InvalidFeePayerFilter

[apfitzge]

Problem

Some transactions that cannot pay fees make it into banking stage, often with repeat offenders. These transactions take time to process which can cause fewer valid transactions to make it into the block.

Summary of Changes

• Add an InvalidFeePayerFilter
  • Wrapper of DashMap for now, but potentially switch to a bloom filter in future (?)
• Upon seeing a transaction without sufficient funds for fees, add the fee-payer to the InvalidFeePayerFilter
• Multi-Iterator checks InvalidFeePayerFilter during batch selection
  • this let's more quickly rule these out
• Checks InvalidFeePayerFilter before forwarding
  • no need to forward these transactions to the next leader
• BankingStage checks InvalidFeePayerFilter when receiving packets from SigVerify
  • this means these transactions cannot take up the limited buffer space
• BankingStage will periodically clear the filter

Fixes #

[codecov]

Codecov Report

Merging #32939 (afe8dd8) into master (5f58d2d) will increase coverage by 0.0%.
Report is 2 commits behind head on master.
The diff coverage is 93.6%.

@@           Coverage Diff            @@
##           master   #32939    +/-   ##
========================================
  Coverage    82.0%    82.0%            
========================================
  Files         796      797     +1     
  Lines      215727   215926   +199     
========================================
+ Hits       176897   177100   +203     
+ Misses      38830    38826     -4     

[apfitzge]

I wrote a benchmark to test this code against master. The bench is a bit hacky, but I filled a single-thread of banking-stage buffer half with prioritized spam (unable to pay fees) and half with valid transactions. Benched how long it took to get through all transactions.

After observing the first spam transaction, the rest should be more quickly filtered out by the MI batch selection:

master:
test bench_banking_invalid_fee_payers               ... bench:   2,998,819 ns/iter (+/- 64,277)
test bench_banking_invalid_fee_payers               ... bench:   3,036,917 ns/iter (+/- 52,711)
test bench_banking_invalid_fee_payers               ... bench:   2,987,155 ns/iter (+/- 58,034)

invalid_fee_payer_filter:
test bench_banking_invalid_fee_payers               ... bench:   2,069,501 ns/iter (+/- 75,636)
test bench_banking_invalid_fee_payers               ... bench:   2,034,970 ns/iter (+/- 32,393)
test bench_banking_invalid_fee_payers               ... bench:   2,026,578 ns/iter (+/- 25,654)

bench is a bit flaky, with a sigsev if I try to join my poh_service...so not committing the code for bench quite yet.

[apfitzge]

Here is the only place we add to our filter currently.

These 3 errors:

• AccountNotFound - could not find fee-payer during load
• InsufficientFundsForFee - fee-payer exists, but doesn't have enough lamports
• InvalidAccountForFee - this account can't pay fees

[t-nelson]

won't AccountNotFound get thrown for accounts besides the fee-payer?

:my_eyes_are_bleeding:

solana/accounts-db/src/accounts.rs

Lines 493 to 497 in dbe4017

	if !validated_fee_payer {
	error_counters.account_not_found += 1;
	return Err(TransactionError::AccountNotFound);
	}

[apfitzge]

I think that was the only instance😭
Maybe it's better to swap that error with InsufficientFunds or rename it to FeePayerAccoutNotFound so we don't lose the distinction

[t-nelson]

I think that was the only instance😭 Maybe it's better to swap that error with InsufficientFunds or rename it to FeePayerAccoutNotFound so we don't lose the distinction

could. separate pr tho

[apfitzge]

Check vote transactions for invalid fee-payers prior to forwarding.

[apfitzge]

remove any known invalid-fee-payer when receiving from sigverify into banking stage.

This prevents them from taking up buffer space

[apfitzge]

Check for known invalid fee-payers during MI batch selection. Don't even attempt to load and execute these transactions.

[apfitzge]

Plan is to eventually also check txs prior to signature verification in SigVerifyStage so we don't even waste resources verifying them. That's a bit more involved, and think it's a good for a separate PR.

[apfitzge]

hmm re-thinking after I posted the PR. I probably don't really need a separate thread for this at all.

