# beacon_chain # Copyright (c) 2018-2020 Status Research & Development GmbH # Licensed and distributed under either of # * MIT license (license terms in the root directory or at https://opensource.org/licenses/MIT). # * Apache v2 license (license terms in the root directory or at https://www.apache.org/licenses/LICENSE-2.0). # at your option. This file may not be copied, modified, or distributed except according to those terms. {.push raises: [Defect].} import # Standard library std/tables, std/options, std/typetraits, # Status libraries chronicles, stew/results, # Internal ../spec/[datatypes, digest], # Fork choice ./fork_choice_types logScope: topics = "fork_choice" export results # https://github.com/ethereum/eth2.0-specs/blob/v0.11.1/specs/phase0/fork-choice.md # This is a port of https://github.com/sigp/lighthouse/pull/804 # which is a port of "Proto-Array": https://github.com/protolambda/lmd-ghost # See also: # - Protolambda port of Lighthouse: https://github.com/protolambda/eth2-py-hacks/blob/ae286567/proto_array.py # - Prysmatic writeup: https://hackmd.io/bABJiht3Q9SyV3Ga4FT9lQ#High-level-concept # - Gasper Whitepaper: https://arxiv.org/abs/2003.03052 # Helper # ---------------------------------------------------------------------- func tiebreak(a, b: Eth2Digest): bool = ## Fork-Choice tie-break between 2 digests ## Currently implemented as `>=` (greater or equal) ## on the binary representation for i in 0 ..< a.data.len: if a.data[i] < b.data[i]: return false elif a.data[i] > b.data[i]: return true # else we have equality so far return true template getOrFailcase*[K, V](table: Table[K, V], key: K, failcase: untyped): V = ## Get a value from a Nim Table, turning KeyError into ## the "failcase" block: # TODO: try/except expression with Nim v1.2.0: # https://github.com/status-im/nim-beacon-chain/pull/865#discussion_r404856551 var value: V try: value = table[key] except KeyError: failcase value template unsafeGet*[K, V](table: Table[K, V], key: K): V = ## Get a value from a Nim Table, turning KeyError into ## an AssertionError defect getOrFailcase(table, key): doAssert false, "The " & astToStr(table) & " table shouldn't miss a key" # Forward declarations # ---------------------------------------------------------------------- func maybe_update_best_child_and_descendant( self: var ProtoArray, parent_index: Index, child_index: Index): FcResult[void] func node_is_viable_for_head(self: ProtoArray, node: ProtoNode): bool func node_leads_to_viable_head(self: ProtoArray, node: ProtoNode): FcResult[bool] # ProtoArray routines # ---------------------------------------------------------------------- func apply_score_changes*( self: var ProtoArray, deltas: var openarray[Delta], justified_epoch: Epoch, finalized_epoch: Epoch ): FcResult[void] = ## Iterate backwards through the array, touching all nodes and their parents ## and potentially the best-child of each parent. ## ## The structure of `self.nodes` array ensures that the child of each node ## is always touched before it's aprent. ## ## For each node the following is done: ## ## 1. Update the node's weight with the corresponding delta. ## 2. Backpropagate each node's delta to its parent's delta. ## 3. Compare the current node with the parent's best-child, ## updating if the current node should become the best-child ## 4. If required, update the parent's best-descendant with the current node or its best-descendant if deltas.len != self.indices.len: return err ForkChoiceError( kind: fcInvalidDeltaLen, deltasLen: deltas.len, indicesLen: self.indices.len ) self.justified_epoch = justified_epoch self.finalized_epoch = finalized_epoch # Iterate backwards through all the indices in `self.nodes` for node_index in countdown(self.nodes.len - 1, 0): template node: untyped {.dirty.