From 47a20d636ea4e988e0cb9e986b577b566b52f549 Mon Sep 17 00:00:00 2001
From: Michael Vines <mvines@gmail.com>
Date: Mon, 27 Apr 2020 10:22:49 -0700
Subject: [PATCH 01/67] Save/restore Tower

---
 core/benches/consensus.rs             |  36 ++++
 core/src/consensus.rs                 | 271 +++++++++++++++++++++++++-
 core/src/replay_stage.rs              |  27 ++-
 core/src/tvu.rs                       |   5 +
 core/src/validator.rs                 |  65 +++++-
 local-cluster/tests/local_cluster.rs  | 123 +++++++++++-
 multinode-demo/bootstrap-validator.sh |   1 +
 multinode-demo/validator.sh           |   1 +
 run.sh                                |   1 +
 validator/src/main.rs                 |   7 +
 10 files changed, 511 insertions(+), 26 deletions(-)
 create mode 100644 core/benches/consensus.rs

diff --git a/core/benches/consensus.rs b/core/benches/consensus.rs
new file mode 100644
index 00000000000000..64035f4c3af177
--- /dev/null
+++ b/core/benches/consensus.rs
@@ -0,0 +1,36 @@
+#![feature(test)]
+
+extern crate solana_core;
+extern crate test;
+
+use solana_core::consensus::Tower;
+use solana_runtime::bank::Bank;
+use solana_runtime::bank_forks::BankForks;
+use solana_sdk::{
+    pubkey::Pubkey,
+    signature::{Keypair, Signer},
+};
+use std::sync::Arc;
+use tempfile::TempDir;
+use test::Bencher;
+
+#[bench]
+fn bench_save_tower(bench: &mut Bencher) {
+    let dir = TempDir::new().unwrap();
+    let path = dir.path();
+
+    let vote_account_pubkey = &Pubkey::default();
+    let node_keypair = Arc::new(Keypair::new());
+    let heaviest_bank = BankForks::new(Bank::default()).working_bank();
+    let tower = Tower::new(
+        &node_keypair.pubkey(),
+        &vote_account_pubkey,
+        0,
+        &heaviest_bank,
+        &path,
+    );
+
+    bench.iter(move || {
+        tower.save(&node_keypair).unwrap();
+    });
+}
diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 249853cc0914c8..8b509d2a7759df 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -3,6 +3,7 @@ use crate::{
     pubkey_references::PubkeyReferences,
 };
 use chrono::prelude::*;
+use solana_ledger::{blockstore::Blockstore, blockstore_db};
 use solana_runtime::{bank::Bank, bank_forks::BankForks, commitment::VOTE_THRESHOLD_SIZE};
 use solana_sdk::{
     account::Account,
@@ -10,6 +11,7 @@ use solana_sdk::{
     hash::Hash,
     instruction::Instruction,
     pubkey::Pubkey,
+    signature::{Keypair, Signature, Signer},
 };
 use solana_vote_program::{
     vote_instruction,
@@ -17,9 +19,13 @@ use solana_vote_program::{
 };
 use std::{
     collections::{HashMap, HashSet},
+    fs::{self, File},
+    io::BufReader,
     ops::Bound::{Included, Unbounded},
-    sync::{Arc, RwLock},
+    path::{Path, PathBuf},
+    sync::Arc,
 };
+use thiserror::Error;
 
 #[derive(PartialEq, Clone, Debug)]
 pub enum SwitchForkDecision {
@@ -57,6 +63,8 @@ impl SwitchForkDecision {
 pub const VOTE_THRESHOLD_DEPTH: usize = 8;
 pub const SWITCH_FORK_THRESHOLD: f64 = 0.38;
 
+pub type Result<T> = std::result::Result<T, TowerError>;
+
 pub type Stake = u64;
 pub type VotedStakes = HashMap<Slot, Stake>;
 pub type PubkeyVotes = Vec<(Pubkey, Slot)>;
@@ -72,7 +80,7 @@ pub(crate) struct ComputedBankState {
 }
 
 #[frozen_abi(digest = "2ZUeCLMVQxmHYbeqMH7M97ifVSKoVErGvRHzyxcQRjgU")]
-#[derive(Serialize, AbiExample)]
+#[derive(Clone, Serialize, Deserialize, Debug, PartialEq, AbiExample)]
 pub struct Tower {
     node_pubkey: Pubkey,
     threshold_depth: usize,
@@ -80,6 +88,8 @@ pub struct Tower {
     lockouts: VoteState,
     last_vote: Vote,
     last_timestamp: BlockTimestamp,
+    #[serde(skip)]
+    save_path: PathBuf,
 }
 
 impl Default for Tower {
@@ -91,6 +101,7 @@ impl Default for Tower {
             lockouts: VoteState::default(),
             last_vote: Vote::default(),
             last_timestamp: BlockTimestamp::default(),
+            save_path: PathBuf::default(),
         }
     }
 }
@@ -101,13 +112,19 @@ impl Tower {
         vote_account_pubkey: &Pubkey,
         root: Slot,
         heaviest_bank: &Bank,
+        save_path: &Path,
     ) -> Self {
-        let mut tower = Self::new_with_key(node_pubkey);
+        let mut tower = Self {
+            node_pubkey: *node_pubkey,
+            save_path: PathBuf::from(save_path),
+            ..Tower::default()
+        };
         tower.initialize_lockouts_from_bank_forks(vote_account_pubkey, root, heaviest_bank);
 
         tower
     }
 
+    #[cfg(test)]
     pub fn new_with_key(node_pubkey: &Pubkey) -> Self {
         Self {
             node_pubkey: *node_pubkey,
@@ -363,6 +380,14 @@ impl Tower {
         self.lockouts.root_slot
     }
 
+    pub fn last_lockout_vote_slot(&self) -> Option<Slot> {
+        self.lockouts
+            .votes
+            .iter()
+            .max_by(|x, y| x.slot.cmp(&y.slot))
+            .map(|v| v.slot)
+    }
+
     // a slot is recent if it's newer than the last vote we have
     pub fn is_recent(&self, slot: Slot) -> bool {
         if let Some(last_voted_slot) = self.lockouts.last_voted_slot() {
@@ -579,13 +604,11 @@ impl Tower {
     }
 
     pub(crate) fn find_heaviest_bank(
-        bank_forks: &RwLock<BankForks>,
+        bank_forks: &BankForks,
         node_pubkey: &Pubkey,
     ) -> Option<Arc<Bank>> {
-        let ancestors = bank_forks.read().unwrap().ancestors();
+        let ancestors = bank_forks.ancestors();
         let mut bank_weights: Vec<_> = bank_forks
-            .read()
-            .unwrap()
             .frozen_banks()
             .values()
             .map(|b| {
@@ -637,6 +660,14 @@ impl Tower {
         bank_weight
     }
 
+    pub fn adjust_lockouts_if_newer_root(&mut self, root_slot: Slot) {
+        let my_root_slot = self.lockouts.root_slot.unwrap_or(0);
+        if root_slot > my_root_slot {
+            self.lockouts.root_slot = Some(root_slot);
+            self.lockouts.votes.retain(|v| v.slot > root_slot);
+        }
+    }
+
     fn initialize_lockouts_from_bank_forks(
         &mut self,
         vote_account_pubkey: &Pubkey,
@@ -667,6 +698,113 @@ impl Tower {
             );
         }
     }
+
+    pub fn get_filename(path: &Path, node_pubkey: &Pubkey) -> PathBuf {
+        PathBuf::from(path)
+            .join(format!("tower-{}", node_pubkey))
+            .with_extension("bin")
+    }
+
+    pub fn save(&self, node_keypair: &Arc<Keypair>) -> Result<()> {
+        if self.node_pubkey != node_keypair.pubkey() {
+            return Err(TowerError::WrongTower(format!(
+                "node_pubkey is {:?} but found tower for {:?}",
+                node_keypair.pubkey(),
+                self.node_pubkey
+            )));
+        }
+
+        fs::create_dir_all(&self.save_path)?;
+        let filename = Self::get_filename(&self.save_path, &self.node_pubkey);
+        let new_filename = filename.with_extension("new");
+        {
+            let mut file = File::create(&new_filename)?;
+            let saveable_tower = SavedTower::new(self, node_keypair)?;
+            bincode::serialize_into(&mut file, &saveable_tower)?;
+        }
+        fs::rename(&new_filename, &filename)?;
+        Ok(())
+    }
+
+    pub fn restore(save_path: &Path, node_pubkey: &Pubkey) -> Result<Self> {
+        let filename = Self::get_filename(save_path, node_pubkey);
+
+        let file = File::open(&filename)?;
+        let mut stream = BufReader::new(file);
+
+        let saved_tower: SavedTower = bincode::deserialize_from(&mut stream)?;
+        if !saved_tower.verify(node_pubkey) {
+            return Err(TowerError::InvalidSignature);
+        }
+        let mut tower = saved_tower.deserialize()?;
+        tower.save_path = save_path.to_path_buf();
+
+        // check that the tower actually belongs to this node
+        if &tower.node_pubkey != node_pubkey {
+            return Err(TowerError::WrongTower(format!(
+                "node_pubkey is {:?} but found tower for {:?}",
+                node_pubkey, tower.node_pubkey
+            )));
+        }
+        Ok(tower)
+    }
+}
+
+#[derive(Error, Debug)]
+pub enum TowerError {
+    #[error("IO Error: {0}")]
+    IOError(#[from] std::io::Error),
+
+    #[error("Serialization Error: {0}")]
+    SerializeError(#[from] Box<bincode::ErrorKind>),
+
+    #[error("The signature on the saved tower is invalid")]
+    InvalidSignature,
+
+    #[error("The tower does not match this validator: {0}")]
+    WrongTower(String),
+}
+
+#[derive(Default, Clone, Serialize, Deserialize, Debug, PartialEq)]
+pub struct SavedTower {
+    signature: Signature,
+    data: Vec<u8>,
+}
+
+impl SavedTower {
+    pub fn new<T: Signer>(tower: &Tower, keypair: &Arc<T>) -> Result<Self> {
+        let data = bincode::serialize(tower)?;
+        let signature = keypair.sign_message(&data);
+        Ok(Self { data, signature })
+    }
+
+    pub fn verify(&self, pubkey: &Pubkey) -> bool {
+        self.signature.verify(pubkey.as_ref(), &self.data)
+    }
+
+    pub fn deserialize(&self) -> Result<Tower> {
+        bincode::deserialize(&self.data).map_err(|e| e.into())
+    }
+}
+
+// Given an untimely crash, tower may have roots that are not reflected in blockstore because
+// `ReplayState::handle_votable_bank()` saves tower before setting blockstore roots
+pub fn reconcile_blockstore_roots_with_tower(
+    tower: &Tower,
+    blockstore: &Blockstore,
+) -> blockstore_db::Result<()> {
+    if let Some(tower_root) = tower.root() {
+        let last_blockstore_root = blockstore.last_root();
+        if last_blockstore_root < tower_root {
+            let new_roots: Vec<_> = blockstore
+                .slot_meta_iterator(last_blockstore_root + 1)?
+                .map(|(slot, _)| slot)
+                .take_while(|slot| *slot <= tower_root)
+                .collect();
+            blockstore.set_roots(&new_roots)?
+        }
+    }
+    Ok(())
 }
 
 #[cfg(test)]
@@ -681,6 +819,7 @@ pub mod test {
         progress_map::ForkProgress,
         replay_stage::{HeaviestForkFailures, ReplayStage},
     };
+    use solana_ledger::{blockstore::make_slot_entries, get_tmp_ledger_path};
     use solana_runtime::{
         bank::Bank,
         bank_forks::BankForks,
@@ -693,7 +832,14 @@ pub mod test {
         vote_state::{Vote, VoteStateVersions, MAX_LOCKOUT_HISTORY},
         vote_transaction,
     };
-    use std::{collections::HashMap, rc::Rc, sync::RwLock};
+    use std::{
+        collections::HashMap,
+        fs::{remove_file, OpenOptions},
+        io::{Read, Seek, SeekFrom, Write},
+        rc::Rc,
+        sync::RwLock,
+    };
+    use tempfile::TempDir;
     use trees::{tr, Tree, TreeWalk};
 
     pub(crate) struct VoteSimulator {
@@ -1837,4 +1983,113 @@ pub mod test {
         tower.last_timestamp.timestamp += 1_000_000; // Move last_timestamp well into the future
         assert!(tower.maybe_timestamp(3).is_none()); // slot 3 gets no timestamp
     }
+
+    fn run_test_load_tower_snapshot<F, G>(
+        modify_original: F,
+        modify_serialized: G,
+    ) -> (Tower, Result<Tower>)
+    where
+        F: Fn(&mut Tower, &Pubkey),
+        G: Fn(&PathBuf),
+    {
+        let dir = TempDir::new().unwrap();
+
+        // Use values that will not match the default derived from BankForks
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.save_path = dir.path().to_path_buf();
+
+        let identity_keypair = Arc::new(Keypair::new());
+        modify_original(&mut tower, &identity_keypair.pubkey());
+
+        tower.save(&identity_keypair).unwrap();
+        modify_serialized(&Tower::get_filename(
+            &tower.save_path,
+            &identity_keypair.pubkey(),
+        ));
+        let loaded = Tower::restore(&dir.path(), &identity_keypair.pubkey());
+
+        (tower, loaded)
+    }
+
+    #[test]
+    fn test_load_tower_ok() {
+        let (tower, loaded) =
+            run_test_load_tower_snapshot(|tower, pubkey| tower.node_pubkey = *pubkey, |_| ());
+        assert_eq!(loaded.unwrap(), tower)
+    }
+
+    #[test]
+    fn test_load_tower_wrong_identity() {
+        let identity_keypair = Arc::new(Keypair::new());
+        let tower = Tower::new_with_key(&Pubkey::default());
+        assert_matches!(
+            tower.save(&identity_keypair),
+            Err(TowerError::WrongTower(_))
+        )
+    }
+
+    #[test]
+    fn test_load_tower_invalid_signature() {
+        let (_, loaded) = run_test_load_tower_snapshot(
+            |tower, pubkey| tower.node_pubkey = *pubkey,
+            |path| {
+                let mut file = OpenOptions::new()
+                    .read(true)
+                    .write(true)
+                    .open(path)
+                    .unwrap();
+                let mut buf = [0u8];
+                assert_eq!(file.read(&mut buf).unwrap(), 1);
+                buf[0] += 1;
+                assert_eq!(file.seek(SeekFrom::Start(0)).unwrap(), 0);
+                assert_eq!(file.write(&buf).unwrap(), 1);
+            },
+        );
+        assert_matches!(loaded, Err(TowerError::InvalidSignature))
+    }
+
+    #[test]
+    fn test_load_tower_deser_failure() {
+        let (_, loaded) = run_test_load_tower_snapshot(
+            |tower, pubkey| tower.node_pubkey = *pubkey,
+            |path| {
+                OpenOptions::new()
+                    .write(true)
+                    .truncate(true)
+                    .open(&path)
+                    .unwrap_or_else(|_| panic!("Failed to truncate file: {:?}", path));
+            },
+        );
+        assert_matches!(loaded, Err(TowerError::SerializeError(_)))
+    }
+
+    #[test]
+    fn test_load_tower_missing() {
+        let (_, loaded) = run_test_load_tower_snapshot(
+            |tower, pubkey| tower.node_pubkey = *pubkey,
+            |path| {
+                remove_file(path).unwrap();
+            },
+        );
+        assert_matches!(loaded, Err(TowerError::IOError(_)))
+    }
+
+    #[test]
+    fn test_reconcile_blockstore_roots_with_tower() {
+        let blockstore_path = get_tmp_ledger_path!();
+        {
+            let blockstore = Blockstore::open(&blockstore_path).unwrap();
+            assert_eq!(blockstore.last_root(), 0);
+
+            let (shreds, _) = make_slot_entries(1, 0, 42);
+            blockstore.insert_shreds(shreds, None, false).unwrap();
+            assert_eq!(blockstore.last_root(), 0);
+
+            let mut tower = Tower::new_with_key(&Pubkey::default());
+            tower.lockouts.root_slot = Some(1);
+            reconcile_blockstore_roots_with_tower(&tower, &blockstore).unwrap();
+            assert_eq!(blockstore.last_root(), 1);
+        }
+        Blockstore::destroy(&blockstore_path).expect("Expected successful database destruction");
+    }
 }
diff --git a/core/src/replay_stage.rs b/core/src/replay_stage.rs
index 347ba1d4cd42f3..a2a0a16a894dd4 100644
--- a/core/src/replay_stage.rs
+++ b/core/src/replay_stage.rs
@@ -219,6 +219,7 @@ impl ReplayStage {
         cluster_info: Arc<ClusterInfo>,
         ledger_signal_receiver: Receiver<bool>,
         poh_recorder: Arc<Mutex<PohRecorder>>,
+        mut tower: Tower,
         vote_tracker: Arc<VoteTracker>,
         cluster_slots: Arc<ClusterSlots>,
         retransmit_slots_sender: RetransmitSlotsSender,
@@ -288,20 +289,6 @@ impl ReplayStage {
                 let mut heaviest_subtree_fork_choice =
                     HeaviestSubtreeForkChoice::new_from_frozen_banks(root, &frozen_banks);
                 let mut bank_weight_fork_choice = BankWeightForkChoice::default();
-                let heaviest_bank = if root > unlock_heaviest_subtree_fork_choice_slot {
-                    bank_forks
-                        .read()
-                        .unwrap()
-                        .get(heaviest_subtree_fork_choice.best_overall_slot())
-                        .expect(
-                            "The best overall slot must be one of `frozen_banks` which all
-                    exist in bank_forks",
-                        )
-                        .clone()
-                } else {
-                    Tower::find_heaviest_bank(&bank_forks, &my_pubkey).unwrap_or(root_bank)
-                };
-                let mut tower = Tower::new(&my_pubkey, &vote_account, root, &heaviest_bank);
                 let mut current_leader = None;
                 let mut last_reset = Hash::default();
                 let mut partition_exists = false;
@@ -1015,7 +1002,15 @@ impl ReplayStage {
         }
         trace!("handle votable bank {}", bank.slot());
         let (vote, tower_index) = tower.new_vote_from_bank(bank, vote_account_pubkey);
-        if let Some(new_root) = tower.record_bank_vote(vote) {
+        let new_root = tower.record_bank_vote(vote);
+        let last_vote = tower.last_vote_and_timestamp();
+
+        if let Err(err) = tower.save(&cluster_info.keypair) {
+            error!("Unable to save tower: {:?}", err);
+            std::process::exit(1);
+        }
+
+        if let Some(new_root) = new_root {
             // get the root bank before squash
             let root_bank = bank_forks
                 .read()
@@ -1075,7 +1070,7 @@ impl ReplayStage {
             bank,
             vote_account_pubkey,
             authorized_voter_keypairs,
-            tower.last_vote_and_timestamp(),
+            last_vote,
             tower_index,
             switch_fork_decision,
         );
diff --git a/core/src/tvu.rs b/core/src/tvu.rs
index 6b06a8a9b11832..489e0768b4f11e 100644
--- a/core/src/tvu.rs
+++ b/core/src/tvu.rs
@@ -10,6 +10,7 @@ use crate::{
     cluster_info_vote_listener::{VerifiedVoteReceiver, VoteTracker},
     cluster_slots::ClusterSlots,
     completed_data_sets_service::CompletedDataSetsSender,
+    consensus::Tower,
     ledger_cleanup_service::LedgerCleanupService,
     poh_recorder::PohRecorder,
     replay_stage::{ReplayStage, ReplayStageConfig},
@@ -90,6 +91,7 @@ impl Tvu {
         ledger_signal_receiver: Receiver<bool>,
         subscriptions: &Arc<RpcSubscriptions>,
         poh_recorder: &Arc<Mutex<PohRecorder>>,
+        tower: Tower,
         leader_schedule_cache: &Arc<LeaderScheduleCache>,
         exit: &Arc<AtomicBool>,
         completed_slots_receiver: CompletedSlotsReceiver,
@@ -203,6 +205,7 @@ impl Tvu {
             cluster_info.clone(),
             ledger_signal_receiver,
             poh_recorder.clone(),
+            tower,
             vote_tracker,
             cluster_slots,
             retransmit_slots_sender,
@@ -301,6 +304,7 @@ pub mod tests {
         let (replay_vote_sender, _replay_vote_receiver) = unbounded();
         let (completed_data_sets_sender, _completed_data_sets_receiver) = unbounded();
         let bank_forks = Arc::new(RwLock::new(bank_forks));
+        let tower = Tower::new_with_key(&target1_keypair.pubkey());
         let tvu = Tvu::new(
             &vote_keypair.pubkey(),
             vec![Arc::new(vote_keypair)],
@@ -322,6 +326,7 @@ pub mod tests {
                 block_commitment_cache.clone(),
             )),
             &poh_recorder,
+            tower,
             &leader_schedule_cache,
             &exit,
             completed_slots_receiver,
diff --git a/core/src/validator.rs b/core/src/validator.rs
index 002b1b7482b3d3..7c4b107ef91d51 100644
--- a/core/src/validator.rs
+++ b/core/src/validator.rs
@@ -6,6 +6,7 @@ use crate::{
     cluster_info::{ClusterInfo, Node},
     cluster_info_vote_listener::VoteTracker,
     completed_data_sets_service::CompletedDataSetsService,
+    consensus::{reconcile_blockstore_roots_with_tower, Tower},
     contact_info::ContactInfo,
     gossip_service::{discover_cluster, GossipService},
     poh_recorder::{PohRecorder, GRACE_TICKS_FACTOR, MAX_GRACE_SLOTS},
@@ -95,6 +96,7 @@ pub struct ValidatorConfig {
     pub accounts_hash_interval_slots: u64,
     pub max_genesis_archive_unpacked_size: u64,
     pub wal_recovery_mode: Option<BlockstoreRecoveryMode>,
+    pub require_tower: bool,
 }
 
 impl Default for ValidatorConfig {
@@ -125,6 +127,7 @@ impl Default for ValidatorConfig {
             accounts_hash_interval_slots: std::u64::MAX,
             max_genesis_archive_unpacked_size: MAX_GENESIS_ARCHIVE_UNPACKED_SIZE,
             wal_recovery_mode: None,
+            require_tower: false,
         }
     }
 }
@@ -253,7 +256,8 @@ impl Validator {
                 cache_block_time_sender,
                 cache_block_time_service,
             },
-        ) = new_banks_from_ledger(config, ledger_path, poh_verify, &exit);
+            tower,
+        ) = new_banks_from_ledger(&id, vote_account, config, ledger_path, poh_verify, &exit);
 
         let leader_schedule_cache = Arc::new(leader_schedule_cache);
         let bank = bank_forks.working_bank();
@@ -475,6 +479,7 @@ impl Validator {
             ledger_signal_receiver,
             &subscriptions,
             &poh_recorder,
+            tower,
             &leader_schedule_cache,
             &exit,
             completed_slots_receiver,
@@ -613,8 +618,19 @@ impl Validator {
     }
 }
 
+fn empty_vote_account(bank: &Arc<Bank>, vote_account: &Pubkey) -> Option<bool> {
+    if let Some(account) = &bank.get_account(vote_account) {
+        if let Some(vote_state) = VoteState::from(&account) {
+            return Some(vote_state.votes.is_empty());
+        }
+    }
+    None
+}
+
 #[allow(clippy::type_complexity)]
 fn new_banks_from_ledger(
+    validator_identity: &Pubkey,
+    vote_account: &Pubkey,
     config: &ValidatorConfig,
     ledger_path: &Path,
     poh_verify: bool,
@@ -628,6 +644,7 @@ fn new_banks_from_ledger(
     LeaderScheduleCache,
     Option<(Slot, Hash)>,
     TransactionHistoryServices,
+    Tower,
 ) {
     info!("loading ledger from {:?}...", ledger_path);
     let genesis_config = open_genesis_config(ledger_path, config.max_genesis_archive_unpacked_size);
@@ -659,6 +676,14 @@ fn new_banks_from_ledger(
         .expect("Failed to open ledger database");
     blockstore.set_no_compaction(config.no_rocksdb_compaction);
 
+    let restored_tower = Tower::restore(ledger_path, &validator_identity);
+    if let Ok(tower) = &restored_tower {
+        reconcile_blockstore_roots_with_tower(&tower, &blockstore).unwrap_or_else(|err| {
+            error!("Failed to reconcile blockstore with tower: {:?}", err);
+            std::process::exit(1);
+        });
+    }
+
     let process_options = blockstore_processor::ProcessOptions {
         poh_verify,
         dev_halt_at_slot: config.dev_halt_at_slot,
@@ -690,6 +715,43 @@ fn new_banks_from_ledger(
         process::exit(1);
     });
 
+    let tower = match restored_tower {
+        Ok(mut tower) => {
+            // The tower root can be older if the validator booted from a newer snapshot, so
+            // tower lockouts may need adjustment
+            tower.adjust_lockouts_if_newer_root(bank_forks.root());
+            tower
+        }
+        Err(err) => {
+            if config.require_tower
+                && empty_vote_account(&bank_forks.working_bank(), &vote_account) != Some(true)
+            {
+                error!("Tower restore failed: {:?}", err);
+                process::exit(1);
+            }
+            info!("Rebuilding tower from the latest vote account");
+            let root_bank = bank_forks.root_bank().clone();
+            let root = root_bank.slot();
+            // is this expected a vote account????
+            let heaviest_bank =
+                Tower::find_heaviest_bank(&bank_forks, &vote_account).unwrap_or(root_bank);
+
+            Tower::new(
+                &validator_identity,
+                &vote_account,
+                root,
+                &heaviest_bank,
+                &ledger_path,
+            )
+        }
+    };
+
+    info!(
+        "Tower state: root slot={:?}, last vote slot={:?}",
+        tower.root(),
+        tower.last_lockout_vote_slot()
+    );
+
     leader_schedule_cache.set_fixed_leader_schedule(config.fixed_leader_schedule.clone());
 
     bank_forks.set_snapshot_config(config.snapshot_config.clone());
@@ -704,6 +766,7 @@ fn new_banks_from_ledger(
         leader_schedule_cache,
         snapshot_hash,
         transaction_history_services,
+        tower,
     )
 }
 
diff --git a/local-cluster/tests/local_cluster.rs b/local-cluster/tests/local_cluster.rs
index f6fecd33e9da92..baf87d44ef30a3 100644
--- a/local-cluster/tests/local_cluster.rs
+++ b/local-cluster/tests/local_cluster.rs
@@ -9,7 +9,7 @@ use solana_client::{
 use solana_core::{
     broadcast_stage::BroadcastStageType,
     cluster_info::VALIDATOR_PORT_RANGE,
-    consensus::{SWITCH_FORK_THRESHOLD, VOTE_THRESHOLD_DEPTH},
+    consensus::{Tower, SWITCH_FORK_THRESHOLD, VOTE_THRESHOLD_DEPTH},
     gossip_service::discover_cluster,
     validator::ValidatorConfig,
 };
@@ -1465,6 +1465,127 @@ fn test_optimistic_confirmation_violation() {
     assert!(output.contains(&expected_log));
 }
 
+#[test]
+#[serial]
+fn test_validator_saves_tower() {
+    solana_logger::setup();
+
+    let validator_config = ValidatorConfig {
+        require_tower: true,
+        ..ValidatorConfig::default()
+    };
+    let validator_identity_keypair = Arc::new(Keypair::new());
+    let validator_id = validator_identity_keypair.pubkey();
+    let config = ClusterConfig {
+        cluster_lamports: 10_000,
+        node_stakes: vec![100],
+        validator_configs: vec![validator_config],
+        validator_keys: Some(vec![validator_identity_keypair.clone()]),
+        ..ClusterConfig::default()
+    };
+    let mut cluster = LocalCluster::new(&config);
+
+    let validator_client = cluster.get_validator_client(&validator_id).unwrap();
+
+    let ledger_path = cluster
+        .validators
+        .get(&validator_id)
+        .unwrap()
+        .info
+        .ledger_path
+        .clone();
+
+    // Wait for some votes to be generated
+    loop {
+        if let Ok(slot) = validator_client.get_slot_with_commitment(CommitmentConfig::recent()) {
+            trace!("current slot: {}", slot);
+            if slot > 2 {
+                break;
+            }
+        }
+        sleep(Duration::from_millis(10));
+    }
+
+    // Stop validator and check saved tower
+    let validator_info = cluster.exit_node(&validator_id);
+    let tower1 = Tower::restore(&ledger_path, &validator_id).unwrap();
+    trace!("tower1: {:?}", tower1);
+    assert_eq!(tower1.root(), Some(0));
+
+    // Restart the validator and wait for a new root
+    cluster.restart_node(&validator_id, validator_info);
+    let validator_client = cluster.get_validator_client(&validator_id).unwrap();
+
+    // Wait for the first root
+    loop {
+        if let Ok(root) = validator_client.get_slot_with_commitment(CommitmentConfig::root()) {
+            trace!("current root: {}", root);
+            if root > 0 {
+                break;
+            }
+        }
+        sleep(Duration::from_millis(50));
+    }
+
+    // Stop validator, and check saved tower
+    let validator_info = cluster.exit_node(&validator_id);
+    let tower2 = Tower::restore(&ledger_path, &validator_id).unwrap();
+    trace!("tower2: {:?}", tower2);
+    assert_eq!(tower2.root(), Some(1));
+
+    // Rollback saved tower to `tower1` to simulate a validator starting from a newer snapshot
+    // without having to wait for that snapshot to be generated in this test
+    tower1.save(&validator_identity_keypair).unwrap();
+
+    cluster.restart_node(&validator_id, validator_info);
+    let validator_client = cluster.get_validator_client(&validator_id).unwrap();
+
+    // Wait for a new root, demonstrating the validator was able to make progress from the older `tower1`
+    loop {
+        if let Ok(root) = validator_client.get_slot_with_commitment(CommitmentConfig::root()) {
+            trace!("current root: {}", root);
+            if root > 1 {
+                break;
+            }
+        }
+        sleep(Duration::from_millis(50));
+    }
+
+    // Check the new root is reflected in the saved tower state
+    let mut validator_info = cluster.exit_node(&validator_id);
+    let tower3 = Tower::restore(&ledger_path, &validator_id).unwrap();
+    trace!("tower3: {:?}", tower3);
+    assert!(tower3.root().unwrap() > 1);
+
+    // Remove the tower file entirely and allow the validator to start without a tower.  It will
+    // rebuild tower from its vote account contents
+    fs::remove_file(Tower::get_filename(&ledger_path, &validator_id)).unwrap();
+    validator_info.config.require_tower = false;
+
+    cluster.restart_node(&validator_id, validator_info);
+    let validator_client = cluster.get_validator_client(&validator_id).unwrap();
+
+    // Wait for a couple more slots to pass so another vote occurs
+    let current_slot = validator_client
+        .get_slot_with_commitment(CommitmentConfig::recent())
+        .unwrap();
+    loop {
+        if let Ok(slot) = validator_client.get_slot_with_commitment(CommitmentConfig::recent()) {
+            trace!("current_slot: {}, slot: {}", current_slot, slot);
+            if slot > current_slot + 1 {
+                break;
+            }
+        }
+        sleep(Duration::from_millis(50));
+    }
+
+    cluster.close_preserve_ledgers();
+
+    let tower4 = Tower::restore(&ledger_path, &validator_id).unwrap();
+    trace!("tower4: {:?}", tower4);
+    assert_eq!(tower4.root(), tower3.root());
+}
+
 fn wait_for_next_snapshot(
     cluster: &LocalCluster,
     snapshot_package_output_path: &Path,
diff --git a/multinode-demo/bootstrap-validator.sh b/multinode-demo/bootstrap-validator.sh
index bb7b007c82be5a..87ce93eae79d94 100755
--- a/multinode-demo/bootstrap-validator.sh
+++ b/multinode-demo/bootstrap-validator.sh
@@ -93,6 +93,7 @@ ledger_dir="$SOLANA_CONFIG_DIR"/bootstrap-validator
 args+=(
   --enable-rpc-exit
   --enable-rpc-set-log-filter
+  --require-tower
   --ledger "$ledger_dir"
   --rpc-port 8899
   --snapshot-interval-slots 200
diff --git a/multinode-demo/validator.sh b/multinode-demo/validator.sh
index 2cebf2a7f9f0b8..b95c4f1c1e0f8f 100755
--- a/multinode-demo/validator.sh
+++ b/multinode-demo/validator.sh
@@ -228,6 +228,7 @@ default_arg --ledger "$ledger_dir"
 default_arg --log -
 default_arg --enable-rpc-exit
 default_arg --enable-rpc-set-log-filter
+default_arg --require-tower
 
 if [[ -n $SOLANA_CUDA ]]; then
   program=$solana_validator_cuda
diff --git a/run.sh b/run.sh
index 74deb4b35580c0..3d244225562c81 100755
--- a/run.sh
+++ b/run.sh
@@ -104,6 +104,7 @@ args=(
   --enable-rpc-exit
   --enable-rpc-transaction-history
   --init-complete-file "$dataDir"/init-completed
+  --require-tower
 )
 solana-validator "${args[@]}" &
 validator=$!
diff --git a/validator/src/main.rs b/validator/src/main.rs
index 6eb8eee2f60dea..ccb7a3cfb28725 100644
--- a/validator/src/main.rs
+++ b/validator/src/main.rs
@@ -794,6 +794,12 @@ pub fn main() {
                 .takes_value(false)
                 .help("Use CUDA"),
         )
+        .arg(
+            clap::Arg::with_name("require_tower")
+                .long("require-tower")
+                .takes_value(false)
+                .help("Refuse to start if saved tower state is not found"),
+        )
         .arg(
             Arg::with_name("expected_genesis_hash")
                 .long("expected-genesis-hash")
@@ -1016,6 +1022,7 @@ pub fn main() {
     let restricted_repair_only_mode = matches.is_present("restricted_repair_only_mode");
 
     let mut validator_config = ValidatorConfig {
+        require_tower: matches.is_present("require_tower"),
         dev_halt_at_slot: value_t!(matches, "dev_halt_at_slot", Slot).ok(),
         expected_genesis_hash: matches
             .value_of("expected_genesis_hash")

From ec256c935c4b667c73992ef974f1c4a002557a64 Mon Sep 17 00:00:00 2001
From: Michael Vines <mvines@gmail.com>
Date: Tue, 12 May 2020 20:43:54 -0700
Subject: [PATCH 02/67] Avoid unwrap()

---
 core/src/consensus.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 8b509d2a7759df..4037b4ed029069 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -447,7 +447,10 @@ impl Tower {
         let root = self.lockouts.root_slot.unwrap_or(0);
         self.last_voted_slot()
             .map(|last_voted_slot| {
-                let last_vote_ancestors = ancestors.get(&last_voted_slot).unwrap();
+                let last_vote_ancestors = match ancestors.get(&last_voted_slot) {
+                    None => return SwitchForkDecision::NoSwitch, // last_vote may not be in ancestors after restarting from a snapshot
+                    Some(last_vote_ancestors) => last_vote_ancestors,
+                };
                 let switch_slot_ancestors = ancestors.get(&switch_slot).unwrap();
 
                 if switch_slot == last_voted_slot || switch_slot_ancestors.contains(&last_voted_slot) {

From 5c0a2a23d92cdd0aa6818d04a765369a8a0be44c Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Fri, 19 Jun 2020 20:02:36 +0900
Subject: [PATCH 03/67] Rebase cleanups

---
 core/src/consensus.rs    | 36 ++++++++++++++++++
 core/src/replay_stage.rs | 82 ++++++++++++++++++++++++----------------
 core/src/validator.rs    | 13 ++-----
 3 files changed, 89 insertions(+), 42 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 4037b4ed029069..4e155cdf1c55b7 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -141,6 +141,42 @@ impl Tower {
         }
     }
 
+    pub fn new_from_bankforks(
+        bank_forks: &BankForks,
+        ledger_path: &Path,
+        my_pubkey: &Pubkey,
+        vote_account: &Pubkey,
+    ) -> Self {
+        let (
+            root_bank,
+            _progress,
+            heaviest_subtree_fork_choice,
+            unlock_heaviest_subtree_fork_choice_slot,
+        ) = crate::replay_stage::ReplayStage::initialize_progress_and_fork_choice(
+            &bank_forks,
+            &my_pubkey,
+            &vote_account,
+        );
+        let root = root_bank.slot();
+
+        let heaviest_bank = if root > unlock_heaviest_subtree_fork_choice_slot {
+            bank_forks
+                .get(heaviest_subtree_fork_choice.best_overall_slot())
+                .expect("The best overall slot must be one of `frozen_banks` which all exist in bank_forks")
+                .clone()
+        } else {
+            Tower::find_heaviest_bank(&bank_forks, &my_pubkey).unwrap_or(root_bank)
+        };
+
+        Self::new(
+            &my_pubkey,
+            &vote_account,
+            root,
+            &heaviest_bank,
+            &ledger_path,
+        )
+    }
+
     pub(crate) fn collect_vote_lockouts<F>(
         node_pubkey: &Pubkey,
         bank_slot: Slot,
diff --git a/core/src/replay_stage.rs b/core/src/replay_stage.rs
index a2a0a16a894dd4..4283927378416f 100644
--- a/core/src/replay_stage.rs
+++ b/core/src/replay_stage.rs
@@ -256,38 +256,16 @@ impl ReplayStage {
                 let mut all_pubkeys = PubkeyReferences::default();
                 let verify_recyclers = VerifyRecyclers::default();
                 let _exit = Finalizer::new(exit.clone());
-                let mut progress = ProgressMap::default();
-                let mut frozen_banks: Vec<_> = bank_forks
-                    .read()
-                    .unwrap()
-                    .frozen_banks()
-                    .values()
-                    .cloned()
-                    .collect();
-
-                frozen_banks.sort_by_key(|bank| bank.slot());
-
-                // Initialize progress map with any root banks
-                for bank in &frozen_banks {
-                    let prev_leader_slot = progress.get_bank_prev_leader_slot(bank);
-                    progress.insert(
-                        bank.slot(),
-                        ForkProgress::new_from_bank(
-                            bank,
-                            &my_pubkey,
-                            &vote_account,
-                            prev_leader_slot,
-                            0,
-                            0,
-                        ),
-                    );
-                }
-                let root_bank = bank_forks.read().unwrap().root_bank().clone();
-                let root = root_bank.slot();
-                let unlock_heaviest_subtree_fork_choice_slot =
-                    Self::get_unlock_heaviest_subtree_fork_choice(root_bank.cluster_type());
-                let mut heaviest_subtree_fork_choice =
-                    HeaviestSubtreeForkChoice::new_from_frozen_banks(root, &frozen_banks);
+                let (
+                    _root_bank,
+                    mut progress,
+                    mut heaviest_subtree_fork_choice,
+                    unlock_heaviest_subtree_fork_choice_slot,
+                ) = Self::initialize_progress_and_fork_choice(
+                    &bank_forks.read().unwrap(),
+                    &my_pubkey,
+                    &vote_account,
+                );
                 let mut bank_weight_fork_choice = BankWeightForkChoice::default();
                 let mut current_leader = None;
                 let mut last_reset = Hash::default();
@@ -639,6 +617,46 @@ impl ReplayStage {
                 .unwrap_or(true)
     }
 
