Introduces heuristics that track the amount of no responses or unavailable blocks a provider has for more robust provider handling by the light client. Use concurrent calls to all witnesses when a new primary is needed.
Closes#4934
* light: do not compare trusted header w/ witnesses
we don't have trusted state to bisect from
* check header before checking height
otherwise you can get nil panic
fix bug so that PotentialAmnesiaEvidence is being gossiped
handle inbound amnesia evidence correctly
add method to check if potential amnesia evidence is on trial
fix a bug with the height when we upgrade to amnesia evidence
change evidence to using just pointers.
More logging in the evidence module
Co-authored-by: Marko <marbar3778@yahoo.com>
- Move core stateless validation of the Header type to a ValidateBasic method.
- Call header.ValidateBasic during a SignedHeader validation.
- Call header.ValidateBasic during a PhantomValidatorEvidence validation.
- Call header.ValidateBasic during a LunaticValidatorEvidence validation.
lite tests are skipped since the package is deprecated, no need to waste time on it
closes: #4572
Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
Closes: #4530
This PR contains logic for both submitting an evidence by the light client (lite2 package) and receiving it on the Tendermint side (/broadcast_evidence RPC and/or EvidenceReactor#Receive). Upon receiving the ConflictingHeadersEvidence (introduced by this PR), the Tendermint validates it, then breaks it down into smaller pieces (DuplicateVoteEvidence, LunaticValidatorEvidence, PhantomValidatorEvidence, PotentialAmnesiaEvidence). Afterwards, each piece of evidence is verified against the state of the full node and added to the pool, from which it's reaped upon block creation.
* rpc/client: do not pass height param if height ptr is nil
* rpc/core: validate incoming evidence!
* only accept ConflictingHeadersEvidence if one
of the headers is committed from this full node's perspective
This simplifies the code. Plus, if there are multiple forks, we'll
likely to receive multiple ConflictingHeadersEvidence anyway.
* swap CommitSig with Vote in LunaticValidatorEvidence
Vote is needed to validate signature
* no need to embed client
http is a provider and should not be used as a client
Closes: #4537
Uses SignedHeaderBefore to find header before unverified header and then bisection to verify the header. Only when header is between first and last trusted header height else if before the first trusted header height then regular backwards verification is used.
error itself is not enough since it only signals if there were any
errors. Either (types.SignedHeader) or (success bool) is needed to
indicate the status of the operation. Returning a header is optimal
since most of the clients will want to get a newly verified header
anyway.
We first introduced auto-update as a separate struct AutoClient, which
was wrapping Client and calling Update periodically.
// AutoClient can auto update itself by fetching headers every N seconds.
type AutoClient struct {
base *Client
updatePeriod time.Duration
quit chan struct{}
trustedHeaders chan *types.SignedHeader
errs chan error
}
// NewAutoClient creates a new client and starts a polling goroutine.
func NewAutoClient(base *Client, updatePeriod time.Duration) *AutoClient {
c := &AutoClient{
base: base,
updatePeriod: updatePeriod,
quit: make(chan struct{}),
trustedHeaders: make(chan *types.SignedHeader),
errs: make(chan error),
}
go c.autoUpdate()
return c
}
// TrustedHeaders returns a channel onto which new trusted headers are posted.
func (c *AutoClient) TrustedHeaders() <-chan *types.SignedHeader {
return c.trustedHeaders
}
// Err returns a channel onto which errors are posted.
func (c *AutoClient) Errs() <-chan error {
return c.errs
}
// Stop stops the client.
func (c *AutoClient) Stop() {
close(c.quit)
}
func (c *AutoClient) autoUpdate() {
ticker := time.NewTicker(c.updatePeriod)
defer ticker.Stop()
for {
select {
case <-ticker.C:
lastTrustedHeight, err := c.base.LastTrustedHeight()
if err != nil {
c.errs <- err
continue
}
if lastTrustedHeight == -1 {
// no headers yet => wait
continue
}
newTrustedHeader, err := c.base.Update(time.Now())
if err != nil {
c.errs <- err
continue
}
if newTrustedHeader != nil {
c.trustedHeaders <- newTrustedHeader
}
case <-c.quit:
return
}
}
}
Later we merged it into the Client itself with the assumption that most clients will want it.
But now I am not sure. Neither IBC nor cosmos/relayer are using it. It increases complexity (Start/Stop methods).
That said, I think it makes sense to remove it until we see a need for it (until we better understand usage behavior). We can always introduce it later 😅. Maybe in the form of AutoClient.
* lite2: fix tendermint lite sub command
- better logging
- chainID as an argument
- more examples
* one more log msg
* lite2: fire update right away after start
* turn off auto update in verification tests
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
closes#4469
Improved speed of cleanup by using SignedHeaderAfter instead of TrustedHeader to jump from header to header.
Prune() is now called when a new header and validator set are saved and is a function dealt by the database itself
## Commits:
* prune headers and vals
* modified cleanup and tests
* fixes after my own review
* implement Prune func
* make db ops concurrently safe
* use Iterator in SignedHeaderAfter
we should iterate from height+1, not from the end!
