Punish offline validators, aura-style (#1216)

* make offline-reporting infrastructure more generic

* add a listener-trait for watching when the timestamp has been set

* prevent inclusion of empty offline reports

* add test for exclusion

* generate aura-offline reports

* ability to slash many times for being offline "multiple" times

* Logic for punishing validators for missing aura steps

* stub tests

* pave way for verification of timestamp vs slot

* alter aura import queue to wait for timestamp

* check timestamp matches seal

* do inherent check properly

* service compiles

* all tests compile

* test srml-aura logic

* aura tests pass

* everything builds

* some more final tweaks to block authorship for aura

* switch to manual delays before step

* restore substrate-consensus-aura to always std and address grumbles

* update some state roots in executor tests

* node-executor tests pass

* get most tests passing

* address grumbles

substrate/srml/aura/src/lib.rs

@@ -0,0 +1,199 @@
+// Copyright 2017-2018 Parity Technologies (UK) Ltd.
+// This file is part of Substrate.
+
+// Substrate is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// Substrate is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with Substrate.  If not, see <http://www.gnu.org/licenses/>.
+
+//! Consensus extension module for Aura consensus. This manages offline reporting.
+
+#![cfg_attr(not(feature = "std"), no_std)]
+
+#[allow(unused_imports)]
+#[macro_use]
+extern crate sr_std as rstd;
+
+#[macro_use]
+extern crate parity_codec_derive;
+extern crate parity_codec;
+
+#[macro_use]
+extern crate srml_support as runtime_support;
+
+extern crate sr_primitives as primitives;
+extern crate srml_system as system;
+extern crate srml_timestamp as timestamp;
+extern crate srml_staking as staking;
+extern crate substrate_primitives;
+
+#[cfg(test)]
+extern crate srml_consensus as consensus;
+
+#[cfg(test)]
+extern crate sr_io as runtime_io;
+
+#[cfg(test)]
+#[macro_use]
+extern crate lazy_static;
+
+#[cfg(test)]
+extern crate parking_lot;
+
+use rstd::prelude::*;
+use runtime_support::storage::StorageValue;
+use runtime_support::dispatch::Result;
+use primitives::traits::{As, Zero};
+use timestamp::OnTimestampSet;
+
+mod mock;
+mod tests;
+
+/// Something which can handle Aura consensus reports.
+pub trait HandleReport {
+	fn handle_report(report: AuraReport);
+}
+
+impl HandleReport for () {
+	fn handle_report(_report: AuraReport) { }
+}
+
+pub trait Trait: timestamp::Trait {
+	/// The logic for handling reports.
+	type HandleReport: HandleReport;
+}
+
+decl_storage! {
+	trait Store for Module<T: Trait> as Aura {
+		// The last timestamp.
+		LastTimestamp get(last) build(|_| T::Moment::sa(0)): T::Moment;
+	}
+}
+
+decl_module! {
+	pub struct Module<T: Trait> for enum Call where origin: T::Origin { }
+}
+
+/// A report of skipped authorities in aura.
+#[derive(Clone, Encode, Decode, PartialEq, Eq)]
+#[cfg_attr(feature = "std", derive(Debug))]
+pub struct AuraReport {
+	// The first skipped slot.
+	start_slot: usize,
+	// The number of times authorities were skipped.
+	skipped: usize,
+}
+
+impl AuraReport {
+	/// Call the closure with (validator_indices, punishment_count) for each
+	/// validator to punish.
