@ -1,17 +0,0 @@ | |||
name: Check Markdown links | |||
on: | |||
push: | |||
branches: | |||
- master | |||
pull_request: | |||
branches: [master] | |||
jobs: | |||
markdown-link-check: | |||
runs-on: ubuntu-latest | |||
steps: | |||
- uses: actions/checkout@master | |||
- uses: gaurav-nelson/github-action-markdown-link-check@1.0.13 | |||
with: | |||
check-modified-files-only: 'yes' |
@ -0,0 +1,36 @@ | |||
# Runs randomly generated E2E testnets nightly on master | |||
# manually run e2e tests | |||
name: e2e-manual | |||
on: | |||
workflow_dispatch: | |||
jobs: | |||
e2e-nightly-test: | |||
# Run parallel jobs for the listed testnet groups (must match the | |||
# ./build/generator -g flag) | |||
strategy: | |||
fail-fast: false | |||
matrix: | |||
group: ['00', '01', '02', '03'] | |||
runs-on: ubuntu-latest | |||
timeout-minutes: 60 | |||
steps: | |||
- uses: actions/setup-go@v2 | |||
with: | |||
go-version: '1.17' | |||
- uses: actions/checkout@v2.4.0 | |||
- name: Build | |||
working-directory: test/e2e | |||
# Run make jobs in parallel, since we can't run steps in parallel. | |||
run: make -j2 docker generator runner tests | |||
- name: Generate testnets | |||
working-directory: test/e2e | |||
# When changing -g, also change the matrix groups above | |||
run: ./build/generator -g 4 -d networks/nightly/ | |||
- name: Run ${{ matrix.p2p }} p2p testnets | |||
working-directory: test/e2e | |||
run: ./run-multiple.sh networks/nightly/*-group${{ matrix.group }}-*.toml |
@ -0,0 +1,18 @@ | |||
# Currently disabled until all links have been fixed | |||
# name: Check Markdown links | |||
# on: | |||
# push: | |||
# branches: | |||
# - master | |||
# pull_request: | |||
# branches: [master] | |||
# jobs: | |||
# markdown-link-check: | |||
# runs-on: ubuntu-latest | |||
# steps: | |||
# - uses: actions/checkout@master | |||
# - uses: gaurav-nelson/github-action-markdown-link-check@1.0.13 | |||
# with: | |||
# check-modified-files-only: 'yes' |
@ -0,0 +1,46 @@ | |||
package commands | |||
import ( | |||
"fmt" | |||
"github.com/spf13/cobra" | |||
) | |||
// NewCompletionCmd returns a cobra.Command that generates bash and zsh | |||
// completion scripts for the given root command. If hidden is true, the | |||
// command will not show up in the root command's list of available commands. | |||
func NewCompletionCmd(rootCmd *cobra.Command, hidden bool) *cobra.Command { | |||
flagZsh := "zsh" | |||
cmd := &cobra.Command{ | |||
Use: "completion", | |||
Short: "Generate shell completion scripts", | |||
Long: fmt.Sprintf(`Generate Bash and Zsh completion scripts and print them to STDOUT. | |||
Once saved to file, a completion script can be loaded in the shell's | |||
current session as shown: | |||
$ . <(%s completion) | |||
To configure your bash shell to load completions for each session add to | |||
your $HOME/.bashrc or $HOME/.profile the following instruction: | |||
. <(%s completion) | |||
`, rootCmd.Use, rootCmd.Use), | |||
RunE: func(cmd *cobra.Command, _ []string) error { | |||
zsh, err := cmd.Flags().GetBool(flagZsh) | |||
if err != nil { | |||
return err | |||
} | |||
if zsh { | |||
return rootCmd.GenZshCompletion(cmd.OutOrStdout()) | |||
} | |||
return rootCmd.GenBashCompletion(cmd.OutOrStdout()) | |||
}, | |||
Hidden: hidden, | |||
Args: cobra.NoArgs, | |||
} | |||
cmd.Flags().Bool(flagZsh, false, "Generate Zsh completion script") | |||
return cmd | |||
} |
@ -1,76 +0,0 @@ | |||
//go:build !libsecp256k1 | |||
// +build !libsecp256k1 | |||
package secp256k1 | |||
import ( | |||
"math/big" | |||
secp256k1 "github.com/btcsuite/btcd/btcec" | |||
"github.com/tendermint/tendermint/crypto" | |||
) | |||
// used to reject malleable signatures | |||
// see: | |||
// - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93 | |||
// - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/crypto.go#L39 | |||
var secp256k1halfN = new(big.Int).Rsh(secp256k1.S256().N, 1) | |||
// Sign creates an ECDSA signature on curve Secp256k1, using SHA256 on the msg. | |||
// The returned signature will be of the form R || S (in lower-S form). | |||
func (privKey PrivKey) Sign(msg []byte) ([]byte, error) { | |||
priv, _ := secp256k1.PrivKeyFromBytes(secp256k1.S256(), privKey) | |||
sig, err := priv.Sign(crypto.Sha256(msg)) | |||
if err != nil { | |||
return nil, err | |||
} | |||
sigBytes := serializeSig(sig) | |||
return sigBytes, nil | |||
} | |||
// VerifySignature verifies a signature of the form R || S. | |||
// It rejects signatures which are not in lower-S form. | |||
func (pubKey PubKey) VerifySignature(msg []byte, sigStr []byte) bool { | |||
if len(sigStr) != 64 { | |||
return false | |||
} | |||
pub, err := secp256k1.ParsePubKey(pubKey, secp256k1.S256()) | |||
if err != nil { | |||
return false | |||
} | |||
// parse the signature: | |||
signature := signatureFromBytes(sigStr) | |||
// Reject malleable signatures. libsecp256k1 does this check but btcec doesn't. | |||
// see: https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93 | |||
if signature.S.Cmp(secp256k1halfN) > 0 { | |||
return false | |||
} | |||
return signature.Verify(crypto.Sha256(msg), pub) | |||
} | |||
// Read Signature struct from R || S. Caller needs to ensure | |||
// that len(sigStr) == 64. | |||
func signatureFromBytes(sigStr []byte) *secp256k1.Signature { | |||
return &secp256k1.Signature{ | |||
R: new(big.Int).SetBytes(sigStr[:32]), | |||
S: new(big.Int).SetBytes(sigStr[32:64]), | |||
} | |||
} | |||
// Serialize signature to R || S. | |||
// R, S are padded to 32 bytes respectively. | |||
func serializeSig(sig *secp256k1.Signature) []byte { | |||
rBytes := sig.R.Bytes() | |||
sBytes := sig.S.Bytes() | |||
sigBytes := make([]byte, 64) | |||
// 0 pad the byte arrays from the left if they aren't big enough. | |||
