BIP 8 - replace FAILING with MUST_SIGNAL #950

pull ajtowns wants to merge 3 commits into bitcoin:master from ajtowns:202007-bip8 changing 4 files +198 −79
  1. ajtowns commented at 5:38 AM on July 26, 2020: contributor

    Prior to this patch bip8 allows for states to go STARTED -> FAILING -> ACTIVE in which case the last block of FAILING state signalling or not signalling would change the consensus rules applied to the very next block. This potentially gives very little warning of an upgrade.

    Additionally, if it is desirable to reduce the timeoutheight for a bip8 deployment (for example from X to Y, Y < X), then activation via lockinontimeout at the shorter height would not result in consistent consensus rules. In particular, implementations would see:

    • timeoutheight=Y, lockinontimeout=true: height Y-2016: STARTED, height Y: LOCKED_IN, height Y+2016: ACTIVE
    • timeoutheight=Y, lockinontimeout=false: height Y-2016: STARTED, height Y: FAILING, height Y+2016: ACTIVE
    • timeoutheight=X, lockinontimeout=*: height Y-2016: STARTED, height Y: STARTED, height Y+2016: LOCKED_IN, height Y+4032: ACTIVE

    This patch also reduces the number of blocks that must signal during the new MUST_SIGNAL phase from the current 100% requirement to the same requirement as needed to trigger from STARTED to LOCKED_IN; this ensures that provided the same threshold is used, if the deployment transitions to LOCKED_IN at height X for any bip8 deployment, it will transition to LOCKED_IN at height X for every bip8 deployment, given the same startheight and timeoutheight > X.

    It also uses the MUST_SIGNAL state to trigger validation rules checking blocks signal. It would be possible to use these rules for checking if reindexing is necessary -- if you added an "impossible" transition from MUST_SIGNAL to INVALID if the threshold isn't met, then reindexing necessary precisely when the current block is INVALID, or MUST_SIGNAL and fails validation, and you need to reindex back to the last STARTED/DEFINED block.

  2. in bip-0008.mediawiki:196 in 30a9c1c8f4 outdated 
     181 | +            }
 182 | +            if (nonsignal + threshold > 2016) {
 183 | +                return state.Invalid(BlockValidationResult::RECENT_CONSENSUS_CHANGE, "blk-bip8-must-signal");
 184 | +            }
 185 | +        }
 186 | +    }
    jonasnick commented at 3:01 PM on July 27, 2020:

    0x2... misses a 0 and the parantheses are wrong (there's at least one opening paranthesis missing). I tested this code a little bit and it seems correct. Nit: Could perhaps be a bit simplified by moving the break condition to the while conditions and moving the nonsignal + count + threshold > 2016 condition somewhere else because the LHS is constant across loop iterations. Perhaps something like

    walk = block;
if (count + threshold >= 2016) {
    while (count > 0  && nonsignal + threshold <= 2016)  {
        ...
        if ... {
            ++nonsignal;
        }
    }
    if (nonsignal + threshold > 2016) {
        return Invalid;
    }
}

    Generally the suggested changes look very reasonable but I can't speak to the p2p relay issues.

    ajtowns commented at 7:07 AM on August 6, 2020:

    count decreases every iteration but nonsignal only increases sometimes, so the LHS is decreasing, which lets the loop exit early (if you've only seen 5 nonsignalling blocks, and there's only 95 more blocks to look at, you'll never get 101 nonsignalling blocks so no need to look any further). Not really very useful to include in the spec though. No real need to skip the loop if the current block signals either, I think which might make the spec a bit simpler.

    ajtowns commented at 8:16 AM on August 6, 2020:

    Updated this

    jonasnick commented at 5:46 PM on August 6, 2020:

    Hmm, not sure why I said the LHS would be constant. But what I meant is that you can leave count out of this as I did in my pseudocode.

    Anyway, the new code passes my tests. So ACK that.

    No real need to skip the loop if the current block signals either,

    Fwiw, the updated code still seems to that with the else if block.

  3. in bip-0008.mediawiki:82 in 30a9c1c8f4 outdated 
      76 | @@ -77,14 +77,14 @@ for the purposes of this proposal, and support two future upgrades for different
  77 |  When a block nVersion does not have top bits 001, it is treated as if all
  78 |  bits are 0 for the purposes of deployments.
  79 |  
  80 | -Miners must continue setting the bit in LOCKED_IN phase so uptake is visible and acknowledged.
  81 | -Blocks without the applicable bit set are invalid during this period.
  82 | -For flexibility, this rule does NOT require the top 3 bits to be set any particular way.
    luke-jr commented at 2:42 AM on August 1, 2020:

    This drops mandatory signalling in the MASF case. Maybe that's okay, but I'm not sure yet. Can you move it to a separate PR?

    ajtowns commented at 7:18 AM on August 6, 2020:

    Well, it drops mandatory signalling to 95% rather than 100%, but MASF won't happen without 95% signalling, so "MASF drops mandatory signalling" is technically saying "miners did 95% signalling to trigger activation, but they didn't do 95% signalling" which doesn't make sense to me... I'm not seeing what a 100% signal period buys over a 95% signal period (and it'd cost either miners or users having to immediately react to seeing it, or and extra month between lockin and activation, with states going STARTED -> PAUSE1 -> ALL_SIGNAL -> PAUSE2 -> ACTIVE assuming users are meant to react based on ALL_SIGNAL rather than the 95% signalling in STARTED)

    luke-jr commented at 10:16 PM on August 6, 2020:

    The 95% is before LOCKED_IN, so fundamentally separate from the mandatory signalling during LOCKED_IN.

