> Make invalid states unrepresentable - someone # Background Some problems: - We have redundant nil checks everywhere - We forget to populate fields of structs when doing raw initialization What can we do? Leverage the compiler more: - Compiler does the heavy lifting - Catch errors in development Go does not make this easy for us, unfortunately. We do not have good enum types, nor generics. What can we do? Let's do a thought experiment: be as extreme as possible with the Go type system to increase safety / purity of our application. ## Avoid Active Validation Active validation has problems: ```go func createFoo(name string, value *big.Int, receivedAt time.Time) error { if !nameIsValid(name) { } if !valueExists(value) || valueLessThanRequired(value) { } if !receivedWithinThreshold(receivedAt) { } } ``` - Captures a point in time with no guarantee of ongoing validity - High chance we'll forget a future validation - Hard to test, each test requires complex setup for each branch - High-trust approach to writing code Prefer dedicated constructors for types ```go! func NewUserValue(val *big.Int) (UserValue, error) { if !valueExists(value) || valueLessThanRequired(value) { ... // Err } return UserValue{val}, nil } ``` Then, we know that create foo has _validated_ inputs: ```go! func createFoo(name Name, value UserValue, receivedAt ThresholdTimestamp) error { ... } ``` Problem, what about someone just doing `Name{someBadString}` as a raw caller? Instead, we make `Name` an `interface` and prevent exporting its raw struct. The **only way** to get a `Name` type is via the constructor, which validates inputs. ## Zero Values Zero values of important types can bypass their constructor requirements we mentioned above. Anyone can create a `Name{someBadString}` from anywhere, bypassing our controls. Moreover, sometimes the definition of what "allowed zero values" are is complex, as we've had many issues with using nil vs. empty slices in serialization paths. Maybe we can mark values as **complete or incomplete**. Types with fields that are allowed to be _zero values_ shouldn't affect the _zero-value-ness_ of that type, or we should have more granular control over them. Let's define a `Complete` interface which is met by types that must be complete. ```go type Complete interface { IsComplete() bool } ``` The above returns false is the value is the zero value and is invalid, or for complex types, if any of its inner methods that satisfy `Complete` return false. ```go! type Foo struct { Name Name ReceivedAt ThresholdTimestamp } func (f *Foo) IsComplete() bool { return f.Name.IsComplete() && f.ReceivedAt.IsComplete() } func doSomething(name Name, receivedAt ThresholdTimestamp) { ... f := &Foo{ Name: name, ReceivedAt: receivedAt, } if types.IsIncomplete(f) { return types.ErrIncomplete } ... } ``` > Some of these ideas can be used to implement nice forking logic depending on fork versions! Super-structs such as beacon state could benefit from this if we have a notion of completeness depending on fork object ## Two Kinds of Errors with Completeness There are two categories of validation errors in applications such as Prysm: 1. **Validation errors**: bad input, malformed, not spec compliant, etc. 2. **Completeness errors**: of a single kind: only developers can cause completeness errors. Detectable at dev time ## Safety Around Completeness - Good tests make completeness errors easy to catch - Crazy idea: - Build tags to compile zero-value checks during development, and panic if they fail - Include this in CI ```go! //go:build release func NewService(foo Foo) Service { return newService(foo) } ``` and our dev build: ```go! //go:build develop func NewService(foo Foo) Service { types.ValidateCompleteness(foo) return newService(foo) } ``` Pretty radical idea, but it's an idea nonetheless. This approach panics in development, helping us set up CI jobs that fail before they reach prod. ## Options `nil` as the expression of absence is pretty terrible in our design, as it can mean an accidental omission, or it could be on purpose and make our completeness checks tricky. Other languages that do not have `nil` instead use optional types. Here's what they look like in Go: ```go! type Option[T any] struct { t T } func None[T any]() Option[T] { return Option[T]{nil} } func Some[T any](x T) Option[T] { return Option[T]{&x} } func (x Option[T]) IsNone() bool { return x.value == nil } func (x Option[T]) IsSome() bool { return x.value != nil } func (x Option[T]) Unwrap() T { return *x.value } ``` Why? Well we can express absence _safely_ without nil pointer dereferences, and because option types are non-nilable, we will receive compile time errors if we forget to add them to a struct: ```go! type Transaction struct { From common.Address To common.Address Data []byte Value Option[*big.Int] } ``` Compile time error below! We forgot `Value` ```go func foo() { ... tx := &Transaction{ from: from, to: to, data: data, } } ``` Instead, ```go= func foo() { ... tx := &Transaction{ from: from, to: to, data: data, value: None[*big.Int](), } } ``` ## Combining Options With Completeness We can also protect our option values from invalid states by adding the type constraint to our `None` constructor and checking for completeness when building an option: ```go= func None[T Complete]() Option[T] { return Option[T]{nil} } func Some[T any](x T) Option[T] { if cpt, ok := x.(types.Complete); ok { if !x.IsComplete() { return ErrIncomplete } } return Option[T]{&x} } ```
Last changed by  
Prysmatic Labs
eth2 development team
209

