Turn ChainManager's pending_blobs into proposed/locked specific pending blobs

[ndr-ds]

Motivation

We were adding stuff to the chain manager's pending blobs, but never removing them. We were also not properly associating the lifecycle of the pending blobs with the locked and proposed blocks

Proposal

Associate the lifecycle of the pending blobs with the locked and proposed blocks, separately

Test Plan

CI + will add some tests

Release Plan

• These changes should be backported to the latest devnet branch
• These changes should be backported to the latest testnet branch

[ndr-ds]

• Turn ChainManager's pending_blobs into proposed/locked specific pending blobs #2813 👈 (View in Graphite)
• Split rust CI into more jobs #2786
• Fix lint CI and split it into multiple jobs #2785
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[afck]

Would it be better to turn these into Vec<Blob>s? (In the ChainManagerInfo, not in the ChainManager.) The recipient can't trust that the blob ID → blob association is correct anyway.

[ndr-ds]

Sure! Good point

[deuszx]

Not in this PR but instead of returning the missing_blob_ids as the error, we could instead return Vec<BlobId> from this method and it'd contain all the missing blobs.

[ndr-ds]

And then error out on the caller? I'm not sure I get it 🤔 We have retry logic that relies on the missing blobs being returned as this error, so we can't remove it AFAIU

[deuszx]

The caller would check if the returned vector is non-empty and act as required.

[deuszx]

IIUC in storage we have blobs from confirmed blocks and in the proposed_blobs we have blobs that haven't been validated even (they'd be part of locked_blobs). Isn't it possible that the blobs from proposed_blobs will be forgotten (if we confirm another proposal)? Yet the caller of this method might be told that we do have all the blobs (which we'll later delete). Isn't that a problem?

[afck]

blobs that haven't been validated even

(They have been validated by us, but not yet by a quorum, yes.)

I'm also a bit confused, yes.

Whenever we set the proposed block, we need to make sure that the blobs we store with the proposal are exactly the ones published by it. (Whether they were provided by the client or we already had them. But maybe we should just require for now that the client provide them all regardless.)

And analogously for the locked block: We need to store with it all the blobs that it publishes or reads! (Read blobs that we already have in storage we can probably omit, since we currently never remove blobs from storage, and since that might end up being too many blobs for the chain manager.)

[afck]

(Ah, I guess in the second case we never need to store any blobs in the chain manager that aren't being published by this block, because we presumably already asked for and processed a confirmed block that used them?)

[ndr-ds]

I guess now that we don't have proposed_blobs anymore and we just point to the blobs in the BlockProposal, we should be fine here, right? Or am I missing something?

[afck]

I think you're right:

• We should check that the blobs provided in the proposal are all published by that block (and don't contain duplicates).
• The published blobs that aren't provided in the proposal must be confirmed for us locally.

That's both already the case, is it?

[afck]

since we're controlling how it gets created

In a distributed fault-tolerant network, you can never trust what you receive from another node! In general, validators can't trust clients and vice-versa. Concretely, someone could run a modified client or an alternative implementation.

And that method is run on the client side, if I understand correctly, before sending the proposal over the network.

[ndr-ds]

Right, of course, my bad. I'll add the duplicated blobs check!

[ndr-ds]

Actually, on the server side we also always get the blobs for the block either by calling published_blob_ids or required_blob_ids. So I don't think we'll have duplicates.
The question is: should these functions error out if they detect a duplicate? For published_blob_ids I would say maybe, but for required_blob_ids I don't think so

[afck]

Sorry, I'm still confused: In ChainWorkerState::check_for_unneeded_blobs, at least, we don't seem to check for duplicates. It would be easy to add, though, by replacing contains with remove.

[ndr-ds]

I think I finally understand what you mean 😅 Good point! Will add. I think I'll do it differently though so we can have separate errors for unneeded and duplicated

[deuszx]

This method needs a comprehensive test coverage with each test case clearly showing what we're trying to achieve. I don't think the "requirements"/rules for these are written down anywhere? i.e. It should be clear to the team (and based on the code) when a blob is expected to be in one of the collections (locked_blobs, proposed_blobs, storage).

[afck]

I think you're right:

• We should check that the blobs provided in the proposal are all published by that block (and don't contain duplicates).
• The published blobs that aren't provided in the proposal must be confirmed for us locally.

That's both already the case, is it?

