendingChange::decode(value)?;
-		let forced = bool::decode(value).unwrap_or(false);
+		let forced = <Option<N>>::decode(value).unwrap_or(None);
 
 		Some(StoredPendingChange {
 			scheduled_at: old.scheduled_at,
@@ -223,13 +225,14 @@ decl_module! {
 		fn on_finalise(block_number: T::BlockNumber) {
 			if let Some(pending_change) = <PendingChange<T>>::get() {
 				if block_number == pending_change.scheduled_at {
-					if !pending_change.forced {
-						Self::deposit_log(RawLog::AuthoritiesChangeSignal(
+					if let Some(median) = pending_change.forced {
+						Self::deposit_log(RawLog::ForcedAuthoritiesChangeSignal(
+							median,
 							pending_change.delay,
 							pending_change.next_authorities.clone(),
 						));
 					} else {
-						Self::deposit_log(RawLog::ForcedAuthoritiesChangeSignal(
+						Self::deposit_log(RawLog::AuthoritiesChangeSignal(
 							pending_change.delay,
 							pending_change.next_authorities.clone(),
 						));
@@ -260,23 +263,24 @@ impl<T: Trait> Module<T> {
 	/// `in_blocks` after the current block. This value may be 0, in which
 	/// case the change is applied at the end of the current block.
 	///
-	/// If the `forced` flag is set to true, this indicates that the current
+	/// If the `forced` parameter is defined, this indicates that the current
 	/// set has been synchronously determined to be offline and that after
-	/// `in_blocks` the given change should be applied.
+	/// `in_blocks` the given change should be applied. The given block number
+	/// indicates the median last finalized block number.
 	///
 	/// No change should be signalled while any change is pending. Returns
 	/// an error if a change is already pending.
 	pub fn schedule_change(
 		next_authorities: Vec<(T::SessionKey, u64)>,
 		in_blocks: T::BlockNumber,
-		forced: bool,
+		forced: Option<T::BlockNumber>,
 	) -> Result {
 		use primitives::traits::As;
 
 		if Self::pending_change().is_none() {
 			let scheduled_at = system::ChainContext::<T>::default().current_height();
 
-			if forced {
+			if let Some(_) = forced {
 				if Self::next_forced().map_or(false, |next| next > scheduled_at) {
 					return Err("Cannot signal forced change so soon after last.");
 				}
@@ -306,15 +310,18 @@ impl<T: Trait> Module<T> {
 }
 
 impl<T: Trait> Module<T> where Ed25519AuthorityId: core::convert::From<<T as Trait>::SessionKey> {
-	/// See if the digest contains any scheduled change.
-	pub fn scrape_digest_change(log: &Log<T>, forced: bool)
+	/// See if the digest contains any standard scheduled change.
+	pub fn scrape_digest_change(log: &Log<T>)
 		-> Option<ScheduledChange<T::BlockNumber>>
 	{
-		if forced {
-			<Log<T> as GrandpaChangeSignal<T::BlockNumber>>::as_forced_signal(log)
-		} else {
-			<Log<T> as GrandpaChangeSignal<T::BlockNumber>>::as_signal(log)
-		}
+		<Log<T> as GrandpaChangeSignal<T::BlockNumber>>::as_signal(log)
+	}
+
+	/// See if the digest contains any forced scheduled change.
+	pub fn scrape_digest_forced_change(log: &Log<T>)
+		-> Option<(T::BlockNumber, ScheduledChange<T::BlockNumber>)>
+	{
+		<Log<T> as GrandpaChangeSignal<T::BlockNumber>>::as_forced_signal(log)
 	}
 }
 
@@ -352,7 +359,7 @@ impl<X, T> session::OnSessionChange<X> for SyncedAuthorities<T> where
 		// instant changes
 		let last_authorities = <Module<T>>::grandpa_authorities();
 		if next_authorities != last_authorities {
-			let _ = <Module<T>>::schedule_change(next_authorities, Zero::zero(), false);
+			let _ = <Module<T>>::schedule_change(next_authorities, Zero::zero(), None);
 		}
 	}
 }
@@ -377,7 +384,9 @@ impl<T> finality_tracker::OnFinalizationStalled<T::BlockNumber> for SyncedAuthor
 			.map(|key| (key, 1)) // evenly-weighted.
 			.collect::<Vec<(<T as Trait>::SessionKey, u64)>>();
 
+		let median = <finality_tracker::Module<T>>::median();
+
 		// schedule a change for `further_wait` blocks.
-		let _ = <Module<T>>::schedule_change(next_authorities, further_wait, true);
+		let _ = <Module<T>>::schedule_change(next_authorities, further_wait, Some(median));
 	}
 }