fix: atomically add and remove shares from a committee #1760
Conversation
anatolie-ssv
added
bug
anatolie-ssv
changed the title
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
There was a problem hiding this comment.
This solution indeed works at the moment, but there's something I don't like about it. We still have AddShare and RemoveShare methods in committee.go . This means someone can use them without the atomicity you just added. This means if someone add a usage of them in the future, we might have a race condition again.
I can think of 2 options we have here:
- Emphasize in name and comments that these methods are practically unsafe, and that any consumer should use the atomic function in
ValidatorsMap - Move the atomicity to inside the
Committeestruct, which will inherently stop itself when it has no shares left. this way you can probably check invalidatorsmapwhether the committee has stopped, and if so, remove it from the map. and still keep the functions safe.
I'm leaning more towards 2, what do you guys think? @anatolie-ssv , @MatusKysel , @moshe-blox
anatolie-ssv
force-pushed
the
fix/add-share-rc
branch
4 times, most recently
from
6c95e40
to
f0a092c
Compare
anatolie-ssv
changed the title
anatolie-ssv
changed the title
I moved the atomicity functionality to the committee object. |
| @@ -87,6 +90,9 @@ func (c *Committee) RemoveShare(validatorIndex phase0.ValidatorIndex) { | |||
| if share, exist := c.Shares[validatorIndex]; exist { | |||
| c.dutyGuard.StopValidator(share.ValidatorPubKey) | |||
| delete(c.Shares, validatorIndex) | |||
| if len(c.Shares) == 0 { | |||
| c.stop() | |||
There was a problem hiding this comment.
@y0sher now that we are able to stop the committee should we be checking its state before doing actions like AddShare, ProcessMessage etc?
There was a problem hiding this comment.
Perhaps it's better (more straightforward) to just call Committee.cancel once we determined that committee can stop (shares dropped to 0), presumably this should be enough to finish all the work Committee was doing (while it's controller's job to make sure no new tasks will be assigned to such Committee - which it does handle by atomically removing it from controller.validatorsMap),
and, from my reading of this code, unless we do something with stopped Committee (have some business logic for it in stopped state, like restarting it) there is no reason to even store this stopped atomic.Bool (and have corresponding methods stop and Stopped) - you could simply remove these and adjust the way UpdateCommitteeAtomic works (so that instead of checking Stopped() func mutate will return a bool to signal that committee was stopped by this mutation - which will immediately trigger all the cleanup necessary).
anatolie-ssv
force-pushed
the
fix/add-share-rc
branch
from
7223a0e
to
bea9f9a
Compare
|
deployed to stage |
anatolie-ssv
force-pushed
the
fix/add-share-rc
branch
2 times, most recently
from
9e64123
to
4d86735
Compare
anatolie-ssv
force-pushed
the
fix/add-share-rc
branch
from
4d86735
to
25f8e3d
Compare
anatolie-ssv
force-pushed
the
fix/add-share-rc
branch
from
25f8e3d
to
60d5e2e
Compare
anatolie-ssv
force-pushed
the
fix/add-share-rc
branch
2 times, most recently
from
0332913
to
9a78188
Compare
| func (vm *ValidatorsMap) cleanup() { | ||
| var stopped []spectypes.CommitteeID | ||
| for k, v := range vm.committees { | ||
| if v.Stopped() { | ||
| stopped = append(stopped, k) | ||
| } | ||
| } | ||
| for _, k := range stopped { | ||
| delete(vm.committees, k) | ||
| } | ||
| return nil | ||
| } |
There was a problem hiding this comment.
why not something more simple
func (vm *ValidatorsMap) cleanup() {
for k, v := range vm.committees {
if v.Stopped() {
delete(vm.committees, k)
}
}
}There was a problem hiding this comment.
also do we want to iterate or just clean up one that's been modified in UpdateCommitteeAtomic?
There was a problem hiding this comment.
just to cleanup, fixed now!
anatolie-ssv
force-pushed
the
fix/add-share-rc
branch
from
9a78188
to
b008038
Compare
anatolie-ssv
force-pushed
the
fix/add-share-rc
branch
from
0c1e89e
to
4853472
Compare
There was a problem hiding this comment.
The code should work, I left couple of nits, but mostly I don't quite understand why we need the concept of "stopped" committee - if it isn't something we are planning to use I'd rather we simplify code by getting rid of it.
operator/validator/controller.go
Outdated
| @@ -698,10 +698,9 @@ func (c *controller) UpdateValidatorsMetadata(data map[spectypes.ValidatorPK]*be | |||
| if err != nil { | |||
| c.logger.Warn("could not start validator", zap.Error(err)) | |||
| } | |||
| vc, found := c.validatorsMap.GetCommittee(v.Share().CommitteeID()) | |||
| if found { | |||
| _ = c.validatorsMap.UpdateCommitteeAtomic(v.Share().CommitteeID(), func(vc *validator.Committee) { | |||
There was a problem hiding this comment.
Shouldn't we log an error or something when UpdateCommitteeAtomic returns false here (just as a sanity check/thing) ?
operator/validator/controller.go
Outdated
| var vc *validator.Committee | ||
|
|
||
| // Start a committee validator. | ||
| vc, found := c.validatorsMap.GetCommittee(operator.CommitteeID) | ||
| found = c.validatorsMap.UpdateCommitteeAtomic(operator.CommitteeID, func(fvc *validator.Committee) { | ||
| fvc.AddShare(&share.Share) | ||
| vc = fvc | ||
| }) |
There was a problem hiding this comment.
Would be cleaner to return validator.Committee from UpdateCommitteeAtomic, wdyt ?
There was a problem hiding this comment.
We could, but there are 3 call sites to this function and only this one would benefit from the extra return value. @y0sher @MatusKysel your take here?
There was a problem hiding this comment.
I would vote for returning the value
| if !ok || v.Stopped() { | ||
| return nil, false | ||
| } |
There was a problem hiding this comment.
It doesn't seem like "stopped" committee can be present in vm.committees map because we immediately remove stopped committees in UpdateCommitteeAtomic, so perhaps no need to add this check here ?
Applies to all methods in ValidatorsMap I think, but only because we don't really "stop" committee from anywhere else other than ValidatorsMap (via UpdateCommitteeAtomic -> RemoveShare) - like I mentioned in #1760 (comment). In theory we could "stop" committee from somewhere else, I just don't see why we would (and it makes code harder to understand or see the whole picture).
| deletedCommittee.Stop() | ||
| } | ||
| }) { | ||
| c.logger.Warn("committee not found", fields.PubKey(pubKey[:])) |
There was a problem hiding this comment.
Similar to https://github.com/ssvlabs/ssv/pull/1760/files#r1840850336, probably want to log this as Error (not Warn) ? Because if committee is not found here - looks like something is wrong with the way we manage it's lifecycle, and we'd need to address it (warnings in logs are pretty easy to miss, compared to errors).
There was a problem hiding this comment.
As I remember in past conversations it was decided not to change the log level and keep it as it was previously (line 898)
anatolie-ssv
force-pushed
the
fix/add-share-rc
branch
from
4853472
to
e771d25
Compare
Co-authored-by: rehs0y <lyosher@gmail.com>
Co-authored-by: Nikita Kryuchkov <nkryuchkov10@gmail.com>
Share addition/removal takes place under a single lock.
Close: #1558