+    pub(crate) fn initialize_progress_and_fork_choice(
+        bank_forks: &BankForks,
+        my_pubkey: &Pubkey,
+        vote_account: &Pubkey,
+    ) -> (Arc<Bank>, ProgressMap, HeaviestSubtreeForkChoice, Slot) {
+        let mut progress = ProgressMap::default();
+        let mut frozen_banks: Vec<_> = bank_forks.frozen_banks().values().cloned().collect();
+
+        frozen_banks.sort_by_key(|bank| bank.slot());
+
+        // Initialize progress map with any root banks
+        for bank in &frozen_banks {
+            let prev_leader_slot = progress.get_bank_prev_leader_slot(bank);
+            progress.insert(
+                bank.slot(),
+                ForkProgress::new_from_bank(
+                    bank,
+                    &my_pubkey,
+                    &vote_account,
+                    prev_leader_slot,
+                    0,
+                    0,
+                ),
+            );
+        }
+        let root_bank = bank_forks.root_bank().clone();
+        let root = root_bank.slot();
+        let unlock_heaviest_subtree_fork_choice_slot =
+            Self::get_unlock_heaviest_subtree_fork_choice(root_bank.operating_mode());
+        let heaviest_subtree_fork_choice =
+            HeaviestSubtreeForkChoice::new_from_frozen_banks(root, &frozen_banks);
+
+        (
+            root_bank,
+            progress,
+            heaviest_subtree_fork_choice,
+            unlock_heaviest_subtree_fork_choice_slot,
+        )
+    }
+
     fn report_memory(
         allocated: &solana_measure::thread_mem_usage::Allocatedp,
         name: &'static str,
diff --git a/core/src/validator.rs b/core/src/validator.rs
index 7c4b107ef91d51..11e668d519142f 100644
--- a/core/src/validator.rs
+++ b/core/src/validator.rs
@@ -730,18 +730,11 @@ fn new_banks_from_ledger(
                 process::exit(1);
             }
             info!("Rebuilding tower from the latest vote account");
-            let root_bank = bank_forks.root_bank().clone();
-            let root = root_bank.slot();
-            // is this expected a vote account????
-            let heaviest_bank =
-                Tower::find_heaviest_bank(&bank_forks, &vote_account).unwrap_or(root_bank);
-
-            Tower::new(
+            Tower::new_from_bankforks(
+                &bank_forks,
+                &ledger_path,
                 &validator_identity,
                 &vote_account,
-                root,
-                &heaviest_bank,
-                &ledger_path,
             )
         }
     };

From 524b7c90ad64628f4b805cbddc2aea72b48ec1f9 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Sat, 20 Jun 2020 01:56:57 +0900
Subject: [PATCH 04/67] Forcibly pass test

---
 core/src/heaviest_subtree_fork_choice.rs | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/core/src/heaviest_subtree_fork_choice.rs b/core/src/heaviest_subtree_fork_choice.rs
index 999a667ac69395..d5ad3b7a9f77f1 100644
--- a/core/src/heaviest_subtree_fork_choice.rs
+++ b/core/src/heaviest_subtree_fork_choice.rs
@@ -551,15 +551,20 @@ impl ForkChoice for HeaviestSubtreeForkChoice {
         bank_forks: &RwLock<BankForks>,
     ) -> (Arc<Bank>, Option<Arc<Bank>>) {
         let last_voted_slot = tower.last_voted_slot();
-        let heaviest_slot_on_same_voted_fork = last_voted_slot.map(|last_voted_slot| {
-            let heaviest_slot_on_same_voted_fork =
-                self.best_slot(last_voted_slot).expect("a bank at last_voted_slot is a frozen bank so must have been added to heaviest_subtree_fork_choice at time of freezing");
-            if heaviest_slot_on_same_voted_fork == last_voted_slot {
-                None
-            } else {
-                Some(heaviest_slot_on_same_voted_fork)
-            }
-        }).unwrap_or(None);
+        let heaviest_slot_on_same_voted_fork = last_voted_slot
+            .map(|last_voted_slot| {
+                let heaviest_slot_on_same_voted_fork =
+                    self.best_slot(last_voted_slot).unwrap_or_default();
+                if heaviest_slot_on_same_voted_fork == 0 {
+                    error!("fix me.....");
+                    None
+                } else if heaviest_slot_on_same_voted_fork == last_voted_slot {
+                    None
+                } else {
+                    Some(heaviest_slot_on_same_voted_fork)
+                }
+            })
+            .unwrap_or(None);
         let heaviest_slot = self.best_overall_slot();
         let r_bank_forks = bank_forks.read().unwrap();
         (

From 61621e8228d10e4a8b9724921c5d4f6cd4bf0709 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Mon, 22 Jun 2020 11:59:48 +0900
Subject: [PATCH 05/67] Correct reconcilation of votes after validator resume

---
 core/src/consensus.rs | 166 ++++++++++++++++++++++++++++++++++++++++--
 core/src/validator.rs |  19 +++--
 runtime/src/bank.rs   |   4 +
 3 files changed, 173 insertions(+), 16 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 4e155cdf1c55b7..84f87cd3e2fc76 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -12,6 +12,7 @@ use solana_sdk::{
     instruction::Instruction,
     pubkey::Pubkey,
     signature::{Keypair, Signature, Signer},
+    slot_history::SlotHistory,
 };
 use solana_vote_program::{
     vote_instruction,
@@ -699,12 +700,45 @@ impl Tower {
         bank_weight
     }
 
-    pub fn adjust_lockouts_if_newer_root(&mut self, root_slot: Slot) {
-        let my_root_slot = self.lockouts.root_slot.unwrap_or(0);
-        if root_slot > my_root_slot {
-            self.lockouts.root_slot = Some(root_slot);
-            self.lockouts.votes.retain(|v| v.slot > root_slot);
+    // The tower root can be older if the validator booted from a newer snapshot, so
+    // tower lockouts may need adjustment
+    pub fn adjust_lockouts_if_newer_root(
+        mut self,
+        replayed_root_slot: Slot,
+        slot_history: &SlotHistory,
+    ) -> Result<Self> {
+        // should root_bank be used or any child (frozen?) banks?
+        //let my_root_slot = self.lockouts.root_slot.unwrap_or(0);
+        //if root_slot > my_root_slot {
+        //    self.lockouts.root_slot = Some(root_slot);
+        //    self.lockouts.votes.retain(|v| v.slot > root_slot);
+        //}
+        // return immediately if last_voted_slot is None, votes are empty...
+
+        error!("root bank slot: {}", replayed_root_slot);
+        error!("before votes: {:?}", self.lockouts.votes);
+        assert!(slot_history.check(replayed_root_slot) == solana_sdk::slot_history::Check::Found);
+        let last_voted_slot = self.last_voted_slot().unwrap();
+        if slot_history.check(last_voted_slot) == solana_sdk::slot_history::Check::TooOld {
+            return Err(TowerError::TooOld(
+                last_voted_slot,
+                slot_history.oldest(),
+            ));
         }
+
+        // check in reverse order
+        self.lockouts.votes.retain(|v| {
+            let check = slot_history.check(v.slot);
+            dbg!(&check);
+            check != solana_sdk::slot_history::Check::Found
+        });
+        self.lockouts.root_slot = Some(replayed_root_slot);
+        error!("after votes: {:?}", self.lockouts.votes);
+        // assert replayed_root_slot is in slot_history!!!
+        // also adjust self.last_vote!
+        // should call self.votes.pop_expired_votes()?
+        // if slots are out of history; abort
+        Ok(self)
     }
 
     fn initialize_lockouts_from_bank_forks(
@@ -802,6 +836,9 @@ pub enum TowerError {
 
     #[error("The tower does not match this validator: {0}")]
     WrongTower(String),
+
+    #[error("The tower is too old: last voted ({0}) << oldest slot history ({1})")]
+    TooOld(Slot, Slot),
 }
 
 #[derive(Default, Clone, Serialize, Deserialize, Debug, PartialEq)]
@@ -866,7 +903,13 @@ pub mod test {
             create_genesis_config_with_vote_accounts, GenesisConfigInfo, ValidatorVoteKeypairs,
         },
     };
-    use solana_sdk::{clock::Slot, hash::Hash, pubkey::Pubkey, signature::Signer};
+    use solana_sdk::{
+        clock::Slot,
+        hash::Hash,
+        pubkey::Pubkey,
+        signature::Signer,
+        slot_history::SlotHistory,
+    };
     use solana_vote_program::{
         vote_state::{Vote, VoteStateVersions, MAX_LOCKOUT_HISTORY},
         vote_transaction,
@@ -2131,4 +2174,115 @@ pub mod test {
         }
         Blockstore::destroy(&blockstore_path).expect("Expected successful database destruction");
     }
+
+    impl Tower {
+        fn voted_slots(&self) -> Vec<Slot> {
+            self.lockouts
+                .votes
+                .iter()
+                .map(|lockout| lockout.slot)
+                .collect()
+        }
+    }
+
+    #[test]
+    fn test_expire_old_votes_on_load() {
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.record_vote(0, Hash::default());
+        tower.record_vote(1, Hash::default());
+        tower.record_vote(2, Hash::default());
+        tower.record_vote(3, Hash::default());
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        slot_history.add(1);
+
+        tower = tower
+            .adjust_lockouts_if_newer_root(1, &slot_history)
+            .unwrap();
+
+        assert_eq!(tower.voted_slots(), vec![2, 3]);
+    }
+
+    #[test]
+    fn test_expire_old_votes_on_load2() {
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.record_vote(0, Hash::default());
+        tower.record_vote(1, Hash::default());
+        tower.record_vote(2, Hash::default());
+        tower.record_vote(3, Hash::default());
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        slot_history.add(1);
+        slot_history.add(4);
+
+        tower = tower
+            .adjust_lockouts_if_newer_root(4, &slot_history)
+            .unwrap();
+
+        assert_eq!(tower.voted_slots(), vec![2, 3]);
+    }
+
+    #[test]
+    fn test_expire_old_votes_on_load3() {
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.record_vote(0, Hash::default());
+        tower.record_vote(1, Hash::default());
+        tower.record_vote(2, Hash::default());
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        slot_history.add(1);
+        slot_history.add(2);
+        slot_history.add(3);
+        slot_history.add(4);
+        slot_history.add(5);
+
+        tower = tower
+            .adjust_lockouts_if_newer_root(5, &slot_history)
+            .unwrap();
+
+        assert_eq!(tower.voted_slots(), vec![] as Vec<Slot>);
+    }
+
+    #[test]
+    fn test_expire_old_votes_on_load4() {
+        use solana_sdk::slot_history::MAX_ENTRIES;
+
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.record_vote(0, Hash::default());
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        slot_history.add(MAX_ENTRIES);
+
+        let result = tower.adjust_lockouts_if_newer_root(MAX_ENTRIES, &slot_history);
+        //assert_matches!(result, Err(TowerError::TooOld(ref message)) if message.to_string() == *"too old tower stake");
+        //assert_eq!(format!("{:?}", result.unwrap()), "too old tower stake");
+        assert_matches!(result, Err(TowerError::TooOld(s1, s2)) if s1 == 0 && s2 == 1);
+    }
+
+    #[test]
+    fn test_expire_old_votes_on_load5() {
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.record_vote(0, Hash::default());
+        tower.record_vote(1, Hash::default());
+        tower.record_vote(2, Hash::default());
+        tower.record_vote(3, Hash::default());
+        tower.record_vote(4, Hash::default());
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        slot_history.add(1);
+        slot_history.add(2);
+
+        tower = tower
+            .adjust_lockouts_if_newer_root(2, &slot_history)
+            .unwrap();
+
+        assert_eq!(tower.voted_slots(), vec![3, 4]);
+    }
+
+    // test empty
 }
diff --git a/core/src/validator.rs b/core/src/validator.rs
index 11e668d519142f..aed2c856a44985 100644
--- a/core/src/validator.rs
+++ b/core/src/validator.rs
@@ -715,14 +715,14 @@ fn new_banks_from_ledger(
         process::exit(1);
     });
 
-    let tower = match restored_tower {
-        Ok(mut tower) => {
-            // The tower root can be older if the validator booted from a newer snapshot, so
-            // tower lockouts may need adjustment
-            tower.adjust_lockouts_if_newer_root(bank_forks.root());
-            tower
-        }
-        Err(err) => {
+    let tower = restored_tower
+        .and_then(|tower| {
+            let root_bank = bank_forks.root_bank();
+            let slot_history = root_bank.get_slot_history();
+            // assert bank is frozen
+            tower.adjust_lockouts_if_newer_root(root_bank.slot(), &slot_history)
+        })
+        .unwrap_or_else(|err| {
             if config.require_tower
                 && empty_vote_account(&bank_forks.working_bank(), &vote_account) != Some(true)
             {
@@ -736,8 +736,7 @@ fn new_banks_from_ledger(
                 &validator_identity,
                 &vote_account,
             )
-        }
-    };
+        });
 
     info!(
         "Tower state: root slot={:?}, last vote slot={:?}",
diff --git a/runtime/src/bank.rs b/runtime/src/bank.rs
index 9ed39cb95c250f..eb783ece0a749a 100644
--- a/runtime/src/bank.rs
+++ b/runtime/src/bank.rs
@@ -913,6 +913,10 @@ impl Bank {
         });
     }
 
+    pub fn get_slot_history(&self) -> SlotHistory {
+        SlotHistory::from_account(&self.get_account(&sysvar::slot_history::id()).unwrap()).unwrap()
+    }
+
     fn update_epoch_stakes(&mut self, leader_schedule_epoch: Epoch) {
         // update epoch_stakes cache
         //  if my parent didn't populate for this staker's epoch, we've

From d986f7f690f318fa0efce6485cb65725cc1c82fd Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Tue, 23 Jun 2020 22:05:14 +0900
Subject: [PATCH 06/67] d b g

---
 core/src/consensus.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 84f87cd3e2fc76..4e730ec40ec6df 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -729,7 +729,7 @@ impl Tower {
         // check in reverse order
         self.lockouts.votes.retain(|v| {
             let check = slot_history.check(v.slot);
-            dbg!(&check);
+            //d b g!(&check);
             check != solana_sdk::slot_history::Check::Found
         });
         self.lockouts.root_slot = Some(replayed_root_slot);

From 9452ee1b36e54dc720aec71e369ea90292f8cc23 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Tue, 23 Jun 2020 22:42:30 +0900
Subject: [PATCH 07/67] Add more tests

---
 core/src/consensus.rs | 221 ++++++++++++++++++++++++++++++++++++------
 core/src/validator.rs |   2 +-
 2 files changed, 191 insertions(+), 32 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 4e730ec40ec6df..177273e046f3fc 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -700,44 +700,77 @@ impl Tower {
         bank_weight
     }
 
-    // The tower root can be older if the validator booted from a newer snapshot, so
+    // The tower root can be older/newer if the validator booted from a newer/older snapshot, so
     // tower lockouts may need adjustment
-    pub fn adjust_lockouts_if_newer_root(
+    pub fn adjust_lockouts_after_replay(
         mut self,
         replayed_root_slot: Slot,
         slot_history: &SlotHistory,
     ) -> Result<Self> {
-        // should root_bank be used or any child (frozen?) banks?
-        //let my_root_slot = self.lockouts.root_slot.unwrap_or(0);
-        //if root_slot > my_root_slot {
-        //    self.lockouts.root_slot = Some(root_slot);
-        //    self.lockouts.votes.retain(|v| v.slot > root_slot);
-        //}
+        assert_eq!(slot_history.check(replayed_root_slot), Check::Found);
+        // reconcile_blockstore_roots_with_tower() should already have aligned these.
+        assert!(self.root().is_none() || self.root().unwrap() >= replayed_root_slot);
+
+        use solana_sdk::slot_history::Check;
+
         // return immediately if last_voted_slot is None, votes are empty...
+        if self.lockouts.votes.is_empty() {
+            assert_eq!(self.root(), None);
+            // assert self.last_vote, ???
+            return Ok(self);
+        }
 
-        error!("root bank slot: {}", replayed_root_slot);
-        error!("before votes: {:?}", self.lockouts.votes);
-        assert!(slot_history.check(replayed_root_slot) == solana_sdk::slot_history::Check::Found);
         let last_voted_slot = self.last_voted_slot().unwrap();
-        if slot_history.check(last_voted_slot) == solana_sdk::slot_history::Check::TooOld {
+        if slot_history.check(last_voted_slot) == Check::TooOld {
             return Err(TowerError::TooOld(
                 last_voted_slot,
                 slot_history.oldest(),
             ));
         }
 
-        // check in reverse order
-        self.lockouts.votes.retain(|v| {
-            let check = slot_history.check(v.slot);
-            //d b g!(&check);
-            check != solana_sdk::slot_history::Check::Found
-        });
+        let mut is_diverged_descendants_in_reverse: Vec<_> =
+            Vec::with_capacity(self.lockouts.votes.len());
+        let mut still_in_future = true;
+        let mut past_outside_history = false;
+        let mut found = false;
+        for vote in self.lockouts.votes.iter().rev() {
+            let check = slot_history.check(vote.slot);
+
+            // this can't happen unless we're fed with bogus snapshot
+            if !found && check == Check::Found {
+                found = true;
+            } else if found && check == Check::NotFound {
+                return Err(TowerError::InconsistentWithSlotHistory(
+                    "diverged ancestor?".to_owned(),
+                ));
+            }
+
+            // really odd cases: bad ordered votes?
+            if still_in_future && check != Check::Future {
+                still_in_future = false;
+            } else if !still_in_future && check == Check::Future {
+                return Err(TowerError::InconsistentWithSlotHistory(
+                    "time warmped?".to_owned(),
+                ));
+            }
+            if !past_outside_history && check == Check::TooOld {
+                past_outside_history = true;
+            } else if past_outside_history && check != Check::TooOld {
+                return Err(TowerError::InconsistentWithSlotHistory(
+                    "not too old once after got too old?".to_owned(),
+                ));
+            }
+
+            is_diverged_descendants_in_reverse.push(!found);
+        }
+        let mut is_diverged_descendants_iter = is_diverged_descendants_in_reverse.into_iter().rev();
+        self.lockouts
+            .votes
+            .retain(move |_| is_diverged_descendants_iter.next().unwrap());
+
         self.lockouts.root_slot = Some(replayed_root_slot);
-        error!("after votes: {:?}", self.lockouts.votes);
-        // assert replayed_root_slot is in slot_history!!!
         // also adjust self.last_vote!
         // should call self.votes.pop_expired_votes()?
-        // if slots are out of history; abort
         Ok(self)
     }
 
@@ -837,8 +870,11 @@ pub enum TowerError {
     #[error("The tower does not match this validator: {0}")]
     WrongTower(String),
 
-    #[error("The tower is too old: last voted ({0}) << oldest slot history ({1})")]
+    #[error("The tower is too old: last voted slot in tower ({0}) < oldest slot in available history ({1})")]
     TooOld(Slot, Slot),
+
+    #[error("The tower is inconsistent with slot history: {0}")]
+    InconsistentWithSlotHistory(String),
 }
 
 #[derive(Default, Clone, Serialize, Deserialize, Debug, PartialEq)]
@@ -2197,11 +2233,13 @@ pub mod test {
         slot_history.add(0);
         slot_history.add(1);
 
+        let replayed_root_slot = 1;
         tower = tower
-            .adjust_lockouts_if_newer_root(1, &slot_history)
+            .adjust_lockouts_after_replay(replayed_root_slot, &slot_history)
             .unwrap();
 
         assert_eq!(tower.voted_slots(), vec![2, 3]);
+        assert_eq!(tower.root(), Some(replayed_root_slot));
     }
 
     #[test]
@@ -2217,11 +2255,13 @@ pub mod test {
         slot_history.add(1);
         slot_history.add(4);
 
+        let replayed_root_slot = 4;
         tower = tower
-            .adjust_lockouts_if_newer_root(4, &slot_history)
+            .adjust_lockouts_after_replay(replayed_root_slot, &slot_history)
             .unwrap();
 
         assert_eq!(tower.voted_slots(), vec![2, 3]);
+        assert_eq!(tower.root(), Some(replayed_root_slot));
     }
 
     #[test]
@@ -2239,11 +2279,13 @@ pub mod test {
         slot_history.add(4);
         slot_history.add(5);
 
+        let replayed_root_slot = 5;
         tower = tower
-            .adjust_lockouts_if_newer_root(5, &slot_history)
+            .adjust_lockouts_after_replay(replayed_root_slot, &slot_history)
             .unwrap();
 
         assert_eq!(tower.voted_slots(), vec![] as Vec<Slot>);
+        assert_eq!(tower.root(), Some(replayed_root_slot));
     }
 
     #[test]
@@ -2257,10 +2299,91 @@ pub mod test {
         slot_history.add(0);
         slot_history.add(MAX_ENTRIES);
 
-        let result = tower.adjust_lockouts_if_newer_root(MAX_ENTRIES, &slot_history);
-        //assert_matches!(result, Err(TowerError::TooOld(ref message)) if message.to_string() == *"too old tower stake");
-        //assert_eq!(format!("{:?}", result.unwrap()), "too old tower stake");
-        assert_matches!(result, Err(TowerError::TooOld(s1, s2)) if s1 == 0 && s2 == 1);
+        let result = tower.adjust_lockouts_after_replay(MAX_ENTRIES, &slot_history);
+        assert_eq!(format!("{}", result.unwrap_err()), "The tower is too old: last voted slot in tower (0) < oldest slot in available history (1)");
+    }
+
+    #[test]
+    fn test_expire_old_votes_on_load40() {
+        use solana_sdk::slot_history::MAX_ENTRIES;
+
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.record_vote(0, Hash::default());
+        tower.record_vote(1, Hash::default());
+        tower.record_vote(2, Hash::default());
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        slot_history.add(1);
+        slot_history.add(2);
+        slot_history.add(MAX_ENTRIES);
+
+        tower = tower
+            .adjust_lockouts_after_replay(MAX_ENTRIES, &slot_history)
+            .unwrap();
+        assert_eq!(tower.voted_slots(), vec![] as Vec<Slot>);
+        assert_eq!(tower.root(), Some(MAX_ENTRIES));
+    }
+
+    #[test]
+    fn test_expire_old_votes_on_load41() {
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.lockouts.votes.push_back(Lockout::new(1));
+        tower.lockouts.votes.push_back(Lockout::new(0));
+        let vote = Vote::new(vec![0], Hash::default());
+        tower.last_vote = vote;
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+
+        let result = tower.adjust_lockouts_after_replay(0, &slot_history);
+        assert_eq!(
+            format!("{}", result.unwrap_err()),
+            "The tower is inconsistent with slot history: time warmped?"
+        );
+    }
+
+    #[test]
+    fn test_expire_old_votes_on_load42() {
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.lockouts.votes.push_back(Lockout::new(1));
+        tower.lockouts.votes.push_back(Lockout::new(2));
+        let vote = Vote::new(vec![2], Hash::default());
+        tower.last_vote = vote;
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        slot_history.add(2);
+
+        let result = tower.adjust_lockouts_after_replay(2, &slot_history);
+        assert_eq!(
+            format!("{}", result.unwrap_err()),
+            "The tower is inconsistent with slot history: diverged ancestor?"
+        );
+    }
+
+    #[test]
+    fn test_expire_old_votes_on_load43() {
+        use solana_sdk::slot_history::MAX_ENTRIES;
+
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower
+            .lockouts
+            .votes
+            .push_back(Lockout::new(MAX_ENTRIES - 1));
+        tower.lockouts.votes.push_back(Lockout::new(0));
+        tower.lockouts.votes.push_back(Lockout::new(1));
+        let vote = Vote::new(vec![1], Hash::default());
+        tower.last_vote = vote;
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(MAX_ENTRIES);
+
+        let result = tower.adjust_lockouts_after_replay(MAX_ENTRIES, &slot_history);
+        assert_eq!(
+            format!("{}", result.unwrap_err()),
+            "The tower is inconsistent with slot history: not too old once after got too old?"
+        );
     }
 
     #[test]
@@ -2277,12 +2400,48 @@ pub mod test {
         slot_history.add(1);
         slot_history.add(2);
 
+        let replayed_root_slot = 2;
         tower = tower
-            .adjust_lockouts_if_newer_root(2, &slot_history)
+            .adjust_lockouts_after_replay(replayed_root_slot, &slot_history)
             .unwrap();
 
         assert_eq!(tower.voted_slots(), vec![3, 4]);
+        assert_eq!(tower.root(), Some(replayed_root_slot));
+    }
+
+    #[test]
+    fn test_expire_old_votes_on_load6() {
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.record_vote(5, Hash::default());
+        tower.record_vote(6, Hash::default());
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        slot_history.add(1);
+        slot_history.add(2);
+
+        let replayed_root_slot = 2;
+        tower = tower
+            .adjust_lockouts_after_replay(replayed_root_slot, &slot_history)
+            .unwrap();
+
+        assert_eq!(tower.voted_slots(), vec![5, 6]);
+        assert_eq!(tower.root(), Some(replayed_root_slot));
     }
 
-    // test empty
+    #[test]
+    fn test_expire_old_votes_on_load7() {
+        let mut tower = Tower::new_for_tests(10, 0.9);
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+
+        let replayed_root_slot = 0;
+        tower = tower
+            .adjust_lockouts_after_replay(replayed_root_slot, &slot_history)
+            .unwrap();
+
+        assert_eq!(tower.voted_slots(), vec![] as Vec<Slot>);
+        assert_eq!(tower.root(), None);
+    }
 }
diff --git a/core/src/validator.rs b/core/src/validator.rs
index aed2c856a44985..8c05141a4eb53a 100644
--- a/core/src/validator.rs
+++ b/core/src/validator.rs
@@ -720,7 +720,7 @@ fn new_banks_from_ledger(
             let root_bank = bank_forks.root_bank();
             let slot_history = root_bank.get_slot_history();
             // assert bank is frozen
-            tower.adjust_lockouts_if_newer_root(root_bank.slot(), &slot_history)
+            tower.adjust_lockouts_after_replay(root_bank.slot(), &slot_history)
         })
         .unwrap_or_else(|err| {
             if config.require_tower

From e06de5487b7e1f6df8a9d41cf153bbf16d8a140f Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Wed, 24 Jun 2020 23:57:11 +0900
Subject: [PATCH 08/67] fsync and fix test

---
 core/src/consensus.rs | 19 ++++++++++---------
 core/src/validator.rs |  2 +-
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 177273e046f3fc..4528743e27d2be 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -417,14 +417,6 @@ impl Tower {
         self.lockouts.root_slot
     }
 
-    pub fn last_lockout_vote_slot(&self) -> Option<Slot> {
-        self.lockouts
-            .votes
-            .iter()
-            .max_by(|x, y| x.slot.cmp(&y.slot))
-            .map(|v| v.slot)
-    }
-
     // a slot is recent if it's newer than the last vote we have
     pub fn is_recent(&self, slot: Slot) -> bool {
         if let Some(last_voted_slot) = self.lockouts.last_voted_slot() {
@@ -709,7 +701,14 @@ impl Tower {
     ) -> Result<Self> {
         assert_eq!(slot_history.check(replayed_root_slot), Check::Found);
         // reconcile_blockstore_roots_with_tower() should already have aligned these.
-        assert!(self.root().is_none() || self.root().unwrap() >= replayed_root_slot);
+        assert!(
+            self.root().is_none() || self.root().unwrap() <= replayed_root_slot,
+            format!(
+                "tower root: {:?} >= replayed root slot: {}",
+                self.root().unwrap(),
+                replayed_root_slot
+            )
+        );
 
         use solana_sdk::slot_history::Check;
 
@@ -827,8 +826,10 @@ impl Tower {
             let mut file = File::create(&new_filename)?;
             let saveable_tower = SavedTower::new(self, node_keypair)?;
             bincode::serialize_into(&mut file, &saveable_tower)?;
+            file.sync_all().unwrap();
         }
         fs::rename(&new_filename, &filename)?;
+        File::open(&self.save_path).unwrap().sync_all().unwrap();
         Ok(())
     }
 
diff --git a/core/src/validator.rs b/core/src/validator.rs
index 8c05141a4eb53a..92119693d30bfb 100644
--- a/core/src/validator.rs
+++ b/core/src/validator.rs
@@ -741,7 +741,7 @@ fn new_banks_from_ledger(
     info!(
         "Tower state: root slot={:?}, last vote slot={:?}",
         tower.root(),
-        tower.last_lockout_vote_slot()
+        tower.last_voted_slot()
     );
 
     leader_schedule_cache.set_fixed_leader_schedule(config.fixed_leader_schedule.clone());

From f8e1e3f7c436c66ca71b82a0198fb42623f78f93 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 25 Jun 2020 16:14:57 +0900
Subject: [PATCH 09/67] Add test

---
 core/src/consensus.rs | 158 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 154 insertions(+), 4 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 4528743e27d2be..8c084fad3c71c4 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -476,10 +476,8 @@ impl Tower {
         let root = self.lockouts.root_slot.unwrap_or(0);
         self.last_voted_slot()
             .map(|last_voted_slot| {
-                let last_vote_ancestors = match ancestors.get(&last_voted_slot) {
-                    None => return SwitchForkDecision::NoSwitch, // last_vote may not be in ancestors after restarting from a snapshot
-                    Some(last_vote_ancestors) => last_vote_ancestors,
-                };
+                let empty = HashSet::default();
+                let last_vote_ancestors = ancestors.get(&last_voted_slot).unwrap_or(&empty);
                 let switch_slot_ancestors = ancestors.get(&switch_slot).unwrap();
 
                 if switch_slot == last_voted_slot || switch_slot_ancestors.contains(&last_voted_slot) {
@@ -1340,6 +1338,158 @@ pub mod test {
         }
     }
 
+    #[test]
+    fn test_switch_threshold_across_tower_reload() {
+        // Init state
+        let mut vote_simulator = VoteSimulator::new(2);
+        let my_pubkey = vote_simulator.node_pubkeys[0];
+        let other_vote_account = vote_simulator.vote_pubkeys[1];
+        let bank0 = vote_simulator
+            .bank_forks
+            .read()
+            .unwrap()
+            .get(0)
+            .unwrap()
+            .clone();
+        let total_stake = bank0.total_epoch_stake();
+        assert_eq!(
+            total_stake,
+            vote_simulator.validator_keypairs.len() as u64 * 10_000
+        );
+
+        // Create the tree of banks
+        let forks = tr(0)
+            / (tr(1)
+                / (tr(2)
+                    / tr(10)
+                    / (tr(43)
+                        / (tr(44)
+                            // Minor fork 2
+                            / (tr(45) / (tr(46) / (tr(47) / (tr(48) / (tr(49) / (tr(50)))))))
+                            / (tr(110) / tr(111))))));
+
+        // Fill the BankForks according to the above fork structure
+        vote_simulator.fill_bank_forks(forks, &HashMap::new());
+        let ancestors = vote_simulator.bank_forks.read().unwrap().ancestors();
+        let descendants = vote_simulator.bank_forks.read().unwrap().descendants();
+        let mut tower = Tower::new_with_key(&my_pubkey);
+
+        tower.record_vote(43, Hash::default());
+        tower.record_vote(44, Hash::default());
+        tower.record_vote(45, Hash::default());
+        tower.record_vote(46, Hash::default());
+        tower.record_vote(47, Hash::default());
+        tower.record_vote(48, Hash::default());
+        tower.record_vote(49, Hash::default());
+
+        // Trying to switch to a descendant of last vote should always work
+        assert_eq!(
+            tower.check_switch_threshold(
+                50,
+                &ancestors,
+                &descendants,
+                &vote_simulator.progress,
+                total_stake,
+                bank0.epoch_vote_accounts(0).unwrap(),
+            ),
+            SwitchForkDecision::NoSwitch
+        );
+
+        // Trying to switch to another fork at 110 should fail
+        assert_eq!(
+            tower.check_switch_threshold(
+                110,
+                &ancestors,
+                &descendants,
+                &vote_simulator.progress,
+                total_stake,
+                bank0.epoch_vote_accounts(0).unwrap(),
+            ),
+            SwitchForkDecision::FailedSwitchThreshold
+        );
+
+        vote_simulator.simulate_lockout_interval(111, (10, 49), &other_vote_account);
+
+        assert_eq!(
+            tower.check_switch_threshold(
+                110,
+                &ancestors,
+                &descendants,
+                &vote_simulator.progress,
+                total_stake,
+                bank0.epoch_vote_accounts(0).unwrap(),
+            ),
+            SwitchForkDecision::SwitchProof(Hash::default())
+        );
+
+        assert_eq!(tower.voted_slots(), vec![43, 44, 45, 46, 47, 48, 49]);
+        {
+            let mut tower = tower.clone();
+            tower.record_vote(110, Hash::default());
+            tower.record_vote(111, Hash::default());
+            assert_eq!(tower.voted_slots(), vec![43, 110, 111]);
+            assert_eq!(tower.lockouts.root_slot, None);
+        }
+
+        let mut vote_simulator = VoteSimulator::new(2);
+        let other_vote_account = vote_simulator.vote_pubkeys[1];
+        let bank0 = vote_simulator
+            .bank_forks
+            .read()
+            .unwrap()
+            .get(0)
+            .unwrap()
+            .clone();
+        let total_stake = bank0.total_epoch_stake();
+        let forks = tr(0) / (tr(1) / (tr(2) / tr(10) / (tr(43) / (tr(44) / (tr(110) / tr(111))))));
+
+        // Fill the BankForks according to the above fork structure
+        vote_simulator.fill_bank_forks(forks, &HashMap::new());
+        let ancestors = vote_simulator.bank_forks.read().unwrap().ancestors();
+        let descendants = vote_simulator.bank_forks.read().unwrap().descendants();
+
+        let mut slot_history = SlotHistory::default();
+        for slot in &[0, 1, 2, 43, 44, 110] {
+            slot_history.add(*slot);
+        }
+        let mut tower = tower
+            .adjust_lockouts_after_replay(110, &slot_history)
+            .unwrap();
+        assert_eq!(tower.voted_slots(), vec![45, 46, 47, 48, 49]);
+
+        // Trying to switch to another fork at 110 should fail
+        assert_eq!(
+            tower.check_switch_threshold(
+                110,
+                &ancestors,
+                &descendants,
+                &vote_simulator.progress,
+                total_stake,
+                bank0.epoch_vote_accounts(0).unwrap(),
+            ),
+            SwitchForkDecision::FailedSwitchThreshold
+        );
+
+        vote_simulator.simulate_lockout_interval(111, (10, 49), &other_vote_account);
+
+        assert_eq!(
+            tower.check_switch_threshold(
+                110,
+                &ancestors,
+                &descendants,
+                &vote_simulator.progress,
+                total_stake,
+                bank0.epoch_vote_accounts(0).unwrap(),
+            ),
+            SwitchForkDecision::SwitchProof(Hash::default())
+        );
+
+        tower.record_vote(110, Hash::default());
+        tower.record_vote(111, Hash::default());
+        assert_eq!(tower.voted_slots(), vec![110, 111]);
+        assert_eq!(tower.lockouts.root_slot, Some(110));
+    }
+
     #[test]
     fn test_switch_threshold() {
         // Init state

From 8ea0d0a3adbdd06c7b8c7dcb0c20e9df1c4fb213 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Fri, 26 Jun 2020 00:22:07 +0900
Subject: [PATCH 10/67] Fix fmt

---
 core/src/consensus.rs | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 8c084fad3c71c4..c77b02947bc786 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -719,10 +719,7 @@ impl Tower {
 
         let last_voted_slot = self.last_voted_slot().unwrap();
         if slot_history.check(last_voted_slot) == Check::TooOld {
-            return Err(TowerError::TooOld(
-                last_voted_slot,
-                slot_history.oldest(),
-            ));
+            return Err(TowerError::TooOld(last_voted_slot, slot_history.oldest()));
         }
 
         let mut is_diverged_descendants_in_reverse: Vec<_> =

From 6b7e34eee980d2235c22efe3ee9b939fd7419679 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Fri, 26 Jun 2020 14:30:22 +0900
Subject: [PATCH 11/67] Debug

---
 core/src/consensus.rs | 25 ++++++++++++++++++++-----
 core/src/validator.rs |  2 +-
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index c77b02947bc786..f1f272e085a2e6 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -697,6 +697,7 @@ impl Tower {
         replayed_root_slot: Slot,
         slot_history: &SlotHistory,
     ) -> Result<Self> {
+        error!("adjust_lockouts_after_replay....");
         assert_eq!(slot_history.check(replayed_root_slot), Check::Found);
         // reconcile_blockstore_roots_with_tower() should already have aligned these.
         assert!(
@@ -707,6 +708,14 @@ impl Tower {
                 replayed_root_slot
             )
         );
+        assert!(
+            self.last_vote == Vote::default() && self.lockouts.votes.is_empty()
+                || self.last_vote != Vote::default() && !self.lockouts.votes.is_empty(),
+            format!(
+                "last vote: {:?} lockouts.votes: {:?}",
+                self.last_vote, self.lockouts.votes
+            )
+        );
 
         use solana_sdk::slot_history::Check;
 
@@ -722,7 +731,7 @@ impl Tower {
             return Err(TowerError::TooOld(last_voted_slot, slot_history.oldest()));
         }
 
-        let mut is_diverged_descendants_in_reverse: Vec<_> =
+        let mut diverged_descendant_flags_in_reverse: Vec<_> =
             Vec::with_capacity(self.lockouts.votes.len());
         let mut still_in_future = true;
         let mut past_outside_history = false;
@@ -755,14 +764,20 @@ impl Tower {
                 ));
             }
 
-            is_diverged_descendants_in_reverse.push(!found);
+            diverged_descendant_flags_in_reverse.push(!found);
         }
-        let mut is_diverged_descendants_iter = is_diverged_descendants_in_reverse.into_iter().rev();
+        let mut diverged_descendant_flags = diverged_descendant_flags_in_reverse.into_iter().rev();
         self.lockouts
             .votes
-            .retain(move |_| is_diverged_descendants_iter.next().unwrap());
+            .retain(move |_| diverged_descendant_flags.next().unwrap());
 
-        self.lockouts.root_slot = Some(replayed_root_slot);
+        if self.lockouts.votes.is_empty() {
+            error!("resetting root_slot and last_vote in tower!");
+            self.lockouts.root_slot = None;
+            self.last_vote = Vote::default();
+        } else {
+            assert_eq!(self.last_vote, Vote::default());
+        }
         // also adjust self.last_vote!
         // should call self.votes.pop_expired_votes()?
         Ok(self)
diff --git a/core/src/validator.rs b/core/src/validator.rs
index 92119693d30bfb..06963a8c9529c2 100644
--- a/core/src/validator.rs
+++ b/core/src/validator.rs
@@ -729,7 +729,7 @@ fn new_banks_from_ledger(
                 error!("Tower restore failed: {:?}", err);
                 process::exit(1);
             }
-            info!("Rebuilding tower from the latest vote account");
+            error!("Rebuilding tower from the latest vote account: {}", err);
             Tower::new_from_bankforks(
                 &bank_forks,
                 &ledger_path,

From 1bc913edc74629462302b0f2fac025fbcc218147 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Fri, 26 Jun 2020 14:55:40 +0900
Subject: [PATCH 12/67] Fix tests...

---
 core/src/consensus.rs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index f1f272e085a2e6..94a8b408143c9b 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -776,9 +776,9 @@ impl Tower {
             self.lockouts.root_slot = None;
             self.last_vote = Vote::default();
         } else {
-            assert_eq!(self.last_vote, Vote::default());
+            self.lockouts.root_slot = Some(replayed_root_slot);
+            assert!(self.last_vote != Vote::default());
         }
-        // also adjust self.last_vote!
         // should call self.votes.pop_expired_votes()?
         Ok(self)
     }
@@ -2448,7 +2448,7 @@ pub mod test {
             .unwrap();
 
         assert_eq!(tower.voted_slots(), vec![] as Vec<Slot>);
-        assert_eq!(tower.root(), Some(replayed_root_slot));
+        assert_eq!(tower.root(), None);
     }
 
     #[test]
@@ -2485,7 +2485,7 @@ pub mod test {
             .adjust_lockouts_after_replay(MAX_ENTRIES, &slot_history)
             .unwrap();
         assert_eq!(tower.voted_slots(), vec![] as Vec<Slot>);
-        assert_eq!(tower.root(), Some(MAX_ENTRIES));
+        assert_eq!(tower.root(), None);
     }
 
     #[test]

From 786ee893db34691bfa428a51f5637b209435a821 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Fri, 26 Jun 2020 21:35:55 +0900
Subject: [PATCH 13/67] save

---
 core/src/consensus.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 94a8b408143c9b..7f9da58eca8fa8 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -836,10 +836,10 @@ impl Tower {
             let mut file = File::create(&new_filename)?;
             let saveable_tower = SavedTower::new(self, node_keypair)?;
             bincode::serialize_into(&mut file, &saveable_tower)?;
-            file.sync_all().unwrap();
+            //file.sync_all().unwrap();
         }
         fs::rename(&new_filename, &filename)?;
-        File::open(&self.save_path).unwrap().sync_all().unwrap();
+        //File::open(&self.save_path).unwrap().sync_all().unwrap();
         Ok(())
     }
 

From 75de4d386531dd0b3dab898fb9c8da46fbb8bd86 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Tue, 30 Jun 2020 18:46:49 +0900
Subject: [PATCH 14/67] Clarify error message and code cleaning around it

---
 core/src/validator.rs | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/core/src/validator.rs b/core/src/validator.rs
index 06963a8c9529c2..527209197e121d 100644
--- a/core/src/validator.rs
+++ b/core/src/validator.rs
@@ -618,13 +618,13 @@ impl Validator {
     }
 }
 
-fn empty_vote_account(bank: &Arc<Bank>, vote_account: &Pubkey) -> Option<bool> {
+fn active_vote_account_exists_in_bank(bank: &Arc<Bank>, vote_account: &Pubkey) -> bool {
     if let Some(account) = &bank.get_account(vote_account) {
         if let Some(vote_state) = VoteState::from(&account) {
-            return Some(vote_state.votes.is_empty());
+            return !vote_state.votes.is_empty();
         }
     }
-    None
+    false
 }
 
 #[allow(clippy::type_complexity)]
@@ -723,13 +723,24 @@ fn new_banks_from_ledger(
             tower.adjust_lockouts_after_replay(root_bank.slot(), &slot_history)
         })
         .unwrap_or_else(|err| {
-            if config.require_tower
-                && empty_vote_account(&bank_forks.working_bank(), &vote_account) != Some(true)
-            {
-                error!("Tower restore failed: {:?}", err);
+            let is_already_active = active_vote_account_exists_in_bank(&bank_forks.working_bank(), &vote_account);
+            if config.require_tower && is_already_active {
+                error!("Required tower restore failed: {:?}", err);
+                error!("And there is an existing vote_account containing actual votes. Aborting due to possible conflicting duplicate votes");
                 process::exit(1);
             }
-            error!("Rebuilding tower from the latest vote account: {}", err);
+            let not_found = if let crate::consensus::TowerError::IOError(io_err) = &err {
+                io_err.kind() == std::io::ErrorKind::NotFound
+            } else {
+                false
+            };
+            if not_found && !is_already_active {
+                // Currently, don't protect against spoofed snapshots with no tower at all
+                info!("Ignoring expected failed tower restore because this is the initial validator start with the vote account...");
+            } else {
+                error!("Rebuilding tower from the latest vote account due to failed tower restore: {}", err);
+            }
+
             Tower::new_from_bankforks(
                 &bank_forks,
                 &ledger_path,

From 438f9596730335d4c1dd70f8cbf944781f5ecd8c Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Tue, 30 Jun 2020 21:49:34 +0900
Subject: [PATCH 15/67] Move most of code out of tower save hot codepath

---
 core/src/consensus.rs    | 38 ++++++++++++++++++++++++--------------
 core/src/replay_stage.rs | 25 +++++++++++++++++--------
 2 files changed, 41 insertions(+), 22 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 7f9da58eca8fa8..c56bbde512ca66 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -90,7 +90,9 @@ pub struct Tower {
     last_vote: Vote,
     last_timestamp: BlockTimestamp,
     #[serde(skip)]
-    save_path: PathBuf,
+    path: PathBuf,
+    #[serde(skip)]
+    tmp_path: PathBuf,
 }
 
 impl Default for Tower {
@@ -102,7 +104,8 @@ impl Default for Tower {
             lockouts: VoteState::default(),
             last_vote: Vote::default(),
             last_timestamp: BlockTimestamp::default(),
-            save_path: PathBuf::default(),
+            path: PathBuf::default(),
+            tmp_path: PathBuf::default(),
         }
     }
 }
@@ -115,9 +118,12 @@ impl Tower {
         heaviest_bank: &Bank,
         save_path: &Path,
     ) -> Self {
+        let path = Self::get_filename(&PathBuf::from(save_path), node_pubkey);
+        let tmp_path = Self::get_tmp_filename(&path);
         let mut tower = Self {
             node_pubkey: *node_pubkey,
-            save_path: PathBuf::from(save_path),
+            path,
+            tmp_path,
             ..Tower::default()
         };
         tower.initialize_lockouts_from_bank_forks(vote_account_pubkey, root, heaviest_bank);
@@ -154,7 +160,8 @@ impl Tower {
             heaviest_subtree_fork_choice,
             unlock_heaviest_subtree_fork_choice_slot,
         ) = crate::replay_stage::ReplayStage::initialize_progress_and_fork_choice(
-            &bank_forks,
+            bank_forks.root_bank().clone(),
+            bank_forks.frozen_banks().values().cloned().collect(),
             &my_pubkey,
             &vote_account,
         );
@@ -820,6 +827,10 @@ impl Tower {
             .with_extension("bin")
     }
 
+    pub fn get_tmp_filename(path: &Path) -> PathBuf {
+        path.with_extension("bin.new")
+    }
+
     pub fn save(&self, node_keypair: &Arc<Keypair>) -> Result<()> {
         if self.node_pubkey != node_keypair.pubkey() {
             return Err(TowerError::WrongTower(format!(
@@ -829,9 +840,8 @@ impl Tower {
             )));
         }
 
-        fs::create_dir_all(&self.save_path)?;
-        let filename = Self::get_filename(&self.save_path, &self.node_pubkey);
-        let new_filename = filename.with_extension("new");
+        let filename = &self.path;
+        let new_filename = &self.tmp_path;
         {
             let mut file = File::create(&new_filename)?;
             let saveable_tower = SavedTower::new(self, node_keypair)?;
@@ -845,6 +855,7 @@ impl Tower {
 
     pub fn restore(save_path: &Path, node_pubkey: &Pubkey) -> Result<Self> {
         let filename = Self::get_filename(save_path, node_pubkey);
+        fs::create_dir_all(&filename.parent().unwrap())?;
 
         let file = File::open(&filename)?;
         let mut stream = BufReader::new(file);
@@ -854,7 +865,8 @@ impl Tower {
             return Err(TowerError::InvalidSignature);
         }
         let mut tower = saved_tower.deserialize()?;
-        tower.save_path = save_path.to_path_buf();
+        tower.path = filename;
+        tower.tmp_path = Self::get_tmp_filename(&tower.path);
 
         // check that the tower actually belongs to this node
         if &tower.node_pubkey != node_pubkey {
@@ -2274,19 +2286,17 @@ pub mod test {
         G: Fn(&PathBuf),
     {
         let dir = TempDir::new().unwrap();
+        let identity_keypair = Arc::new(Keypair::new());
 
         // Use values that will not match the default derived from BankForks
         let mut tower = Tower::new_for_tests(10, 0.9);
-        tower.save_path = dir.path().to_path_buf();
+        tower.path = Tower::get_filename(&dir.path().to_path_buf(), &identity_keypair.pubkey());
+        tower.tmp_path = Tower::get_tmp_filename(&tower.path);
 
-        let identity_keypair = Arc::new(Keypair::new());
         modify_original(&mut tower, &identity_keypair.pubkey());
 
         tower.save(&identity_keypair).unwrap();
-        modify_serialized(&Tower::get_filename(
-            &tower.save_path,
-            &identity_keypair.pubkey(),
-        ));
+        modify_serialized(&tower.path);
         let loaded = Tower::restore(&dir.path(), &identity_keypair.pubkey());
 
         (tower, loaded)
diff --git a/core/src/replay_stage.rs b/core/src/replay_stage.rs
index 4283927378416f..299633594179b8 100644
--- a/core/src/replay_stage.rs
+++ b/core/src/replay_stage.rs
@@ -261,11 +261,21 @@ impl ReplayStage {
                     mut progress,
                     mut heaviest_subtree_fork_choice,
                     unlock_heaviest_subtree_fork_choice_slot,
-                ) = Self::initialize_progress_and_fork_choice(
-                    &bank_forks.read().unwrap(),
-                    &my_pubkey,
-                    &vote_account,
-                );
+                ) = {
+                    let (root_bank, frozen_baks) = {
+                        let bank_forks = bank_forks.read().unwrap();
+                        (
+                            bank_forks.root_bank().clone(),
+                            bank_forks.frozen_banks().values().cloned().collect(),
+                        )
+                    };
+                    Self::initialize_progress_and_fork_choice(
+                        root_bank,
+                        frozen_baks,
+                        &my_pubkey,
+                        &vote_account,
+                    )
+                };
                 let mut bank_weight_fork_choice = BankWeightForkChoice::default();
                 let mut current_leader = None;
                 let mut last_reset = Hash::default();
@@ -618,12 +628,12 @@ impl ReplayStage {
     }
 
     pub(crate) fn initialize_progress_and_fork_choice(
-        bank_forks: &BankForks,
+        root_bank: Arc<Bank>,
+        mut frozen_banks: Vec<Arc<Bank>>,
         my_pubkey: &Pubkey,
         vote_account: &Pubkey,
     ) -> (Arc<Bank>, ProgressMap, HeaviestSubtreeForkChoice, Slot) {
         let mut progress = ProgressMap::default();
-        let mut frozen_banks: Vec<_> = bank_forks.frozen_banks().values().cloned().collect();
 
         frozen_banks.sort_by_key(|bank| bank.slot());
 
@@ -642,7 +652,6 @@ impl ReplayStage {
                 ),
             );
         }
-        let root_bank = bank_forks.root_bank().clone();
         let root = root_bank.slot();
         let unlock_heaviest_subtree_fork_choice_slot =
             Self::get_unlock_heaviest_subtree_fork_choice(root_bank.operating_mode());

From 0aab30edd6a63abf26c6a5777e673de18acf2e91 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Wed, 1 Jul 2020 12:05:27 +0900
Subject: [PATCH 16/67] Proper comment for the lack of fsync on tower

---
 core/src/consensus.rs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index c56bbde512ca66..9fdefc0108dabb 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -843,18 +843,20 @@ impl Tower {
         let filename = &self.path;
         let new_filename = &self.tmp_path;
         {
+            // overwrite anything if exists
             let mut file = File::create(&new_filename)?;
-            let saveable_tower = SavedTower::new(self, node_keypair)?;
-            bincode::serialize_into(&mut file, &saveable_tower)?;
-            //file.sync_all().unwrap();
+            let saved_tower = SavedTower::new(self, node_keypair)?;
+            bincode::serialize_into(&mut file, &saved_tower)?;
+            // file.sync_all() hurts performance; pipeline sync-ing and submitting votes to the cluster!
         }
         fs::rename(&new_filename, &filename)?;
-        //File::open(&self.save_path).unwrap().sync_all().unwrap();
+        // self.path.parent().sync_all() hurts performance; pipeline sync-ing and submitting votes to the cluster!
         Ok(())
     }
 
     pub fn restore(save_path: &Path, node_pubkey: &Pubkey) -> Result<Self> {
         let filename = Self::get_filename(save_path, node_pubkey);
+        // Ensure to create parent dir here, because restore() precedes save() always
         fs::create_dir_all(&filename.parent().unwrap())?;
 
         let file = File::open(&filename)?;

From bd8b18bb50c774885184f546583ade8ae8db816e Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Wed, 1 Jul 2020 12:45:35 +0900
Subject: [PATCH 17/67] Clean up

---
 core/src/consensus.rs | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 9fdefc0108dabb..c408c3ad16924c 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -116,9 +116,9 @@ impl Tower {
         vote_account_pubkey: &Pubkey,
         root: Slot,
         heaviest_bank: &Bank,
-        save_path: &Path,
+        path: &Path,
     ) -> Self {
-        let path = Self::get_filename(&PathBuf::from(save_path), node_pubkey);
+        let path = Self::get_filename(&path, node_pubkey);
         let tmp_path = Self::get_tmp_filename(&path);
         let mut tower = Self {
             node_pubkey: *node_pubkey,
@@ -822,8 +822,7 @@ impl Tower {
     }
 
     pub fn get_filename(path: &Path, node_pubkey: &Pubkey) -> PathBuf {
-        PathBuf::from(path)
-            .join(format!("tower-{}", node_pubkey))
+        path.join(format!("tower-{}", node_pubkey))
             .with_extension("bin")
     }
 
@@ -854,8 +853,8 @@ impl Tower {
         Ok(())
     }
 
-    pub fn restore(save_path: &Path, node_pubkey: &Pubkey) -> Result<Self> {
-        let filename = Self::get_filename(save_path, node_pubkey);
+    pub fn restore(path: &Path, node_pubkey: &Pubkey) -> Result<Self> {
+        let filename = Self::get_filename(path, node_pubkey);
         // Ensure to create parent dir here, because restore() precedes save() always
         fs::create_dir_all(&filename.parent().unwrap())?;
 

From 5ea42ab3c65c821bc0b0289187ee78d75b7210c2 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Wed, 1 Jul 2020 13:44:09 +0900
Subject: [PATCH 18/67] Clean up

---
 core/src/consensus.rs | 2 --
 core/src/validator.rs | 5 ++---
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index c408c3ad16924c..b65bfad131e077 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -704,7 +704,6 @@ impl Tower {
         replayed_root_slot: Slot,
         slot_history: &SlotHistory,
     ) -> Result<Self> {
-        error!("adjust_lockouts_after_replay....");
         assert_eq!(slot_history.check(replayed_root_slot), Check::Found);
         // reconcile_blockstore_roots_with_tower() should already have aligned these.
         assert!(
@@ -729,7 +728,6 @@ impl Tower {
         // return immediately if last_voted_slot is None, votes are empty...
         if self.lockouts.votes.is_empty() {
             assert_eq!(self.root(), None);
-            // assert self.last_vote, ???
             return Ok(self);
         }
 
diff --git a/core/src/validator.rs b/core/src/validator.rs
index 527209197e121d..77884c101c3912 100644
--- a/core/src/validator.rs
+++ b/core/src/validator.rs
@@ -6,7 +6,7 @@ use crate::{
     cluster_info::{ClusterInfo, Node},
     cluster_info_vote_listener::VoteTracker,
     completed_data_sets_service::CompletedDataSetsService,
-    consensus::{reconcile_blockstore_roots_with_tower, Tower},
+    consensus::{reconcile_blockstore_roots_with_tower, Tower, TowerError},
     contact_info::ContactInfo,
     gossip_service::{discover_cluster, GossipService},
     poh_recorder::{PohRecorder, GRACE_TICKS_FACTOR, MAX_GRACE_SLOTS},
@@ -719,7 +719,6 @@ fn new_banks_from_ledger(
         .and_then(|tower| {
             let root_bank = bank_forks.root_bank();
             let slot_history = root_bank.get_slot_history();
-            // assert bank is frozen
             tower.adjust_lockouts_after_replay(root_bank.slot(), &slot_history)
         })
         .unwrap_or_else(|err| {
@@ -729,7 +728,7 @@ fn new_banks_from_ledger(
                 error!("And there is an existing vote_account containing actual votes. Aborting due to possible conflicting duplicate votes");
                 process::exit(1);
             }
-            let not_found = if let crate::consensus::TowerError::IOError(io_err) = &err {
+            let not_found = if let TowerError::IOError(io_err) = &err {
                 io_err.kind() == std::io::ErrorKind::NotFound
             } else {
                 false

From 90b8cf1357cb97fb1141105a1bc587580e99239e Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Wed, 1 Jul 2020 15:04:39 +0900
Subject: [PATCH 19/67] Simpler type alias

---
 core/src/consensus.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index b65bfad131e077..a1d64598e254f7 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -884,7 +884,7 @@ pub enum TowerError {
     IOError(#[from] std::io::Error),
 
     #[error("Serialization Error: {0}")]
-    SerializeError(#[from] Box<bincode::ErrorKind>),
+    SerializeError(#[from] bincode::Error),
 
     #[error("The signature on the saved tower is invalid")]
     InvalidSignature,

From c29fc96946a35940ede4e5f7c84403cf5f72a789 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Wed, 1 Jul 2020 16:16:06 +0900
Subject: [PATCH 20/67] Manage tower-restored ancestor slots without banks

---
 core/src/consensus.rs                    | 41 ++++++++++++++++--------
 core/src/heaviest_subtree_fork_choice.rs | 26 +++++++--------
 2 files changed, 40 insertions(+), 27 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index a1d64598e254f7..f7b076e043e2b8 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -19,7 +19,7 @@ use solana_vote_program::{
     vote_state::{BlockTimestamp, Lockout, Vote, VoteState, MAX_LOCKOUT_HISTORY},
 };
 use std::{
-    collections::{HashMap, HashSet},
+    collections::{BTreeSet, HashMap, HashSet},
     fs::{self, File},
     io::BufReader,
     ops::Bound::{Included, Unbounded},
@@ -93,6 +93,8 @@ pub struct Tower {
     path: PathBuf,
     #[serde(skip)]
     tmp_path: PathBuf,
+    #[serde(skip)]
+    restored_stray_slots: BTreeSet<Slot>,
 }
 
 impl Default for Tower {
@@ -106,6 +108,7 @@ impl Default for Tower {
             last_timestamp: BlockTimestamp::default(),
             path: PathBuf::default(),
             tmp_path: PathBuf::default(),
+            restored_stray_slots: BTreeSet::default(),
         }
     }
 }
@@ -481,10 +484,19 @@ impl Tower {
         epoch_vote_accounts: &HashMap<Pubkey, (u64, Account)>,
     ) -> SwitchForkDecision {
         let root = self.lockouts.root_slot.unwrap_or(0);
+        let mut maybe_stray_ancestors = HashSet::new();
+
         self.last_voted_slot()
             .map(|last_voted_slot| {
-                let empty = HashSet::default();
-                let last_vote_ancestors = ancestors.get(&last_voted_slot).unwrap_or(&empty);
+                let last_vote_ancestors = ancestors.get(&last_voted_slot).unwrap_or_else(|| {
+                    if self.is_restored_stray_slot(last_voted_slot) {
+                        maybe_stray_ancestors = self.restored_stray_slots.range(0..last_voted_slot).copied().collect();
+                        &maybe_stray_ancestors
+                    } else {
+                        panic!("no ancestors: {}", last_voted_slot)
+                    }
+                });
+
                 let switch_slot_ancestors = ancestors.get(&switch_slot).unwrap();
 
                 if switch_slot == last_voted_slot || switch_slot_ancestors.contains(&last_voted_slot) {
@@ -697,6 +709,18 @@ impl Tower {
         bank_weight
     }
 
+    fn voted_slots(&self) -> Vec<Slot> {
+        self.lockouts
+            .votes
+            .iter()
+            .map(|lockout| lockout.slot)
+            .collect()
+    }
+
+    pub fn is_restored_stray_slot(&self, slot: Slot) -> bool {
+        self.restored_stray_slots.contains(&slot)
+    }
+
     // The tower root can be older/newer if the validator booted from a newer/older snapshot, so
     // tower lockouts may need adjustment
     pub fn adjust_lockouts_after_replay(
@@ -785,6 +809,7 @@ impl Tower {
             assert!(self.last_vote != Vote::default());
         }
         // should call self.votes.pop_expired_votes()?
+        self.restored_stray_slots = self.voted_slots().into_iter().collect();
         Ok(self)
     }
 
@@ -2383,16 +2408,6 @@ pub mod test {
         Blockstore::destroy(&blockstore_path).expect("Expected successful database destruction");
     }
 
-    impl Tower {
-        fn voted_slots(&self) -> Vec<Slot> {
-            self.lockouts
-                .votes
-                .iter()
-                .map(|lockout| lockout.slot)
-                .collect()
-        }
-    }
-
     #[test]
     fn test_expire_old_votes_on_load() {
         let mut tower = Tower::new_for_tests(10, 0.9);
diff --git a/core/src/heaviest_subtree_fork_choice.rs b/core/src/heaviest_subtree_fork_choice.rs
index d5ad3b7a9f77f1..99a904b2428a41 100644
--- a/core/src/heaviest_subtree_fork_choice.rs
+++ b/core/src/heaviest_subtree_fork_choice.rs
@@ -551,20 +551,18 @@ impl ForkChoice for HeaviestSubtreeForkChoice {
         bank_forks: &RwLock<BankForks>,
     ) -> (Arc<Bank>, Option<Arc<Bank>>) {
         let last_voted_slot = tower.last_voted_slot();
-        let heaviest_slot_on_same_voted_fork = last_voted_slot
-            .map(|last_voted_slot| {
-                let heaviest_slot_on_same_voted_fork =
-                    self.best_slot(last_voted_slot).unwrap_or_default();
-                if heaviest_slot_on_same_voted_fork == 0 {
-                    error!("fix me.....");
-                    None
-                } else if heaviest_slot_on_same_voted_fork == last_voted_slot {
-                    None
-                } else {
-                    Some(heaviest_slot_on_same_voted_fork)
-                }
-            })
-            .unwrap_or(None);
+        let heaviest_slot_on_same_voted_fork = last_voted_slot.map(|last_voted_slot| {
+            if tower.is_restored_stray_slot(last_voted_slot) {
+                return None;
+            }
+            let heaviest_slot_on_same_voted_fork =
+                self.best_slot(last_voted_slot).expect("a bank at last_voted_slot is a frozen bank so must have been added to heaviest_subtree_fork_choice at time of freezing");
+            if heaviest_slot_on_same_voted_fork == last_voted_slot {
+                None
+            } else {
+                Some(heaviest_slot_on_same_voted_fork)
+            }
+        }).unwrap_or(None);
         let heaviest_slot = self.best_overall_slot();
         let r_bank_forks = bank_forks.read().unwrap();
         (

From f49f55ff15a1e4a3703c0c7700b96e264931b8ea Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Wed, 1 Jul 2020 16:26:44 +0900
Subject: [PATCH 21/67] Add comment

---
 core/src/consensus.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index f7b076e043e2b8..aa42f2f83a40c4 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -92,7 +92,7 @@ pub struct Tower {
     #[serde(skip)]
     path: PathBuf,
     #[serde(skip)]
-    tmp_path: PathBuf,
+    tmp_path: PathBuf, // used before atomic fs::rename()
     #[serde(skip)]
     restored_stray_slots: BTreeSet<Slot>,
 }

From 218a82e5cca80e91ad148dfc7842d674e04baafd Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Wed, 1 Jul 2020 17:19:01 +0900
Subject: [PATCH 22/67] Extract long code blocks...

---
 core/src/consensus.rs                    | 21 +++---
 core/src/heaviest_subtree_fork_choice.rs |  1 +
 core/src/replay_stage.rs                 | 43 +++++++------
 core/src/validator.rs                    | 82 +++++++++++++++---------
 4 files changed, 85 insertions(+), 62 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index aa42f2f83a40c4..a208c04f981790 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -157,17 +157,14 @@ impl Tower {
         my_pubkey: &Pubkey,
         vote_account: &Pubkey,
     ) -> Self {
-        let (
-            root_bank,
-            _progress,
-            heaviest_subtree_fork_choice,
-            unlock_heaviest_subtree_fork_choice_slot,
-        ) = crate::replay_stage::ReplayStage::initialize_progress_and_fork_choice(
-            bank_forks.root_bank().clone(),
-            bank_forks.frozen_banks().values().cloned().collect(),
-            &my_pubkey,
-            &vote_account,
-        );
+        let root_bank = bank_forks.root_bank();
+        let (_progress, heaviest_subtree_fork_choice, unlock_heaviest_subtree_fork_choice_slot) =
+            crate::replay_stage::ReplayStage::initialize_progress_and_fork_choice(
+                root_bank,
+                bank_forks.frozen_banks().values().cloned().collect(),
+                &my_pubkey,
+                &vote_account,
+            );
         let root = root_bank.slot();
 
         let heaviest_bank = if root > unlock_heaviest_subtree_fork_choice_slot {
@@ -176,7 +173,7 @@ impl Tower {
                 .expect("The best overall slot must be one of `frozen_banks` which all exist in bank_forks")
                 .clone()
         } else {
-            Tower::find_heaviest_bank(&bank_forks, &my_pubkey).unwrap_or(root_bank)
+            Tower::find_heaviest_bank(&bank_forks, &my_pubkey).unwrap_or_else(|| root_bank.clone())
         };
 
         Self::new(
diff --git a/core/src/heaviest_subtree_fork_choice.rs b/core/src/heaviest_subtree_fork_choice.rs
index 99a904b2428a41..07d0285945a4d0 100644
--- a/core/src/heaviest_subtree_fork_choice.rs
+++ b/core/src/heaviest_subtree_fork_choice.rs
@@ -553,6 +553,7 @@ impl ForkChoice for HeaviestSubtreeForkChoice {
         let last_voted_slot = tower.last_voted_slot();
         let heaviest_slot_on_same_voted_fork = last_voted_slot.map(|last_voted_slot| {
             if tower.is_restored_stray_slot(last_voted_slot) {
+                // return None because bank_forks doesn't have corresponding banks
                 return None;
             }
             let heaviest_slot_on_same_voted_fork =
diff --git a/core/src/replay_stage.rs b/core/src/replay_stage.rs
index 299633594179b8..c9c4ef966329e8 100644
--- a/core/src/replay_stage.rs
+++ b/core/src/replay_stage.rs
@@ -261,21 +261,7 @@ impl ReplayStage {
                     mut progress,
                     mut heaviest_subtree_fork_choice,
                     unlock_heaviest_subtree_fork_choice_slot,
-                ) = {
-                    let (root_bank, frozen_baks) = {
-                        let bank_forks = bank_forks.read().unwrap();
-                        (
-                            bank_forks.root_bank().clone(),
-                            bank_forks.frozen_banks().values().cloned().collect(),
-                        )
-                    };
-                    Self::initialize_progress_and_fork_choice(
-                        root_bank,
-                        frozen_baks,
-                        &my_pubkey,
-                        &vote_account,
-                    )
-                };
+                ) = Self::initialize_progress_and_fork_choice_with_locked_bank_forks(&bank_forks, &my_pubkey, &vote_account);
                 let mut bank_weight_fork_choice = BankWeightForkChoice::default();
                 let mut current_leader = None;
                 let mut last_reset = Hash::default();
@@ -627,12 +613,34 @@ impl ReplayStage {
                 .unwrap_or(true)
     }
 
+    fn initialize_progress_and_fork_choice_with_locked_bank_forks(
+        bank_forks: &RwLock<BankForks>,
+        my_pubkey: &Pubkey,
+        vote_account: &Pubkey,
+    ) -> (Arc<Bank>, ProgressMap, HeaviestSubtreeForkChoice, Slot) {
+        let (root_bank, frozen_baks) = {
+            let bank_forks = bank_forks.read().unwrap();
+            (
+                bank_forks.root_bank().clone(),
+                bank_forks.frozen_banks().values().cloned().collect(),
+            )
+        };
+
+        let (progress_map, fork_choice, slot) = Self::initialize_progress_and_fork_choice(
+            &root_bank,
+            frozen_baks,
+            &my_pubkey,
+            &vote_account,
+        );
+        (root_bank, progress_map, fork_choice, slot)
+    }
+
     pub(crate) fn initialize_progress_and_fork_choice(
-        root_bank: Arc<Bank>,
+        root_bank: &Arc<Bank>,
         mut frozen_banks: Vec<Arc<Bank>>,
         my_pubkey: &Pubkey,
         vote_account: &Pubkey,
-    ) -> (Arc<Bank>, ProgressMap, HeaviestSubtreeForkChoice, Slot) {
+    ) -> (ProgressMap, HeaviestSubtreeForkChoice, Slot) {
         let mut progress = ProgressMap::default();
 
         frozen_banks.sort_by_key(|bank| bank.slot());
@@ -659,7 +667,6 @@ impl ReplayStage {
             HeaviestSubtreeForkChoice::new_from_frozen_banks(root, &frozen_banks);
 
         (
-            root_bank,
             progress,
             heaviest_subtree_fork_choice,
             unlock_heaviest_subtree_fork_choice_slot,
diff --git a/core/src/validator.rs b/core/src/validator.rs
index 77884c101c3912..54670e45ba521a 100644
--- a/core/src/validator.rs
+++ b/core/src/validator.rs
@@ -627,6 +627,48 @@ fn active_vote_account_exists_in_bank(bank: &Arc<Bank>, vote_account: &Pubkey) -
     false
 }
 
+fn post_process_restored_tower(
+    restored_tower: crate::consensus::Result<Tower>,
+    validator_identity: &Pubkey,
+    vote_account: &Pubkey,
+    config: &ValidatorConfig,
+    ledger_path: &Path,
+    bank_forks: &BankForks,
+) -> Tower {
+    restored_tower
+        .and_then(|tower| {
+            let root_bank = bank_forks.root_bank();
+            let slot_history = root_bank.get_slot_history();
+            tower.adjust_lockouts_after_replay(root_bank.slot(), &slot_history)
+        })
+        .unwrap_or_else(|err| {
+            let is_already_active = active_vote_account_exists_in_bank(&bank_forks.working_bank(), &vote_account);
+            if config.require_tower && is_already_active {
+                error!("Required tower restore failed: {:?}", err);
+                error!("And there is an existing vote_account containing actual votes. Aborting due to possible conflicting duplicate votes");
+                process::exit(1);
+            }
+            let not_found = if let TowerError::IOError(io_err) = &err {
+                io_err.kind() == std::io::ErrorKind::NotFound
+            } else {
+                false
+            };
+            if not_found && !is_already_active {
+                // Currently, don't protect against spoofed snapshots with no tower at all
+                info!("Ignoring expected failed tower restore because this is the initial validator start with the vote account...");
+            } else {
+                error!("Rebuilding tower from the latest vote account due to failed tower restore: {}", err);
+            }
+
+            Tower::new_from_bankforks(
+                &bank_forks,
+                &ledger_path,
+                &validator_identity,
+                &vote_account,
+            )
+        })
+}
+
 #[allow(clippy::type_complexity)]
 fn new_banks_from_ledger(
     validator_identity: &Pubkey,
@@ -715,38 +757,14 @@ fn new_banks_from_ledger(
         process::exit(1);
     });
 
-    let tower = restored_tower
-        .and_then(|tower| {
-            let root_bank = bank_forks.root_bank();
-            let slot_history = root_bank.get_slot_history();
-            tower.adjust_lockouts_after_replay(root_bank.slot(), &slot_history)
-        })
-        .unwrap_or_else(|err| {
-            let is_already_active = active_vote_account_exists_in_bank(&bank_forks.working_bank(), &vote_account);
-            if config.require_tower && is_already_active {
-                error!("Required tower restore failed: {:?}", err);
-                error!("And there is an existing vote_account containing actual votes. Aborting due to possible conflicting duplicate votes");
-                process::exit(1);
-            }
-            let not_found = if let TowerError::IOError(io_err) = &err {
-                io_err.kind() == std::io::ErrorKind::NotFound
-            } else {
-                false
-            };
-            if not_found && !is_already_active {
-                // Currently, don't protect against spoofed snapshots with no tower at all
-                info!("Ignoring expected failed tower restore because this is the initial validator start with the vote account...");
-            } else {
-                error!("Rebuilding tower from the latest vote account due to failed tower restore: {}", err);
-            }
-
-            Tower::new_from_bankforks(
-                &bank_forks,
-                &ledger_path,
-                &validator_identity,
-                &vote_account,
-            )
-        });
+    let tower = post_process_restored_tower(
+        restored_tower,
+        &validator_identity,
+        &vote_account,
+        &config,
+        &ledger_path,
+        &bank_forks,
+    );
 
     info!(
         "Tower state: root slot={:?}, last vote slot={:?}",

From b1ff0216651b00b800ddc0f7cac2c62010757301 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Wed, 1 Jul 2020 18:20:23 +0900
Subject: [PATCH 23/67] Add comment

---
 core/src/consensus.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index a208c04f981790..75a7c775e6ae66 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -487,6 +487,7 @@ impl Tower {
             .map(|last_voted_slot| {
                 let last_vote_ancestors = ancestors.get(&last_voted_slot).unwrap_or_else(|| {
                     if self.is_restored_stray_slot(last_voted_slot) {
+                        // Construct artifical ancestors because we can't with ancestors from bank_forks
                         maybe_stray_ancestors = self.restored_stray_slots.range(0..last_voted_slot).copied().collect();
                         &maybe_stray_ancestors
                     } else {

From d3bb2a45127ef77e7712c1f4475a3be9ee5ed546 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Wed, 1 Jul 2020 18:27:05 +0900
Subject: [PATCH 24/67] Simplify returned tuple...

---
 core/src/replay_stage.rs | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/core/src/replay_stage.rs b/core/src/replay_stage.rs
index c9c4ef966329e8..5d691271a8fe8c 100644
--- a/core/src/replay_stage.rs
+++ b/core/src/replay_stage.rs
@@ -257,7 +257,6 @@ impl ReplayStage {
                 let verify_recyclers = VerifyRecyclers::default();
                 let _exit = Finalizer::new(exit.clone());
                 let (
-                    _root_bank,
                     mut progress,
                     mut heaviest_subtree_fork_choice,
                     unlock_heaviest_subtree_fork_choice_slot,
@@ -617,7 +616,7 @@ impl ReplayStage {
         bank_forks: &RwLock<BankForks>,
         my_pubkey: &Pubkey,
         vote_account: &Pubkey,
-    ) -> (Arc<Bank>, ProgressMap, HeaviestSubtreeForkChoice, Slot) {
+    ) -> (ProgressMap, HeaviestSubtreeForkChoice, Slot) {
         let (root_bank, frozen_baks) = {
             let bank_forks = bank_forks.read().unwrap();
             (
@@ -626,13 +625,12 @@ impl ReplayStage {
             )
         };
 
-        let (progress_map, fork_choice, slot) = Self::initialize_progress_and_fork_choice(
+        Self::initialize_progress_and_fork_choice(
             &root_bank,
             frozen_baks,
             &my_pubkey,
             &vote_account,
-        );
-        (root_bank, progress_map, fork_choice, slot)
+        )
     }
 
     pub(crate) fn initialize_progress_and_fork_choice(

From 5ae6cccecc3052e147937c66bae98ef12c845558 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Wed, 1 Jul 2020 18:36:15 +0900
Subject: [PATCH 25/67] Tweak too aggresive log

---
 core/src/consensus.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 75a7c775e6ae66..775c6f45be1222 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -799,7 +799,7 @@ impl Tower {
             .retain(move |_| diverged_descendant_flags.next().unwrap());
 
         if self.lockouts.votes.is_empty() {
-            error!("resetting root_slot and last_vote in tower!");
+            info!("All restored votes are behind replayed_root_slot; resetting root_slot and last_vote in tower!");
             self.lockouts.root_slot = None;
             self.last_vote = Vote::default();
         } else {

From cbb7769c9d85f9c6e14f4ce59b66af4300048c87 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Mon, 6 Jul 2020 13:21:28 +0900
Subject: [PATCH 26/67] Fix typo...

---
 core/src/replay_stage.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/src/replay_stage.rs b/core/src/replay_stage.rs
index 5d691271a8fe8c..77301ccd8d19e3 100644
--- a/core/src/replay_stage.rs
+++ b/core/src/replay_stage.rs
@@ -617,7 +617,7 @@ impl ReplayStage {
         my_pubkey: &Pubkey,
         vote_account: &Pubkey,
     ) -> (ProgressMap, HeaviestSubtreeForkChoice, Slot) {
-        let (root_bank, frozen_baks) = {
+        let (root_bank, frozen_banks) = {
             let bank_forks = bank_forks.read().unwrap();
             (
                 bank_forks.root_bank().clone(),
@@ -627,7 +627,7 @@ impl ReplayStage {
 
         Self::initialize_progress_and_fork_choice(
             &root_bank,
-            frozen_baks,
+            frozen_banks,
             &my_pubkey,
             &vote_account,
         )

From cbb1fc55a204f5f1ea82476be7fb2fc57d39036c Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Mon, 6 Jul 2020 13:37:10 +0900
Subject: [PATCH 27/67] Add test

---
 core/src/consensus.rs                    |  2 +-
 core/src/heaviest_subtree_fork_choice.rs | 78 +++++++++++++++++-------
 2 files changed, 57 insertions(+), 23 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 775c6f45be1222..18a73ad854d62a 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -385,7 +385,7 @@ impl Tower {
     }
 
     #[cfg(test)]
-    fn record_vote(&mut self, slot: Slot, hash: Hash) -> Option<Slot> {
+    pub fn record_vote(&mut self, slot: Slot, hash: Hash) -> Option<Slot> {
         let vote = Vote::new(vec![slot], hash);
         self.record_bank_vote(vote)
     }
diff --git a/core/src/heaviest_subtree_fork_choice.rs b/core/src/heaviest_subtree_fork_choice.rs
index 07d0285945a4d0..58628c5c5e807f 100644
--- a/core/src/heaviest_subtree_fork_choice.rs
+++ b/core/src/heaviest_subtree_fork_choice.rs
@@ -491,6 +491,24 @@ impl HeaviestSubtreeForkChoice {
         );
     }
 
+    fn heaviest_slot_on_same_voted_fork(&self, tower: &Tower) -> Option<Slot> {
+        let last_voted_slot = tower.last_voted_slot();
+
+        last_voted_slot.map(|last_voted_slot| {
+            if tower.is_restored_stray_slot(last_voted_slot) {
+                // return None because bank_forks doesn't have corresponding banks
+                return None;
+            }
+            let heaviest_slot_on_same_voted_fork =
+                self.best_slot(last_voted_slot).expect("a bank at last_voted_slot is a frozen bank so must have been added to heaviest_subtree_fork_choice at time of freezing");
+            if heaviest_slot_on_same_voted_fork == last_voted_slot {
+                None
+            } else {
+                Some(heaviest_slot_on_same_voted_fork)
+            }
+        }).unwrap_or(None)
+    }
+
     #[cfg(test)]
     fn set_stake_voted_at(&mut self, slot: Slot, stake_voted_at: u64) {
         self.fork_infos.get_mut(&slot).unwrap().stake_voted_at = stake_voted_at;
@@ -550,30 +568,17 @@ impl ForkChoice for HeaviestSubtreeForkChoice {
         _ancestors: &HashMap<u64, HashSet<u64>>,
         bank_forks: &RwLock<BankForks>,
     ) -> (Arc<Bank>, Option<Arc<Bank>>) {
-        let last_voted_slot = tower.last_voted_slot();
-        let heaviest_slot_on_same_voted_fork = last_voted_slot.map(|last_voted_slot| {
-            if tower.is_restored_stray_slot(last_voted_slot) {
-                // return None because bank_forks doesn't have corresponding banks
-                return None;
-            }
-            let heaviest_slot_on_same_voted_fork =
-                self.best_slot(last_voted_slot).expect("a bank at last_voted_slot is a frozen bank so must have been added to heaviest_subtree_fork_choice at time of freezing");
-            if heaviest_slot_on_same_voted_fork == last_voted_slot {
-                None
-            } else {
-                Some(heaviest_slot_on_same_voted_fork)
-            }
-        }).unwrap_or(None);
-        let heaviest_slot = self.best_overall_slot();
         let r_bank_forks = bank_forks.read().unwrap();
+
         (
-            r_bank_forks.get(heaviest_slot).unwrap().clone(),
-            heaviest_slot_on_same_voted_fork.map(|heaviest_slot_on_same_voted_fork| {
-                r_bank_forks
-                    .get(heaviest_slot_on_same_voted_fork)
-                    .unwrap()
-                    .clone()
-            }),
+            r_bank_forks.get(self.best_overall_slot()).unwrap().clone(),
+            self.heaviest_slot_on_same_voted_fork(tower)
+                .map(|heaviest_slot_on_same_voted_fork| {
+                    r_bank_forks
+                        .get(heaviest_slot_on_same_voted_fork)
+                        .unwrap()
+                        .clone()
+                }),
         )
     }
 }
@@ -615,6 +620,7 @@ mod test {
     use super::*;
     use crate::consensus::test::VoteSimulator;
     use solana_runtime::{bank::Bank, bank_utils};
+    use solana_sdk::{hash::Hash, slot_history::SlotHistory};
     use std::{collections::HashSet, ops::Range};
     use trees::tr;
 
@@ -1494,6 +1500,34 @@ mod test {
         assert!(heaviest_subtree_fork_choice.subtree_diff(0, 6).is_empty());
     }
 
+    #[test]
+    fn test_is_restored_stray_slot() {
+        let forks = tr(0) / (tr(1) / tr(2));
+        let heaviest_subtree_fork_choice = HeaviestSubtreeForkChoice::new_from_tree(forks);
+
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.record_vote(1, Hash::default());
+
+        assert_eq!(tower.is_restored_stray_slot(1), false);
+        assert_eq!(
+            heaviest_subtree_fork_choice.heaviest_slot_on_same_voted_fork(&tower),
+            Some(2)
+        );
+
+        // Make slot 1 a restored stray slot
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        tower = tower
+            .adjust_lockouts_after_replay(0, &slot_history)
+            .unwrap();
+
+        assert_eq!(tower.is_restored_stray_slot(1), true);
+        assert_eq!(
+            heaviest_subtree_fork_choice.heaviest_slot_on_same_voted_fork(&tower),
+            None
+        );
+    }
+
     fn setup_forks() -> HeaviestSubtreeForkChoice {
         /*
             Build fork structure:

From 016b1f77c9236b3db18007ad561febc0319a8df9 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Mon, 6 Jul 2020 14:50:25 +0900
Subject: [PATCH 28/67] Update comment

---
 core/src/consensus.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 18a73ad854d62a..d3d393545cf648 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -487,7 +487,7 @@ impl Tower {
             .map(|last_voted_slot| {
                 let last_vote_ancestors = ancestors.get(&last_voted_slot).unwrap_or_else(|| {
                     if self.is_restored_stray_slot(last_voted_slot) {
-                        // Construct artifical ancestors because we can't with ancestors from bank_forks
+                        // Construct artifical ancestors because we can't derive them from given ancestors (=bank_forks)
                         maybe_stray_ancestors = self.restored_stray_slots.range(0..last_voted_slot).copied().collect();
                         &maybe_stray_ancestors
                     } else {

From 036251dfa6eca74eabcd9b04cf8644b63396c2ad Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Mon, 6 Jul 2020 15:05:34 +0900
Subject: [PATCH 29/67] Improve test to require non-empty stray restored slots

---
 core/src/consensus.rs                    | 74 +++++++++++++++---------
 core/src/heaviest_subtree_fork_choice.rs | 15 ++---
 2 files changed, 56 insertions(+), 33 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index d3d393545cf648..c1876f31866992 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -19,7 +19,7 @@ use solana_vote_program::{
     vote_state::{BlockTimestamp, Lockout, Vote, VoteState, MAX_LOCKOUT_HISTORY},
 };
 use std::{
-    collections::{BTreeSet, HashMap, HashSet},
+    collections::{HashMap, HashSet},
     fs::{self, File},
     io::BufReader,
     ops::Bound::{Included, Unbounded},
@@ -94,7 +94,7 @@ pub struct Tower {
     #[serde(skip)]
     tmp_path: PathBuf, // used before atomic fs::rename()
     #[serde(skip)]
-    restored_stray_slots: BTreeSet<Slot>,
+    stray_restored_slots: HashSet<Slot>,
 }
 
 impl Default for Tower {
@@ -108,7 +108,7 @@ impl Default for Tower {
             last_timestamp: BlockTimestamp::default(),
             path: PathBuf::default(),
             tmp_path: PathBuf::default(),
-            restored_stray_slots: BTreeSet::default(),
+            stray_restored_slots: HashSet::default(),
         }
     }
 }
@@ -480,20 +480,14 @@ impl Tower {
         total_stake: u64,
         epoch_vote_accounts: &HashMap<Pubkey, (u64, Account)>,
     ) -> SwitchForkDecision {
-        let root = self.lockouts.root_slot.unwrap_or(0);
-        let mut maybe_stray_ancestors = HashSet::new();
-
         self.last_voted_slot()
             .map(|last_voted_slot| {
-                let last_vote_ancestors = ancestors.get(&last_voted_slot).unwrap_or_else(|| {
-                    if self.is_restored_stray_slot(last_voted_slot) {
-                        // Construct artifical ancestors because we can't derive them from given ancestors (=bank_forks)
-                        maybe_stray_ancestors = self.restored_stray_slots.range(0..last_voted_slot).copied().collect();
-                        &maybe_stray_ancestors
-                    } else {
-                        panic!("no ancestors: {}", last_voted_slot)
-                    }
-                });
+                let last_vote_ancestors = if self.is_stray_last_vote() {
+                    // Use stray restored slots because we can't derive them from given ancestors (=bank_forks)
+                    &self.stray_restored_slots
+                } else {
+                    ancestors.get(&last_voted_slot).unwrap()
+                };
 
                 let switch_slot_ancestors = ancestors.get(&switch_slot).unwrap();
 
@@ -715,8 +709,12 @@ impl Tower {
             .collect()
     }
 
-    pub fn is_restored_stray_slot(&self, slot: Slot) -> bool {
-        self.restored_stray_slots.contains(&slot)
+    pub fn is_stray_last_vote(&self) -> bool {
+        if let Some(last_voted_slot) = self.last_voted_slot() {
+            self.stray_restored_slots.contains(&last_voted_slot)
+        } else {
+            false
+        }
     }
 
     // The tower root can be older/newer if the validator booted from a newer/older snapshot, so
@@ -804,10 +802,13 @@ impl Tower {
             self.last_vote = Vote::default();
         } else {
             self.lockouts.root_slot = Some(replayed_root_slot);
-            assert!(self.last_vote != Vote::default());
+            assert_eq!(
+                self.last_vote.last_voted_slot().unwrap(),
+                *self.voted_slots().last().unwrap()
+            );
         }
         // should call self.votes.pop_expired_votes()?
-        self.restored_stray_slots = self.voted_slots().into_iter().collect();
+        self.stray_restored_slots = self.voted_slots().into_iter().collect();
         Ok(self)
     }
 
@@ -1386,6 +1387,7 @@ pub mod test {
 
     #[test]
     fn test_switch_threshold_across_tower_reload() {
+        solana_logger::setup();
         // Init state
         let mut vote_simulator = VoteSimulator::new(2);
         let my_pubkey = vote_simulator.node_pubkeys[0];
@@ -1487,20 +1489,28 @@ pub mod test {
             .unwrap()
             .clone();
         let total_stake = bank0.total_epoch_stake();
-        let forks = tr(0) / (tr(1) / (tr(2) / tr(10) / (tr(43) / (tr(44) / (tr(110) / tr(111))))));
+        let forks = tr(0)
+            / (tr(1)
+                / (tr(2)
+                    / tr(10)
+                    / (tr(43) / (tr(44) / (tr(45) / tr(222)) / (tr(110) / tr(111))))));
+        let replayed_root_slot = 44;
 
         // Fill the BankForks according to the above fork structure
         vote_simulator.fill_bank_forks(forks, &HashMap::new());
-        let ancestors = vote_simulator.bank_forks.read().unwrap().ancestors();
-        let descendants = vote_simulator.bank_forks.read().unwrap().descendants();
 
+        // prepend tower restart!
         let mut slot_history = SlotHistory::default();
-        for slot in &[0, 1, 2, 43, 44, 110] {
+        vote_simulator.set_root(replayed_root_slot);
+        let ancestors = vote_simulator.bank_forks.read().unwrap().ancestors();
+        let descendants = vote_simulator.bank_forks.read().unwrap().descendants();
+        for slot in &[0, 1, 2, 43, replayed_root_slot] {
             slot_history.add(*slot);
         }
         let mut tower = tower
-            .adjust_lockouts_after_replay(110, &slot_history)
+            .adjust_lockouts_after_replay(replayed_root_slot, &slot_history)
             .unwrap();
+
         assert_eq!(tower.voted_slots(), vec![45, 46, 47, 48, 49]);
 
         // Trying to switch to another fork at 110 should fail
@@ -1516,8 +1526,20 @@ pub mod test {
             SwitchForkDecision::FailedSwitchThreshold
         );
 
-        vote_simulator.simulate_lockout_interval(111, (10, 49), &other_vote_account);
+        vote_simulator.simulate_lockout_interval(111, (45, 50), &other_vote_account);
+        assert_eq!(
+            tower.check_switch_threshold(
+                110,
+                &ancestors,
+                &descendants,
+                &vote_simulator.progress,
+                total_stake,
+                bank0.epoch_vote_accounts(0).unwrap(),
+            ),
+            SwitchForkDecision::FailedSwitchThreshold
+        );
 
+        vote_simulator.simulate_lockout_interval(111, (110, 200), &other_vote_account);
         assert_eq!(
             tower.check_switch_threshold(
                 110,
@@ -1533,7 +1555,7 @@ pub mod test {
         tower.record_vote(110, Hash::default());
         tower.record_vote(111, Hash::default());
         assert_eq!(tower.voted_slots(), vec![110, 111]);
-        assert_eq!(tower.lockouts.root_slot, Some(110));
+        assert_eq!(tower.lockouts.root_slot, Some(replayed_root_slot));
     }
 
     #[test]
diff --git a/core/src/heaviest_subtree_fork_choice.rs b/core/src/heaviest_subtree_fork_choice.rs
index 58628c5c5e807f..d9b22d79edc676 100644
--- a/core/src/heaviest_subtree_fork_choice.rs
+++ b/core/src/heaviest_subtree_fork_choice.rs
@@ -494,11 +494,12 @@ impl HeaviestSubtreeForkChoice {
     fn heaviest_slot_on_same_voted_fork(&self, tower: &Tower) -> Option<Slot> {
         let last_voted_slot = tower.last_voted_slot();
 
+        if tower.is_stray_last_vote() {
+            // return None because bank_forks doesn't have corresponding banks
+            return None;
+        }
+
         last_voted_slot.map(|last_voted_slot| {
-            if tower.is_restored_stray_slot(last_voted_slot) {
-                // return None because bank_forks doesn't have corresponding banks
-                return None;
-            }
             let heaviest_slot_on_same_voted_fork =
                 self.best_slot(last_voted_slot).expect("a bank at last_voted_slot is a frozen bank so must have been added to heaviest_subtree_fork_choice at time of freezing");
             if heaviest_slot_on_same_voted_fork == last_voted_slot {
@@ -1501,14 +1502,14 @@ mod test {
     }
 
     #[test]
-    fn test_is_restored_stray_slot() {
+    fn test_stray_restored_slot() {
         let forks = tr(0) / (tr(1) / tr(2));
         let heaviest_subtree_fork_choice = HeaviestSubtreeForkChoice::new_from_tree(forks);
 
         let mut tower = Tower::new_for_tests(10, 0.9);
         tower.record_vote(1, Hash::default());
 
-        assert_eq!(tower.is_restored_stray_slot(1), false);
+        assert_eq!(tower.is_stray_last_vote(), false);
         assert_eq!(
             heaviest_subtree_fork_choice.heaviest_slot_on_same_voted_fork(&tower),
             Some(2)
@@ -1521,7 +1522,7 @@ mod test {
             .adjust_lockouts_after_replay(0, &slot_history)
             .unwrap();
 
-        assert_eq!(tower.is_restored_stray_slot(1), true);
+        assert_eq!(tower.is_stray_last_vote(), true);
         assert_eq!(
             heaviest_subtree_fork_choice.heaviest_slot_on_same_voted_fork(&tower),
             None

From 9c65cef96bb01cbf58f6f2e371992ee23b25a18a Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Tue, 7 Jul 2020 15:49:11 +0900
Subject: [PATCH 30/67] Measure tower save and dump all tower contents

---
 core/src/consensus.rs | 8 ++++++++
 core/src/validator.rs | 6 +-----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index c1876f31866992..075def0c992e74 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -4,6 +4,7 @@ use crate::{
 };
 use chrono::prelude::*;
 use solana_ledger::{blockstore::Blockstore, blockstore_db};
+use solana_measure::measure::Measure;
 use solana_runtime::{bank::Bank, bank_forks::BankForks, commitment::VOTE_THRESHOLD_SIZE};
 use solana_sdk::{
     account::Account,
@@ -853,6 +854,8 @@ impl Tower {
     }
 
     pub fn save(&self, node_keypair: &Arc<Keypair>) -> Result<()> {
+        let mut measure = Measure::start("tower_save-ms");
+
         if self.node_pubkey != node_keypair.pubkey() {
             return Err(TowerError::WrongTower(format!(
                 "node_pubkey is {:?} but found tower for {:?}",
@@ -872,11 +875,16 @@ impl Tower {
         }
         fs::rename(&new_filename, &filename)?;
         // self.path.parent().sync_all() hurts performance; pipeline sync-ing and submitting votes to the cluster!
+
+        measure.stop();
+        inc_new_counter_info!("tower_save-ms", measure.as_ms() as usize);
+
         Ok(())
     }
 
     pub fn restore(path: &Path, node_pubkey: &Pubkey) -> Result<Self> {
         let filename = Self::get_filename(path, node_pubkey);
+
         // Ensure to create parent dir here, because restore() precedes save() always
         fs::create_dir_all(&filename.parent().unwrap())?;
 
diff --git a/core/src/validator.rs b/core/src/validator.rs
index 54670e45ba521a..65fc36a84f4965 100644
--- a/core/src/validator.rs
+++ b/core/src/validator.rs
@@ -766,11 +766,7 @@ fn new_banks_from_ledger(
         &bank_forks,
     );
 
-    info!(
-        "Tower state: root slot={:?}, last vote slot={:?}",
-        tower.root(),
-        tower.last_voted_slot()
-    );
+    info!("Tower state: {:?}", tower);
 
     leader_schedule_cache.set_fixed_leader_schedule(config.fixed_leader_schedule.clone());
 

From d1047adf486145dcf0f5ba7f6156607b5edd35f8 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Tue, 7 Jul 2020 16:09:59 +0900
Subject: [PATCH 31/67] Log adjust and add threshold related assertions

---
 core/src/consensus.rs | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 075def0c992e74..ffd794ca7a56a2 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -725,6 +725,8 @@ impl Tower {
         replayed_root_slot: Slot,
         slot_history: &SlotHistory,
     ) -> Result<Self> {
+        info!("adjusting lockouts after replay up to {}: {:?}", replayed_root_slot, self.voted_slots());
+
         assert_eq!(slot_history.check(replayed_root_slot), Check::Found);
         // reconcile_blockstore_roots_with_tower() should already have aligned these.
         assert!(
@@ -807,9 +809,10 @@ impl Tower {
                 self.last_vote.last_voted_slot().unwrap(),
                 *self.voted_slots().last().unwrap()
             );
+            // should call self.votes.pop_expired_votes()?
+            self.stray_restored_slots = self.voted_slots().into_iter().collect();
         }
-        // should call self.votes.pop_expired_votes()?
-        self.stray_restored_slots = self.voted_slots().into_iter().collect();
+
         Ok(self)
     }
 
@@ -2358,7 +2361,12 @@ pub mod test {
     fn test_load_tower_ok() {
         let (tower, loaded) =
             run_test_load_tower_snapshot(|tower, pubkey| tower.node_pubkey = *pubkey, |_| ());
-        assert_eq!(loaded.unwrap(), tower)
+        let loaded = loaded.unwrap();
+        assert_eq!(loaded, tower);
+        assert_eq!(tower.threshold_depth, 10);
+        assert_eq!(tower.threshold_size, 0.9);
+        assert_eq!(loaded.threshold_depth, 10);
+        assert_eq!(loaded.threshold_size, 0.9);
     }
 
     #[test]
@@ -2501,6 +2509,7 @@ pub mod test {
 
         assert_eq!(tower.voted_slots(), vec![] as Vec<Slot>);
         assert_eq!(tower.root(), None);
+        assert_eq!(tower.stray_restored_slots, HashSet::default());
     }
 
     #[test]

From b326bc52cdfb1a712b1077b59c37b90e5b3ecd00 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Tue, 7 Jul 2020 16:33:03 +0900
Subject: [PATCH 32/67] cleanup adjust

---
 core/src/consensus.rs | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index ffd794ca7a56a2..eac68682f413a4 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -748,7 +748,7 @@ impl Tower {
 
         use solana_sdk::slot_history::Check;
 
-        // return immediately if last_voted_slot is None, votes are empty...
+        // return immediately if votes are empty...
         if self.lockouts.votes.is_empty() {
             assert_eq!(self.root(), None);
             return Ok(self);
@@ -756,30 +756,35 @@ impl Tower {
 
         let last_voted_slot = self.last_voted_slot().unwrap();
         if slot_history.check(last_voted_slot) == Check::TooOld {
+            // We could try hard to anchor with other older votes, but opt to simplify the
+            // following logic
             return Err(TowerError::TooOld(last_voted_slot, slot_history.oldest()));
         }
 
-        let mut diverged_descendant_flags_in_reverse: Vec<_> =
-            Vec::with_capacity(self.lockouts.votes.len());
+        // only divergent slots will be retained
+        let mut retain_flags_for_each_vote_in_reverse: Vec<_> = Vec::with_capacity(self.lockouts.votes.len());
         let mut still_in_future = true;
         let mut past_outside_history = false;
         let mut found = false;
+
+        // iterate over votes in the newest => oldest order
+        // bail out early if bad condition is found
         for vote in self.lockouts.votes.iter().rev() {
             let check = slot_history.check(vote.slot);
 
-            // this can't happen unless we're fed with bogus snapshot
             if !found && check == Check::Found {
                 found = true;
             } else if found && check == Check::NotFound {
+                // this can't happen unless we're fed with bogus snapshot
                 return Err(TowerError::InconsistentWithSlotHistory(
                     "diverged ancestor?".to_owned(),
                 ));
             }
 
-            // really odd cases: bad ordered votes?
             if still_in_future && check != Check::Future {
                 still_in_future = false;
             } else if !still_in_future && check == Check::Future {
+                // really odd cases: bad ordered votes?
                 return Err(TowerError::InconsistentWithSlotHistory(
                     "time warmped?".to_owned(),
                 ));
@@ -787,23 +792,28 @@ impl Tower {
             if !past_outside_history && check == Check::TooOld {
                 past_outside_history = true;
             } else if past_outside_history && check != Check::TooOld {
+                // really odd cases: bad ordered votes?
                 return Err(TowerError::InconsistentWithSlotHistory(
                     "not too old once after got too old?".to_owned(),
                 ));
             }
 
-            diverged_descendant_flags_in_reverse.push(!found);
+            retain_flags_for_each_vote_in_reverse.push(!found);
         }
-        let mut diverged_descendant_flags = diverged_descendant_flags_in_reverse.into_iter().rev();
+        let mut retain_flags_for_each_vote = retain_flags_for_each_vote_in_reverse.into_iter().rev();
+
         self.lockouts
             .votes
-            .retain(move |_| diverged_descendant_flags.next().unwrap());
+            .retain(move |_| retain_flags_for_each_vote.next().unwrap());
 
         if self.lockouts.votes.is_empty() {
-            info!("All restored votes are behind replayed_root_slot; resetting root_slot and last_vote in tower!");
+            info!("All restored votes were behind replayed_root_slot; resetting root_slot and last_vote in tower!");
+
             self.lockouts.root_slot = None;
             self.last_vote = Vote::default();
         } else {
+            info!("Some restored votes were on different fork: {:?}!", self.voted_slots());
+
             self.lockouts.root_slot = Some(replayed_root_slot);
             assert_eq!(
                 self.last_vote.last_voted_slot().unwrap(),

From 8823a5d4fe5613a82233f32735f3107cf550ea7b Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Tue, 7 Jul 2020 16:56:11 +0900
Subject: [PATCH 33/67] Properly lower stray restored slots priority...

---
 core/src/consensus.rs                    | 17 ++++++++++-------
 core/src/heaviest_subtree_fork_choice.rs | 16 ++++++++--------
 2 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index eac68682f413a4..85389c5cba28cd 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -483,12 +483,15 @@ impl Tower {
     ) -> SwitchForkDecision {
         self.last_voted_slot()
             .map(|last_voted_slot| {
-                let last_vote_ancestors = if self.is_stray_last_vote() {
-                    // Use stray restored slots because we can't derive them from given ancestors (=bank_forks)
-                    &self.stray_restored_slots
-                } else {
-                    ancestors.get(&last_voted_slot).unwrap()
-                };
+                let last_vote_ancestors = ancestors.get(&last_voted_slot).unwrap_or_else(|| {
+                    if self.is_stray_last_vote() {
+                        // Use stray restored slots because we can't derive them from given ancestors (=bank_forks)
+                        info!("returning restored slots {:?} because of stray last vote...", self.stray_restored_slots);
+                        &self.stray_restored_slots
+                    } else {
+                        panic!("no ancestor!")
+                    }
+                });
 
                 let switch_slot_ancestors = ancestors.get(&switch_slot).unwrap();
 
@@ -812,7 +815,7 @@ impl Tower {
             self.lockouts.root_slot = None;
             self.last_vote = Vote::default();
         } else {
-            info!("Some restored votes were on different fork: {:?}!", self.voted_slots());
+            info!("Some restored votes were on different fork or are future votes on unrooted slots: {:?}!", self.voted_slots());
 
             self.lockouts.root_slot = Some(replayed_root_slot);
             assert_eq!(
diff --git a/core/src/heaviest_subtree_fork_choice.rs b/core/src/heaviest_subtree_fork_choice.rs
index d9b22d79edc676..f41a6092c8a190 100644
--- a/core/src/heaviest_subtree_fork_choice.rs
+++ b/core/src/heaviest_subtree_fork_choice.rs
@@ -492,16 +492,16 @@ impl HeaviestSubtreeForkChoice {
     }
 
     fn heaviest_slot_on_same_voted_fork(&self, tower: &Tower) -> Option<Slot> {
-        let last_voted_slot = tower.last_voted_slot();
 
-        if tower.is_stray_last_vote() {
-            // return None because bank_forks doesn't have corresponding banks
-            return None;
-        }
+        tower.last_voted_slot().map(|last_voted_slot| {
+            let heaviest_slot_on_same_voted_fork = self.best_slot(last_voted_slot);
+            if heaviest_slot_on_same_voted_fork.is_none() && tower.is_stray_last_vote() {
+                info!("returning None because of stray last vote...");
+                // return None because bank_forks doesn't have corresponding banks
+                return None;
+            };
+            let heaviest_slot_on_same_voted_fork = heaviest_slot_on_same_voted_fork.expect("a bank at last_voted_slot is a frozen bank so must have been added to heaviest_subtree_fork_choice at time of freezing");
 
-        last_voted_slot.map(|last_voted_slot| {
-            let heaviest_slot_on_same_voted_fork =
-                self.best_slot(last_voted_slot).expect("a bank at last_voted_slot is a frozen bank so must have been added to heaviest_subtree_fork_choice at time of freezing");
             if heaviest_slot_on_same_voted_fork == last_voted_slot {
                 None
             } else {

From 3c81d8a0d78fe09faffce6cd9a812363f2c1d2ae Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Tue, 7 Jul 2020 17:46:32 +0900
Subject: [PATCH 34/67] Rust fmt

---
 core/src/consensus.rs                    | 16 +++++++++++-----
 core/src/heaviest_subtree_fork_choice.rs |  5 +++--
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 85389c5cba28cd..388406c8e723ff 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -728,7 +728,11 @@ impl Tower {
         replayed_root_slot: Slot,
         slot_history: &SlotHistory,
     ) -> Result<Self> {
-        info!("adjusting lockouts after replay up to {}: {:?}", replayed_root_slot, self.voted_slots());
+        info!(
+            "adjusting lockouts after replay up to {}: {:?}",
+            replayed_root_slot,
+            self.voted_slots()
+        );
 
         assert_eq!(slot_history.check(replayed_root_slot), Check::Found);
         // reconcile_blockstore_roots_with_tower() should already have aligned these.
@@ -765,7 +769,8 @@ impl Tower {
         }
 
         // only divergent slots will be retained
-        let mut retain_flags_for_each_vote_in_reverse: Vec<_> = Vec::with_capacity(self.lockouts.votes.len());
+        let mut retain_flags_for_each_vote_in_reverse: Vec<_> =
+            Vec::with_capacity(self.lockouts.votes.len());
         let mut still_in_future = true;
         let mut past_outside_history = false;
         let mut found = false;
@@ -803,7 +808,8 @@ impl Tower {
 
             retain_flags_for_each_vote_in_reverse.push(!found);
         }
-        let mut retain_flags_for_each_vote = retain_flags_for_each_vote_in_reverse.into_iter().rev();
+        let mut retain_flags_for_each_vote =
+            retain_flags_for_each_vote_in_reverse.into_iter().rev();
 
         self.lockouts
             .votes
@@ -2377,9 +2383,9 @@ pub mod test {
         let loaded = loaded.unwrap();
         assert_eq!(loaded, tower);
         assert_eq!(tower.threshold_depth, 10);
-        assert_eq!(tower.threshold_size, 0.9);
+        assert!((tower.threshold_size - 0.9_f64).abs() < f64::EPSILON);
         assert_eq!(loaded.threshold_depth, 10);
-        assert_eq!(loaded.threshold_size, 0.9);
+        assert!((loaded.threshold_size - 0.9_f64).abs() < f64::EPSILON);
     }
 
     #[test]
diff --git a/core/src/heaviest_subtree_fork_choice.rs b/core/src/heaviest_subtree_fork_choice.rs
index f41a6092c8a190..b308f381383576 100644
--- a/core/src/heaviest_subtree_fork_choice.rs
+++ b/core/src/heaviest_subtree_fork_choice.rs
@@ -492,7 +492,6 @@ impl HeaviestSubtreeForkChoice {
     }
 
     fn heaviest_slot_on_same_voted_fork(&self, tower: &Tower) -> Option<Slot> {
-
         tower.last_voted_slot().map(|last_voted_slot| {
             let heaviest_slot_on_same_voted_fork = self.best_slot(last_voted_slot);
             if heaviest_slot_on_same_voted_fork.is_none() && tower.is_stray_last_vote() {
@@ -500,7 +499,9 @@ impl HeaviestSubtreeForkChoice {
                 // return None because bank_forks doesn't have corresponding banks
                 return None;
             };
-            let heaviest_slot_on_same_voted_fork = heaviest_slot_on_same_voted_fork.expect("a bank at last_voted_slot is a frozen bank so must have been added to heaviest_subtree_fork_choice at time of freezing");
+            let heaviest_slot_on_same_voted_fork = heaviest_slot_on_same_voted_fork.expect(
+                "a bank at last_voted_slot is a frozen bank so must have been added to heaviest_subtree_fork_choice at time of freezing",
+            );
 
             if heaviest_slot_on_same_voted_fork == last_voted_slot {
                 None

From fd426fd9c48a14762b55898f6c5d2bd09a8c599d Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Tue, 7 Jul 2020 19:28:09 +0900
Subject: [PATCH 35/67] Fix test....

---
 core/src/heaviest_subtree_fork_choice.rs | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/core/src/heaviest_subtree_fork_choice.rs b/core/src/heaviest_subtree_fork_choice.rs
index b308f381383576..aa84464ae7b40e 100644
--- a/core/src/heaviest_subtree_fork_choice.rs
+++ b/core/src/heaviest_subtree_fork_choice.rs
@@ -1516,13 +1516,25 @@ mod test {
             Some(2)
         );
 
-        // Make slot 1 a restored stray slot
+        // Make slot 1 (existing in bank_forks) a restored stray slot
         let mut slot_history = SlotHistory::default();
         slot_history.add(0);
         tower = tower
             .adjust_lockouts_after_replay(0, &slot_history)
             .unwrap();
 
+        assert_eq!(tower.is_stray_last_vote(), true);
+        assert_eq!(
+            heaviest_subtree_fork_choice.heaviest_slot_on_same_voted_fork(&tower),
+            Some(2)
+        );
+
+        // Make slot 3 (NOT existing in bank_forks) a restored stray slot
+        tower.record_vote(3, Hash::default());
+        tower = tower
+            .adjust_lockouts_after_replay(0, &slot_history)
+            .unwrap();
+
         assert_eq!(tower.is_stray_last_vote(), true);
         assert_eq!(
             heaviest_subtree_fork_choice.heaviest_slot_on_same_voted_fork(&tower),

From 8607ff0c3418dbb62f7f630865ef4abf811c59c2 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 9 Jul 2020 13:10:26 +0900
Subject: [PATCH 36/67] Clarify comments a bit and add TowerError::TooNew

---
 core/src/consensus.rs   | 66 +++++++++++++++++++++++++++++++++--------
 sdk/src/slot_history.rs |  6 +++-
 2 files changed, 59 insertions(+), 13 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 388406c8e723ff..175a9428f8c7c8 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -486,7 +486,12 @@ impl Tower {
                 let last_vote_ancestors = ancestors.get(&last_voted_slot).unwrap_or_else(|| {
                     if self.is_stray_last_vote() {
                         // Use stray restored slots because we can't derive them from given ancestors (=bank_forks)
-                        info!("returning restored slots {:?} because of stray last vote...", self.stray_restored_slots);
+                        // Also, can't just return empty ancestors because we should exclude
+                        // lockouts on stray last vote's ancestors in the lockout_intervals.
+                        info!(
+                            "returning restored slots {:?} because of stray last vote ({})...",
+                            self.stray_restored_slots, last_voted_slot
+                        );
                         &self.stray_restored_slots
                     } else {
                         panic!("no ancestor!")
@@ -773,16 +778,18 @@ impl Tower {
             Vec::with_capacity(self.lockouts.votes.len());
         let mut still_in_future = true;
         let mut past_outside_history = false;
-        let mut found = false;
+        let mut anchored = false;
 
         // iterate over votes in the newest => oldest order
         // bail out early if bad condition is found
+        let mut checked_slot = None;
         for vote in self.lockouts.votes.iter().rev() {
-            let check = slot_history.check(vote.slot);
+            checked_slot = Some(vote.slot);
+            let check = slot_history.check(checked_slot.unwrap());
 
-            if !found && check == Check::Found {
-                found = true;
-            } else if found && check == Check::NotFound {
+            if !anchored && check == Check::Found {
+                anchored = true;
+            } else if anchored && check == Check::NotFound {
                 // this can't happen unless we're fed with bogus snapshot
                 return Err(TowerError::InconsistentWithSlotHistory(
                     "diverged ancestor?".to_owned(),
@@ -794,7 +801,7 @@ impl Tower {
             } else if !still_in_future && check == Check::Future {
                 // really odd cases: bad ordered votes?
                 return Err(TowerError::InconsistentWithSlotHistory(
-                    "time warmped?".to_owned(),
+                    "time warped?".to_owned(),
                 ));
             }
             if !past_outside_history && check == Check::TooOld {
@@ -806,8 +813,16 @@ impl Tower {
                 ));
             }
 
-            retain_flags_for_each_vote_in_reverse.push(!found);
+            retain_flags_for_each_vote_in_reverse.push(!anchored);
+        }
+
+        if !anchored && checked_slot.unwrap() > slot_history.newest() {
+            return Err(TowerError::TooNew(
+                checked_slot.unwrap(),
+                slot_history.newest(),
+            ));
         }
+
         let mut retain_flags_for_each_vote =
             retain_flags_for_each_vote_in_reverse.into_iter().rev();
 
@@ -946,9 +961,12 @@ pub enum TowerError {
     #[error("The tower does not match this validator: {0}")]
     WrongTower(String),
 
-    #[error("The tower is too old: last voted slot in tower ({0}) < oldest slot in available history ({1})")]
+    #[error("The tower is too old: newest slot in tower ({0}) << oldest slot in available history ({1})")]
     TooOld(Slot, Slot),
 
+    #[error("The tower is too new: oldest slot in tower ({0}) >> newest slot in available history ({1})")]
+    TooNew(Slot, Slot),
+
     #[error("The tower is inconsistent with slot history: {0}")]
     InconsistentWithSlotHistory(String),
 }
@@ -2543,7 +2561,30 @@ pub mod test {
         slot_history.add(MAX_ENTRIES);
 
         let result = tower.adjust_lockouts_after_replay(MAX_ENTRIES, &slot_history);
-        assert_eq!(format!("{}", result.unwrap_err()), "The tower is too old: last voted slot in tower (0) < oldest slot in available history (1)");
+        assert_eq!(
+            format!("{}", result.unwrap_err()),
+            "The tower is too old: newest slot in tower (0) << oldest slot in available history (1)"
+        );
+    }
+
+    #[test]
+    fn test_expire_old_votes_on_load44() {
+        solana_logger::setup();
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.lockouts.votes.push_back(Lockout::new(100));
+        tower.lockouts.votes.push_back(Lockout::new(101));
+        let vote = Vote::new(vec![101], Hash::default());
+        tower.last_vote = vote;
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        slot_history.add(2);
+
+        let result = tower.adjust_lockouts_after_replay(2, &slot_history);
+        assert_eq!(
+            format!("{}", result.unwrap_err()),
+            "The tower is too new: oldest slot in tower (100) >> newest slot in available history (2)"
+        );
     }
 
     #[test]
@@ -2582,7 +2623,7 @@ pub mod test {
         let result = tower.adjust_lockouts_after_replay(0, &slot_history);
         assert_eq!(
             format!("{}", result.unwrap_err()),
-            "The tower is inconsistent with slot history: time warmped?"
+            "The tower is inconsistent with slot history: time warped?"
         );
     }
 
@@ -2662,8 +2703,9 @@ pub mod test {
         slot_history.add(0);
         slot_history.add(1);
         slot_history.add(2);
+        slot_history.add(7);
 
-        let replayed_root_slot = 2;
+        let replayed_root_slot = 7;
         tower = tower
             .adjust_lockouts_after_replay(replayed_root_slot, &slot_history)
             .unwrap();
diff --git a/sdk/src/slot_history.rs b/sdk/src/slot_history.rs
index 4765fab7049aa6..293ae38e1b1460 100644
--- a/sdk/src/slot_history.rs
+++ b/sdk/src/slot_history.rs
@@ -63,7 +63,7 @@ impl SlotHistory {
     }
 
     pub fn check(&self, slot: Slot) -> Check {
-        if slot >= self.next_slot {
+        if slot > self.newest() {
             Check::Future
         } else if slot < self.oldest() {
             Check::TooOld
@@ -77,6 +77,10 @@ impl SlotHistory {
     pub fn oldest(&self) -> Slot {
         self.next_slot.saturating_sub(MAX_ENTRIES)
     }
+
+    pub fn newest(&self) -> Slot {
+        self.next_slot - 1
+    }
 }
 
 #[cfg(test)]

From 100c88acea801d3dd68419eccf3b8e28ca37c8c1 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 9 Jul 2020 14:33:54 +0900
Subject: [PATCH 37/67] Further clean-up arround TowerError

---
 core/src/consensus.rs | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 175a9428f8c7c8..de5961f8852188 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -770,7 +770,10 @@ impl Tower {
         if slot_history.check(last_voted_slot) == Check::TooOld {
             // We could try hard to anchor with other older votes, but opt to simplify the
             // following logic
-            return Err(TowerError::TooOld(last_voted_slot, slot_history.oldest()));
+            return Err(TowerError::TooOldTower(
+                last_voted_slot,
+                slot_history.oldest(),
+            ));
         }
 
         // only divergent slots will be retained
@@ -816,8 +819,10 @@ impl Tower {
             retain_flags_for_each_vote_in_reverse.push(!anchored);
         }
 
+        // All of votes in an unrooted warming-up vote account may cannot be anchored.
+        // In that case, just continue; otherwise check for too old slot history.
         if !anchored && checked_slot.unwrap() > slot_history.newest() {
-            return Err(TowerError::TooNew(
+            return Err(TowerError::TooOldSlotHistory(
                 checked_slot.unwrap(),
                 slot_history.newest(),
             ));
@@ -836,7 +841,7 @@ impl Tower {
             self.lockouts.root_slot = None;
             self.last_vote = Vote::default();
         } else {
-            info!("Some restored votes were on different fork or are future votes on unrooted slots: {:?}!", self.voted_slots());
+            info!("Some restored votes were on different fork or are upcoming votes on unrooted slots: {:?}!", self.voted_slots());
 
             self.lockouts.root_slot = Some(replayed_root_slot);
             assert_eq!(
@@ -962,10 +967,10 @@ pub enum TowerError {
     WrongTower(String),
 
     #[error("The tower is too old: newest slot in tower ({0}) << oldest slot in available history ({1})")]
-    TooOld(Slot, Slot),
+    TooOldTower(Slot, Slot),
 
-    #[error("The tower is too new: oldest slot in tower ({0}) >> newest slot in available history ({1})")]
-    TooNew(Slot, Slot),
+    #[error("The slot history is too old: oldest slot in tower ({0}) >> newest slot in available history ({1})")]
+    TooOldSlotHistory(Slot, Slot),
 
     #[error("The tower is inconsistent with slot history: {0}")]
     InconsistentWithSlotHistory(String),
@@ -2583,7 +2588,7 @@ pub mod test {
         let result = tower.adjust_lockouts_after_replay(2, &slot_history);
         assert_eq!(
             format!("{}", result.unwrap_err()),
-            "The tower is too new: oldest slot in tower (100) >> newest slot in available history (2)"
+            "The slot history is too old: oldest slot in tower (100) >> newest slot in available history (2)"
         );
     }
 

From c6812f001171d32c0e72427b58857a71c92b65c4 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 9 Jul 2020 14:45:01 +0900
Subject: [PATCH 38/67] Truly create ancestors by excluding last vote slot

---
 core/src/consensus.rs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index de5961f8852188..e3a9ddc9a373f1 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -95,6 +95,7 @@ pub struct Tower {
     #[serde(skip)]
     tmp_path: PathBuf, // used before atomic fs::rename()
     #[serde(skip)]
+    // this could be emptied; but left intact indefinitely for easier implementation
     stray_restored_slots: HashSet<Slot>,
 }
 
@@ -481,6 +482,8 @@ impl Tower {
         total_stake: u64,
         epoch_vote_accounts: &HashMap<Pubkey, (u64, Account)>,
     ) -> SwitchForkDecision {
+        let mut stray_restored_ancestors = HashSet::default();
+
         self.last_voted_slot()
             .map(|last_voted_slot| {
                 let last_vote_ancestors = ancestors.get(&last_voted_slot).unwrap_or_else(|| {
@@ -488,11 +491,13 @@ impl Tower {
                         // Use stray restored slots because we can't derive them from given ancestors (=bank_forks)
                         // Also, can't just return empty ancestors because we should exclude
                         // lockouts on stray last vote's ancestors in the lockout_intervals.
+                        stray_restored_ancestors = self.stray_restored_slots.clone();
+                        stray_restored_ancestors.remove(&last_voted_slot);
                         info!(
                             "returning restored slots {:?} because of stray last vote ({})...",
-                            self.stray_restored_slots, last_voted_slot
+                            stray_restored_ancestors, last_voted_slot
                         );
-                        &self.stray_restored_slots
+                        &stray_restored_ancestors
                     } else {
                         panic!("no ancestor!")
                     }

From 8cbd5835a4356b21caf93dbcb8b2d4dec3b1ff0d Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 9 Jul 2020 15:04:06 +0900
Subject: [PATCH 39/67] Add comment for stray_restored_slots

---
 core/src/consensus.rs | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index e3a9ddc9a373f1..9406308dc83893 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -95,7 +95,18 @@ pub struct Tower {
     #[serde(skip)]
     tmp_path: PathBuf, // used before atomic fs::rename()
     #[serde(skip)]
-    // this could be emptied; but left intact indefinitely for easier implementation
+    // Restored voted slots which cannot be found in SlotHistory at replayed root
+    // (This's kind of special field for slashing-free validator restart with edge cases).
+    // Those voted slots means they are/were on a different fork (which may not be available
+    // in bank_forks after validator restart) or are unrooted slots following the replayed
+    // rooted slot.
+    // This is only used to construct synthesized ancestors for the last vote, if restored
+    // last_vote's ancestors cannot be found in bank_forks. That's because fork choice
+    // and switch threshold requires that information.
+    // That way we avoid mangling bank_forks or relaxing bank_forks invariants just for
+    // validator's restart porpose.
+    // This could be emptied after some time; but left intact indefinitely for easier
+    // implementation
     stray_restored_slots: HashSet<Slot>,
 }
 

From dec032bf7be9cd561fdc2d0909d02268a48e0069 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 9 Jul 2020 15:05:08 +0900
Subject: [PATCH 40/67] Add comment for stray_restored_slots

---
 core/src/consensus.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 9406308dc83893..ed97d46fb5d891 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -501,7 +501,8 @@ impl Tower {
                     if self.is_stray_last_vote() {
                         // Use stray restored slots because we can't derive them from given ancestors (=bank_forks)
                         // Also, can't just return empty ancestors because we should exclude
-                        // lockouts on stray last vote's ancestors in the lockout_intervals.
+                        // lockouts on stray last vote's ancestors in the lockout_intervals later
+                        // in this fn.
                         stray_restored_ancestors = self.stray_restored_slots.clone();
                         stray_restored_ancestors.remove(&last_voted_slot);
                         info!(

From 090c6d82abe5aae9e8b6fbf96acaad90fa39b114 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 9 Jul 2020 15:06:19 +0900
Subject: [PATCH 41/67] Use BTreeSet

---
 core/src/consensus.rs                    | 18 ++++++++++--------
 core/src/heaviest_subtree_fork_choice.rs |  2 ++
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index ed97d46fb5d891..3c5701e16f8ba6 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -20,7 +20,7 @@ use solana_vote_program::{
     vote_state::{BlockTimestamp, Lockout, Vote, VoteState, MAX_LOCKOUT_HISTORY},
 };
 use std::{
-    collections::{HashMap, HashSet},
+    collections::{BTreeSet, HashMap, HashSet},
     fs::{self, File},
     io::BufReader,
     ops::Bound::{Included, Unbounded},
@@ -107,7 +107,7 @@ pub struct Tower {
     // validator's restart porpose.
     // This could be emptied after some time; but left intact indefinitely for easier
     // implementation
-    stray_restored_slots: HashSet<Slot>,
+    stray_restored_slots: BTreeSet<Slot>,
 }
 
 impl Default for Tower {
@@ -121,7 +121,7 @@ impl Default for Tower {
             last_timestamp: BlockTimestamp::default(),
             path: PathBuf::default(),
             tmp_path: PathBuf::default(),
-            stray_restored_slots: HashSet::default(),
+            stray_restored_slots: BTreeSet::default(),
         }
     }
 }
@@ -503,7 +503,7 @@ impl Tower {
                         // Also, can't just return empty ancestors because we should exclude
                         // lockouts on stray last vote's ancestors in the lockout_intervals later
                         // in this fn.
-                        stray_restored_ancestors = self.stray_restored_slots.clone();
+                        stray_restored_ancestors = self.stray_restored_slots.clone().into_iter().collect();
                         stray_restored_ancestors.remove(&last_voted_slot);
                         info!(
                             "returning restored slots {:?} because of stray last vote ({})...",
@@ -737,10 +737,12 @@ impl Tower {
 
     pub fn is_stray_last_vote(&self) -> bool {
         if let Some(last_voted_slot) = self.last_voted_slot() {
-            self.stray_restored_slots.contains(&last_voted_slot)
-        } else {
-            false
+            if let Some(max_stray_slot) = self.stray_restored_slots.iter().next_back() {
+                return *max_stray_slot == last_voted_slot;
+            }
         }
+
+        false
     }
 
     // The tower root can be older/newer if the validator booted from a newer/older snapshot, so
@@ -2568,7 +2570,7 @@ pub mod test {
 
         assert_eq!(tower.voted_slots(), vec![] as Vec<Slot>);
         assert_eq!(tower.root(), None);
-        assert_eq!(tower.stray_restored_slots, HashSet::default());
+        assert_eq!(tower.stray_restored_slots, BTreeSet::default());
     }
 
     #[test]
diff --git a/core/src/heaviest_subtree_fork_choice.rs b/core/src/heaviest_subtree_fork_choice.rs
index aa84464ae7b40e..ea8954fae68f8e 100644
--- a/core/src/heaviest_subtree_fork_choice.rs
+++ b/core/src/heaviest_subtree_fork_choice.rs
@@ -1519,6 +1519,8 @@ mod test {
         // Make slot 1 (existing in bank_forks) a restored stray slot
         let mut slot_history = SlotHistory::default();
         slot_history.add(0);
+        // Work around TooOldSlotHistory
+        slot_history.add(999);
         tower = tower
             .adjust_lockouts_after_replay(0, &slot_history)
             .unwrap();

From e937647bdd6959b79c4d4737203fe73b20812104 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 9 Jul 2020 16:23:48 +0900
Subject: [PATCH 42/67] Consider root_slot into post-replay adjustment

---
 core/src/consensus.rs | 43 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 41 insertions(+), 2 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 3c5701e16f8ba6..34b6125154314c 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -504,6 +504,7 @@ impl Tower {
                         // lockouts on stray last vote's ancestors in the lockout_intervals later
                         // in this fn.
                         stray_restored_ancestors = self.stray_restored_slots.clone().into_iter().collect();
+                        assert!(stray_restored_ancestors.contains(&last_voted_slot));
                         stray_restored_ancestors.remove(&last_voted_slot);
                         info!(
                             "returning restored slots {:?} because of stray last vote ({})...",
@@ -805,8 +806,15 @@ impl Tower {
         // iterate over votes in the newest => oldest order
         // bail out early if bad condition is found
         let mut checked_slot = None;
-        for vote in self.lockouts.votes.iter().rev() {
-            checked_slot = Some(vote.slot);
+        let mut voted_slots = if let Some(root) = self.lockouts.root_slot {
+            vec![root]
+        } else {
+            vec![]
+        };
+        voted_slots.extend(self.voted_slots());
+
+        for voted_slot in voted_slots.iter().rev() {
+            checked_slot = Some(*voted_slot);
             let check = slot_history.check(checked_slot.unwrap());
 
             if !anchored && check == Check::Found {
@@ -838,6 +846,15 @@ impl Tower {
             retain_flags_for_each_vote_in_reverse.push(!anchored);
         }
 
+        assert_eq!(
+            voted_slots.len(),
+            retain_flags_for_each_vote_in_reverse.len()
+        );
+
+        if self.lockouts.root_slot.is_some() {
+            retain_flags_for_each_vote_in_reverse.pop();
+        }
+
         // All of votes in an unrooted warming-up vote account may cannot be anchored.
         // In that case, just continue; otherwise check for too old slot history.
         if !anchored && checked_slot.unwrap() > slot_history.newest() {
@@ -2738,6 +2755,28 @@ pub mod test {
         assert_eq!(tower.root(), Some(replayed_root_slot));
     }
 
+    #[test]
+    fn test_expire_old_votes_on_load65() {
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.lockouts.root_slot = Some(2);
+        tower.record_vote(3, Hash::default());
+        tower.record_vote(4, Hash::default());
+        tower.record_vote(5, Hash::default());
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        slot_history.add(1);
+        slot_history.add(2);
+
+        let replayed_root_slot = 2;
+        tower = tower
+            .adjust_lockouts_after_replay(replayed_root_slot, &slot_history)
+            .unwrap();
+
+        assert_eq!(tower.voted_slots(), vec![3, 4, 5]);
+        assert_eq!(tower.root(), Some(replayed_root_slot));
+    }
+
     #[test]
     fn test_expire_old_votes_on_load7() {
         let mut tower = Tower::new_for_tests(10, 0.9);

From 70e54d6b094ed6ef7acbaecf126cb3e439697ee3 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 9 Jul 2020 16:39:25 +0900
Subject: [PATCH 43/67] Tweak logging

---
 core/src/consensus.rs | 2 +-
 core/src/validator.rs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 34b6125154314c..4fd51ad677b404 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -754,7 +754,7 @@ impl Tower {
         slot_history: &SlotHistory,
     ) -> Result<Self> {
         info!(
-            "adjusting lockouts after replay up to {}: {:?}",
+            "adjusting lockouts (after replay up to {}): {:?}",
             replayed_root_slot,
             self.voted_slots()
         );
diff --git a/core/src/validator.rs b/core/src/validator.rs
index 65fc36a84f4965..850d614d040150 100644
--- a/core/src/validator.rs
+++ b/core/src/validator.rs
@@ -644,7 +644,7 @@ fn post_process_restored_tower(
         .unwrap_or_else(|err| {
             let is_already_active = active_vote_account_exists_in_bank(&bank_forks.working_bank(), &vote_account);
             if config.require_tower && is_already_active {
-                error!("Required tower restore failed: {:?}", err);
+                error!("Requested mandatory tower restore failed: {:?}", err);
                 error!("And there is an existing vote_account containing actual votes. Aborting due to possible conflicting duplicate votes");
                 process::exit(1);
             }

From 0f73733d6342f270b4239d65e5d45570aaad3091 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 9 Jul 2020 17:03:35 +0900
Subject: [PATCH 44/67] Add test for stray_restored_ancestors

---
 core/src/consensus.rs | 39 +++++++++++++++++++++++++++++++++++----
 1 file changed, 35 insertions(+), 4 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 4fd51ad677b404..d01ffee4c3f1e7 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -484,6 +484,15 @@ impl Tower {
         false
     }
 
+    fn stray_restored_ancestors(&self) -> HashSet<Slot> {
+        let mut ancestors: HashSet<_> = self.stray_restored_slots.clone().into_iter().collect();
+        if let Some(last_voted_slot) = self.last_voted_slot() {
+            assert!(ancestors.contains(&last_voted_slot));
+            ancestors.remove(&last_voted_slot);
+        }
+        ancestors
+    }
+
     pub(crate) fn check_switch_threshold(
         &self,
         switch_slot: u64,
@@ -499,13 +508,11 @@ impl Tower {
             .map(|last_voted_slot| {
                 let last_vote_ancestors = ancestors.get(&last_voted_slot).unwrap_or_else(|| {
                     if self.is_stray_last_vote() {
-                        // Use stray restored slots because we can't derive them from given ancestors (=bank_forks)
+                        // Use stray restored ancestors because we can't derive them from given ancestors (=bank_forks)
                         // Also, can't just return empty ancestors because we should exclude
                         // lockouts on stray last vote's ancestors in the lockout_intervals later
                         // in this fn.
-                        stray_restored_ancestors = self.stray_restored_slots.clone().into_iter().collect();
-                        assert!(stray_restored_ancestors.contains(&last_voted_slot));
-                        stray_restored_ancestors.remove(&last_voted_slot);
+                        stray_restored_ancestors = self.stray_restored_ancestors();
                         info!(
                             "returning restored slots {:?} because of stray last vote ({})...",
                             stray_restored_ancestors, last_voted_slot
@@ -2792,4 +2799,28 @@ pub mod test {
         assert_eq!(tower.voted_slots(), vec![] as Vec<Slot>);
         assert_eq!(tower.root(), None);
     }
+
+    #[test]
+    fn test_stray_restored_ancestors() {
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.lockouts.root_slot = Some(2);
+        tower.record_vote(3, Hash::default());
+        tower.record_vote(4, Hash::default());
+        tower.record_vote(5, Hash::default());
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        slot_history.add(1);
+        slot_history.add(2);
+
+        let replayed_root_slot = 2;
+        tower = tower
+            .adjust_lockouts_after_replay(replayed_root_slot, &slot_history)
+            .unwrap();
+
+        assert_eq!(tower.voted_slots(), vec![3, 4, 5]);
+        assert_eq!(tower.last_voted_slot(), Some(5));
+        assert_eq!(tower.is_stray_last_vote(), true);
+        assert_eq!(tower.stray_restored_ancestors(), vec![3, 4].into_iter().collect());
+    }
 }

From f30272f0bfc4d3738a035185523bffc29761caf6 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 9 Jul 2020 17:25:56 +0900
Subject: [PATCH 45/67] Reorder some code

---
 core/src/consensus.rs | 371 +++++++++++++++++++++---------------------
 1 file changed, 187 insertions(+), 184 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index d01ffee4c3f1e7..6a489fed9218b2 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -484,15 +484,6 @@ impl Tower {
         false
     }
 
-    fn stray_restored_ancestors(&self) -> HashSet<Slot> {
-        let mut ancestors: HashSet<_> = self.stray_restored_slots.clone().into_iter().collect();
-        if let Some(last_voted_slot) = self.last_voted_slot() {
-            assert!(ancestors.contains(&last_voted_slot));
-            ancestors.remove(&last_voted_slot);
-        }
-        ancestors
-    }
-
     pub(crate) fn check_switch_threshold(
         &self,
         switch_slot: u64,
@@ -753,6 +744,15 @@ impl Tower {
         false
     }
 
+    fn stray_restored_ancestors(&self) -> HashSet<Slot> {
+        let mut ancestors: HashSet<_> = self.stray_restored_slots.clone().into_iter().collect();
+        if let Some(last_voted_slot) = self.last_voted_slot() {
+            assert!(ancestors.contains(&last_voted_slot));
+            ancestors.remove(&last_voted_slot);
+        }
+        ancestors
+    }
+
     // The tower root can be older/newer if the validator booted from a newer/older snapshot, so
     // tower lockouts may need adjustment
     pub fn adjust_lockouts_after_replay(
@@ -862,7 +862,7 @@ impl Tower {
             retain_flags_for_each_vote_in_reverse.pop();
         }
 
-        // All of votes in an unrooted warming-up vote account may cannot be anchored.
+        // All of votes in an unrooted warming-up vote account may not be anchored.
         // In that case, just continue; otherwise check for too old slot history.
         if !anchored && checked_slot.unwrap() > slot_history.newest() {
             return Err(TowerError::TooOldSlotHistory(
@@ -1481,179 +1481,6 @@ pub mod test {
         }
     }
 
-    #[test]
-    fn test_switch_threshold_across_tower_reload() {
-        solana_logger::setup();
-        // Init state
-        let mut vote_simulator = VoteSimulator::new(2);
-        let my_pubkey = vote_simulator.node_pubkeys[0];
-        let other_vote_account = vote_simulator.vote_pubkeys[1];
-        let bank0 = vote_simulator
-            .bank_forks
-            .read()
-            .unwrap()
-            .get(0)
-            .unwrap()
-            .clone();
-        let total_stake = bank0.total_epoch_stake();
-        assert_eq!(
-            total_stake,
-            vote_simulator.validator_keypairs.len() as u64 * 10_000
-        );
-
-        // Create the tree of banks
-        let forks = tr(0)
-            / (tr(1)
-                / (tr(2)
-                    / tr(10)
-                    / (tr(43)
-                        / (tr(44)
-                            // Minor fork 2
-                            / (tr(45) / (tr(46) / (tr(47) / (tr(48) / (tr(49) / (tr(50)))))))
-                            / (tr(110) / tr(111))))));
-
-        // Fill the BankForks according to the above fork structure
-        vote_simulator.fill_bank_forks(forks, &HashMap::new());
-        let ancestors = vote_simulator.bank_forks.read().unwrap().ancestors();
-        let descendants = vote_simulator.bank_forks.read().unwrap().descendants();
-        let mut tower = Tower::new_with_key(&my_pubkey);
-
-        tower.record_vote(43, Hash::default());
-        tower.record_vote(44, Hash::default());
-        tower.record_vote(45, Hash::default());
-        tower.record_vote(46, Hash::default());
-        tower.record_vote(47, Hash::default());
-        tower.record_vote(48, Hash::default());
-        tower.record_vote(49, Hash::default());
-
-        // Trying to switch to a descendant of last vote should always work
-        assert_eq!(
-            tower.check_switch_threshold(
-                50,
-                &ancestors,
-                &descendants,
-                &vote_simulator.progress,
-                total_stake,
-                bank0.epoch_vote_accounts(0).unwrap(),
-            ),
-            SwitchForkDecision::NoSwitch
-        );
-
-        // Trying to switch to another fork at 110 should fail
-        assert_eq!(
-            tower.check_switch_threshold(
-                110,
-                &ancestors,
-                &descendants,
-                &vote_simulator.progress,
-                total_stake,
-                bank0.epoch_vote_accounts(0).unwrap(),
-            ),
-            SwitchForkDecision::FailedSwitchThreshold
-        );
-
-        vote_simulator.simulate_lockout_interval(111, (10, 49), &other_vote_account);
-
-        assert_eq!(
-            tower.check_switch_threshold(
-                110,
-                &ancestors,
-                &descendants,
-                &vote_simulator.progress,
-                total_stake,
-                bank0.epoch_vote_accounts(0).unwrap(),
-            ),
-            SwitchForkDecision::SwitchProof(Hash::default())
-        );
-
-        assert_eq!(tower.voted_slots(), vec![43, 44, 45, 46, 47, 48, 49]);
-        {
-            let mut tower = tower.clone();
-            tower.record_vote(110, Hash::default());
-            tower.record_vote(111, Hash::default());
-            assert_eq!(tower.voted_slots(), vec![43, 110, 111]);
-            assert_eq!(tower.lockouts.root_slot, None);
-        }
-
-        let mut vote_simulator = VoteSimulator::new(2);
-        let other_vote_account = vote_simulator.vote_pubkeys[1];
-        let bank0 = vote_simulator
-            .bank_forks
-            .read()
-            .unwrap()
-            .get(0)
-            .unwrap()
-            .clone();
-        let total_stake = bank0.total_epoch_stake();
-        let forks = tr(0)
-            / (tr(1)
-                / (tr(2)
-                    / tr(10)
-                    / (tr(43) / (tr(44) / (tr(45) / tr(222)) / (tr(110) / tr(111))))));
-        let replayed_root_slot = 44;
-
-        // Fill the BankForks according to the above fork structure
-        vote_simulator.fill_bank_forks(forks, &HashMap::new());
-
-        // prepend tower restart!
-        let mut slot_history = SlotHistory::default();
-        vote_simulator.set_root(replayed_root_slot);
-        let ancestors = vote_simulator.bank_forks.read().unwrap().ancestors();
-        let descendants = vote_simulator.bank_forks.read().unwrap().descendants();
-        for slot in &[0, 1, 2, 43, replayed_root_slot] {
-            slot_history.add(*slot);
-        }
-        let mut tower = tower
-            .adjust_lockouts_after_replay(replayed_root_slot, &slot_history)
-            .unwrap();
-
-        assert_eq!(tower.voted_slots(), vec![45, 46, 47, 48, 49]);
-
-        // Trying to switch to another fork at 110 should fail
-        assert_eq!(
-            tower.check_switch_threshold(
-                110,
-                &ancestors,
-                &descendants,
-                &vote_simulator.progress,
-                total_stake,
-                bank0.epoch_vote_accounts(0).unwrap(),
-            ),
-            SwitchForkDecision::FailedSwitchThreshold
-        );
-
-        vote_simulator.simulate_lockout_interval(111, (45, 50), &other_vote_account);
-        assert_eq!(
-            tower.check_switch_threshold(
-                110,
-                &ancestors,
-                &descendants,
-                &vote_simulator.progress,
-                total_stake,
-                bank0.epoch_vote_accounts(0).unwrap(),
-            ),
-            SwitchForkDecision::FailedSwitchThreshold
-        );
-
-        vote_simulator.simulate_lockout_interval(111, (110, 200), &other_vote_account);
-        assert_eq!(
-            tower.check_switch_threshold(
-                110,
-                &ancestors,
-                &descendants,
-                &vote_simulator.progress,
-                total_stake,
-                bank0.epoch_vote_accounts(0).unwrap(),
-            ),
-            SwitchForkDecision::SwitchProof(Hash::default())
-        );
-
-        tower.record_vote(110, Hash::default());
-        tower.record_vote(111, Hash::default());
-        assert_eq!(tower.voted_slots(), vec![110, 111]);
-        assert_eq!(tower.lockouts.root_slot, Some(replayed_root_slot));
-    }
-
     #[test]
     fn test_switch_threshold() {
         // Init state
@@ -2442,6 +2269,179 @@ pub mod test {
         (tower, loaded)
     }
 
+    #[test]
+    fn test_switch_threshold_across_tower_reload() {
+        solana_logger::setup();
+        // Init state
+        let mut vote_simulator = VoteSimulator::new(2);
+        let my_pubkey = vote_simulator.node_pubkeys[0];
+        let other_vote_account = vote_simulator.vote_pubkeys[1];
+        let bank0 = vote_simulator
+            .bank_forks
+            .read()
+            .unwrap()
+            .get(0)
+            .unwrap()
+            .clone();
+        let total_stake = bank0.total_epoch_stake();
+        assert_eq!(
+            total_stake,
+            vote_simulator.validator_keypairs.len() as u64 * 10_000
+        );
+
+        // Create the tree of banks
+        let forks = tr(0)
+            / (tr(1)
+                / (tr(2)
+                    / tr(10)
+                    / (tr(43)
+                        / (tr(44)
+                            // Minor fork 2
+                            / (tr(45) / (tr(46) / (tr(47) / (tr(48) / (tr(49) / (tr(50)))))))
+                            / (tr(110) / tr(111))))));
+
+        // Fill the BankForks according to the above fork structure
+        vote_simulator.fill_bank_forks(forks, &HashMap::new());
+        let ancestors = vote_simulator.bank_forks.read().unwrap().ancestors();
+        let descendants = vote_simulator.bank_forks.read().unwrap().descendants();
+        let mut tower = Tower::new_with_key(&my_pubkey);
+
+        tower.record_vote(43, Hash::default());
+        tower.record_vote(44, Hash::default());
+        tower.record_vote(45, Hash::default());
+        tower.record_vote(46, Hash::default());
+        tower.record_vote(47, Hash::default());
+        tower.record_vote(48, Hash::default());
+        tower.record_vote(49, Hash::default());
+
+        // Trying to switch to a descendant of last vote should always work
+        assert_eq!(
+            tower.check_switch_threshold(
+                50,
+                &ancestors,
+                &descendants,
+                &vote_simulator.progress,
+                total_stake,
+                bank0.epoch_vote_accounts(0).unwrap(),
+            ),
+            SwitchForkDecision::NoSwitch
+        );
+
+        // Trying to switch to another fork at 110 should fail
+        assert_eq!(
+            tower.check_switch_threshold(
+                110,
+                &ancestors,
+                &descendants,
+                &vote_simulator.progress,
+                total_stake,
+                bank0.epoch_vote_accounts(0).unwrap(),
+            ),
+            SwitchForkDecision::FailedSwitchThreshold
+        );
+
+        vote_simulator.simulate_lockout_interval(111, (10, 49), &other_vote_account);
+
+        assert_eq!(
+            tower.check_switch_threshold(
+                110,
+                &ancestors,
+                &descendants,
+                &vote_simulator.progress,
+                total_stake,
+                bank0.epoch_vote_accounts(0).unwrap(),
+            ),
+            SwitchForkDecision::SwitchProof(Hash::default())
+        );
+
+        assert_eq!(tower.voted_slots(), vec![43, 44, 45, 46, 47, 48, 49]);
+        {
+            let mut tower = tower.clone();
+            tower.record_vote(110, Hash::default());
+            tower.record_vote(111, Hash::default());
+            assert_eq!(tower.voted_slots(), vec![43, 110, 111]);
+            assert_eq!(tower.lockouts.root_slot, None);
+        }
+
+        let mut vote_simulator = VoteSimulator::new(2);
+        let other_vote_account = vote_simulator.vote_pubkeys[1];
+        let bank0 = vote_simulator
+            .bank_forks
+            .read()
+            .unwrap()
+            .get(0)
+            .unwrap()
+            .clone();
+        let total_stake = bank0.total_epoch_stake();
+        let forks = tr(0)
+            / (tr(1)
+                / (tr(2)
+                    / tr(10)
+                    / (tr(43) / (tr(44) / (tr(45) / tr(222)) / (tr(110) / tr(111))))));
+        let replayed_root_slot = 44;
+
+        // Fill the BankForks according to the above fork structure
+        vote_simulator.fill_bank_forks(forks, &HashMap::new());
+
+        // prepend tower restart!
+        let mut slot_history = SlotHistory::default();
+        vote_simulator.set_root(replayed_root_slot);
+        let ancestors = vote_simulator.bank_forks.read().unwrap().ancestors();
+        let descendants = vote_simulator.bank_forks.read().unwrap().descendants();
+        for slot in &[0, 1, 2, 43, replayed_root_slot] {
+            slot_history.add(*slot);
+        }
+        let mut tower = tower
+            .adjust_lockouts_after_replay(replayed_root_slot, &slot_history)
+            .unwrap();
+
+        assert_eq!(tower.voted_slots(), vec![45, 46, 47, 48, 49]);
+
+        // Trying to switch to another fork at 110 should fail
+        assert_eq!(
+            tower.check_switch_threshold(
+                110,
+                &ancestors,
+                &descendants,
+                &vote_simulator.progress,
+                total_stake,
+                bank0.epoch_vote_accounts(0).unwrap(),
+            ),
+            SwitchForkDecision::FailedSwitchThreshold
+        );
+
+        vote_simulator.simulate_lockout_interval(111, (45, 50), &other_vote_account);
+        assert_eq!(
+            tower.check_switch_threshold(
+                110,
+                &ancestors,
+                &descendants,
+                &vote_simulator.progress,
+                total_stake,
+                bank0.epoch_vote_accounts(0).unwrap(),
+            ),
+            SwitchForkDecision::FailedSwitchThreshold
+        );
+
+        vote_simulator.simulate_lockout_interval(111, (110, 200), &other_vote_account);
+        assert_eq!(
+            tower.check_switch_threshold(
+                110,
+                &ancestors,
+                &descendants,
+                &vote_simulator.progress,
+                total_stake,
+                bank0.epoch_vote_accounts(0).unwrap(),
+            ),
+            SwitchForkDecision::SwitchProof(Hash::default())
+        );
+
+        tower.record_vote(110, Hash::default());
+        tower.record_vote(111, Hash::default());
+        assert_eq!(tower.voted_slots(), vec![110, 111]);
+        assert_eq!(tower.lockouts.root_slot, Some(replayed_root_slot));
+    }
+
     #[test]
     fn test_load_tower_ok() {
         let (tower, loaded) =
@@ -2821,6 +2821,9 @@ pub mod test {
         assert_eq!(tower.voted_slots(), vec![3, 4, 5]);
         assert_eq!(tower.last_voted_slot(), Some(5));
         assert_eq!(tower.is_stray_last_vote(), true);
-        assert_eq!(tower.stray_restored_ancestors(), vec![3, 4].into_iter().collect());
+        assert_eq!(
+            tower.stray_restored_ancestors(),
+            vec![3, 4].into_iter().collect()
+        );
     }
 }

From 83e25481b9ce431742d5df1ce3025ab6bfeed6b9 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 9 Jul 2020 17:39:51 +0900
Subject: [PATCH 46/67] Better names for unit tests

---
 core/src/consensus.rs | 213 +++++++++++++++++++++---------------------
 1 file changed, 106 insertions(+), 107 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 6a489fed9218b2..e905da16553562 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -2530,7 +2530,7 @@ pub mod test {
     }
 
     #[test]
-    fn test_expire_old_votes_on_load() {
+    fn test_adjust_lockouts_after_replay_future_slots() {
         let mut tower = Tower::new_for_tests(10, 0.9);
         tower.record_vote(0, Hash::default());
         tower.record_vote(1, Hash::default());
@@ -2551,7 +2551,7 @@ pub mod test {
     }
 
     #[test]
-    fn test_expire_old_votes_on_load2() {
+    fn test_adjust_lockouts_after_replay_not_found_slots() {
         let mut tower = Tower::new_for_tests(10, 0.9);
         tower.record_vote(0, Hash::default());
         tower.record_vote(1, Hash::default());
@@ -2573,7 +2573,7 @@ pub mod test {
     }
 
     #[test]
-    fn test_expire_old_votes_on_load3() {
+    fn test_adjust_lockouts_after_replay_all_rooted() {
         let mut tower = Tower::new_for_tests(10, 0.9);
         tower.record_vote(0, Hash::default());
         tower.record_vote(1, Hash::default());
@@ -2598,45 +2598,7 @@ pub mod test {
     }
 
     #[test]
-    fn test_expire_old_votes_on_load4() {
-        use solana_sdk::slot_history::MAX_ENTRIES;
-
-        let mut tower = Tower::new_for_tests(10, 0.9);
-        tower.record_vote(0, Hash::default());
-
-        let mut slot_history = SlotHistory::default();
-        slot_history.add(0);
-        slot_history.add(MAX_ENTRIES);
-
-        let result = tower.adjust_lockouts_after_replay(MAX_ENTRIES, &slot_history);
-        assert_eq!(
-            format!("{}", result.unwrap_err()),
-            "The tower is too old: newest slot in tower (0) << oldest slot in available history (1)"
-        );
-    }
-
-    #[test]
-    fn test_expire_old_votes_on_load44() {
-        solana_logger::setup();
-        let mut tower = Tower::new_for_tests(10, 0.9);
-        tower.lockouts.votes.push_back(Lockout::new(100));
-        tower.lockouts.votes.push_back(Lockout::new(101));
-        let vote = Vote::new(vec![101], Hash::default());
-        tower.last_vote = vote;
-
-        let mut slot_history = SlotHistory::default();
-        slot_history.add(0);
-        slot_history.add(2);
-
-        let result = tower.adjust_lockouts_after_replay(2, &slot_history);
-        assert_eq!(
-            format!("{}", result.unwrap_err()),
-            "The slot history is too old: oldest slot in tower (100) >> newest slot in available history (2)"
-        );
-    }
-
-    #[test]
-    fn test_expire_old_votes_on_load40() {
+    fn test_adjust_lockouts_after_relay_all_rooted_long_ago() {
         use solana_sdk::slot_history::MAX_ENTRIES;
 
         let mut tower = Tower::new_for_tests(10, 0.9);
@@ -2658,68 +2620,7 @@ pub mod test {
     }
 
     #[test]
-    fn test_expire_old_votes_on_load41() {
-        let mut tower = Tower::new_for_tests(10, 0.9);
-        tower.lockouts.votes.push_back(Lockout::new(1));
-        tower.lockouts.votes.push_back(Lockout::new(0));
-        let vote = Vote::new(vec![0], Hash::default());
-        tower.last_vote = vote;
-
-        let mut slot_history = SlotHistory::default();
-        slot_history.add(0);
-
-        let result = tower.adjust_lockouts_after_replay(0, &slot_history);
-        assert_eq!(
-            format!("{}", result.unwrap_err()),
-            "The tower is inconsistent with slot history: time warped?"
-        );
-    }
-
-    #[test]
-    fn test_expire_old_votes_on_load42() {
-        let mut tower = Tower::new_for_tests(10, 0.9);
-        tower.lockouts.votes.push_back(Lockout::new(1));
-        tower.lockouts.votes.push_back(Lockout::new(2));
-        let vote = Vote::new(vec![2], Hash::default());
-        tower.last_vote = vote;
-
-        let mut slot_history = SlotHistory::default();
-        slot_history.add(0);
-        slot_history.add(2);
-
-        let result = tower.adjust_lockouts_after_replay(2, &slot_history);
-        assert_eq!(
-            format!("{}", result.unwrap_err()),
-            "The tower is inconsistent with slot history: diverged ancestor?"
-        );
-    }
-
-    #[test]
-    fn test_expire_old_votes_on_load43() {
-        use solana_sdk::slot_history::MAX_ENTRIES;
-
-        let mut tower = Tower::new_for_tests(10, 0.9);
-        tower
-            .lockouts
-            .votes
-            .push_back(Lockout::new(MAX_ENTRIES - 1));
-        tower.lockouts.votes.push_back(Lockout::new(0));
-        tower.lockouts.votes.push_back(Lockout::new(1));
-        let vote = Vote::new(vec![1], Hash::default());
-        tower.last_vote = vote;
-
-        let mut slot_history = SlotHistory::default();
-        slot_history.add(MAX_ENTRIES);
-
-        let result = tower.adjust_lockouts_after_replay(MAX_ENTRIES, &slot_history);
-        assert_eq!(
-            format!("{}", result.unwrap_err()),
-            "The tower is inconsistent with slot history: not too old once after got too old?"
-        );
-    }
-
-    #[test]
-    fn test_expire_old_votes_on_load5() {
+    fn test_adjust_lockouts_after_replay_anchored_future_slots() {
         let mut tower = Tower::new_for_tests(10, 0.9);
         tower.record_vote(0, Hash::default());
         tower.record_vote(1, Hash::default());
@@ -2742,7 +2643,7 @@ pub mod test {
     }
 
     #[test]
-    fn test_expire_old_votes_on_load6() {
+    fn test_adjust_lockouts_after_replay_all_not_found() {
         let mut tower = Tower::new_for_tests(10, 0.9);
         tower.record_vote(5, Hash::default());
         tower.record_vote(6, Hash::default());
@@ -2763,7 +2664,7 @@ pub mod test {
     }
 
     #[test]
-    fn test_expire_old_votes_on_load65() {
+    fn test_adjust_lockouts_after_replay_all_future_votes_only_root_found() {
         let mut tower = Tower::new_for_tests(10, 0.9);
         tower.lockouts.root_slot = Some(2);
         tower.record_vote(3, Hash::default());
@@ -2785,7 +2686,7 @@ pub mod test {
     }
 
     #[test]
-    fn test_expire_old_votes_on_load7() {
+    fn test_adjust_lockouts_after_replay_empty() {
         let mut tower = Tower::new_for_tests(10, 0.9);
 
         let mut slot_history = SlotHistory::default();
@@ -2800,6 +2701,104 @@ pub mod test {
         assert_eq!(tower.root(), None);
     }
 
+    #[test]
+    fn test_adjust_lockouts_after_replay_too_old_tower() {
+        use solana_sdk::slot_history::MAX_ENTRIES;
+
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.record_vote(0, Hash::default());
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        slot_history.add(MAX_ENTRIES);
+
+        let result = tower.adjust_lockouts_after_replay(MAX_ENTRIES, &slot_history);
+        assert_eq!(
+            format!("{}", result.unwrap_err()),
+            "The tower is too old: newest slot in tower (0) << oldest slot in available history (1)"
+        );
+    }
+
+    #[test]
+    fn test_adjust_lockouts_after_replay_too_old_slot_history() {
+        solana_logger::setup();
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.lockouts.votes.push_back(Lockout::new(100));
+        tower.lockouts.votes.push_back(Lockout::new(101));
+        let vote = Vote::new(vec![101], Hash::default());
+        tower.last_vote = vote;
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        slot_history.add(2);
+
+        let result = tower.adjust_lockouts_after_replay(2, &slot_history);
+        assert_eq!(
+            format!("{}", result.unwrap_err()),
+            "The slot history is too old: oldest slot in tower (100) >> newest slot in available history (2)"
+        );
+    }
+    #[test]
+    fn test_adjust_lockouts_after_replay_time_warped() {
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.lockouts.votes.push_back(Lockout::new(1));
+        tower.lockouts.votes.push_back(Lockout::new(0));
+        let vote = Vote::new(vec![0], Hash::default());
+        tower.last_vote = vote;
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+
+        let result = tower.adjust_lockouts_after_replay(0, &slot_history);
+        assert_eq!(
+            format!("{}", result.unwrap_err()),
+            "The tower is inconsistent with slot history: time warped?"
+        );
+    }
+
+    #[test]
+    fn test_adjust_lockouts_after_replay_diverged_ancestor() {
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.lockouts.votes.push_back(Lockout::new(1));
+        tower.lockouts.votes.push_back(Lockout::new(2));
+        let vote = Vote::new(vec![2], Hash::default());
+        tower.last_vote = vote;
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        slot_history.add(2);
+
+        let result = tower.adjust_lockouts_after_replay(2, &slot_history);
+        assert_eq!(
+            format!("{}", result.unwrap_err()),
+            "The tower is inconsistent with slot history: diverged ancestor?"
+        );
+    }
+
+    #[test]
+    fn test_adjust_lockouts_after_replay_out_of_order() {
+        use solana_sdk::slot_history::MAX_ENTRIES;
+
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower
+            .lockouts
+            .votes
+            .push_back(Lockout::new(MAX_ENTRIES - 1));
+        tower.lockouts.votes.push_back(Lockout::new(0));
+        tower.lockouts.votes.push_back(Lockout::new(1));
+        let vote = Vote::new(vec![1], Hash::default());
+        tower.last_vote = vote;
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(MAX_ENTRIES);
+
+        let result = tower.adjust_lockouts_after_replay(MAX_ENTRIES, &slot_history);
+        assert_eq!(
+            format!("{}", result.unwrap_err()),
+            "The tower is inconsistent with slot history: not too old once after got too old?"
+        );
+    }
+
     #[test]
     fn test_stray_restored_ancestors() {
         let mut tower = Tower::new_for_tests(10, 0.9);