[ndr-ds]

I believe so. We create the proposal's blobs based on the blobs being published by that block. We also enforce that all blobs being published must be provided in the proposal, which means they must be in some pending location locally when proposing the block.
Right now, if we're trying to publish a blob again that is already confirmed in storage, we do technically need to add that blob to pending. Later on that'll be optimized away as we will ignore blobs that are already in storage, but maybe we can do that optimization earlier as well. Let me try that.

[afck]

Is this still needed? I thought I boxed all the large error fields.

[ndr-ds]

Good point! It's not, will remove

[afck]

Does the chain manager now always contain all blobs the block uses, or only the published ones? I think we went with the latter, didn't we? Then we also need to read them from storage here after all.

[ndr-ds]

The chain manager's proposed blobs are always the published ones. The locked blobs have all the used ones, AFAIU. Maybe both should just have the published ones? 🤔

[afck]

Sorry, I'm still confused: In ChainWorkerState::check_for_unneeded_blobs, at least, we don't seem to check for duplicates. It would be easy to add, though, by replacing contains with remove.

[ndr-ds]

If we're gonna keep all used blobs in the locked blobs, we actually need to distinct here between published and used locked blobs 😅

[afck]

Right, good point, this should filter them and use only the published ones.

[afck]

We should rename this function, too.

[ndr-ds]

Good catch! Will do

[afck]

(Maybe remove all the These are.)

[afck]

We could avoid reading those if the proposal doesn't have a validated block.

[afck]

(In theory this should be unreachable, shouldn't it?)

[ndr-ds]

In theory, yes, but I think if for some weird reason this happens we should definitely at least error out 😅

[afck]

Suggested change

	/// and check that they are otherwise in storage.
	/// and checks that they are otherwise in storage.

[afck]

Actually, this is unnecessary: At the (only) call site, in ChainClient::propose_block, we only get into this situation when we already just looked up in the chain manager that we are re-proposing a locked block. In that case, just use the corresponding blobs that are already in the chain manager. Only call read_local_blobs in the else case, when we do BlockProposal::new_initial.

[ndr-ds]

Good catch!

[afck]

And this is also unnecessary: We are looking for the published blobs, aren't we?

[afck]

We should create an issue, though: If the locked block is using blobs that we don't have in storage, we need to find another way to send them to the validator.
(Currently the validator wouldn't accept them, I think, because it expects the blobs in BlockProposal to be only the published ones?)

[ndr-ds]

This whole maybe_blob block can be removed I think. Since this will now only be called for a new block proposal, when this maybe_blob block is removed then that means this will only fail if someone forgets to call add_pending_blobs to add this blob to the ChainClient's pending blobs, which is the expected behavior, is it not?

[afck]

I see, we're already doing that anyway! Then the change to read_local_blobs isn't necessary, and the call should move into the else branch here, shouldn't it?

[afck]

Suggested change

	/// If the validated block certificate is more recent, return that certificate
	/// If the validated block certificate is more recent, returns that certificate

[afck]

This doesn't actually update the locked block. Maybe validated_block_if_newer_than_locked?

[afck]

(Maybe return early.)

Suggested change

	if let Some(lite_cert) = validated_block_certificate {
	let lite_cert = validated_block_certificate?;

[afck]

Why this change? Now we pass in the same block twice, basically.

[ndr-ds]

Now instead of building the ExecutedBlock here we do it outside the function. This was done to make the whole maybe_update_locked work and not pass used_blobs that won't be used here. Maybe there's a better way? This was the best I could think of.
I could also pass in the round, the content and the blobs as separate arguments, instead of the whole proposal
Nvm, can't do that 🤔 Open to suggestions on this!

[afck]

Suggested change

	/// chain manager. If they're not there, try to download the missing ones from this validator.
	/// chain manager. If they're not there, tries to download the missing ones from this validator.

[afck]

Then that's not a LocalNodeError but a NodeError. I tried to move these things to the right place in #2895; let's not mix them up again.

[ndr-ds]

Right 🤦🏻‍♂️ my bad! We do the check in the local node but it is related to the validator. Was trying to code past the brain mush stage, seems like it was a bad idea 😅

[afck]

Same here. Actually, even added exactly those two error variants to NodeError in #2895. Please check if we're doing these tests already, and don't re-introduce them to local_node.

[ndr-ds]

This one should be fine, right? The validator was missing some blobs, then we try to find them in the local node, and some are also missing from the local node, so we return a local error 🤔