Skip to content

Strengthen CometBFT's internal checks on vote extension enablement #546

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Mar 21, 2023
Merged

Strengthen CometBFT's internal checks on vote extension enablement #546

merged 11 commits into from
Mar 21, 2023

Conversation

sergio-mena
Copy link
Contributor

Contributes to #10

While troubleshooting #539, I had to navigate the production code dealing with vote extensions quite a bit. I realized we are not doing enough validation at key points: our checks tend to focus on making sure the vote extensions are there when they are needed, but less so on making sure we don't get vote extensions while they are disabled.

I started progressively adding the missing checks while investigating #539 to exclude various hypothesis. The end result is this PR.

How I tested it:

  • Notice the commit named "Added TODO DIAGNOSE panics for e2e testing", where I converted all checks for vote extensions performed on input from the network (so we should NOT panic in production, as then we'd be easily DOS-able) into panics.
  • Then, I ran our nightly tests locally (i.e., ./build/generator -g 5 -d networks/nightly/ && ./run-multiple.sh networks/nightly/*-group*-*.toml) on that version of the code. The idea being that the introduced panics should not be triggered as we have no byzantine nodes in our e2e tests ATM.
  • All nightly tests passed with that version of the code.
  • Finally, I reverted that commit to get the code in this PR production-ready

PR checklist

  • Tests written/updated
  • Changelog entry added in .changelog (we use unclog to manage our changelog)
  • Updated relevant documentation (docs/ or spec/) and code comments

@sergio-mena sergio-mena added the abci Application blockchain interface label Mar 17, 2023
@sergio-mena sergio-mena requested a review from a team as a code owner March 17, 2023 18:56
@sergio-mena sergio-mena self-assigned this Mar 17, 2023
@sergio-mena sergio-mena mentioned this pull request Mar 17, 2023
Closed
16 tasks
lasarojc
lasarojc reviewed Mar 21, 2023
View reviewed changes
consensus/types/height_vote_set_test.go
if err != ErrGotVoteFromUnwantedRound {
t.Errorf("expected GotVoteFromUnwantedRoundError, but got %v", err)
}
if added {
t.Error("Expected to *not* add vote from peer, too many catchup rounds.")
}

added, err = hvs.AddVote(vote1001_0, "peer2")
added, err = hvs.AddVote(vote1001_0, "peer2", true)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a test for the new condition in addVote?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point!

lasarojc
lasarojc approved these changes Mar 21, 2023
View reviewed changes
consensus/common_test.go
if extEnabled {
if voteType != cmtproto.PrecommitType {
panic(fmt.Errorf("vote type is not precommit but extensions enabled"))
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the following test does not need voteType -- cmtproto.PrecommitType since it was already tested. Is the recheck a Go idiom?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's an oversight :-)
Fixing it

consensus/state.go
if !cs.state.ConsensusParams.ABCI.VoteExtensionsEnabled(vote.Height) {
// The signer will sign the extension, make sure to remove the data on the way out
vote.StripExtension()
hasExt := len(vote.ExtensionSignature) > 0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

given the checks here, do we need the checks upstream, for example in signAddVote?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would leave them here for the time being, I prefer to be over-exhaustive... until this code has been used to some extent.
Just in case there is another path we didn't think of. Remember that the initial point of this code was ruling out possible inconsistencies with extension data when troubleshooting a real problem.

@sergio-mena sergio-mena merged commit ac6b072 into feature/abci++vef Mar 21, 2023
@sergio-mena sergio-mena deleted the sergio/10-strengthen-ve-enablement-checks branch March 21, 2023 20:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
1 more reviewer

@lasarojc lasarojc lasarojc approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees

@sergio-mena sergio-mena

Labels
abci Application blockchain interface
Projects
No open projects
CometBFT 2023
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sergio-mena @lasarojc