}= self.nodes[node_index] ## Alias # This cannot raise the IndexError exception, how to tell compiler? if node.root == default(Eth2Digest): continue if node_index notin {0..deltas.len-1}: # TODO: Here `deltas.len == self.indices.len` from the previous check # and we can probably assume that # `self.indices.len == self.nodes.len` by construction # and avoid this check in a loop or altogether return err ForkChoiceError( kind: fcInvalidNodeDelta, index: node_index ) let node_delta = deltas[node_index] # Apply the delta to the node # We fail fast if underflow, which shouldn't happen. # Note that delta can be negative but weight cannot let weight = node.weight + node_delta if weight < 0: return err ForkChoiceError( kind: fcDeltaUnderflow, index: node_index ) node.weight = weight # If the node has a parent, try to update its best-child and best-descendant if node.parent.isSome(): # TODO: Nim `options` module could use some {.inline.} # and a mutable overload for unsafeGet # and a "no exceptions" (only panics) implementation. let parent_index = node.parent.unsafeGet() if parent_index notin {0..deltas.len-1}: return err ForkChoiceError( kind: fcInvalidParentDelta, index: parent_index ) # Back-propagate the nodes delta to its parent. deltas[parent_index] += node_delta ? self.maybe_update_best_child_and_descendant(parent_index, node_index) return ok() func on_block*( self: var ProtoArray, root: Eth2Digest, hasParentInForkChoice: bool, parent: Eth2Digest, justified_epoch: Epoch, finalized_epoch: Epoch ): FcResult[void] = ## Register a block with the fork choice ## A block `hasParentInForkChoice` may be false ## on fork choice initialization: ## - either from Genesis ## - or from a finalized state loaded from database # Note: if parent is an "Option" type, we can run out of stack space. # If the block is already known, ignore it if root in self.indices: return ok() var parent_index: Option[int] if not hasParentInForkChoice: # Genesis (but Genesis might not be default(Eth2Digest)) parent_index = none(int) elif parent notin self.indices: return err ForkChoiceError( kind: fcUnknownParent, child_root: root, parent_root: parent ) else: parent_index = some(self.indices.unsafeGet(parent)) let node_index = self.nodes.len let node = ProtoNode( root: root, parent: parent_index, justified_epoch: justified_epoch, finalized_epoch: finalized_epoch, weight: 0, best_child: none(int), best_descendant: none(int) ) self.indices[node.root] = node_index self.nodes.add node # TODO: if this is costly, we can setLen + construct the node in-place if parent_index.isSome(): # parent_index is always valid except for Genesis ? self.maybe_update_best_child_and_descendant(parent_index.unsafeGet(), node_index) return ok() func find_head*( self: var ProtoArray, head: var Eth2Digest, justified_root: Eth2Digest ): FcResult[void] = ## Follows the best-descendant links to find the best-block (i.e. head-block) ## ## ⚠️ Warning ## The result may not be accurate if `on_new_block` ## is not followed by `apply_score_changes` as `on_new_block` does not ## update the whole tree. let justified_index = self.indices.getOrFailcase(justified_root): return err ForkChoiceError( kind: fcJustifiedNodeUnknown, block_root: justified_root ) if justified_index notin {0..self.nodes.len-1}: return err ForkChoiceError( kind: fcInvalidJustifiedIndex, index: justified_index ) template justified_node: untyped = self.nodes[justified_index] # Alias, IndexError are defects let best_descendant_index = block: if justified_node.best_descendant.isSome(): justified_node.best_descendant.unsafeGet() else: justified_index if best_descendant_index notin {0..self.nodes.len-1}: return err ForkChoiceError( kind: fcInvalidBestDescendant, index: best_descendant_index ) template best_node: untyped = self.nodes[best_descendant_index] # Alias, IndexError are defects # Perform a sanity check to ensure the node can be head if not self.node_is_viable_for_head(best_node): return err ForkChoiceError( kind: fcInvalidBestNode, start_root: justified_root, justified_epoch: self.justified_epoch, finalized_epoch: self.finalized_epoch, head_root: justified_node.root, head_justified_epoch: justified_node.justified_epoch, head_finalized_epoch: justified_node.finalized_epoch ) head = best_node.root return ok() # TODO: pruning can be made cheaper by keeping the new offset as a field # in proto_array instead of scanning the table to substract the