Add block cache, remove sqlite3

[LarryRuane]

This PR is based on #148 (so until that PR gets merged, this PR includes its commits), so only review the most recent commit.

[codecov]

Codecov Report

Merging #149 into master will decrease coverage by 3.37%.
The diff coverage is 13.74%.

@@            Coverage Diff             @@
##           master     #149      +/-   ##
==========================================
- Coverage   34.46%   31.09%   -3.38%     
==========================================
  Files          11       11              
  Lines        1532     1489      -43     
==========================================
- Hits          528      463      -65     
- Misses        935      968      +33     
+ Partials       69       58      -11

Impacted Files	Coverage Δ
frontend/service.go	0% <0%> (ø)	⬆️
cmd/server/main.go	6.97% <0%> (-0.23%)	⬇️
common/common.go	0% <0%> (ø)
walletrpc/service.pb.go	3.01% <2.77%> (-0.06%)	⬇️
common/cache.go	88.23% <88.23%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f58a5f9...758cdec. Read the comment docs.

[defuse]

Nitpick: You can give @adityapk00 formal credit for a co-authored commit (so it's shown in the GitHub UI and recognized by other automated things) by using Co-authored-by in the commit message

[defuse]

Nearly done with this review, I just need to think a little bit more about reorgs, posting what I have now.

[defuse]

Having Sql / SQL in things' names will be confusing since there's no longer an SQL db. I suggest renaming.

[defuse]

Can we remove this dependency?

[defuse]

In case txf.Block.Hash == nil and txf.Hash == nil, this will return an all-zero txBytes and zero txHeight. The comment in the old code says it used to return the genesis coinbase tx. We should either preserve that behavior or return an error (my preference to return an error unless something's actually relying on the old behavior).

[defuse]

Yay for deleting code!

[defuse]

We'll need new tests to replace these but this PR need not block on that, it's tracked here: #146

[defuse]

Could this lead to some kind of confusion where some other code thinks a nil RawTransaction was actually mined at height 0?

[LarryRuane]

This is machine-generated code, and there is no way to indicate an "invalid value" within type uint64. If height had type int64, then we could use -1 to mean invalid value. But that would likely be an invasive change. Let's see if it causes problems. I think height zero having special meaning is okay (no one will ever really want to do anything with the genesis block).

[defuse]

It looks like this new argument had the same effect as veryInsecure had (my bad for the confusing name). We still want it to be really obvious that not using TLS is very insecure, so I suggest removing veryInsecure and renaming no-tls's option to no-tls-very-insecure.

[LarryRuane]

Yes, these have the same effect; what happened was that the same enhancement was made to the two forks (ours and Aditya's) independently. I intentionally allowed both options because I wanted our version of lightwalletd to be backward compatible with Aditya's version, at least initially.

But I like your suggestion, and having both is one of those things that's easy to forget about (since everything is working), and then will be much harder to fix later. I'll make your suggested change. I can coordinate with Aditya so he can make the required adjustment to his code when he switches over to using our lightwalletd.

[defuse]

This comment is out of date, the default value is 40,000. I suggest just: latestblock - cache size.

[LarryRuane]

Force-pushed up to 65bd2c1 to incorporate @defuse's comments. (Leaving each review item as a separate commit for now, but will squash before the final merge.)

[LarryRuane]

This is machine-generated code, and there is no way to indicate an "invalid value" within type uint64. If height had type int64, then we could use -1 to mean invalid value. But that would likely be an invasive change. Let's see if it causes problems. I think height zero having special meaning is okay (no one will ever really want to do anything with the genesis block).

[LarryRuane]

Yes, these have the same effect; what happened was that the same enhancement was made to the two forks (ours and Aditya's) independently. I intentionally allowed both options because I wanted our version of lightwalletd to be backward compatible with Aditya's version, at least initially.

But I like your suggestion, and having both is one of those things that's easy to forget about (since everything is working), and then will be much harder to fix later. I'll make your suggested change. I can coordinate with Aditya so he can make the required adjustment to his code when he switches over to using our lightwalletd.

[defuse]

Requesting one small change to prevent the cache from entering weird states. Also see the message I'm about to send on Slack.

