feat: add a sanity check for sync state of rocksdb vs sqlite, minor partitioning changes

[drahnr]

From #1326 (comment) :

Could we move all loading-related methods into a separate file? Basically, I'd split this file into:

src/state/mod.rs
src/state/loader.rs

I think overall, we need 3 loading modes:

* Load everything from memory (when rocksdb feature is disabled).
* Use persistent data from RockDB (when rocksdb feature is enabled). This would probably require passing filepaths to RocksDB databases on startup (or at least assuming some defaults).
* Rebuild RocksDB data from the database (when rocksdb feature is enabled and we are starting a new node, or the user sets some flag that indicates that RocksDB databases are to be re-built).

I think currently we have 1 and 2, and maybe some parts of 3.

Changes

• Adds a --force-rebuild flag to the CLI to force re-building of the tree stores from sqlite
• Error out if we detect a mismatch of the tree stores and sqlite

[drahnr]

Relevant code to review 👆

[Mirko-von-Leipzig]

I'm not convinced we want this to be an explicit option. We can also trigger this by manually deleting the database which should be sufficient so long as things are sort of working okay..

From a deployment perspective, this is problematic because we will either have it permanently true or false. Doing this once-off would require a manual intervention in any case.

[bobbinth]

Good point! I think manually removing the files is fine. We should probably just document this (as behavior may not be obvious).

[drahnr]

I think the option is preferred, since it doesn't require having knowledge what all of this means. Deleting a specific subset of files seems to be an unnecessary footgun for an operator.

[Mirko-von-Leipzig]

But there is no operator that will be able to use it since you cannot "deploy" with this option? Its only useable in a local context imo.

We similarly don't have an option to rebuild the sqlite database for example. Though technically its possible from raw blocks.

imo the fewer options there are, the better. The rarer the occurrence, the more "manual" it should be. If this becomes a common problem, then sure we can address it differently.

[drahnr]

I agree, that it should be done as a subcommand, the current form 'd require a separate deployment cycle, which makes it less useful.

[drahnr]

Left markers for most relevant code changes

[bobbinth]

Looks good! Thank you! I left some comments inline - many of them are for the future.

[bobbinth]

Not for this PR, but would be great to make the methodology of loading account and nullifier trees consistent. Currently, for nullifier tree we use NullifierTree::with_storage_from_entries() and for account tree we use AccountTree::new().

Some of these changes may need to happen in miden-base. Let's create issues for these (unless we have the already).

[drahnr]

My thinking is that with_storage_from_entries won't work anyways for larger nullifier sets, and hence this will go away in the next PR #1536

[Mirko-von-Leipzig]

But there is no operator that will be able to use it since you cannot "deploy" with this option? Its only useable in a local context imo.

We similarly don't have an option to rebuild the sqlite database for example. Though technically its possible from raw blocks.

imo the fewer options there are, the better. The rarer the occurrence, the more "manual" it should be. If this becomes a common problem, then sure we can address it differently.

[Mirko-von-Leipzig]

Currently we return an error if we have a root mismatch during apply_block.

miden-node/crates/store/src/state.rs

Lines 423 to 425 in a2de154

	if nullifier_tree_update.as_mutation_set().root() != header.nullifier_root() {
	return Err(InvalidBlockError::NewBlockInvalidNullifierRoot.into());
	}

Should we have a similar plan if the corruption happens "live"? Its a bit of a weird situation since we can't know if its an SMT bug, or a block building bug.

[drahnr]

I think we'd just bubble the error up and find the corrupted tree store on startup, and do it that way.

[Mirko-von-Leipzig]

Right but this doesn't actually bubble up to anywhere. This is part of the gRPC server on the store side, so it gets sent back to the block-producer which shrugs, rolls the block back and tries again.

[drahnr]

I'll create a follow-up issue, maybe it's time for fatality to disambiguate which ones are relevant for the query response and which ones are an actual issue for the service running.

[drahnr]

How did this compile previously??

[bobbinth]

nit (but let's address in a follow-up): we don't need to use fully-qualified paths here.