fix(sync): avoid Tail double requesting (#290)

To avoid requesting tail twice, I had to extract new `networkHead`
method out of `Head` method. This refactoring lead to a few adjacent
refactors:
* avoids double verification of a recent head request. Previously, we
verified it in exchange and then in the syncer's code. This double
verification is actually a bad one that verifies all the signatures and
not just `NextValidatorHash`
* prevents duplicate request right after subjective init for a more
recent head, if the subjective initialization yielded non recent header.
* extract `localHead` out of `subjectiveHead`
* improves logging

Author: Wondertan

local/exchange.go

@@ -26,8 +26,24 @@ func (l *Exchange[H]) Stop(context.Context) error {
 	return nil
 }
 
-func (l *Exchange[H]) Head(ctx context.Context, _ ...header.HeadOption[H]) (H, error) {
-	return l.store.Head(ctx)
+func (l *Exchange[H]) Head(ctx context.Context, opts ...header.HeadOption[H]) (H, error) {
+	params := &header.HeadParams[H]{}
+	for _, opt := range opts {
+		opt(params)
+	}
+
+	head, err := l.store.Head(ctx)
+	if err != nil {
+		return head, err
+	}
+
+	if !params.TrustedHead.IsZero() {
+		if err := header.Verify(params.TrustedHead, head); err != nil {
+			return head, err
+		}
+	}
+
+	return head, nil
 }
 
 func (l *Exchange[H]) GetByHeight(ctx context.Context, height uint64) (H, error) {

sync/syncer.go

@@ -203,7 +203,7 @@ func (s *Syncer[H]) syncLoop() {
 
 // sync ensures we are synced from the Store's head up to the new subjective head.
 func (s *Syncer[H]) sync(ctx context.Context) {
-	subjHead, err := s.subjectiveHead(ctx)
+	subjHead, err := s.localHead(ctx)
 	if err != nil {
 		log.Errorw("getting subjective head", "err", err)
 		return

sync/syncer_head.go

@@ -9,126 +9,150 @@ import (
 	"github.com/celestiaorg/go-header"
 )
 
-// headRequestTimeout is the amount of time the syncer is willing to wait for
+// NetworkHeadRequestTimeout is the amount of time the syncer is willing to wait for
 // the exchange to request the head of the chain from the network.
-var headRequestTimeout = time.Second * 2
+var NetworkHeadRequestTimeout = time.Second * 2
 
-// Head returns the Network Head or an error. It will try to get the most recent header until it fails entirely.
-// It may return an error with a header which caused it.
-//
-// Known subjective head is considered network head if it is recent enough(now-timestamp<=blocktime)
-// Otherwise, we attempt to request recent network head from a trusted peer and
-// set as the new subjective head, assuming that trusted peer is always fully synced.
-//
-// The request is limited with 2 seconds and otherwise potentially unrecent header is returned.
+// Head returns the network head or an error. It will try to get the most recent network head or return the current
+// non-expired subjective head as a fallback.
+// If the head has changed, it will update the tail with the new head.
 func (s *Syncer[H]) Head(ctx context.Context, _ ...header.HeadOption[H]) (H, error) {
-	sbjHead, err := s.subjectiveHead(ctx)
+	netHead, err := s.networkHead(ctx)
+	if err != nil {
+		return netHead, err
+	}
+
+	if _, err = s.subjectiveTail(ctx, netHead); err != nil {
+		return netHead, fmt.Errorf(
+			"subjective tail for head %d: %w",
+			netHead.Height(),
+			err,
+		)
+	}
+
+	// attempt to set the (potentially) new network head
+	// it doesn't matter for the caller setting succeeds or not
+	_ = s.incomingNetworkHead(ctx, netHead)
+	// so return whatever is the current highest head
+	return s.localHead(ctx)
+}
+
+// networkHead returns subjective head ensuring its recency.
+// If the subjective head is not recent, it attempts to request the most recent network head from trusted peers
+// assuming that trusted peers are always fully synced.
+// The request is limited with [NetworkHeadRequestTimeout], otherwise the unrecent subjective header is returned.
+func (s *Syncer[H]) networkHead(ctx context.Context) (H, error) {
+	sbjHead, initialized, err := s.subjectiveHead(ctx)
 	if err != nil {
 		return sbjHead, err
 	}
-	defer func() {
-		// always ensure tail is up to date
-		_, err = s.subjectiveTail(ctx, sbjHead)
-		if err != nil {
-			log.Errorw("subjective tail", "head_height", sbjHead.Height(), "err", err)
-		}
-	}()
-	// if subjective header is recent enough (relative to the network's block time) - just use it
-	if isRecent(sbjHead, s.Params.blockTime, s.Params.recencyThreshold) {
+	if isRecent(sbjHead, s.Params.blockTime, s.Params.recencyThreshold) || initialized {
 		return sbjHead, nil
 	}
 