copy(sigBytes[32-len(rBytes):32], rBytes) | |||
copy(sigBytes[64-len(sBytes):64], sBytes) | |||
return sigBytes | |||
} |
@ -1,4 +1,4 @@ | |||
#!/bin/bash | |||
cp -a ../rpc/openapi/ .vuepress/public/rpc/ | |||
git clone https://github.com/tendermint/spec.git specRepo && cp -r specRepo/spec . && rm -rf specRepo | |||
cp -r ../spec . |
@ -0,0 +1,257 @@ | |||
<<<<<<< HEAD:docs/rfc/rfc-011-abci++.md | |||
# RFC 011: ABCI++ | |||
======= | |||
# RFC 013: ABCI++ | |||
>>>>>>> a895a8ea5f (Rename and renumber imported RFCs.):docs/rfc/rfc-013-abci++.md | |||
## Changelog | |||
- 2020-01-11: initialized | |||
- 2021-02-11: Migrate RFC to tendermint repo (Originally [RFC 004](https://github.com/tendermint/spec/pull/254)) | |||
## Author(s) | |||
- Dev (@valardragon) | |||
- Sunny (@sunnya97) | |||
## Context | |||
ABCI is the interface between the consensus engine and the application. | |||
It defines when the application can talk to consensus during the execution of a blockchain. | |||
At the moment, the application can only act at one phase in consensus, immediately after a block has been finalized. | |||
This restriction on the application prohibits numerous features for the application, including many scalability improvements that are now better understood than when ABCI was first written. | |||
For example, many of the scalability proposals can be boiled down to "Make the miner / block proposers / validators do work, so the network does not have to". | |||
This includes optimizations such as tx-level signature aggregation, state transition proofs, etc. | |||
Furthermore, many new security properties cannot be achieved in the current paradigm, as the application cannot enforce validators do more than just finalize txs. | |||
This includes features such as threshold cryptography, and guaranteed IBC connection attempts. | |||
We propose introducing three new phases to ABCI to enable these new features, and renaming the existing methods for block execution. | |||
#### Prepare Proposal phase | |||
This phase aims to allow the block proposer to perform more computation, to reduce load on all other full nodes, and light clients in the network. | |||
It is intended to enable features such as batch optimizations on the transaction data (e.g. signature aggregation, zk rollup style validity proofs, etc.), enabling stateless blockchains with validator provided authentication paths, etc. | |||
This new phase will only be executed by the block proposer. The application will take in the block header and raw transaction data output by the consensus engine's mempool. It will then return block data that is prepared for gossip on the network, and additional fields to include into the block header. | |||
#### Process Proposal Phase | |||
This phase aims to allow applications to determine validity of a new block proposal, and execute computation on the block data, prior to the blocks finalization. | |||
It is intended to enable applications to reject block proposals with invalid data, and to enable alternate pipelined execution models. (Such as Ethereum-style immediate execution) | |||
This phase will be executed by all full nodes upon receiving a block, though on the application side it can do more work in the even that the current node is a validator. | |||
#### Vote Extension Phase | |||
This phase aims to allow applications to require their validators do more than just validate blocks. | |||
Example usecases of this include validator determined price oracles, validator guaranteed IBC connection attempts, and validator based threshold crypto. | |||
This adds an app-determined data field that every validator must include with their vote, and these will thus appear in the header. | |||
#### Rename {BeginBlock, [DeliverTx], EndBlock} to FinalizeBlock | |||
The prior phases gives the application more flexibility in their execution model for a block, and they obsolete the current methods for how the consensus engine relates the block data to the state machine. Thus we refactor the existing methods to better reflect what is happening in the new ABCI model. | |||
This rename doesn't on its own enable anything new, but instead improves naming to clarify the expectations from the application in this new communication model. The existing ABCI methods `BeginBlock, [DeliverTx], EndBlock` are renamed to a single method called `FinalizeBlock`. | |||
#### Summary | |||
We include a more detailed list of features / scaling improvements that are blocked, and which new phases resolve them at the end of this document. | |||
<image src="images/abci.png" style="float: left; width: 40%;" /> <image src="images/abci++.png" style="float: right; width: 40%;" /> | |||
On the top is the existing definition of ABCI, and on the bottom is the proposed ABCI++. | |||
## Proposal | |||
Below we suggest an API to add these three new phases. | |||
In this document, sometimes the final round of voting is referred to as precommit for clarity in how it acts in the Tendermint case. | |||
### Prepare Proposal | |||
*Note, APIs in this section will change after Vote Extensions, we list the adjusted APIs further in the proposal.* | |||
The Prepare Proposal phase allows the block proposer to perform application-dependent work in a block, to lower the amount of work the rest of the network must do. This enables batch optimizations to a block, which has been empirically demonstrated to be a key component for scaling. This phase introduces the following ABCI method | |||
```rust | |||
fn PrepareProposal(Block) -> BlockData | |||
``` | |||
where `BlockData` is a type alias for however data is internally stored within the consensus engine. In Tendermint Core today, this is `[]Tx`. | |||
