zolfa
/
tendermint

# RFC 004: ReverseSync - fetching historical data

## Changelog

- 2021-04-19: Use P2P to gossip necessary data for reverse sync.- 2021-03-03: Simplify proposal to the state sync case.- 2021-02-17: Add notes on asynchronicity of processes.- 2020-12-10: Rename backfill blocks to reverse sync.- 2020-11-25: Initial draft.
## Author(s)

- Callum Waters (@cmwaters)
## Context

Two new features: [Block pruning](https://github.com/tendermint/tendermint/issues/3652)and [State sync](https://github.com/tendermint/tendermint/blob/master/docs/architecture/adr-042-state-sync.md)meant nodes no longer needed a complete history of the blockchain. Thisintroduced some challenges of its own which were covered and subsequentlytackled with [RFC-001](https://github.com/tendermint/spec/blob/master/rfc/001-block-retention.md).The RFC allowed applications to set a block retention height; an upper bound onwhat blocks would be pruned. However nodes who state sync past this upper bound(which is necessary as snapshots must be saved within the trusting period forthe assisting light client to verify) have no means of backfilling the blocksto meet the retention limit. This could be a problem as nodes who state sync andthen eventually switch to consensus (or fast sync) may not have the block andvalidator history to verify evidence causing them to panic if they see 2/3commit on what the node believes to be an invalid block.
Thus, this RFC sets out to instil a minimum block history invariant amongsthonest nodes.
## Proposal

A backfill mechanism can simply be defined as an algorithm for fetching,verifying and storing, headers and validator sets of a height prior to thecurrent base of the node's blockchain. In matching the terminology used forother data retrieving protocols (i.e. fast sync and state sync), wecall this method **ReverseSync**.
We will define the mechanism in four sections:
- Usage- Design- Verification- Termination
### Usage

For now, we focus purely on the case of a state syncing node, whom aftersyncing to a height will need to verify historical data in order to be capableof processing new blocks. We can denote the earliest height that the node willneed to verify and store in order to be able to verify any evidence that mightarise as the `max_historical_height`/`time`. Both height and time are necessaryas this maps to the BFT time used for evidence expiration. After acquiring`State`, we calculate these parameters as:
```gomax_historical_height = max(state.InitialHeight, state.LastBlockHeight - state.ConsensusParams.EvidenceAgeHeight)max_historical_time = max(GenesisTime, state.LastBlockTime.Sub(state.ConsensusParams.EvidenceAgeTime))```
Before starting either fast sync or consensus, we then run the followingsynchronous process:
```gofunc ReverseSync(max_historical_height int64, max_historical_time time.Time) error```
Where we fetch and verify blocks until a block `A` where`A.Height <= max_historical_height` and `A.Time <= max_historical_time`.
Upon successfully reverse syncing, a node can now safely continue. As thisfeature is only used as part of state sync, one can think of this as merely anextension to it.
In the future we may want to extend this functionality to allow nodes to fetchhistorical blocks for reasons of accountability or data accessibility.
### Design

This section will provide a high level overview of some of the more importantcharacteristics of the design, saving the more tedious details as an ADR.
#### P2P

Implementation of this RFC will require the addition of a new channel and twonew messages.
```protomessage LightBlockRequest {  uint64 height = 1;}```
```protomessage LightBlockResponse {  Header header = 1;  Commit commit = 2;  ValidatorSet validator_set = 3;}```
The P2P path may also enable P2P networked light clients and a state sync thatalso doesn't need to rely on RPC.
### Verification

ReverseSync is used to fetch the following data structures:
- `Header`- `Commit`- `ValidatorSet`
Nodes will also need to be able to verify these. This can be achieved by firstretrieving the header at the base height from the block store. From this trustedheader, the node hashes each of the three data structures and checks that they are correct.
1. The trusted header's last block ID matches the hash of the new header
   ```go   header[height].LastBlockID == hash(header[height-1])   ```
2. The trusted header's last commit hash matches the hash of the new commit
	```go	header[height].LastCommitHash == hash(commit[height-1])	```
3. Given that the node now trusts the new header, check that the header's validator set   hash matches the hash of the validator set
	```go	header[height-1].ValidatorsHash == hash(validatorSet[height-1])	```
### Termination

ReverseSync draws a lot of parallels with fast sync. An important considerationfor fast sync that also extends to ReverseSync is termination. ReverseSync willfinish it's task when one of the following conditions have been met:
1. It reaches a block `A` where `A.Height <= max_historical_height` and`A.Time <= max_historical_time`.2. None of it's peers reports to have the block at the height below theprocesses current block.3. A global timeout.
This implies that we can't guarantee adequate history and thus the term"invariant" can't be used in the strictest sense. In the case that the firstcondition isn't met, the node will log an error and optimistically attemptto continue with either fast sync or consensus.
## Alternative Solutions

The need for a minimum block history invariant stems purely from the need tovalidate evidence (although there may be some application relevant needs aswell). Because of this, an alternative, could be to simply trust whatever the2/3+ majority has agreed upon and in the case where a node is at the head of theblockchain, you simply abstain from voting.
As it stands, if 2/3+ vote on evidence you can't verify, in the same manner if2/3+ vote on a header that a node sees as invalid (perhaps due to a differentapp hash), the node will halt.
Another alternative is the method with which the relevant data is retrieved.Instead of introducing new messages to the P2P layer, RPC could have been usedinstead.
The aforementioned data is already available via the following RPC endpoints:`/commit` for `Header`'s' and `/validators` for `ValidatorSet`'s'. It wasdecided predominantly due to the instability of the current RPC infrastructurethat P2P be used instead.
## Status

Proposed
## Consequences

### Positive

- Ensures a minimum block history invariant for honest nodes. This will allow  nodes to verify evidence.
### Negative

- Statesync will be slower as more processing is required.
### Neutral

- By having validator sets served through p2p, this would make it easier toextend p2p support to light clients and state sync.- In the future, it may also be possible to extend this feature to allow fornodes to freely fetch and verify prior blocks
## References

- [RFC-001: Block retention](https://github.com/tendermint/spec/blob/master/rfc/001-block-retention.md)- [Original issue](https://github.com/tendermint/tendermint/issues/4629)