tower: when syncing from vote state, update last_vote

[AshwinSekar]

Problem

On replay, if validators observe a newer vote state from a frozen bank, they will adopt that vote state in favor of their local tower. This is to avoid an outdated local tower from sending out slashable votes, or in case of large divergences, having to wait forever for lockout to expire.

However when we adopt vote state, we do not update the tower's last_vote field. This causes problems in situations where our fork choice does not agree with the on chain vote state.
Consider the following:

[...] - 115 - 124 - 125 - 126 - 127
         \
          - 120 - 121 - 122 - 123

Previously our validator had voted on slots 124 and 126 which landed in block 127. Currently, our validator has replayed only up to 115 and has most recently voted on 115.

Next it receives the remaining blocks up to 127 to replay. Upon replay of 127 it realizes it has voted on slots 124 and 126 in the past, and updates the tower vote state to reflect that.

solana/core/src/replay_stage.rs

Lines 3029 to 3031 in 14d0759

	"Frozen bank vote state slot {:?}
	is newer than our local vote state slot {:?},
	adopting the bank vote state as our own.

Suppose that previously, our validator did not get a chance to observe the 120 fork which is why it voted on 124. However in our current run, fork choice rates 123 as the best slot. When it comes time to select forks, we select 123 as the heaviest slot and 123 as the heaviest slot descended from our last vote:

solana/core/src/consensus/heaviest_subtree_fork_choice.rs

Lines 1015 to 1017 in 14d0759

	fn heaviest_slot_on_same_voted_fork(&self, tower: &Tower) -> Option<SlotHashKey> {
	tower
	.last_voted_slot_hash()

Because we have not updated our last vote, we think that the heaviest slot descends from our last vote, and incorrectly SwitchForkDecision::SameFork

solana/core/src/consensus.rs

Lines 872 to 875 in 14d0759

	if switch_slot == last_voted_slot || switch_slot_ancestors.contains(&last_voted_slot) {
	// If the `switch_slot is a descendant of the last vote,
	// no switching proof is necessary
	return SwitchForkDecision::SameFork;

At this point we vote on 123, however because we adopted the vote state from 127 which contains votes for 124 and 126, this vote will fail. Unfortunately we use process_vote_unchecked which silently ignores this error. We think that the vote has succeeded, and construct our new last_vote from the tower. This last_vote is garbage, it contains slot 126, but has a vote_hash for slot 123.

solana/core/src/consensus.rs

Lines 569 to 578 in 14d0759

	process_vote_unchecked(&mut self.vote_state, vote);
	VoteTransaction::from(VoteStateUpdate::new(
	self.vote_state
	.votes
	.iter()
	.map(|vote| vote.lockout)
	.collect(),
	self.vote_state.root_slot,
	vote_hash,
	))

Any further operations involving the tower + fork choice will now panic, as the last vote in the tower does not exist in fork choice (invalid SlotHashKey).

Summary of Changes

• When adopting on chain vote state, update tower.last_vote as well.
• tower.record_bank_vote... variants should use process_vote_unfiltered. Although it is unlikely we can recover in case this vote fails, we can log the error to make debugging such situations possible.

Fixes #32880
This is the proper fix for #32894

[codecov]

Codecov Report

Merging #32944 (f24821a) into master (14d0759) will increase coverage by 0.0%.
The diff coverage is 90.1%.

@@           Coverage Diff           @@
##           master   #32944   +/-   ##
=======================================
  Coverage    82.0%    82.0%           
=======================================
  Files         784      784           
  Lines      212512   212565   +53     
=======================================
+ Hits       174313   174398   +85     
+ Misses      38199    38167   -32     

[carllin]

maybe just bubble up the error from process_vote_unchecked and error log here?

[carllin]

could be as strong as error!

[carllin]

If we set this properly when we ingest a new on chain tower in ReplayStage::compute_bank_stats(), is this still necessary here?

[AshwinSekar]

We still need it because we are recording a new vote here. this takes care of this block we were doing previously:

new_vote.set_timestamp(self.maybe_timestamp(self.last_voted_slot().unwrap_or_default()));
self.last_vote = new_vote;

[carllin]

not exactly clear to me how supermajority roots cause tower to be empty

[AshwinSekar]

Anything that artificially increases the root could trigger this. I think snapshot is the best example, but I think supermajority roots could also cause this:

solana/ledger/src/blockstore_processor.rs

Lines 1576 to 1580 in d90e158

	let _ = bank_forks.write().unwrap().set_root(
	root,
	accounts_background_request_sender,
	None,
	);

[carllin]

where is this logic guaranteed?

[AshwinSekar]

None <= None. If tower.vote_state.last_voted_slot() is None, this means bank_vote_state.last_voted_slot() must have originally been Some in order to pass this check:

if bank_vote_state.last_voted_slot()
                                > tower.vote_state.last_voted_slot()

That means it must have been adjusted here:

bank_vote_state .votes .retain(|lockout| lockout.slot() > local_root);

For it to have been adjusted, it must have passed this check:

if let Some(local_root) = tower.vote_state.root_slot {

So it follows that iff tower.vote_state.root_slot is Some then tower.vote_state.last_voted_slot() is None

[carllin]

ah yeah, i missed the logic where we adjust the root and filter out slots less than the root

[carllin]

doesn't this have to be Some because we checked

if bank_vote_state.last_voted_slot() > tower.vote_state.last_voted_slot()

above, so there must be at least some vote in bank_vote_state.last_voted_slot()

[AshwinSekar]

not necessarily, see here:

bank_vote_state
    .votes
    .retain(|lockout| lockout.slot() > local_root);

[carllin]

just wanted to make sure root bank exists in bank forks even if we load from a snapshot, I think it does because of bank_from_snapshot_archives()