Add unit tests for zksync_consensus_bft (BFT-360)

[moshababo]

Adding new unit tests coverage for zksync_consensus_bft crate.

Notes

• Tests are located at the leader/replica mods level.
• testonly::ut_harness::UTHarness struct was added to encapsulate all testing operations, and moreover to minimize redundancy of test code.

Coverage

• replica prepare

  • replica_prepare_sanity
  • replica_prepare_sanity_yield_leader_prepare
  • replica_prepare_sanity_yield_leader_prepare_reproposal
  • replica_prepare_old_view
  • replica_prepare_during_commit
  • replica_prepare_not_leader_in_view
  • replica_prepare_already_exists
  • replica_prepare_num_received_below_threshold
  • replica_prepare_invalid_sig
  • replica_prepare_invalid_commit_qc
  • replica_prepare_high_qc_of_current_view
  • replica_prepare_high_qc_of_future_view
  • replica_prepare_non_validator_signer // FAILS

• leader prepare

  • leader_prepare_sanity
  • leader_prepare_reproposal_sanity
  • leader_prepare_sanity_yield_replica_commit
  • leader_prepare_invalid_leader
  • leader_prepare_old_view
  • leader_prepare_invalid_sig
  • leader_prepare_invalid_prepare_qc
  • leader_prepare_invalid_high_qc
  • leader_prepare_proposal_oversized_payload
  • leader_prepare_proposal_mismatched_payload
  • leader_prepare_proposal_when_previous_not_finalized
  • leader_prepare_proposal_invalid_parent_hash
  • leader_prepare_proposal_non_sequential_number
  • leader_prepare_reproposal_without_quorum
  • leader_prepare_reproposal_when_finalized
  • leader_prepare_reproposal_invalid_block

• replica commit

  • replica_commit_sanity
  • replica_commit_sanity_yield_leader_commit
  • replica_commit_old
  • replica_commit_not_leader_in_view
  • replica_commit_already_exists
  • replica_commit_num_received_below_threshold
  • replica_commit_invalid_sig
  • replica_commit_unexpected_proposal
  • replica_commit_protocol_version_mismatch // FAILS

• leader commit

  • leader_commit_sanity
  • leader_commit_sanity_yield_replica_prepare
  • leader_commit_invalid_leader
  • leader_commit_old
  • leader_commit_invalid_sig
  • leader_commit_invalid_commit_qc

[brunoffranca]

The direction looks good. I would just ask you to eventually move the utils to the testonly folder.

[moshababo]

The replica_prepare and replica_commit message processing triggers a panic if the creation of the respective prepare/commit quorum certificate fails. This occurs after completing all checks and updating the local state. While it shouldn't be reproducible, I added two tests that demonstrate it:

• replica_commit_protocol_version_mismatch
• replica_prepare_non_validator_signer

The first is protected against during top-level processing, but I couldn't find safeguards for the latter.

[brunoffranca]

Regarding the first test, we indeed do check the protocol version earlier. But its placement is not ideal, it's separate from all the other checks. And it only produces a tracing warning, it never produces an error that we can actually test. So I would move that check to later in the flow, so that we do all the checks for the message in the same place.
The second test shows an actual bug, we never check that the replica that is sending us a message belongs to the current validator set, we need to check it. Add that extra check for both the prepare and commit phases and we're good.

[brunoffranca]

Another point is if failing to create a QC should panic. Technically we could have that method just return an error, but I'm not sure how we could recover from it. By that time, the only thing we could do is discard all the replica prepare messages we got and let our turn timeout. Which I guess is better than panicking but it would still let an attacker stop the chain anyway.

[moshababo]

Another point is if failing to create a QC should panic. Technically we could have that method just return an error, but I'm not sure how we could recover from it. By that time, the only thing we could do is discard all the replica prepare messages we got and let our turn timeout. Which I guess is better than panicking but it would still let an attacker stop the chain anyway.

Does the current implementation support liveness in the event of a leader's timeout?

[moshababo]

Since all shared util code is now located in testonly mod, the tests can be moved to replica/leader mods, closer to the tested code. Any opinions?

[pompon0]

Does the current implementation support liveness in the event of a leader's timeout?

Yes, and we should write tests for that.

Since all shared util code is now located in testonly mod, the tests can be moved to replica/leader mods, closer to the tested code. Any opinions?

+1, tests should be as close to the code under test as possible.

[slowli]

This method seems to always return Some; could it be simplified to return Signed<_> instead of an Option?

[moshababo]

Yes, originally it had None which turned out to be unnecessary, but the method signature remained.

I changed it now to return Result which will propagate the error type from self.pipe.recv instead of just unwrapping it: aa85e36

[brunoffranca]

Looks good. There's only one change that needs to be committed. Approved!