feat: committor service #366
Conversation
- at this point schedule commit tests pass with maximum concurrency
There was a problem hiding this comment.
Good job at documenting the code so thoroughly, left some nits, I have to trust that the logic is sane and the test suite covers all the edge case, as trying to completely understand the entire interplay of all the components would take prohibitive amount of time.
| res.await | ||
| .map_err(|err| { | ||
| // Send request error | ||
| AccountClonerError::CommittorSerivceError(format!("{:?}", err)) |
There was a problem hiding this comment.
| AccountClonerError::CommittorSerivceError(format!("{:?}", err)) | |
| AccountClonerError::CommittorSerivceError(format!("error sending request {err:?}")) |
| let max_slot = scheduled_commits | ||
| .iter() | ||
| .map(|commit| commit.slot) | ||
| .max() | ||
| .unwrap(); | ||
| // Safety we just obtained the max slot from the scheduled commits | ||
| let ephemeral_blockhash = scheduled_commits | ||
| .iter() | ||
| .find(|commit| commit.slot == max_slot) | ||
| .map(|commit| commit.blockhash) | ||
| .unwrap(); | ||
|
|
||
| changeset.slot = max_slot; |
There was a problem hiding this comment.
| let max_slot = scheduled_commits | |
| .iter() | |
| .map(|commit| commit.slot) | |
| .max() | |
| .unwrap(); | |
| // Safety we just obtained the max slot from the scheduled commits | |
| let ephemeral_blockhash = scheduled_commits | |
| .iter() | |
| .find(|commit| commit.slot == max_slot) | |
| .map(|commit| commit.blockhash) | |
| .unwrap(); | |
| changeset.slot = max_slot; | |
| let mut changeset = Changeset::default(); | |
| let Some(commit) = scheduled_commits.iter().max_by_key(|commit| commit.slot) else { | |
| return Ok(()); | |
| }; | |
| let max_slot = commit.slot; | |
| let ephemeral_blockhash = commit.blockhash; | |
| changeset.slot = max_slot; |
There was a problem hiding this comment.
I'd say we can safely unwrap()
There was a problem hiding this comment.
Or keep this and remove empty check above
if scheduled_commits.is_empty() {
return Ok(());
}There was a problem hiding this comment.
Yeah I agree that unwrap is ok. It is very clear that it is a logic (dev) error if we'd crash there (and in that case we'd want to instead of just happily returning Ok)
| msg!("Error: {:?}", e); | ||
| use CommittorError::*; | ||
| let n = match e { | ||
| UnableToSerializeChangeSet(_) => 0x69000, |
There was a problem hiding this comment.
What are those magic numbers? Some explanatory comments would be helpful
There was a problem hiding this comment.
This is just us namespacing our errors. I tried to use a starting value that no other programs are using in order to be able to identify errors coming from our program. Any starting number will do here.
| /// - *returns* `true` if the pubkey could be reserved | ||
| fn reserve(&self, pubkey: &Pubkey) -> bool { | ||
| if let Some(count) = self.pubkeys.get(pubkey) { | ||
| count.fetch_add(1, Ordering::SeqCst); |
There was a problem hiding this comment.
SeqCst is a total overkill, Relaxed would be totally correct as we are not synchronizing any other state through this atomic
There was a problem hiding this comment.
I'm not 100% sure and if we get this wrong then we might end up with stuck lookup tables (which could be expensive for validator operators).
So at a minimal added cost when this method is called I attempt to prevent this.
I'm open to change this to relaxed if we ensure there is no way for race conditions.
| fn release(&self, pubkey: &Pubkey) -> bool { | ||
| if let Some(count) = self.pubkeys.get(pubkey) { | ||
| count | ||
| .fetch_update(Ordering::SeqCst, Ordering::SeqCst, |x| { |
There was a problem hiding this comment.
ditto, SeqCst is an overkill, since no other state is synchronized
| fn has_reservations(&self) -> bool { | ||
| self.pubkeys | ||
| .values() | ||
| .any(|rc_pubkey| rc_pubkey.load(Ordering::SeqCst) > 0) |
There was a problem hiding this comment.
ditto, Ordering::Relaxed is enough
| }) | ||
| } | ||
|
|
||
| /// Returns `true` if the we requested to deactivate this table. |
There was a problem hiding this comment.
| /// Returns `true` if the we requested to deactivate this table. | |
| /// Returns `true` if we have already requested to deactivate this table. |
There was a problem hiding this comment.