[defuse]

Should be --no-tls-very-insecure

[defuse]

This can set height to a value less than startHeight. If this happens, then the cache can contain invalid blocks, because the cache's Add function only clears higher-height cached blocks if the block being added falls within the range of cached blocks (if height < startHeight, then it won't fall in range, so the reorged-away blocks don't get cleared). We can do: height = Max(height - 10, startHeight); here to prevent this.

[defuse]

This function should fail with an error unless either height >= c.FirstBlock && height <= c.LastBlock or height = c.LastBlock + 1. This will make sure the cache doesn't reach any of several weird states:

• Some nil blocks in the cache (currently could be reached by adding a block at height > c.LastBlock + 1).
• Blocks from a mixture of reorg forks (currently could be reached by adding a block at height < c.FirstBlock; the higher-height blocks won't be deleted)
• Blocks where the PrevHash doesn't match the previous block's hash.

AFAICT enforcing this constraint won't break the ingestor code (except for the edge case about height < startHeight I left a comment about there).

[LarryRuane]

I made many changes to this function, which together should solve all these problems (but some in a different way). The cache should be very resilient to anything the caller (block ingestor thread) can do -- not just what it does today, but anything it may do in the future (there should be no assumptions about the behavior of the caller). It should not be possible for any extra blocks to be present in the cache (a type of memory leak)

As a side-effect, the code is much simpler; there is much less dependency on these state variables (FirstBlock and LastBlock).

Reviewers, please give this a careful look. I will write a good test but I haven't done that yet.

[defuse]

Needs to be changed to --no-tls-very-insecure.

[defuse]

Should this be uint64 (it gets cast to uint64 right away anyway)?

[LarryRuane]

I tried changing that variable's type to uint64 (and int), and made the corresponding change to where it's assigned, and the result was a type assertion:

$ go run cmd/server/main.go -cache-size 4 -no-tls-very-insecure -conf-file ~/.zcash/zcash.conf
panic: interface conversion: interface {} is float64, not uint64
(...)
exit status 2
$ 

Then I found that this code is correct; this value comes from unmarshalling a JSON string, and as stated here: https://golang.org/pkg/encoding/json/#Unmarshal

float64, for JSON numbers

So, in JSON, all numbers are (or can be) floating point.

[defuse]

Ah, makes sense, thanks!

[LarryRuane]

I didn't test these changes to Dockerfile

[LarryRuane]

I didn't test this yet

[LarryRuane]

(for some reason this was missing a newline)

[LarryRuane]

This can no longer fail (if this call fails, the app exits)

[LarryRuane]

There is no need for clean shutdown (because there is no longer any persistent state, no db).

[LarryRuane]

Error return has been removed (function will exit the entire app if it fails, see call to log.Fatal above).

[LarryRuane]

This situation is now handled in a more robust way. One interesting difference is that if a GetBlock api request arrives while lightwalletd is syncing (retrieving and caching the most recent 40k or however many blocks), for a block height that's more recent than the current height being synced, the old behavior is to return an error here. The lightwalletd client must try again later.

The new code, upon not finding the block in the cache, will just go ahead and call getBlockFromRPC(), bypassing the cache, and return the correct results immediately. So, with this change, it's safe to start using lightwalletd immediately after it starts, reducing the effective sync time to zero.

[LarryRuane]

I think this right, no functionality changes, just hardness and bug fixes.

[LarryRuane]

This entire function should better handle zcashd disappearing or not responding for any reason.

[LarryRuane]

Note that if we weren't successful on our first attempt (retryCount > 0), that means we logged some errors... so now that we're finally successful, let's indicate that in the log file (otherwise it's unclear that we're okay now). We could log this every time (not just if retryCount > 0), but it's really only confusing not to if we've had earlier errors.

[adityapk00]

We should at least double this default to 80,000 with blossom

[adityapk00]

This should probably be just -1 or -2. Re-reading 10 blocks for each re-org seems excessive.

[adityapk00]

@defuse Identified a security problem here where the address field could contain multiple addresses, and cause a DoS attack.

See his fix here: https://github.com/adityapk00/lightwalletd/pull/4/files

[LarryRuane]

Please see the comment I just wrote on that PR: adityapk00#4 (comment)

[LarryRuane]

Note that I just cherry-picked this commit: adityapk00@cc30455 (but I didn't include the later correction to replace the ^ and $ from the pattern because I don't think that's necessary).

