3651 prefetch entries in soroban ops

[ThomasBrady]

Description

Adds LedgerKeyMeter to track the allowance of read bytes for each transaction when prefetching soroban ops.

Resolves #3651

Checklist

• Reviewed the contributing document
• Rebased on top of master (no merge commits)
• Ran clang-format v8.0.0 (via make format or the Visual Studio extension)
• Compiles
• Ran all tests
• If change impacts performance, include supporting evidence per the performance document

[SirTyson]

Overall looks like a good start! Most of my comments are pretty minor nit picky things, although there are a couple of more significant issues that will require a little redesign. I'm not quite sure why the test is failing for range based indexes at the moment, but I did flag a few issues that may be contributing factors.

Additionally, there are one or two DOS concerns I have, especially regarding individual indexes. I think you should focus on correctness for now though, and we can chat about that later offline (I'd rather not explain attack vectors in-depth publicly...)

[SirTyson]

Need to prefetch TTL keys as well.

[SirTyson]

Need to prefetch TTL keys.

[SirTyson]

We should almost never use std::unordered_map and std::unordered_set. We want to use our own Hasher, where we can deterministically set the hashing seed. This helps us get determinism across unit test runs. Use UnorderedMap and UnorderedSet instead.

[SirTyson]

I think we should rename this instead of overloading, something like prefetchWithLimits.

[SirTyson]

Why is getResources called here?

[SirTyson]

auto const&

[SirTyson]

Params should both be auto const&

[SirTyson]

auto const&

[SirTyson]

I think we might also have to account for read quota if a DEADENTRY is returned. I'd have to double check the fee model, but I think we charge for the size of the key on reads that return null. Again, I'm not sure though and will need to double check.

[ThomasBrady]

Were can I find the fee model?

[dmkozh]

but I think we charge for the size of the key on reads that return null

We don't, we only charge the read bytes for live entries read. Dead entries/non-existent entry lookups are free.

[SirTyson]

Moving in the right direction! I think structurally this is looking good and I think your approach is correct, but there's still some significant bugs and gaps in testing that need to be addressed, as well as DOS exploits. I'm also not quite sure what the test cases are doing, but I'm looking forward to chatting IRL so you can walk me through it and improve my understanding!

[SirTyson]

Null dereference, keys may be empty such that currKeyIt == keys.end() here.

[SirTyson]

Instead of using count here, if you do something like auto iter = lkToTx.find(key); iter != lkToTx.end(), you can reuse the iter in your for loop and only do one map lookup instead of 2. You can actually simplify this if block to just the iter != lkToTx.end() check, the empty checks are redundant.

[SirTyson]

I see what you're doing here with the optimization, but I think it would be safer to just call auto maxReadQuota = maxReadQuotaForKey(*currKeyIt); at the start of every for loop instead of keeping track of the previous iterator. This avoids issues like the null dereference and is simpler. Worst case we do an extra lookup in a relatively small, in memory hash map, so I'd value the minor perf hit for simplicity here.

[SirTyson]

Good thought! But I don't think this metric is necessary here, as it's already covered by the soroban apply time metrics. Prefetch may "fail" in so far as some keys are not loaded, but we never fail a TX at prefetch time, so we always make it to the apply time metrics anyway.

[SirTyson]

I think it would be useful to rename lkToTx to something like meteredLedgerKeyToTx. This indicates that this field only contains metered keys and that classic keys should not be part of this set. With this naming, I'd initially expect all keys to be in this set.

[SirTyson]

nit: lowerCamelCase

[SirTyson]

This is unnecessary, just call cd_value.bytes().resize(size)

[SirTyson]

Instead of using a literal, you should use cfg.EXPERIMENTAL_BUCKETLIST_DB_INDEX_PAGE_SIZE_EXPONENT

[SirTyson]

I'm not sure what this for loop is doing, all Buckets either have a page size determined by the cfg or a page size of 0 if they are individually index, you can remove it.

