[BFT] ReceiptValidator ensures k receipts committing to the execution result

[durkmurder]

https://github.com/dapperlabs/flow-go/issues/6863

Context

As summarized in the issue currently ReceiptValidator is not ensuring that an execution result was actually executed, by not checking the availability of receipt we allow a malicious leader to incorporate made-up execution results. This PR fixes is by introducing a parameter k which controls how many different execution receipts have to be committing to the execution result

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (456c131) 56.31% compared to head (103de18) 56.30%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5050      +/-   ##
==========================================
- Coverage   56.31%   56.30%   -0.01%     
==========================================
  Files         976      976              
  Lines       91752    91761       +9     
==========================================
- Hits        51673    51670       -3     
- Misses      36253    36265      +12     
  Partials     3826     3826              

Flag	Coverage Δ
unittests	56.30% <100.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jordanschalm]

Looks great, however I think we can simplify by removing the parameter k.

My interpretation of the issue is that k was meant to abstractly describe the set of valid payload inputs the implementation needs to accept, not to actually be a parameter we add to the implementation. I don't think there is a need for k to be configurable.

[jordanschalm]

I think we can remove this test case. If k is constant, then this is equivalent to the previous test.

[durkmurder]

oh, alright, I thought that it's useful for some BFT cases in future development. I will remove it.

[jordanschalm]

I think it is still worthwhile to test both valid cases:

• Proposer includes result and 1 receipt in block
• Proposer includes result and multiple receipts in block

[durkmurder]

added it back 856c8cc

[jordanschalm]

🎸

[AlexHentschel]

great code and detailed test 🎵

[AlexHentschel]

In this function ValidatePayload, we are checking the protocol compliance of all the results in the payload. Anything that violates protocol rules makes the entire block invalid. I think arguing at that level is totally fine. I don't think we need to go into the details of parent-children relationship (tbh, I didn't follow that argument about parent-children relationship ... it might have well been me adding or suggesting this comment).

Suggested change

	// first validate all results that were included into payload
	// if one of results is invalid we fail the whole check because it could be violating
	// parent-children relationship
	// if one of results is invalid we fail the whole check because it could be violating parent-children relationship
	// each execution
	// Validate all results that are incorporated into the payload. If one is malformed, the entire block is invalid.

[AlexHentschel]

I think it would help to extend this description a bit.

Suggested change

	// TestValidateReceiptResultHasEnoughReceipts tests a case where a leader incorporates an execution result
	// into their proposal, which has multiple receipts and ReceiptValidator accepts it as valid payload.
	// TestValidateReceiptResultHasEnoughReceipts tests the happy path of a block proposal, where a leader
	// includes multiple Execution Receipts that commit to the same result. In this case, the Flow protocol
	// prescribes that
	// - the Execution Result is only incorporated once
	// - from each Receipt the `ExecutionReceiptMeta` is to be included
	//
	// The validator is expected to accept such Payload as valid.