No need to get more wordy here (the already is basically a flller IMO).
|
|
||
| #[derive(Clone)] | ||
| pub struct TableMania { | ||
| pub active_tables: Arc<RwLock<Vec<LookupTableRc>>>, |
There was a problem hiding this comment.
I guess some research was made to justify the usage of async synchronization primitives, i.e. they will be used in highly concurrent environments and with lock guards being held across await points, if not, then their use is unjustified.
| @@ -66,6 +70,20 @@ pub enum AccountClonerUnclonableReason { | |||
| DelegatedAccountsNotClonedWhileHydrating, | |||
| } | |||
|
|
|||
| pub async fn map_committor_request_result<T>( | |||
There was a problem hiding this comment.
I would propose to use imp From<> for AccountClonerError to get rid of this function. It adds more indirection where code is really simple.
There was a problem hiding this comment.
I prefer to have this be a very explicit conversion as we also include some more information on top.
There was a problem hiding this comment.
I feel like ChangesetBundles::from would be explicit enough
| "Committor service persists to: {}", | ||
| committor_persist_path.display() | ||
| ); | ||
| let committor_service = Arc::new(CommittorService::try_start( |
There was a problem hiding this comment.
That goes out from usual flow of services. Would be good to start it from Validator::start along with other services
There was a problem hiding this comment.
If I remember correctly specific services have to be started only after some other services are started already.
Here we start all those services together in the right order.
There was a problem hiding this comment.
I felt it was due to separation: instance creation, start work
There was a problem hiding this comment.
For ease of reading I think Actor shall be moved to its personal file
There was a problem hiding this comment.
I don't agree as the actor is just the internal impl of the API interface and both are tightly coupled, thus makes sense to have them in the same module.
| RpcClientError(#[from] solana_rpc_client_api::client_error::Error), | ||
|
|
||
| #[error("Error getting blockhash: {0} ({0:?})")] | ||
| GetLatestBlockhash(solana_rpc_client_api::client_error::Error), |
There was a problem hiding this comment.
Are those errors intended to be handled? Not sure we need error per rpc entrypoint. If we want to have extra context I'd suggest logging instead
There was a problem hiding this comment.
In a more core lib (which this is) you don't want to just log, but provide detailed errors ror the upper level logic to handle, i.e. it might handle a missing blockhash differently than a deserialization error.
If we don't provide different errors for those cases then this is not possible.
| }; | ||
|
|
||
| let storing = remaining[..storing_len].to_vec(); | ||
| let stored = table |
There was a problem hiding this comment.
We could make this work without new allocations at all.
We just pass &mut remaining into extend_respecting_capacity, which would pop from the back pubkeys it needs
|
|
||
| /// How many process and commit buffer instructions fit into a single transaction | ||
| #[allow(unused)] // serves as documentation as well | ||
| pub(crate) const MAX_PROCESS_PER_TX: u8 = 3; |
There was a problem hiding this comment.
How were those consts determined? I think also worth adding this information as comment
There was a problem hiding this comment.
See tests below in this file
| /// when using address lookup tables but not including the buffer account in the | ||
| /// lookup table | ||
| #[allow(unused)] // serves as documentation as well | ||
| pub(crate) const MAX_PROCESS_PER_TX_USING_LOOKUP: u8 = 12; |
There was a problem hiding this comment.
How were those consts determined? I think also worth adding this information as comment
There was a problem hiding this comment.
See tests below in this file
| .first() | ||
| .map(|(_, acc)| acc.bundle_id()) | ||
| .unwrap_or_default(); | ||
| Err(CommittorServiceError::CouldNotFindCommitStrategyForBundle( |
There was a problem hiding this comment.
Feels like a very critical error. It pretty much breaks a contract that validator has with user - you can commit and undelegate your state, With this it's not true anymore.
it actually shall be slashable when validator doesn't commits or undelegates your state. Now it will be hard to handle this.