The application may read the entire block proposal, and mutate the block data fields. Mutated transactions will still get removed from the mempool later on, as the mempool rechecks all transactions after a block is executed. | |||
The `PrepareProposal` API will be modified in the vote extensions section, for allowing the application to modify the header. | |||
### Process Proposal | |||
The Process Proposal phase sends the block data to the state machine, prior to running the last round of votes on the state machine. This enables features such as allowing validators to reject a block according to whether state machine deems it valid, and changing block execution pipeline. | |||
We introduce three new methods, | |||
```rust | |||
fn VerifyHeader(header: Header, isValidator: bool) -> ResponseVerifyHeader {...} | |||
fn ProcessProposal(block: Block) -> ResponseProcessProposal {...} | |||
fn RevertProposal(height: usize, round: usize) {...} | |||
``` | |||
where | |||
```rust | |||
struct ResponseVerifyHeader { | |||
accept_header: bool, | |||
evidence: Vec<Evidence> | |||
} | |||
struct ResponseProcessProposal { | |||
accept_block: bool, | |||
evidence: Vec<Evidence> | |||
} | |||
``` | |||
Upon receiving a block header, every validator runs `VerifyHeader(header, isValidator)`. The reason for why `VerifyHeader` is split from `ProcessProposal` is due to the later sections for Preprocess Proposal and Vote Extensions, where there may be application dependent data in the header that must be verified before accepting the header. | |||
If the returned `ResponseVerifyHeader.accept_header` is false, then the validator must precommit nil on this block, and reject all other precommits on this block. `ResponseVerifyHeader.evidence` is appended to the validators local `EvidencePool`. | |||
Upon receiving an entire block proposal (in the current implementation, all "block parts"), every validator runs `ProcessProposal(block)`. If the returned `ResponseProcessProposal.accept_block` is false, then the validator must precommit nil on this block, and reject all other precommits on this block. `ResponseProcessProposal.evidence` is appended to the validators local `EvidencePool`. | |||
Once a validator knows that consensus has failed to be achieved for a given block, it must run `RevertProposal(block.height, block.round)`, in order to signal to the application to revert any potentially mutative state changes it may have made. In Tendermint, this occurs when incrementing rounds. | |||
**RFC**: How do we handle the scenario where honest node A finalized on round x, and honest node B finalized on round x + 1? (e.g. when 2f precommits are publicly known, and a validator precommits themself but doesn't broadcast, but they increment rounds) Is this a real concern? The state root derived could change if everyone finalizes on round x+1, not round x, as the state machine can depend non-uniformly on timestamp. | |||
The application is expected to cache the block data for later execution. | |||
The `isValidator` flag is set according to whether the current node is a validator or a full node. This is intended to allow for beginning validator-dependent computation that will be included later in vote extensions. (An example of this is threshold decryptions of ciphertexts.) | |||
### DeliverTx rename to FinalizeBlock | |||
After implementing `ProcessProposal`, txs no longer need to be delivered during the block execution phase. Instead, they are already in the state machine. Thus `BeginBlock, DeliverTx, EndBlock` can all be replaced with a single ABCI method for `ExecuteBlock`. Internally the application may still structure its method for executing the block as `BeginBlock, DeliverTx, EndBlock`. However, it is overly restrictive to enforce that the block be executed after it is finalized. There are multiple other, very reasonable pipelined execution models one can go for. So instead we suggest calling this succession of methods `FinalizeBlock`. We propose the following API | |||
Replace the `BeginBlock, DeliverTx, EndBlock` ABCI methods with the following method | |||
```rust | |||
fn FinalizeBlock() -> ResponseFinalizeBlock | |||
``` | |||
where `ResponseFinalizeBlock` has the following API, in terms of what already exists | |||
```rust | |||
struct ResponseFinalizeBlock { | |||
updates: ResponseEndBlock, | |||
tx_results: Vec<ResponseDeliverTx> | |||
} | |||
``` | |||
`ResponseEndBlock` should then be renamed to `ConsensusUpdates` and `ResponseDeliverTx` should be renamed to `ResponseTx`. | |||
### Vote Extensions | |||
The Vote Extensions phase allow applications to force their validators to do more than just validate within consensus. This is done by allowing the application to add more data to their votes, in the final round of voting. (Namely the precommit) | |||
This additional application data will then appear in the block header. | |||
First we discuss the API changes to the vote struct directly | |||
```rust | |||
fn ExtendVote(height: u64, round: u64) -> (UnsignedAppVoteData, SelfAuthenticatingAppData) | |||
fn VerifyVoteExtension(signed_app_vote_data: Vec<u8>, self_authenticating_app_vote_data: Vec<u8>) -> bool | |||
``` | |||
There are two types of data that the application can enforce validators to include with their vote. | |||
There is data that the app needs the validator to sign over in their vote, and there can be self-authenticating vote data. Self-authenticating here means that the application upon seeing these bytes, knows its valid, came from the validator and is non-malleable. We give an example of each type of vote data here, to make their roles clearer. | |||
- Unsigned app vote data: A use case of this is if you wanted validator backed oracles, where each validator independently signs some oracle data in their vote, and the median of these values is used on chain. Thus we leverage consensus' signing process for convenience, and use that same key to sign the oracle data. | |||
