feat(hfork): rewrite hard fork detector based on #7087

Author: lidatong

book/api/metrics-generated.md

@@ -1195,5 +1195,9 @@
 | <span class="metrics-name">tower_&#8203;lockout_&#8203;fail</span> | counter | Locked out (can't vote) |
 | <span class="metrics-name">tower_&#8203;threshold_&#8203;fail</span> | counter | Did not pass threshold check (can't vote) |
 | <span class="metrics-name">tower_&#8203;propagated_&#8203;fail</span> | counter | Prev leader block did not propagate (can't vote) |
+| <span class="metrics-name">tower_&#8203;hard_&#8203;forks_&#8203;seen</span> | counter | Number of hard forks we've seen (block ids with multiple candidate bank hashes) |
+| <span class="metrics-name">tower_&#8203;hard_&#8203;forks_&#8203;pruned</span> | counter | Number of hard forks (candidate bank hashes) we've pruned |
+| <span class="metrics-name">tower_&#8203;hard_&#8203;forks_&#8203;active</span> | gauge | Currently active hard forks |
+| <span class="metrics-name">tower_&#8203;hard_&#8203;forks_&#8203;max_&#8203;width</span> | gauge | The max width of hard forks (block id with most candidate bank hashes) we've ever seen |
 
 </div>

src/app/firedancer/config/default.toml

@@ -1371,15 +1371,15 @@ user = ""
     [tiles.tower]
         # Solana reaches consensus via replay, but can "cluster confirm"
         # slots ahead of the replay tip by listening to vote txns from
-        # gossip or TPU.  The larger max_lookahead_conf, the further
+        # gossip or TPU.  The larger max_vote_lookahead, the further
         # ahead slots can be cluster confirmed before they are replayed.
         #
         # Specifically, tower will ignore gossip or TPU votes that are
-        # more than max_lookahead_conf slots ahead of the root.
+        # more than max_vote_lookahead slots ahead of the root.
         #
-        # Note max_lookahead_conf must be >= max_live_slots and
+        # Note max_vote_lookahead must be >= max_live_slots and
         # Firedancer will ignore a value where this is not the case.
-        max_lookahead_conf = 4096
+        max_vote_lookahead = 4096
 
     [tiles.send]
         # The port the send tile uses for QUIC, to send votes and other

src/app/firedancer/topology.c

@@ -345,7 +345,6 @@ fd_topo_initialize( config_t * config ) {
 
   fd_topob_wksp( topo, "funk"         );
   fd_topob_wksp( topo, "progcache"    );
-  fd_topob_wksp( topo, "bh_cmp"       );
   fd_topob_wksp( topo, "fec_sets"     );
   fd_topob_wksp( topo, "txncache"     );
   fd_topob_wksp( topo, "banks"        );
@@ -1199,9 +1198,9 @@ fd_topo_configure_tile( fd_topo_tile_t * tile,
 
   } else if( FD_UNLIKELY( !strcmp( tile->name, "tower" ) ) ) {
 
-    tile->tower.fork_fatal         = config->firedancer.development.hard_fork_fatal;
+    tile->tower.hard_fork_fatal    = config->firedancer.development.hard_fork_fatal;
     tile->tower.max_live_slots     = config->firedancer.runtime.max_live_slots;
-    tile->tower.max_lookahead_conf = config->tiles.tower.max_lookahead_conf;
+    tile->tower.max_vote_lookahead = config->tiles.tower.max_vote_lookahead;
     strncpy( tile->tower.identity_key, config->paths.identity_key, sizeof(tile->tower.identity_key) );
     strncpy( tile->tower.vote_account, config->paths.vote_account, sizeof(tile->tower.vote_account) );
     strncpy( tile->tower.base_path, config->paths.base, sizeof(tile->tower.base_path) );

src/app/shared/fd_config.h

@@ -490,7 +490,7 @@ struct fd_config {
     } shredcap;
 
     struct {
-      ulong max_lookahead_conf;
+      ulong max_vote_lookahead;
     } tower;
 
   } tiles;

src/app/shared/fd_config_parse.c

@@ -259,7 +259,7 @@ fd_config_extract_pod( uchar *       pod,
 
   CFG_POP      ( ushort, tiles.send.send_src_port                         );
 