1. Just add an atomic interval on the InvalidFeePayerFilter
2. Banking threads just call some fn that resets & reports if atomic interval should report

[tao-stones]

Looks good to me, filtering txs couldn't/won't pay at banking_stage's receiving, processing and forwarding points are thoughtful process to improve banking qos. Even it'd be defenseless if spammer continuously rotating invalid payer accounts, this change, imo, are still good.

Will take another round of review later

[t-nelson]

there's resource exhaustion attack potential with retaining the pubkeys here. consider Deduper as a high-performance, fixed-size, statistical accounting mechanism

[apfitzge]

Had that in mind as a follow up, hence why I separated a class.
I can just do in this PR tho

[apfitzge]

Looked into this a bit and could be wrong. It looks to me reseting or clearing the deduper/bloom filter would require mutability; so we'd need some sort of locking mechanism. Since this filter is shared by multiple threads, that would block other threads which is something I'm trying to avoid.

Might be better to just vacate LRU if we would exceed some capacity. That would protect us from OOMing, but potentially slow things down if we exceed capacity. vs periodic locking of something like deduper. wdyt?

[t-nelson]

isn't deduper all atomics?

[apfitzge]

Not for resetting:

    pub fn maybe_reset<R: Rng>(
        &mut self,
        ...

because the underlying bits is stored in a Vec: bits: Vec<AtomicU64>,

[apfitzge]

@t-nelson are you content with this decision to just randomly evict if we see too many invalid fee payers?

[t-nelson]

performance in the bench i was running (1 very active invalid fee-payer) showed no difference between bloom and dash map internally.

seems like bloom should be preferable in that case due to constant size?

@t-nelson are you content with this decision to just randomly evict if we see too many invalid fee payers?

seems fine, yeah

[t-nelson]

seems like bloom should be preferable in that case due to constant size?

thoughts?

[apfitzge]

a pre-allocated dashmap also has a constant size, although I think larger than the double-bloom filter for a similar number of items.

Since there doesn't seem to be any time performance benefit, I was sticking with the simpler implementation, instead of maintaining 2 bloom-filters to allow us to "atomically" clear.

[apfitzge]

@t-nelson not sure if you saw the reply to your "thoughts?"

[t-nelson]

InvalidAccountForFee would have less potential to mislead as an aggregate error here

[tao-stones]

I was about to suggest to use a new TransactionError specifically to indicate it's failed because the payer account is black listed.

Mainly thinking from UX perspective; sophisticated abusers will soon find way to get around this filter, the 2 sec blackout would probably apply more to innocent mistakes, a clear error might help in that case?

[apfitzge]

Unrecorded transaction errors do not get reported back to the users though. It'd purely be an internal metric - similar to our AccountInUse error metrics.

[apfitzge]

@t-nelson the actual errors here don't get used at all. We only check is_ok() below.
But I changed agree InvalidAccountForFee is a better dummy error here since we've effectively marked the account as invalid with the filter: d52a238

[t-nelson]

won't AccountNotFound get thrown for accounts besides the fee-payer?

:my_eyes_are_bleeding:

solana/accounts-db/src/accounts.rs

Lines 493 to 497 in dbe4017

	if !validated_fee_payer {
	error_counters.account_not_found += 1;
	return Err(TransactionError::AccountNotFound);
	}

[t-nelson]

performance in the bench i was running (1 very active invalid fee-payer) showed no difference between bloom and dash map internally.

seems like bloom should be preferable in that case due to constant size?

@t-nelson are you content with this decision to just randomly evict if we see too many invalid fee payers?

seems fine, yeah

[t-nelson]

core eng will use the error variant for debugging. conflating this case with others may mislead those efforts

[apfitzge]

That's kind of why I added the comment here. It makes it clear that these will not show up in the regular error metrics.
The only way someone finds this is if they search for the error variant, in which case they then see this comment.

I changed it to the more appropriate variant InvalidAccountForFee - unless we want to create a new error variant not sure what action to take here.

[t-nelson]

I think that was the only instance😭 Maybe it's better to swap that error with InsufficientFunds or rename it to FeePayerAccoutNotFound so we don't lose the distinction

could. separate pr tho

[t-nelson]

nit: typo?

[t-nelson]

seems like bloom should be preferable in that case due to constant size?

thoughts?