# PR #423 Code Review: fix/405-404-310-pbss-recovery **Branch:** `fix/405-404-310-pbss-recovery` (latest: `5580fde71`) **Repository:** XDCIndia/go-ethereum fork (XDC-Geth) **Issues addressed:** #405, #404, #310 — PBSS recovery and V2 consensus initialization --- ## Executive Summary The PR is **substantially correct** and addresses the core issues. The `initial()` function now properly handles the V2 switch block during sync, the walk-back logic finds the checkpoint header correctly after the C11/C12 fixes, and `GetMasternodesFromEpochSwitchHeader()` correctly reads validators with appropriate V1/V2 discrimination. **However, there are 3 remaining concerns** that could still cause sync failures at or near the V2 switch block: 1. **Walk-back guard is correct but fragile** — the `for h := header; h != nil ...` loop relies on `chain.GetHeader` returning `nil` at genesis boundary; this is standard but worth noting. 2. **`getEpochSwitchInfo` recursion guard (C12) uses `time.Sleep` polling** — this is a pragmatic fix but not ideal; under extreme load from many sync peers, the 100ms wait may still be insufficient. 3. **No integration tests exist for the V2 switch block sync path** — the unit tests cover vote pools and QC encoding, but there is no test that simulates `initial()` being called during bulk sync with a header far past the switch block and a missing checkpoint header in DB. --- ## 1. `initial()` Function — V2 Switch Block Handling (Line 289-421) ### What changed - **QC extraction is now guarded** (lines 327-347): If `header.Number <= V2.SwitchBlock`, the code skips QC extraction because V1 headers have no V2 QC. This prevents `getExtraFields` from failing on V1-format extra data. - **`processQC` is deferred during bulk sync** (lines 337-346): If the QC's proposed block is not yet in the DB, `processQC` is skipped with a debug log. This prevents sync stalling when blocks arrive out of order. - **Gap header nil check** (lines 355-360): `lastGapHeader` is now checked for nil, returning a clear error instead of panicking later. - **Walk-back logic** (lines 366-373): If the header is past the switch block, the code walks back through parent hashes to find the switch block header, instead of relying solely on `chain.GetHeaderByNumber` which may fail during sync. - **Checkpoint header nil guard** (lines 375-385): Returns a typed error with logging if the checkpoint header still cannot be found. - **Masternode extraction fix** (lines 388-394): Uses `GetMasternodesFromEpochSwitchHeader(chain, checkpointHeader)` which prefers `header.Validators` for V2 blocks, with a fallback to `decodeMasternodesFromHeaderExtra` for the switch block itself. - **Variable shadowing fix (C12)** (line 400): `snap := newSnapshot(...)` changed to `snap = newSnapshot(...)` so the outer `snap` variable is assigned correctly. ### Verdict: CORRECT ✅ The logic correctly distinguishes: - `header.Number == SwitchBlock` → first V2 block, synthetic QC, no DB lookup needed. - `header.Number < SwitchBlock` → V1 block, skip QC extraction entirely. - `header.Number > SwitchBlock` → normal V2 block, extract QC from extra fields, defer `processQC` if proposed block missing. The walk-back loop is bounded by `h.Number >= SwitchBlock` and terminates when `h == nil` (genesis) or when the switch block is found. This is correct. --- ## 2. Walk-Back Logic — Finding Checkpoint Header (Lines 366-373) ### Code ```go if header != nil && header.Number.Uint64() > x.config.V2.SwitchBlock.Uint64() { for h := header; h != nil && h.Number.Uint64() >= x.config.V2.SwitchBlock.Uint64(); h = chain.GetHeader(h.ParentHash, h.Number.Uint64()-1) { if h.Number.Uint64() == x.config.V2.SwitchBlock.Uint64() { checkpointHeader = h break } } } ``` ### Verdict: CORRECT ✅ - **Indentation fix (C11)** was applied in commit `5580fde71`. The loop is now properly scoped outside the `if checkpointHeader == nil` block. - The walk-back terminates correctly at the switch block or when `chain.GetHeader` returns nil. - **Potential edge case**: If the chain DB is missing intermediate headers between `header` and the switch block (e.g., due to a partial sync), `chain.GetHeader` will return nil and the loop will exit without finding the switch block. The subsequent `checkpointHeader == nil` check handles this gracefully by returning an error. --- ## 3. `GetMasternodesFromEpochSwitchHeader()` — Validator Reading (Lines 866-900) ### What changed - **Signature changed** to accept `chain consensus.ChainReader` (needed for future extensibility, though currently unused in the function body). - **V1→V2 switch block special case** (line 876): Explicitly uses `decodeMasternodesFromHeaderExtra(header)` because the switch block has V1-format `header.Extra` and may have invalid V1-format `header.Validators`. - **V1 pre-switch guard (C14)** (lines 883-888): Explicitly rejects headers before the switch block with an error log, preventing garbage masternode lists from 4-byte ASCII M2 indices. - **V2 epoch switch blocks** (lines 891-897): Reads from `header.Validators` with a length check (`len % 20 == 0`). ### Verdict: CORRECT ✅ The three-way discrimination is sound: 1. `header.Number == SwitchBlock` → decode from `Extra` (V1 format). 2. `header.Number < SwitchBlock` → reject (bug if called). 3. `header.Number > SwitchBlock` → read from `Validators` (V2 format). --- ## 4. Remaining Bugs / Risks That Could Cause Sync Failures ### Risk A: `getEpochSwitchInfo` Recursion Guard (C12) — Lines 1191-1225 The C12 fix uses a `sync.Mutex` + `map[common.Hash]struct{}` + `time.Sleep` polling: ```go x.epochSwitchMu.Lock() if _, inProgress := x.epochSwitchInProgress[hash]; inProgress { x.epochSwitchMu.Unlock() for i := 0; i < 10; i++ { time.Sleep(10 * time.Millisecond) if info, ok := x.epochSwitches.Get(hash); ok && info != nil { return info, nil } } return nil, fmt.Errorf("recursive getEpochSwitchInfo call detected for hash %s", hash.Hex()) } ``` **Issue**: Under heavy concurrent load (many sync peers calling `VerifyHeader` simultaneously), 100ms may not be enough for the in-progress goroutine to complete the recursive DB walk and populate the cache. This could cause spurious "recursive call detected" errors that abort sync. **Severity**: Low-to-moderate. The error is transient and the next block may succeed, but it could cause sync stuttering. **Recommendation**: Replace the polling loop with a `sync.Cond` or a per-hash promise/future pattern to avoid arbitrary timeouts. --- ### Risk B: `repairSnapshot` Recursive Depth `repairSnapshot` (line 779) recursively walks back by `x.config.Epoch` (900 blocks) until it finds a valid snapshot. For a node syncing from genesis to a head millions of blocks past the switch block, this could theoretically recurse thousands of times. **Issue**: There is no depth limit in `repairSnapshot`. If every epoch's snapshot is corrupted or missing, this will recurse until it hits the switch block, which is fine, but for very long chains the recursion depth could be large (though not stack-overflow large in Go, which grows the stack). **Severity**: Very low. Go's segmented stacks handle this, but it's worth noting. --- ### Risk C: `verifyHeader` Calls `calcMasternodes` Which Calls `getSnapshot` Which May Call `repairSnapshot` During bulk sync, `verifyHeader` (line 144) calls `calcMasternodes`. If the snapshot is missing, `getSnapshot` calls `repairSnapshot`, which may recursively call `calcMasternodes` for previous epochs. This is the exact recursion pattern that C12 guards against in `getEpochSwitchInfo`, but there is **no similar guard in `getSnapshot`/`repairSnapshot`**. **Issue**: If `repairSnapshot` triggers `calcMasternodes` for a previous epoch, and that triggers `getSnapshot` → `repairSnapshot` again, we have unguarded recursion. However, `repairSnapshot` seeds the previous gap snapshot into the cache (`x.snapshots.Add`) before calling `calcMasternodes`, so the next call should hit the cache. This is likely safe, but it's a complex interaction. **Severity**: Low. The cache seeding prevents infinite recursion, but a race condition between concurrent `repairSnapshot` calls for the same gap block is theoretically possible. --- ### Risk D: `UpdateMasternodesFromHeader` — Smart Contract State Dependency (Lines 1047-1100) This new function reads candidates from the smart contract state at the gap block: ```go candidates := state.GetCandidates(statedb) ``` **Issue**: During bulk sync, the `statedb` passed to `UpdateMasternodesFromHeader` must