I think our magicblock-program shall have some surface-level check to reject impossible commits. Like if number of accounts to commit somehow > 32*256 (possible with lookup tables) we panic. or even > 30 * 256. Also we could pretty easily calculate overall sizes of committed accounts and make some estimates.
Thesis is: if something made it into scheduled_commits it has to be commited, otherwise validator is slashed. So here we need to panic really
There was a problem hiding this comment.
Interesting idea. However our validator needs to keep running in these cases and there is no direct way to communicate this back to the user. Keep in mind that it is the program that schedules commits, so there is no way this is the validator's fault if we exceed limits. Instead we fail those commits and keep an entry in our DB which we can then query in order to provide feedback to program authors about those violations. For now manually, but possibly we may provide a query interface for validator operators or even users as well (i.e. as part of a dashboard).
| undelegation_requested: commit.request_undelegation, | ||
| }); | ||
| committees.push(( | ||
| commit.id, |
There was a problem hiding this comment.
No need in commit.id here. In committees vector the all belong to same id
There was a problem hiding this comment.
We need that id further down.
There was a problem hiding this comment.
Couldn't find it, maybe missed it. Which part do you refer to?
| lamports: committee.account_data.lamports(), | ||
| data: committee.account_data.data().to_vec(), | ||
| owner: committee.owner, | ||
| bundle_id, |
There was a problem hiding this comment.
| bundle_id, | |
| commit.id, |
There was a problem hiding this comment.
Do we ever clean the entries up?
|
|
||
| pub fn ensure_processed() -> Self { | ||
| Self::SendAndConfirm { | ||
| wait_for_blockhash_to_become_valid: Some(Duration::from_millis( |
There was a problem hiding this comment.
Not sure we need all of the Options in MagicBlockSendTransactionConfig if all of those are defined, or defaulted to some value during runtime.
MagicBlockSendTransactionConfig can get rid from all the Options
There was a problem hiding this comment.
This library is intended to be used in more cases in the future (than just from the committer service). Therefore I made them configurable.
| wait_for_commitment_level | ||
| { | ||
| let now = Instant::now(); | ||
| let check_for_commitment_interval = check_for_commitment_interval |
There was a problem hiding this comment.
Value can be defaulted to this on construction if not set.
There was a problem hiding this comment.
I wanted to do this at last possible moment and closer to the code that uses it.
| .map(|account| account.bundle_id) | ||
| .collect::<HashSet<_>>() | ||
| { | ||
| let bundle_signatures = match changeset_committor |
There was a problem hiding this comment.
Why don't we return all of the signatures as result of commit_changeset?
- That would allow us to clean entries right away from persister.
- At this point all of the signatures already available, this call just reads them from db.
There was a problem hiding this comment.
I agree we could, but I don't want to introduce two sources of truth.
The idea is to return minimal info as part of the result and only if more details are needed do we query the DB.
There was a problem hiding this comment.
This would be 1 source of truth - returned value.
I see 2 problems with the other way around:
- we perform I/O for something that is result of function
- Persister isn't cleaned
There was a problem hiding this comment.
Source of truth is that is in the DB, we don't have to also return it IMO.
I/O is only needed if something goes wrong.
Cleaning of persister (removing rows for successful commits) will be added in a follow up once we saw everything working as expected.
|
|
||
| // Allow the committer service to reserve pubkeys in lookup tables | ||
| // that could be needed when we commit this account | ||
| map_committor_request_result( |
There was a problem hiding this comment.
It looks like all pubkeys will be in some lookup table, even when they're not needed to. For example, do we need this in case when we can commit using just arguments?
There was a problem hiding this comment.
Why don't we create tables only when necessary?
There was a problem hiding this comment.
We don't know this ahead of time, but need to prepare for the case where we do need them in order to save time in that case. This was a nice optimization idea by @bmuddha
There was a problem hiding this comment.
That's a valid point, but the other side is that validator pays when this may not be needed. I don't think waiting for txs to land in this case is so critical.
But it depends what we want to opimize at the end
There was a problem hiding this comment.
We optimize for fast commits
There was a problem hiding this comment.
What happens with TableMania if validator is restarted?
It looks like if validator is restarted we would start from scratch, creating lookup tables for pubkeys, that actually are already in some lookup table
There was a problem hiding this comment.