    I'm not saying it should definitely be rejected, just that it should be separate from this PR and evaluated independently.

    ajtowns commented at 11:48 PM on August 6, 2020:

    The way I'm looking at the fundamentals is that, at present:

    • miners need to react instantly when they see 95% signalling during STARTED, and do 100% signalling during LOCKED_IN
    • users need to react instantly when they see 100% signalling during FAILING/LOCKED_IN, and start enforcing soft fork rules
    • with lockinontimeout, miners need to signal at 100% at a particular time

    And after this patch:

    • miners don't need to upgrade from 95% signalling to 100% signalling
    • users have a retarget period to react when they see 95% signalling during STARTED/MUST_SIGNAL, and then need to start enforcing the soft fork rules
    • with lockinontimeout, miners are required to signal at 95% at a particular time

    The only reason I can see for "miners need to upgrade from 95% signalling to 100% signalling" is if users want to only react when they see 100% signalling (which would make it more plausible to reduce the activation threshold for a deployment I guess), but to preserve the "don't have to react immediately" that would look add another two retarget periods, something like:

     * STARTED -> THRESHOLD_MET (95% threshold)
 * THRESHOLD_MET -> SIGNAL_ALL (always)
 * SIGNAL_ALL -> LOCKED_IN (always)
 * LOCKED_IN -> ACTIVE (always)
 * STARTED -> LOCKED_IN (100% threshold)

 * all blocks must signal during SIGNAL_ALL
 * STARTED -> LOCKED_IN transition ensures compatibility with lock in via reduced threshold activation

    But if you want to reduce the activation threshold you can just have another deployment like bip91 that signals on a different bit, so instead of STARTED -> THREDHOLD_MET -> SIGNAL_ALL -> LOCKED_IN -> ACTIVE you go (STARTED,STARTED) -> (STARTED,LOCKED_IN) -> (STARTED,ACTIVE) -> (LOCKED_IN,COMPLETE) -> (ACTIVE,COMPLETE) which takes the same amount of time, but doesn't complicate deployments that don't need their threshold reduced. And that approach works even if you change the period length as well as the threshold.

    luke-jr commented at 3:57 PM on October 5, 2020:

    Again, I'm not saying we shouldn't make this change, only that it is logically independent from the rest of the changes here, and should be a separate PR.

  4. in bip-0008.mediawiki:124 in 30a9c1c8f4 outdated 
     120 | @@ -121,7 +121,8 @@ We remain in the initial state until we reach the start block height.
 121 |  After a period in the STARTED state, we tally the bits set,
 122 |  and transition to LOCKED_IN if a sufficient number of blocks in the past period set the deployment bit in their
 123 |  version numbers. The threshold is ≥1916 blocks (95% of 2016), or ≥1512 for testnet (75% of 2016).
 124 | -If the threshold hasn't been met, and we reach the timeout, then we either transition to LOCKED_IN state anyway (if lockinontimeout is true), or we transition to FAILING.
 125 | +If the threshold hasn't been met, and lockinontimeout is true and we are at the last period before the timeout, then we transition to MUST_SIGNAL.
    luke-jr commented at 2:43 AM on August 1, 2020:

    I wonder if we should keep FAILING as an alternative here, for UX only (no logic difference from STARTED).

    ajtowns commented at 7:19 AM on August 6, 2020:

    UX only should be in the code, not in the bip, I think?

    luke-jr commented at 10:18 PM on August 6, 2020:

    Well, the UX side is simply conveying "deployment status". It might be cleaner to recognise a status of "others might be MUST_SIGNAL".

    Buuut... the point of this change is to make it so that could be arbitrarily earlier. So maybe FAILING would be bad to reintroduce in the end.

    ajtowns commented at 2:15 AM on August 7, 2020:

    Maybe ideally you'd somehow track "there's a lower work header chain where the fork has activated, and the tip is not terribly old" and alert based on that?

  5. in bip-0008.mediawiki:188 in 30a9c1c8f4 outdated 
     183 | +                return state.Invalid(BlockValidationResult::RECENT_CONSENSUS_CHANGE, "blk-bip8-must-signal");
 184 | +            }
 185 | +        }
 186 | +    }
 187 | +
 188 | +Implementations should be careful not to ban peers that send blocks that are invalid due to not signalling (or blocks that build on those blocks), as that would allow an incompatible chain that is only briefly longer than the compliant chain to cause a split of the p2p network. If that occurred, nodes that are not enforcing lockinontimeout may not see new blocks in the compliant chain, and thus not reorg to it at the point when it has more work, and would thus not be following the valid chain with the most work.
    luke-jr commented at 2:46 AM on August 1, 2020:

    But even more importantly, nodes enforcing MUST_SIGNAL need to ensure they remain attached to other such nodes.

    ajtowns commented at 8:02 AM on August 6, 2020:

    I think the details of that probably need to be left to the bips that want to deploy via bip-8; they could ensure they remain connected to other nodes by making sure lockinontimeout only happens when everybody is happy with it, in which case no special code is needed; or they could allocate a temporary service flag bit for it and preferentially connect to other nodes that way for some period.

