Add new catchup mode to use transaction results to skip failed transaction and signature verification

[ThomasBrady]

Description

Resolves #X

Adds a new config option, CATCHUP_SKIP_KNOWN_RESULTS. When this config option is enabled, transaction results are downloaded from history archives for the catchup range. Failed transactions are not applied, and signatures are not verified.

Preliminary perf testing locally running catchup on 1000 ledgers:

user/system/total time seconds

*Baseline (no skipping):*     429 / 115 / 138s
*Skip Failed:*                373 / 99  / 114s  (1.14x / 1.16x / 1.21x speedup over baseline)
*Skip Failed + verification:* 334 / 88  / 95s   (1.28x / 1.30x / 1.45x speedup over baseline)

Remaining work:

• Run catchup in supercluster to get a more representative idea of the performance characteristics of the new mode
• Add more test coverage to test correct meta generation in this mode

Checklist

• Reviewed the contributing document
• Rebased on top of master (no merge commits)
• Ran clang-format v8.0.0 (via make format or the Visual Studio extension)
• Compiles
• Ran all tests
• If change impacts performance, include supporting evidence per the performance document

[marta-lokhova]

Please avoid adding mutable state to TransactionFrame - @SirTyson recently did a lot of work to make TransactionFrame immutable, so we should keep it that way. Reason is that tx frame is used across the codebase for overlay flooding as well as ledger application, so any incorrectly set mutable state leads to awful failure modes like state divergence. If you want to override results, could we modify MutableTransactionResult class instead?

[ThomasBrady]

Ah I see, that makes sense. I'll change this to store the replay result in MutableTransactionResult.

[marta-lokhova]

I'm not sure this is correct: don't we still need to do signature verification for failed transactions?

[marta-lokhova]

(A good sanity check for this check would be running full parallel catchup)

[ThomasBrady]

We need to update one time signers (which are removed whether the signature verification succeeds or fails), but I don't see why we need to verify signatures for failed transactions as it doesn't effect the ledger state.

[marta-lokhova]

Request for some renaming for clarity:

• SignatureChecker -> AbstractSignatureChecker
• SignatureCheckerImpl -> SignatureChecker

[marta-lokhova]

To avoid footguns, results should be optional

[marta-lokhova]

Why did the formatting change?

[ThomasBrady]

I reworded it a bit, which changed the line lengths and formatting.

[marta-lokhova]

Please keep the implementation of OnFailureCallback the way it was before: mArchive can be null, in which case GetAndUnzipRemoteFileWork will pick a random archive. With the current change, core would crash de-referencing a null pointer.

[marta-lokhova]

unused

[marta-lokhova]

nit: the log is misleading, since we're deleting transactions and results

[marta-lokhova]

Is it a valid scenario when CATCHUP_SKIP_KNOWN_RESULTS=true but expectedResults is not set?

[ThomasBrady]

If the CATCHUP_SKIP_KNOWN_RESULTS=true, but for some reason we do not have expectedResults (e.g. if for some reason they aren't in the archive), catchup will proceed but no transactions will be skipped. I think I should probably add a warning to inform users that this is the case, but I'm hesitant to report an error in that case as its not fatal. What do you think?

[marta-lokhova]

I see, this makes me realize: with the current implementation of catchup, won't it fail if results couldn't be downloaded? If so, I think we should make it less strict, so it'll try to download results, but if it can't, catchup should still proceed normally. In this case, I agree the logic here makes sense and we can add a warning (probably not at individual ledger level though as it'll get spammy. We can warn per checkpoint).

[ThomasBrady]

I changed WorkSequence to take an vector of "optional" works, which, if they fail do not block the execution of subsequent works. This step now will log a warning every checkpoint if the downloading of results fails, but catchup will proceed.

[marta-lokhova]

This looks a bit suspicious: the order of results should match the order of transactions application exactly. I think you can do expectedResults->at(i) instead of the loop.

[ThomasBrady]

Correct, the order should match, but the loop accounts for the case when there are gaps in the results stored in the archive, which I believe can be the case when there are ledgers with empty txn sets (?)

[marta-lokhova]

if you have ledgers with empty sets, then txs should be empty as well, so we should use the same index logic for both results and txs

[sisuresh]

I think we should add an invariant either here or in TransactionFrame that makes sure we're actually doing catchup when we see an expected result. What do you think?

[ThomasBrady]

That makes sense, something like releaseAssert(mApp.getCatchupManager().isCatchupInitialized()); ?

[sisuresh]

Is it possible for CatchupManagerImpl::catchupWorkIsDone() to be true along with a non null mCatchupWork here? I don't recall how the catchup state transitions work. Maybe @marta-lokhova has some input on a safe way to do this check.

[marta-lokhova]

Since this change targets a very specific use case (parallel catchup for testing), I'd recommend putting all this functionality behind BUILD_TESTS. The prod paths should remain unchanged.

[sisuresh]

Ah I thought this was meant for running catchup in general. Is it just for parallel catchup testing?

[ThomasBrady]

Meta, events and metrics are not equivalent to live execution when this mode is enabled, making it unsuitable to general catchup use case. It could be used in all scenarios where one doesn't care about them. Its not limited to parallel catchup, but generally development/testing scenarios so I agree that it should be behind an ifdef BUILDTESTS.

[marta-lokhova]

Yes, we don't win much by skipping work in prod paths. Different application flows increase the risk of divergence. Parallel catchup seems like a nice middle ground given the performance benefits + low risk.

[sisuresh]

I agree. In that case, a lot more of this PR should be behind the BUILD_TESTS ifdef.