feat: alpenglow clock checks (anza-xyz#597)

We enforce Alpenglow clock checks, outlined in detail here:
solana-foundation/solana-improvement-documents#363.

Author: ksn6

core/src/block_creation_loop.rs

@@ -37,7 +37,7 @@ use {
             atomic::{AtomicBool, Ordering},
         },
         thread::{self, Builder, JoinHandle},
-        time::{Duration, Instant},
+        time::{Duration, Instant, SystemTime, UNIX_EPOCH},
     },
     thiserror::Error,
 };
@@ -137,7 +137,7 @@ enum StartLeaderError {
     ),
 }
 
-fn produce_block_footer(block_producer_time_nanos: u64) -> BlockFooterV1 {
+fn produce_block_footer_with_timestamp(block_producer_time_nanos: u64) -> BlockFooterV1 {
     BlockFooterV1 {
         bank_hash: Hash::default(),
         block_producer_time_nanos,
@@ -359,6 +359,57 @@ fn produce_window(
     Ok(())
 }
 
+/// Clamps the block producer timestamp to ensure that the leader produces a timestamp that conforms
+/// to Alpenglow clock bounds.
+fn skew_block_producer_time_nanos(
+    parent_slot: Slot,
+    parent_time_nanos: i64,
+    working_bank_slot: Slot,
+    working_bank_time_nanos: i64,
+) -> i64 {
+    let (min_working_bank_time, max_working_bank_time) =
+        BlockComponentProcessor::nanosecond_time_bounds(
+            parent_slot,
+            parent_time_nanos,
+            working_bank_slot,
+        );
+
+    working_bank_time_nanos
+        .max(min_working_bank_time)
+        .min(max_working_bank_time)
+}
+
+/// Produces a block footer with the current timestamp and version information.
+/// The bank_hash field is left as default and will be filled in after the bank freezes.
+fn produce_block_footer(bank: Arc<Bank>) -> BlockFooterV1 {
+    let mut block_producer_time_nanos = i64::try_from(
+        SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .expect("Misconfigured system clock; couldn't measure block producer time.")
+            .as_nanos(),
+    )
+    .unwrap_or(i64::MAX);
+
+    let slot = bank.slot();
+
+    if let Some(parent_bank) = bank.parent() {
+        // Get parent time from alpenglow clock (nanoseconds) or fall back to clock sysvar.
+        let parent_time_nanos = parent_bank
+            .get_nanosecond_clock()
+            .unwrap_or_else(|| parent_bank.clock().unix_timestamp.saturating_mul(1_000_000_000));
+        let parent_slot = parent_bank.slot();
+
+        block_producer_time_nanos = skew_block_producer_time_nanos(
+            parent_slot,
+            parent_time_nanos,
+            slot,
+            block_producer_time_nanos,
+        );
+    }
+
+    let block_producer_time_nanos = u64::try_from(block_producer_time_nanos).unwrap_or_default();
+    produce_block_footer_with_timestamp(block_producer_time_nanos)
+}
 /// Records incoming transactions until we reach the block timeout.
 /// Afterwards:
 /// - Shutdown the record receiver
@@ -399,15 +450,13 @@ fn record_and_complete_block(
 
     // Construct and send the block footer
     let mut w_poh_recorder = poh_recorder.write().unwrap();
-    let block_producer_time_nanos = w_poh_recorder.working_bank_block_producer_time_nanos();
-    let footer = produce_block_footer(block_producer_time_nanos);
-    w_poh_recorder.send_marker(VersionedBlockMarker::new_block_footer(footer.clone()))?;
-
-    // Alpentick and clear bank
     let bank = w_poh_recorder
         .bank()
         .expect("Bank cannot have been cleared as BlockCreationLoop is the only modifier");
+    let footer = produce_block_footer(bank.clone());
+    w_poh_recorder.send_marker(VersionedBlockMarker::new_block_footer(footer.clone()))?;
 
+    // Alpentick and clear bank
     trace!(
         "{}: bank {} has reached block timeout, ticking",
         bank.leader_id(),

ledger/src/blockstore_processor.rs

@@ -1577,9 +1577,13 @@ pub fn confirm_slot(
                 )?;
             }
             BlockComponent::BlockMarker(marker) => {
+                let parent_bank = bank
+                    .parent()
+                    .unwrap_or_else(|| bank.clone_without_scheduler());
                 processor
                     .on_marker(
                         bank.clone_without_scheduler(),
+                        parent_bank,
                         &marker,
                         migration_status,
                         is_final,

runtime/src/bank.rs

@@ -236,7 +236,6 @@ pub const MAX_LEADER_SCHEDULE_STAKES: Epoch = 5;
 /// This will be guaranteed through the VAT rules,
 /// only the top 2000 validators by stake will be present in vote account structures.
 pub const MAX_ALPENGLOW_VOTE_ACCOUNTS: usize = 2000;
-
 /// The off-curve account where we store the Alpenglow clock. The clock sysvar has seconds
 /// resolution while the Alpenglow clock has nanosecond resolution.
 static NANOSECOND_CLOCK_ACCOUNT: LazyLock<Pubkey> = LazyLock::new(|| {

