TxQ developer docs, and faster ledger size growth

[ximinez]

Two separate commits, I'm only putting them together because they both affect the TxQ.

1. Updates the developer docs for the TxQ and related classes. I think I got every class, function, and member.
2. Allows the open ledger limit to grow by 20% instead of one transaction per ledger, so that we can respond more quickly to "good" network traffic growth. Further, will cause the limit to be cut by 50% instead of cutting all the way down to 50 txs when we have "bad" network traffic. Ongoing attacks will quickly drop the limit back down to a minimum, while still costing the attacker a lot in fees, but will allow the limit to recover more quickly for short attacks or non-attack "hiccup" scenarios.

Note: I don't believe this change requires an amendment because it does not affect transaction processing, only queuing behavior.

[ripplelabs-jenkins]

Jenkins Build Summary

Built from this commit

Built at 20181002 - 00:32:16

Test Results

Build Type	Log	Result	Status
rpm	logfile	1036 cases, 0 failed, t: n/a	PASS ✅
msvc.Debug	logfile	1033 cases, 0 failed, t: 543s	PASS ✅
msvc.Debug, NINJA_BUILD=true	logfile	1033 cases, 0 failed, t: 565s	PASS ✅
msvc.Debug -Dunity=OFF	logfile	1033 cases, 0 failed, t: 1182s	PASS ✅
msvc.Release	logfile	1033 cases, 0 failed, t: 394s	PASS ✅
gcc.Release -Dassert=ON, MANUAL_TESTS=true	logfile	1101 cases, 0 failed, t: 925s	PASS ✅
docs	logfile	1035 cases, 0 failed, t: 423s	PASS ✅
gcc.Debug -Dcoverage=ON	logfile	1036 cases, 0 failed, t: 856s	PASS ✅
clang.Debug	logfile	1036 cases, 0 failed, t: 278s	PASS ✅
gcc.Debug	logfile	1036 cases, 0 failed, t: 291s	PASS ✅
clang.Debug -Dunity=OFF	logfile	1036 cases, 0 failed, t: 635s	PASS ✅
gcc.Debug -Dunity=OFF	logfile	1036 cases, 0 failed, t: 388s	PASS ✅
clang.Release -Dassert=ON	logfile	1035 cases, 0 failed, t: 403s	PASS ✅
gcc.Release -Dassert=ON	logfile	1035 cases, 0 failed, t: 425s	PASS ✅
gcc.Debug -Dstatic=OFF	logfile	1036 cases, 0 failed, t: 295s	PASS ✅
gcc.Debug -Dstatic=OFF -DBUILD_SHARED_LIBS=ON	logfile	1036 cases, 0 failed, t: 293s	PASS ✅
gcc.Debug, NINJA_BUILD=true	logfile	1036 cases, 0 failed, t: 267s	PASS ✅
clang.Debug -Dunity=OFF -Dsan=address, PARALLEL_TESTS=false, DEBUGGER=false	logfile	1036 cases, 0 failed, t: 731s	PASS ✅
clang.Debug -Dunity=OFF -Dsan=undefined, PARALLEL_TESTS=false	logfile	1036 cases, 0 failed, t: 888s	PASS ✅

[mellery451]

is this 25% number here the same as normal_consensus_increase_percent? If so, elsewhere the default says 20%.

[ximinez]

Woops. Dang, that messed up the example, too. Fixed.

[mellery451]

ie. --> i.e.

[ximinez]

Fixed

[mellery451]

27nd --> 27th ?

[ximinez]

Fixed

[mellery451]

indentation

[ximinez]

Fixed

[mellery451]

ie --> i.e.

[ximinez]

Fixed

[mellery451]

...pay TO bypass... ?

[ximinez]

Fixed

[scottschurr]

I'm only part way through the review, but here are a few thought I had while looking through the first commit.

[scottschurr]

Noting the difference between minFeeLevel and expFeeLevel. minFeeLevel is to get into the TxQ. expFeeLevel is to get into the current open ledger. Their names don't reflect that they operate on fundamentally different stuff (the TxQ vs the open ledger). I think that could be an added point of confusion in an already confusing area.

I don't mind long names, so I'll suggest txQMinFeeLevel and estOpenLedgerFeeLevel. I know that others are allergic to long names, so I don't necessarily expect you to use those.

