feat: expose sector status to FEVM #1707
Conversation
Implement methods for generating and validating sector status information. This comes with a drawback that after expiry, the state becomes impossible to present. Signed-off-by: Jakub Sztandera <oss@kubuxu.com>
Signed-off-by: Jakub Sztandera <oss@kubuxu.com>
Signed-off-by: Jakub Sztandera <oss@kubuxu.com>
|
@Kubuxu : I assume this relates to filecoin-project/FIPs#1108 ? |
|
Yes |
ZenGround0
left a comment
ZenGround0
left a comment
There was a problem hiding this comment.
I like the separation into an offchain location generating call and an onchain lookup call.
Unfortunately this doesn't work as intended because terminated bitfield can be mutated during cleanup.
There are a lot of possible approaches. At the top level its a matter of decided whether to add in an immutable record of terminated sector numbers or to work around information loss. I'm going to spend some time reading up on @lordshashank's previous design which probably has a proposal for addressing this.
| let current_status = if partition.terminated.get(params.sector_number) { | ||
| SectorStatusCode::Terminated | ||
| } else { | ||
| SectorStatusCode::Active // Includes faulty sectors |
There was a problem hiding this comment.
nit: we use the term Live within code for a sector that is !Terminated. It may make sense to use this teriminology instead.
| let partition = deadline.load_partition(rt.store(), partition_idx)?; | ||
|
|
||
| // Determine status | ||
| let current_status = if partition.terminated.get(params.sector_number) { |
There was a problem hiding this comment.
Unfortunately this general approach does not work for the simple reason that partition.terminated is not immutable. It can get cleaned up during compact_partitions. See miner actor and deadline state code.
In the case of a cleaned up terminated sector we are going to get a failure from find_sector call above (sector <params.sector_number> not due at any deadline)
There was a problem hiding this comment.
That is fine, I think. What we really care about is showing that the sector is Live. We could even hide the terminated state. What do you think?
There was a problem hiding this comment.
A clear problem I see with the info loss of today is that we proof of non-existence is very expensive. So if we live with loss of information we'd basically need to move the interface to be proof of liveness which can succeed or fail. And no way to prove Terminatedness
There was a problem hiding this comment.
Which IMO is fine, Filecoin L1 administers and manages that the sectors are stored and repeatedly proven.
Then we use this to unlock funds on FEVM.
There was a problem hiding this comment.
Well actually we could do a sector number based check very cheaply by just going to the AMT. It is a bit rougher to do both but maybe not that bad. We can assign "No deadline No partition" to sectors that are fully removed / never added from/to the system
There was a problem hiding this comment.
Since there's an invariant that all sectors in a partition are also in the AMT
There was a problem hiding this comment.
Well actually we could do a sector number based check very cheaply by just going to the AMT.
what do you mean? Which AMT? We don't have mapping of sectorId->(deadline, partition), and we need that to check whether the sector has been terminated, and without being able to check that the sector hasn't been terminated, we can't assign it a Live state.
There was a problem hiding this comment.
So the liveness check to me, narrows down to: "Exists in deadline and is not terminated in it"
There was a problem hiding this comment.
we talked offline but for anyone follwoing along AMT meaning sectors AMT. We agreed that isDead is possible to prove quickly by either providing (partition,deadline) and demonstrating sector number is in terminated bitfield OR attempting to search in sectors AMT and coming back with a not found error
@Kubuxu is leaning towards only including isLive and not isDead in the interface for practical reasons which is ok with me.
|
@lordshashank I can't tag you for review directly so pinging you in comments. |
|
@ZenGround0 should I narrow it down to
This is fine, they generate a new location and re-submit it if it is still alive, and if it is terminated, they no longer can show Alive proof. Which is why I'm thinking about hiding the Terminated state. |
|
this is ok but imo if we can do something like wether sector was active on particular epoch or not somehow, it would be better. |
|
Miner controls when the sector ends (either through expiration or termination). |
|
I am also thinking the benefits of including expiration are limited since any consuming contract is going to need to handle the case where GetExpiration fails upon early termination. However I don't have any problem including an additional GetExpiration wrapper method which returns an expiration iff sector is live and fails if sector is dead. |
|
I would like to ask an extreme case, SP can currently generate 40 days + fault sectors, does that mean that rails has been paying for downed services for 40 days continuously, which is as expected? Should faulty sectors be exposed to contracts? |
Early review welcomed, FIP is going to be next.