External sender queue implementation

[vkomenda]

Fixes #226

This PR implements a reference spam control mechanism - the sender queue - by requiring all peers implement post-processing of outgoing messages as follows:

• Peer epochs are monitored.

• An outgoing message is sent to a peer if and when the sender reckons the peer is at an epoch that matches the epoch of the message. If the peer is already ahead, the message is discarded by the sender instead of being sent.

• Target::All messages may be split into Target::Node messages for each peer if peers happen to be at different epochs, some of which match the epoch of the message while others don't.

Incoming message queues have been removed. Message recipients discard obsolete messages and return a Fault for messages with epochs too far ahead.

The sender queue is agnostic to the differences between validators and observers. All it cares about is what the peer IDs are and what is the ID of the node it is running on. I believe this is approximately in line with Option 2 of @afck's comment.

There are three implementations of a sender queue, one for each of HoneyBadger, DynamicHoneyBadger and QueueingHoneyBadger, although the last one uses the DynamicHoneyBadger implementation, so those two are essentially the same.

Comments welcome: I'm not sure whether Epoched::Epoch is fine to stay Copy rather than Clone. Maybe I should have implemented an optional storage for the computed epoch and make Epoched::Epoch to be Clone instead to avoid possible recomputation of the epoch of the same message multiple times.

[c0gent]

Vlad, could you provide a brief (but complete) outline of the changes you've made just for a frame of reference? I haven't been following the this topic closely so it would be helpful for me but it would also make it easier for us in the future if we ever look back at this. I usually like to put a description or list of changes in the commit message but here in the PR is fine too.

[vkomenda]

@c0gent, I updated the description as you asked.

[c0gent]

Excellent description!

[afck]

This looks great! I think that's the right approach to the sender queue.
(Only halfway through the review so far. Will continue in the afternoon.)

I'm still a bit concerned about getting rid of the general "observer", and instead coupling that concept to the peer turning up inside an InProgress in a batch. I wonder whether there's something to be gained from keeping that concept more general, and allowing the user to just tell the sender queue if an observer has connected.
But maybe both can be combined anyway, and it's certainly something for a separate PR, if at all.

[afck]

Is this Arc needed? It seems like we don't even have to clone netinfo: We could collect our_id and all_ids before building dhb.

[afck]

We could avoid creating these collections by just pushing the messages right away. Especially if remote_epochs contained all remote nodes, it would be a lot simpler:

for (id, them) in remote_epochs {
    if is_accepting_epoch(&message, them) {
        passed_msgs.push(Target::Node(id.clone()).message(message.clone()));
    } else if is_later_epoch(&message, them) {
        deferred_msgs.push((id.clone(), message.clone()));
    }
}

(Although I might be confused by all the negations. 😵)

[afck]

I still think this ⬆️ would make the code simpler and avoid allocating the two sets.

[vkomenda]

Good point about double negations. Let's keep them away if possible.

[vkomenda]

There should only be one extra negation in your else if clause.

[afck]

Maybe we should add these as convenience methods to SenderQueue (has_input only for SenderQueue<DHB> and SenderQueue<HB>, of course).

[afck]

I just realized that we probably need to include max_future_epochs in the JoinPlan now (or, alternatively, include more information about which epochs we accept in the EpochStarted message). Otherwise a node with max_future_epochs == 3 will send messages to one with max_future_epochs == 2 that it won't accept yet.

With this and #288, it would make sense to add a mechanism that on network startup and for joining nodes ensures that the nodes all agree on those parameters (but probably in a separate PR).

[vkomenda]

I reckon including max_future_epochs in every EpochStarted message would be a bit chatty. But including it in the JoinPlan is doable. I can do it in this PR if you prefer.

[afck]

If we collect these before creating dhb, we don't need to clone the netinfo at all.

[c0gent]

Also, how is the era/epoch terminology defined now?

Unnecessary

[c0gent]

Hydrabadger works fine with these changes fyi. Batch::seqnum definitely needs to be renamed.

[c0gent]

More documentation of era, epoch terminology needed.

[afck]

I find that very counterintuitive. Should there maybe be a next_epoch method in SenderQueueableOutput instead?

[afck]

If we add next_epoch, we can probably remove the Epoched trait bound here.

[afck]

I still feel it would be easier to just iterate through all the messages in the big loop below, and populate passed_msgs there, too. That would avoid allocating and then consuming failed_msgs.
(Can also be refactored in another PR, of course.)

[afck]

I still think this ⬆️ would make the code simpler and avoid allocating the two sets.

[afck]

I won't be able to continue the review before Monday, but if @mbr and @c0gent approve, feel free to merge.

[vkomenda]

If that is needed, I would rather add max_future_epochs to JoinPlan in a separate PR not to overcrowd this one.

[vkomenda]

Rebased on top of master.

The last commit adds an intermediate type between non-linear epochs Epoched::Epoch and linear epochs of DHB, that is u64. This intermediate type is Epoched::LinEpoch of "linearizable epochs". It can be converted to u64 but not vice versa. Also peer_epochs now use this type, which allows to avoid unreachable match cases.