[SirTyson]

This test is pretty hard to follow, I think it would be easier if we chatted and you walked me through it.

[dmkozh]

What does this function have to do with the limits (as the name suggests)?

[dmkozh]

nit: Using .find would be more optimal here (no need to call count above), also there's no need to check if lkToTx is empty.

[dmkozh]

It's not correct to add anything to the entry size as the read limit only accounts for the entry sizes.

[dmkozh]

Can we add a test for this? I don't think we need to involve classic, it should be sufficient to access the source account of some tx from the footprint, right?

[dmkozh]

Can this be const?

[dmkozh]

This logic should be common for all Soroban ops. Moreover, it really belongs to the transaction layer, as resources are defined at transaction level (not operation level).

[dmkozh]

That's not correct, only entry sizes are accounted for.

[dmkozh]

TTL entries are not counted towards the transaction read byte limit (we generally don't want users to care about them). So we should not count them towards the limits here as well.

[dmkozh]

We should skip TTL entry size here (see the similar comment in Bucket.cpp )

[dmkozh]

I don't fully understand the prefetch flows; is there any way to avoid logic duplication between this and Bucket.cpp?

[anupsdf]

While discussing pre-fetching work with Marta and Nico, a suggestion came up to have separation of phases (classic phase and Soroban phase) when pre-fetching entries. This will help us have better metrics on IO and also help in future parallelization work.
(Already discussed with Tom)

[SirTyson]

Looking good overall! The structure is a lot simpler and easier to follow, nice job! I think there's a few areas where you can further simplify the metering interface and hide some of the internal details a bit more.

Staging wise, I think we can punt on the partial deserialization in this PR and follow up on it later. I think we're pretty close! No significant issues as far as I can tell. Biggest thing missing is an end-to-end test at the LedgerTxn level, but after that I think we'll be good to go!

[SirTyson]

Nit: No need for constructor, just default construct these in the header file.

[SirTyson]

Unused includes:

#include "util/UnorderedMap.h"
#include "util/UnorderedSet.h"

[SirTyson]

You don't need to include this here, just forward declare LedgerKeyMeter.

[SirTyson]

We don't need to include this here, forward declare LedgerKeyMeter instead.

[SirTyson]

auto const& entry = entries.at(i)

[SirTyson]

Additional edge case here: add new TX with a greater read quota than tx 1

[SirTyson]

Additional edge case: consume more than the read quota for a given key.

[SirTyson]

I don't think we need to call this in a loop, I think you can just run all these tests once since the inner body is just dealing with a single TX and key at a time.

[SirTyson]

These tests are off to a good start and are much easier to follow! I think we should add one more end-to-end test case in this file, you probably want to test the following sections inside of it:

1. Prefetch a mix of soroban and classic keys, all keys have enough quota
2. Prefetch a mix of keys, some keys don't have quota
3. Prefetch a mix of keys, keys have quota, but some indiviual TXs don't have quota.

Ideally, these tests would be as high level as possible.

[SirTyson]

Soroban prefetching should only be supported with BucketListDB, so need to change this to if (isSoroban() && isUsingBucketsDB()). We might need to through in a few more additional BucketsDB checks (and a few asserts might not hurt too).

[SirTyson]

Looking very close! I think the implementation is mostly correct, just one bug and a few nit picks. The tests also look good (I like the higher level tests much better!), but I still think there's a few areas where we need some more coverage.

[SirTyson]

Nit: In general, I like to avoid default arguments, they can lead to footguns and misunderstanding down the line.

[SirTyson]

Why default to null? If anything I think prefetchSoroban should assert that lkMeter is not null. Is there ever a condition we would call prefetchSoroban and not want metering?

[SirTyson]

Why not have tx call addTxn inside TransactionFrame::insertKeysForTxApply? I think this would clean up the interface a bit and you wouldn't need the extra copy UnorderedSet<LedgerKey> txKeys;, since TransactionFrame could populate directly into lkMeter and sorobanKeys at the same time.