* simplify cleanup
Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
closes: #4455
Verifying backwards checks that the trustedHeader hasn't expired both before and after the loop in case of verifying many headers (a longer operation), but not during the loop itself.
TrustedHeader() no longer checks whether the header saved in the store has expired.
Tests have been updated to reflect the changes
## Commits:
* verify headers backwards out of trust period
* removed expiration check in trusted header func
* modified tests to reflect changes
* wrote new tests for backwards verification
* modified TrustedHeader and TrustedValSet functions
* condensed test functions
* condensed test functions further
* fix build error
* update doc
* add comments
* remove unnecessary declaration
* extract latestHeight check into a separate func
Co-authored-by: Callum Waters <cmwaters19@gmail.com>
Before we were storing trustedHeader (height=1) and trustedNextVals
(height=2).
After this change, we will be storing trustedHeader (height=1) and
trustedVals (height=1). This a) simplifies the code b) fixes#4399
inconsistent pairing issue c) gives a relayer access to the current
validator set #4470.
The only downside is more jumps during bisection. If validator set
changes between trustedHeader and the next header (by 2/3 or more), the
light client will be forced to download the next header and check that
2/3+ signed the transition. But we don't expect validator set change too
much and too often, so it's an acceptable compromise.
Closes#4470 and #4399
closes#4426
The sequence and bisection methods no longer save the intermediate headers and validator sets that they require to verify a currently untrusted header.
## Commits:
* sequence and bisection don't save intermediate headers and vals
* check the next validator hash matches the header
* check expired header at start of backwards verification
* added tests
* handled cleanup warning
* lint fix
* removed redundant code
* tweaked minor errors
* avoided premature trusting of nextVals
* fix test error
* updated trustedHeader and Vals together
* fixed bisection error
* fixed sequence error for different vals and made test
* fixes after my own review
* reorder vars to be consistent
with the rest of the code
Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
closes#4413 and #4419
When VerifyHeaderAtHeight() is called, TrustedHeader is initially run to check if the header has already been verified and returns the Header.
If the new header height is less than the lite clients latestTrustedHeader height, than backwards verification is performed else either sequence or bisection
Refactored a test to reflect the changes
* use trustedHeader func for already verified Headers
* remove fetch missing header from TrustedHeader
* check for already trusted Header in VerifyHeaderAtHeight
* replace updateTrustedHeaderAndVals to updateTrustedHeaderAndNextVals
* rename trustedHeader and trustedNextVals
* refactored backwards and included it in VerifyHeader
* cleaned up test to match changes
* lite2: fixes after my own review
Refs https://github.com/tendermint/tendermint/pull/4428#pullrequestreview-361730169
* fix ineffectual assignment
* lite2: check that header exists in VerifyHeader
* extract function
Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
refs #4329
As opposed to using recursion to implement the bisection method of verifying a header, which could have problems with memory allocation (especially for smaller devices), the bisection algorithm now uses a for loop.
* modified bisection to loop
* made lint changes
* made lint changes
* move note to VerifyHeader
since it applies both for sequence and bisection
* test bisection jumps to header signed by 1/3+
of old validator set
* update labels in debug log calls
* copy tc
Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
Closes#4385
* extract TrustOptions into its own file
* print trusted hash before asking whenever to rollback or not
so the user could reset the light client with the trusted header
* do not return an error if rollback is aborted
reason: we trust the old header presumably, so can continue from it.
* add note about time of initial header
* improve logging and add comments
* cross-check newHeader after LC verified it
* check if header is not nil
so we don't crash on the next line
* remove witness if it sends us incorrect header
* require at least one witness
* fix build and tests
* rename tests and assert for specific error
* wrote a test
* fix linter errors
* only check 1/3 if headers diverge
* witnesses are dropped after no response
* test witness dropout
* corrected import structure
* moved non responsiveness check to compare function
* removed dropout test as witnesses are never dropped
* created test to compare witnesses
* validate trust options
* add NewClientFromTrustedStore func
* make maxRetryAttempts an option
Closes#4370
* hash size should be equal to tmhash.Size
* make maxRetryAttempts uint
* make maxRetryAttempts uint16
maxRetryAttempts possible - 68 years
* we do not store trustingPeriod
* added test to create client from trusted store
* remove header and vals from primary
to make sure we're restoring them from the DB
Closes#4328
When TrustedHeader(height) is called, if the height is less than the trusted height but the header is not in the trusted store then a function finds the previous lowest height with a trusted header and performs a forwards sequential verification to the header of the height that was given. If no error is found it updates the trusted store with the header and validator set for that height and can then return them to the user.
Commits:
* drafted trusted header
* created function to find previous trusted height
* updates missing headers less than the trusted height
* minor cosmetic tweaks
* incorporated suggestions
* lite2: implement Backwards verification
and add SignedHeaderAfter func to Store interface
Refs https://github.com/tendermint/tendermint/issues/4328#issuecomment-581878549
* remove unused method
* write tests
* start with next height in SignedHeaderAfter func
* fix linter errors
* address Callum's comments
Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
Closes issue #4338
Uses a wrapper function around both the signedHeader and validatorSet calls to the primary provider which attempts to retrieve the information 5 times before deeming the provider unavailable and replacing the primary provider with the first alternative before trying recursively again (until all alternatives are depleted)
Employs a mutex lock for any operations involving the providers of the light client to ensure no operations occurs whilst the new primary is chosen.
