feat(full/availability): adding different withholding options to tests

[distractedm1nd]

Closes #2592 by adding three different modes to full availability test nodes: FullyRecoverable, BarelyRecoverable, and Unrecoverable.

BarelyRecoverable test case requires 230 nodes for 99% chance of recoverability:

BarelyRecoverable is not used in DisconnectedFullNodes, only in ConnectedFullNodes, because as you can see by the graph by splitting the 230 node count in two we are not ensured failed recoverability.

[ramin]

i had a good "in person" review of this that was convincing. I'm curious about the effectiveness of the "2 lightnode subnet split brain" test based on how the removed blocks are provisioned from Unrecoverable, but maybe i'm imagining a test that doesn't exist yet (ie: a full node transitions from failing to reconstruct from 1 subnet, to being able to with 2 subnets) but this might just be my limited grasp

[walldiss]

Random thought: Just curious, if it would still work same for similar topology, but for more than 2 full nodes.

[distractedm1nd]

It should, yes

[Wondertan]

Good thought, we need to park this in an issue. @musalbas requested the ability to scale the test in such a way.

[codecov-commenter]

Codecov Report

Merging #2697 (416d090) into main (7c1f8f3) will decrease coverage by 0.05%.
The diff coverage is 83.33%.

@@            Coverage Diff             @@
##             main    #2697      +/-   ##
==========================================
- Coverage   51.37%   51.33%   -0.05%     
==========================================
  Files         159      159              
  Lines       10699    10709      +10     
==========================================
  Hits         5497     5497              
- Misses       4723     4734      +11     
+ Partials      479      478       -1     

Files Changed	Coverage Δ
share/availability/full/testing.go	93.33% <83.33%> (-6.67%)	⬇️

... and 7 files with indirect coverage changes

[renaynay]

should we make this a context.WithCancel and then t.Cleanup the cancel

[Wondertan]

[question]
Where is 230 coming from?

• 24 light nodes(c) are enough when data is not withheld
• Table 1 in the paper states 69 for light nodes(c) as the number for the same k and s as in our test.
• The graph below does not have it either
  
• 2k2k = 1024 total shares in square; 23020 = 4600 max shares clients would sample. Seems too much,

[distractedm1nd]

Again, this case is not covered in the paper. Refer to my description, and I can send you the script so you can verify it for yourself

[Wondertan]

The description didn't describe where 230 is coming from and thus the question.

Again, this case is not covered in the paper
Okay, then I missed some discussion around it because I don't remember such a fact. In my memory, figures from the paper assume withholding attack as it is extensively described in theorems in the same sections as all the plots I am referring to.

Please share the script, I am curious about how it's constructed and would like to play and verify with it. The number 230 feels too much for me when 23 is enough to reconstruct the whole square when data isn't withheld. Did you verify the script with @musalbas

[distractedm1nd]

23 is not enough to reconstruct the whole square with high probability in this case and matches my simulations, which you can verify running yourself. Will send the script over slack

[Wondertan]

I meant 23/24 when data is not withheld, updated the comment.

[distractedm1nd]

https://gist.github.com/distractedm1nd/d2b306da13581b97bbbcefaa5b050738
I apologize for the shitty code, didnt expect it to be read by others :)

[walldiss]

Main loop flow in montle carlo script looks familiar 🙂
If ds.sample(s) would act as noop (for example for share that is withheld), it would mean that given share is not sampled, but you count it as sampled here:

for len(uniqueSamples) < shares {
	s := randomSample(k)
	uniqueSamples[s]++
	ds.sample(s)
}

Could you please clarify, why you count it as sampled, when it is not? Looks like it could lead to less than 20 samples being assigned to each light node and make required amount of light nodes higher that it needs to be.
I have tried to modify the code to be as following, to ensure 20 samples per every light node:

for len(uniqueSamples) < shares {
	s := randomSample(k)
	if ds.sample(s) {
		uniqueSamples[s]++
	}
}

On adjusted calculation algo, probability graph shows, that there is decent chance to do reconstruction for withholding case on amount of light node lower than 230:

[distractedm1nd]

Yes - I tried to match it with the current implementation that does not change the coordinates to sample after failure but just retries. Or is this incorrect?

In any case, seeing how much the numbers improve after this change indicates it should be what we are doing both in IPLD retrieval as well as here in the test. Thank you for looking deeper into this!

[walldiss]

I've checked light availability and seems like it is acting like neither of simulations. 😆 I'll drop my finding into new issue to discuss further.