[ThomasBrady]

that works. I was hesitant to change the interface for TransactionFrame, but that is much cleaner.

[SirTyson]

Nit: maybe reword this function slightly to make it more clear that the key could not be loaded due to insufficient resources, as isNotLoaded to me implies that the key may be loaded later, could not be loaded because it does not exist, etc. Maybe something like loadFailed.

[SirTyson]

Nit: We use mMemberName for classes and memberName for small structs. This is a bit of a grey space, but I think this class is complex enough to warrant the mMemberName.

[SirTyson]

We can remove this if check since cfg.EXPERIMENTAL_BUCKETLIST_DB == true always for this test.

[SirTyson]

A comment explaining this offset would be very helpful.

[SirTyson]

Why are we doing this again for lkMeter2? Cant we just use lkMeter?

[ThomasBrady]

I wanted to be sure there was no residual quota left in the meter. In the non-test usecase we never re-use the meter, it is constructed for each prefetch separately as the quotas should not persist across calls.

[SirTyson]

This check is redundant with the if (expectedFailedKeys2.find(k) != expectedFailedKeys2.end()) check below.

[SirTyson]

If I understand correctly, it looks like "Soroban Prefetch" tests the following case:
All txs have 1 unique Soroban metered key (as in no TTL entry). Some txs have enough resources, some do not. Check that they are loaded or not loaded properly. No TXs have overlapping keys.

I see you have some additional edge cases covered in the LedgerKeyMeter tests which is good, but I'd like to see this edge cases tested more end to end at the ledgertxn level. I think adding the following cases to "Soroban Prefetch" would be helpful (even if some of these are redundant with "LedgerKeyMeter tests":

1. Mix of metered soroban and classic keys
2. Multiple TXs referencing the same key, some of which have enough resource and some do not. I think it would be interesting if there was a TX that read 3 keys and only ran out of budget on the last one. Then maybe another TX that only reads failed key from the previous TX but has enough budget. Just interesting permutations of TXs that are overlapping that have a few keys instead of just one key.
3. Live cached entries are metered
4. Dead cached entries (i.e. null entries) are not metered (this is currently not working)
5. TTL keys are not metered

[SirTyson]

Looks great! A few minor nitpics and one implementation bug. I think everything looks like it working! The LkMeter interface in particular has improved a lot and is easy to follow, thanks for all the iterations. I'd like to see a little refactoring and cleanup of the test cases so they're a little easier to follow and have less redundant code, but I think we should be able to merge after that :)

[SirTyson]

Exclude CONFIG_SETTING here too.

[SirTyson]

This check isn't quite right, it should be

if (tx->isSoroban()) {
    if (isUsingBucketListDB()) {
    ...

Currently, if we have a soroban TX but the node isn't running BucketListDB, we will still insert any classic keys from the footprint into classicKeys, and these reads will be unmetered. We should not call insertKeysForTxApply on Soroban TXs when BucketListDB is disabled.

[SirTyson]

Nit: This constructor can be removed. Just default initialize these values in the member declaration.

[SirTyson]

What are you trying to accomplish with this deletion? If you want to remove copying and/or moving, you should look use util/NonCopyable.h.

[ThomasBrady]

I don't want this class to be accidentally copied. I can't see a case where that would be desired (but several cases where we might accidentally copy it and then update the quotas across several meters).

[ThomasBrady]

I've made this class inherit from NonMovableOrCopyable, should I also add enable_shared_from_this<LedgerKeyMeter> ?

[SirTyson]

I don't think we need to create a shared_ptr from within any of the LedgerKeyMeter functions, so enable_shared_from_this<LedgerKeyMeter> shouldn't be necessary.

[SirTyson]

Typo: indices

[SirTyson]

Nit: You can avoid 2 lookups here if you do:

auto iter = mLedgerKeyToTxs.find(key);
if (iter == end) ...

iter->second.insert(txId);

Alternatively, because we explicitly want to create a new entry in mLedgerKeyToTxs, this is the one scenario where the [] operator may be appropriate. Still, [] is footgunny, so I don't mind the iterator approach here either.

