Implement limits on the size of transactions in ChunkStateWitness

[jancionear]

Fixes: #11103

This PR adds 3 new limitations to control total size of transactions included in ChunkStateWitness

1. Reduce max_transaction_size from 4MiB to 1.5MiB. Transactions larger than 1.5MiB will be rejected.
2. Limit size of transactions included in the last two chunks to 2MiB. ChunkStateWitness contains transactions from both the current and the previous chunk, so we have to limit the sum of transactions from both of those chunks.
3. Limit size of storage proof generated during transaction validation to 500kiB (soft limit).

In total that limits the size transaction related fields to 2.5MiB.

About 1):
Having 4MiB transactions is troublesome, because it means that we have to allow at least 4MiB of transactions to be included in ChunkStateWitness. Having so much space taken up by the transactions could cause problems with witness size. See #11379 for more information.

About 2):
ChunkStateWitness contains both transactions from the previous chunk (transactions) and the new chunk (new_transactions). This is annoying because it halves the space that we can reserve for transactions. To make sure that the size stays reasonable we limit the sum of both those fields to 2MiB. On current mainnet traffic the sum of these fields stays under 400kiB, so 2MiB should be more than enough. This limit has to be slightly higher than the limit for a single transaction, so we can't make it 1MiB, it has to be at least 1.5MiB.

About 3):
On mainnet traffic the size of transactions storage proof is under 500kiB on most chunks, so adding this limit shouldn't affect the throughput. I assume that every transactions generates a limited amount of storage proof during validation, so we can have a soft limit for the total size of storage proof. Implementing a hard limit would be difficult because it's hard to predict how much storage proof will be generated by validating a transaction.

Transactions are validated by running prepare_transactions on the validator, so there's no need for separate validation code.

[jancionear]

I'm not sure about the snapshots files. I added max_transactions_size_in_witness and new_transactions_validation_state_size_soft_limit to the runtime config, but should I also add it to the snapshots? The tests aren't complaining, so I wonder if I have to do it?
I saw that @shreyan-gupta added storage_proof_size_soft_limit to the snapshots, but it's in the transaction_costs section. That sounds weird, should I put my parameters there as well?

[jancionear]

With testing I saw that some of the existing tests already kinda cover the feature.
When I lowered the max_transaction_size to 1.5MiB a bunch of tests started failing because they tried to submit 4MiB transactions.
Adding max_transactions_size_in_witness caused the benchmark_large_chunk_production_time test to fail because the produced chunk was 3MiB instead of the expected 35MiB.

I can think about some dedicated tests, but there might not be a big need for that.

[codecov]

Codecov Report

Attention: Patch coverage is 82.42424% with 29 lines in your changes are missing coverage. Please review.

Project coverage is 71.36%. Comparing base (1ade93b) to head (c5579f9).
Report is 10 commits behind head on master.

Files	Patch %	Lines
chain/chain/src/runtime/mod.rs	88.29%	6 Missing and 5 partials ⚠️
chain/client/src/client.rs	52.38%	7 Missing and 3 partials ⚠️
core/parameters/src/parameter_table.rs	50.00%	0 Missing and 3 partials ⚠️
...client/src/stateless_validation/shadow_validate.rs	0.00%	2 Missing ⚠️
...nt/src/stateless_validation/chunk_validator/mod.rs	87.50%	0 Missing and 1 partial ⚠️
core/parameters/src/view.rs	90.00%	1 Missing ⚠️
...me-params-estimator/src/costs_to_runtime_config.rs	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11406      +/-   ##
==========================================
+ Coverage   71.27%   71.36%   +0.08%     
==========================================
  Files         784      784              
  Lines      157847   158131     +284     
  Branches   157847   158131     +284     
==========================================
+ Hits       112511   112843     +332     
+ Misses      40489    40412      -77     
- Partials     4847     4876      +29     

Flag	Coverage Δ
backward-compatibility	0.24% <0.00%> (-0.01%)	⬇️
db-migration	0.24% <0.00%> (-0.01%)	⬇️
genesis-check	1.38% <0.00%> (-0.01%)	⬇️
integration-tests	37.48% <67.87%> (+0.20%)	⬆️
linux	68.87% <60.00%> (+0.07%)	⬆️
linux-nightly	70.78% <81.21%> (+0.05%)	⬆️
macos	52.39% <56.66%> (+0.01%)	⬆️
pytests	1.59% <0.00%> (-0.01%)	⬇️
sanity-checks	1.39% <0.00%> (-0.01%)	⬇️
unittests	65.72% <74.54%> (+0.01%)	⬆️
upgradability	0.28% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[tayfunelmas]

is this function for a test? otherwise not sure why it needs to specifically call out the limits, which are set in params files.

[wacban]

+1
nit: cost_max
also it seems like it's 15 but it's 1.5

[jancionear]

is this function for a test? otherwise not sure why it needs to specifically call out the limits, which are set in params files.

Ok I'll change it so that it uses the param file instead of a hardcoded value

[tayfunelmas]

assuming this serialization will take some time, guard this with the new protocol version?

