spec: Rust like pseudo code for Sequential supervisor and core verification

[OStevan]

rendered

As @josef-widder mentioned here is the pseudo code proposal for specification and code changes. I was not sure how to name this and where to put it so we can change it as others see fit.

Goals?

The proposed pseudo code should solve the main issues of LightStore having an unbounded interface which makes code of skipping forward verification more complicated than needed. If implemented it should solve several issues which came out of it.

Possible issues?

• with this proposal the LightStore requires that when inserting new information it is always possible to build a verification chain with what is already in it
• the requirement above makes backward verification using just hashes impossible as the links with lower LightBlocks are impossible to recreate in this situation

Proposal details

• current LightStore is now split:
  1. what were once verified LightBlocks are now stored in Trace
  2. Unverified LightBlocks are now on the FetchedStack
  3. There are no longer Failed LightBlocks as there can be only one and that one is returned as an error reason in verify_to_target
  4. The notion of Trusted is removed, and with the sequential supervisor everything in what is now LightStore is what were previously trusted.
• History of how LightBlocks were verified can be retrieved from the LightStore
• LightStore can recover from possible forks in the future by removing LightBlocks which are now considered to be from a fork.

Order in which to review for easier understanding

• basically top to bottom
• first part is related to skipping verification until the LightStore (excluding)
• second part relevant for supervisor and possible ForkDetection and Relayer requirements

Issue which prompted this PR

• spec: Detector refactor #494

Issues this approach should solve.

• Lightstore Invariants + Maintain Verification Information #499 : chain invariant is easily retrievable, and chain computation is built-in the LightStore now
• light-node: does not recover from primary restart #487 : previous losses of trusted LightBlock are no longer possible as we always ask for the highest from the supervisor LightStore
• light-client: improve separation of concerns in get_or_fetch_block #434 : no longer relevant with refactors proposed here
• light-client: improve LightStore API #428 : logic is very much split and the API is now easier to reason about
• Ensure a trusted light block stays trusted permanently, even if its peer fails later #420 : same as for 487
• Basic bisecting schedule logic can be simplified #333 : simplified by design

Should help with easier implementation of

• light-client: Fork Detection Evidence Submission Review #415 : should be easier to collect evidence as verification trace is collected
• Relayer requirements for the Light Client #497 : for all the mentioned height combinations it should be possible to easily get the light block for verification.

Issues which should be reworded depending on the changes here

• Do we need current_height in the schedule function? #334 : everything stored in the LightStore is assumed to have passed verification at some point

• Referenced an issue explaining the need for the change
• Updated all relevant documentation in docs
• Updated all code comments where relevant
• Wrote tests
• Updated CHANGELOG.md

[OStevan]

@milosevic @brapse @ebuchman @romac @xla

[josef-widder]

Thanks a lot! Both for the proposal of the code and the awesome overview of the issues!

I think we should discuss this here, and then incorporate either the proposed pseudo code (or a go variant of it) into a supervisor spec and the existing verification.md. (A go variant of a supervisor lives in detection.md #479, but the way the lightstore is treated and the parameters that are passes here in #509 seem much more to the point in the rust pseudo code in this PR).

[xla]

This is some great work. The amount of potential improvements it touches is amazing to see. Generally the direction is promising, some thoughts inline and here:

• If we start to develop this notion of a linked list a.k.a. chain, we should look closer at how we make it correct to construct. As we want to point to the previous block we ought to encode that in the linked list semantics.
• I'd be curious to see how much simpler the design can be if we assume that the LightStore is immutable. This would mean it needs reconstruction, which will make it very easy to reason in the case of fork recovery. Currently it's proposed that the LightStore itself offers a recovery functionality. There is strong evidence that we might be better served with treating it as immutable and rather lean heavier on type encoding to for example have a deterministic function a la: fn recover(tainted: LightStore::Tainted, boundary: Height) -> LightStore::Trusted
• It's great that we trying to address the divergence we observed when querying the Supervisor - yet I think we would benefit from separating these concerns. On the surface it looks like we rework the LightStore entity to give us historical data and traceability, while when disseminating the latest/highest state it is a really the most trusted ChainPair and we don't depend on the history of how we got there. Clarifying which component depends on what information will bring more clarity.

[xla]

What are the semantics of the stack? I don't believe there is a type definition in this file.

[OStevan]

There is no semantics as we could use a Vec for this, the goal was just to name it here and explain it is going to be used as a stack (push, pop, peek, is_empty) and not with random access.

[xla]

The naming is confusing as it indicates that a Chain is paired with something. What I'm also wondering doesn't the LightBlock contain its Height, what's the benefit of pairing it with the Height.

[OStevan]

Height in this case is the height of the block which was used to check the light. For example if we inserted a light block A into the Trace after passing all the checks in verify_to_target using light block B of height h. The ChainPair for A would be (A, h).

[xla]

Is it always the height of B -1? In any case the term Height is so ubiquitous everywhere that we should encode what height we are referring to here, which in turn an help challenge how it can be constructed.

[xla]

Still the term ChainPair for a pairing of block with height is miss-leading, imho.

[OStevan]

Made a custom enum VerificationChain.

[xla]

What does fetch_light_block do?

[OStevan]

It's just copied from the current specifications. In current code it's from the Io component.

[xla]

It would greatly benefit if this side-effect is not done in this function, it could be a parameter to be called with.

[OStevan]

This was an error. The structure is changed a but now.

[xla]

If we want to ensure the 1-1 invariant we should think in terms of a Set where we have a uniqueness constraint on the height, unless I miss-understand this part.

[OStevan]

I think it would make more sense to have a Map<Height, LightBlock> where keys would be automatically unique.

[xla]

For clarification, every height can only exist once? And there is only exactly one LightBlock per unique height?

[OStevan]

Yes, that was the intention. At each point in time, there can be only one LightBlock which can be considered to be from the valid blockchain. Conflict on a single height would mean there is a fork.

[OStevan]

@xla thanks for the comments. One thing which might not be clear just from the pseudo code and which I was not sure how to capture. This PR only addresses the case when we are doing forward verification without implying how the backward verification case will be done. For example lets say we start from height 1 and want to verify with height 10. One possible trace could be (1<- 5 <- 10) and after verifying 10 we get a request for height 8.

Now this case is not clear for me yet, so I didn't imply anything about the LightStore. For example one can imagine a case where for height 8 we just used the previously fetched light block of height 5. In this case the LightStore would basically be comprised of two chains: (this is currently what is expected)

1 <- 5 <- 10
     ^
      - - 8

It does not seem reasonable to just insert 8 between 5 and 10 (1 <- 5 <-8 <- 10) because in the case of validator set change such that skipping trust can not be established between 8 and 10 and somebody wants to replay the verification process just with the LightBlocks in the chain. They will not be able to replay the process.

To solve this we would need to also verify 10 starting from 8, however in this case the question is what do we do with the previous information that originally the LightBlock of height 10 was checked with 5, do we update it and make one chain 1 <- 5 <- 8 <- 10 or just try and verify as a sanity check.

[melekes]

looks like this will never terminate, making the rest of the code unreachable

[melekes]

don't you have a single primary at any moment?

[melekes]

why do you need above and below when you already have get?

[josef-widder]

The ideas in the PR are great. I tried to incorporate them into tendermint/spec#159.
I propose that we conclude the discussions there and close this PR.

[josef-widder]

Thanks for the discussions. Let's continue that the other PR tendermint/spec#159.