offset. # In that case pruning can always be done and does not need a threshold for efficiency. # https://github.com/protolambda/eth2-py-hacks/blob/ae286567/proto_array.py func maybe_prune*( self: var ProtoArray, finalized_root: Eth2Digest ): FcResult[void] = ## Update the tree with new finalization information. ## The tree is pruned if and only if: ## - The `finalized_root` and finalized epoch are different from current ## - The number of nodes in `self` is at least `self.prune_threshold` ## ## Returns error if: ## - The finalized epoch is less than the current one ## - The finalized epoch matches the current one but the finalized root is different ## - Internal error due to invalid indices in `self` let finalized_index = self.indices.getOrFailcase(finalized_root): return err ForkChoiceError( kind: fcFinalizedNodeUnknown, block_root: finalized_root ) if finalized_index < self.prune_threshold: # Pruning small numbers of nodes incurs more overhead than leaving them as is return ok() # Remove the `self.indices` key/values for the nodes slated for deletion if finalized_index notin {0..self.nodes.len-1}: return err ForkChoiceError( kind: fcInvalidNodeIndex, index: finalized_index ) trace "Pruning blocks from fork choice", finalizedRoot = shortlog(finalized_root), pcs = "prune" for node_index in 0 ..< finalized_index: self.indices.del(self.nodes[node_index].root) # Drop all nodes prior to finalization. # This is done in-place with `moveMem` to avoid costly reallocations. static: doAssert ProtoNode.supportsCopyMem(), "ProtoNode must be a trivial type" let tail = self.nodes.len - finalized_index # TODO: can we have an unallocated `self.nodes`? i.e. self.nodes[0] is nil moveMem(self.nodes[0].addr, self.nodes[finalized_index].addr, tail * sizeof(ProtoNode)) self.nodes.setLen(tail) # Adjust the indices map for index in self.indices.mvalues(): index -= finalized_index if index < 0: return err ForkChoiceError( kind: fcIndexUnderflow, underflowKind: fcUnderflowIndices ) # Iterate through all the existing nodes and adjust their indices to match # the new layout of `self.nodes` for node in self.nodes.mitems(): # If `node.parent` is less than `finalized_index`, set it to None if node.parent.isSome(): let new_parent = node.parent.unsafeGet() - finalized_index if new_parent < 0: node.parent = none(Index) else: node.parent = some(new_parent) if node.best_child.isSome(): let new_best_child = node.best_child.unsafeGet() - finalized_index if new_best_child < 0: return err ForkChoiceError( kind: fcIndexUnderflow, underflowKind: fcUnderflowBestChild ) node.best_child = some(new_best_child) if node.best_descendant.isSome(): let new_best_descendant = node.best_descendant.unsafeGet() - finalized_index if new_best_descendant < 0: return err ForkChoiceError( kind: fcIndexUnderflow, underflowKind: fcUnderflowBestDescendant ) node.best_descendant = some(new_best_descendant) return ok() func maybe_update_best_child_and_descendant( self: var ProtoArray, parent_index: Index, child_index: Index): Result[void, ForkChoiceError] = ## Observe the parent at `parent_index` with respect to the child at `child_index` and ## potentiatlly modify the `parent.best_child` and `parent.best_descendant` values ## ## There are four scenarios: ## ## 1. The child is already the best child ## but it's now invalid due to a FFG change and should be removed. ## 2. The child is already the best child ## and the parent is updated with the new best descendant ## 3. The child is not the best child but becomes the best child ## 4. The child is not the best child and does not become the best child if child_index notin {0..self.nodes.len-1}: return err ForkChoiceError( kind: fcInvalidNodeIndex, index: child_index ) if parent_index notin {0..self.nodes.len-1}: return err ForkChoiceError( kind: fcInvalidNodeIndex, index: parent_index ) # Aliases template child: untyped {.dirty.} = self.nodes[child_index] template parent: untyped {.dirty.