[walldiss]

#2780

[Wondertan]

[uber nit]

Suggested change

	// commit the batch to ipfs
	// commit the batch to ipld

[Wondertan]

Actually, this looks like a copy of a AddShares. I'm curious why we copy as delete functionality in AddAndWithholdShares looks like we can compose it over the AddShares func.

[distractedm1nd]

It was only copied in the first case because the intention was to use some internal state, but the most recent version just iterates over the adder and ipld Translates the DAH.

So I will see if I can just call AddShares and do the iteration after

[Wondertan]

Good thought, we need to park this in an issue. @musalbas requested the ability to scale the test in such a way.

[Wondertan]

[doc uber nit]
re: subsquare. We call em quadrants and just to decrease confusion we should continue to call em so.

[distractedm1nd]

I do not mean quadrants, look to the image in desc to see what I am referring to

[Wondertan]

[discussion]

Dropping the alternative naming, I have in my mind. There is no actionable here.
DataWithholding(FullyWitheld, PartialyWithheld, UnWithheld)

[distractedm1nd]

Agree with this

[Wondertan]

Suggested change

	// start connection lights with sources
	// connect lights with sources

[Wondertan]

Why do we omit unrecoverable case here?

[Wondertan]

Suggested change

	// NOTE: This test contains cases for barely recoverable but
	// DisconnectedFullNodes does not. The reasoning for this is that
	// DisconnectedFullNodes has the additional contstraint that the data
	// should not be reconstructable from a single subnetwork, while this
	// test only tests that the data is reconstructable once the subnetworks
	// are connected.
	// NOTE: This test contains cases for barely recoverable but
	// DisconnectedFullNodes does not. The reasoning for this is that
	// DisconnectedFullNodes has the additional constraint that the data
	// should not be reconstructible from a single subnetwork, while this
	// test only tests that the data is reconstructible once the subnetworks
	// are connected.

As per Grammarly

[Wondertan]

I need help understanding the reasoning here. Why DisconnectedFullNodes would not have a BarelyRecoverable case? BarelyReconstructible is the worst-case success scenario that, IMO, we should test. Two subnetworks sample the available minimum and the fulls collectively reconstruct.

[distractedm1nd]

Please refer to my description again to see - we also discussed this internally in slack. In order to have 99% confidence with BarelyRecoverable in DisconnectedFullNodes, you cannot use 2 subnetworks, as each subnetwork has a too high probability of the data being reconstructible. This is fine, as it is exactly what ConnectedFullNodes intends to test - that the data is available once connecting the full nodes, WITHOUT the assumption that it is unrecoverable from the independent subnetworks.

[Wondertan]

Sorry if this is being repeated. I still would like to get to the bottom of this.

In order to have 99% confidence with BarelyRecoverable in DisconnectedFullNodes, you cannot use 2 subnetworks, as each subnetwork has a too high probability of the data being reconstructible

Isn't that a sign that 230 is too big of a number if the 115 subnetwork has a very high chance of reconstructing? In other words, is there a number that would give 99% for subnetwork, but ~0% for the whole network? Is there a way to modify the script to support that? Note that my intuition for probabilities is not good.

[walldiss]

So those tests are flaky by nature, which is not good for CI. I did quick math with current suite and it seems those combined have 3% chance to fail. 0.990.99(1-0.007)*(1-0.003) = 0.9703

We should do something about it, but also I think it could be resolved by separate issue. One way to deal with it would be to separate all flaky test into separate CI runner, that is not blocking merge.

[distractedm1nd]

Good point, and we can adjust the LN count to be less at the threshold to decrease flakiness further

[walldiss]

Main loop flow in montle carlo script looks familiar 🙂
If ds.sample(s) would act as noop (for example for share that is withheld), it would mean that given share is not sampled, but you count it as sampled here:

for len(uniqueSamples) < shares {
	s := randomSample(k)
	uniqueSamples[s]++
	ds.sample(s)
}

Could you please clarify, why you count it as sampled, when it is not? Looks like it could lead to less than 20 samples being assigned to each light node and make required amount of light nodes higher that it needs to be.
I have tried to modify the code to be as following, to ensure 20 samples per every light node:

for len(uniqueSamples) < shares {
	s := randomSample(k)
	if ds.sample(s) {
		uniqueSamples[s]++
	}
}

On adjusted calculation algo, probability graph shows, that there is decent chance to do reconstruction for withholding case on amount of light node lower than 230: