Discard pre hard fork persisted tower if hard-forking

[ryoqun]

Problem

The tds relaunch failed. The theory is like this:

Substantial validator (~20-30%, rough guess from chronograf) has rooted newer slots than the hard fork slot (4676591) and kept the ledger. In that case, validator cannot vote because restored tower isn't adjusted for the hard fork and it prevents voting at all because of switch threshold failure. Finally this makes liveness under supermajority.
voting node log sample:

[2020-11-11T08:02:10.893472532Z INFO  solana_core::validator] Waiting for 80% of activated stake at slot 46765918 to be in gossip...
[2020-11-11T08:02:10.781175975Z ERROR solana_core::consensus] For some reason, we're REPROCESSING slots which has already been voted and ROOTED by us; VOTING will be SUSPENDED UNTIL 46766871!
[2020-11-11T13:09:32.455506994Z INFO  solana_core::replay_stage] Waiting to switch vote to 46766495, resetting to slot None on same fork for now
[2020-11-11T13:09:33.192110752Z INFO  solana_core::replay_stage] Waiting to switch vote to 46766980, 
resetting to slot None on same fork for now
[2020-11-11T13:09:33.192139724Z INFO  solana_core::replay_stage] Couldn't vote on heaviest fork: 46766980, heaviest_fork_failures: [FailedSwitchThreshold(46766980)]
$ TZ=UTC ls -l ledger/tower-twP716sMjTFynrZRSCKkHhoeHaQEXnR2bzqDEzuxP81.bin 
-rw-r--r-- 1 sol sol 2360 Nov  9 04:17 ledger/tower-twP716sMjTFynrZRSCKkHhoeHaQEXnR2bzqDEzuxP81.bin # tower not saved after the restart at all.

Summary of Changes

Discard old persited tower if hard-forking.

• Think more to ensure to avoid false positive/false negative...
• Write a test.

Fixes #

[ryoqun]

hmm. we need to check last_voted_slot?

[sakridge]

This is probably fine for now, but how about storing the shred version in the persistent vote file? I think that might be more robust, we can just discard it if the shred version has a mismatch.

[ryoqun]

yeah. makes sense.

[ryoqun]

@carllin Could you review this? :)

[codecov]

Codecov Report

Merging #13527 (4f6e3b1) into master (58354d1) will decrease coverage by 0.0%.
The diff coverage is 12.5%.

@@            Coverage Diff            @@
##           master   #13527     +/-   ##
=========================================
- Coverage    82.1%    82.1%   -0.1%     
=========================================
  Files         378      378             
  Lines       90603    90628     +25     
=========================================
- Hits        74435    74423     -12     
- Misses      16168    16205     +37     

[sakridge]

remove?

[ryoqun]

well added proper message.

[carllin]

Should the persisted tower be deleted/overwritten with default in the hard fork case (since it's a hard fork we don't care about the votes anyways)? The tower would be overwritten on the first vote, but there's still a small window. I'm imagining an edge case where somebody starts up with wait_for_supermajority, then shuts down before the validator votes, then starts up again without wait_for_supermajority

[ryoqun]

some ugly api is needed to work around blocking Validaotor::new. ;)

[carllin]

Let's call this root min_root, and then the hard_fork_slot below can be min_root - 5 to indicate the purpose is to be less than min_root

[ryoqun]

there was no test or whatever for hard fork code.. hence this generic test name can be justified.

[carllin]

Investigating why this is necessary, hopefully just a test issue 🙏

[carllin]

@ryoqun, I commented this check out, but haven't been able to repro the failure you described. The test seems to be passing fine on several different machines.

[ryoqun]

oops! Debug of tower can be really big. it might not be wise to put in the datapoint_error!, only add error! below.

[ryoqun]

nits: include wait_slot_for_supermajority instead.

[ryoqun]

superseded by #13536