- Self-authenticating vote data: A use case of this is in threshold random beacons. Every validator produces a threshold beacon share. This threshold beacon share can be verified by any node in the network, given the share and the validators public key (which is not the same as its consensus public key). However, this decryption share will not make it into the subsequent block's header. They will be aggregated by the subsequent block proposer to get a single random beacon value that will appear in the subsequent block's header. Everyone can then verify that this aggregated value came from the requisite threshold of the validator set, without increasing the bandwidth for full nodes or light clients. To achieve this goal, the self-authenticating vote data cannot be signed over by the consensus key along with the rest of the vote, as that would require all full nodes & light clients to know this data in order to verify the vote. | |||
The `CanonicalVote` struct will acommodate the `UnsignedAppVoteData` field by adding another string to its encoding, after the `chain-id`. This should not interfere with existing hardware signing integrations, as it does not affect the constant offset for the `height` and `round`, and the vote size does not have an explicit upper bound. (So adding this unsigned app vote data field is equivalent from the HSM's perspective as having a superlong chain-ID) | |||
**RFC**: Please comment if you think it will be fine to have elongate the message the HSM signs, or if we need to explore pre-hashing the app vote data. | |||
The flow of these methods is that when a validator has to precommit, Tendermint will first produce a precommit canonical vote without the application vote data. It will then pass it to the application, which will return unsigned application vote data, and self authenticating application vote data. It will bundle the `unsigned_application_vote_data` into the canonical vote, and pass it to the HSM to sign. Finally it will package the self-authenticating app vote data, and the `signed_vote_data` together, into one final Vote struct to be passed around the network. | |||
#### Changes to Prepare Proposal Phase | |||
There are many use cases where the additional data from vote extensions can be batch optimized. | |||
This is mainly of interest when the votes include self-authenticating app vote data that be batched together, or the unsigned app vote data is the same across all votes. | |||
To allow for this, we change the PrepareProposal API to the following | |||
```rust | |||
fn PrepareProposal(Block, UnbatchedHeader) -> (BlockData, Header) | |||
``` | |||
where `UnbatchedHeader` essentially contains a "RawCommit", the `Header` contains a batch-optimized `commit` and an additional "Application Data" field in its root. This will involve a number of changes to core data structures, which will be gone over in the ADR. | |||
The `Unbatched` header and `rawcommit` will never be broadcasted, they will be completely internal to consensus. | |||
#### Inter-process communication (IPC) effects | |||
For brevity in exposition above, we did not discuss the trade-offs that may occur in interprocess communication delays that these changs will introduce. | |||
These new ABCI methods add more locations where the application must communicate with the consensus engine. | |||
In most configurations, we expect that the consensus engine and the application will be either statically or dynamically linked, so all communication is a matter of at most adjusting the memory model the data is layed out within. | |||
This memory model conversion is typically considered negligible, as delay here is measured on the order of microseconds at most, whereas we face milisecond delays due to cryptography and network overheads. | |||
Thus we ignore the overhead in the case of linked libraries. | |||
In the case where the consensus engine and the application are ran in separate processes, and thus communicate with a form of Inter-process communication (IPC), the delays can easily become on the order of miliseconds based upon the data sent. Thus its important to consider whats happening here. | |||
We go through this phase by phase. | |||
##### Prepare proposal IPC overhead | |||
This requires a round of IPC communication, where both directions are quite large. Namely the proposer communicating an entire block to the application. | |||
However, this can be mitigated by splitting up `PrepareProposal` into two distinct, async methods, one for the block IPC communication, and one for the Header IPC communication. | |||
Then for chains where the block data does not depend on the header data, the block data IPC communication can proceed in parallel to the prior block's voting phase. (As a node can know whether or not its the leader in the next round) | |||
Furthermore, this IPC communication is expected to be quite low relative to the amount of p2p gossip time it takes to send the block data around the network, so this is perhaps a premature concern until more sophisticated block gossip protocols are implemented. | |||
##### Process Proposal IPC overhead | |||
This phase changes the amount of time available for the consensus engine to deliver a block's data to the state machine. | |||
Before, the block data for block N would be delivered to the state machine upon receiving a commit for block N and then be executed. | |||
The state machine would respond after executing the txs and before prevoting. | |||
The time for block delivery from the consensus engine to the state machine after this change is the time of receiving block proposal N to the to time precommit on proposal N. | |||
