[fastx client] Correct generic processing of orders and certificates. (Part 1)

[gdanezis]

This PR addresses issue

• [fastx client] Synchronise certificates with authorities before making move call and publish #252

In an nutshell is refactors sync_all_owned_objects to create a sync_all_given_objects that updates all authorities to the latest versions of the objects with IDs given. Then

• A process_order function takes an order, updates all authorities with the objects it needs to be processed, and then submits it to get a certificate.
• It also defines a process_certificate that submits a certificate to authorities, and even tries to update them if they are not up-to-date. This is designed to be called after process_order or when a certificate is available.
• Cleaned up some test functions, added more test helpers, and test for new functions.

For next PRs:

• Handle errors assigned to authorities better (probably separate PR).
• Delete dead code, or older code that is no more correct.

[gdanezis]

Hey @patrickkuo & @oxade -- this is to give you some early visibility into the resolution (finally) of #252.

[huitseeker]

Main thing:

• this is under-utilizing local structs in calls to quorum_map_then_reduce_with_timeout,
• this is missing an opportunity to get help on client test setup through an issue

[huitseeker]

I understand those are here to materialize todos, but:

• would it be possible to group them, one TODO comment per group?
• could we deduce required_ids from required_id_version rather than re-compute it?

[gdanezis]

Actually, after some reflection I do not think it is right to check that objects are at the right version. Since it is not incorrect to re-submit the same order even if some authorities have already processed it, in order to make other make progress (even though really you should then submit a cert). So I removed a lot of this.

Note that the _digest was there to check the handle_order response, but I will do that in separate functions as we dicussed.

[huitseeker]

Where should those checks be performed?

[gdanezis]

My plan is to define within authority_aggregator safe versions of the client authority interface, that check the returned values, and only use these that are pre-checked instead of doing checks everywhere.

[gdanezis]

Now this is PR

• [fastx client] Check authority responses (Part 3) #388

[huitseeker]

With match_opt for readability:

Suggested change

	for (stake, effects) in state.values() {
	if stake >= &threshold {
	return Ok(effects.clone());
	}
	}
	if Some(effects) = state.into_values().find_map(|x| match_opt!(x, (stake, effects) if stake >= &threshold => effects)) {
	return Ok(effects)
	}

if you're not into manual Option dissection:

state.into_values()
     .find_map(|x| match_opt!(x, (stake, effects) if stake >= &threshold => effects))
     .ok_or(FastPayError::ErrorWhileRequestingCertificate)

If you're conservative:

state.into_values()
     .find(|(stake, effects)| stake >= &threshold)
     .map(|x| x.1)
     .ok_or(FastPayError::ErrorWhileRequestingCertificate)

[gdanezis]

Hm, I do not find the iterator approach very readable. It requires the reader to know the semantics of about 3-4 rust specific functions or macros, rather than for, if and >=.

[huitseeker]

Here's the only thing I would insist on: I believe you can iterate over state.into_values() and eliminate the final .clone().

I would also note that sometimes when people are exposed to functionality present in the standard library, they tend to find it useful (e.g. local structs) rather than daunting.

[huitseeker]

This is going to make #380 harder, let's at least put a TODO here to remove it.

[gdanezis]

Lets find the right way for tests to be able to make orders -- this is what this test function is used for.

[huitseeker]

I think this is now straight up covered (to an acceptable compromise between correctness and development velocity) by #386

[huitseeker]

So we're retaining only the last returned signed.order and not testing discrepancies on this returned value?
Is it worth making that explicit by preceding this with an if order.is_none()?

[gdanezis]

I use this function to setup authority configurations, but I have now protected this by:

            if let Some(inner_order) = order {
                assert!(inner_order == signed.order);
            }
            order = Some(signed.order);

[huitseeker]

Do we have an issue open to make the client tests less repetitive? It would be a good first issue, and list the things we need pretty much everywhere:

• authorities, committee,
• a few clients, their fas objects and corresponding funding.
• a bunch of initial orders (prior to any assertions)

[gdanezis]

This version is much less verbose in the schedule of orders and certificates for each authority, but the setup is still long and repetitive. We could define a standard setup indeed.

[lxfind]

Could be in a separate PR, but the quorum weight tracking / checking seems to be a common need and might as well be done inside quorum_map_then_reduce_with_timeout if possible. If not, maybe we could add a new quorum primitive latter.

[lxfind]

It seems to me that what get_all_owned_objects really returns, is the list of all objects at least one authority thinks we hold, not a quorum of authorities think we hold, as long as a quorum of authorities responded. Not sure if that's a bug in get_all_owned_objects or intended.
If that's intended, we may want to clarify in the comment here.

[gdanezis]

This is indeed what we do, and here is why:

if we have a certificate that executes on 2f+1 authorities, we can only guarantee f+1 of these will not be faulty, and also f non faulty are not signers. So if now we sync with a fresh 2f+1 we can only guarantee that 1 non faulty intersects, and will give us the latest. So to get the latest objects from all previous executions we must listen to all objects, and check they are valid (through asking for certs and re-executing ideally).

[lxfind]

fyi in #375 @oxade was trying to distinguish the None case vs Err case as well.

[gdanezis]

I think the key thing here is to distinguish client errors (no network) from authority errors. Client errors are common, transient and recoverable (the client will just reconnect and re-try). On the other hand authorities going bad in very large number should be rare, and is sadly fatal and unrecoverable.

[gdanezis]

Could be in a separate PR, but the quorum weight tracking / checking seems to be a common need and might as well be done inside quorum_map_then_reduce_with_timeout if possible. If not, maybe we could add a new quorum primitive latter.

The initial version had that but @huitseeker correctly identified a problem with it: the correctness condition to tally good versus bad stake vary significantly, and in some cases we even have to keep a tally per item returned. Hence we do it specifically for each function defined -- which is a little repetitive indeed but forces one to think what their conditions are.

[huitseeker]

Very nice work!

[huitseeker]

Suggested change

	object_map.keys().map(|object_ref| object_ref.0).collect();
	object_map.keys().unzip().0;

[gdanezis]

The object_ref is a reference, so I would have to copy for this to work I think.

[lxfind]

Try object_map.into_keys().unzip().0;

[huitseeker]

Suggested change

	for (stake, effects) in state.effects_map.values() {
	if stake >= &threshold {
	return Ok(effects.clone());
	}
	}
	for (stake, effects) in state.effects_map.into_values() {
	if stake >= threshold {
	return Ok(effects);
	}
	}

[huitseeker]

I think this is now straight up covered (to an acceptable compromise between correctness and development velocity) by #386

[lxfind]

Try object_map.into_keys().unzip().0;

[lxfind]

Do we have other plans for get_all_owned_objects in the future? It seems we are only using the list of all objects ids, but it returns a ton of stuff

[gdanezis]

We do have many many plans for this function, starting with #381 and beyond.

[gdanezis]

It seems that zip(), unzip() work on 2-tuples, but refs are 3-tuples?