feat(blockchain): cap aggregation job children to 2 (binary merge)#482
feat(blockchain): cap aggregation job children to 2 (binary merge)#482MegaRedHand wants to merge 3 commits into
Conversation
select_proofs_greedily picked as many existing proofs as fit the greedy coverage criterion, with no upper bound. Uncapped child counts have previously driven debug builds to stack-overflow in leanVM's rec_aggregation, and an unbounded N-way merge isn't far from leanVM's own hard cap (MAX_RECURSIONS = 16), at which point a group would fail to aggregate outright. Cap each aggregation job at 2 children, forcing pairwise (binary) merges. Proofs left uncovered by the cap stay in the new/known buffers and get merged in a later aggregation round instead of being dropped.
🤖 Kimi Code ReviewOverall Assessment: This is a well-executed safety fix that prevents stack overflow in recursive verification by capping aggregation arity to binary merges. The implementation is correct and the test coverage is thorough. Minor Suggestions
Consensus Safety Check
Code Quality
Conclusion: LGTM. The change correctly bounds recursion depth while preserving liveness (uncovered proofs remain in buffers for subsequent rounds) and safety (aggregation correctness is maintained). Automated review by Kimi (Moonshot AI) · kimi-k2.5 · custom prompt |
🤖 Codex Code ReviewFindings
Notes I did not see a direct memory-safety or consensus-validation bug in the narrow diff itself, but Item 1 is a real aggregation-progress regression. I could not run Automated review by OpenAI Codex · gpt-5.4 · custom prompt |
🤖 Claude Code ReviewGood, confirms test helpers are valid. I now have enough context to write the review. Review: cap aggregation job children to 2 (binary merge)Overall: Sound, narrowly-scoped fix with good test coverage. The core logic in A few things worth confirming/calling out:
No correctness, security, or memory-safety issues found in the diff itself. The change is a safe, well-justified narrowing of existing behavior. Automated review by Claude (Anthropic) · sonnet · custom prompt |
Greptile SummaryThis PR changes interval-2 proof aggregation to use binary merges. The main changes are:
Confidence Score: 5/5The changed flow looks mergeable after a small cleanup to proof selection ordering.
crates/blockchain/src/aggregation.rs
|
| Filename | Overview |
|---|---|
| crates/blockchain/src/aggregation.rs | Adds the binary child cap and tests it, with one ordering issue where new proofs can fill the cap before better known proofs are considered. |
Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 1
crates/blockchain/src/aggregation.rs:347
**Priority Bucket Hides Better Proofs**
When `new_proofs` contains two small disjoint proofs, this loop reaches the child cap before `known_proofs` is examined. A known proof for the same root that covers many more validators is skipped, so `build_job` receives a smaller `covered` set and can produce a heavier, lower-coverage aggregate even though the same two-child limit could have reused the better proof.
Reviews (1): Last reviewed commit: "feat(blockchain): cap aggregation job ch..." | Re-trigger Greptile
| @@ -337,7 +347,7 @@ fn select_proofs_greedily( | |||
| for proof_set in [new_proofs, known_proofs] { | |||
There was a problem hiding this comment.
Priority Bucket Hides Better Proofs
When new_proofs contains two small disjoint proofs, this loop reaches the child cap before known_proofs is examined. A known proof for the same root that covers many more validators is skipped, so build_job receives a smaller covered set and can produce a heavier, lower-coverage aggregate even though the same two-child limit could have reused the better proof.
Prompt To Fix With AI
This is a comment left during a code review.
Path: crates/blockchain/src/aggregation.rs
Line: 347
Comment:
**Priority Bucket Hides Better Proofs**
When `new_proofs` contains two small disjoint proofs, this loop reaches the child cap before `known_proofs` is examined. A known proof for the same root that covers many more validators is skipped, so `build_job` receives a smaller `covered` set and can produce a heavier, lower-coverage aggregate even though the same two-child limit could have reused the better proof.
How can I resolve this? If you propose a fix, please make it concise.
Summary
select_proofs_greedily(committee-signature aggregation worker, interval 2) picked every existing proof that added new validator coverage, with no upper bound on how many became children of one aggregation job.Why
Uncapped child counts have previously driven debug builds to stack-overflow in leanVM's
rec_aggregation, and an unbounded N-way merge approaches leanVM's own hard cap (MAX_RECURSIONS = 16), beyond which a group fails to aggregate outright. Bounding to 2 keeps recursive verification cost per round small and predictable.Scoped to the interval-2 aggregation worker (
crates/blockchain/src/aggregation.rs) only; block-building compaction and reaggregate.rs have their own greedy-selection sites left untouched.Test plan
cargo test -p ethlambda-blockchain --lib— 42 passed (3 new tests covering: cap within one set, cap across new+known combined, early-stop when no new coverage)cargo fmt --all -- --checkcargo clippy -p ethlambda-blockchain --all-targets -- -D warnings