Convert Banks

[carllin]

Problem

Old bank structure is incompatible with changes to bank implemented here: #8958

Summary of Changes

1. Add a conversion to the new bank structure when deserializing the bank from 1.0 snapshots
2. Write out version 1.1 snapshots
3. Note this change includes changes from: Store and compute node/stake state in EpochStakes struct #8958

With 1 + 2, when validators all upgrade to 1.1, only 1.1 snapshots should be present in the system and we can throw away this code.

Note that with this change, any validators that don't upgrade to this change will be unable to process the new 1.1 snapshots.

Fixes #

[carllin]

@mvines, @sakridge, I ran ledger-tool verify on an old 1.0 snapshot and this works fine.

At first I was like great, the change works!

But on second thought, isn't this a vulnerability? I fundamentally changed a field in the bank that's used by many parts of the system, and the snapshot hash still verified fine...

[mvines]

We don't require the Bank struct be immutable. There could exist another Solana implementation written in bash that produces the same snapshot hash as the current mostly-Rust implementation

[carllin]

Seems like critical fields in the bank that should be verified(please check if any are missing!)

1. parent_hash
2. hard_forks
3. transaction_count
4. tick_height
5. signature_count
6. capitalization
7. max_tick_height
8. hashes_per_tick
9. ticks_per_slot
10. ns_per_slot
11. genesis_creation_time
12. slots_per_year
13. slots_per_segment
14. slot
15. epoch
16. block_height
17. collector_id
18. collector_fees
19. fee_calculator
20. fee_rate_governor
21. collected_rent
22. rent_collector
23. epoch_schedule
24. inflation
25. stakes
26. storage_accounts
27. epoch_stakes
28. is_delta
29. message_processor

[carllin]

@mvines seems like I could just replace a stake account, or a epoch stakes account, or inflation/rent in the bank, and it would affect this node's view of consensus

[mvines]

That would cause a bank hash mismatch

[sakridge]

Speed is not a reason to not do it, the whole serialized size of the bank is 200KB, that should take about 500us to hash with sha-2. We are already spending 100s of ms to hash the account states.

[mvines]

We can, and we'll probably need one of these painful snapshot/Bank adaption PRs every time we do so.

[sakridge]

That, or you re-compute these values from the account state which is hashed. That seems like more work to me.

[mvines]

hehe I'm just saying that I'm pretty sure that all of the 29 Bank fields that Carl listed above do not all need be included in the bank hash.

[ryoqun]

That's part of #7167 and on @ryoqun 's radar. Part of why we are using the flags to get verified snapshots from only trusted nodes.

@carllin FYI: As @sakridge said, this is the wip-stale-closed PR for the exact thing of this discussion: #8185. I'm steadily approaching to it. There are still other bunch of security issues in the snapshot to tackle first, though. ;)

[mvines]

Bank1_1 we can just call Current, and it only gets a version when it's an older bank that we care about

[mvines]

This can just be SNAPSHOT_VERSION ("Current" is the default, only name the legacy versions)

[codecov]

Codecov Report

Merging #9033 into v1.0 will decrease coverage by <.1%.
The diff coverage is 54.6%.

@@           Coverage Diff           @@
##            v1.0   #9033     +/-   ##
=======================================
- Coverage   80.4%   80.3%   -0.1%     
=======================================
  Files        263     265      +2     
  Lines      57363   57553    +190     
=======================================
+ Hits       46126   46228    +102     
- Misses     11237   11325     +88

[mvines]

The runtime/src/bank.rs → runtime/src/bank/mod.rs rename seems unnecessary but I'm not strongly opposed.

Let's wait until 1.0.9 ships before landing this in v1.0 though please. I didn't review runtime/src/epoch_stakes.rs, I assume that's been covered in the other PR for master

[mvines]

@carllin - please ping me when this PR and #8958 are green and I'll review again, thanks!

[carllin]

@mvines Green!

[mvines]

Thanks, this looks good! I'm 👎 this PR until we ship v1.0.10 this evening. I'd like to get this in v1.0.11 instead

[mvines]

1.0.10 has shipped, all clear