[SirTyson]

Needs to be reverted.

[SirTyson]

Each Soroban type key in the footprint also has a TTL key implicitly included in the footprint that we also need to prefetch. For each key in the footprint, if it's a Soroban key, we need to add its TTL key to the prefetch set.

[SirTyson]

Happy to see some great test coverage here! I think you have good cases covered, but it's a little hard to follow (and will be hard to debug if something breaks) given how every test case in condensed and tested into a single run. I think if you break this into pieces where each interesting edge case is it's own SECTION, it will be easier to follow, easier to setup, and we'll know what we need to debug if something fails. Right now if we break something, it will be difficult to determine what edge case we're hitting. I think if we do it like this, we can also condense LedgerTxnRoot prefetch soroban entries edge cases with LegerTxnRoot prefetch soroban entries to prevent copy-pasting lambdas and other setup code.

[SirTyson]

Pretty close! I think we need to do another pass on one test case. I think we can simplify it more, and we need to tighten some of the checks. For example, we don't actually check that keys that have insufficient quota are not loaded. I think if we simplify this test a bit, we'll be able to tighten some of the checks and make this possible.

[SirTyson]

Nit: SorobanResources const&

[SirTyson]

Nit: SorobanResources const&

[SirTyson]

Curr XDR changes also need to be reverted.

[SirTyson]

Also need to insert TTL keys for readWrite footprint entries.

[SirTyson]

Should be auto &

[SirTyson]

This function should take a set of expectedSuccess keys.

[SirTyson]

Once we pass in an explicit expectedSuccess instead of generating one in addTxn, we can enforce this more tightly with REQUIRE(numLoadedCold == expectedSuccessKeys.size());

[SirTyson]

This check is redundant, REQUIRE(txle); is sufficient.

[SirTyson]

After the load loop, we need to check prefetch hit rate to make sure it's 100% to ensure that the keys we loaded in the loop were actually in the cache.

[SirTyson]

I don't think we actually need to check this here. It will simplify the test case, and we already have coverage in the classic prefetch tests. The soroban specific prefetch logic just uses the same cache eviction library as the classic prefetch.

[SirTyson]

I don't think this is quite right. We want to make sure that deadKeys don't count towards quota, so this should just be a single call to addTxn(0, tx1Entries, deadKeys)

[SirTyson]

For this test, the key we expect to succeed is whichever key is lexographically smaller. Note that you can use < to compare LedgerKey types.

[SirTyson]

LGTM! A few small cleanups in the test then I think we're done :)

[SirTyson]

Remove allEntries and expectedFailedKeys, as they are not used.

[SirTyson]

Technically classic entries are always strictly less than Soroban entry types, so you can just leave a comment that says the smallest entry will get loaded first successfully and point in the classicEntry instead of doing this if check.

[SirTyson]

While TTL keys should be in keysToPrefetch, they should not be in the footprint.

[SirTyson]

Instead of a set of size 1, just make the dead key a single CONTRACT_DATA key. This will guarantee uniqueness against the other generated keys and will make our footprint valid.

[SirTyson]

The TTL entry should be included in all tests (every where that contractDataEntry is present).

[SirTyson]

Sorry I missed this last iteration, but we don't actually need this loop at all. The hotCache assert with 100% hit rate is sufficient to show that the first prefetch loaded all entries correctly.

[ThomasBrady]

If I don't call ltx2.load(k), then the hit rate will be zero as nothing has been loaded. I guess I don't need the assertion tho.

[SirTyson]

Ah, I thought the prefetch itself contributed to the hit rate, but I guess it's just loads after the prefetch, thanks!

[SirTyson]

LGTM! Just one final cleanup. The commit history has gotten a little long, so you should also squash and rebase into one or two commits (we don't want to keep all the review back and forth, but we still want to maintain different commits for discrete logical changes). We also need to investigate why the CI is currently failing.