-	s.metrics.outdatedHead(s.ctx)
+	s.metrics.outdatedHead(ctx)
+	log.Warnw("outdated subjective head", "outdated_height", sbjHead.Height())
+	log.Warnw("attempting to request the most recent network head...")
 
-	reqCtx, cancel := context.WithTimeout(ctx, headRequestTimeout)
+	// cap the max blocking time for the request call
+	ctx, cancel := context.WithTimeout(ctx, NetworkHeadRequestTimeout)
 	defer cancel()
-	netHead, err := s.head.Head(reqCtx, header.WithTrustedHead[H](sbjHead))
+
+	newHead, err := s.head.Head(ctx, header.WithTrustedHead[H](sbjHead))
+	var verErr *header.VerifyError
+	if errors.As(err, &verErr) && verErr.SoftFailure {
+		// if we have a soft failure, try to bifurcate
+		err = s.incomingNetworkHead(ctx, newHead)
+	}
 	if err != nil {
+		// if we have a non-expired subjective head, but failed to get a more recent network head
+		// still return the current subjective head
 		log.Warnw(
-			"failed to get recent head, returning current subjective",
-			"sbjHead",
-			sbjHead.Height(),
+			"error requesting the most recent network head, using the current subjective",
 			"err",
 			err,
+			"subjective_height",
+			sbjHead.Height(),
 		)
-		return s.subjectiveHead(ctx)
+
+		return sbjHead, nil
+	}
+	// still check if even the newly requested head is outdated
+	if !isRecent(newHead, s.Params.blockTime, s.Params.recencyThreshold) {
+		log.Warnw("non recent head from trusted peers", "height", newHead.Height())
+		log.Error("trusted peers are out of sync")
+		s.metrics.trustedPeersOutOufSync(ctx)
 	}
 
-	// process and validate netHead fetched from trusted peers
-	// NOTE: We could trust the netHead like we do during 'automatic subjective initialization'
-	// but in this case our subjective head is not expired, so we should verify netHead
-	// and only if it is valid, set it as new head
-	_ = s.incomingNetworkHead(ctx, netHead)
-	// netHead was either accepted or rejected as the new subjective
-	// anyway return most current known subjective head
-	return s.subjectiveHead(ctx)
+	if newHead.Height() <= sbjHead.Height() {
+		// nothing new, just return what we have already
+		return sbjHead, nil
+	}
+	// set the new head as subjective, skipping expensive verification
+	// as it was already verified by the Exchange.
+	s.setLocalHead(ctx, newHead)
+
+	log.Infow(
+		"successfully requested a more recent network head",
+		"height",
+		newHead.Height(),
+	)
+	return newHead, nil
 }
 