} = self.nodes[parent_index] let child_leads_to_viable_head = ? self.node_leads_to_viable_head(child) let # Aliases to the 3 possible (best_child, best_descendant) tuples change_to_none = (none(Index), none(Index)) change_to_child = ( some(child_index), # Nim `options` module doesn't implement option `or` if child.best_descendant.isSome(): child.best_descendant else: some(child_index) ) no_change = (parent.best_child, parent.best_descendant) # TODO: state-machine? The control-flow is messy let (new_best_child, new_best_descendant) = block: if parent.best_child.isSome: let best_child_index = parent.best_child.unsafeGet() if best_child_index == child_index and not child_leads_to_viable_head: # The child is already the best-child of the parent # but it's not viable to be the head block => remove it change_to_none elif best_child_index == child_index: # If the child is the best-child already, set it again to ensure # that the best-descendant of the parent is up-to-date. change_to_child else: if best_child_index notin {0..self.nodes.len-1}: return err ForkChoiceError( kind: fcInvalidBestDescendant, index: best_child_index ) let best_child = self.nodes[best_child_index] let best_child_leads_to_viable_head = ? self.node_leads_to_viable_head(best_child) if child_leads_to_viable_head and not best_child_leads_to_viable_head: # The child leads to a viable head, but the current best-child doesn't change_to_child elif not child_leads_to_viable_head and best_child_leads_to_viable_head: # The best child leads to a viable head, but the child doesn't no_change elif child.weight == best_child.weight: # Tie-breaker of equal weights by root if child.root.tiebreak(best_child.root): change_to_child else: no_change else: # Choose winner by weight if child.weight >= best_child.weight: change_to_child else: no_change else: if child_leads_to_viable_head: # There is no current best-child and the child is viable change_to_child else: # There is no current best-child but the child is not viable no_change self.nodes[parent_index].best_child = new_best_child self.nodes[parent_index].best_descendant = new_best_descendant return ok() func node_leads_to_viable_head( self: ProtoArray, node: ProtoNode ): FcResult[bool] = ## Indicates if the node itself or its best-descendant are viable ## for blockchain head let best_descendant_is_viable_for_head = block: if node.best_descendant.isSome(): let best_descendant_index = node.best_descendant.unsafeGet() if best_descendant_index notin {0..self.nodes.len-1}: return err ForkChoiceError( kind: fcInvalidBestDescendant, index: best_descendant_index ) let best_descendant = self.nodes[best_descendant_index] self.node_is_viable_for_head(best_descendant) else: false return ok(best_descendant_is_viable_for_head or self.node_is_viable_for_head(node)) func node_is_viable_for_head(self: ProtoArray, node: ProtoNode): bool = ## This is the equivalent of `filter_block_tree` function in eth2 spec ## https://github.com/ethereum/eth2.0-specs/blob/v0.10.0/specs/phase0/fork-choice.md#filter_block_tree ## ## Any node that has a different finalized or justified epoch ## should not be viable for the head. ( (node.justified_epoch == self.justified_epoch) or (self.justified_epoch == Epoch(0)) ) and ( (node.finalized_epoch == self.finalized_epoch) or (self.finalized_epoch == Epoch(0)) ) # Sanity checks # ---------------------------------------------------------------------- # Sanity checks on internal private procedures when isMainModule: import nimcrypto/hash echo "Sanity checks on fork choice tiebreaks" block: let a = Eth2Digest.fromHex("0x0000000000000001000000000000000000000000000000000000000000000000") let b = Eth2Digest.fromHex("0x0000000000000000000000000000000000000000000000000000000000000000") # sha256(1) doAssert tiebreak(a, b) block: let a = Eth2Digest.fromHex("0x0000000000000002000000000000000000000000000000000000000000000000") let b = Eth2Digest.fromHex("0x0000000000000001000000000000000000000000000000000000000000000000") # sha256(1) doAssert tiebreak(a, b) block: let a = Eth2Digest.fromHex("0xD86E8112F3C4C4442126F8E9F44F16867DA487F29052BF91B810457DB34209A4") # sha256(2) let b = Eth2Digest.fromHex("0x7C9FA136D4413FA6173637E883B6998D32E1D675F88CDDFF9DCBCF331820F4B8") # sha256(1) doAssert tiebreak(a, b)