It is expected that this difference is unimportant in practice, as this time is in parallel to one round of p2p communication for prevoting, which is expected to be significantly less than the time for the consensus engine to deliver a block to the state machine. | |||
##### Vote Extension IPC overhead | |||
This has a small amount of data, but does incur an IPC round trip delay. This IPC round trip delay is pretty negligible as compared the variance in vote gossip time. (the IPC delay is typically on the order of 10 microseconds) | |||
## Status | |||
Proposed | |||
## Consequences | |||
### Positive | |||
- Enables a large number of new features for applications | |||
- Supports both immediate and delayed execution models | |||
- Allows application specific data from each validator | |||
- Allows for batch optimizations across txs, and votes | |||
### Negative | |||
- This is a breaking change to all existing ABCI clients, however the application should be able to have a thin wrapper to replicate existing ABCI behavior. | |||
- PrepareProposal - can be a no-op | |||
- Process Proposal - has to cache the block, but can otherwise be a no-op | |||
- Vote Extensions - can be a no-op | |||
- Finalize Block - Can black-box call BeginBlock, DeliverTx, EndBlock given the cached block data | |||
- Vote Extensions adds more complexity to core Tendermint Data Structures | |||
- Allowing alternate alternate execution models will lead to a proliferation of new ways for applications to violate expected guarantees. | |||
### Neutral | |||
- IPC overhead considerations change, but mostly for the better | |||
## References | |||
Reference for IPC delay constants: <http://pages.cs.wisc.edu/~adityav/Evaluation_of_Inter_Process_Communication_Mechanisms.pdf> | |||
### Short list of blocked features / scaling improvements with required ABCI++ Phases | |||
| Feature | PrepareProposal | ProcessProposal | Vote Extensions | | |||
| :--- | :---: | :---: | :---: | | |||
| Tx based signature aggregation | X | | | | |||
| SNARK proof of valid state transition | X | | | | |||
| Validator provided authentication paths in stateless blockchains | X | | | | |||
| Immediate Execution | | X | | | |||
| Simple soft forks | | X | | | |||
| Validator guaranteed IBC connection attempts | | | X | | |||
| Validator based price oracles | | | X | | |||
| Immediate Execution with increased time for block execution | X | X | X | | |||
| Threshold Encrypted txs | X | X | X | |
@ -0,0 +1,162 @@ | |||
# RFC 011: Remove Gas From Tendermint | |||
## Changelog | |||
- 03-Feb-2022: Initial draft (@williambanfield). | |||
- 10-Feb-2022: Update in response to feedback (@williambanfield). | |||
- 11-Feb-2022: Add reflection on MaxGas during consensus (@williambanfield). | |||
## Abstract | |||
In the v0.25.0 release, Tendermint added a mechanism for tracking 'Gas' in the mempool. | |||
At a high level, Gas allows applications to specify how much it will cost the network, | |||
often in compute resources, to execute a given transaction. While such a mechanism is common | |||
in blockchain applications, it is not generalizable enough to be a maintained as a part | |||
of Tendermint. This RFC explores the possibility of removing the concept of Gas from | |||
Tendermint while still allowing applications the power to control the contents of | |||
blocks to achieve similar goals. | |||
## Background | |||
The notion of Gas was included in the original Ethereum whitepaper and exists as | |||
an important feature of the Ethereum blockchain. | |||
The [whitepaper describes Gas][eth-whitepaper-messages] as an Anti-DoS mechanism. The Ethereum Virtual Machine | |||
provides a Turing complete execution platform. Without any limitations, malicious | |||
actors could waste computation resources by directing the EVM to perform large | |||
or even infinite computations. Gas serves as a metering mechanism to prevent this. | |||
Gas appears to have been added to Tendermint multiple times, initially as part of | |||
a now defunct `/vm` package, and in its most recent iteration [as part of v0.25.0][gas-add-pr] | |||
as a mechanism to limit the transactions that will be included in the block by an additional | |||
parameter. | |||
Gas has gained adoption within the Cosmos ecosystem [as part of the Cosmos SDK][cosmos-sdk-gas]. | |||
The SDK provides facilities for tracking how much 'Gas' a transaction is expected to take | |||
and a mechanism for tracking how much gas a transaction has already taken. | |||
Non-SDK applications also make use of the concept of Gas. Anoma appears to implement | |||
[a gas system][anoma-gas] to meter the transactions it executes. | |||
While the notion of gas is present in projects that make use of Tendermint, it is | |||
not a concern of Tendermint's. Tendermint's value and goal is producing blocks | |||
via a distributed consensus algorithm. Tendermint relies on the application specific | |||
code to decide how to handle the transactions Tendermint has produced (or if the | |||
application wants to consider them at all). Gas is an application concern. | |||
Our implementation of Gas is not currently enforced by consensus. Our current validation check that | |||
occurs during block propagation does not verify that the block is under the configured `MaxGas`. | |||
Ensuring that the transactions in a proposed block do not exceed `MaxGas` would require | |||
input from the application during propagation. The `ProcessProposal` method introduced | |||
as part of ABCI++ would enable such input but would further entwine Tendermint and | |||
the application. The issue of checking `MaxGas` during block propagation is important | |||
because it demonstrates that the feature as it currently exists is not implemented | |||