[defuse]

I left a comment on that PR (adityapk00#4 (comment)) saying \A and \z make it more obvious nothing's wrong, but this PR doesn't have to block on that.

[defuse]

One bug to fix in the cache Add function, other comments are non-blocking.

[defuse]

This dependency on aditya's fork came back

[defuse]

Previously the function returned in this case. Should it still do that now? Edit: oh wait, log.Fatal will exit the whole program right?

[LarryRuane]

Yes, the program will exit.

[defuse]

Nice! I'm convinced this new approach ensures there's never any reorged-away blocks in the cache. A couple issues remain:

If there's a reorg detected or the JSON unmarshalling fails below, then the function will return after this loop has deleted from height up to c.LastBlock, but c.LastBlock won't have been updated (leaving nil blocks in the cache). The same is also true of c.FirstBlock, calling this with a really low height will empty the cache but c.FirstBlock won't be updated if the function exits through those returns. We should make sure the cache is in a valid state immediately after this loop, which probably means something like this:

if height <= c.FirstBlock {
    // the entire cache was just emptied
    c.FirstBlock = -1;
    c.LastBlock = -1;
    // maybe assert that c.m is really empty here just in case
} else {
    // height > c.FirstBlock, so we know there's still a block at height - 1 in the cache
    c.LastBlock = height - 1;
}

(Please double-check this is correct since I haven't fully thought it through)

It's also still possible to add blocks at height > c.LastBlock + 1 to get the cache into a state containing nil blocks (I think this case just needs to be explicitly checked for).

[LarryRuane]

I added a reorg unit test, and addressed the review comments

[pacu]

@LarryRuane I checked out that branch and I'm having issues running make

pacu$ make
GO111MODULE=on CGO_ENABLED=1 go build -i -v ./cmd/server
github.com/zcash-hackworks/lightwalletd/frontend
# github.com/zcash-hackworks/lightwalletd/frontend
frontend/service.go:52:6: errCode declared and not used
make: *** [build] Error 2
````

[pacu]

I pulled latest changes and was able to run make.

I checked that upon connecting to a yet not initialized zcashd, lwd retries and finally starts syncing.

{"app":"frontend-grpc","error":"-28: Loading block index...","level":"warning","msg":"error with getblockchaininfo rpc, retrying...","retry":1,"time":"2019-12-19T10:29:32-03:00"}
{"app":"frontend-grpc","error":"-28: Loading block index...","level":"warning","msg":"error with getblockchaininfo rpc, retrying...","retry":2,"time":"2019-12-19T10:29:47-03:00"}
{"app":"frontend-grpc","error":"-28: Loading block index...","level":"warning","msg":"error with getblockchaininfo rpc, retrying...","retry":3,"time":"2019-12-19T10:30:07-03:00"}
{"app":"frontend-grpc","level":"warning","msg":"getblockchaininfo RPC successful","time":"2019-12-19T10:30:32-03:00"}
{"app":"frontend-grpc","level":"info","msg":"Got sapling height 280000 chain test branchID 2bb40e60","time":"2019-12-19T10:30:32-03:00"}
{"app":"frontend-grpc","level":"info","msg":"Starting gRPC server on 127.0.0.1:18232","time":"2019-12-19T10:30:32-03:00"}

[defuse]

utACK, awesome reorg test!

[adityapk00]

Looks good to me!

[LarryRuane]

Thank you for the reviews! I'll squash; to make sure I don't make a mistake and change anything, here's tree hash before:

$ curl -s https://api.github.com/repos/zcash-hackworks/lightwalletd/commits/a9a906452ed0dd3a569c41b3ac781b849aa5c81d | jq .commit.tree.sha
"4567d8da2ea61528a96d06ad899843720c7d5cc3"

(Tree hash depends only on the code, not the commit comments plus code, as commit hash does.) It's the same after squashing:

$ git log --pretty=format:'%T' | head -1
4567d8da2ea61528a96d06ad899843720c7d5cc3
$

It's also the same after pushing to github:

$ curl -s https://api.github.com/repos/zcash-hackworks/lightwalletd/commits/758cdeca899725a3e2486bf8b0195489e913c018 | jq .commit.tree.sha
"4567d8da2ea61528a96d06ad899843720c7d5cc3"
$