-  CFG_POP      ( ulong,  tiles.tower.max_lookahead_conf                   );
+  CFG_POP      ( ulong,  tiles.tower.max_vote_lookahead                   );
 
   CFG_POP      ( bool,   tiles.archiver.enabled                           );
   CFG_POP      ( ulong,  tiles.archiver.end_slot                          );

src/choreo/fd_choreo_base.h

@@ -36,5 +36,6 @@ typedef uchar fd_block_id_t[ 32UL ];
 typedef fd_slot_hash_t fd_slot_pubkey_t;
 
 static const fd_pubkey_t pubkey_null = {{ 0 }};
+static const fd_hash_t hash_null = {{ 0 }};
 
 #endif /* HEADER_fd_src_choreo_fd_choreo_base_h */

src/choreo/ghost/fd_ghost.c

@@ -271,18 +271,18 @@ fd_ghost_insert( fd_ghost_t      * ghost,
 void
 fd_ghost_count_vote( fd_ghost_t *        ghost,
                      fd_ghost_blk_t *    blk,
-                     fd_pubkey_t const * vtr_addr,
+                     fd_pubkey_t const * vote_acc,
                      ulong               stake,
                      ulong               slot ) {
 
   fd_ghost_blk_t const * root = fd_ghost_root( ghost );
   fd_ghost_blk_t *       pool = ghost->pool;
-  fd_ghost_vtr_t *       vtr  = vtr_map_query( ghost->vtr_map, *vtr_addr, NULL );
+  fd_ghost_vtr_t *       vtr  = vtr_map_query( ghost->vtr_map, *vote_acc, NULL );
 
   if( FD_UNLIKELY( slot == ULONG_MAX  ) ) return; /* hasn't voted */
   if( FD_UNLIKELY( slot <  root->slot ) ) return; /* vote older than root */
 
-  if( FD_UNLIKELY( !vtr ) ) vtr = vtr_map_insert( ghost->vtr_map, *vtr_addr );
+  if( FD_UNLIKELY( !vtr ) ) vtr = vtr_map_insert( ghost->vtr_map, *vote_acc );
   else {
 
     /* Only process the vote if it is not the same as the previous vote

src/choreo/hfork/Local.mk

@@ -0,0 +1,8 @@
+$(call add-hdrs,fd_hfork.h)
+$(call add-objs,fd_hfork,fd_choreo)
+ifdef FD_HAS_HOSTED
+ifdef FD_HAS_SECP256K1
+$(call make-unit-test,test_hfork,test_hfork,fd_choreo fd_flamenco fd_tango fd_ballet fd_util)
+$(call run-unit-test,test_hfork)
+endif
+endif