as fully as it perhaps should be. | |||
Our implementation of Gas is causing issues for node operators and relayers. At | |||
the moment, transactions that overflow the configured 'MaxGas' can be silently rejected | |||
from the mempool. Overflowing MaxGas is the _only_ way that a transaction can be considered | |||
invalid that is not directly a result of failing the `CheckTx`. Operators, and the application, | |||
do not know that a transaction was removed from the mempool for this reason. A stateless check | |||
of this nature is exactly what `CheckTx` exists for and there is no reason for the mempool | |||
to keep track of this data separately. A special [MempoolError][add-mempool-error] field | |||
was added in v0.35 to communicate to clients that a transaction failed after `CheckTx`. | |||
While this should alleviate the pain for operators wishing to understand if their | |||
transaction was included in the mempool, it highlights that the abstraction of | |||
what is included in the mempool is not currently well defined. | |||
Removing Gas from Tendermint and the mempool would allow for the mempool to be a better | |||
abstraction: any transaction that arrived at `CheckTx` and passed the check will either be | |||
a candidate for a later block or evicted after a TTL is reached or to make room for | |||
other, higher priority transactions. All other transactions are completely invalid and can be discarded forever. | |||
Removing gas will not be completely straightforward. It will mean ensuring that | |||
equivalent functionality can be implemented outside of the mempool using the mempool's API. | |||
## Discussion | |||
This section catalogs the functionality that will need to exist within the Tendermint | |||
mempool to allow Gas to be removed and replaced by application-side bookkeeping. | |||
### Requirement: Provide Mempool Tx Sorting Mechanism | |||
Gas produces a market for inclusion in a block. On many networks, a [gas fee][cosmos-sdk-fees] is | |||
included in pending transactions. This fee indicates how much a user is willing to | |||
pay per unit of execution and the fees are distributed to validators. | |||
Validators wishing to extract higher gas fees are incentivized to include transactions | |||
with the highest listed gas fees into each block. This produces a natural ordering | |||
of the pending transactions. Applications wishing to implement a gas mechanism need | |||
to be able to order the transactions in the mempool. This can trivially be accomplished | |||
by sorting transactions using the `priority` field available to applications as part of | |||
v0.35's `ResponseCheckTx` message. | |||
### Requirement: Allow Application-Defined Block Resizing | |||
When creating a block proposal, Tendermint pulls a set of possible transactions out of | |||
the mempool to include in the next block. Tendermint uses MaxGas to limit the set of transactions | |||
it pulls out of the mempool fetching a set of transactions whose sum is less than MaxGas. | |||
By removing gas tracking from Tendermint's mempool, Tendermint will need to provide a way for | |||
applications to determine an acceptable set of transactions to include in the block. | |||
This is what the new ABCI++ `PrepareProposal` method is useful for. Applications | |||
that wish to limit the contents of a block by an application-defined limit may | |||
do so by removing transactions from the proposal it is passed during `PrepareProposal`. | |||
Applications wishing to reach parity with the current Gas implementation may do | |||
so by creating an application-side limit: filtering out transactions from | |||
`PrepareProposal` the cause the proposal the exceed the maximum gas. Additionally, | |||
applications can currently opt to have all transactions in the mempool delivered | |||
during `PrepareProposal` by passing `-1` for `MaxGas` and `MaxBytes` into | |||
[ReapMaxBytesMaxGas][reap-max-bytes-max-gas]. | |||
### Requirement: Handle Transaction Metadata | |||
Moving the gas mechanism into applications adds an additional piece of complexity | |||
to applications. The application must now track how much gas it expects a transaction | |||
to consume. The mempool currently handles this bookkeeping responsibility and uses the estimated | |||
gas to determine the set of transactions to include in the block. In order to task | |||
the application with keeping track of this metadata, we should make it easier for the | |||
application to do so. In general, we'll want to keep only one copy of this type | |||
of metadata in the program at a time, either in the application or in Tendermint. | |||
The following sections are possible solutions to the problem of storing transaction | |||
metadata without duplication. | |||
#### Metadata Handling: EvictTx Callback | |||
A possible approach to handling transaction metadata is by adding a new `EvictTx` | |||
ABCI method. Whenever the mempool is removing a transaction, either because it has | |||
reached its TTL or because it failed `RecheckTx`, `EvictTx` would be called with | |||
the transaction hash. This would indicate to the application that it could free any | |||
metadata it was storing about the transaction such as the computed gas fee. | |||
Eviction callbacks are pretty common in caching systems, so this would be very | |||
well-worn territory. | |||
#### Metadata Handling: Application-Specific Metadata Field(s) | |||
An alternative approach to handling transaction metadata would be would be the | |||
addition of a new application-metadata field in the `ResponseCheckTx`. This field | |||
would be a protocol buffer message whose contents were entirely opaque to Tendermint. | |||
The application would be responsible for marshalling and unmarshalling whatever data | |||