[ximinez]

The thinking behind those names, IIRC, is that minFeeLevel is the minimum level to even be considered, while expFeeLevel is the expected level to be processed immediately.

What do you think about minProcessingFeeLevel and openLedgerFeeLevel? I think I'll also update the documentation again:

• minProcessingFeeLevel : minimum fee level for a transaction to be considered for the open ledger or the queue
• openLedgerFeeLevel: minimum fee level to get into the current open ledger, bypassing the queue

[scottschurr]

This description doesn't look right. The description talks about "all transactions". But the data structure contains a single shared_ptr to a single transaction. Does getTxs() return one of these for each transaction in the queue? If so, then a better comment might be...

"Structure that describes one transaction that should be considered for the open ledger."

[ximinez]

Looking at this description again, the phrasing is super-awkward. getTxs is what returns the descriptions for all transactions... I'm going to rewrite this one.

[scottschurr]

Hmmm. Interesting. If preflightResult is always tesSUCCESS, then what's the point in storing the value? Or even asking about it?

[ximinez]

IIRC, when I initially created the field, I was concerned there might be cases where it had some other value. Once I was convinced that there weren't it didn't occur to me to remove it. I'll double check, and do that now.

This description is wrong. There is an edge case where the result may not be tesSUCCESS - specifically if the rules or flags change after a transaction is queued, then TxQ::MaybeTx::apply can preflight again. It's unlikely, but I believe it's possible for that process to return a code that is not tesSUCCESS, but does not cause the transaction to be immediately removed from the queue, particularly if the attempt was made by TxQ::tryClearAccountQueue (speaking of complexity...).

[scottschurr]

Thanks for checking. You'll be adding a comment about the corner case I assume...

[ximinez]

Yep!

[scottschurr]

Does the "the math still works" mean that the math doesn't crash? The phrase, "the level will be higher than actually required" suggests that the math doesn't really work...

[ximinez]

"The math still works" means you're not going to get overflows, underflows, imaginary numbers, sqrt(pi), etc. I've rephrased the comment.

[scottschurr]

What are the conditions when the returned bool might be false? Perhaps this would be a good use for a boost::optional>?

[ximinez]

That's why I reference mulDiv. https://github.com/ximinez/rippled/blob/txq_doc/src/ripple/basics/mulDiv.h#L29

The bool can be false if the calculation overflows. The reason it returns a pair instead of an optional is that it populates a maxint value for the result, which the caller can use anyways if it wants.

[scottschurr]

Hmmm. Fair. If I'm desperate enough I can go look up the documentation on mulDiv at the cost of some small additional annoyance 😉 .

[ximinez]

I did update the description slightly, to mention that the flag indicates overflow.

[scottschurr]

Are there transactions in the queue that may never be applied to an open ledger? If so, why?

[ximinez]

There are several ways a transaction could fail to apply. Item 4 at https://github.com/ximinez/rippled/blob/txq_doc/src/ripple/app/misc/FeeEscalation.md#transaction-queue explains the possible results for a transaction in the queue.

[scottschurr]

Fair. I think what you're saying is that all transactions in the queue are intended to be applied to an open ledger (where the transaction may fail). Any given transaction in the queue may expire before that attempt is made. But there are no transactions in the queue which we know we will never apply to an open ledger.

And, no, I'm not going to ask you to put that in the comments 😉

[ximinez]

Correct. In fact, the biggest qualification for whether a transaction can be put into the queue is whether it is "likely to successfully claim a fee". And that is in the docs somewhere. 😀

[scottschurr]

What would cause the flags to change?

[ximinez]

One example: https://github.com/ximinez/rippled/blob/txq_doc/src/ripple/app/misc/impl/TxQ.cpp#L1123-L1132

[scottschurr]

Thanks. Sorry, I wasn't thinking about the flags in a broad enough sense. The comment is good as is.

[ximinez]

No problem.

[scottschurr]

Two suggestions:

• "... there is no limit ..."
• "... condition cannot last ..."

[ximinez]

Fixed

[scottschurr]

Generally looks good. I mostly had nits and questions.

