test: showcase contention during asset generation, analyse problem and solutions

[gilcu3]

Closes #1175

Notice here we don't deal with the indexer being part of the problem, which we can somehow safely assume as we only face this right after resharings

[gilcu3]

this test focuses on the triples, but the presignatures might have some part in the problem, as they are also computed aggressively after resharing.

[claude]

PR title type suggestion: This PR changes source code files (p2p.rs) in addition to adding tests and documentation, so the type prefix should probably be refactor: instead of test:.

Suggested title: refactor: showcase contention during asset generation, analyse problem and solutions

[claude]

Pull request overview

Adds a self-contained reproduction for issue #1175 ("asset generation impacts signing performance"): a 4-node in-process cluster that measures signing latency in two states — steady (small buffers, idle generation) vs. simulated post-resharing (mainnet-sized buffers, aggressive refill) — and asserts the second case degrades. Also adds a design doc enumerating possible solutions (lower-OS-priority gen runtime, bounded follower fan-out, yield_now(), operational knobs, etc.) without picking one. No production code touched; this is analysis + scaffolding for a follow-up fix PR.

Changes:

• New tests/asset_generation_signing_contention.rs integration test (#[ignore], run manually) that compares signing p50/p90/max under two refill regimes.
• New LatencyReport aggregator built on the average crate (Mean/Quantile/Max), mirroring the threshold-signatures bench utilities.
• Adds average as a dev-dependency for mpc-node and bumps PortSeed::TOTAL_DEFINED_PORTS to allocate ASSET_GENERATION_SIGNING_CONTENTION_TEST = 22.
• Adds docs/design/signing-starvation-solution.md cataloguing root-cause facts and candidate fixes A, A.1, B, C, plus operational and protocol-level options.

Reviewed changes

Per-file summary

File	Description
Cargo.lock	Pulls in average dev-dep transitively.
crates/node/Cargo.toml	Adds average to [dev-dependencies].
crates/node/src/p2p.rs	Adds ASSET_GENERATION_SIGNING_CONTENTION_TEST PortSeed; bumps TOTAL_DEFINED_PORTS 22 to 23.
crates/node/src/tests.rs	Registers the new test module.
crates/node/src/tests/asset_generation_signing_contention.rs	The reproduction: builds two clusters back-to-back, sends warmup + measured signatures, asserts steady.timeouts == 0 and post_resharing.timeouts > 0 || post_resharing.p50 >= steady.p50 * 2.
docs/design/signing-starvation-solution.md	Root-cause writeup and solution-option catalogue.

Findings

Blocking (must fix before merge):

• None.

Non-blocking (nits, follow-ups, suggestions):

• crates/node/src/tests/asset_generation_signing_contention.rs:96 — gilcu3's open thread is still valid: the test holds PRESIGNATURE_CONCURRENCY and PRESIGNATURES_TO_BUFFER constant across both scenarios, so the "post-resharing" arm only exercises triple-side pressure. The design doc explicitly calls out that presignature pipelines also empty at resharing and that presignature.concurrency is itself a candidate knob (docs/design/signing-starvation-solution.md:95), so the reproduction under-models the very source it documents. Worth either (a) adding a third scenario that also raises presig pressure or (b) tightening the docstring to say "isolates the triple-refill component of Investigate why asset generation impacts signing performance #1175" rather than "post-resharing".
• crates/node/src/tests/asset_generation_signing_contention.rs:175 — the label "post-resharing" is used throughout, but no resharing happens; the test simulates the resulting state by sizing buffers. The module docstring is honest about this, but the function-level naming (buffers_empty: bool, case: u16 with magic 0/1) buries it. A Scenario { Steady, ColdBuffers } enum would let the call sites read measure_signing_latency(Scenario::ColdBuffers) and remove the parallel case argument, which today couples two unrelated concerns (which knobs to use, which port slot to use).
• crates/node/src/tests/asset_generation_signing_contention.rs:42 — the docstring papers over Result::unwrap() on an Err value: Closed panics from indexer/fake.rs during teardown as "pre-existing ... don't affect the result". If a future reader runs this test cold they'll reasonably treat those panics as a regression. Worth either filing a follow-up to fix the shutdown race or linking to an existing issue from the doc comment instead of just describing the symptom.
• crates/node/src/tests/asset_generation_signing_contention.rs:296 — the disjunctive assertion (timeouts > 0 || p50 >= steady.p50 * 2) means a cluster that fails to bring up in the second arm (zero signatures complete, so all timeouts) is indistinguishable from a cluster that degrades under load. The steady-state harness check at line 292 only validates the first run; consider also asserting post_resharing.n_ok > 0 (or a minimum success count) so genuine setup failure does not masquerade as the bug being reproduced.
• docs/design/signing-starvation-solution.md:36 — option labels skip from A/A.1/B/C straight to "Lower presignature.concurrency" / "Reduce SUPPORTED_TRIPLE_GENERATION_BATCH_SIZE" / "E", with no D. Minor, but if downstream PRs reference these by letter the numbering will be confusing — either rename the unlabelled ones D and F, or drop the lettering entirely and reference them by name.