it stored in this field. During `PrepareProposal`, the application would be passed | |||
this metadata along with the transaction, allowing the application to use it to perform | |||
any necessary filtering. | |||
If either of these proposed metadata handling techniques are selected, it's likely | |||
useful to enable applications to gossip metadata along with the transaction it is | |||
gossiping. This could easily take the form of an opaque proto message that is | |||
gossiped along with the transaction. | |||
## References | |||
[eth-whitepaper-messages]: https://ethereum.org/en/whitepaper/#messages-and-transactions | |||
[gas-add-pr]: https://github.com/tendermint/tendermint/pull/2360 | |||
[cosmos-sdk-gas]: https://github.com/cosmos/cosmos-sdk/blob/c00cedb1427240a730d6eb2be6f7cb01f43869d3/docs/basics/gas-fees.md | |||
[cosmos-sdk-fees]: https://github.com/cosmos/cosmos-sdk/blob/c00cedb1427240a730d6eb2be6f7cb01f43869d3/docs/basics/tx-lifecycle.md#gas-and-fees | |||
[anoma-gas]: https://github.com/anoma/anoma/blob/6974fe1532a59db3574fc02e7f7e65d1216c1eb2/docs/src/specs/ledger.md#transaction-execution | |||
[cosmos-sdk-fee]: https://github.com/cosmos/cosmos-sdk/blob/c00cedb1427240a730d6eb2be6f7cb01f43869d3/types/tx/tx.pb.go#L780-L794 | |||
[issue-7750]: https://github.com/tendermint/tendermint/issues/7750 | |||
[reap-max-bytes-max-gas]: https://github.com/tendermint/tendermint/blob/1ac58469f32a98f1c0e2905ca1773d9eac7b7103/internal/mempool/types.go#L45 | |||
[add-mempool-error]: https://github.com/tendermint/tendermint/blob/205bfca66f6da1b2dded381efb9ad3792f9404cf/rpc/coretypes/responses.go#L239 |
@ -0,0 +1,98 @@ | |||
<<<<<<< HEAD:docs/rfc/rfc-012-semantic-versioning.md | |||
# RFC 012: Semantic Versioning | |||
======= | |||
# RFC 014: Semantic Versioning | |||
>>>>>>> a895a8ea5f (Rename and renumber imported RFCs.):docs/rfc/rfc-014-semantic-versioning.md | |||
## Changelog | |||
- 2021-11-19: Initial Draft | |||
- 2021-02-11: Migrate RFC to tendermint repo (Originally [RFC 006](https://github.com/tendermint/spec/pull/365)) | |||
## Author(s) | |||
- Callum Waters @cmwaters | |||
## Context | |||
We use versioning as an instrument to hold a set of promises to users and signal when such a set changes and how. In the conventional sense of a Go library, major versions signal that the public Go API’s have changed in a breaking way and thus require the users of such libraries to change their usage accordingly. Tendermint is a bit different in that there are multiple users: application developers (both in-process and out-of-process), node operators, and external clients. More importantly, both how these users interact with Tendermint and what's important to these users differs from how users interact and what they find important in a more conventional library. | |||
This document attempts to encapsulate the discussions around versioning in Tendermint and draws upon them to propose a guide to how Tendermint uses versioning to make promises to its users. | |||
For a versioning policy to make sense, we must also address the intended frequency of breaking changes. The strictest guarantees in the world will not help users if we plan to break them with every release. | |||
Finally I would like to remark that this RFC only addresses the "what", as in what are the rules for versioning. The "how" of Tendermint implementing the versioning rules we choose, will be addressed in a later RFC on Soft Upgrades. | |||
## Discussion | |||
We first begin with a round up of the various users and a set of assumptions on what these users expect from Tendermint in regards to versioning: | |||
1. **Application Developers**, those that use the ABCI to build applications on top of Tendermint, are chiefly concerned with that API. Breaking changes will force developers to modify large portions of their codebase to accommodate for the changes. Some ABCI changes such as introducing priority for the mempool don't require any effort and can be lazily adopted whilst changes like ABCI++ may force applications to redesign their entire execution system. It's also worth considering that the API's for go developers differ to developers of other languages. The former here can use the entire Tendermint library, most notably the local RPC methods, and so the team must be wary of all public Go API's. | |||
2. **Node Operators**, those running node infrastructure, are predominantly concerned with downtime, complexity and frequency of upgrading, and avoiding data loss. They may be also concerned about changes that may break the scripts and tooling they use to supervise their nodes. | |||
3. **External Clients** are those that perform any of the following: | |||
- consume the RPC endpoints of nodes like `/block` | |||
- subscribe to the event stream | |||
- make queries to the indexer | |||
This set are concerned with chain upgrades which will impact their ability to query state and block data as well as broadcast transactions. Examples include wallets and block explorers. | |||
4. **IBC module and relayers**. The developers of IBC and consumers of their software are concerned about changes that may affect a chain's ability to send arbitrary messages to another chain. Specifically, these users are affected by any breaking changes to the light client verification algorithm. | |||
Although we present them here as having different concerns, in a broader sense these user groups share a concern for the end users of applications. A crucial principle guiding this RFC is that **the ability for chains to provide continual service is more important than the actual upgrade burden put on the developers of these chains**. This means some extra burden for application developers is tolerable if it minimizes or substantially reduces downtime for the end user. | |||
