consensus: proposer self-verifies its own vote extension before broad…#42
Closed
satyakwok wants to merge 24 commits into
Fixed a UX hiccup: `RPC.BroadcastTxSync()` calls `appMempool.CheckTx()` that limited retries. With Krakatoa's mempool that meant you couldn't resubmit a cosmos tx if your balance was low, for example. This PR drops the tx hash from the "seen cache" after a delay, letting you resubmit while still protecting the node from DoS.

Closes STACK-2402

---

#### PR checklist

- [x] Tests written/updated
- [ ] Changelog entry added in `CHANGELOG.md`
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

Improves height validation in state and execution. --------- Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
…#5773) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.49.0 to 0.50.0.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

…ometbft#5593)

---

#### PR checklist

Fix a bug in handleRequests where the panic recovery defer function would attempt to unlock appMtx even when the lock was never acquired.

- [x] Tests written/updated
- [x] Changelog entry added in `.changelog` (we use [unclog](https://github.com/informalsystems/unclog) to manage our changelog)
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments

---------

Co-authored-by: Alex | Cosmos Labs <alex@cosmoslabs.io>
Co-authored-by: Dmitry S <11892559+swift1337@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.52.0 to 0.53.0.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Co-authored-by: Dmitry S <11892559+swift1337@users.noreply.github.com>

…ts) (cometbft#5695)

## Summary

- Skip `fsync` (`WriteSync`) for `BlockPartMessage` in the consensus WAL's `receiveRoutine`, using buffered `Write` instead
- Only signed messages (`VoteMessage`, `ProposalMessage`) retain `WriteSync` for double-signing prevention
- Adds explicit type-switch with `default: panic` to prevent future signed message types from silently bypassing fsync
- Replaces stale TODO in `replay_test.go` with documentation of the selective-fsync approach

## Safety analysis

**Why signed messages MUST keep `WriteSync`:**

- Pre-sign `FlushAndSync` ensures WAL replay reaches the same deterministic state
- Post-sign `WriteSync` ensures the signed message is durable before `handleMsg` processes/broadcasts it
- Without this, crash-replay could re-sign a different vote → equivocation

**Why `BlockPartMessage` can safely use `Write`:**

1. Block parts are unsigned data chunks derived from the proposal block
2. On crash: proposal exists (fsynced), some block parts may be missing → round times out → consensus proceeds
3. The periodic 2-second WAL flush (`processFlushTicks`) eventually flushes them
4. Any subsequent `WriteSync` (vote) or `FlushAndSync` (pre-sign) also flushes buffered block parts
5. `EndHeightMessage` uses `WriteSync`, which flushes ALL buffered writes before the end marker

**Defensive measures:**

- Explicit `case *BlockPartMessage` (not `default`) ensures new message types panic rather than silently bypassing fsync
- `default: panic("unexpected internal message type")` with SAFETY comment for future maintainers
- WAL `Write` failure panics (matches `WriteSync` behavior) since write errors indicate disk failure

## Benchmark results (Apple M1 Max SSD)

```
BenchmarkWALWrite-10                             ~1μs/op     1680 B/op   13 allocs/op
BenchmarkWALWriteSync-10                         ~4.4ms/op   1680 B/op   13 allocs/op
BenchmarkWALRoundSimulation/AllWriteSync-10      ~233ms/round
BenchmarkWALRoundSimulation/SelectiveFsync-10    ~9.3ms/round (~25x faster)
```

---

#### PR checklist

- [x] Tests written/updated
- [x] Changelog entry added in `CHANGELOG.md`
- [x] Updated relevant documentation (`docs/` or `spec/`) and code comments

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Dmitry S <11892559+swift1337@users.noreply.github.com>

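The selective-fsync policy in the commit message above, as an added example that is not CometBFT code. The message type names are borrowed from the commit message with simplified fields; `memWAL`, `persist`, `persistChecked`, `kind`, `timeoutInfo` and `simulateRound` are hypothetical names for an in-memory model in which a crash discards everything that was never synced.

```go
package main

import "fmt"

// Simplified stand-ins for the message types named in the commit message.
type ProposalMessage struct{ Height int64 }
type VoteMessage struct{ Height int64 }
type BlockPartMessage struct{ Index int }

// timeoutInfo stands for a message type the switch was never taught about.
type timeoutInfo struct{}

// memWAL models a write-ahead log: Write only buffers, WriteSync flushes
// the whole buffer and counts as one fsync. crash drops unsynced entries.
type memWAL struct {
	buffered []any
	durable  []any
	syncs    int
}

func (w *memWAL) Write(m any) { w.buffered = append(w.buffered, m) }

func (w *memWAL) WriteSync(m any) {
	w.buffered = append(w.buffered, m)
	w.durable = append(w.durable, w.buffered...)
	w.buffered = nil
	w.syncs++
}

func (w *memWAL) crash() { w.buffered = nil }

// persist applies the policy: signed messages are made durable before they
// can be processed or broadcast, unsigned block parts are only buffered.
func persist(w *memWAL, m any) {
	switch m.(type) {
	case *VoteMessage, *ProposalMessage:
		w.WriteSync(m)
	case *BlockPartMessage:
		w.Write(m)
	default:
		// SAFETY: an unknown type must not fall into the buffered path,
		// otherwise a future signed message could silently skip fsync.
		panic("unexpected internal message type")
	}
}

// persistChecked turns the panic into an error so callers can observe it.
func persistChecked(w *memWAL, m any) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("rejected message: %v", r)
		}
	}()
	persist(w, m)
	return nil
}

func kind(m any) string {
	switch m.(type) {
	case *ProposalMessage:
		return "proposal"
	case *VoteMessage:
		return "vote"
	case *BlockPartMessage:
		return "part"
	}
	return "unknown"
}

// simulateRound writes proposal, two parts, a vote and a trailing part,
// then crashes. It returns what survived and how many fsyncs were paid.
func simulateRound() (durable []string, syncs int) {
	w := &memWAL{}
	round := []any{
		&ProposalMessage{Height: 1},
		&BlockPartMessage{Index: 0},
		&BlockPartMessage{Index: 1},
		&VoteMessage{Height: 1},
		&BlockPartMessage{Index: 2}, // buffered only, lost in the crash
	}
	for _, m := range round {
		persist(w, m)
	}
	w.crash()
	for _, m := range w.durable {
		durable = append(durable, kind(m))
	}
	return durable, w.syncs
}

func main() {
	durable, syncs := simulateRound()
	fmt.Println("durable after crash:", durable, "fsyncs:", syncs)
	fmt.Println("unknown type:", persistChecked(&memWAL{}, timeoutInfo{}))
}
```

The signed vote and everything buffered before it survive the crash, while only the trailing unsigned part is lost, which is the case the commit message argues a round timeout recovers from.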
Closes STACK-2679

---

#### PR checklist

- [x] Tests written/updated
- [x] Changelog entry added in `CHANGELOG.md`
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments

…ometbft#5811) Bumps [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) from 3.0.1 to 3.0.2.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

cometbft#5823) Bumps [github.com/Masterminds/semver/v3](https://github.com/Masterminds/semver) from 3.4.0 to 3.5.0.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…#5820) Return immediately when a witness reports conflicting headers or proposer-priority divergence so the detector cannot treat a mismatch as a valid match. Add a detector test that keeps header hashes equal while diverging proposer priorities to verify ErrProposerPrioritiesDiverge is returned.

---

#### PR checklist

- [x] Tests written/updated
- [x] Changelog entry added in `CHANGELOG.md`
- [x] Updated relevant documentation (`docs/` or `spec/`) and code comments

---------

Co-authored-by: Matt Acciai <matt@cosmoslabs.io>

…tbft#5835)

---

#### PR checklist

- [ ] Tests written/updated
- [ ] Changelog entry added in `CHANGELOG.md`
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments

…#5814)

## Summary

Fix the failing CI at https://github.com/cometbft/cometbft/actions/runs/25421557069/job/74564693795?pr=5837

`TestByzantinePrevoteEquivocation` was sporadically timing out on CI under the `-race` detector. The root cause was goroutine leaks: subscriptions were created with `context.Background()`, so the subscriber goroutines had no clean exit path when a block with evidence never arrived — they blocked forever on `sub.Out()`, leaked across tests, and exhausted resources on the runner.

## Changes

- Replace `for range sub.Out()` with a `select` that also handles `sub.Canceled()`, so goroutines exit cleanly when the eventbus stops during test cleanup
- Add `subErrCh` to surface unexpected subscription cancellation errors instead of silently swallowing them

## Test plan

- [x] `go test ./consensus/... -run TestByzantinePrevoteEquivocation -v -count=1` passes locally
- [x] CI passing

cometbft#5815) The same deadlock pattern existed across multiple consensus tests in `state_test.go`, `replay_test.go`, and `node_test.go`:

- The consensus goroutine holds `cs.mtx` while publishing a vote event and blocks until the test drains it.
- The test calls `cs.GetRoundState()` (which acquires `cs.mtx`) between receiving the proposal event and draining the vote channel.
- Both sides wait on each other until `go test -timeout` aborts the run.

**Fix:** make `ensureNewProposal` return the `types.BlockID` from the `EventDataCompleteProposal` it already reads. All call sites that only needed `ProposalBlock.Hash()` and `ProposalBlockParts.Header()` now use `blockID.Hash` and `blockID.PartSetHeader` directly. For sites that need the full `ProposalBlock` (e.g. `Time`, `Txs`) but only use it after channel drains, `GetRoundState()` is deferred to after those drains.

**Files fixed:**

- `consensus/common_test.go`: `ensureNewProposal` now returns `types.BlockID`
- `consensus/state_test.go`: 13 call sites fixed across 11 tests
- `consensus/replay_test.go`: 6 call sites fixed in `setupChainWithChangingValidators`
- `node/node_test.go`: 4 tests fixed to not bind the hardcoded GRPC port 36658, preventing address-in-use failures when tests run in parallel

#### PR checklist

- [x] Tests written/updated
- [ ] Changelog entry added in `CHANGELOG.md`
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments

---

#### PR checklist

- [ ] Tests written/updated
- [ ] Changelog entry added in `CHANGELOG.md`
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments

…heckFull (cometbft#5837)

---

Fix the failing CI at https://github.com/cometbft/cometbft/actions/runs/25390468582/job/74463272144.

Two independent atomics (`isRechecking`, `recheckFull`) had a race: `setDone()` cleared them in two separate stores, and `setRecheckFull()` (called outside the write lock) could read stale `isRechecking=true` between the two stores and overwrite the already-cleared `recheckFull` back to true, causing `CheckTx` to spuriously return `ErrRecheckFull`.

Replace with a single atomic.Int32 (idle/active/full). `setDone()` is now one `Store(idle)` with no race window; `setRecheckFull()` uses CAS(active→full), so idle→full is impossible.

Add `TestRecheckStateMachine` to pin the state transitions and the idle→full invariant.

#### PR checklist

- [x] Tests written/updated
- [x] Changelog entry added in `CHANGELOG.md`
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments

---------

Co-authored-by: mattac21 <matt@cosmoslabs.io>

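The race and the single-word fix described in the commit message above, as an added example that is not CometBFT code. The flag and method names come from the commit message; the struct layouts, the `between` hook that replays the bad interleaving deterministically, and the helpers `racyOutcome`, `lateFullRejected` and `stress` are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// racyRecheck models the two-flag design: each flag is atomic on its own,
// but the pair is not updated as one unit.
type racyRecheck struct {
	isRechecking atomic.Bool
	recheckFull  atomic.Bool
}

// setDone clears the flags in two separate stores. between is a test hook
// standing in for another goroutine scheduled inside that window.
func (r *racyRecheck) setDone(between func()) {
	r.recheckFull.Store(false)
	if between != nil {
		between()
	}
	r.isRechecking.Store(false)
}

func (r *racyRecheck) setRecheckFull() {
	if r.isRechecking.Load() { // may still read true inside the window
		r.recheckFull.Store(true)
	}
}

// The fix: one word holds the whole state.
const (
	stateIdle int32 = iota
	stateActive
	stateFull
)

type recheck struct{ state atomic.Int32 }

func (r *recheck) start()   { r.state.Store(stateActive) }
func (r *recheck) setDone() { r.state.Store(stateIdle) }

// setRecheckFull only moves active -> full, so a late caller cannot turn
// an idle tracker into a full one.
func (r *recheck) setRecheckFull() bool {
	return r.state.CompareAndSwap(stateActive, stateFull)
}

func (r *recheck) isFull() bool { return r.state.Load() == stateFull }

// racyOutcome replays the interleaving from the commit message.
func racyOutcome() (rechecking, full bool) {
	r := &racyRecheck{}
	r.isRechecking.Store(true)
	r.setDone(r.setRecheckFull)
	return r.isRechecking.Load(), r.recheckFull.Load()
}

// lateFullRejected calls setRecheckFull after setDone on the fixed type.
func lateFullRejected() (swapped bool, state int32) {
	r := &recheck{}
	r.start()
	r.setDone()
	swapped = r.setRecheckFull()
	return swapped, r.state.Load()
}

// stress races many setRecheckFull callers against one setDone. Whatever
// the schedule, the tracker ends idle: a CAS before the store is
// overwritten by it, and a CAS after it fails.
func stress(writers int) int32 {
	r := &recheck{}
	r.start()
	var wg sync.WaitGroup
	for i := 0; i < writers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			r.setRecheckFull()
		}()
	}
	wg.Add(1)
	go func() {
		defer wg.Done()
		r.setDone()
	}()
	wg.Wait()
	return r.state.Load()
}

func main() {
	rechecking, full := racyOutcome()
	fmt.Printf("two flags: isRechecking=%v recheckFull=%v\n", rechecking, full)
	swapped, state := lateFullRejected()
	fmt.Printf("one word:  swapped=%v state=%d\n", swapped, state)
	fmt.Printf("stress:    final state=%d\n", stress(64))
}
```

With two flags the tracker ends with `recheckFull` set while no recheck is running, which is the stale state the commit message ties to the spurious `ErrRecheckFull`.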
…ote gossip race (cometbft#5839)

---

Fix the CI failure at: https://github.com/cometbft/cometbft/actions/runs/25498058929/job/74823025038

That run revealed two issues:

1. removeTimedoutPeers and onTimeout held pool.mtx while calling sendError, which blocks on errorsCh. The reactor loop (the only consumer) may itself wait for pool.mtx via AddBlock, forming a circular deadlock.
2. The split-delivery of conflicting prevotes required gossip to propagate before height 2 committed, which raced under -race. Fix: send both conflicting prevotes to every peer directly so each validator detects the equivocation without relying on gossip timing.

Follows up on cometbft#5814

#### PR checklist

- [x] Tests written/updated
- [ ] Changelog entry added in `CHANGELOG.md`
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments

…ometbft#5852) Bumps [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) from 3.0.2 to 3.0.3.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

…ometbft#5853) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.17.2 to 5.19.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/go-git/go-git/releases">github.com/go-git/go-git/v5's releases</a>.</em></p> <blockquote> <h2>v5.19.0</h2> <h2>What's Changed</h2> <ul> <li>build: Update module github.com/go-git/go-git/v5 to v5.18.0 [SECURITY] (releases/v5.x) by <a href="https://github.com/go-git-renovate"><code>@go-git-renovate</code></a>[bot] in <a href="https://redirect.github.com/go-git/go-git/pull/2010">go-git/go-git#2010</a></li> <li>v5: Bump sha1cd and go-billy by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/2060">go-git/go-git#2060</a></li> <li>v5: Align object encoding with upstream by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/2065">go-git/go-git#2065</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.18.0...v5.19.0">https://github.com/go-git/go-git/compare/v5.18.0...v5.19.0</a></p> <h2>v5.18.0</h2> <h2>What's Changed</h2> <ul> <li>plumbing: transport/http, Add support for followRedirects policy by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/2004">go-git/go-git#2004</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.17.2...v5.18.0">https://github.com/go-git/go-git/compare/v5.17.2...v5.18.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/go-git/go-git/commit/bc930f4cbe095a3e1d49273655f73fcef7d41a42"><code>bc930f4</code></a> Merge pull request <a href="https://redirect.github.com/go-git/go-git/issues/2065">#2065</a> from go-git/commit-v5</li> <li><a 
href="https://github.com/go-git/go-git/commit/d315264343cead712aa9eb56475c2ec96f5ecef1"><code>d315264</code></a> plumbing: object, Reset object before decode</li> <li><a href="https://github.com/go-git/go-git/commit/6e1d34890a4dae8a0df738e531234bd60b7e9b66"><code>6e1d348</code></a> plumbing: object, Align Tree handling with upstream</li> <li><a href="https://github.com/go-git/go-git/commit/e134ba34cf95ed0167e5b1df36a933d7bde9d02d"><code>e134ba3</code></a> tests: Skip double checks in Git v2.11</li> <li><a href="https://github.com/go-git/go-git/commit/1971422f6b1bec9176061b3293306981cfff981e"><code>1971422</code></a> tests: Add git conformance tests for signing verification</li> <li><a href="https://github.com/go-git/go-git/commit/a387aa8857a8fbba8e74b7f5485e9e030669ab5d"><code>a387aa8</code></a> plumbing: object, Add ErrMalformedTag</li> <li><a href="https://github.com/go-git/go-git/commit/f415670d906b5c6169d1fdc64f3f9f1d33eb6f9c"><code>f415670</code></a> plumbing: object, Decode Tag headers via a state machine</li> <li><a href="https://github.com/go-git/go-git/commit/5b0cd38a62e2336bb5f1a2ad0eb8ac8f9e7b740e"><code>5b0cd38</code></a> plumbing: object, Reject multi-signature commits at Verify</li> <li><a href="https://github.com/go-git/go-git/commit/fe8ed6223a6079d9fd84d853362a996e7df175fb"><code>fe8ed62</code></a> plumbing: object, Align Tag.EncodeWithoutSignature with Commit</li> <li><a href="https://github.com/go-git/go-git/commit/98e337d5bdc4c0536a40ab7381b2231f7e0b15cd"><code>98e337d</code></a> plumbing: object, Add support for Tag.SignatureSHA256</li> <li>Additional commits viewable in <a href="https://github.com/go-git/go-git/compare/v5.17.2...v5.19.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
cometbft#5860)

---

Adds additional validation to blocksync, ensuring _before response unmarshalling_ that we have made a `BlockRequest` to the peer that is sending us a `BlockResponse` recently, and also that the response contains a valid amount of commit signatures (not > MaxVoteCount).

To do this preunmarshal validation, we have added a `MsgBytesFilter` interface that `Reactors` can implement. Currently only `BLOCKSYNC` does. The `FilterMsgBytes` function is called for both comet P2P and libp2p implementations, inside of the `onReceive` function when setting up a peer for comet p2p, and inside of `handleStream` for libp2p, just before unmarshalling the message in both.

#### PR checklist

- [x] Tests written/updated
- [x] Changelog entry added in `CHANGELOG.md`
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments
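An added sketch (not CometBFT's code) of the signature-count half of this pre-unmarshal check: it walks the raw protobuf wire bytes and stops as soon as the count passes the bound, so an oversized response is rejected without building a message object. The names `filterMsgBytes` and `countField`, the field path and the bound of 3 are assumptions made for the example; the recent-`BlockRequest` check is not shown.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical names and demo values; sigPath is a constructed field layout
// (response=3 > block=1 > last_commit=4 > signatures=4), not the real schema.
const maxVoteCount = 3

var (
	sigPath        = []uint64{3, 1, 4, 4}
	errTooManySigs = errors.New("more commit signatures than maxVoteCount")
	errMalformed   = errors.New("malformed wire bytes")
)

// countField walks raw protobuf wire bytes along path (nested length-delimited
// fields) and counts the last field, returning early once past limit.
func countField(b []byte, path []uint64, limit int) (n int, err error) {
	for len(b) > 0 && n <= limit {
		tag, k := binary.Uvarint(b)
		if k <= 0 {
			return 0, errMalformed
		}
		b, k = b[k:], 0
		switch tag & 7 {
		case 0: // varint
			_, k = binary.Uvarint(b)
		case 1: // fixed64
			k = 8
		case 5: // fixed32
			k = 4
		case 2: // length-delimited, possibly a message on our path
			l, p := binary.Uvarint(b)
			if p <= 0 || l > uint64(len(b)-p) {
				return 0, errMalformed
			}
			k = p + int(l)
			if m := 1; tag>>3 == path[0] {
				if len(path) > 1 {
					m, err = countField(b[p:k], path[1:], limit-n)
				}
				n += m
			}
		}
		if err != nil || k <= 0 || k > len(b) {
			return 0, errMalformed
		}
		b = b[k:]
	}
	return n, nil
}

// filterMsgBytes is the pre-unmarshal check: it never builds a message object.
func filterMsgBytes(raw []byte) error {
	n, err := countField(raw, sigPath, maxVoteCount)
	if err == nil && n > maxVoteCount {
		err = errTooManySigs
	}
	return err
}

// ld encodes one length-delimited field; sample is a constructed response.
func ld(num uint64, body []byte) []byte {
	return append(binary.AppendUvarint(binary.AppendUvarint(nil, num<<3|2), uint64(len(body))), body...)
}
func sample(sigs int) []byte { return ld(3, ld(1, ld(4, bytes.Repeat(ld(4, []byte{0xAA}), sigs)))) }

func main() {
	fmt.Println(filterMsgBytes(sample(3)), filterMsgBytes(sample(4)))
}
```

Repeated occurrences of the same nested message are counted together, which matches how a protobuf decoder would merge them.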
…bft#5854) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.80.0 to 1.81.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/grpc/grpc-go/releases">google.golang.org/grpc's releases</a>.</em></p> <blockquote> <h2>Release 1.81.0</h2> <h1>Behavior Changes</h1> <ul> <li>balancer/rls: Switch gauge metrics to asynchronous emission (once per collection cycle) to reduce telemetry noise and align with other gRPC language implementations. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8808">#8808</a>)</li> </ul> <h1>Dependencies</h1> <ul> <li>Minimum supported Go version is now 1.25. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8969">#8969</a>)</li> </ul> <h1>Bug Fixes</h1> <ul> <li>xds: Use the leaf cluster's security config for the TLS handshake instead of the aggregate cluster's config. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8956">#8956</a>)</li> <li>transport: Send a <code>RST_STREAM</code> when receiving an <code>END_STREAM</code> when the stream is not already half-closed. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8832">#8832</a>)</li> <li>xds: Fix ADS resource name validation to prevent a panic. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8970">#8970</a>)</li> </ul> <h1>New Features</h1> <ul> <li>grpc/stats: Add support for custom labels in per-call metrics (<a href="https://github.com/grpc/proposal/blob/master/A108-otel-custom-per-call-label.md">gRFC A108</a>). (<a href="https://redirect.github.com/grpc/grpc-go/issues/9008">#9008</a>)</li> <li>xds: Add support for Server Name Indication (SNI) and SAN validation (<a href="https://github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md">gRFC A101</a>). Disabled by default. To enable, set <code>GRPC_EXPERIMENTAL_XDS_SNI=true</code> environment variable. 
(<a href="https://redirect.github.com/grpc/grpc-go/issues/9016">#9016</a>)</li> <li>xds: Add support to control which fields get propagated from ORCA backend metric reports to LRS load reports (<a href="https://github.com/grpc/proposal/blob/master/A85-lrs-custom-metrics-changes.md">gRFC A85</a>). Disabled by default. To enable, set <code>GRPC_EXPERIMENTAL_XDS_ORCA_LRS_PROPAGATION=true</code>. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9005">#9005</a>)</li> <li>xds: Add metrics to track xDS client connectivity and cached resource state (<a href="https://github.com/grpc/proposal/blob/master/A78-grpc-metrics-wrr-pf-xds.md">gRFC A78</a>). (<a href="https://redirect.github.com/grpc/grpc-go/issues/8807">#8807</a>)</li> <li>stats/otel: Enhance <code>grpc.subchannel.disconnections</code> metric by adding disconnection reason to the <code>grpc.disconnect_error</code> label (<a href="https://github.com/grpc/proposal/blob/master/A94-subchannel-otel-metrics.md">gRFC A94</a>). This provides granular insights into why subchannels are closing. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8973">#8973</a>)</li> <li>mem: Add <code>mem.Buffer.Slice()</code> API to slice the buffer like a slice. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8977">#8977</a>) <ul> <li>Special Thanks: <a href="https://github.com/ash2k"><code>@ash2k</code></a></li> </ul> </li> </ul> <h1>Performance Improvements</h1> <ul> <li>alts: Pool read buffers to lower memory utilization when sockets are unreadable. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8964">#8964</a>)</li> <li>transport: Pool HTTP/2 framer read buffers to reduce idle memory consumption. Currently limited to Linux for ALTS and non-encrypted transports (TCP, Unix). To disable, set <code>GRPC_GO_EXPERIMENTAL_HTTP_FRAMER_READ_BUFFER_POOLING=false</code> and report any issues. 
(<a href="https://redirect.github.com/grpc/grpc-go/issues/9032">#9032</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/grpc/grpc-go/commit/cb18228317ff523e63d931b4058b0329585b7dcd"><code>cb18228</code></a> Change version to 1.81.0 (<a href="https://redirect.github.com/grpc/grpc-go/issues/9062">#9062</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/96748f973e20bbfcafa19a8bdffc85ad5da138d1"><code>96748f9</code></a> Cherry-pick <a href="https://redirect.github.com/grpc/grpc-go/issues/9105">#9105</a> to 1.81.x (<a href="https://redirect.github.com/grpc/grpc-go/issues/9106">#9106</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/91832222f0144f76527b630ca55cfea6e1aa015a"><code>9183222</code></a> Cherry pick <a href="https://redirect.github.com/grpc/grpc-go/issues/9055">#9055</a>, <a href="https://redirect.github.com/grpc/grpc-go/issues/9032">#9032</a> to v1.81.x (<a href="https://redirect.github.com/grpc/grpc-go/issues/9095">#9095</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/5cba6da4211f3b130238c792937f5921741b616a"><code>5cba6da</code></a> Revert "deps: update dependencies for all modules (<a href="https://redirect.github.com/grpc/grpc-go/issues/9065">#9065</a>)" (<a href="https://redirect.github.com/grpc/grpc-go/issues/9067">#9067</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/af8a9364aa7523ab24d214e9ef13e6ad64d5c5f9"><code>af8a936</code></a> deps: update dependencies for all modules (<a href="https://redirect.github.com/grpc/grpc-go/issues/9065">#9065</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/cdc60dfaaadde45e16aa3c28237c0e655a722c1a"><code>cdc60df</code></a> transport: optimize heap allocations in ready reader and update syscall conne...</li> <li><a href="https://github.com/grpc/grpc-go/commit/208d053e3204c806ba9e6205c26aa064c8b42852"><code>208d053</code></a> xds/resolver: pass complete XDSConfig in RPC context for HTTP filters 
(gRFC A...</li> <li><a href="https://github.com/grpc/grpc-go/commit/50fe1cc7fd78b78ae638ed90ea78514c934167ac"><code>50fe1cc</code></a> test: Fix flaky test <code>TestServerStreaming_ClientCallRecvMsgTwice</code> in `end2end...</li> <li><a href="https://github.com/grpc/grpc-go/commit/d574bad188f25ba03d41a506e6f2ef93837ad10b"><code>d574bad</code></a> build(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 (<a href="https://redirect.github.com/grpc/grpc-go/issues/9050">#9050</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/b8bf4d0488a351c563d63797ffba321585d6bb24"><code>b8bf4d0</code></a> build(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 in /inte...</li> <li>Additional commits viewable in <a href="https://github.com/grpc/grpc-go/compare/v1.80.0...v1.81.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Co-authored-by: Matt Acciai <matt@cosmoslabs.io>
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.53.0 to 0.54.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/net/commit/b138e06246cb323f2f380c2b7f7dd91f581dd56b"><code>b138e06</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/net/commit/689f70a42abd350f3a1aaa70b0d13eb9543d927a"><code>689f70a</code></a> quic: fix wrong final size being used for RESET_STREAM frame</li> <li><a href="https://github.com/golang/net/commit/208f306b2f0fd008b388bee2c2644be279778e94"><code>208f306</code></a> http3: increase handshake timeout</li> <li><a href="https://github.com/golang/net/commit/49810da71b9026da9e0d028a6ad8c7730c52d9c4"><code>49810da</code></a> http2: enable net/http wrapping when go >= 1.27</li> <li><a href="https://github.com/golang/net/commit/5e11a5ab891c117eda83b4304d60dd13286c1c76"><code>5e11a5a</code></a> quic: fix data race in streamForFrame</li> <li><a href="https://github.com/golang/net/commit/8c63081cd380ea768db5651941614b73472160ff"><code>8c63081</code></a> http2: use empty Transport rather than DefaultTransport in http2wrap</li> <li><a href="https://github.com/golang/net/commit/fc7b466ca49cb204039630533ece4fc557eb35cd"><code>fc7b466</code></a> http2: add http2wrap test</li> <li><a href="https://github.com/golang/net/commit/15c2cb1875fd727313dc4de909b3ee149422fbe2"><code>15c2cb1</code></a> http2: avoid overflowing 32-bit int when http2wrap enabled</li> <li><a href="https://github.com/golang/net/commit/64651885c2f2d745d77af2d7af2edbf568c179af"><code>6465188</code></a> http2: add wrapped Server</li> <li><a href="https://github.com/golang/net/commit/72f419a894cb0597dd5b6bcf119086bf2af41231"><code>72f419a</code></a> http2: add wrapped ClientConn</li> <li>Additional commits viewable in <a href="https://github.com/golang/net/compare/v0.53.0...v0.54.0">compare view</a></li> </ul> </details> <br /> 
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Co-authored-by: Matt Acciai <matt@cosmoslabs.io>
…cast (cometbft#5204)

If the application's ExtendVote produces data that its own VerifyVoteExtension rejects, the chain deadlocks: the proposer happily advances to the next height while every other validator loops verifying the same invalid extension and never reaches 2/3 precommits.

Per the maintainer-blessed Option A in the issue thread, run VerifyVoteExtension on the proposer's own extension immediately after ExtendVote returns. On self-rejection panic with a clear error pointing at the inconsistency between the application's ExtendVote and VerifyVoteExtension handlers — better operator signal than a silent network-wide stall.

Skip self-verify when the extension is empty: an absent-but-required extension is caught downstream by SignAndCheckVote and produces a recoverable error, which is the existing behavior we want to preserve (TestVoteExtensionEnableHeight/'extension absent but required' still passes unchanged).

Test mock for VerifyVoteExtension in TestVoteExtensionEnableHeight is relaxed from Times(numValidators - 1) to unbounded — the new self-verify call makes the exact count timing-dependent; what matters is that the round completes correctly.

Closes cometbft#5204
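An added sketch, not the PR's code, of the self-verification step this commit message describes, including the empty-extension skip. The `app` interface, `priceApp` and its quotes are constructed for the example, and the function returns an error where the commit says the node panics.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// app is a hypothetical stand-in for the application's two handlers.
type app interface {
	ExtendVote(height int64) []byte
	VerifyVoteExtension(height int64, ext []byte) bool
}

var errSelfRejected = errors.New("VerifyVoteExtension rejected this node's own ExtendVote output")

// extendAndSelfVerify fetches the local extension and runs it through the same
// check every other validator will apply, before anything is broadcast.
// An empty extension is passed through for the later signing checks to handle.
func extendAndSelfVerify(a app, height int64) ([]byte, error) {
	ext := a.ExtendVote(height)
	if len(ext) == 0 {
		return nil, nil
	}
	if !a.VerifyVoteExtension(height, ext) {
		return nil, fmt.Errorf("height %d: %w", height, errSelfRejected)
	}
	return ext, nil
}

// priceApp is a constructed oracle-style application with a handler mismatch:
// ExtendVote emits whatever quote() returns, VerifyVoteExtension caps it.
type priceApp struct {
	maxPrice uint64
	quote    func(height int64) uint64 // 0 means "no extension"
}

func (p priceApp) ExtendVote(h int64) []byte {
	if q := p.quote(h); q != 0 {
		return binary.BigEndian.AppendUint64(nil, q)
	}
	return nil
}

func (p priceApp) VerifyVoteExtension(_ int64, ext []byte) bool {
	return len(ext) == 8 && binary.BigEndian.Uint64(ext) <= p.maxPrice
}

// sampleApp returns constructed quotes: none at height 1, 900 at 2, 5000 at 3.
func sampleApp() priceApp {
	quotes := map[int64]uint64{2: 900, 3: 5000}
	return priceApp{maxPrice: 1000, quote: func(h int64) uint64 { return quotes[h] }}
}

func main() {
	a := sampleApp()
	for h := int64(1); h <= 3; h++ {
		ext, err := extendAndSelfVerify(a, h)
		fmt.Printf("height %d: ext=%x err=%v\n", h, ext, err)
	}
}
```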
Author
Closing — this PR was accidentally opened against the Berachain fork. The intended target is upstream cometbft#5864 (same fix, against the upstream consensus codebase). Berachain's fork tracks upstream consensus by sync rather than carrying its own copy of this fix, so a separate upstream PR is the right venue. Sorry for the noise.