-// subjectiveHead returns the latest known local header that is not expired(within trusting period).
-// If the header is expired, it is retrieved from a trusted peer without validation;
-// in other words, an automatic subjective initialization is performed.
-func (s *Syncer[H]) subjectiveHead(ctx context.Context) (sbjHead H, err error) {
-	// pending head is the latest known subjective head and sync target, so try to get it
-	// NOTES:
-	// * Empty when no sync is in progress
-	// * Pending cannot be expired, guaranteed
-	pendHead := s.pending.Head()
-	if !pendHead.IsZero() {
-		return pendHead, nil
-	}
-	// if pending is empty - get the latest stored/synced head
-	storeHead, err := s.store.Head(ctx)
+// subjectiveHead returns the highest known non-expired subjective Head.
+// If the current subjective head is expired or does not exist,
+// it performs automatic subjective (re) initialization by requesting the most recent head from trusted peers.
+// Reports true if initialization was performed, false otherwise.
+func (s *Syncer[H]) subjectiveHead(ctx context.Context) (H, bool, error) {
+	sbjHead, err := s.localHead(ctx)
 	switch {
 	case errors.Is(err, header.ErrEmptyStore):
 		log.Info("empty store, initializing...")
-		s.metrics.subjectiveInitialization(s.ctx)
-	case !storeHead.IsZero() && isExpired(storeHead, s.Params.TrustingPeriod):
-		log.Infow("stored head header expired", "height", storeHead.Height())
+	case !sbjHead.IsZero() && isExpired(sbjHead, s.Params.TrustingPeriod):
+		log.Infow(
+			"subjective head expired, reinitializing...",
+			"expired_height",
+			sbjHead.Height(),
+		)
 	default:
-		return storeHead, err
+		// success or unknown error case
+		return sbjHead, false, err
 	}
-	// fetch a new head from trusted peers if not available locally
+
+	s.metrics.subjectiveInitialization(ctx)
 	newHead, err := s.head.Head(ctx)
 	if err != nil {
-		return newHead, err
+		return newHead, false, err
 	}
-	switch {
-	case isExpired(newHead, s.Params.TrustingPeriod):
+	// still check if even the newly requested head is expired
+	if isExpired(newHead, s.Params.TrustingPeriod) {
 		// forbid initializing off an expired header
 		err := fmt.Errorf("subjective initialization with an expired header(%d)", newHead.Height())
-		log.Error(err, "\n trusted peers are out of sync")
-		s.metrics.trustedPeersOutOufSync(s.ctx)
-		return newHead, err
-	case !isRecent(newHead, s.Params.blockTime, s.Params.recencyThreshold):
-		// it's not the most recent, buts its good enough - allow initialization
-		log.Warnw("subjective initialization with not recent header", "height", newHead.Height())
-		s.metrics.trustedPeersOutOufSync(s.ctx)
+		log.Error(err)
+		log.Error("trusted peers are out of sync")
+		s.metrics.trustedPeersOutOufSync(ctx)
+		return newHead, false, err
 	}
 
-	_, err = s.subjectiveTail(ctx, newHead)
-	if err != nil {
-		return newHead, fmt.Errorf(
-			"subjective tail during subjective initialization for head %d: %w",
-			newHead.Height(),
-			err,
-		)
-	}
+	log.Infow("subjective initialization finished", "height", newHead.Height())
+	return newHead, false, nil
+}
 
-	// and set the fetched head as the new subjective head validating it against the tail
-	// or, in other words, do 'automatic subjective initialization'
-	err = s.incomingNetworkHead(ctx, newHead)
-	if err != nil {
-		err = fmt.Errorf("subjective initialization failed for head(%d): %w", newHead.Height(), err)
-		log.Error(err)
-		return newHead, err
+// localHead reports the current highest locally known head.
+func (s *Syncer[H]) localHead(ctx context.Context) (H, error) {
+	// pending head is the latest known subjective head and a sync target
+	// if it is empty, no sync is in progress
+	pendHead := s.pending.Head()
+	if !pendHead.IsZero() {
+		return pendHead, nil
 	}
-
-	log.Infow("subjective initialization finished", "head", newHead.Height())
-	return newHead, nil
+	// if pending is empty - get the latest stored/synced head
+	return s.store.Head(ctx)
 }
 
-// setSubjectiveHead takes already validated head and sets it as the new sync target.
-func (s *Syncer[H]) setSubjectiveHead(ctx context.Context, netHead H) {
+// setLocalHead takes the already validated head and sets it as the new sync target.
+func (s *Syncer[H]) setLocalHead(ctx context.Context, netHead H) {
 	// TODO(@Wondertan): Right now, we can only store adjacent headers, instead we should:
 	//  * Allow storing any valid header here in Store
 	//  * Remove ErrNonAdjacent
@@ -155,24 +179,25 @@ func (s *Syncer[H]) setSubjectiveHead(ctx context.Context, netHead H) {
 	log.Infow("new network head", "height", netHead.Height(), "hash", netHead.Hash())
 }
 