[SirTyson]

allEntries is unused and can be removed (you can just use tx1Entries to populate expectedSuccessKeys).

[sisuresh]

Does this mean the key size is only taken into account if we can't load the entry?

[ThomasBrady]

This is an optimization. At this point we know that the size of the key exceeds the remaining quota for all transactions which contain it, so we do not read the entry. We consume keySize (i.e. set the remaining quota to zero) for all transactions containing this key, so that next time canLoad is called with keys in the same transaction(s) it will return false. (Note its possible some of those keys are included in other within-quota transactions, in which case canLoad would return true)

[sisuresh]

Ah ok so you use the keySize in canLoad because the key is guaranteed to be smaller than the entry, and then you clear the quotas (you're using keySize because you know keySize is enough to clear every quota, but max int would work as well). Maybe clarify this in the comments?

[ThomasBrady]

I updated the comment to say:

                // If the transactions containing this key have a remaining
                // quota less than the size of the key, we cannot load the
                // entry, as xdr_size(key) <= xdr_size(entry). Here we consume
                // keySize bytes from the quotas of transactions containing the
                // key so that they will have zero remaining quota and
                // additional entries belonging to only those same transactions
                // will not be loaded even if they would fit in the remaining
                // quota before this update.                

Is that sufficient?

[dmkozh]

I feel like this function would benefit from and overload or default parameter, as to avoid the confusing nullptr passed around.

[dmkozh]

I don't see any changes here

[ThomasBrady]

Sorry! done now 😄

[marta-lokhova]

Curious to see perf results on various catchup segments 👀

[ThomasBrady]

Here's a doc with some tracy screenshots comparing catchup over 1000 ledgers on master, on this branch, and on master prefetching soroban ops with no metering. https://docs.google.com/document/d/1sWkABl7yimTWx99YW5qUi-8PiINO6_VBPwbXs1w9B9Q/edit

[marta-lokhova]

looks like CI is failing, any idea what's going on there?

[marta-lokhova]

Could you also squash commits please?

[marta-lokhova]

this is quite an error-prone way to store key <> tx mappings, as you have to update two data structures, and a tx is implicitly tied to the vector index (so if the index changes, it breaks the map). could we have a single map of keys mapped to {txHash, byte limit}?

[ThomasBrady]

With a single map, in order to update the byte limit after reading key A I would have to iterate over all other keys, and all transactions associated with each key and update the limits separately. That's less efficient and more error prone imo

[ThomasBrady]

Are envisioning something like this map<LedgerKey, vector<pair<Hash, size_t>>> ?

[marta-lokhova]

I mean, if perf is an issue with a single data structure, you can always re-arrange it into two like tx hash -> byte limit and key -> vector<tx hash>. The gist of my comment was that relying on indexes to implicitly represent transactions is error-prone and quite confusing; there doesn't seem to be any harm in using explicit IDs for transactions, right?

[ThomasBrady]

I had originally used hash, but @SirTyson suggested using indices #4178 (comment)

[ThomasBrady]

This saves space, but more importantly is more straightforward, as there's some inconsistencies between using getFullHash and getContentsHash. This also let's you convert UnorderedMap<Hash, uint32_t> txReadBytes to std::vector<uint32_t> where the index into the vector corresponds to txID.

[marta-lokhova]

hah :) I was thinking using hashes is lot more straightforward, since you know exactly what you're mapping. Not sure saving space matters here, we're talking a few extra bytes, right? I mean if ya'll feel strongly, lmk, just feels like there's more opportunity for bugs this way

[ThomasBrady]

Its both a space saving and a (albeit small) optimization, as we have a constant index into the vector<size_t> txReadBytes instead of a worst-case linear lookup in the UnorderedMap<Hash, uint32_t>. I don't feel very strongly either way, but seeing as this is an internal data structure that is only modified indirectly by the public functions of LedgerKeyMeter, I don't think the current approach is that error prone but I'm happy to change it back to Hashes 🤷

[dmkozh]

LGTM, but there is one minor comment that hasn't been addressed.