perf: vote state view

[jstarry]

Problem

The stakes cache stores copies of vote account data so that things like consensus, inflation rewards, and vote timestamp calculation can access the vote account state for all staked validators. Every time when a vote is processed, the vote account entry in the stakes cache is updated and the account data is deserialized and ~1KB is allocated to store the new state. This is all unnecessary because the vote state data the protocol needs can be read on demand directly from the account data byte vector.

Summary of Changes

• Introduce new VoteStateView type which stores a copy of the vote account's Arc<Vec<u8>> and field offset data to speed up vote state field lookups.

Fixes #

[mergify]

If this PR represents a change to the public RPC API:

1. Make sure it includes a complementary update to rpc-client/ (example)
2. Open a follow-up PR to update the JavaScript client @solana/web3.js (example)

Thank you for keeping the RPC clients in sync with the server API @jstarry.

[mergify]

The Firedancer team maintains a line-for-line reimplementation of the
native programs, and until native programs are moved to BPF, those
implementations must exactly match their Agave counterparts.
If this PR represents a change to a native program implementation (not
tests), please include a reviewer from the Firedancer team. And please
keep refactors to a minimum.

[jstarry]

Before

test bench_vote_account_try_from ... bench:         321.63 ns/iter (+/- 5.15)

After

test bench_vote_account_try_from ... bench:          59.46 ns/iter (+/- 0.18)

[apfitzge]

Linking some related PRs so I do not need to find them again:

• Introduce VoteState::deserialize_into_uninit #2272 - deserialize into an uninitialized VoteState
• solana-program: VoteState::deserialize() solana-labs/solana#34829 - transition from bincode to manual implementation
• solana-program: improve VoteState::deserialize_into() #2146 - a parser improvement

[apfitzge]

Submitting first round of review comments. Will still need to go over it again, but overall the structure looks to be good to me.

One missing thing is documentation on the unsafe blocks - we should always aim to document those clarifying why we meet the criteria for the opreation to be safe.

[apfitzge]

This structure seems a bit odd to me since it represents two lists of different data types, depending on the version.

V3 has LandedVote which internally just has a latency and Lockout, but afaict there's no way to iterate over the LandedVote with the latency in there, only the Lockouts.

Do we never need the latency?

[jstarry]

We don't ever need to check latency in the runtime, it's only used by the vote program to accumulate credits. I just updated the PR to use an enum over the different types of votes lists. Lmk what you think!

[apfitzge]

what does the constraint here do?

[jstarry]

it helped the ListViewIter implicitly determine that ListFrame::Item lived as long as Iterator::Item. I think it's cleaner to just add the constraint directly to the iterator impl so I updated that here: b3be0f4

[apfitzge]

We should add some documentation to this function about what sorts of implementations are safe vs not, and do the same for any non-defaut implementation.

The safety of this ptr -> reference conversion is documented here.

Think we should have a comment along the lines of:

    /// This function is safe under the following conditions:
    /// SAFETY:
    /// - `Self::Item` is alignment 1
    /// - The passed slice is large enough for the type `Self::Item`
    /// - `Self::Item` is valid for any sequence of bytes
    unsafe fn read_item<'a>(&self, item_data: &'a [u8]) -> &'a Self::Item {
		// SAFETY:
        // - Function safety documentation conditions
		// - The cast pointer is not null because `item_data` is a valid slice
		// - The reference created is immutable, just like the slice, and thus does not violate aliasing rules
        &*(item_data.as_ptr() as *const Self::Item)
    }

^ following above comments, it seems reasonable to add a const assert on alignments.
We cannot add this into the fn unfortunately, but we could add a line for each of the types we're actually reading?

	// Verify at compile time there are no alignment constraints.
	const _: () = assert!(
	    core::mem::align_of::<Self::Item>() == 1,
	    "Item alignment"
	);

They don't technically need to be alignment 1, but afaict, there is no guarantee of alignment on our serialized slices so it would be the simplest assert.

Following these requirements, I'm actually pretty sure that the PriorVotersItem is not strictly safe to read, since it's alignment is 8, but we have no alignment guarantees, to my knowledge.
We should probably do the same [u8; 8] style of definition with accessors for that type as you have for the other type definitions.

[jstarry]

Added const assertions and improved safety comments here: a3d48ac

[alessandrod]

nit: read makes me think that it makes a copy (like ptr::read), call it
item_ref or something?

we use read everywhere probably not worth the effort of renaming everything

[apfitzge]

Interesting rust behavior wrt to the constant evaluation and why the original assert! doesn't work but const_assert! does: rust-lang/reference#1120 (comment)

^ in summary, consts in traits (unlike free consts) are not evaluated unless used. And since we don't use them, we don't actually run the assert.

const_assert! gets around it in an interesting way:

    const ASSERT_ITEM_ALIGNMENT: () = {
        const _: [(); 0 - !{
            const ASSERT: bool = core::mem::align_of::<LockoutItem>() == 1;
            ASSERT
        } as usize] = [];
    };

the assert is used a length, and when true makes the assignment of the actual outer constant invalid if the assertion evaluates to false.

[apfitzge]

this one. see above safety comment on read_item

[jstarry]

Nice, just noticed this one as well, thanks for calling it out

[jstarry]

Fixed here: a3d48ac

[alessandrod]

Super solid PR 🙌

Don't really have much to add, just a couple of super minor nits.

We should make sure that we run at least a subset of the tests under miri (although I'm getting a dejavu - we might have already set that up last time with the read_into changes?)

[alessandrod]

nit: drop get_ prefix?

[jstarry]

This is sort of like a map lookup so I think the get prefix makes sense on this one

[alessandrod]

nit: drop get_ here too?

[alessandrod]

nit: this doesn't seem to have test coverage

[alessandrod]

nit: read makes me think that it makes a copy (like ptr::read), call it
item_ref or something?

we use read everywhere probably not worth the effort of renaming everything

[apfitzge]

Have concern on the method of testing used here.
You test with random bytes; If CI fails, how can we recreate the case?

There doesn't appear to be any tests for invalid data afaict? Shouldn't we be testing cases where we do not have enough bytes for the structure?

[jstarry]

More test coverage added in: a93c8ba

[jstarry]

We should make sure that we run at least a subset of the tests under miri (although I'm getting a dejavu - we might have already set that up last time with the read_into changes?)

Yeah good call, added here: 742c757 (we previously chatted about this in this abandoned PR: #2751)

[jstarry]

rebased to pick up rust audit changes to pass CI

[jstarry]

rebased again to fix conflict

[apfitzge]

why do we need frozen-abi?

[jstarry]

It's just that this struct is now part of VoteAccountInner and afaik there's no way to skip a field for the AbiExample derivation