-// incomingNetworkHead processes new potential network headers.
-// If the header valid, sets as new subjective header.
+// incomingNetworkHead processes new potential network heads.
+// If the header is valid, sets as the new subjective header.
 func (s *Syncer[H]) incomingNetworkHead(ctx context.Context, head H) error {
 	// ensure there is no racing between network head candidates
+	// additionally ensures there is only one bifurcation attempt at a time
 	s.incomingMu.Lock()
 	defer s.incomingMu.Unlock()
 
 	if err := s.verify(ctx, head); err != nil {
 		return err
 	}
 
-	s.setSubjectiveHead(ctx, head)
+	s.setLocalHead(ctx, head)
 	return nil
 }
 
 // verify verifies given network head candidate.
 func (s *Syncer[H]) verify(ctx context.Context, newHead H) error {
-	sbjHead, err := s.subjectiveHead(ctx)
+	sbjHead, _, err := s.subjectiveHead(ctx)
 	if err != nil {
 		log.Errorw("getting subjective head during new network head verification", "err", err)
 		return err
@@ -250,7 +275,7 @@ func (s *Syncer[H]) verifyBifurcating(ctx context.Context, subjHead, newHead H)
 		// candidate was validated properly, update subjHead.
 		log.Infow("bifurcation: found new subjective head", "height", candidateHeight)
 		subjHead = candidateHeader
-		s.setSubjectiveHead(ctx, subjHead)
+		s.setLocalHead(ctx, subjHead)
 
 		err = header.Verify(subjHead, newHead)
 		if err == nil {

sync/syncer_head_test.go

@@ -125,7 +125,7 @@ func TestSyncer_HeadWithTrustedHead(t *testing.T) {
 }
 
 // Test will simulate a case with upto `iters` failures before we will get to
-// the header that can be verified against subjectiveHead.
+// the header that can be verified against localHead.
 func TestSyncer_verifyBifurcatingSuccess(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
 	t.Cleanup(cancel)
@@ -196,15 +196,15 @@ func TestSyncer_verifyBifurcatingSuccess(t *testing.T) {
 	headers[total-1].VerifyFailure = true
 	headers[total-1].SoftFailure = true
 
-	subjHead, err := syncer.subjectiveHead(ctx)
+	subjHead, err := syncer.localHead(ctx)
 	require.NoError(t, err)
 
 	err = syncer.verifyBifurcating(ctx, subjHead, headers[total-1])
 	require.NoError(t, err)
 }
 
 // Test will simulate a case with upto `iters` failures before we will get to
-// the header that can be verified against subjectiveHead.
+// the header that can be verified against localHead.
 func TestSyncer_verifyBifurcatingSuccessWithBadCandidates(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
 	t.Cleanup(cancel)
@@ -272,14 +272,14 @@ func TestSyncer_verifyBifurcatingSuccessWithBadCandidates(t *testing.T) {
 	headers[total-1].VerifyFailure = true
 	headers[total-1].SoftFailure = true
 
-	subjHead, err := syncer.subjectiveHead(ctx)
+	subjHead, err := syncer.localHead(ctx)
 	require.NoError(t, err)
 
 	err = syncer.verifyBifurcating(ctx, subjHead, headers[total-1])
 	require.NoError(t, err)
 }
 
-// Test will simulate a case when no headers can be verified against subjectiveHead.
+// Test will simulate a case when no headers can be verified against localHead.
 // As a result the [NewValidatorSetCantBeTrustedError] error will be returned.
 func TestSyncer_verifyBifurcatingCannotVerify(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
@@ -340,7 +340,7 @@ func TestSyncer_verifyBifurcatingCannotVerify(t *testing.T) {
 	headers[total-1].VerifyFailure = true
 	headers[total-1].SoftFailure = true
 
-	subjHead, err := syncer.subjectiveHead(ctx)
+	subjHead, err := syncer.localHead(ctx)
 	require.NoError(t, err)
 
 	err = syncer.verifyBifurcating(ctx, subjHead, headers[total-1])

sync/syncer_tail_test.go

@@ -223,8 +223,10 @@ func TestSyncer_TailInitialization(t *testing.T) {
 				remoteStore,
 				localStore,
 				headertest.NewDummySubscriber(),
-				WithBlockTime(time.Second*6),
-				WithRecencyThreshold(time.Nanosecond),
+				// make sure the blocktime is set for proper tail estimation
+				WithBlockTime(headertest.HeaderTime),
+				// make sure that recency check is not triggered
+				WithRecencyThreshold(time.Minute),
 				test.option,
 			)
 			require.NoError(t, err)