### Modes of Interprocess Communication | |||
Tendermint has two primary mechanisms to communicate with other processes: RPC and P2P. The division marks the boundary between the internal and external components of the network: | |||
- The P2P layer is used in all cases that nodes (of any type) need to communicate with one another. | |||
- The RPC interface is for any outside process that wants to communicate with a node. | |||
The design principle here is that **communication via RPC is to a trusted source** and thus the RPC service prioritizes inspection rather than verification. The P2P interface is the primary medium for verification. | |||
As an example, an in-browser light client would verify headers (and perhaps application state) via the p2p layer, and then pass along information on to the client via RPC (or potentially directly via a separate API). | |||
The main exceptions to this are the IBC module and relayers, which are external to the node but also require verifiable data. Breaking changes to the light client verification path mean that all neighbouring chains that are connected will no longer be able to verify state transitions and thus pass messages back and forward. | |||
## Proposal | |||
Tendermint version labels will follow the syntax of [Semantic Versions 2.0.0](https://semver.org/) with a major, minor and patch version. The version components will be interpreted according to these rules: | |||
For the entire cycle of a **major version** in Tendermint: | |||
- All blocks and state data in a blockchain can be queried. All headers can be verified even across minor version changes. Nodes can both block sync and state sync from genesis to the head of the chain. | |||
- Nodes in a network are able to communicate and perform BFT state machine replication so long as the agreed network version is the lowest of all nodes in a network. For example, nodes using version 1.5.x and 1.2.x can operate together so long as the network version is 1.2 or lower (but still within the 1.x range). This rule essentially captures the concept of network backwards compatibility. | |||
- Node RPC endpoints will remain compatible with existing external clients: | |||
- New endpoints may be added, but old endpoints may not be removed. | |||
- Old endpoints may be extended to add new request and response fields, but requests not using those fields must function as before the change. | |||
- Migrations should be automatic. Upgrading of one node can happen asynchronously with respect to other nodes (although agreement of a network-wide upgrade must still occur synchronously via consensus). | |||
For the entire cycle of a **minor version** in Tendermint: | |||
- Public Go API's, for example in `node` or `abci` packages will not change in a way that requires any consumer (not just application developers) to modify their code. | |||
- No breaking changes to the block protocol. This means that all block related data structures should not change in a way that breaks any of the hashes, the consensus engine or light client verification. | |||
- Upgrades between minor versions may not result in any downtime (i.e., no migrations are required), nor require any changes to the config files to continue with the existing behavior. A minor version upgrade will require only stopping the existing process, swapping the binary, and starting the new process. | |||
A new **patch version** of Tendermint will only contain bug fixes and updates that impact the security and stability of Tendermint. | |||
These guarantees will come into effect at release 1.0. | |||
## Status | |||
Proposed | |||
## Consequences | |||
### Positive | |||
- Clearer communication of what versioning means to us and the effect they have on our users. | |||
### Negative | |||
- Can potentially incur greater engineering effort to uphold and follow these guarantees. | |||
### Neutral | |||
## References | |||
- [SemVer](https://semver.org/) | |||
- [Tendermint Tracking Issue](https://github.com/tendermint/tendermint/issues/5680) |
@ -1,3 +0,0 @@ | |||
# Consensus | |||
See the [consensus spec](https://github.com/tendermint/spec/tree/master/spec/consensus). |
@ -1,31 +0,0 @@ | |||
package sync | |||
import "sync" | |||
// Closer implements a primitive to close a channel that signals process | |||
// termination while allowing a caller to call Close multiple times safely. It | |||
// should be used in cases where guarantees cannot be made about when and how | |||
// many times closure is executed. | |||
type Closer struct { | |||
closeOnce sync.Once | |||
doneCh chan struct{} | |||
} | |||
// NewCloser returns a reference to a new Closer. | |||
func NewCloser() *Closer { | |||
return &Closer{doneCh: make(chan struct{})} | |||
} | |||
// Done returns the internal done channel allowing the caller either block or wait | |||
// for the Closer to be terminated/closed. | |||
func (c *Closer) Done() <-chan struct{} { | |||
return c.doneCh | |||
} | |||
// Close gracefully closes the Closer. A caller should only call Close once, but | |||
// it is safe to call it successive times. | |||
func (c *Closer) Close() { | |||
c.closeOnce.Do(func() { | |||
close(c.doneCh) | |||
}) | |||
} |
@ -1,28 +0,0 @@ | |||
package sync_test | |||
import ( | |||
"testing" | |||
"time" | |||
"github.com/stretchr/testify/require" | |||
tmsync "github.com/tendermint/tendermint/internal/libs/sync" | |||
) | |||
func TestCloser(t *testing.T) { | |||
closer := tmsync.NewCloser() | |||
var timeout bool | |||
select { | |||
case <-closer.Done(): | |||
case <-time.After(time.Second): | |||
timeout = true | |||
} | |||
for i := 0; i < 10; i++ { | |||
closer.Close() | |||
} | |||
require.True(t, timeout) | |||
<-closer.Done() | |||
} |