From fb5d4b7058013c77a35cd63e1aea6ddb267be325 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 9 Jul 2020 22:53:53 +0900
Subject: [PATCH 47/67] Add frozen_abi to SavedTower

---
 core/src/consensus.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index e905da16553562..98e531d13fc9b2 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -1019,7 +1019,8 @@ pub enum TowerError {
     InconsistentWithSlotHistory(String),
 }
 
-#[derive(Default, Clone, Serialize, Deserialize, Debug, PartialEq)]
+#[frozen_abi(digest = "Gaxfwvx5MArn52mKZQgzHmDCyn5YfCuTHvp5Et3rFfpp")]
+#[derive(Default, Clone, Serialize, Deserialize, Debug, PartialEq, AbiExample)]
 pub struct SavedTower {
     signature: Signature,
     data: Vec<u8>,

From ceca73bfd1961ebaeaaad1c797f7e0b6f7336d22 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 9 Jul 2020 23:05:32 +0900
Subject: [PATCH 48/67] Fold long lines

---
 core/src/consensus.rs | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 98e531d13fc9b2..5c186377b89087 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -499,7 +499,8 @@ impl Tower {
             .map(|last_voted_slot| {
                 let last_vote_ancestors = ancestors.get(&last_voted_slot).unwrap_or_else(|| {
                     if self.is_stray_last_vote() {
-                        // Use stray restored ancestors because we can't derive them from given ancestors (=bank_forks)
+                        // Use stray restored ancestors because we can't derive them from
+                        // given ancestors (=bank_forks)
                         // Also, can't just return empty ancestors because we should exclude
                         // lockouts on stray last vote's ancestors in the lockout_intervals later
                         // in this fn.
@@ -879,12 +880,17 @@ impl Tower {
             .retain(move |_| retain_flags_for_each_vote.next().unwrap());
 
         if self.lockouts.votes.is_empty() {
-            info!("All restored votes were behind replayed_root_slot; resetting root_slot and last_vote in tower!");
+            info!(
+                "All restored votes were behind replayed_root_slot; resetting root_slot and last_vote in tower!",
+            );
 
             self.lockouts.root_slot = None;
             self.last_vote = Vote::default();
         } else {
-            info!("Some restored votes were on different fork or are upcoming votes on unrooted slots: {:?}!", self.voted_slots());
+            info!(
+                "Some restored votes were on different fork or are upcoming votes on unrooted slots: {:?}!",
+                self.voted_slots()
+            );
 
             self.lockouts.root_slot = Some(replayed_root_slot);
             assert_eq!(
@@ -959,7 +965,7 @@ impl Tower {
             // file.sync_all() hurts performance; pipeline sync-ing and submitting votes to the cluster!
         }
         fs::rename(&new_filename, &filename)?;
-        // self.path.parent().sync_all() hurts performance; pipeline sync-ing and submitting votes to the cluster!
+        // self.path.parent().sync_all() hurts performance same as the above sync
 
         measure.stop();
         inc_new_counter_info!("tower_save-ms", measure.as_ms() as usize);
@@ -1009,10 +1015,16 @@ pub enum TowerError {
     #[error("The tower does not match this validator: {0}")]
     WrongTower(String),
 
-    #[error("The tower is too old: newest slot in tower ({0}) << oldest slot in available history ({1})")]
+    #[error(
+        "The tower is too old: \
+        newest slot in tower ({0}) << oldest slot in available history ({1})"
+    )]
     TooOldTower(Slot, Slot),
 
-    #[error("The slot history is too old: oldest slot in tower ({0}) >> newest slot in available history ({1})")]
+    #[error(
+        "The slot history is too old: \
+        oldest slot in tower ({0}) >> newest slot in available history ({1})"
+    )]
     TooOldSlotHistory(Slot, Slot),
 
     #[error("The tower is inconsistent with slot history: {0}")]

From 61ec3b4da52a337af57b0115399381ee4d1fcb4b Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Fri, 10 Jul 2020 16:38:41 +0900
Subject: [PATCH 49/67] Tweak stray ancestors and too old slot history

---
 core/src/consensus.rs                    | 92 ++++++++++++++++--------
 core/src/heaviest_subtree_fork_choice.rs | 38 +++++-----
 2 files changed, 82 insertions(+), 48 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 5c186377b89087..18a1a69566f300 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -13,7 +13,7 @@ use solana_sdk::{
     instruction::Instruction,
     pubkey::Pubkey,
     signature::{Keypair, Signature, Signer},
-    slot_history::SlotHistory,
+    slot_history::{Check, SlotHistory},
 };
 use solana_vote_program::{
     vote_instruction,
@@ -757,7 +757,7 @@ impl Tower {
     // The tower root can be older/newer if the validator booted from a newer/older snapshot, so
     // tower lockouts may need adjustment
     pub fn adjust_lockouts_after_replay(
-        mut self,
+        self,
         replayed_root_slot: Slot,
         slot_history: &SlotHistory,
     ) -> Result<Self> {
@@ -786,8 +786,6 @@ impl Tower {
             )
         );
 
-        use solana_sdk::slot_history::Check;
-
         // return immediately if votes are empty...
         if self.lockouts.votes.is_empty() {
             assert_eq!(self.root(), None);
@@ -804,30 +802,41 @@ impl Tower {
             ));
         }
 
-        // only divergent slots will be retained
+        self.do_adjust_lockouts_after_replay(replayed_root_slot, slot_history)
+    }
+
+    fn do_adjust_lockouts_after_replay(
+        mut self,
+        replayed_root_slot: Slot,
+        slot_history: &SlotHistory,
+    ) -> Result<Self> {
+        // retained slots will be consisted only from divergent slots
         let mut retain_flags_for_each_vote_in_reverse: Vec<_> =
             Vec::with_capacity(self.lockouts.votes.len());
+
         let mut still_in_future = true;
         let mut past_outside_history = false;
-        let mut anchored = false;
-
-        // iterate over votes in the newest => oldest order
-        // bail out early if bad condition is found
         let mut checked_slot = None;
-        let mut voted_slots = if let Some(root) = self.lockouts.root_slot {
+        let mut anchored_slot = None;
+
+        let mut root_checked = false;
+        let mut checked_slots = if let Some(root) = self.lockouts.root_slot {
+            root_checked = true;
             vec![root]
         } else {
             vec![]
         };
-        voted_slots.extend(self.voted_slots());
+        checked_slots.extend(self.voted_slots());
 
-        for voted_slot in voted_slots.iter().rev() {
+        // iterate over votes in the newest => oldest order
+        // bail out early if bad condition is found
+        for voted_slot in checked_slots.iter().rev() {
             checked_slot = Some(*voted_slot);
             let check = slot_history.check(checked_slot.unwrap());
 
-            if !anchored && check == Check::Found {
-                anchored = true;
-            } else if anchored && check == Check::NotFound {
+            if anchored_slot.is_none() && check == Check::Found {
+                anchored_slot = checked_slot;
+            } else if anchored_slot.is_some() && check == Check::NotFound {
                 // this can't happen unless we're fed with bogus snapshot
                 return Err(TowerError::InconsistentWithSlotHistory(
                     "diverged ancestor?".to_owned(),
@@ -851,23 +860,25 @@ impl Tower {
                 ));
             }
 
-            retain_flags_for_each_vote_in_reverse.push(!anchored);
+            retain_flags_for_each_vote_in_reverse.push(anchored_slot.is_none());
         }
 
         assert_eq!(
-            voted_slots.len(),
+            checked_slots.len(),
             retain_flags_for_each_vote_in_reverse.len()
         );
 
-        if self.lockouts.root_slot.is_some() {
+        if root_checked {
             retain_flags_for_each_vote_in_reverse.pop();
         }
 
         // All of votes in an unrooted warming-up vote account may not be anchored.
-        // In that case, just continue; otherwise check for too old slot history.
-        if !anchored && checked_slot.unwrap() > slot_history.newest() {
+        // In that case, just continue; otherwise check for too old slot history error.
+        let oldest_slot_in_tower = checked_slot.unwrap();
+        let within_range = oldest_slot_in_tower <= slot_history.newest();
+        if root_checked && anchored_slot.is_none() && !within_range {
             return Err(TowerError::TooOldSlotHistory(
-                checked_slot.unwrap(),
+                oldest_slot_in_tower,
                 slot_history.newest(),
             ));
         }
@@ -897,8 +908,14 @@ impl Tower {
                 self.last_vote.last_voted_slot().unwrap(),
                 *self.voted_slots().last().unwrap()
             );
+            if let Some(anchored_slot) = anchored_slot {
+                self.stray_restored_slots = std::iter::once(anchored_slot)
+                    .chain(self.voted_slots().into_iter())
+                    .collect();
+            } else {
+                self.stray_restored_slots = self.voted_slots().into_iter().collect();
+            }
             // should call self.votes.pop_expired_votes()?
-            self.stray_restored_slots = self.voted_slots().into_iter().collect();
         }
 
         Ok(self)
@@ -2376,6 +2393,7 @@ pub mod test {
             assert_eq!(tower.lockouts.root_slot, None);
         }
 
+        // Prepare simulated validator restart!
         let mut vote_simulator = VoteSimulator::new(2);
         let other_vote_account = vote_simulator.vote_pubkeys[1];
         let bank0 = vote_simulator
@@ -2423,6 +2441,7 @@ pub mod test {
             SwitchForkDecision::FailedSwitchThreshold
         );
 
+        // Add lockout_interval which should be excluded
         vote_simulator.simulate_lockout_interval(111, (45, 50), &other_vote_account);
         assert_eq!(
             tower.check_switch_threshold(
@@ -2436,6 +2455,7 @@ pub mod test {
             SwitchForkDecision::FailedSwitchThreshold
         );
 
+        // Add lockout_interval which should not be excluded
         vote_simulator.simulate_lockout_interval(111, (110, 200), &other_vote_account);
         assert_eq!(
             tower.check_switch_threshold(
@@ -2489,7 +2509,7 @@ pub mod test {
                     .unwrap();
                 let mut buf = [0u8];
                 assert_eq!(file.read(&mut buf).unwrap(), 1);
-                buf[0] += 1;
+                buf[0] = !buf[0];
                 assert_eq!(file.seek(SeekFrom::Start(0)).unwrap(), 0);
                 assert_eq!(file.write(&buf).unwrap(), 1);
             },
@@ -2586,7 +2606,7 @@ pub mod test {
     }
 
     #[test]
-    fn test_adjust_lockouts_after_replay_all_rooted() {
+    fn test_adjust_lockouts_after_replay_all_rooted_with_no_too_old() {
         let mut tower = Tower::new_for_tests(10, 0.9);
         tower.record_vote(0, Hash::default());
         tower.record_vote(1, Hash::default());
@@ -2611,7 +2631,7 @@ pub mod test {
     }
 
     #[test]
-    fn test_adjust_lockouts_after_relay_all_rooted_long_ago() {
+    fn test_adjust_lockouts_after_relay_all_rooted_with_too_old() {
         use solana_sdk::slot_history::MAX_ENTRIES;
 
         let mut tower = Tower::new_for_tests(10, 0.9);
@@ -2745,12 +2765,18 @@ pub mod test {
         slot_history.add(0);
         slot_history.add(2);
 
-        let result = tower.adjust_lockouts_after_replay(2, &slot_history);
+        let result = tower.clone().adjust_lockouts_after_replay(2, &slot_history);
+        assert!(result.is_ok());
+
+        tower.lockouts.root_slot = Some(11);
+        // Skip some assertions to assume we're censored with crafted slots
+        let result = tower.do_adjust_lockouts_after_replay(2, &slot_history);
         assert_eq!(
             format!("{}", result.unwrap_err()),
-            "The slot history is too old: oldest slot in tower (100) >> newest slot in available history (2)"
+            "The slot history is too old: oldest slot in tower (11) >> newest slot in available history (2)"
         );
     }
+
     #[test]
     fn test_adjust_lockouts_after_replay_time_warped() {
         let mut tower = Tower::new_for_tests(10, 0.9);
@@ -2814,18 +2840,21 @@ pub mod test {
 
     #[test]
     fn test_stray_restored_ancestors() {
+        let tower_root = 2;
         let mut tower = Tower::new_for_tests(10, 0.9);
-        tower.lockouts.root_slot = Some(2);
+        tower.lockouts.root_slot = Some(tower_root);
         tower.record_vote(3, Hash::default());
         tower.record_vote(4, Hash::default());
         tower.record_vote(5, Hash::default());
 
+        let ledger_root = 10;
         let mut slot_history = SlotHistory::default();
         slot_history.add(0);
         slot_history.add(1);
-        slot_history.add(2);
+        slot_history.add(tower_root);
+        slot_history.add(ledger_root);
 
-        let replayed_root_slot = 2;
+        let replayed_root_slot = ledger_root;
         tower = tower
             .adjust_lockouts_after_replay(replayed_root_slot, &slot_history)
             .unwrap();
@@ -2833,9 +2862,10 @@ pub mod test {
         assert_eq!(tower.voted_slots(), vec![3, 4, 5]);
         assert_eq!(tower.last_voted_slot(), Some(5));
         assert_eq!(tower.is_stray_last_vote(), true);
+        assert_eq!(tower.lockouts.root_slot, Some(ledger_root));
         assert_eq!(
             tower.stray_restored_ancestors(),
-            vec![3, 4].into_iter().collect()
+            vec![tower_root, 3, 4].into_iter().collect()
         );
     }
 }
diff --git a/core/src/heaviest_subtree_fork_choice.rs b/core/src/heaviest_subtree_fork_choice.rs
index ea8954fae68f8e..5ebb2a8f3b84ed 100644
--- a/core/src/heaviest_subtree_fork_choice.rs
+++ b/core/src/heaviest_subtree_fork_choice.rs
@@ -492,23 +492,27 @@ impl HeaviestSubtreeForkChoice {
     }
 
     fn heaviest_slot_on_same_voted_fork(&self, tower: &Tower) -> Option<Slot> {
-        tower.last_voted_slot().map(|last_voted_slot| {
-            let heaviest_slot_on_same_voted_fork = self.best_slot(last_voted_slot);
-            if heaviest_slot_on_same_voted_fork.is_none() && tower.is_stray_last_vote() {
-                info!("returning None because of stray last vote...");
-                // return None because bank_forks doesn't have corresponding banks
-                return None;
-            };
-            let heaviest_slot_on_same_voted_fork = heaviest_slot_on_same_voted_fork.expect(
-                "a bank at last_voted_slot is a frozen bank so must have been added to heaviest_subtree_fork_choice at time of freezing",
-            );
-
-            if heaviest_slot_on_same_voted_fork == last_voted_slot {
-                None
-            } else {
-                Some(heaviest_slot_on_same_voted_fork)
-            }
-        }).unwrap_or(None)
+        tower
+            .last_voted_slot()
+            .map(|last_voted_slot| {
+                let heaviest_slot_on_same_voted_fork = self.best_slot(last_voted_slot);
+                if heaviest_slot_on_same_voted_fork.is_none() && tower.is_stray_last_vote() {
+                    info!("returning None because of stray last vote...");
+                    // return None because bank_forks doesn't have corresponding banks
+                    return None;
+                };
+                let heaviest_slot_on_same_voted_fork = heaviest_slot_on_same_voted_fork.expect(
+                    "a bank at last_voted_slot is a frozen bank so must have been added to \
+                heaviest_subtree_fork_choice at time of freezing",
+                );
+
+                if heaviest_slot_on_same_voted_fork == last_voted_slot {
+                    None
+                } else {
+                    Some(heaviest_slot_on_same_voted_fork)
+                }
+            })
+            .unwrap_or(None)
     }
 
     #[cfg(test)]

From 2c2f90139203fd48693d35ca86deaed36166db6b Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Fri, 10 Jul 2020 19:07:59 +0900
Subject: [PATCH 50/67] Re-adjust error conditon of too old slot history

---
 core/src/consensus.rs    | 21 +++++++++++++++++----
 core/src/replay_stage.rs |  6 +++++-
 core/src/validator.rs    | 18 ++++++++++++++----
 3 files changed, 36 insertions(+), 9 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 18a1a69566f300..0e4cae8bab9616 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -872,11 +872,13 @@ impl Tower {
             retain_flags_for_each_vote_in_reverse.pop();
         }
 
-        // All of votes in an unrooted warming-up vote account may not be anchored.
-        // In that case, just continue; otherwise check for too old slot history error.
+        // All of votes in an unrooted (= !root_checked) warming-up vote account may
+        // not be anchored. In that case, this fn will be Ok(_).
+        // Anyway always check for the too-old-slot-history error if not anchored,
+        // regardless root_checked or not.
         let oldest_slot_in_tower = checked_slot.unwrap();
         let within_range = oldest_slot_in_tower <= slot_history.newest();
-        if root_checked && anchored_slot.is_none() && !within_range {
+        if anchored_slot.is_none() && !within_range {
             return Err(TowerError::TooOldSlotHistory(
                 oldest_slot_in_tower,
                 slot_history.newest(),
@@ -903,6 +905,7 @@ impl Tower {
                 self.voted_slots()
             );
 
+            // Updating root is needed to correctly restore from newly-saved towers
             self.lockouts.root_slot = Some(replayed_root_slot);
             assert_eq!(
                 self.last_vote.last_voted_slot().unwrap(),
@@ -2564,6 +2567,7 @@ pub mod test {
 
     #[test]
     fn test_adjust_lockouts_after_replay_future_slots() {
+        solana_logger::setup();
         let mut tower = Tower::new_for_tests(10, 0.9);
         tower.record_vote(0, Hash::default());
         tower.record_vote(1, Hash::default());
@@ -2581,6 +2585,12 @@ pub mod test {
 
         assert_eq!(tower.voted_slots(), vec![2, 3]);
         assert_eq!(tower.root(), Some(replayed_root_slot));
+
+        tower = tower
+            .adjust_lockouts_after_replay(replayed_root_slot, &slot_history)
+            .unwrap();
+        assert_eq!(tower.voted_slots(), vec![2, 3]);
+        assert_eq!(tower.root(), Some(replayed_root_slot));
     }
 
     #[test]
@@ -2766,7 +2776,10 @@ pub mod test {
         slot_history.add(2);
 
         let result = tower.clone().adjust_lockouts_after_replay(2, &slot_history);
-        assert!(result.is_ok());
+        assert_eq!(
+            format!("{}", result.unwrap_err()),
+            "The slot history is too old: oldest slot in tower (100) >> newest slot in available history (2)"
+        );
 
         tower.lockouts.root_slot = Some(11);
         // Skip some assertions to assume we're censored with crafted slots
diff --git a/core/src/replay_stage.rs b/core/src/replay_stage.rs
index 77301ccd8d19e3..9afd66de4980ea 100644
--- a/core/src/replay_stage.rs
+++ b/core/src/replay_stage.rs
@@ -260,7 +260,11 @@ impl ReplayStage {
                     mut progress,
                     mut heaviest_subtree_fork_choice,
                     unlock_heaviest_subtree_fork_choice_slot,
-                ) = Self::initialize_progress_and_fork_choice_with_locked_bank_forks(&bank_forks, &my_pubkey, &vote_account);
+                ) = Self::initialize_progress_and_fork_choice_with_locked_bank_forks(
+                    &bank_forks,
+                    &my_pubkey,
+                    &vote_account,
+                );
                 let mut bank_weight_fork_choice = BankWeightForkChoice::default();
                 let mut current_leader = None;
                 let mut last_reset = Hash::default();
diff --git a/core/src/validator.rs b/core/src/validator.rs
index 850d614d040150..d346208a4ad981 100644
--- a/core/src/validator.rs
+++ b/core/src/validator.rs
@@ -642,10 +642,14 @@ fn post_process_restored_tower(
             tower.adjust_lockouts_after_replay(root_bank.slot(), &slot_history)
         })
         .unwrap_or_else(|err| {
-            let is_already_active = active_vote_account_exists_in_bank(&bank_forks.working_bank(), &vote_account);
+            let is_already_active =
+                active_vote_account_exists_in_bank(&bank_forks.working_bank(), &vote_account);
             if config.require_tower && is_already_active {
                 error!("Requested mandatory tower restore failed: {:?}", err);
-                error!("And there is an existing vote_account containing actual votes. Aborting due to possible conflicting duplicate votes");
+                error!(
+                    "And there is an existing vote_account containing actual votes. \
+                       Aborting due to possible conflicting duplicate votes"
+                );
                 process::exit(1);
             }
             let not_found = if let TowerError::IOError(io_err) = &err {
@@ -655,9 +659,15 @@ fn post_process_restored_tower(
             };
             if not_found && !is_already_active {
                 // Currently, don't protect against spoofed snapshots with no tower at all
-                info!("Ignoring expected failed tower restore because this is the initial validator start with the vote account...");
+                info!(
+                    "Ignoring expected failed tower restore because this is the initial \
+                      validator start with the vote account..."
+                );
             } else {
-                error!("Rebuilding tower from the latest vote account due to failed tower restore: {}", err);
+                error!(
+                    "Rebuilding tower from the latest vote account due to failed tower restore: {}",
+                    err
+                );
             }
 
             Tower::new_from_bankforks(

From 55295f7306a294787a92ab4ac9e6c647a80c183c Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Sat, 11 Jul 2020 00:30:24 +0900
Subject: [PATCH 51/67] Test normal ancestors is checked before stray ones

---
 core/src/consensus.rs | 49 +++++++++++++++++++++++++++----------------
 1 file changed, 31 insertions(+), 18 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 0e4cae8bab9616..24e5e4b7fa0ed8 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -484,6 +484,14 @@ impl Tower {
         false
     }
 
+    fn use_stray_restored_ancestors(
+        &self,
+        ancestors: &HashMap<Slot, HashSet<Slot>>,
+        slot: Slot,
+    ) -> bool {
+        !ancestors.contains_key(&slot) && self.is_stray_last_vote()
+    }
+
     pub(crate) fn check_switch_threshold(
         &self,
         switch_slot: u64,
@@ -497,23 +505,21 @@ impl Tower {
 
         self.last_voted_slot()
             .map(|last_voted_slot| {
-                let last_vote_ancestors = ancestors.get(&last_voted_slot).unwrap_or_else(|| {
-                    if self.is_stray_last_vote() {
-                        // Use stray restored ancestors because we can't derive them from
-                        // given ancestors (=bank_forks)
-                        // Also, can't just return empty ancestors because we should exclude
-                        // lockouts on stray last vote's ancestors in the lockout_intervals later
-                        // in this fn.
-                        stray_restored_ancestors = self.stray_restored_ancestors();
-                        info!(
-                            "returning restored slots {:?} because of stray last vote ({})...",
-                            stray_restored_ancestors, last_voted_slot
-                        );
-                        &stray_restored_ancestors
-                    } else {
-                        panic!("no ancestor!")
-                    }
-                });
+                let last_vote_ancestors = if !self.use_stray_restored_ancestors(ancestors, last_voted_slot) {
+                    ancestors.get(&last_voted_slot).unwrap()
+                } else {
+                    // Use stray restored ancestors because we couldn't derive them from
+                    // given ancestors (=bank_forks)
+                    // Also, can't just return empty ancestors because we should exclude
+                    // lockouts on stray last vote's ancestors in the lockout_intervals later
+                    // in this fn.
+                    stray_restored_ancestors = self.stray_restored_ancestors();
+                    info!(
+                        "returning restored slots {:?} because of stray last vote ({})...",
+                        stray_restored_ancestors, last_voted_slot
+                    );
+                    &stray_restored_ancestors
+                };
 
                 let switch_slot_ancestors = ancestors.get(&switch_slot).unwrap();
 
@@ -2853,12 +2859,17 @@ pub mod test {
 
     #[test]
     fn test_stray_restored_ancestors() {
+        let ancestors = vec![(0, HashSet::new())].into_iter().collect();
+
         let tower_root = 2;
         let mut tower = Tower::new_for_tests(10, 0.9);
         tower.lockouts.root_slot = Some(tower_root);
         tower.record_vote(3, Hash::default());
         tower.record_vote(4, Hash::default());
         tower.record_vote(5, Hash::default());
+        assert!(!tower.is_stray_last_vote());
+        assert!(!tower.use_stray_restored_ancestors(&ancestors, 0));
+        assert!(!tower.use_stray_restored_ancestors(&ancestors, 1));
 
         let ledger_root = 10;
         let mut slot_history = SlotHistory::default();
@@ -2874,11 +2885,13 @@ pub mod test {
 
         assert_eq!(tower.voted_slots(), vec![3, 4, 5]);
         assert_eq!(tower.last_voted_slot(), Some(5));
-        assert_eq!(tower.is_stray_last_vote(), true);
+        assert!(tower.is_stray_last_vote());
         assert_eq!(tower.lockouts.root_slot, Some(ledger_root));
         assert_eq!(
             tower.stray_restored_ancestors(),
             vec![tower_root, 3, 4].into_iter().collect()
         );
+        assert!(!tower.use_stray_restored_ancestors(&ancestors, 0));
+        assert!(tower.use_stray_restored_ancestors(&ancestors, 1));
     }
 }

From 3d3be659b98481627103ba3e4fbc707ca81789ec Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Mon, 3 Aug 2020 15:14:57 +0900
Subject: [PATCH 52/67] Fix conflict, update tests, adjust behavior a bit

---
 core/src/consensus.rs                    | 28 +++++++++++++++---------
 core/src/heaviest_subtree_fork_choice.rs | 12 ++++++----
 local-cluster/tests/local_cluster.rs     | 27 +++++++++++++++++------
 3 files changed, 46 insertions(+), 21 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 24e5e4b7fa0ed8..946e2ab0936fcd 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -501,6 +501,7 @@ impl Tower {
         total_stake: u64,
         epoch_vote_accounts: &HashMap<Pubkey, (u64, Account)>,
     ) -> SwitchForkDecision {
+        let root = self.lockouts.root_slot.unwrap_or(0);
         let mut stray_restored_ancestors = HashSet::default();
 
         self.last_voted_slot()
@@ -894,20 +895,25 @@ impl Tower {
         let mut retain_flags_for_each_vote =
             retain_flags_for_each_vote_in_reverse.into_iter().rev();
 
+        let original_votes_len = self.lockouts.votes.len();
         self.lockouts
             .votes
             .retain(move |_| retain_flags_for_each_vote.next().unwrap());
 
         if self.lockouts.votes.is_empty() {
             info!(
-                "All restored votes were behind replayed_root_slot; resetting root_slot and last_vote in tower!",
+                "All restored votes were behind replayed_root_slot({}); resetting root_slot and last_vote in tower!",
+                replayed_root_slot
             );
-
+            // we might not have banks for those votes so just reset.
+            // That's because the votes may well past replayed_root_slot
             self.lockouts.root_slot = None;
             self.last_vote = Vote::default();
         } else {
             info!(
-                "Some restored votes were on different fork or are upcoming votes on unrooted slots: {:?}!",
+                "{} restored votes (out of {}) were on different fork or are upcoming votes on unrooted slots: {:?}!",
+                self.voted_slots().len(),
+                original_votes_len,
                 self.voted_slots()
             );
 
@@ -924,7 +930,6 @@ impl Tower {
             } else {
                 self.stray_restored_slots = self.voted_slots().into_iter().collect();
             }
-            // should call self.votes.pop_expired_votes()?
         }
 
         Ok(self)
@@ -1121,11 +1126,7 @@ pub mod test {
         },
     };
     use solana_sdk::{
-        clock::Slot,
-        hash::Hash,
-        pubkey::Pubkey,
-        signature::Signer,
-        slot_history::SlotHistory,
+        clock::Slot, hash::Hash, pubkey::Pubkey, signature::Signer, slot_history::SlotHistory,
     };
     use solana_vote_program::{
         vote_state::{Vote, VoteStateVersions, MAX_LOCKOUT_HISTORY},
@@ -2341,6 +2342,10 @@ pub mod test {
 
         // Fill the BankForks according to the above fork structure
         vote_simulator.fill_bank_forks(forks, &HashMap::new());
+        for (_, fork_progress) in vote_simulator.progress.iter_mut() {
+            fork_progress.fork_stats.computed = true;
+        }
+
         let ancestors = vote_simulator.bank_forks.read().unwrap().ancestors();
         let descendants = vote_simulator.bank_forks.read().unwrap().descendants();
         let mut tower = Tower::new_with_key(&my_pubkey);
@@ -2422,6 +2427,9 @@ pub mod test {
 
         // Fill the BankForks according to the above fork structure
         vote_simulator.fill_bank_forks(forks, &HashMap::new());
+        for (_, fork_progress) in vote_simulator.progress.iter_mut() {
+            fork_progress.fork_stats.computed = true;
+        }
 
         // prepend tower restart!
         let mut slot_history = SlotHistory::default();
@@ -2643,7 +2651,7 @@ pub mod test {
 
         assert_eq!(tower.voted_slots(), vec![] as Vec<Slot>);
         assert_eq!(tower.root(), None);
-        assert_eq!(tower.stray_restored_slots, BTreeSet::default());
+        assert_eq!(tower.stray_restored_slots, vec![].into_iter().collect());
     }
 
     #[test]
diff --git a/core/src/heaviest_subtree_fork_choice.rs b/core/src/heaviest_subtree_fork_choice.rs
index 5ebb2a8f3b84ed..5783dc36fd2122 100644
--- a/core/src/heaviest_subtree_fork_choice.rs
+++ b/core/src/heaviest_subtree_fork_choice.rs
@@ -501,10 +501,14 @@ impl HeaviestSubtreeForkChoice {
                     // return None because bank_forks doesn't have corresponding banks
                     return None;
                 };
-                let heaviest_slot_on_same_voted_fork = heaviest_slot_on_same_voted_fork.expect(
-                    "a bank at last_voted_slot is a frozen bank so must have been added to \
-                heaviest_subtree_fork_choice at time of freezing",
-                );
+                let heaviest_slot_on_same_voted_fork = heaviest_slot_on_same_voted_fork
+                    .unwrap_or_else(|| {
+                        panic!(
+                            "a bank at last_voted_slot({}) is a frozen bank so must have been\
+                            added to heaviest_subtree_fork_choice at time of freezing",
+                            last_voted_slot,
+                        )
+                    });
 
                 if heaviest_slot_on_same_voted_fork == last_voted_slot {
                     None
diff --git a/local-cluster/tests/local_cluster.rs b/local-cluster/tests/local_cluster.rs
index baf87d44ef30a3..2f4ce50ec36eed 100644
--- a/local-cluster/tests/local_cluster.rs
+++ b/local-cluster/tests/local_cluster.rs
@@ -1480,7 +1480,7 @@ fn test_validator_saves_tower() {
         cluster_lamports: 10_000,
         node_stakes: vec![100],
         validator_configs: vec![validator_config],
-        validator_keys: Some(vec![validator_identity_keypair.clone()]),
+        validator_keys: Some(vec![(validator_identity_keypair.clone(), true)]),
         ..ClusterConfig::default()
     };
     let mut cluster = LocalCluster::new(&config);
@@ -1496,10 +1496,13 @@ fn test_validator_saves_tower() {
         .clone();
 
     // Wait for some votes to be generated
+    let mut last_replayed_root;
     loop {
         if let Ok(slot) = validator_client.get_slot_with_commitment(CommitmentConfig::recent()) {
             trace!("current slot: {}", slot);
             if slot > 2 {
+                // this will be the root next time a validator starts
+                last_replayed_root = slot;
                 break;
             }
         }
@@ -1520,7 +1523,8 @@ fn test_validator_saves_tower() {
     loop {
         if let Ok(root) = validator_client.get_slot_with_commitment(CommitmentConfig::root()) {
             trace!("current root: {}", root);
-            if root > 0 {
+            if root > last_replayed_root + 1 {
+                last_replayed_root = root;
                 break;
             }
         }
@@ -1528,10 +1532,14 @@ fn test_validator_saves_tower() {
     }
 
     // Stop validator, and check saved tower
+    let recent_slot = validator_client
+        .get_slot_with_commitment(CommitmentConfig::recent())
+        .unwrap();
     let validator_info = cluster.exit_node(&validator_id);
     let tower2 = Tower::restore(&ledger_path, &validator_id).unwrap();
     trace!("tower2: {:?}", tower2);
-    assert_eq!(tower2.root(), Some(1));
+    assert_eq!(tower2.root(), Some(last_replayed_root));
+    last_replayed_root = recent_slot;
 
     // Rollback saved tower to `tower1` to simulate a validator starting from a newer snapshot
     // without having to wait for that snapshot to be generated in this test
@@ -1543,8 +1551,12 @@ fn test_validator_saves_tower() {
     // Wait for a new root, demonstrating the validator was able to make progress from the older `tower1`
     loop {
         if let Ok(root) = validator_client.get_slot_with_commitment(CommitmentConfig::root()) {
-            trace!("current root: {}", root);
-            if root > 1 {
+            trace!(
+                "current root: {}, last_replayed_root: {}",
+                root,
+                last_replayed_root
+            );
+            if root > last_replayed_root {
                 break;
             }
         }
@@ -1555,7 +1567,7 @@ fn test_validator_saves_tower() {
     let mut validator_info = cluster.exit_node(&validator_id);
     let tower3 = Tower::restore(&ledger_path, &validator_id).unwrap();
     trace!("tower3: {:?}", tower3);
-    assert!(tower3.root().unwrap() > 1);
+    assert!(tower3.root().unwrap() > last_replayed_root);
 
     // Remove the tower file entirely and allow the validator to start without a tower.  It will
     // rebuild tower from its vote account contents
@@ -1583,7 +1595,8 @@ fn test_validator_saves_tower() {
 
     let tower4 = Tower::restore(&ledger_path, &validator_id).unwrap();
     trace!("tower4: {:?}", tower4);
-    assert_eq!(tower4.root(), tower3.root());
+    // should tower4 advance 1 slot compared to tower3????
+    assert_eq!(tower4.root(), tower3.root().map(|s| s + 1));
 }
 
 fn wait_for_next_snapshot(

From ea46eeabda76d3878f188583a275e012112df184 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Wed, 5 Aug 2020 12:56:18 +0900
Subject: [PATCH 53/67] Fix test

---
 local-cluster/tests/local_cluster.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/local-cluster/tests/local_cluster.rs b/local-cluster/tests/local_cluster.rs
index 2f4ce50ec36eed..567f3a178f7cd4 100644
--- a/local-cluster/tests/local_cluster.rs
+++ b/local-cluster/tests/local_cluster.rs
@@ -1416,6 +1416,8 @@ fn test_optimistic_confirmation_violation() {
     // Mark fork as dead on the heavier validator, this should make the fork effectively
     // dead, even though it was optimistically confirmed. The smaller validator should
     // jump over to the new fork
+    // Also, remove saved tower to intentionally make the restarted validator to violate the
+    // optimistic confirmation
     {
         let blockstore = Blockstore::open_with_access_type(
             &exited_validator_info.info.ledger_path,
@@ -1433,6 +1435,12 @@ fn test_optimistic_confirmation_violation() {
             prev_voted_slot
         );
         blockstore.set_dead_slot(prev_voted_slot).unwrap();
+
+        std::fs::remove_file(Tower::get_filename(
+            &exited_validator_info.info.ledger_path,
+            &entry_point_id,
+        ))
+        .unwrap();
     }
     cluster.restart_node(&entry_point_id, exited_validator_info);
 

From 52441723f2e0a89497cd04c4a12e73815a786b1f Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Wed, 5 Aug 2020 17:26:04 +0900
Subject: [PATCH 54/67] Address review comments

---
 core/src/consensus.rs           | 106 +++++++++++++++++++++++++++-----
 ledger/src/ancestor_iterator.rs |  36 +++++++++++
 2 files changed, 126 insertions(+), 16 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 946e2ab0936fcd..8faf3cad24bc0e 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -3,7 +3,7 @@ use crate::{
     pubkey_references::PubkeyReferences,
 };
 use chrono::prelude::*;
-use solana_ledger::{blockstore::Blockstore, blockstore_db};
+use solana_ledger::{ancestor_iterator::AncestorIterator, blockstore::Blockstore, blockstore_db};
 use solana_measure::measure::Measure;
 use solana_runtime::{bank::Bank, bank_forks::BankForks, commitment::VOTE_THRESHOLD_SIZE};
 use solana_sdk::{
@@ -20,6 +20,7 @@ use solana_vote_program::{
     vote_state::{BlockTimestamp, Lockout, Vote, VoteState, MAX_LOCKOUT_HISTORY},
 };
 use std::{
+    cmp::Ordering,
     collections::{BTreeSet, HashMap, HashSet},
     fs::{self, File},
     io::BufReader,
@@ -484,6 +485,7 @@ impl Tower {
         false
     }
 
+    #[cfg(test)]
     fn use_stray_restored_ancestors(
         &self,
         ancestors: &HashMap<Slot, HashSet<Slot>>,
@@ -506,11 +508,10 @@ impl Tower {
 
         self.last_voted_slot()
             .map(|last_voted_slot| {
-                let last_vote_ancestors = if !self.use_stray_restored_ancestors(ancestors, last_voted_slot) {
-                    ancestors.get(&last_voted_slot).unwrap()
-                } else {
-                    // Use stray restored ancestors because we couldn't derive them from
-                    // given ancestors (=bank_forks)
+                // NOTE: Update use_stray_restored_ancestors() as well when updating this!
+                let last_vote_ancestors = ancestors.get(&last_voted_slot).unwrap_or_else(|| {
+                    // Use stray restored ancestors because we couldn't derive last_vote_ancestors
+                    // from given ancestors (=bank_forks)
                     // Also, can't just return empty ancestors because we should exclude
                     // lockouts on stray last vote's ancestors in the lockout_intervals later
                     // in this fn.
@@ -520,7 +521,7 @@ impl Tower {
                         stray_restored_ancestors, last_voted_slot
                     );
                     &stray_restored_ancestors
-                };
+                });
 
                 let switch_slot_ancestors = ancestors.get(&switch_slot).unwrap();
 
@@ -1094,11 +1095,23 @@ pub fn reconcile_blockstore_roots_with_tower(
     if let Some(tower_root) = tower.root() {
         let last_blockstore_root = blockstore.last_root();
         if last_blockstore_root < tower_root {
-            let new_roots: Vec<_> = blockstore
-                .slot_meta_iterator(last_blockstore_root + 1)?
-                .map(|(slot, _)| slot)
-                .take_while(|slot| *slot <= tower_root)
+            // Ensure tower_root itself to exist and mark as rooted in the blockstore
+            // in addition to its ancestors.
+            let new_roots: Vec<_> = AncestorIterator::new_inclusive(tower_root, &blockstore)
+                .take_while(|current| match current.cmp(&last_blockstore_root) {
+                    Ordering::Equal => false,
+                    Ordering::Greater => true,
+                    Ordering::Less => panic!(
+                        "couldn't find a last_blockstore_root upwards from: {}!?",
+                        tower_root
+                    ),
+                })
                 .collect();
+            assert!(
+                !new_roots.is_empty(),
+                "at least 1 parent slot must be found"
+            );
+
             blockstore.set_roots(&new_roots)?
         }
     }
@@ -2561,20 +2574,81 @@ pub mod test {
     }
 
