Add QBFT manager

[dknopik]

Refactor the current qbft crate to be sync and general purpose and create qbft_manager which integrates into the client architecture such as the processor. This module is going to be used by the validator store (to trigger QBFT instances) and the network (to pass on network messages related to QBFT).

There is still quite a bit to do to clean this up, but this initial version should be able to get us going.

Depends on #76.

[jking-aus]

This is excellent work mate -- tonnes of great additions, in particular I like the idea of splitting out the instance manager from the consensus mechanism. Probably two or three PRs of work here tbh

[jking-aus]

could this panic if committee.len = 0? assume there is a sanity check somewhere to prevent this

[dknopik]

Actually - yes, modulo/remainder panics if the len is 0. And no, I don't think this is currently checked 😅 - I will extend the validation done by the config builder.

[diegomrsantos]

I see there's some overlapping with https://github.com/sigp/anchor/pull/80/files#diff-46abd9dbbf9cc4366e3258211d1bf4ff7fce2df918e1e870e607150429fc97a2

[dknopik]

Yeah, this was just a rough draft for my understanding as the comment says - we should probably switch to yours :)

[diegomrsantos]

There are better things in your code, like using an Enum for the raw data. We could keep both for now, but think about a way of merging them and where it should be in the code. Should we use the same type for the data parsed from the network and the one used in application logic?

[dknopik]

We should probably use them in application code as well. In some cases, we rely on them being the same as networking messages - for example, PREPARE and COMMIT messages refer to the full data by hash, so we need the messages to be identical to the format used by go-ssv so that the hashes agree.

I propose we both merge our versions and then align them in an own PR. Intuitively, I would put them in ssv_types, but we can figure that out then :)

[diegomrsantos]

What about the full_data is passed as raw bytes to the application and the decoding is done there?

[dknopik]

In my opinion, the network stack should verify that full_data is actually a valid object, so that illegal messages with junk data are not further gossiped. But I am not sure if that is actually done by go-ssv...

[dknopik]

But yeah, I think we will (unfortunately) need some kind of type separation - we can only decode as soon as we know the data version (i.e. fork) that is specified in the message itself

[diegomrsantos]

It's possible to create a valid object with junk data anyway. I believe the more comprehensive validation in Gossipsub is done by the application.

[diegomrsantos]

This is possibly related https://docs.rs/libp2p-gossipsub/latest/libp2p_gossipsub/struct.Behaviour.html#method.report_message_validation_result

[diegomrsantos]

Should those fields be private?

[dknopik]

No, IMO users should be able to use the Config directly instead of using the builder

[dknopik]

(but then we should probably move the validation)

[diegomrsantos]

No, IMO users should be able to use the Config directly instead of using the builder

In this way, I don't see the point of the builder.

[dknopik]

The Builder is for ease of use when default values are desired. As the defaults are dependent on other values, a Default impl does not suffice.

[diegomrsantos]

The purpose of this builder pattern I mentioned is to facilitate the creation of an immutable config instance making it clearer what fields are required and optional, as well as centralizing the validation.

[dknopik]

Okay, fair point 👍

[diegomrsantos]

We could add this to the beginning of this impl

    /// Private constructor so it can only be built by our `ConfigBuilder`.
    fn from_builder(builder: &ConfigBuilder<F>) -> Self {
        Self {
            operator_id: builder.operator_id,
            instance_height: builder.instance_height,
            committee_members: builder.committee_members.clone(),
            round: builder.round,
            round_time: builder.round_time,
            max_rounds: builder.max_rounds,
            quorum_size: builder.quorum_size,
            leader_fn: builder.leader_fn.clone(),
        }
    }

[diegomrsantos]

I noticed that the constructor is doing more than just initializing data structures - start_round() is changing state and sending messages. It might be cleaner and easier to work with if construction and execution were kept separate. This way, the caller can control when the QBFT process starts, and it could also make testing simpler. What do you think?

[dknopik]

Not calling start_round leaves the instance in an invalid state, inviting misuse. I'd prefer to leave it here.

[diegomrsantos]

Why does the constructor create an instance in an invalid state?

[dknopik]

ah, sorry, got confused, you are right! should be fine without, even if messages come in without calling it. so yeah, we can change it.

[jking-aus]

valid comment but let's merge this in first

[diegomrsantos]

Is it worth creating an issue to address that?

[diegomrsantos]

pub trait Hashable: Debug + Clone {
    type Digest: Debug + Clone + Eq + Hash;
    
    fn digest(&self) -> Self::Digest;
}

What do you think about it? The motivation is to make the trait name more descriptive and avoid using Hash twice - it seems like a recursive definition.

[dknopik]

I named it Data intentionally, as it does more than hashing through the bounds on Debug and Clone.

I don't have a strong opinion on Digest vs Hash, so feel free to change it.

[diegomrsantos]

do we need those?

[dknopik]

yeah, at least the test need to access the builder data (now that it is impossible to update the Config, see c742d1d)

I am unsure if we now ended up with the most ergonomic/clean setup, but I think it's fine for now. We can revisit it later.

[jking-aus]

great work daniel - lots of good discussion as well

[Zacholme7]

why are we calling the corresponding receive after each send?