✅ Approved

[claude]

PR title type suggestion: This PR changes source code files (p2p.rs) along with tests and docs, so the type prefix should probably be fix: or perf: instead of test:. The test: type is for test-only changes.

Suggested title: perf: reduce contention during asset generation or fix: address signing starvation in asset generation

[gilcu3]

Notice this would not be executed in CI. The plan is to have it so that once the fixes are applied we can check if the behavior changes

[netrome]

Thanks for investigating and writing this up. I'm experiencing some issues running the test, but since it's ignored I don't consider it a hard blocker.

[netrome]

Oh didn't know until now the MetaNameValueStr syntax was supported for ignore attributes https://doc.rust-lang.org/reference/attributes/testing.html#r-attributes.testing.ignore.reason

Not sure what the benefit over a normal comment is 🤔

[netrome]

(I also didn't know this was called MetaNameValueStr until now when I looked it up 😅 )

[netrome]

Oh this sounds exactly like the kind of work tokio::spawn_blocking is for. Alternatively we should consider inserting more await points.

[gilcu3]

Oh this sounds exactly like the kind of work tokio::spawn_blocking is for.

Yes, that should at least fix the contention problem on the tokio runtime.

Are we considering adding waiting points inside the crypto implementation?

[netrome]

This is per network peer? Since we typically have ~10 participants this doesn't sound like it should be any problem.

[gilcu3]

I think it is, because each peer launches 2 batch triple computations (64 triples each batch) at the same time. So when we compute the load after resharing, it scales linearly with the number of participants.

Basically with 10 nodes, right after resharing, each node now will start concurrently computing 64102 triples, and 16 (presignature concurrency) * 10 presignatures (as soon as triples becomes available). That seems like a lot, but the important bit is that due to work started by peers, it scales linearly in each node.

[netrome]

Sure, but this problem was observed before we ran two CaitSith domains.

[gilcu3]

Right, that just maybe made it a bit worse, although as they share triples, and we also decreased the # triples from 1M to 16K, probably we never really observed the diff.

[netrome]

Yes, this sounds like something we should have added already. Should be a no-brainer for any CPU kind of work.

[gilcu3]

The one things I am not 100% sure of is if triple generation is just CPU bound, or the network has also a big influence.

[netrome]

Yeah definitely worth exploring, unless we go with E at which point this shouldn't matter as much.

[netrome]

I would much prefer not to add additional runtimes, but if not E and possibly C helps with this we should definitely consider something like this.

[netrome]

Hmm I tried to run this on my machine now and I'm getting this error:

    thread 'tests::asset_generation_signing_contention::signing_latency__should_degrade_under_concurrent_asset_generation' (419399) panicked at crates/node/src/tests/asset_generation_signing_contention.rs:292:5:
    assertion `left == right` failed: steady-state baseline should not time out; harness is unhealthy

anything you recognize?

[gilcu3]

we discussed in the thread, probably due to the use of test-release mode