     #[test]
-    fn test_reconcile_blockstore_roots_with_tower() {
+    fn test_reconcile_blockstore_roots_with_tower_normal() {
+        solana_logger::setup();
+        let blockstore_path = get_tmp_ledger_path!();
+        {
+            let blockstore = Blockstore::open(&blockstore_path).unwrap();
+
+            let (shreds, _) = make_slot_entries(1, 0, 42);
+            blockstore.insert_shreds(shreds, None, false).unwrap();
+            let (shreds, _) = make_slot_entries(3, 1, 42);
+            blockstore.insert_shreds(shreds, None, false).unwrap();
+            let (shreds, _) = make_slot_entries(4, 1, 42);
+            blockstore.insert_shreds(shreds, None, false).unwrap();
+            assert!(!blockstore.is_root(0));
+            assert!(!blockstore.is_root(1));
+            assert!(!blockstore.is_root(3));
+            assert!(!blockstore.is_root(4));
+
+            let mut tower = Tower::new_with_key(&Pubkey::default());
+            tower.lockouts.root_slot = Some(4);
+            reconcile_blockstore_roots_with_tower(&tower, &blockstore).unwrap();
+
+            assert!(!blockstore.is_root(0));
+            assert!(blockstore.is_root(1));
+            assert!(!blockstore.is_root(3));
+            assert!(blockstore.is_root(4));
+        }
+        Blockstore::destroy(&blockstore_path).expect("Expected successful database destruction");
+    }
+
+    #[test]
+    #[should_panic(expected = "couldn't find a last_blockstore_root upwards from: 4!?")]
+    fn test_reconcile_blockstore_roots_with_tower_panic_no_common_root() {
+        solana_logger::setup();
+        let blockstore_path = get_tmp_ledger_path!();
+        {
+            let blockstore = Blockstore::open(&blockstore_path).unwrap();
+
+            let (shreds, _) = make_slot_entries(1, 0, 42);
+            blockstore.insert_shreds(shreds, None, false).unwrap();
+            let (shreds, _) = make_slot_entries(3, 1, 42);
+            blockstore.insert_shreds(shreds, None, false).unwrap();
+            let (shreds, _) = make_slot_entries(4, 1, 42);
+            blockstore.insert_shreds(shreds, None, false).unwrap();
+            blockstore.set_roots(&[3]).unwrap();
+            assert!(!blockstore.is_root(0));
+            assert!(!blockstore.is_root(1));
+            assert!(blockstore.is_root(3));
+            assert!(!blockstore.is_root(4));
+
+            let mut tower = Tower::new_with_key(&Pubkey::default());
+            tower.lockouts.root_slot = Some(4);
+            reconcile_blockstore_roots_with_tower(&tower, &blockstore).unwrap();
+        }
+        Blockstore::destroy(&blockstore_path).expect("Expected successful database destruction");
+    }
+
+    #[test]
+    #[should_panic(expected = "at least 1 parent slot must be found")]
+    fn test_reconcile_blockstore_roots_with_tower_panic_no_parent() {
+        solana_logger::setup();
         let blockstore_path = get_tmp_ledger_path!();
         {
             let blockstore = Blockstore::open(&blockstore_path).unwrap();
-            assert_eq!(blockstore.last_root(), 0);
 
             let (shreds, _) = make_slot_entries(1, 0, 42);
             blockstore.insert_shreds(shreds, None, false).unwrap();
-            assert_eq!(blockstore.last_root(), 0);
+            let (shreds, _) = make_slot_entries(3, 1, 42);
+            blockstore.insert_shreds(shreds, None, false).unwrap();
+            assert!(!blockstore.is_root(0));
+            assert!(!blockstore.is_root(1));
+            assert!(!blockstore.is_root(3));
 
             let mut tower = Tower::new_with_key(&Pubkey::default());
-            tower.lockouts.root_slot = Some(1);
+            tower.lockouts.root_slot = Some(4);
             reconcile_blockstore_roots_with_tower(&tower, &blockstore).unwrap();
-            assert_eq!(blockstore.last_root(), 1);
         }
         Blockstore::destroy(&blockstore_path).expect("Expected successful database destruction");
     }
diff --git a/ledger/src/ancestor_iterator.rs b/ledger/src/ancestor_iterator.rs
index 0c01757d6ed1ef..6c8099ce98f053 100644
--- a/ledger/src/ancestor_iterator.rs
+++ b/ledger/src/ancestor_iterator.rs
@@ -20,6 +20,13 @@ impl<'a> AncestorIterator<'a> {
             blockstore,
         }
     }
+
+    pub fn new_inclusive(start_slot: Slot, blockstore: &'a Blockstore) -> Self {
+        Self {
+            current: blockstore.meta(start_slot).unwrap().map(|_| start_slot),
+            blockstore,
+        }
+    }
 }
 impl<'a> Iterator for AncestorIterator<'a> {
     type Item = Slot;
@@ -111,4 +118,33 @@ mod tests {
             vec![2, 1, 0]
         );
     }
+
+    #[test]
+    fn test_ancestor_iterator_inclusive() {
+        let blockstore_path = get_tmp_ledger_path!();
+        let blockstore = Blockstore::open(&blockstore_path).unwrap();
+
+        let (shreds, _) = make_slot_entries(0, 0, 42);
+        blockstore.insert_shreds(shreds, None, false).unwrap();
+        let (shreds, _) = make_slot_entries(1, 0, 42);
+        blockstore.insert_shreds(shreds, None, false).unwrap();
+        let (shreds, _) = make_slot_entries(2, 1, 42);
+        blockstore.insert_shreds(shreds, None, false).unwrap();
+
+        assert_eq!(
+            AncestorIterator::new(2, &blockstore).collect::<Vec<Slot>>(),
+            vec![1, 0]
+        );
+        // existing start_slot
+        assert_eq!(
+            AncestorIterator::new_inclusive(2, &blockstore).collect::<Vec<Slot>>(),
+            vec![2, 1, 0]
+        );
+
+        // non-existing start_slot
+        assert_eq!(
+            AncestorIterator::new_inclusive(3, &blockstore).collect::<Vec<Slot>>(),
+            vec![] as Vec<Slot>
+        );
+    }
 }

From 9dc9631638c462dca266c8965cefc7240af9feb9 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 6 Aug 2020 18:42:35 +0900
Subject: [PATCH 55/67] Last touch!

---
 core/src/consensus.rs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 8faf3cad24bc0e..851626753faa8c 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -509,7 +509,9 @@ impl Tower {
         self.last_voted_slot()
             .map(|last_voted_slot| {
                 // NOTE: Update use_stray_restored_ancestors() as well when updating this!
-                let last_vote_ancestors = ancestors.get(&last_voted_slot).unwrap_or_else(|| {
+                let last_vote_ancestors = if !self.is_stray_last_vote() {
+                    ancestors.get(&last_voted_slot).unwrap()
+                } else {
                     // Use stray restored ancestors because we couldn't derive last_vote_ancestors
                     // from given ancestors (=bank_forks)
                     // Also, can't just return empty ancestors because we should exclude
@@ -521,7 +523,7 @@ impl Tower {
                         stray_restored_ancestors, last_voted_slot
                     );
                     &stray_restored_ancestors
-                });
+                };
 
                 let switch_slot_ancestors = ancestors.get(&switch_slot).unwrap();
 
@@ -1095,12 +1097,12 @@ pub fn reconcile_blockstore_roots_with_tower(
     if let Some(tower_root) = tower.root() {
         let last_blockstore_root = blockstore.last_root();
         if last_blockstore_root < tower_root {
-            // Ensure tower_root itself to exist and mark as rooted in the blockstore
+            // Ensure tower_root itself to exist and be marked as rooted in the blockstore
             // in addition to its ancestors.
             let new_roots: Vec<_> = AncestorIterator::new_inclusive(tower_root, &blockstore)
                 .take_while(|current| match current.cmp(&last_blockstore_root) {
-                    Ordering::Equal => false,
                     Ordering::Greater => true,
+                    Ordering::Equal => false,
                     Ordering::Less => panic!(
                         "couldn't find a last_blockstore_root upwards from: {}!?",
                         tower_root

From 1ce9b970e537a9c4b929c5e91c27cc2988d41695 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 27 Aug 2020 14:56:08 +0900
Subject: [PATCH 56/67] Immediately after creating cleaning pr

---
 core/src/consensus.rs                | 96 ++++++++++++++++++----------
 local-cluster/tests/local_cluster.rs | 83 +++++++++++++++++++++++-
 2 files changed, 145 insertions(+), 34 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 851626753faa8c..cacfb0bd1216e1 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -509,8 +509,8 @@ impl Tower {
         self.last_voted_slot()
             .map(|last_voted_slot| {
                 // NOTE: Update use_stray_restored_ancestors() as well when updating this!
-                let last_vote_ancestors = if !self.is_stray_last_vote() {
-                    ancestors.get(&last_voted_slot).unwrap()
+                let (last_vote_ancestors, is_restored) = if !self.is_stray_last_vote() {
+                    (ancestors.get(&last_voted_slot).unwrap(), false)
                 } else {
                     // Use stray restored ancestors because we couldn't derive last_vote_ancestors
                     // from given ancestors (=bank_forks)
@@ -519,10 +519,10 @@ impl Tower {
                     // in this fn.
                     stray_restored_ancestors = self.stray_restored_ancestors();
                     info!(
-                        "returning restored slots {:?} because of stray last vote ({})...",
+                        "using restored ancestors {:?} because of stray last vote ({})...",
                         stray_restored_ancestors, last_voted_slot
                     );
-                    &stray_restored_ancestors
+                    (&stray_restored_ancestors, true)
                 };
 
                 let switch_slot_ancestors = ancestors.get(&switch_slot).unwrap();
@@ -534,8 +534,8 @@ impl Tower {
                 }
 
                 // Should never consider switching to an ancestor
-                // of your last vote
-                assert!(!last_vote_ancestors.contains(&switch_slot));
+                // of your last vote unless the ancestor is restored from stray slots
+                assert!(is_restored || !last_vote_ancestors.contains(&switch_slot));
 
                 // By this point, we know the `switch_slot` is on a different fork
                 // (is neither an ancestor nor descendant of `last_vote`), so a
@@ -575,8 +575,8 @@ impl Tower {
 
                     // By the time we reach here, any ancestors of the `last_vote`,
                     // should have been filtered out, as they all have a descendant,
-                    // namely the `last_vote` itself.
-                    assert!(!last_vote_ancestors.contains(candidate_slot));
+                    // namely the `last_vote` itself, unless the ancestors are restored from stray slots.
+                    assert!(is_restored || !last_vote_ancestors.contains(candidate_slot));
 
                     // Evaluate which vote accounts in the bank are locked out
                     // in the interval candidate_slot..last_vote, which means
@@ -848,25 +848,21 @@ impl Tower {
                 anchored_slot = checked_slot;
             } else if anchored_slot.is_some() && check == Check::NotFound {
                 // this can't happen unless we're fed with bogus snapshot
-                return Err(TowerError::InconsistentWithSlotHistory(
-                    "diverged ancestor?".to_owned(),
-                ));
+                return Err(TowerError::FatallyInconsistent("diverged ancestor?"));
             }
 
             if still_in_future && check != Check::Future {
                 still_in_future = false;
             } else if !still_in_future && check == Check::Future {
                 // really odd cases: bad ordered votes?
-                return Err(TowerError::InconsistentWithSlotHistory(
-                    "time warped?".to_owned(),
-                ));
+                return Err(TowerError::FatallyInconsistent("time warped?"));
             }
             if !past_outside_history && check == Check::TooOld {
                 past_outside_history = true;
             } else if past_outside_history && check != Check::TooOld {
                 // really odd cases: bad ordered votes?
-                return Err(TowerError::InconsistentWithSlotHistory(
-                    "not too old once after got too old?".to_owned(),
+                return Err(TowerError::FatallyInconsistent(
+                    "not too old once after got too old?",
                 ));
             }
 
@@ -882,17 +878,28 @@ impl Tower {
             retain_flags_for_each_vote_in_reverse.pop();
         }
 
-        // All of votes in an unrooted (= !root_checked) warming-up vote account may
-        // not be anchored. In that case, this fn will be Ok(_).
-        // Anyway always check for the too-old-slot-history error if not anchored,
-        // regardless root_checked or not.
-        let oldest_slot_in_tower = checked_slot.unwrap();
-        let within_range = oldest_slot_in_tower <= slot_history.newest();
-        if anchored_slot.is_none() && !within_range {
-            return Err(TowerError::TooOldSlotHistory(
-                oldest_slot_in_tower,
-                slot_history.newest(),
-            ));
+        // Check for errors if not anchored
+        // Being not anchored doesn't always equate to errors: All of votes in
+        // an unrooted (= !root_checked) warming-up vote account may legally not
+        // be anchored.
+        if anchored_slot.is_none() {
+            let oldest_slot_in_tower = checked_slot.unwrap();
+            let with_no_overlap_slots = oldest_slot_in_tower > slot_history.newest();
+            if with_no_overlap_slots {
+                // we couldn't find an anchor... And this was indeed due to too much gap between
+                // tower and blockstore, so return error here.
+                // Generally, this shouldn't occur unless bad external backup/restore is conducted...
+                return Err(TowerError::TooOldSlotHistory(
+                    oldest_slot_in_tower,
+                    slot_history.newest(),
+                ));
+            } else if root_checked {
+                // this error really shouldn't happen unless ledger/tower is corrupted so check
+                // after the TooOldSlotHistory...
+                return Err(TowerError::FatallyInconsistent(
+                    "no common slot for rooted tower",
+                ));
+            }
         }
 
         let mut retain_flags_for_each_vote =
@@ -920,7 +927,8 @@ impl Tower {
                 self.voted_slots()
             );
 
-            // Updating root is needed to correctly restore from newly-saved towers
+            // Updating root is needed to correctly restore from newly-saved tower for the next
+            // boot
             self.lockouts.root_slot = Some(replayed_root_slot);
             assert_eq!(
                 self.last_vote.last_voted_slot().unwrap(),
@@ -1061,8 +1069,8 @@ pub enum TowerError {
     )]
     TooOldSlotHistory(Slot, Slot),
 
-    #[error("The tower is inconsistent with slot history: {0}")]
-    InconsistentWithSlotHistory(String),
+    #[error("The tower is fatally inconsistent with blockstore: {0}")]
+    FatallyInconsistent(&'static str),
 }
 
 #[frozen_abi(digest = "Gaxfwvx5MArn52mKZQgzHmDCyn5YfCuTHvp5Et3rFfpp")]
@@ -2796,6 +2804,28 @@ pub mod test {
         assert_eq!(tower.root(), Some(replayed_root_slot));
     }
 
+    #[test]
+    fn test_adjust_lockouts_after_replay_all_not_found_even_if_rooted() {
+        let mut tower = Tower::new_for_tests(10, 0.9);
+        tower.lockouts.root_slot = Some(4);
+        tower.record_vote(5, Hash::default());
+        tower.record_vote(6, Hash::default());
+
+        let mut slot_history = SlotHistory::default();
+        slot_history.add(0);
+        slot_history.add(1);
+        slot_history.add(2);
+        slot_history.add(7);
+
+        let replayed_root_slot = 7;
+        let result = tower.adjust_lockouts_after_replay(replayed_root_slot, &slot_history);
+
+        assert_eq!(
+            format!("{}", result.unwrap_err()),
+            "The tower is fatally inconsistent with blockstore: no common slot for rooted tower"
+        );
+    }
+
     #[test]
     fn test_adjust_lockouts_after_replay_all_future_votes_only_root_found() {
         let mut tower = Tower::new_for_tests(10, 0.9);
@@ -2894,7 +2924,7 @@ pub mod test {
         let result = tower.adjust_lockouts_after_replay(0, &slot_history);
         assert_eq!(
             format!("{}", result.unwrap_err()),
-            "The tower is inconsistent with slot history: time warped?"
+            "The tower is fatally inconsistent with blockstore: time warped?"
         );
     }
 
@@ -2913,7 +2943,7 @@ pub mod test {
         let result = tower.adjust_lockouts_after_replay(2, &slot_history);
         assert_eq!(
             format!("{}", result.unwrap_err()),
-            "The tower is inconsistent with slot history: diverged ancestor?"
+            "The tower is fatally inconsistent with blockstore: diverged ancestor?"
         );
     }
 
@@ -2937,7 +2967,7 @@ pub mod test {
         let result = tower.adjust_lockouts_after_replay(MAX_ENTRIES, &slot_history);
         assert_eq!(
             format!("{}", result.unwrap_err()),
-            "The tower is inconsistent with slot history: not too old once after got too old?"
+            "The tower is fatally inconsistent with blockstore: not too old once after got too old?"
         );
     }
 
diff --git a/local-cluster/tests/local_cluster.rs b/local-cluster/tests/local_cluster.rs
index 567f3a178f7cd4..718bcf41488481 100644
--- a/local-cluster/tests/local_cluster.rs
+++ b/local-cluster/tests/local_cluster.rs
@@ -1370,7 +1370,8 @@ fn test_no_voting() {
 }
 
 #[test]
-fn test_optimistic_confirmation_violation() {
+#[serial]
+fn test_optimistic_confirmation_violation_with_no_tower() {
     solana_logger::setup();
     let mut buf = BufferRedirect::stderr().unwrap();
     // First set up the cluster with 2 nodes
@@ -1473,6 +1474,86 @@ fn test_optimistic_confirmation_violation() {
     assert!(output.contains(&expected_log));
 }
 
+#[test]
+#[serial]
+fn test_no_optimistic_confirmation_violation_with_tower() {
+    solana_logger::setup();
+    let mut buf = BufferRedirect::stderr().unwrap();
+
+    // First set up the cluster with 2 nodes
+    let slots_per_epoch = 2048;
+    let node_stakes = vec![50, 51];
+    let validator_keys: Vec<_> = iter::repeat_with(|| (Arc::new(Keypair::new()), true))
+        .take(node_stakes.len())
+        .collect();
+    let config = ClusterConfig {
+        cluster_lamports: 100_000,
+        node_stakes: vec![51, 50],
+        validator_configs: vec![ValidatorConfig::default(); node_stakes.len()],
+        validator_keys: Some(validator_keys),
+        slots_per_epoch,
+        stakers_slot_offset: slots_per_epoch,
+        skip_warmup_slots: true,
+        ..ClusterConfig::default()
+    };
+    let mut cluster = LocalCluster::new(&config);
+    let entry_point_id = cluster.entry_point_info.id;
+    // Let the nodes run for a while. Wait for validators to vote on slot `S`
+    // so that the vote on `S-1` is definitely in gossip and optimistic confirmation is
+    // detected on slot `S-1` for sure, then stop the heavier of the two
+    // validators
+    let client = cluster.get_validator_client(&entry_point_id).unwrap();
+    let mut prev_voted_slot = 0;
+    loop {
+        let last_voted_slot = client
+            .get_slot_with_commitment(CommitmentConfig::recent())
+            .unwrap();
+        if last_voted_slot > 50 {
+            if prev_voted_slot == 0 {
+                prev_voted_slot = last_voted_slot;
+            } else {
+                break;
+            }
+        }
+        sleep(Duration::from_millis(100));
+    }
+
+    let exited_validator_info = cluster.exit_node(&entry_point_id);
+
+    // Mark fork as dead on the heavier validator, this should make the fork effectively
+    // dead, even though it was optimistically confirmed. The smaller validator should
+    // jump over to the new fork
+    // Also, remove saved tower to intentionally make the restarted validator to violate the
+    // optimistic confirmation
+    {
+        let blockstore = Blockstore::open_with_access_type(
+            &exited_validator_info.info.ledger_path,
+            AccessType::PrimaryOnly,
+            None,
+        )
+        .unwrap_or_else(|e| {
+            panic!(
+                "Failed to open ledger at {:?}, err: {}",
+                exited_validator_info.info.ledger_path, e
+            );
+        });
+        info!(
+            "Setting slot: {} on main fork as dead, should cause fork",
+            prev_voted_slot
+        );
+        blockstore.set_dead_slot(prev_voted_slot).unwrap();
+    }
+    cluster.restart_node(&entry_point_id, exited_validator_info);
+
+    cluster.check_no_new_roots(400, "test_no_optimistic_confirmation_violation_with_tower");
+    // Check to see that validator didn't detected optimistic confirmation for
+    // `prev_voted_slot` failed
+    let expected_log = format!("Optimistic slot {} was not rooted", prev_voted_slot);
+    let mut output = String::new();
+    buf.read_to_string(&mut output).unwrap();
+    assert!(!output.contains(&expected_log));
+}
+
 #[test]
 #[serial]
 fn test_validator_saves_tower() {

From 696942b4de377c0cc3a4a972bddba22aec53d32d Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 27 Aug 2020 15:47:31 +0900
Subject: [PATCH 57/67] Revert stray slots

---
 core/src/consensus.rs                    | 130 ++++++-----------------
 core/src/heaviest_subtree_fork_choice.rs |  31 +++---
 local-cluster/src/cluster.rs             |   1 +
 local-cluster/src/local_cluster.rs       |  10 ++
 local-cluster/tests/local_cluster.rs     |  10 +-
 5 files changed, 65 insertions(+), 117 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index cacfb0bd1216e1..d460e79d66dcfd 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -21,7 +21,7 @@ use solana_vote_program::{
 };
 use std::{
     cmp::Ordering,
-    collections::{BTreeSet, HashMap, HashSet},
+    collections::{HashMap, HashSet},
     fs::{self, File},
     io::BufReader,
     ops::Bound::{Included, Unbounded},
@@ -96,19 +96,11 @@ pub struct Tower {
     #[serde(skip)]
     tmp_path: PathBuf, // used before atomic fs::rename()
     #[serde(skip)]
-    // Restored voted slots which cannot be found in SlotHistory at replayed root
-    // (This's kind of special field for slashing-free validator restart with edge cases).
-    // Those voted slots means they are/were on a different fork (which may not be available
-    // in bank_forks after validator restart) or are unrooted slots following the replayed
-    // rooted slot.
-    // This is only used to construct synthesized ancestors for the last vote, if restored
-    // last_vote's ancestors cannot be found in bank_forks. That's because fork choice
-    // and switch threshold requires that information.
-    // That way we avoid mangling bank_forks or relaxing bank_forks invariants just for
-    // validator's restart porpose.
+    // Restored last voted slot which cannot be found in SlotHistory at replayed root
+    // (This is a special field for slashing-free validator restart with edge cases).
     // This could be emptied after some time; but left intact indefinitely for easier
     // implementation
-    stray_restored_slots: BTreeSet<Slot>,
+    stray_restored_slot: Option<Slot>,
 }
 
 impl Default for Tower {
@@ -122,7 +114,7 @@ impl Default for Tower {
             last_timestamp: BlockTimestamp::default(),
             path: PathBuf::default(),
             tmp_path: PathBuf::default(),
-            stray_restored_slots: BTreeSet::default(),
+            stray_restored_slot: Option::default(),
         }
     }
 }
@@ -412,6 +404,10 @@ impl Tower {
         self.last_vote().last_voted_slot()
     }
 
+    pub fn stray_restored_slot(&self) -> Option<Slot> {
+        self.stray_restored_slot
+    }
+
     pub fn last_vote_and_timestamp(&mut self) -> Vote {
         let mut last_vote = self.last_vote.clone();
         last_vote.timestamp = self.maybe_timestamp(last_vote.last_voted_slot().unwrap_or(0));
@@ -485,15 +481,6 @@ impl Tower {
         false
     }
 
-    #[cfg(test)]
-    fn use_stray_restored_ancestors(
-        &self,
-        ancestors: &HashMap<Slot, HashSet<Slot>>,
-        slot: Slot,
-    ) -> bool {
-        !ancestors.contains_key(&slot) && self.is_stray_last_vote()
-    }
-
     pub(crate) fn check_switch_threshold(
         &self,
         switch_slot: u64,
@@ -504,26 +491,20 @@ impl Tower {
         epoch_vote_accounts: &HashMap<Pubkey, (u64, Account)>,
     ) -> SwitchForkDecision {
         let root = self.lockouts.root_slot.unwrap_or(0);
-        let mut stray_restored_ancestors = HashSet::default();
 
         self.last_voted_slot()
             .map(|last_voted_slot| {
-                // NOTE: Update use_stray_restored_ancestors() as well when updating this!
-                let (last_vote_ancestors, is_restored) = if !self.is_stray_last_vote() {
-                    (ancestors.get(&last_voted_slot).unwrap(), false)
-                } else {
-                    // Use stray restored ancestors because we couldn't derive last_vote_ancestors
-                    // from given ancestors (=bank_forks)
-                    // Also, can't just return empty ancestors because we should exclude
-                    // lockouts on stray last vote's ancestors in the lockout_intervals later
-                    // in this fn.
-                    stray_restored_ancestors = self.stray_restored_ancestors();
-                    info!(
-                        "using restored ancestors {:?} because of stray last vote ({})...",
-                        stray_restored_ancestors, last_voted_slot
-                    );
-                    (&stray_restored_ancestors, true)
-                };
+                let last_vote_ancestors =
+                    ancestors.get(&last_voted_slot).unwrap_or_else(|| {
+                        if !self.is_stray_last_vote() {
+                            panic!("no ancestors found with slot: {}", last_voted_slot);
+                        } else {
+                            // bank_forks doesn't have corresponding data for the stray restored last vote,
+                            // meaning severe inconsistentcy between saved tower and ledger.
+                            // (corrupted or pruned ledger, or only saved tower is moved over to new setup?)
+                            panic!("Unable to get ancestors for stray last vote {:?}", self.stray_restored_slot());
+                        }
+                    });
 
                 let switch_slot_ancestors = ancestors.get(&switch_slot).unwrap();
 
@@ -535,7 +516,7 @@ impl Tower {
 
                 // Should never consider switching to an ancestor
                 // of your last vote unless the ancestor is restored from stray slots
-                assert!(is_restored || !last_vote_ancestors.contains(&switch_slot));
+                assert!(!last_vote_ancestors.contains(&switch_slot));
 
                 // By this point, we know the `switch_slot` is on a different fork
                 // (is neither an ancestor nor descendant of `last_vote`), so a
@@ -576,7 +557,7 @@ impl Tower {
                     // By the time we reach here, any ancestors of the `last_vote`,
                     // should have been filtered out, as they all have a descendant,
                     // namely the `last_vote` itself, unless the ancestors are restored from stray slots.
-                    assert!(is_restored || !last_vote_ancestors.contains(candidate_slot));
+                    assert!(!last_vote_ancestors.contains(candidate_slot));
 
                     // Evaluate which vote accounts in the bank are locked out
                     // in the interval candidate_slot..last_vote, which means
@@ -747,23 +728,14 @@ impl Tower {
 
     pub fn is_stray_last_vote(&self) -> bool {
         if let Some(last_voted_slot) = self.last_voted_slot() {
-            if let Some(max_stray_slot) = self.stray_restored_slots.iter().next_back() {
-                return *max_stray_slot == last_voted_slot;
+            if let Some(stray_restored_slot) = self.stray_restored_slot {
+                return stray_restored_slot == last_voted_slot;
             }
         }
 
         false
     }
 
-    fn stray_restored_ancestors(&self) -> HashSet<Slot> {
-        let mut ancestors: HashSet<_> = self.stray_restored_slots.clone().into_iter().collect();
-        if let Some(last_voted_slot) = self.last_voted_slot() {
-            assert!(ancestors.contains(&last_voted_slot));
-            ancestors.remove(&last_voted_slot);
-        }
-        ancestors
-    }
-
     // The tower root can be older/newer if the validator booted from a newer/older snapshot, so
     // tower lockouts may need adjustment
     pub fn adjust_lockouts_after_replay(
@@ -934,13 +906,7 @@ impl Tower {
                 self.last_vote.last_voted_slot().unwrap(),
                 *self.voted_slots().last().unwrap()
             );
-            if let Some(anchored_slot) = anchored_slot {
-                self.stray_restored_slots = std::iter::once(anchored_slot)
-                    .chain(self.voted_slots().into_iter())
-                    .collect();
-            } else {
-                self.stray_restored_slots = self.voted_slots().into_iter().collect();
-            }
+            self.stray_restored_slot = Some(self.last_vote.last_voted_slot().unwrap());
         }
 
         Ok(self)
@@ -2445,7 +2411,11 @@ pub mod test {
             / (tr(1)
                 / (tr(2)
                     / tr(10)
-                    / (tr(43) / (tr(44) / (tr(45) / tr(222)) / (tr(110) / tr(111))))));
+                    / (tr(43)
+                        / (tr(44)
+                            // Minor fork 2
+                            / (tr(45) / (tr(46) / (tr(47) / (tr(48) / (tr(49) / (tr(50)))))))
+                            / (tr(110) / tr(111))))));
         let replayed_root_slot = 44;
 
         // Fill the BankForks according to the above fork structure
@@ -2735,7 +2705,7 @@ pub mod test {
 
         assert_eq!(tower.voted_slots(), vec![] as Vec<Slot>);
         assert_eq!(tower.root(), None);
-        assert_eq!(tower.stray_restored_slots, vec![].into_iter().collect());
+        assert_eq!(tower.stray_restored_slot, None);
     }
 
     #[test]
@@ -2970,42 +2940,4 @@ pub mod test {
             "The tower is fatally inconsistent with blockstore: not too old once after got too old?"
         );
     }
-
-    #[test]
-    fn test_stray_restored_ancestors() {
-        let ancestors = vec![(0, HashSet::new())].into_iter().collect();
-
-        let tower_root = 2;
-        let mut tower = Tower::new_for_tests(10, 0.9);
-        tower.lockouts.root_slot = Some(tower_root);
-        tower.record_vote(3, Hash::default());
-        tower.record_vote(4, Hash::default());
-        tower.record_vote(5, Hash::default());
-        assert!(!tower.is_stray_last_vote());
-        assert!(!tower.use_stray_restored_ancestors(&ancestors, 0));
-        assert!(!tower.use_stray_restored_ancestors(&ancestors, 1));
-
-        let ledger_root = 10;
-        let mut slot_history = SlotHistory::default();
-        slot_history.add(0);
-        slot_history.add(1);
-        slot_history.add(tower_root);
-        slot_history.add(ledger_root);
-
-        let replayed_root_slot = ledger_root;
-        tower = tower
-            .adjust_lockouts_after_replay(replayed_root_slot, &slot_history)
-            .unwrap();
-
-        assert_eq!(tower.voted_slots(), vec![3, 4, 5]);
-        assert_eq!(tower.last_voted_slot(), Some(5));
-        assert!(tower.is_stray_last_vote());
-        assert_eq!(tower.lockouts.root_slot, Some(ledger_root));
-        assert_eq!(
-            tower.stray_restored_ancestors(),
-            vec![tower_root, 3, 4].into_iter().collect()
-        );
-        assert!(!tower.use_stray_restored_ancestors(&ancestors, 0));
-        assert!(tower.use_stray_restored_ancestors(&ancestors, 1));
-    }
 }
diff --git a/core/src/heaviest_subtree_fork_choice.rs b/core/src/heaviest_subtree_fork_choice.rs
index 5783dc36fd2122..b278a3e56f6d2f 100644
--- a/core/src/heaviest_subtree_fork_choice.rs
+++ b/core/src/heaviest_subtree_fork_choice.rs
@@ -496,18 +496,23 @@ impl HeaviestSubtreeForkChoice {
             .last_voted_slot()
             .map(|last_voted_slot| {
                 let heaviest_slot_on_same_voted_fork = self.best_slot(last_voted_slot);
-                if heaviest_slot_on_same_voted_fork.is_none() && tower.is_stray_last_vote() {
-                    info!("returning None because of stray last vote...");
-                    // return None because bank_forks doesn't have corresponding banks
-                    return None;
-                };
                 let heaviest_slot_on_same_voted_fork = heaviest_slot_on_same_voted_fork
                     .unwrap_or_else(|| {
-                        panic!(
-                            "a bank at last_voted_slot({}) is a frozen bank so must have been\
-                            added to heaviest_subtree_fork_choice at time of freezing",
-                            last_voted_slot,
-                        )
+                        if !tower.is_stray_last_vote() {
+                            panic!(
+                                "a bank at last_voted_slot({}) is a frozen bank so must have been\
+                                added to heaviest_subtree_fork_choice at time of freezing",
+                                last_voted_slot,
+                            )
+                        } else {
+                            // fork_infos doesn't have corresponding data for the stray restored last vote,
+                            // meaning severe inconsistentcy between saved tower and ledger.
+                            // (corrupted or pruned ledger, or only saved tower is moved over to new setup?)
+                            panic!(
+                                "Unable to get best_slot for stray last vote {:?}",
+                                tower.stray_restored_slot()
+                            );
+                        };
                     });
 
                 if heaviest_slot_on_same_voted_fork == last_voted_slot {
@@ -1511,6 +1516,7 @@ mod test {
     }
 
     #[test]
+    #[should_panic(expected = "Unable to get best_slot for stray last vote Some(3)")]
     fn test_stray_restored_slot() {
         let forks = tr(0) / (tr(1) / tr(2));
         let heaviest_subtree_fork_choice = HeaviestSubtreeForkChoice::new_from_tree(forks);
@@ -1546,10 +1552,7 @@ mod test {
             .unwrap();
 
         assert_eq!(tower.is_stray_last_vote(), true);
-        assert_eq!(
-            heaviest_subtree_fork_choice.heaviest_slot_on_same_voted_fork(&tower),
-            None
-        );
+        heaviest_subtree_fork_choice.heaviest_slot_on_same_voted_fork(&tower);
     }
 
     fn setup_forks() -> HeaviestSubtreeForkChoice {
diff --git a/local-cluster/src/cluster.rs b/local-cluster/src/cluster.rs
index 6b507cf1f82f8b..bedae92670823e 100644
--- a/local-cluster/src/cluster.rs
+++ b/local-cluster/src/cluster.rs
@@ -39,6 +39,7 @@ pub trait Cluster {
     fn get_validator_client(&self, pubkey: &Pubkey) -> Option<ThinClient>;
     fn get_contact_info(&self, pubkey: &Pubkey) -> Option<&ContactInfo>;
     fn exit_node(&mut self, pubkey: &Pubkey) -> ClusterValidatorInfo;
+    fn remove_dead_node(&mut self, pubkey: &Pubkey) -> ClusterValidatorInfo;
     fn restart_node(&mut self, pubkey: &Pubkey, cluster_validator_info: ClusterValidatorInfo);
     fn exit_restart_node(&mut self, pubkey: &Pubkey, config: ValidatorConfig);
 }
diff --git a/local-cluster/src/local_cluster.rs b/local-cluster/src/local_cluster.rs
index ebb67ecac4b6cf..25b820abd31502 100644
--- a/local-cluster/src/local_cluster.rs
+++ b/local-cluster/src/local_cluster.rs
@@ -621,6 +621,16 @@ impl Cluster for LocalCluster {
         node
     }
 
+    fn remove_dead_node(&mut self, pubkey: &Pubkey) -> ClusterValidatorInfo {
+        let mut node = self.validators.remove(&pubkey).unwrap();
+
+        // Shut down the validator
+        let mut validator = node.validator.take().expect("Validator must be running");
+        validator.exit();
+        validator.join().unwrap_err();
+        node
+    }
+
     fn restart_node(&mut self, pubkey: &Pubkey, mut cluster_validator_info: ClusterValidatorInfo) {
         // Update the stored ContactInfo for this node
         let node = Node::new_localhost_with_pubkey(&pubkey);
diff --git a/local-cluster/tests/local_cluster.rs b/local-cluster/tests/local_cluster.rs
index 718bcf41488481..486029cefcaed2 100644
--- a/local-cluster/tests/local_cluster.rs
+++ b/local-cluster/tests/local_cluster.rs
@@ -1416,7 +1416,7 @@ fn test_optimistic_confirmation_violation_with_no_tower() {
 
     // Mark fork as dead on the heavier validator, this should make the fork effectively
     // dead, even though it was optimistically confirmed. The smaller validator should
-    // jump over to the new fork
+    // create and jump over to a new fork
     // Also, remove saved tower to intentionally make the restarted validator to violate the
     // optimistic confirmation
     {
@@ -1522,9 +1522,7 @@ fn test_no_optimistic_confirmation_violation_with_tower() {
 
     // Mark fork as dead on the heavier validator, this should make the fork effectively
     // dead, even though it was optimistically confirmed. The smaller validator should
-    // jump over to the new fork
-    // Also, remove saved tower to intentionally make the restarted validator to violate the
-    // optimistic confirmation
+    // create and jump over to a new fork
     {
         let blockstore = Blockstore::open_with_access_type(
             &exited_validator_info.info.ledger_path,
@@ -1546,6 +1544,10 @@ fn test_no_optimistic_confirmation_violation_with_tower() {
     cluster.restart_node(&entry_point_id, exited_validator_info);
 
     cluster.check_no_new_roots(400, "test_no_optimistic_confirmation_violation_with_tower");
+
+    // at this moment, the validator should be dead because of tower assertion
+    cluster.remove_dead_node(&entry_point_id);
+
     // Check to see that validator didn't detected optimistic confirmation for
     // `prev_voted_slot` failed
     let expected_log = format!("Optimistic slot {} was not rooted", prev_voted_slot);

From 4cedea479c32623ca248de6b91978c1aa04424f3 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 27 Aug 2020 21:33:14 +0900
Subject: [PATCH 58/67] Revert comment...

