Replies: 1 comment 1 reply
-
|
An important remark here that in CometBFT the So, we indeed collect extra Precommits for a already decided block, but the block is delivered to the application once it is decided. The Precommits for block For this reason, if processing a block takes |
Beta Was this translation helpful? Give feedback.
-
|
I was not aware of that optimization, thank you for the extra context Daniel, super helpful! |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Context
This question originally applied to malachite-simulator (code ref). But since it also applies more generally to the design of timeouts in the core library (not Quint specs), answering it here.
Question
Answer
Background
The Malachite implementation of Tendermint comprises 3 timeouts (timeoutPropose, timeoutPrevote and timeoutPrecommit as in the whitepaper) plus 1 extra timeout.
The extra timeout is Commit. This timeout is optional (not necessary strictly for Tendermint), and does not appear in the whitepaper.
Usefulness
It's unclear if this timeout will be needed in Starknet sequencer. We had discussed about it with the Starkware team a long while ago, before starting Malachite implementation. I recall we decided to add it in Malachite because it is an easy lift and it proved useful historically in other Tendermint-based apps from our experience.
The way timeout Commit is usually employed is to implement an "extra waiting time" once a validator gathered a certificate and reached a decision for a given height i.e.,
2f+1matching precommits. Specifically, once a validator has locally gathered the certificate for a decision at height H, it can (as in the whitepaper) simply move on to the next height H+1. In proof of stake systems, however, the exact composition of the 2f+1 precommits in the certificate is very important: Only those validators that have a precommit among the2f+1will receive rewards for having voted and participated in consensus. The other validators -- potentiallyfof them, because Tendermint works in then=3f+1model -- may never a reward because their precommit votes may not be in the initial set of2f+1gathered votes.By design, a validator should not wait for more than
2f+1because the otherfmay never arrive (may be faulty). However, the validator could wait for a small predefined window of time -- the timeout Commit parameter -- to give the chance for the latefvalidators to broadcast their precommit vote and to arrive at the other nodes in the network, thus being included in a certificate for height H (which will have>2f+1precommits). Again, this window of waiting is optional, and useful for proof of stake systems where rewards are based on precommit counting, roughly speaking.Why is the timeout triggering instantly in the malachite-simulator prototype code?
Briefly, because we want the system to be responsive. In other words, we use a
timeout Commit = 0. (code ref). In that prototype, we don't care about gathering more stake or precommits from validators. We want to proceed as fast as possible.Side note on responsiveness
This timeout was a big source of confusion, and led some people to think that Tendermint is not a responsive BFT consensus protocol. This is false: Tendermint is a responsive BFT consensus algorithm.
Employing the timeout Commit to a non-zero value will lead the consensus protocol, however, to employ a fixed timeout on the critical path of block building, which does make such a configuration non-responsive. This configuration is not even specified in the whitepaper, but is possible and sometimes useful, accepting the tradeoff that the deployment would not be responsive.
Beta Was this translation helpful? Give feedback.
All reactions