runtime/src/block_component_processor.rs

@@ -1,6 +1,7 @@
 use {
     crate::bank::Bank,
     agave_votor_messages::migration::MigrationStatus,
+    solana_clock::{Slot, DEFAULT_MS_PER_SLOT},
     solana_entry::block_component::{
         BlockFooterV1, BlockMarkerV1, VersionedBlockFooter, VersionedBlockHeader,
         VersionedBlockMarker,
@@ -21,6 +22,8 @@ pub enum BlockComponentProcessorError {
     MultipleBlockHeaders,
     #[error("BlockComponent detected pre-migration")]
     BlockComponentPreMigration,
+    #[error("Nanosecond clock out of bounds")]
+    NanosecondClockOutOfBounds,
 }
 
 #[derive(Default)]
@@ -67,6 +70,7 @@ impl BlockComponentProcessor {
     pub fn on_marker(
         &mut self,
         bank: Arc<Bank>,
+        parent_bank: Arc<Bank>,
         marker: &VersionedBlockMarker,
         migration_status: &MigrationStatus,
         is_final: bool,
@@ -79,7 +83,9 @@ impl BlockComponentProcessor {
         let VersionedBlockMarker::V1(marker) = marker;
 
         match marker {
-            BlockMarkerV1::BlockFooter(footer) => self.on_footer(bank, footer.inner()),
+            BlockMarkerV1::BlockFooter(footer) => {
+                self.on_footer(bank, parent_bank, footer.inner())
+            }
             BlockMarkerV1::BlockHeader(header) => self.on_header(header.inner()),
             // We process UpdateParent messages on shred ingest, so no callback needed here.
             BlockMarkerV1::UpdateParent(_) => Ok(()),
@@ -96,6 +102,7 @@ impl BlockComponentProcessor {
     fn on_footer(
         &mut self,
         bank: Arc<Bank>,
+        parent_bank: Arc<Bank>,
         footer: &VersionedBlockFooter,
     ) -> Result<(), BlockComponentProcessorError> {
         // The block header must be the first component of each block.
@@ -108,6 +115,8 @@ impl BlockComponentProcessor {
         }
 
         let VersionedBlockFooter::V1(footer) = footer;
+
+        Self::enforce_nanosecond_clock_bounds(bank.clone(), parent_bank, footer)?;
         Self::update_bank_with_footer(bank, footer);
 
         self.has_footer = true;
@@ -126,9 +135,53 @@ impl BlockComponentProcessor {
         Ok(())
     }
 
+    fn enforce_nanosecond_clock_bounds(
+        bank: Arc<Bank>,
+        parent_bank: Arc<Bank>,
+        footer: &BlockFooterV1,
+    ) -> Result<(), BlockComponentProcessorError> {
+        // If nanosecond clock hasn't been populated, don't enforce bounds yet.
+        let Some(parent_time_nanos) = parent_bank.get_nanosecond_clock() else {
+            return Ok(());
+        };
+
+        let parent_slot = parent_bank.slot();
+        let current_time_nanos = i64::try_from(footer.block_producer_time_nanos).unwrap_or(i64::MAX);
+        let current_slot = bank.slot();
+
+        let (lower_bound_nanos, upper_bound_nanos) =
+            Self::nanosecond_time_bounds(parent_slot, parent_time_nanos, current_slot);
+
+        if lower_bound_nanos <= current_time_nanos && current_time_nanos <= upper_bound_nanos {
+            Ok(())
+        } else {
+            Err(BlockComponentProcessorError::NanosecondClockOutOfBounds)
+        }
+    }
+
+    /// Given the parent slot, parent time, and slot, calculate the inclusive
+    /// bounds for the block producer timestamp.
+    pub fn nanosecond_time_bounds(
+        parent_slot: Slot,
+        parent_time_nanos: i64,
+        slot: Slot,
+    ) -> (i64, i64) {
+        let default_ns_per_slot = i64::try_from(DEFAULT_MS_PER_SLOT)
+            .unwrap_or(i64::MAX)
+            .saturating_mul(1_000_000);
+        let diff_slots = i64::try_from(slot.saturating_sub(parent_slot)).unwrap_or(i64::MAX);
+
+        let min_working_bank_time = parent_time_nanos.saturating_add(1);
+        let max_working_bank_time = parent_time_nanos
+            .saturating_add(diff_slots.saturating_mul(2).saturating_mul(default_ns_per_slot));
+
+        (min_working_bank_time, max_working_bank_time)
+    }
+
     pub fn update_bank_with_footer(bank: Arc<Bank>, footer: &BlockFooterV1) {
         // Update clock sysvar from footer timestamp.
-        bank.update_clock_from_footer(footer.block_producer_time_nanos as i64);
+        let unix_timestamp_nanos = i64::try_from(footer.block_producer_time_nanos).unwrap_or(i64::MAX);
+        bank.update_clock_from_footer(unix_timestamp_nanos);
 
         // TODO: rewards
     }