---
 core/src/consensus.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index d460e79d66dcfd..746e93e04aae2e 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -515,7 +515,7 @@ impl Tower {
                 }
 
                 // Should never consider switching to an ancestor
-                // of your last vote unless the ancestor is restored from stray slots
+                // of your last vote
                 assert!(!last_vote_ancestors.contains(&switch_slot));
 
                 // By this point, we know the `switch_slot` is on a different fork
@@ -556,7 +556,7 @@ impl Tower {
 
                     // By the time we reach here, any ancestors of the `last_vote`,
                     // should have been filtered out, as they all have a descendant,
-                    // namely the `last_vote` itself, unless the ancestors are restored from stray slots.
+                    // namely the `last_vote` itself.
                     assert!(!last_vote_ancestors.contains(candidate_slot));
 
                     // Evaluate which vote accounts in the bank are locked out

From d320594904f8804b76514af691b98da4fab3eeab Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 27 Aug 2020 21:51:53 +0900
Subject: [PATCH 59/67] Report error as metrics

---
 core/src/validator.rs | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/core/src/validator.rs b/core/src/validator.rs
index d346208a4ad981..cfb02027f78662 100644
--- a/core/src/validator.rs
+++ b/core/src/validator.rs
@@ -642,22 +642,32 @@ fn post_process_restored_tower(
             tower.adjust_lockouts_after_replay(root_bank.slot(), &slot_history)
         })
         .unwrap_or_else(|err| {
-            let is_already_active =
+            let voting_has_been_active =
                 active_vote_account_exists_in_bank(&bank_forks.working_bank(), &vote_account);
-            if config.require_tower && is_already_active {
-                error!("Requested mandatory tower restore failed: {:?}", err);
+            let saved_tower_is_missing = if let TowerError::IOError(io_err) = &err {
+                io_err.kind() == std::io::ErrorKind::NotFound
+            } else {
+                false
+            };
+            if !saved_tower_is_missing {
+                datapoint_error!(
+                    "tower_error",
+                    (
+                        "error",
+                        format!("Unable to restore tower: {}", err),
+                        String
+                    ),
+                );
+            }
+            if config.require_tower && voting_has_been_active {
+                error!("Requested mandatory tower restore failed: {}", err);
                 error!(
                     "And there is an existing vote_account containing actual votes. \
                        Aborting due to possible conflicting duplicate votes"
                 );
                 process::exit(1);
             }
-            let not_found = if let TowerError::IOError(io_err) = &err {
-                io_err.kind() == std::io::ErrorKind::NotFound
-            } else {
-                false
-            };
-            if not_found && !is_already_active {
+            if saved_tower_is_missing && !voting_has_been_active {
                 // Currently, don't protect against spoofed snapshots with no tower at all
                 info!(
                     "Ignoring expected failed tower restore because this is the initial \
@@ -665,7 +675,7 @@ fn post_process_restored_tower(
                 );
             } else {
                 error!(
-                    "Rebuilding tower from the latest vote account due to failed tower restore: {}",
+                    "Rebuilding a new tower from the latest vote account due to failed tower restore: {}",
                     err
                 );
             }

From 4ce9f780632c41b89f46ccd01f4c95ec5a842fd4 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Fri, 28 Aug 2020 15:12:51 +0900
Subject: [PATCH 60/67] Revert not to panic! and ignore unfixable test...

---
 core/src/consensus.rs                    | 11 ++++---
 core/src/heaviest_subtree_fork_choice.rs | 39 ++++++++++++------------
 local-cluster/src/cluster.rs             |  1 -
 local-cluster/src/local_cluster.rs       | 10 ------
 local-cluster/tests/local_cluster.rs     | 12 +++-----
 5 files changed, 30 insertions(+), 43 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 746e93e04aae2e..4eac546155738c 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -490,19 +490,20 @@ impl Tower {
         total_stake: u64,
         epoch_vote_accounts: &HashMap<Pubkey, (u64, Account)>,
     ) -> SwitchForkDecision {
-        let root = self.lockouts.root_slot.unwrap_or(0);
-
         self.last_voted_slot()
             .map(|last_voted_slot| {
+                let root = self.lockouts.root_slot.unwrap_or(0);
+                let empty_ancestors = HashSet::default();
+
                 let last_vote_ancestors =
                     ancestors.get(&last_voted_slot).unwrap_or_else(|| {
                         if !self.is_stray_last_vote() {
                             panic!("no ancestors found with slot: {}", last_voted_slot);
                         } else {
                             // bank_forks doesn't have corresponding data for the stray restored last vote,
-                            // meaning severe inconsistentcy between saved tower and ledger.
-                            // (corrupted or pruned ledger, or only saved tower is moved over to new setup?)
-                            panic!("Unable to get ancestors for stray last vote {:?}", self.stray_restored_slot());
+                            // meaning some inconsistency between saved tower and ledger.
+                            // (newer snapshot, or only a saved tower is moved over to new setup?)
+                            &empty_ancestors
                         }
                     });
 
diff --git a/core/src/heaviest_subtree_fork_choice.rs b/core/src/heaviest_subtree_fork_choice.rs
index b278a3e56f6d2f..9c2ea5b143846d 100644
--- a/core/src/heaviest_subtree_fork_choice.rs
+++ b/core/src/heaviest_subtree_fork_choice.rs
@@ -496,24 +496,21 @@ impl HeaviestSubtreeForkChoice {
             .last_voted_slot()
             .map(|last_voted_slot| {
                 let heaviest_slot_on_same_voted_fork = self.best_slot(last_voted_slot);
-                let heaviest_slot_on_same_voted_fork = heaviest_slot_on_same_voted_fork
-                    .unwrap_or_else(|| {
-                        if !tower.is_stray_last_vote() {
-                            panic!(
-                                "a bank at last_voted_slot({}) is a frozen bank so must have been\
-                                added to heaviest_subtree_fork_choice at time of freezing",
-                                last_voted_slot,
-                            )
-                        } else {
-                            // fork_infos doesn't have corresponding data for the stray restored last vote,
-                            // meaning severe inconsistentcy between saved tower and ledger.
-                            // (corrupted or pruned ledger, or only saved tower is moved over to new setup?)
-                            panic!(
-                                "Unable to get best_slot for stray last vote {:?}",
-                                tower.stray_restored_slot()
-                            );
-                        };
-                    });
+                if heaviest_slot_on_same_voted_fork.is_none() {
+                    if !tower.is_stray_last_vote() {
+                        panic!(
+                            "a bank at last_voted_slot({}) is a frozen bank so must have been\
+                            added to heaviest_subtree_fork_choice at time of freezing",
+                            last_voted_slot,
+                        )
+                    } else {
+                        // fork_infos doesn't have corresponding data for the stray restored last vote,
+                        // meaning some inconsistency between saved tower and ledger.
+                        // (newer snapshot, or only a saved tower is moved over to new setup?)
+                        return None;
+                    }
+                }
+                let heaviest_slot_on_same_voted_fork = heaviest_slot_on_same_voted_fork.unwrap();
 
                 if heaviest_slot_on_same_voted_fork == last_voted_slot {
                     None
@@ -1516,7 +1513,6 @@ mod test {
     }
 
     #[test]
-    #[should_panic(expected = "Unable to get best_slot for stray last vote Some(3)")]
     fn test_stray_restored_slot() {
         let forks = tr(0) / (tr(1) / tr(2));
         let heaviest_subtree_fork_choice = HeaviestSubtreeForkChoice::new_from_tree(forks);
@@ -1552,7 +1548,10 @@ mod test {
             .unwrap();
 
         assert_eq!(tower.is_stray_last_vote(), true);
-        heaviest_subtree_fork_choice.heaviest_slot_on_same_voted_fork(&tower);
+        assert_eq!(
+            heaviest_subtree_fork_choice.heaviest_slot_on_same_voted_fork(&tower),
+            None
+        );
     }
 
     fn setup_forks() -> HeaviestSubtreeForkChoice {
diff --git a/local-cluster/src/cluster.rs b/local-cluster/src/cluster.rs
index bedae92670823e..6b507cf1f82f8b 100644
--- a/local-cluster/src/cluster.rs
+++ b/local-cluster/src/cluster.rs
@@ -39,7 +39,6 @@ pub trait Cluster {
     fn get_validator_client(&self, pubkey: &Pubkey) -> Option<ThinClient>;
     fn get_contact_info(&self, pubkey: &Pubkey) -> Option<&ContactInfo>;
     fn exit_node(&mut self, pubkey: &Pubkey) -> ClusterValidatorInfo;
-    fn remove_dead_node(&mut self, pubkey: &Pubkey) -> ClusterValidatorInfo;
     fn restart_node(&mut self, pubkey: &Pubkey, cluster_validator_info: ClusterValidatorInfo);
     fn exit_restart_node(&mut self, pubkey: &Pubkey, config: ValidatorConfig);
 }
diff --git a/local-cluster/src/local_cluster.rs b/local-cluster/src/local_cluster.rs
index 25b820abd31502..ebb67ecac4b6cf 100644
--- a/local-cluster/src/local_cluster.rs
+++ b/local-cluster/src/local_cluster.rs
@@ -621,16 +621,6 @@ impl Cluster for LocalCluster {
         node
     }
 
-    fn remove_dead_node(&mut self, pubkey: &Pubkey) -> ClusterValidatorInfo {
-        let mut node = self.validators.remove(&pubkey).unwrap();
-
-        // Shut down the validator
-        let mut validator = node.validator.take().expect("Validator must be running");
-        validator.exit();
-        validator.join().unwrap_err();
-        node
-    }
-
     fn restart_node(&mut self, pubkey: &Pubkey, mut cluster_validator_info: ClusterValidatorInfo) {
         // Update the stored ContactInfo for this node
         let node = Node::new_localhost_with_pubkey(&pubkey);
diff --git a/local-cluster/tests/local_cluster.rs b/local-cluster/tests/local_cluster.rs
index 486029cefcaed2..b7a944aa8c6c5a 100644
--- a/local-cluster/tests/local_cluster.rs
+++ b/local-cluster/tests/local_cluster.rs
@@ -1376,13 +1376,13 @@ fn test_optimistic_confirmation_violation_with_no_tower() {
     let mut buf = BufferRedirect::stderr().unwrap();
     // First set up the cluster with 2 nodes
     let slots_per_epoch = 2048;
-    let node_stakes = vec![50, 51];
+    let node_stakes = vec![51, 50];
     let validator_keys: Vec<_> = iter::repeat_with(|| (Arc::new(Keypair::new()), true))
         .take(node_stakes.len())
         .collect();
     let config = ClusterConfig {
         cluster_lamports: 100_000,
-        node_stakes: vec![51, 50],
+        node_stakes: node_stakes.clone(),
         validator_configs: vec![ValidatorConfig::default(); node_stakes.len()],
         validator_keys: Some(validator_keys),
         slots_per_epoch,
@@ -1476,19 +1476,20 @@ fn test_optimistic_confirmation_violation_with_no_tower() {
 
 #[test]
 #[serial]
+#[ignore]
 fn test_no_optimistic_confirmation_violation_with_tower() {
     solana_logger::setup();
     let mut buf = BufferRedirect::stderr().unwrap();
 
     // First set up the cluster with 2 nodes
     let slots_per_epoch = 2048;
-    let node_stakes = vec![50, 51];
+    let node_stakes = vec![51, 50];
     let validator_keys: Vec<_> = iter::repeat_with(|| (Arc::new(Keypair::new()), true))
         .take(node_stakes.len())
         .collect();
     let config = ClusterConfig {
         cluster_lamports: 100_000,
-        node_stakes: vec![51, 50],
+        node_stakes: node_stakes.clone(),
         validator_configs: vec![ValidatorConfig::default(); node_stakes.len()],
         validator_keys: Some(validator_keys),
         slots_per_epoch,
@@ -1545,9 +1546,6 @@ fn test_no_optimistic_confirmation_violation_with_tower() {
 
     cluster.check_no_new_roots(400, "test_no_optimistic_confirmation_violation_with_tower");
 
-    // at this moment, the validator should be dead because of tower assertion
-    cluster.remove_dead_node(&entry_point_id);
-
     // Check to see that validator didn't detected optimistic confirmation for
     // `prev_voted_slot` failed
     let expected_log = format!("Optimistic slot {} was not rooted", prev_voted_slot);

From f182647cfe7fc83e3dc1468a416dfdd315a976a1 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Sat, 29 Aug 2020 03:19:59 +0900
Subject: [PATCH 61/67] Normalize lockouts.root_slot more strictly

---
 core/src/consensus.rs               | 74 +++++++++++++++--------------
 programs/vote/src/vote_state/mod.rs |  3 ++
 2 files changed, 42 insertions(+), 35 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 4eac546155738c..0445686f1ec4c4 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -105,7 +105,7 @@ pub struct Tower {
 
 impl Default for Tower {
     fn default() -> Self {
-        Self {
+        let mut tower = Self {
             node_pubkey: Pubkey::default(),
             threshold_depth: VOTE_THRESHOLD_DEPTH,
             threshold_size: VOTE_THRESHOLD_SIZE,
@@ -115,7 +115,10 @@ impl Default for Tower {
             path: PathBuf::default(),
             tmp_path: PathBuf::default(),
             stray_restored_slot: Option::default(),
-        }
+        };
+        // VoteState::root_slot is ensured to be Some in Tower
+        tower.lockouts.root_slot = Some(Slot::default());
+        tower
     }
 }
 
@@ -124,7 +127,7 @@ impl Tower {
         node_pubkey: &Pubkey,
         vote_account_pubkey: &Pubkey,
         root: Slot,
-        heaviest_bank: &Bank,
+        bank: &Bank,
         path: &Path,
     ) -> Self {
         let path = Self::get_filename(&path, node_pubkey);
@@ -135,7 +138,7 @@ impl Tower {
             tmp_path,
             ..Tower::default()
         };
-        tower.initialize_lockouts_from_bank_forks(vote_account_pubkey, root, heaviest_bank);
+        tower.initialize_lockouts_from_bank(vote_account_pubkey, root, bank);
 
         tower
     }
@@ -396,12 +399,8 @@ impl Tower {
         self.record_bank_vote(vote)
     }
 
-    pub fn last_vote(&self) -> &Vote {
-        &self.last_vote
-    }
-
     pub fn last_voted_slot(&self) -> Option<Slot> {
-        self.last_vote().last_voted_slot()
+        self.last_vote.last_voted_slot()
     }
 
     pub fn stray_restored_slot(&self) -> Option<Slot> {
@@ -430,6 +429,7 @@ impl Tower {
         None
     }
 
+    // root may be forcibly set by arbitrary replay root slot
     pub fn root(&self) -> Option<Slot> {
         self.lockouts.root_slot
     }
@@ -752,8 +752,9 @@ impl Tower {
 
         assert_eq!(slot_history.check(replayed_root_slot), Check::Found);
         // reconcile_blockstore_roots_with_tower() should already have aligned these.
+        assert!(self.root().is_some());
         assert!(
-            self.root().is_none() || self.root().unwrap() <= replayed_root_slot,
+            self.root().unwrap() <= replayed_root_slot,
             format!(
                 "tower root: {:?} >= replayed root slot: {}",
                 self.root().unwrap(),
@@ -771,7 +772,6 @@ impl Tower {
 
         // return immediately if votes are empty...
         if self.lockouts.votes.is_empty() {
-            assert_eq!(self.root(), None);
             return Ok(self);
         }
 
@@ -879,9 +879,9 @@ impl Tower {
             retain_flags_for_each_vote_in_reverse.into_iter().rev();
 
         let original_votes_len = self.lockouts.votes.len();
-        self.lockouts
-            .votes
-            .retain(move |_| retain_flags_for_each_vote.next().unwrap());
+        self.do_initialize_lockouts(replayed_root_slot, move |_| {
+            retain_flags_for_each_vote.next().unwrap()
+        });
 
         if self.lockouts.votes.is_empty() {
             info!(
@@ -890,7 +890,6 @@ impl Tower {
             );
             // we might not have banks for those votes so just reset.
             // That's because the votes may well past replayed_root_slot
-            self.lockouts.root_slot = None;
             self.last_vote = Vote::default();
         } else {
             info!(
@@ -900,9 +899,6 @@ impl Tower {
                 self.voted_slots()
             );
 
-            // Updating root is needed to correctly restore from newly-saved tower for the next
-            // boot
-            self.lockouts.root_slot = Some(replayed_root_slot);
             assert_eq!(
                 self.last_vote.last_voted_slot().unwrap(),
                 *self.voted_slots().last().unwrap()
@@ -913,37 +909,42 @@ impl Tower {
         Ok(self)
     }
 
-    fn initialize_lockouts_from_bank_forks(
+    fn initialize_lockouts_from_bank(
         &mut self,
         vote_account_pubkey: &Pubkey,
         root: Slot,
-        heaviest_bank: &Bank,
+        bank: &Bank,
     ) {
-        if let Some((_stake, vote_account)) = heaviest_bank.vote_accounts().get(vote_account_pubkey)
-        {
-            let mut vote_state = VoteState::deserialize(&vote_account.data)
+        if let Some((_stake, vote_account)) = bank.vote_accounts().get(vote_account_pubkey) {
+            let vote_state = VoteState::deserialize(&vote_account.data)
                 .expect("vote_account isn't a VoteState?");
-            vote_state.root_slot = Some(root);
-            vote_state.votes.retain(|v| v.slot > root);
+            self.lockouts = vote_state;
+            self.do_initialize_lockouts(root, |v| v.slot > root);
             trace!(
                 "{} lockouts initialized to {:?}",
                 self.node_pubkey,
-                vote_state
+                self.lockouts
             );
             assert_eq!(
-                vote_state.node_pubkey, self.node_pubkey,
+                self.lockouts.node_pubkey, self.node_pubkey,
                 "vote account's node_pubkey doesn't match",
             );
-            self.lockouts = vote_state;
         } else {
             info!(
-                "vote account({}) not found in heaviest bank (slot={})",
+                "vote account({}) not found in bank (slot={})",
                 vote_account_pubkey,
-                heaviest_bank.slot()
+                bank.slot()
             );
         }
     }
 
+    fn do_initialize_lockouts<F: FnMut(&Lockout) -> bool>(&mut self, root: Slot, should_retain: F) {
+        // Updating root is needed to correctly restore from newly-saved tower for the next
+        // boot
+        self.lockouts.root_slot = Some(root);
+        self.lockouts.votes.retain(should_retain);
+    }
+
     pub fn get_filename(path: &Path, node_pubkey: &Pubkey) -> PathBuf {
         path.join(format!("tower-{}", node_pubkey))
             .with_extension("bin")
@@ -2394,7 +2395,7 @@ pub mod test {
             tower.record_vote(110, Hash::default());
             tower.record_vote(111, Hash::default());
             assert_eq!(tower.voted_slots(), vec![43, 110, 111]);
-            assert_eq!(tower.lockouts.root_slot, None);
+            assert_eq!(tower.lockouts.root_slot, Some(0));
         }
 
         // Prepare simulated validator restart!
@@ -2705,7 +2706,7 @@ pub mod test {
             .unwrap();
 
         assert_eq!(tower.voted_slots(), vec![] as Vec<Slot>);
-        assert_eq!(tower.root(), None);
+        assert_eq!(tower.root(), Some(replayed_root_slot));
         assert_eq!(tower.stray_restored_slot, None);
     }
 
@@ -2728,7 +2729,7 @@ pub mod test {
             .adjust_lockouts_after_replay(MAX_ENTRIES, &slot_history)
             .unwrap();
         assert_eq!(tower.voted_slots(), vec![] as Vec<Slot>);
-        assert_eq!(tower.root(), None);
+        assert_eq!(tower.root(), Some(MAX_ENTRIES));
     }
 
     #[test]
@@ -2832,7 +2833,7 @@ pub mod test {
             .unwrap();
 
         assert_eq!(tower.voted_slots(), vec![] as Vec<Slot>);
-        assert_eq!(tower.root(), None);
+        assert_eq!(tower.root(), Some(replayed_root_slot));
     }
 
     #[test]
@@ -2861,12 +2862,15 @@ pub mod test {
         tower.lockouts.votes.push_back(Lockout::new(101));
         let vote = Vote::new(vec![101], Hash::default());
         tower.last_vote = vote;
+        tower.lockouts.root_slot = None;
 
         let mut slot_history = SlotHistory::default();
         slot_history.add(0);
         slot_history.add(2);
 
-        let result = tower.clone().adjust_lockouts_after_replay(2, &slot_history);
+        let result = tower
+            .clone()
+            .do_adjust_lockouts_after_replay(2, &slot_history);
         assert_eq!(
             format!("{}", result.unwrap_err()),
             "The slot history is too old: oldest slot in tower (100) >> newest slot in available history (2)"
diff --git a/programs/vote/src/vote_state/mod.rs b/programs/vote/src/vote_state/mod.rs
index eeb9fa8416513c..bf2cc92c9bee38 100644
--- a/programs/vote/src/vote_state/mod.rs
+++ b/programs/vote/src/vote_state/mod.rs
@@ -163,6 +163,9 @@ pub struct VoteState {
     pub commission: u8,
 
     pub votes: VecDeque<Lockout>,
+
+    // This usually the last Lockout which was popped from self.votes.
+    // However, it can be arbitrary slot, when being used inside Tower
     pub root_slot: Option<Slot>,
 
     /// the signer for vote transactions

From 148f8ff9065f007cec0deb0d320a176d69346d22 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Sat, 29 Aug 2020 05:52:19 +0900
Subject: [PATCH 62/67] Add comments for panic! and more assertions

---
 core/src/consensus.rs                    | 22 +++++++++++++++++++---
 core/src/heaviest_subtree_fork_choice.rs |  8 ++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 0445686f1ec4c4..f1bc25888c0de0 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -498,6 +498,14 @@ impl Tower {
                 let last_vote_ancestors =
                     ancestors.get(&last_voted_slot).unwrap_or_else(|| {
                         if !self.is_stray_last_vote() {
+                            // Unless last vote is stray, we always must be able to fetch last_voted_slot's
+                            // ancestors, justifying to panic! here.
+                            // Also, adjust_lockouts_after_replay() correctly makes last_voted_slot None,
+                            // if all votes are older than replayed_root_slot. So this code shoun't be
+                            // touched in that case as well.
+                            // In other words, except being stray, all other slots have been voted on while
+                            // this validator has been running, so we must be able to fetch ancestors for
+                            // all of them.
                             panic!("no ancestors found with slot: {}", last_voted_slot);
                         } else {
                             // bank_forks doesn't have corresponding data for the stray restored last vote,
@@ -814,11 +822,10 @@ impl Tower {
         // iterate over votes in the newest => oldest order
         // bail out early if bad condition is found
         for voted_slot in checked_slots.iter().rev() {
-            checked_slot = Some(*voted_slot);
-            let check = slot_history.check(checked_slot.unwrap());
+            let check = slot_history.check(*voted_slot);
 
             if anchored_slot.is_none() && check == Check::Found {
-                anchored_slot = checked_slot;
+                anchored_slot = Some(*voted_slot);
             } else if anchored_slot.is_some() && check == Check::NotFound {
                 // this can't happen unless we're fed with bogus snapshot
                 return Err(TowerError::FatallyInconsistent("diverged ancestor?"));
@@ -839,6 +846,15 @@ impl Tower {
                 ));
             }
 
+            assert!(checked_slot
+                .map(
+                    |checked_slot| (*voted_slot == checked_slot && *voted_slot == 0)
+                        || *voted_slot < checked_slot
+                )
+                .unwrap_or(true));
+
+            checked_slot = Some(*voted_slot);
+
             retain_flags_for_each_vote_in_reverse.push(anchored_slot.is_none());
         }
 
diff --git a/core/src/heaviest_subtree_fork_choice.rs b/core/src/heaviest_subtree_fork_choice.rs
index 9c2ea5b143846d..a85436a60a9d6d 100644
--- a/core/src/heaviest_subtree_fork_choice.rs
+++ b/core/src/heaviest_subtree_fork_choice.rs
@@ -498,6 +498,14 @@ impl HeaviestSubtreeForkChoice {
                 let heaviest_slot_on_same_voted_fork = self.best_slot(last_voted_slot);
                 if heaviest_slot_on_same_voted_fork.is_none() {
                     if !tower.is_stray_last_vote() {
+                        // Unless last vote is stray, we always must be able to fetch last_voted_slot's
+                        // bast_slot, justifying to panic! here.
+                        // Also, adjust_lockouts_after_replay() correctly makes last_voted_slot None,
+                        // if all votes are older than replayed_root_slot. So this code shoun't be
+                        // touched in that case as well.
+                        // In other words, except being stray, all other slots have been voted on while this
+                        // validator has been running, so we must be able to fetch best_slots for all of
+                        // them.
                         panic!(
                             "a bank at last_voted_slot({}) is a frozen bank so must have been\
                             added to heaviest_subtree_fork_choice at time of freezing",

From 430ee7cff7d494b08bfe34fe7cc449de291483c5 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Sun, 30 Aug 2020 18:04:09 +0900
Subject: [PATCH 63/67] Proper initialize root without vote account

---
 core/src/consensus.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index f1bc25888c0de0..f2fb46e718474e 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -474,7 +474,13 @@ impl Tower {
             // This case should never happen because bank forks purges all
             // non-descendants of the root every time root is set
             if slot != root_slot {
-                assert!(ancestors[&slot].contains(&root_slot));
+                assert!(
+                    ancestors[&slot].contains(&root_slot),
+                    "ancestors: {:?}, slot: {} root: {}",
+                    ancestors[&slot],
+                    slot,
+                    root_slot
+                );
             }
         }
 
@@ -946,6 +952,7 @@ impl Tower {
                 "vote account's node_pubkey doesn't match",
             );
         } else {
+            self.do_initialize_lockouts(root, |_| true);
             info!(
                 "vote account({}) not found in bank (slot={})",
                 vote_account_pubkey,

From 0bfb8227e04077e10ae5107d47569fccefaba648 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 17 Sep 2020 03:26:47 +0900
Subject: [PATCH 64/67] Clarify code and comments based on review feedback

---
 core/src/consensus.rs                    | 50 +++++++++++++++---------
 core/src/heaviest_subtree_fork_choice.rs |  6 +--
 2 files changed, 34 insertions(+), 22 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index f2fb46e718474e..601dbda160e342 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -429,7 +429,13 @@ impl Tower {
         None
     }
 
-    // root may be forcibly set by arbitrary replay root slot
+    // root may be forcibly set by arbitrary replay root slot, for example from a root
+    // after replaying a snapshot.
+    // Also, tower.root() couldn't be None; do_initialize_lockouts() ensures that.
+    // Conceptually, every tower must have been constructed from a concrete starting point,
+    // which establishes the origin of trust (i.e. root) whether booting from genesis (slot 0) or
+    // snapshot (slot N). In other words, there should be no possibility a Tower doesn't have
+    // root, unlike young vote accounts.
     pub fn root(&self) -> Option<Slot> {
         self.lockouts.root_slot
     }
@@ -504,10 +510,10 @@ impl Tower {
                 let last_vote_ancestors =
                     ancestors.get(&last_voted_slot).unwrap_or_else(|| {
                         if !self.is_stray_last_vote() {
-                            // Unless last vote is stray, we always must be able to fetch last_voted_slot's
-                            // ancestors, justifying to panic! here.
+                            // Unless last vote is stray, ancestors.get(last_voted_slot) must
+                            // return Some(_), justifying to panic! here.
                             // Also, adjust_lockouts_after_replay() correctly makes last_voted_slot None,
-                            // if all votes are older than replayed_root_slot. So this code shoun't be
+                            // if all saved votes are ancestors of replayed_root_slot. So this code shouldn't be
                             // touched in that case as well.
                             // In other words, except being stray, all other slots have been voted on while
                             // this validator has been running, so we must be able to fetch ancestors for
@@ -764,9 +770,10 @@ impl Tower {
             self.voted_slots()
         );
 
+        // sanity assertions for roots
         assert_eq!(slot_history.check(replayed_root_slot), Check::Found);
-        // reconcile_blockstore_roots_with_tower() should already have aligned these.
         assert!(self.root().is_some());
+        // reconcile_blockstore_roots_with_tower() should already have aligned these.
         assert!(
             self.root().unwrap() <= replayed_root_slot,
             format!(
@@ -817,21 +824,21 @@ impl Tower {
         let mut anchored_slot = None;
 
         let mut root_checked = false;
-        let mut checked_slots = if let Some(root) = self.lockouts.root_slot {
+        let mut slots_in_tower = if let Some(root) = self.lockouts.root_slot {
             root_checked = true;
             vec![root]
         } else {
             vec![]
         };
-        checked_slots.extend(self.voted_slots());
+        slots_in_tower.extend(self.voted_slots());
 
-        // iterate over votes in the newest => oldest order
+        // iterate over votes + root (if any) in the newest => oldest order
         // bail out early if bad condition is found
-        for voted_slot in checked_slots.iter().rev() {
-            let check = slot_history.check(*voted_slot);
+        for slot_in_tower in slots_in_tower.iter().rev() {
+            let check = slot_history.check(*slot_in_tower);
 
             if anchored_slot.is_none() && check == Check::Found {
-                anchored_slot = Some(*voted_slot);
+                anchored_slot = Some(*slot_in_tower);
             } else if anchored_slot.is_some() && check == Check::NotFound {
                 // this can't happen unless we're fed with bogus snapshot
                 return Err(TowerError::FatallyInconsistent("diverged ancestor?"));
@@ -852,20 +859,25 @@ impl Tower {
                 ));
             }
 
-            assert!(checked_slot
-                .map(
-                    |checked_slot| (*voted_slot == checked_slot && *voted_slot == 0)
-                        || *voted_slot < checked_slot
-                )
-                .unwrap_or(true));
+            if let Some(checked_slot) = checked_slot {
+                // This is really special, only if tower is initialized (root = slot 0) for genesis and contains
+                // a vote (= slot 0) for the genesis, the slot 0 can repeat only once
+                let voting_from_genesis = *slot_in_tower == checked_slot && *slot_in_tower == 0;
+
+                if !voting_from_genesis {
+                    // Unless we're voting since genesis, slots_in_tower must always be older than last checked_slot
+                    // including all vote slot and the root slot.
+                    assert!(*slot_in_tower < checked_slot)
+                }
+            }
 
-            checked_slot = Some(*voted_slot);
+            checked_slot = Some(*slot_in_tower);
 
             retain_flags_for_each_vote_in_reverse.push(anchored_slot.is_none());
         }
 
         assert_eq!(
-            checked_slots.len(),
+            slots_in_tower.len(),
             retain_flags_for_each_vote_in_reverse.len()
         );
 
diff --git a/core/src/heaviest_subtree_fork_choice.rs b/core/src/heaviest_subtree_fork_choice.rs
index a85436a60a9d6d..c1dbdb1b6e8ccb 100644
--- a/core/src/heaviest_subtree_fork_choice.rs
+++ b/core/src/heaviest_subtree_fork_choice.rs
@@ -498,10 +498,10 @@ impl HeaviestSubtreeForkChoice {
                 let heaviest_slot_on_same_voted_fork = self.best_slot(last_voted_slot);
                 if heaviest_slot_on_same_voted_fork.is_none() {
                     if !tower.is_stray_last_vote() {
-                        // Unless last vote is stray, we always must be able to fetch last_voted_slot's
-                        // bast_slot, justifying to panic! here.
+                        // Unless last vote is stray, self.bast_slot(last_voted_slot) must return
+                        // Some(_), justifying to panic! here.
                         // Also, adjust_lockouts_after_replay() correctly makes last_voted_slot None,
-                        // if all votes are older than replayed_root_slot. So this code shoun't be
+                        // if all saved votes are ancestors of replayed_root_slot. So this code shouldn't be
                         // touched in that case as well.
                         // In other words, except being stray, all other slots have been voted on while this
                         // validator has been running, so we must be able to fetch best_slots for all of

From 49c9e77f0fa4bf686dc1cf8dee7ad7376180ffe1 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 17 Sep 2020 04:03:59 +0900
Subject: [PATCH 65/67] Fix rebase

---
 core/src/replay_stage.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/replay_stage.rs b/core/src/replay_stage.rs
index 9afd66de4980ea..1c96ed4509dc06 100644
--- a/core/src/replay_stage.rs
+++ b/core/src/replay_stage.rs
@@ -664,7 +664,7 @@ impl ReplayStage {
         }
         let root = root_bank.slot();
         let unlock_heaviest_subtree_fork_choice_slot =
-            Self::get_unlock_heaviest_subtree_fork_choice(root_bank.operating_mode());
+            Self::get_unlock_heaviest_subtree_fork_choice(root_bank.cluster_type());
         let heaviest_subtree_fork_choice =
             HeaviestSubtreeForkChoice::new_from_frozen_banks(root, &frozen_banks);
 

From dd25003d7112dca278609bdb460c3360c4c5b0a5 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 17 Sep 2020 12:36:56 +0900
Subject: [PATCH 66/67] Further simplify based on assured tower root

---
 core/src/consensus.rs | 99 +++++++++----------------------------------
 1 file changed, 20 insertions(+), 79 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index 601dbda160e342..f93a7b473f7cdc 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -761,25 +761,25 @@ impl Tower {
     // tower lockouts may need adjustment
     pub fn adjust_lockouts_after_replay(
         self,
-        replayed_root_slot: Slot,
+        replayed_root: Slot,
         slot_history: &SlotHistory,
     ) -> Result<Self> {
         info!(
             "adjusting lockouts (after replay up to {}): {:?}",
-            replayed_root_slot,
+            replayed_root,
             self.voted_slots()
         );
 
         // sanity assertions for roots
-        assert_eq!(slot_history.check(replayed_root_slot), Check::Found);
+        assert_eq!(slot_history.check(replayed_root), Check::Found);
         assert!(self.root().is_some());
+        let tower_root = self.root().unwrap();
         // reconcile_blockstore_roots_with_tower() should already have aligned these.
         assert!(
-            self.root().unwrap() <= replayed_root_slot,
+            tower_root <= replayed_root,
             format!(
                 "tower root: {:?} >= replayed root slot: {}",
-                self.root().unwrap(),
-                replayed_root_slot
+                tower_root, replayed_root
             )
         );
         assert!(
@@ -806,12 +806,13 @@ impl Tower {
             ));
         }
 
-        self.do_adjust_lockouts_after_replay(replayed_root_slot, slot_history)
+        self.do_adjust_lockouts_after_replay(tower_root, replayed_root, slot_history)
     }
 
     fn do_adjust_lockouts_after_replay(
         mut self,
-        replayed_root_slot: Slot,
+        tower_root: Slot,
+        replayed_root: Slot,
         slot_history: &SlotHistory,
     ) -> Result<Self> {
         // retained slots will be consisted only from divergent slots
@@ -823,13 +824,7 @@ impl Tower {
         let mut checked_slot = None;
         let mut anchored_slot = None;
 
-        let mut root_checked = false;
-        let mut slots_in_tower = if let Some(root) = self.lockouts.root_slot {
-            root_checked = true;
-            vec![root]
-        } else {
-            vec![]
-        };
+        let mut slots_in_tower = vec![tower_root];
         slots_in_tower.extend(self.voted_slots());
 
         // iterate over votes + root (if any) in the newest => oldest order
@@ -881,49 +876,32 @@ impl Tower {
             retain_flags_for_each_vote_in_reverse.len()
         );
 
-        if root_checked {
-            retain_flags_for_each_vote_in_reverse.pop();
-        }
+        retain_flags_for_each_vote_in_reverse.pop();
 
         // Check for errors if not anchored
-        // Being not anchored doesn't always equate to errors: All of votes in
-        // an unrooted (= !root_checked) warming-up vote account may legally not
-        // be anchored.
+        info!("adjusted tower's anchored slot: {:?}", anchored_slot);
         if anchored_slot.is_none() {
-            let oldest_slot_in_tower = checked_slot.unwrap();
-            let with_no_overlap_slots = oldest_slot_in_tower > slot_history.newest();
-            if with_no_overlap_slots {
-                // we couldn't find an anchor... And this was indeed due to too much gap between
-                // tower and blockstore, so return error here.
-                // Generally, this shouldn't occur unless bad external backup/restore is conducted...
-                return Err(TowerError::TooOldSlotHistory(
-                    oldest_slot_in_tower,
-                    slot_history.newest(),
-                ));
-            } else if root_checked {
-                // this error really shouldn't happen unless ledger/tower is corrupted so check
-                // after the TooOldSlotHistory...
-                return Err(TowerError::FatallyInconsistent(
-                    "no common slot for rooted tower",
-                ));
-            }
+            // this error really shouldn't happen unless ledger/tower is corrupted
+            return Err(TowerError::FatallyInconsistent(
+                "no common slot for rooted tower",
+            ));
         }
 
         let mut retain_flags_for_each_vote =
             retain_flags_for_each_vote_in_reverse.into_iter().rev();
 
         let original_votes_len = self.lockouts.votes.len();
-        self.do_initialize_lockouts(replayed_root_slot, move |_| {
+        self.do_initialize_lockouts(replayed_root, move |_| {
             retain_flags_for_each_vote.next().unwrap()
         });
 
         if self.lockouts.votes.is_empty() {
             info!(
-                "All restored votes were behind replayed_root_slot({}); resetting root_slot and last_vote in tower!",
-                replayed_root_slot
+                "All restored votes were behind replayed_root({}); resetting root_slot and last_vote in tower!",
+                replayed_root
             );
             // we might not have banks for those votes so just reset.
-            // That's because the votes may well past replayed_root_slot
+            // That's because the votes may well past replayed_root
             self.last_vote = Vote::default();
         } else {
             info!(
@@ -1066,12 +1044,6 @@ pub enum TowerError {
     )]
     TooOldTower(Slot, Slot),
 
-    #[error(
-        "The slot history is too old: \
-        oldest slot in tower ({0}) >> newest slot in available history ({1})"
-    )]
-    TooOldSlotHistory(Slot, Slot),
-
     #[error("The tower is fatally inconsistent with blockstore: {0}")]
     FatallyInconsistent(&'static str),
 }
@@ -2889,37 +2861,6 @@ pub mod test {
         );
     }
 
-    #[test]
-    fn test_adjust_lockouts_after_replay_too_old_slot_history() {
-        solana_logger::setup();
-        let mut tower = Tower::new_for_tests(10, 0.9);
-        tower.lockouts.votes.push_back(Lockout::new(100));
-        tower.lockouts.votes.push_back(Lockout::new(101));
-        let vote = Vote::new(vec![101], Hash::default());
-        tower.last_vote = vote;
-        tower.lockouts.root_slot = None;
-
-        let mut slot_history = SlotHistory::default();
-        slot_history.add(0);
-        slot_history.add(2);
-
-        let result = tower
-            .clone()
-            .do_adjust_lockouts_after_replay(2, &slot_history);
-        assert_eq!(
-            format!("{}", result.unwrap_err()),
-            "The slot history is too old: oldest slot in tower (100) >> newest slot in available history (2)"
-        );
-
-        tower.lockouts.root_slot = Some(11);
-        // Skip some assertions to assume we're censored with crafted slots
-        let result = tower.do_adjust_lockouts_after_replay(2, &slot_history);
-        assert_eq!(
-            format!("{}", result.unwrap_err()),
-            "The slot history is too old: oldest slot in tower (11) >> newest slot in available history (2)"
-        );
-    }
-
     #[test]
     fn test_adjust_lockouts_after_replay_time_warped() {
         let mut tower = Tower::new_for_tests(10, 0.9);

From df55bfb46af039cbc597cd60042d49b9d90b5961 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Thu, 17 Sep 2020 13:31:23 +0900
Subject: [PATCH 67/67] Reorder code for more readability

---
 core/src/consensus.rs | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/core/src/consensus.rs b/core/src/consensus.rs
index f93a7b473f7cdc..214e5f8d34cfad 100644
--- a/core/src/consensus.rs
+++ b/core/src/consensus.rs
@@ -871,13 +871,6 @@ impl Tower {
             retain_flags_for_each_vote_in_reverse.push(anchored_slot.is_none());
         }
 
-        assert_eq!(
-            slots_in_tower.len(),
-            retain_flags_for_each_vote_in_reverse.len()
-        );
-
-        retain_flags_for_each_vote_in_reverse.pop();
-
         // Check for errors if not anchored
         info!("adjusted tower's anchored slot: {:?}", anchored_slot);
         if anchored_slot.is_none() {
@@ -887,6 +880,12 @@ impl Tower {
             ));
         }
 
+        assert_eq!(
+            slots_in_tower.len(),
+            retain_flags_for_each_vote_in_reverse.len()
+        );
+        // pop for the tower root
+        retain_flags_for_each_vote_in_reverse.pop();
         let mut retain_flags_for_each_vote =
             retain_flags_for_each_vote_in_reverse.into_iter().rev();