Commits:
* created swapProvider function
* eliminates old primary provider after replacement. Uses a mutex when changing providers
* renamed to replaceProvider
* created wrapped functions for signed header and val set
* created test for primary provider replacement
* implemented suggested revisions
* created Witnesses() and Primary()
* modified backoffAndJitterTime
* modified backoffAndJitterTime
* changed backoff base and jitter to functional arguments
* implemented suggested changes
* removed backoff function
* changed exp function to match go version
* halved the backoff time
* removed seeding and added comments
* fixed incorrect test
* extract backoff timeout calc into a function
Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
* lite2: add Start method
There are few reasons to do that:
1) separation of state and dynamics (some users will want to delay
starting the light client; does not matter we should not allow them
to create a light client object)
2) less important, but some users might not need autoUpdateRoutine and
removeNoLongerTrustedHeadersRoutine routines
* lite2: wait till routines are finished in Stop
because they are started in Start, it feels more natural to wait for
them to finish in Stop.
* lite2: add TrustedValidatorSet func
* lite2: advance to latest header
without any exponential steps
rename autoUpdate to autoUpdateRoutine
* lite2: wait in Cleanup until goroutines finished running
* lite2: move AutoClient into Client
Most of the users will want auto update feature, so it makes sense to
move it into the Client itself, rather than having a separate
abstraction (it makes the code cleaner, but introduces an extra thing
the user will need to learn).
Also, add `FirstTrustedHeight` func to Client to get first trusted height.
* fix db store tests
* separate examples for auto and manual clients
* AutoUpdate tries to update to latest state
NOT 1 header at a time
* fix errors
* lite2: make Logger an option
remove SetLogger func
* fix lite cmd
* lite2: make concurrency assumptions explicit
* fixes after my own review
* no need for nextHeightFn
sequence func will download intermediate headers
* correct comment
Refs #1771
ADR: https://github.com/tendermint/tendermint/blob/master/docs/architecture/adr-044-lite-client-with-weak-subjectivity.md
## Commits:
* add Verifier and VerifyCommitTrusting
* add two more checks
make trustLevel an option
* float32 for trustLevel
* check newHeader time
* started writing lite Client
* unify Verify methods
* ensure h2.Header.bfttime < h1.Header.bfttime + tp
* move trust checks into Verify function
* add more comments
* more docs
* started writing tests
* unbonding period failures
* tests are green
* export ErrNewHeaderTooFarIntoFuture
* make golangci happy
* test for non-adjusted headers
* more precision
* providers and stores
* VerifyHeader and VerifyHeaderAtHeight funcs
* fix compile errors
* remove lastVerifiedHeight, persist new trusted header
* sequential verification
* remove TrustedStore option
* started writing tests for light client
* cover basic cases for linear verification
* bisection tests PASS
* rename BisectingVerification to SkippingVerification
* refactor the code
* add TrustedHeader method
* consolidate sequential verification tests
* consolidate skipping verification tests
* rename trustedVals to trustedNextVals
* start writing docs
* ValidateTrustLevel func and ErrOldHeaderExpired error
* AutoClient and example tests
* fix errors
* update doc
* remove ErrNewHeaderTooFarIntoFuture
This check is unnecessary given existing a) ErrOldHeaderExpired b)
h2.Time > now checks.
* return an error if we're at more recent height
* add comments
* add LastSignedHeaderHeight method to Store
I think it's fine if Store tracks last height
* copy over proxy from old lite package
* make TrustedHeader return latest if height=0
* modify LastSignedHeaderHeight to return an error if no headers exist
* copy over proxy impl
* refactor proxy and start http lite client
* Tx and BlockchainInfo methods
* Block method
* commit method
* code compiles again
* lite client compiles
* extract updateLiteClientIfNeededTo func
* move final parts
* add placeholder for tests
* force usage of lite http client in proxy
* comment out query tests for now
* explicitly mention tp: trusting period
* verify nextVals in VerifyHeader
* refactor bisection
* move the NextValidatorsHash check into updateTrustedHeaderAndVals
+ update the comment
* add ConsensusParams method to RPC client
* add ConsensusParams to rpc/mock/client
* change trustLevel type to a new cmn.Fraction type
+ update SkippingVerification comment
* stress out trustLevel is only used for non-adjusted headers
* fixes after Fede's review
Co-authored-by: Federico Kunze <31522760+fedekunze@users.noreply.github.com>
* compare newHeader with a header from an alternative provider
* save pivot header
Refs https://github.com/tendermint/tendermint/pull/3989#discussion_r349122824
* check header can still be trusted in TrustedHeader
Refs https://github.com/tendermint/tendermint/pull/3989#discussion_r349101424
* lite: update Validators and Block endpoints
- Block no longer contains BlockMeta
- Validators now accept two additional params: page and perPage
* make linter happy