validation: Add missing mempool locks

[maflcko]

Take the mempool read lock during reorgs, so that we don't accidentally read an inconsistent mempool.

[DrahtBot]

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #16273 (refactor: Remove unused includes by practicalswift)
• #16194 (refactor: share blockmetadata with BlockManager by jamesob)
• #16066 (mempool: Skip estimator if block is older than X by promag)
• #15192 (Add missing cs_main locks in ThreadImport(...)/Shutdown(...)/gettxoutsetinfo(...)/InitScriptExecutionCache(). Add missing locking annotations. by practicalswift)
• #13949 (Introduce MempoolObserver interface to break "policy/fees -> txmempool -> policy/fees" circular dependency by Empact)
• #10443 (Add fee_est tool for debugging fee estimation code by ryanofsky)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

[sdaftuar]

Is the idea that you're trying to prevent RPC users from having an inconsistent state, like if they call getbestblockhash() and then call getrawmempool(), the latter should be consistent with the former?

That may be reasonable, but I think it'd be good to have some documentation (whether a project document or even a gist explaining our thinking) explaining the consistency guarantees for RPC calls with respect to the mempool, validation, and the wallet. I feel like this kind of thing has come up before in a haphazard way and caused issues when we didn't think things through or missed an implication of a change.

(Also, I think it would aid RPC users if they knew what our consistency guarantees were.)

[ryanofsky]

Is the idea that you're trying to prevent RPC users from having an inconsistent state

From the description, I assumed the intent of the PR was to prevent RPCs like getmempoolentry, which acquire mempool.cs but not cs_main, from returning garbage or segfaulting during reorgs because UpdateMempoolForReorg and InvalidateBlock functions were apparently not acquiring mempool.cs while updating the mempool.

But actually it seems like in all the places where the mempool is updated, the code already has both cs_main and mempool.cs locks. So it should be perfectly safe to read the mempool while holding either of the two locks, and trying to acquire both is wasteful.

So maybe this PR is not doing what it intended to do, and instead it would be better just to add comments and fix thread safety annotations somehow. Maybe it would be possible to annotate cs_main and mempool.cs individually as shared locks needed for reading mempool data, and cs_main+mempool.cs both together as an exclusive lock needed for updating mempool data?

[maflcko]

@ryanofsky With inconsistent I don't mean invalid reads, but rather transactions that are invalid (and still in the process of removal) as of our current block tip.

[ryanofsky]

Code utACK fa3e0471a81252e333886b97d8d33bb275061d42. Code change seems perfectly fine, and it could perhaps lead to more consistency in some cases, but like the previous comment #14193 (comment) says, it's unclear which cases are better off after this change or what case motivated this PR. More comments and documentation would be helpful.

[maflcko]

@sdaftuar, @ryanofsky: Added a test with comments to illustrate my motivation a bit more.

[ryanofsky]

Started review:

• dea5dbf2d5ca0177d3a4be665790288bef40e27e validation: Add missing mempool locks (1/2)
• fa27735e0f1fd52f03a17d7e9b94a66f310ddfa1 [test] Add test to check mempool consistency in case of reorgs (2/2)

I didn't look closely at the test yet, since it seems pretty complex. If you could a write a one or two sentence comment before the test describing how it works, that might be helpful.

I also think it would be useful to have a comment on the mempool::cs variable. It's definitely being used in a way I wouldn't have expected. From first appearance, it looks like it's just being used to protect mapTx and allow maybe reads & writes from multiple threads:

bitcoin/src/txmempool.h

Lines 488 to 489 in 5d605b2

	mutable CCriticalSection cs;
	indexed_transaction_set mapTx GUARDED_BY(cs);

But apparently it's supposed to not just provide thread safety, but also guarantee consistency between mempool and chainActive? Would suggest maybe:

    /**
     * Lock to guarantee consistency between mempool and external chain state.
     *
     * Lock must be held whenever mempool is read from or written to and
     * whenever a block is connected. Lock can be released when the mempool
     * contains no transactions that conflict internally or externally. It
     * should be acquired after `cs_main` if both locks need to be held at the
     * same time.
     */
    mutable CCriticalSection cs;

re: #14193 (comment)

I think it'd be good to have some documentation (whether a project document or even a gist explaining our thinking) explaining the consistency guarantees for RPC calls with respect to the mempool, validation, and the wallet

Documentation was added in #14592.