I think my biggest concern is that I'd like you to convince me why this doesn't need to be on an amendment. I agree that this change doesn't directly affect any individual transaction. But it influences which transactions are considered for the open ledger. So at the point where this change is partially installed on the network different servers will build different ledgers. I think this could cause desyncing. And the validators might have more trouble coming to consensus during the transaction period. Putting this change on amendment would stabilize the transition.

I'm open to being convinced otherwise.

[scottschurr]

"... transactions to only ..."?

[ximinez]

Rewritten

[scottschurr]

"... or required the ..." -> "... or the required ..."?

[ximinez]

Fixed

[scottschurr]

Micro nit: you might look around these files for instances of "can not" and consider using "cannot" instead. I believe that "cannot" is, under most circumstances, considered the more desirable spelling.

[ximinez]

I would swear that I remember from my high school grammar rules that "cannot" is not only less preferred, but not legit at all. But I looked around a little bit, and yeah, I'm just wrong.

[codecov-io]

Codecov Report

Merging #2682 into develop will decrease coverage by <.01%.
The diff coverage is 92.3%.

@@             Coverage Diff             @@
##           develop    #2682      +/-   ##
===========================================
- Coverage    70.02%   70.01%   -0.01%     
===========================================
  Files          703      704       +1     
  Lines        55251    55272      +21     
===========================================
+ Hits         38687    38698      +11     
- Misses       16564    16574      +10

Impacted Files	Coverage Δ
src/ripple/app/misc/impl/TxQ.cpp	95.37% <100%> (+0.07%)	⬆️
src/ripple/app/misc/TxQ.h	96.87% <100%> (-0.1%)	⬇️
src/ripple/rpc/impl/TransactionSign.cpp	90.07% <100%> (ø)	⬆️
src/ripple/app/misc/NetworkOPs.cpp	63.33% <72.72%> (-0.05%)	⬇️
src/ripple/app/misc/SHAMapStoreImp.cpp	72.53% <0%> (-0.24%)	⬇️
src/ripple/beast/insight/impl/StatsDCollector.cpp	0.39% <0%> (-0.01%)	⬇️
src/ripple/rpc/json_body.h	0% <0%> (ø)	⬆️
src/ripple/overlay/impl/ConnectAttempt.cpp	0% <0%> (ø)	⬆️
...le/beast/container/detail/aged_ordered_container.h	97.27% <0%> (ø)	⬆️
src/ripple/overlay/impl/PeerImp.cpp	0% <0%> (ø)	⬆️
... and 4 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b0092ae...0350acf. Read the comment docs.

[ximinez]

I think my biggest concern is that I'd like you to convince me why this doesn't need to be on an amendment.

The biggest reason I can give is precedent, including another PR that used a different "grow quickly, shrink slowly" method (#2235), one from just a few months ago that affected when transactions could come out of the ledger (#2567), the one that allowed clearing those "series" we discussed earlier (#1800), and the one that added support for multiple transactions per account (#1639).

But precedent is not conclusive.

These are my other reasons why I think this doesn't need an amendment:

1. conflicts like this will get dropped in the first round of consensus along with any other timing-related conflicts.
2. the network hasn't been busy enough for this to be an issue - yet. I want to be ready for if/when it is.
3. nodes aren't likely to lose sync because they're not going to have to query the network for validated transactions they don't have - those transactions will be available locally. My understanding of desyncs is that they're more likely to happen when the validated ledger contains a lot of data that the node hasn't seen before. If I'm wrong about that, I guess that weakens this argument. 😄

[scottschurr]

👍 Looks good as far as I can see. The expanded comments should help future maintainers a lot. It's a deep beastie, so I would not feel comfortable declaring there are no bugs. But there were not any that I spotted.

[ximinez]

As discussed with @scottschurr this morning, the biggest reason that this change doesn't need an amendment is that it doesn't affect the way transactions are processed through consensus. Even if consensus builds a ledger that includes transactions that a given node doesn't think paid enough, it will still include those transactions in it's validated ledger before continuing on. And since the transactions are just as likely to be available locally, the node is no more or less likely to desynchronize from the network.

I'm going to go ahead and mark this PR as passed. If there are any objections, I'll undo it.

[nbougalis]

Please squash this down.

[ximinez]

Squashed and rebased onto 1.1.0.

[nbougalis]

Merged as e14f913 and 7295cf9.