+	pub fn punish<F>(&self, validator_count: usize, mut punish_with: F)
+		where F: FnMut(usize, usize)
+	{
+		let start_slot = self.start_slot % validator_count;
+
+		// the number of times everyone was skipped.
+		let skipped_all = self.skipped / validator_count;
+		// the number of validators who were skipped once after that.
+		let skipped_after = self.skipped % validator_count;
+
+		let iter = (start_slot..validator_count).into_iter()
+			.chain(0..start_slot)
+			.enumerate();
+
+		for (rel_index, actual_index) in iter {
+			let slash_count = skipped_all + if rel_index < skipped_after {
+				1
+			} else {
+				// avoid iterating over all authorities when skipping a couple.
+				if skipped_all == 0 { break }
+				0
+			};
+
+			if slash_count > 0 {
+				punish_with(actual_index, slash_count);
+			}
+		}
+	}
+}
+
+impl<T: Trait> Module<T> {
+	/// Determine the Aura slot-duration based on the timestamp module configuration.
+	pub fn slot_duration() -> u64 {
+		// we double the minimum block-period so each author can always propose within
+		// the majority of their slot.
+		<timestamp::Module<T>>::block_period().as_().saturating_mul(2)
+	}
+
+	/// Verify an inherent slot that is used in a block seal against a timestamp
+	/// extracted from the block.
+	// TODO: ensure `ProvideInherent` can deal with dependencies like this.
+	// https://github.com/paritytech/substrate/issues/1228
+	pub fn verify_inherent(timestamp: T::Moment, seal_slot: u64) -> Result {
+		let timestamp_based_slot = timestamp.as_() / Self::slot_duration();
+
+		if timestamp_based_slot == seal_slot {
+			Ok(())
+		} else {
+			Err("timestamp set in block doesn't match slot in seal".into())
+		}
+	}
+
+	fn on_timestamp_set<H: HandleReport>(now: T::Moment, slot_duration: T::Moment) {
+		let last = Self::last();
+		<Self as Store>::LastTimestamp::put(now.clone());
+
+		if last == T::Moment::zero() {
+			return;
+		}
+
+		assert!(slot_duration > T::Moment::zero(), "Aura slot duration cannot be zero.");
+
+		let last_slot = last / slot_duration.clone();
+		let first_skipped = last_slot.clone() + T::Moment::sa(1);
+		let cur_slot = now / slot_duration;
+
+		assert!(last_slot < cur_slot, "Only one block may be authored per slot.");
+		if cur_slot == first_skipped { return }
+
+		let slot_to_usize = |slot: T::Moment| { slot.as_() as usize };
+
+		let skipped_slots = cur_slot - last_slot - T::Moment::sa(1);
+
+		H::handle_report(AuraReport {
+			start_slot: slot_to_usize(first_skipped),
+			skipped: slot_to_usize(skipped_slots),
+		})
+	}
+}
+
+impl<T: Trait> OnTimestampSet<T::Moment> for Module<T> {
+	fn on_timestamp_set(moment: T::Moment) {
+		Self::on_timestamp_set::<T::HandleReport>(moment, T::Moment::sa(Self::slot_duration()))
+	}
+}
+
+/// A type for performing slashing based on aura reports.
+pub struct StakingSlasher<T>(::rstd::marker::PhantomData<T>);
+
+impl<T: staking::Trait + Trait> HandleReport for StakingSlasher<T> {
+	fn handle_report(report: AuraReport) {
+		let validators = staking::Module::<T>::validators();
+
+		report.punish(
+			validators.len(),
+			|idx, slash_count| {
+				let v = validators[idx].clone();
+				staking::Module::<T>::on_offline_validator(v, slash_count);
+			}
+		);
+	}
+}