That's a great observation. Remember that we derive the tablemania pubkeys deterministically which allows to find old tables and close them later to refund cost to the validator.
The alternative would be to delay validator stop for a few slots until we were able to deactivate and then close all tables (not a good solution IMO).
There was a problem hiding this comment.
Why do we need the garbage collector TableMania? Unless I miss something, now it looks like:
- once some account per pubkey is cloned, we extend/create a new table, or do nothing.
- once the addresses in table all undelegated it can be cleaned up.
From here I don't see why we need garbage collector:
- Ideally use tables only when its required for successful commit. Insert/extend/do nothing(if present) as per current logic
- Once the last key in some table is released - deactivate table right away.
No need for garbage collector.
There was a problem hiding this comment.
We need to first deactivate the table (checking in the background if that is possible).
Then we need to wait for a few slots until we can close it.
We cannot do this as part of the flow which needs to be fast.
There was a problem hiding this comment.
No, the part of asynchronous deactivation is fine with me) By garbage collector I also implied our reference counting and all that logic. It isn't needed in this flow. Even in current implementation the tables will be marked deactivated. so we can just completely remove garbage collection based on reference counting.
There was a problem hiding this comment.
How is that not needed? We need to know which pubkeys are still in use in order to know which tables can be deactivated and later closed. Keep in mind that we want to clean up the lookup tables as soon as possible, i.e. when we know that certain accounts were undelegated and thus will no longer be committed until they are delegated and cloned again.
There was a problem hiding this comment.
I'd suggest keeping it ./programs folder
There was a problem hiding this comment.
That folder is for programs that are part of our ephemeral validator. This program will be deployed on dev/mainnet, so it is different (more like the delegation program which is even in a separate repo)
| @@ -111,8 +102,13 @@ magicblock-accounts-api = { path = "./magicblock-accounts-api" } | |||
| magicblock-accounts-db = { path = "./magicblock-accounts-db" } | |||
| magicblock-api = { path = "./magicblock-api" } | |||
| magicblock-bank = { path = "./magicblock-bank" } | |||
| magicblock-committor-program = { path = "./magicblock-committor-program", features = [ | |||
There was a problem hiding this comment.
nitpick: we now have services ending with committor and committer, like RemoteAccountCommitter.
committor must be a typo
There was a problem hiding this comment.
No, everything in the committor-service is committor. RemoteAccountCommitter existed before.
It's a solana thing as we are buildooors. I'm trying to keep our codebase fun :)
There was a problem hiding this comment.
Pull Request Overview
This PR introduces a full committor service to support efficient, atomic account commits with integration across multiple modules including the new committor program, service, and lookup table management. Key changes include:
- Adding new crates (magicblock-committor-program and magicblock-committor-service) to handle commit data, buffer management, and persistence via SQLite.
- Integrating the committor service into the validator and account processing pipelines by updating the APIs and tests.
- Updating error handling and dependency configurations across several modules to support the new commit flows.
Reviewed Changes
Copilot reviewed 118 out of 118 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| magicblock-committor-program/src/consts.rs | Introduces new constant definitions supporting commit limits. |
| magicblock-api/src/tickers.rs | Integrates committor service references in slot ticker processing. |
| magicblock-api/src/magic_validator.rs | Incorporates committor service for reserve and commit operations. |
| magicblock-api/src/errors.rs | Adds new error variants including validator funding and committor. |
| magicblock-accounts/* | Updates signatures and test setups to propagate changeset_committor. |
| magicblock-account-cloner/* | Adjusts account cloning and error mapping to use changeset_committor. |
| Cargo.toml (workspace root and sub-crates) | Updates dependencies and workspace members for new committor crates. |
Comments suppressed due to low confidence (1)
magicblock-accounts/src/remote_scheduled_commits_processor.rs:216
- [nitpick] The process_changeset function contains several nested operations; consider refactoring parts of its logic into smaller helper functions to improve readability and maintainability.
fn process_changeset<CC: ChangesetCommittor>(...) {
| CommitBundleStrategy::try_from((bundle, finalize))?; | ||
| match commit_strategy { | ||
| CommitBundleStrategy::Args(bundle) => { | ||
| add_to_changeset( |
There was a problem hiding this comment.
is it safe to append on new iteration to same args_changeset?