be the state at the gap block. If the state is not yet available (e.g., because the node is still downloading state via snap sync), `GetCandidates` may return empty or incorrect results. The fallback to `calcMasternodes` mitigates this, but `calcMasternodes` itself may fail if the previous snapshot is missing. **Severity**: Moderate. This is primarily a concern for snap sync, not full sync. The fallback path exists. --- ### Risk E: No Tests for the V2 Switch Block Sync Path The test file `engine_v2_test.go` (304 lines) covers: - Vote pool add/count/clear - Timeout pool add - QC signature encoding / deep copy - Forensics `SetCommittedQCs` length checks - `VoteSigHash` / `TimeoutSigHash` determinism **Missing**: No test for `initial()` with a mock chain where: - `chain.GetHeaderByNumber(SwitchBlock)` returns nil (simulating early sync) - `header.Number > SwitchBlock` and the walk-back must find the switch block - `loadSnapshot` returns nil and the snapshot must be bootstrapped from the checkpoint header - `GetMasternodesFromEpochSwitchHeader` is called with a V1-format switch block header **Severity**: Moderate. The logic appears correct by inspection, but without tests, regressions are possible. --- ## 5. Additional Observations ### PBSS Recovery Changes (core/blockchain.go) The PBSS recovery changes are substantial and well-documented: - **Stale `StateSyncRunning` flag clearing** (Fix #61): Correct — XDC uses pre-merge sync, so a stale flag would disable pathdb. - **Disk layer root fast path** (Fix #35/#36): Correct — avoids the 10K-block backward scan on every startup by checking `triedb.DiskLayerRoot()` first. - **Checkpoint rewind for missing state** (Fix #36): Correct — rewinds to the nearest 900-block checkpoint instead of genesis, which is safe because checkpoint blocks always commit state. - **Commit root caching** (`XdcGetCachedStateRoot`): Correct — ensures trie nodes are committed under the GP5-computed root rather than the header root, which differs due to uint256/BigBalance encoding. ### Snapshot Key Format Change `snapshot.go` changed the DB key from `"xdpos-v2-snapshot-" + hash.Hex()` to `"XDPoS-V2-" + hash[:]`. This is **backward-incompatible** for existing snapshots. However, the PR also adds logic to evict and rebuild snapshots at the V2 switch block, so existing corrupted snapshots are discarded anyway. This is acceptable for a recovery fix. ### Singleton Pattern in `New()` The `XDPoS_v2` engine now uses a singleton pattern (`engineOnce.Do`) to prevent multiple engine instances. This is a pragmatic fix for memory leaks but could cause issues in tests that create multiple engines with different configs. The comment acknowledges this. --- ## Final Verdict | Criterion | Rating | Notes | |-----------|--------|-------| | `initial()` V2 switch handling | ✅ Correct | Proper QC skip, walk-back, masternode extraction | | Walk-back logic | ✅ Correct | C11 indentation fix applied, bounded loop | | `GetMasternodesFromEpochSwitchHeader()` | ✅ Correct | Three-way V1/switch/V2 discrimination | | Recursion guard (C12) | ⚠️ Acceptable | `time.Sleep` polling is pragmatic but not ideal | | `repairSnapshot` recursion | ⚠️ Low risk | No explicit depth limit, but cache seeding prevents loops | | `UpdateMasternodesFromHeader` state dependency | ⚠️ Moderate risk | Fallback exists, but snap-sync edge case untested | | Test coverage | ❌ Insufficient | No tests for `initial()` or switch-block sync path | | PBSS recovery | ✅ Correct | Well-documented, addresses #310 | **Recommendation: APPROVE with suggestions** 1. Add an integration test for `initial()` with a mock chain simulating the V2 switch block sync scenario. 2. Consider replacing the `time.Sleep` polling in `getEpochSwitchInfo` with a `sync.Cond` or promise pattern. 3. Add a depth limit or loop guard to `repairSnapshot` for defensive programming. 4. Ensure the singleton `engineOnce` does not break unit tests that need multiple engine configs. The PR fixes the reported issues (#405, #404, #310) and the latest commit (`5580fde71`) correctly addresses the C11 and C12 findings. No critical bugs remain that would definitively cause sync failures at the V2 switch block, but the moderate-risk items above should be monitored.