substrate/srml/aura/src/mock.rs

@@ -0,0 +1,78 @@
+// Copyright 2018 Parity Technologies (UK) Ltd.
+// This file is part of Substrate.
+
+// Substrate is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// Substrate is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with Substrate.  If not, see <http://www.gnu.org/licenses/>.
+
+//! Test utilities
+
+#![cfg(test)]
+
+use primitives::{BuildStorage, testing::{Digest, DigestItem, Header}};
+use runtime_io;
+use substrate_primitives::{H256, Blake2Hasher};
+use {Trait, Module, consensus, system, timestamp};
+
+impl_outer_origin!{
+	pub enum Origin for Test {}
+}
+
+// Workaround for https://github.com/rust-lang/rust/issues/26925 . Remove when sorted.
+#[derive(Clone, PartialEq, Eq, Debug)]
+pub struct Test;
+
+impl consensus::Trait for Test {
+	const NOTE_OFFLINE_POSITION: u32 = 1;
+	type Log = DigestItem;
+	type SessionKey = u64;
+	type InherentOfflineReport = ();
+}
+
+impl system::Trait for Test {
+	type Origin = Origin;
+	type Index = u64;
+	type BlockNumber = u64;
+	type Hash = H256;
+	type Hashing = ::primitives::traits::BlakeTwo256;
+	type Digest = Digest;
+	type AccountId = u64;
+	type Header = Header;
+	type Event = ();
+	type Log = DigestItem;
+}
+
+impl timestamp::Trait for Test {
+	const TIMESTAMP_SET_POSITION: u32 = 0;
+
+	type Moment = u64;
+	type OnTimestampSet = Aura;
+}
+
+impl Trait for Test {
+	type HandleReport = ();
+}
+
+pub fn new_test_ext(authorities: Vec<u64>) -> runtime_io::TestExternalities<Blake2Hasher> {
+	let mut t = system::GenesisConfig::<Test>::default().build_storage().unwrap().0;
+	t.extend(consensus::GenesisConfig::<Test>{
+		code: vec![],
+		authorities,
+	}.build_storage().unwrap().0);
+	t.extend(timestamp::GenesisConfig::<Test>{
+		period: 1,
+	}.build_storage().unwrap().0);
+	t.into()
+}
+
+pub type System = system::Module<Test>;
+pub type Aura = Module<Test>;

substrate/srml/aura/src/tests.rs

@@ -0,0 +1,79 @@
+// Copyright 2017-2018 Parity Technologies (UK) Ltd.
+// This file is part of Substrate.
+
+// Substrate is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// Substrate is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with Substrate.  If not, see <http://www.gnu.org/licenses/>.
+
+//! Tests for the module.
+
+#![cfg(test)]
+
+use mock::{System, Aura, new_test_ext};
+use primitives::traits::Header;
+use runtime_io::with_externalities;
+use parking_lot::Mutex;
+use {AuraReport, HandleReport};
+
+#[test]
+fn aura_report_gets_skipped_correctly() {
+	let mut report = AuraReport {
+		start_slot: 0,
+		skipped: 30,
+	};
+
+	let mut validators = vec![0; 10];
+	report.punish(10, |idx, count| validators[idx] += count);
+
+	assert_eq!(validators, vec![3; 10]);
+
+	let mut validators = vec![0; 4];
+	report.punish(4, |idx, count| validators[idx] += count);
+	assert_eq!(validators, vec![8, 8, 7, 7]);
+
+	report.start_slot = 2;
+	report.punish(4, |idx, count| validators[idx] += count);
+	assert_eq!(validators, vec![15, 15, 15, 15]);
+}
+
+#[test]
+fn aura_reports_offline() {
+	lazy_static! {
+		static ref SLASH_COUNTS: Mutex<Vec<usize>> = Mutex::new(vec![0; 4]);
+	}
+
+	struct HandleTestReport;
+	impl HandleReport for HandleTestReport {
+		fn handle_report(report: AuraReport) {
+			let mut counts = SLASH_COUNTS.lock();
+			report.punish(counts.len(), |idx, count| counts[idx] += count);
+		}
+	}
+
+	with_externalities(&mut new_test_ext(vec![0, 1, 2, 3]), || {
+		System::initialise(&1, &Default::default(), &Default::default());
+		let slot_duration = Aura::slot_duration();
+
+		Aura::on_timestamp_set::<HandleTestReport>(5 * slot_duration, slot_duration);
+		let header = System::finalise();
+
+		// no slashing when last step was 0.
+		assert_eq!(SLASH_COUNTS.lock().as_slice(), &[0, 0, 0, 0]);
+
+		System::initialise(&2, &header.hash(), &Default::default());
+		Aura::on_timestamp_set::<HandleTestReport>(8 * slot_duration, slot_duration);
+		let _header = System::finalise();
+
+		// Steps 6 and 7 were skipped.
+		assert_eq!(SLASH_COUNTS.lock().as_slice(), &[0, 0, 1, 1]);
+	});
+}