    Still worth mentioning, but nothing's coming to mind as to what to say exactly.

    ajtowns commented at 8:15 AM on August 6, 2020:

    Added a note about this in a separate commit

  6. in bip-0008.mediawiki:246 in 30a9c1c8f4 outdated 
     244 | @@ -227,7 +245,6 @@ https://github.com/bitcoin/bitcoin/compare/master...luke-jr:bip8
 245 |  
 246 |  * The '''lockinontimeout''' flag is added. BIP 9 would only transition to the FAILED state when timeout was reached.
    luke-jr commented at 2:47 AM on August 1, 2020:

    Probably should rephrase this

  7. luke-jr added the label Proposed BIP modification on Aug 1, 2020
  8. ajtowns force-pushed on Aug 6, 2020
  9. ajtowns force-pushed on Aug 6, 2020
  10. ajtowns force-pushed on Aug 6, 2020
  11. ajtowns force-pushed on Aug 6, 2020
  12. ajtowns commented at 12:48 PM on August 6, 2020: contributor

    Updated with some of the comments addressed, and a little restructuring. (EDIT: and rebased on master)

    Corresponding patch at https://github.com/ajtowns/bitcoin/commits/202008-bip8-pr950 -- it's on top of @luke-jr's bip8 branch rebased onto master and with some warnings/errors fixed.

  13. BIP8: add dot file for generating states diagram 770ec1157c
  14. BIP8: replace FAILING with MUST_SIGNAL
    This removes the FAILING state and replaces compulsory signalling during
LOCKED_IN with compulsory signalling during a new MUST_SIGNAL phase during
the last retarget period prior to the timeout height.  Also reduces the
amount of blocks that are required to signal to match the threshold.

This ensures that if a deployment occurs using bip8 with
lockinontimeout=false and timeoutheight=N, that a later deployment using
bip8 with lockinontimeout=true and timeoutheight=K, where K<N that any
chain where LOCKED_IN is reached prior to height K, will be accepted as
valid by nodes using either set of deployment parameters.

It also ensures that the soft-fork's changed rules are only enforced
on chain a retarget period after signalling indicates enforcement is
expected (which was not previously the case if the FAILING to ACTIVE
transition took place).
    f9f02b1ae7
  15. BIP8: add note about keeping lockinontimeout=true peers connected to each other b019d5fce5
  16. ajtowns force-pushed on Aug 6, 2020
  17. in bip-0008.mediawiki:63 in b019d5fce5 
      58 | @@ -59,10 +59,10 @@ With each block and soft fork, we associate a deployment state. The possible sta
  59 |  
  60 |  # '''DEFINED''' is the first state that each soft fork starts out as. The genesis block is by definition in this state for each deployment.
  61 |  # '''STARTED''' for blocks at or beyond the startheight.
  62 | -# '''LOCKED_IN''' for one retarget period after the first retarget period with STARTED blocks of which at least threshold have the associated bit set in nVersion, or for one retarget period after the timeout when '''lockinontimeout''' is true.
  63 | +# '''MUST_SIGNAL''' for one retarget period prior to the timeout, if LOCKED_IN was not reached and '''lockinontimeout''' is true.
  64 | +# '''LOCKED_IN''' for one retarget period after the first retarget period with STARTED blocks of which at least threshold have the associated bit set in nVersion.
    luke-jr commented at 3:55 PM on October 5, 2020:

    ...with STARTED (or MUST_SIGNAL) blocks...

  18. luke-jr commented at 3:57 PM on October 15, 2020: member

    Partially merged this in 3c63846fc2b2a39b615ecce58bb70d649493d806, da9cdd675931fece248e98eaf04e308f28427f67, and 0f683f71f58f05d314cf943700558a82aba63102

  19. luke-jr cross-referenced this on Oct 15, 2020 from issue Replace unused BIP 9 logic with draft BIP 8 by luke-jr
  20. luke-jr closed this on Oct 15, 2020
  21. ajtowns commented at 5:17 AM on October 19, 2020: contributor

    Follow ups in #1019 (wording tweaks) #1020 (signalling non-mandatory during locked in) and #1021 (must signal at 95% threshold instead of 100%)

Contributors
ajtownsjonasnickluke-jr
Labels
Proposed BIP modification
Linked (view graph)
#1019 BIP8: clarify timeoutheight behaviour and requirements#1020 BIP8: Make signalling during LOCKED_IN recommended rather than mandatory#1021 BIP8: allow some MUST_SIGNAL blocks to not signal
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-14 11:10 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me