src/choreo/hfork/fd_hfork.c

@@ -0,0 +1,282 @@
+#include "fd_hfork.h"
+#include "fd_hfork_private.h"
+
+static void
+check( fd_hfork_t *  hfork,
+       ulong         total_stake,
+       candidate_t * candidate,
+       int           invalid,
+       fd_hash_t *   our_bank_hash ) {
+
+  if( FD_LIKELY( candidate->checked ) ) return; /* already checked this bank hash against our own */
+  if( FD_LIKELY( candidate->stake * 100UL / total_stake < 52UL ) ) return; /* not enough stake to compare */
+
+  if( FD_UNLIKELY( invalid ) ) {
+    char msg[ 4096UL ];
+    FD_BASE58_ENCODE_32_BYTES( candidate->key.block_id.uc, _block_id );
+    FD_TEST( fd_cstr_printf_check( msg, sizeof( msg ), NULL,
+                                  "HARD FORK DETECTED: our validator has marked slot %lu with block ID `%s` dead, but %lu validators with %.1f of stake have voted on it",
+                                  candidate->slot,
+                                  _block_id,
+                                  candidate->cnt,
+                                  100.0*(double)candidate->stake/(double)total_stake ) );
+
+    if( FD_UNLIKELY( hfork->fatal ) ) FD_LOG_ERR    (( "%s", msg ));
+    else                              FD_LOG_WARNING(( "%s", msg ));
+  } else if( FD_UNLIKELY( 0!=memcmp( our_bank_hash, &candidate->key.bank_hash, 32UL ) ) ) {
+    char msg[ 4096UL ];
+    FD_BASE58_ENCODE_32_BYTES( our_bank_hash->uc, _our_bank_hash );
+    FD_BASE58_ENCODE_32_BYTES( candidate->key.block_id.uc, _block_id );
+    FD_BASE58_ENCODE_32_BYTES( candidate->key.bank_hash.uc, _bank_hash );
+    FD_TEST( fd_cstr_printf_check( msg, sizeof( msg ), NULL,
+                                  "HARD FORK DETECTED: our validator has produced bank hash `%s` for slot %lu with block ID `%s`, but %lu validators with %.1f of stake have voted on a different bank hash `%s` for the same slot",
+                                  _our_bank_hash,
+                                  candidate->slot,
+                                  _block_id,
+                                  candidate->cnt,
+                                  100.0*(double)candidate->stake/(double)total_stake,
+                                  _bank_hash ) );
+
+    if( FD_UNLIKELY( hfork->fatal ) ) FD_LOG_ERR    (( "%s", msg ));
+    else                              FD_LOG_WARNING(( "%s", msg ));
+  }
+  candidate->checked = 1;
+}
+
+ulong
+fd_hfork_align( void ) {
+  return 128UL;
+}
+
+ulong
+fd_hfork_footprint( ulong max_live_slots,
+                    ulong max_vote_accounts ) {
+  int lg_blk_max       = fd_ulong_find_msb( fd_ulong_pow2_up( max_live_slots * max_vote_accounts ) ) + 1;
+  int lg_vtr_max       = fd_ulong_find_msb( fd_ulong_pow2_up( max_vote_accounts ) ) + 1;
+
+  ulong l = FD_LAYOUT_INIT;
+  l = FD_LAYOUT_APPEND( l, alignof(fd_hfork_t),   sizeof(fd_hfork_t)                    );
+  l = FD_LAYOUT_APPEND( l, blk_map_align(),       blk_map_footprint( lg_blk_max )       );
+  l = FD_LAYOUT_APPEND( l, vtr_map_align(),       vtr_map_footprint( lg_vtr_max )       );
+  l = FD_LAYOUT_APPEND( l, candidate_map_align(), candidate_map_footprint( lg_blk_max ) );
+  for( ulong i = 0UL; i < fd_ulong_pow2( lg_vtr_max ); i++ ) {
+    l = FD_LAYOUT_APPEND( l, votes_align(), votes_footprint( max_live_slots ) );
+  }
+  return FD_LAYOUT_FINI( l, fd_hfork_align() );
+}
+
+void *
+fd_hfork_new( void * shmem,
+              ulong  max_live_slots,
+              ulong  max_vote_accounts,
+              ulong  seed,
+              int    fatal ) {
+  (void)seed; /* TODO map seed */
+
+  if( FD_UNLIKELY( !shmem ) ) {
+    FD_LOG_WARNING(( "NULL mem" ));
+    return NULL;
+  }
+
+  if( FD_UNLIKELY( !fd_ulong_is_aligned( (ulong)shmem, fd_hfork_align() ) ) ) {
+    FD_LOG_WARNING(( "misaligned mem" ));
+    return NULL;
+  }
+
+  ulong footprint = fd_hfork_footprint( max_live_slots, max_vote_accounts );
+  if( FD_UNLIKELY( !footprint ) ) {
+    FD_LOG_WARNING(( "bad max_live_slots (%lu) or max_vote_accounts (%lu)", max_live_slots, max_vote_accounts ));
+    return NULL;
+  }
+
+  fd_memset( shmem, 0, footprint );
+
+  int lg_blk_max       = fd_ulong_find_msb( fd_ulong_pow2_up( max_live_slots * max_vote_accounts ) ) + 1;
+  int lg_vtr_max       = fd_ulong_find_msb( fd_ulong_pow2_up( max_vote_accounts ) ) + 1;
+
+  FD_SCRATCH_ALLOC_INIT( l, shmem );
+  fd_hfork_t * hfork         = FD_SCRATCH_ALLOC_APPEND( l, fd_hfork_align(),      sizeof( fd_hfork_t )                        );
+  void *       blk_map       = FD_SCRATCH_ALLOC_APPEND( l, blk_map_align(),       blk_map_footprint( lg_blk_max )             );
+  void *       vtr_map       = FD_SCRATCH_ALLOC_APPEND( l, vtr_map_align(),       vtr_map_footprint( lg_vtr_max )             );
+  void *       candidate_map = FD_SCRATCH_ALLOC_APPEND( l, candidate_map_align(), candidate_map_footprint( lg_blk_max )       );
+
+  hfork->blk_map       = blk_map_new( blk_map, lg_blk_max );
+  hfork->vtr_map       = vtr_map_new( vtr_map, lg_vtr_max );
+  hfork->candidate_map = candidate_map_new( candidate_map, lg_blk_max );
+  for( ulong i = 0UL; i < fd_ulong_pow2( lg_vtr_max ); i++ ) {
+    void *  votes = FD_SCRATCH_ALLOC_APPEND( l, votes_align(), votes_footprint( max_live_slots ) );
+    vtr_t * join  = vtr_map_join( hfork->vtr_map );
+    join[i].votes = votes_new( votes, max_live_slots );
+  }
+  FD_TEST( FD_SCRATCH_ALLOC_FINI( l, fd_hfork_align() ) == (ulong)shmem + footprint );
+  hfork->fatal = fatal;
+  return shmem;
+}
+
+fd_hfork_t *
+fd_hfork_join( void * shhfork ) {
+  fd_hfork_t * hfork = (fd_hfork_t *)shhfork;
+
+  if( FD_UNLIKELY( !hfork ) ) {
+    FD_LOG_WARNING(( "NULL hfork" ));
+    return NULL;
+  }
+
+  if( FD_UNLIKELY( !fd_ulong_is_aligned((ulong)hfork, fd_hfork_align() ) ) ) {
+    FD_LOG_WARNING(( "misaligned hfork" ));
+    return NULL;
+  }
+
+  hfork->blk_map       = blk_map_join( hfork->blk_map );
+  hfork->vtr_map       = vtr_map_join( hfork->vtr_map );
+  hfork->candidate_map = candidate_map_join( hfork->candidate_map );
+  for( ulong i = 0UL; i < vtr_map_slot_cnt( hfork->vtr_map ); i++ ) {
+    hfork->vtr_map[i].votes = votes_join( hfork->vtr_map[i].votes );
+  }
+
+  return hfork;
+}
+
+void *
+fd_hfork_leave( fd_hfork_t const * hfork ) {
+
+  if( FD_UNLIKELY( !hfork ) ) {
+    FD_LOG_WARNING(( "NULL hfork" ));
+    return NULL;
+  }
+
+  return (void *)hfork;
+}
+
+void *
+fd_hfork_delete( void * hfork ) {
+
+  if( FD_UNLIKELY( !hfork ) ) {
+    FD_LOG_WARNING(( "NULL hfork" ));
+    return NULL;
+  }
+
+  if( FD_UNLIKELY( !fd_ulong_is_aligned((ulong)hfork, fd_hfork_align() ) ) ) {
+    FD_LOG_WARNING(( "misaligned hfork" ));
+    return NULL;
+  }
+
+  return hfork;
+}
+
+void
+fd_hfork_count_vote( fd_hfork_t *         hfork,
+                     fd_hash_t const *    vote_acc,
+                     fd_hash_t const *    block_id,
+                     fd_hash_t const *    bank_hash,
+                     ulong                slot,
+                     ulong                stake,
+                     ulong                total_stake,
+                     fd_hfork_metrics_t * metrics ) {
+
+  /* Get the vtr. */
+
+  vtr_t * vtr = vtr_map_query( hfork->vtr_map, *vote_acc, NULL );
+  if( FD_UNLIKELY( !vtr ) ) vtr = vtr_map_insert( hfork->vtr_map, *vote_acc );
+
+  /* Ignore out of order or duplicate votes. */
+
+  if( FD_UNLIKELY( !votes_empty( vtr->votes ) ) ) {
+    vote_t const * tail = votes_peek_tail_const( vtr->votes );
+    if( FD_UNLIKELY( tail && tail->slot >= slot ) ) return;
+  }
+
+  /* Evict the candidate's oldest vote (by vote slot). */
+
+  if( FD_UNLIKELY( votes_full( vtr->votes ) ) ) {
+    vote_t          vote      = votes_pop_head( vtr->votes );
+    candidate_key_t key       = { .block_id = vote.block_id, .bank_hash = vote.bank_hash };
+    candidate_t *   candidate = candidate_map_query( hfork->candidate_map, key, NULL );
+    candidate->stake -= vote.stake;
+    candidate->cnt--;
+    if( FD_UNLIKELY( candidate->cnt==0 ) ) {
+      candidate_map_remove( hfork->candidate_map, candidate );
+      blk_t * blk = blk_map_query( hfork->blk_map, vote.block_id, NULL );
+      blk->bank_hashes_cnt--;
+      if( FD_UNLIKELY( blk->bank_hashes_cnt == 0 ) ) {
+        blk_map_remove( hfork->blk_map, blk );
+        if( FD_UNLIKELY( blk->forked ) ) {
+          metrics->active--;
+          metrics->pruned++;
+        }
+      }
+    }
+  }
+
+  /* Push the vote onto the vtr. */
+
+  vote_t vote = { .block_id = *block_id, .bank_hash = *bank_hash, .slot = slot, .stake = stake };
+  vtr->votes  = votes_push_tail( vtr->votes, vote );
+
+  /* Update the hard fork candidate for this block id. */
+
+  candidate_key_t key       = { .block_id = *block_id, .bank_hash = *bank_hash };
+  candidate_t *   candidate = candidate_map_query( hfork->candidate_map, key, NULL );
+  if( FD_UNLIKELY( !candidate ) ) {
+    candidate        = candidate_map_insert( hfork->candidate_map, key );
+    candidate->slot  = slot;
+    candidate->stake = 0UL;
+    candidate->cnt   = 0UL;
+  }
+  candidate->cnt++;
+  candidate->stake += stake;
+
+  /* Update the list of bank hashes for this block_id. */
+
+  blk_t * blk = blk_map_query( hfork->blk_map, *block_id, NULL );
+  if( FD_UNLIKELY( !blk ) ) {
+    FD_TEST( blk_map_key_cnt( hfork->blk_map ) < blk_map_key_max( hfork->blk_map ) ); /* invariant violation: blk_map full */
+    blk                  = blk_map_insert( hfork->blk_map, *block_id );
+    FD_TEST( blk );
+    blk->bank_hashes_cnt = 0;
+    blk->replayed        = 0;
+    blk->invalid         = 0;
+  }
+  int found = 0;
+  for( ulong i=0UL; i<blk->bank_hashes_cnt; i++ ) {
+    if( FD_LIKELY( 0==memcmp( &blk->bank_hashes[i], bank_hash, 32UL ) ) ) found = 1;
+  }
+  if( FD_UNLIKELY( !found ) ) {
+    blk->bank_hashes[ blk->bank_hashes_cnt++ ] = *bank_hash;
+
+    /* Found a hard fork. */
+
+    if( FD_UNLIKELY( !blk->forked && blk->bank_hashes_cnt > 1 ) ) {
+      blk->forked = 1;
+      metrics->seen++;
+      metrics->active++;
+    }
+  }
+  metrics->max_width = fd_ulong_max( metrics->max_width, blk->bank_hashes_cnt );
+
+  /* Check for hard forks. */
+
+  if( FD_LIKELY( blk->replayed ) ) check( hfork, total_stake, candidate, blk->invalid, &blk->our_bank_hash );
+}
+
+void
+fd_hfork_record_our_bank_hash( fd_hfork_t * hfork,
+                               fd_hash_t  * block_id,
+                               fd_hash_t  * bank_hash,
+                               ulong        total_stake ) {
+  blk_t * blk = blk_map_query( hfork->blk_map, *block_id, NULL );
+  if( FD_UNLIKELY( !blk ) ) {
+    blk                  = blk_map_insert( hfork->blk_map, *block_id );
+    FD_TEST( blk );
+    blk->bank_hashes_cnt = 0UL;
+    blk->replayed        = 1;
+  }
+  if( FD_LIKELY( bank_hash ) ) { blk->invalid = 0; blk->our_bank_hash = *bank_hash; }
+  else                           blk->invalid = 1;
+
+  for( ulong i=0UL; i<blk->bank_hashes_cnt; i++ ) {
+    candidate_key_t key       = { .block_id = *block_id, .bank_hash = blk->bank_hashes[i] };
+    candidate_t *   candidate = candidate_map_query( hfork->candidate_map, key, NULL );
+    if( FD_LIKELY( candidate ) ) check( hfork, total_stake, candidate, blk->invalid, &blk->our_bank_hash );
+  }
+}