Read more

Migrating Prysm to Slog

Contextual logging:

12/6/2023
Running BOLD Challenges on Sepolia

This guide will set up

11/17/2023
Generalized History Commitment

Today in BOLD, challenges can have subchallenges, and we have a total of 3 levels. We do this because at each challenge, validators have to commit to N state roots of a block’s history, which can be very expensive to compute. For example, computing 2048 machine hashes for the execution of a block and collecting them takes around 5 minutes on a modern MacBook Pro.

8/16/2023
If I Had a Reset Button...

If you knew what you know now, and you were starting a new CL from scratch, what structures would you use? Let me start myself to set the tone, you can make it language specific (for example Go and avoid templated methods) but I am not really interested in the small details but rather the main components of the critical parts of code. Typical questions I’m thinking about areWould you use a custom allocator for the beacon-state/validators/attestations structures?Would you use a struct like object for them or would you use a functional style object. The typical situation is this:We have a buffer with 8192 roots in the BeaconState, but these roots are sequential, if state for N had up to root r, the state for N+1 will share essentially all of the roots as that for N except at one point where it would have changed one. If you store vectors and then you want to share the common part then you are lead to structures like the multi-value slice or similar structures, where you have a base slice and then somewhere else you store the diffs (or some mathematically equivalent statement). Another way to store the object is as a linked list (with some additions to make it into a round buffer) and when you change one element you just change a single node on that list, someone that holds the pointer to the current node will resolve to the current full round buffer, while someone that holds the pointer to the previous-to-modified node, will resolve (by traversing the links from it) to the previous full round buffer. If you have a fork this still works, you just need to add a few pointers on either side of the fork. The point is that from the point of view of the structure itself, there’s no “base state” and some diffs, and rather you can just delete the pointer and let GC in Go, or the Destructuror in C++ deal with the rest. No need to be pruning yourself from a multi-value slice for example. On the other side, the multi-value slice would incur in way less memory fragmentation if you are dealing with a single state in the happy case.There are variations of this for all structures in the Beacon State and there are benefits and cons for each one of them.What sort of thread management would you use? (I think here there won’t be a disagreement and just relying on the Go runtime is fine)What sort of fork management would you use? I originally thought about templating, something like having the Fork being the template parameter for a BeaconBlock structure. In C++ at least, the best structure seems to be vertical polymorphism in the structures themselves like having class AltairBlock : public Phase0Block but not use methods of these structures, but rather pure functions like attestations(block Block) []Attestations and just let AltairBlock and Phase0Block satisfy the concept Block, which in this case would mean they both have a member attestations so you can just simply implement that function as return block.attestations. In Go this seems to be quite complicated, templates as far as I could read do not allow us to do this, and interfaces themselves we have them, but we still are forced to repeat the underlying structures completely for AltairBlock and Phase0Block instead of invisibly inheriting and obscuring the changed ones.Would you trade security and correctness for performance? I think this is a funny one: if you’re coding for 0.1% of the market, then you can do lots of shit like only keeping the last two states and break if there’s a depth 3 reorg. That’s an extreme case, but that’s probably not so far away from what Erigon’s CL may be, I would bet that they just follow blindly whatever is voted. But besides the extreme cases, how about Optimistic sync? I am pretty sure we are the only ones that considered a recursive system in which a bunch of branches turned out to be invalid. I am convinced that you can simplify a lot the optimistic status dealing if you just ignore correctness in a bunch of cases, with no real danger to the network.How would you deal with the engine? Would you change the interaction with the engine if you knew that ALL your users are using MEV-Boost? would you optimize the builder code in detriment of the local code? for example, it could be perfectly valid to not wait for local blocks and not request them in advance until it’s late in the block in case we know we are not resource-heavy. Not wait for the result of FCU is also good, since we are guaranteed already from a VALID response from NewPayload (this is something we could do right now on Prysm).

8/2/2023
Read more from Prysmatic Labs
Published on HackMD