[maflcko]

The test is trivial, but looks scary because of the boilerplate overhead of the cpp unit tests. Pretty much the only thing it is doing is to check that during a reorg a (simulated) rpc thread (e.g. getrawmempool) would either return a consistent mempool as of before the reorg or a consistent mempool as of after the reorg and never something inconsistent in the middle of a reorg.

[maflcko]

Added a commit with further comments and documentation.

[jamesob]

The change in general seems fine to me (mempool state should update atomically after a contiguous batch of chain maintenance and not during) and the test is great, but it might be nice to:

• explain what the motivations are. There's an argument for RPC client consistency, but IIRC this may also be a prereq for Dandelion?
• add comments for new lock acquisitions explaining why we're grabbing a seemingly unrelated lock at a coarse grain (in line with what @ryanofsky is saying).

In practice, ActivateBestChain calls are very short and so I don't think there are any real-world downsides to locking ::mempool.cs for their duration - although I'm curious if this affects mempool access during IBD/reindex.

[maflcko]

add comments for new lock acquisitions explaining why we're grabbing a seemingly unrelated lock at a coarse grain (in line with what @ryanofsky is saying).

I think I already did that. Let me know if any of them are still unclear.

[jamesob]

utACK fae71ff

Just a few clarifying questions.

[jamesob]

We require the pool.cs lock for the duration of this function (instead of just relying on the lock in pool.Expire) because we want to keep the mempool from changing while pcoinsTip modifications happen, correct?

[maflcko]

Yeah, calling LimitMempoolSize only makes sense after you have written to the mempool, in which case you already have acquired the lock and can keep it for LimitMempoolSize.

[ryanofsky]

utACK fa2b083 [EDIT: was e284e422e75189794e24fe482819d8b1407857c3, from bad copy and paste]. Changes since last review: rebase after #15976, adding vTxHashes lock annotation, adding new commit dropping mempool lock for nTransactionsUpdated and making it atomic to avoid deadlock between mempool lock and g_best_block_mutex

[promag]

Concept ACK, some comments.

[promag]

👀

[promag]

fa2b083

Why continue?

[maflcko]

Because the thread should continue and not exit (for now)

[promag]

Why would it exit?

[maflcko]

It would exit when it breaks. I think this is well documented in the test case and I am not sure what you are asking exactly.

If you are asking about cpp syntax, I find cppreference really helpful. E.g. https://en.cppreference.com/w/cpp/language/break

If you are asking about this test case logic, please write a more verbose question.

[ryanofsky]

I don't get this either. If you have a loop, and an unconditional continue is the last statement in the loop, the continue isn't doing anything and could be removed.

bitcoin/src/test/validation_block_tests.cpp

Line 316 in fa2b083

continue;

[maflcko]

Oh, I now I understand that you were asking why I put a redundant continue there.

That was intentional, because I felt it was more clear back when I wrote the test. Happy to remove, but I think we shouldn't spend too much time on style of tests.

[promag]

I didn't mean to discuss style! I honestly though something was wrong because of the pointless continue, like missing code or something else.

[maflcko]

Ah, good point. Sorry for the confusion.

[promag]

fa2b083

I think this is flawless, what guarantees that there's a non-atomic change once mempool.cs is released?

[maflcko]

The code changes in this pull request should guarantee that this doesn't happen here in the test (you can check it by running the test before the code changes and after), as well as for "real" rpc polling threads. Though, I didn't write a functional test for this.

[laanwj]

code review ACK fa2b083

@ryanofsky didn't you ack the wrong commit above ? e284e422e75189794e24fe482819d8b1407857c3 ("Remove getBlockDepth method from Chain::interface") isn't part of this PR

[ryanofsky]

@ryanofsky didn't you ack the wrong commit above

Sorry, bad copy and paste from the command line. Edited #14193 (review) to fix.

[laanwj]

Thanks!