[wacban]

ChunkStateWitness contains both transactions from the previous chunk (transactions) and the new chunk (new_transactions).

Quick question about this - isn't new_transactions duplicated in the ChunkStateWitness and in the ShardChunk itself? Do we need it in both places?

[wacban]

LGTM but I'd like to have another look later so for now just a few comments

[wacban]

1. The chunk header contains field height_included that points to the block height where the last existing chunk on this shard is. Not sure if this would simplify or speed up this implementation so sharing just in case you find it useful. There is a caveat that height included is not set when the chunk is produced (since at this point we don't know what block height will include it), it's only set once part of a block.

2. The shard_id changes meaning during resharding. No need to do it here but can you add a todo for this? Something like:

TODO(resharding) - handle looking for the last existing chunk

3. JFYI there is an interesting interaction with state sync here. Intuitively state sync gets the state as of the last block of the epoch. If there are missing chunks around this epoch boundary this loop could go before that and the node might not have the needed blocks. This issue actually appeared elsewhere and should be fixed already. When syncing the node will get the blocks up until the last existing chunk for every shard.

[jancionear]

The shard_id changes meaning during resharding. No need to do it here but can you add a todo for this?

I used:

shard_id = epoch_manager.get_prev_shard_id(&cur_block_hash, shard_id)?;

Doesn't that take care of reshardings?

[wacban]

Ah sorry I missed that line. That should do it.

[jancionear]

Oh actually I just realized that the last chunk is included in the previous block, so I don't need to iterate at all 🤦. I'll remove this function.

[wacban]

nit: Can you move this to a helper method? This method is already quite overblown.

[wacban]

This is pretty neat!

[wacban]

nit: Can you split this into multiple lines by moving the factors / addends to helper variables? It's getting a bit too crazy ;)

[wacban]

nit: typo maxmium

[wacban]

Ditto inconsistent names. Looking at the other parameters the convention is to use Limit or SoftLimit.

[jancionear]

There's StorageProofSizeSoftLimit, so NewTransactionsValidationStateSizeSoftLimit is consistent with that 👀

[wacban]

Yeah, I meant the max one, sorry, wrong line.

[wacban]

That's funny, wasn't the old limit 4mb?

[wacban]

1500 or 1024 * 1.5?

[jancionear]

The transaction can't be bigger than 1.5MiB, so the code size is set to 1.5MB to leave some space for other transaction data.

[wacban]

Ah okay.

[wacban]

+1
nit: cost_max
also it seems like it's 15 but it's 1.5

[jancionear]

Quick question about this - isn't new_transactions duplicated in the ChunkStateWitness and in the ShardChunk itself? Do we need it in both places?

My understanding is that with stateless validation the validators don't receive the ShardChunks anymore, they should only be sent to nodes that track the shard. Validators receive ChunkStateWitness which is ShardChunk + validation information.

It would be great to get input from @staffik who implemented transaction validation (#10414), but he's OOO until next week :c. Maybe @pugachAG can chime in instead.

[pugachAG]

@wacban @jancionear

Quick question about this - isn't new_transactions duplicated in the ChunkStateWitness and in the ShardChunk itself? Do we need it in both places?

State witness doesn't include the whole ShardChunk, only the header. So yeah, both ChunkStateWitness and ShardChunk contain new transactions, but as Jan pointed out stateless validators are not expected to have ShardChunk, so we do need it in both structs.

[wacban]

LGTM, just a few mini nits

[wacban]

mini nit: There is a new alternative for this, I don't remember the exact syntax but it's something like this: ProtocolFeature::WitnessTransactionLimits.enabled(protocol_version). Up to you as the convention is what you've used.

[wacban]

You used an if - else here. Should if be a minimum of the two if the new feature is enabled?

[wacban]

Please forgive me. Now that you changed it to be the chunk from the prev block I would go back to naming it prev_chunk_header. Sorry :)

[jancionear]

Eh the PR has been already merged, so I'm gonna leave it as is. If some names bother you, you can make a PR to change them ;)

[wacban]

ditto prev_chunk

[wacban]

mini nit: Consider putting that in a helper method.

[wacban]

❤️

[wacban]

mini nit: Maybe StateWitnessConfig? Best to just stick to whatever convention we have, I think StateWitness is more popular in struct names.

[wacban]

I like this idea, it's very nice. I'm curious if we're ever going to observe some oscillating behaviour close to congestion where every other chunk has 1.5MB and the rest 0.5MB. Nothing wrong with that as far as I can tell though.

[jancionear]

Yeah it could happen with a lot of large transactions, but IMO this approach should be good enough. The chunk producers are assigned at random, so it's not like someone can use this mechanism for anything malicious.

[wacban]

I'm not familiar with the runtime configs views. Can you briefly tell me what are they for?

[jancionear]

AFAIU they are responsible for converting the RuntimeConfig to the json representation that's in the snapshots. After I added WitnessConfigView to RuntimeConfigView it started appearing in the snapshots.

[wacban]

mini nit: StateWitnessTransactionLimits