Remove MemPoolAccept::m_limits to avoid mutating it in package evaluation

[instagibbs]

Without remoing it, if we ever call PreChecks() multiple times for any reason during any one MempoolAccept, subsequent invocations may have incorrect limits, allowing longer/larger chains than should be allowed.

Currently this is only an issue with submitpackage, so this is not exposed on mainnet.

[DrahtBot]

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	achow101, glozow, ariard

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #28471 (Fix virtual size limit enforcement in transaction package context by instagibbs)
• #26711 (validate package transactions with their in-package ancestor sets by glozow)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

[ajtowns]

This prevents PackageMempoolChecks and SubmitPackage from seeing the bumped limits. Maybe have const m_base_limits and m_current_limits and have PreChecks() reset m_current_limits=m_base_limits before bumping it?

[glozow]

I think there aren't any situations in which we'd have RBFing and PackageMempoolChecks/SubmitPackage right now? This has been mentioned in the comment which was added to maybe_rbf_limits. We'll just need to think about this again when we try to add package RBF.

[glozow]

After #26711, are there scenarios where it would make sense to give these carveouts to transactions in SubmitPackage? At that point we only use those functions for transactions that need to be bumped. They won't be allowed to do package RBF (so no RBF carveout), and CPFP carveout will never work (it'd be given to the parent which exceeds limits, but parent+child will bust 26). Also see 9b576f0.

Also, I just realized we could maybe delete MemPoolAccept::m_limits now that we can just query pool.m_limits. Unless we need to remember the limit amendments for SubmitPackage, I think these amendments should probably just have a local scope.

[dergoegge]

Could you add a test?

[instagibbs]

@glozow good idea, I think removing it entirely makes a lot of sense if your assumptions are correct, and they sound correct to me.

@dergoegge Ok, I don't think this is easy(possible?) to hit in master as it shows easier when PreChecks are being called more often, and allowed to fail the first time, such as #26711 it's possible

Example on #26711 master

ancestor limit: 2
descendant limit: 1

A (already in mempool, to be RBF'd by A')
A' -> B (A is RBF'd  and where B > 4kWu)

if you run PreChecks once over A', then B, it's now 2 and 2(thanks to RBF of A), making A'+B  allowed even though it shouldn't be

[instagibbs]

Pushed a test that fails on master

[ariard]

After #26711, are there scenarios where it would make > sense to give these carveouts to transactions in SubmitPackage? At that point we only use > those functions for transactions that need to be bumped.

I can’t see a scenario, at least for LN-chain of transactions, where these carveouts would make sense (maybe if you have 24 commitment txn bumped by one CPFP, though this is not safe for other reasons).

[ariard]

should say” spend B”.

[instagibbs]

tried pushing an update, it doesn't seem to be showing yet... tried to fix this up anyways!

[ariard]

Shows up at ee589d4

[achow101]

ACK ee589d4

[glozow]

ACK ee589d4, nits can be ignored

[glozow]

I think there aren't any situations in which we'd have RBFing and PackageMempoolChecks/SubmitPackage right now? This has been mentioned in the comment which was added to maybe_rbf_limits. We'll just need to think about this again when we try to add package RBF.

[glozow]

nit ee589d4: just use get_utxo

Suggested change

	rbf_utxo = self.wallet.send_self_transfer(
	from_node=node,
	confirmed_only=True
	)["new_utxo"]
	self.generate(node, 1)
	rbf_utxo = self.wallet.get_utxo(confirmed_only=True)

[glozow]

nit ee589d4: this arg doesn't do anything as you've already specified which utxo to spend. Doesn't hurt but you can omit it.

[ariard]

Code Review ACK ee589d4

[ariard]

nit: the two types of carve-out (RBF and CPFP) are disabled, could be commented here.