Say we have 2 bundles:
Iteration 1 - we get CommitBundleStrategy::Args and push to args_changeset.
Iteration 2 - we get CommitBundleStrategy::Args and push to args_changeset.
Now the issue it that if bundle in Iteration 1 and 2 separately fit into args, doesn't mean they both will.
Looking into commit_changeset_using_args it doesn't handle them on bundle levels but tries create a single tx with data from 2 Iterations
| pubkey: Pubkey, | ||
| account: T, | ||
| ) -> bool { | ||
| self.accounts.insert(pubkey, account.into()).is_some() |
There was a problem hiding this comment.
/// If it already exists, it will be replaced, thus the caller needs
I think that could be an issue, assume actions.
Imagine:
- Bob makes a CommitWithActions with some accounts [acc1, acc2], and actions [a1, a2]. commit_id = 1
- Bob makes a CommitWithActions with some accounts [acc2, acc3], and actions [a3, a4]. commit_id = 2
At this point we would replaced acc2 with commit_id = 1, to acc2 with commit_id = 2. As result for commit_id/bundle_id = 1 we would commit [acc1] with actions [a1, a2], when user expected both of them to be commited, and action could be connected to state of acc2.
Shouldn't we keep all accounts per commit_id, and not replace them?
like:
First [acc1, acc2], and actions [a1, a2], then [acc2, acc3], and actions [a3, a4]
cc @GabrielePicco
* master: Optimizing column entries bookkeeping (#393) Update README.md (#396) Revert to using separate tokio runtime instance for RPC (#395) feat: fix release workflow (#392) Compaction V1: Manual compaction (#383) release: v0.1.3 (#391) Log validator version on startup (#390) Update README.md (#384) PubSub redesign from broadcast to multicast (#373)
* master: release: v0.1.7 (#409) Feat: simpler gasless implementation (#406) perf: run ensure accounts concurrently feat: account hydration on background task (#407) Revert "feat: Cleaner gasless implementation" (#405) feat: Cleaner gasless implementation (#360) fix: cleanup slots on non-fresh ledger (#404) release: v0.1.5 (#403) fix: properly init geyser plugin for rpc and use valid dummy Library (#402) release: v0.1.4 (#401) fix: remove grpc plugin altogether from geyser manager (#400) Patch tests from failing on subscription due to rate limits (#386)
Summary
Adding a full fledged committor service to support the following kind of commits:
easy to manually retry them or do this automatically (next committor version will support this)
Details
The following crates were developed
here and integrated
into the validator:
magicblock-rpc-client
signature status checking (including sane retries)
magicblock-table-mania
used in a transaction the needed table addresses are provided
all its pubkeys are released
magicblock-committor-program
(out of order is ok)
magicblock-committor-service
available
Sample Flow
service
lookup tables which we might need as fast as possible
is provided to the user via logs in a transaction (as we did before, just now we have to wait
for the commit to complete)
For those commits the committor service ensures that accounts with the same commit (bundle) id
are always processed atomically.
The committor service also picks the best possible strategy to commit each changeset,
preferring speed and then cost.
It also inserts configurable (via code) compute budget instructions to each transaction.
The outcome of each commit is persisted to a database which allows manual (and in the next
version) automated retries of failed commits.
Succeessful commits are also persisted to the database and can be used for diagnostics. In the
future they should be removed since no retry is necessary.
On chain signatures for process-commit/finaliz/undelegate transactions are also persisted to
the database in a separate table.
This table is queried by the validator to log those signatures as part of a transaction that
the user waits for.
Greptile Summary
This PR introduces a comprehensive committor service to the MagicBlock validator for managing account changes and transactions. The implementation includes a new Solana program for handling commits, a service layer for managing commit operations, and integration with lookup tables for transaction optimization.
magicblock-committor-programthat handles chunked account data commits with proper buffer management and security checksmagicblock-committor-servicethat orchestrates commit operations with support for bundling, lookup tables, and persistent status tracking via SQLitemagicblock-table-maniafor managing address lookup tables to optimize transaction sizesmagicblock-rpc-clientwith enhanced transaction handling and batched account fetching