Add consensus_decode_from_finite_reader optimization

[dpc]

As things are right now, memory exhaustion protection in Decodable
is based on checking input-decoded lengths against arbitrary limits,
and ad-hoc wrapping collection deserialization in Take.

The problem with that are two-fold:

• Potential consensus bugs due to incorrect limits.
• Performance degradation when decoding nested structured,
  due to recursive Take<Take<..>> readers.

This change introduces a systematic approach to the problem.

A concept of a "size-limited-reader" is introduced to rely on
the input data to finish at enforced limit and fail deserialization.

Memory exhaustion protection is now achived by capping allocations
to reasonable values, yet allowing the underlying collections
to grow to accomodate rare yet legitmately oversized data (with tiny
performance cost), and reliance on input data size limit.

A set of simple rules allow avoiding recursive Take wrappers.

Fix #997

[dpc]

True?

[dpc]

Not true, because network message is using it to decode payload.

[dpc]

MAX_VEC_SIZE it is then.

[dpc]

OK. I have to benchmark this on a laptop, with a lot of noise, so I've ran the bench multiple times and picked some best results for both master and this PR:

old:
test blockdata::block::benches::bench_block_deserialize                 ... bench:   1,381,111 ns/iter (+/- 18,765)
test blockdata::transaction::benches::bench_transaction_deserialize     ... bench:         133 ns/iter (+/- 5)

test blockdata::block::benches::bench_block_deserialize                 ... bench:   1,431,350 ns/iter (+/- 187,241)
test blockdata::transaction::benches::bench_transaction_deserialize     ... bench:         177 ns/iter (+/- 4)

test blockdata::block::benches::bench_block_deserialize                 ... bench:   1,364,857 ns/iter (+/- 22,960)
test blockdata::transaction::benches::bench_transaction_deserialize     ... bench:         127 ns/iter (+/- 6)


new:
test blockdata::block::benches::bench_block_deserialize                 ... bench:   1,112,535 ns/iter (+/- 45,702)
test blockdata::transaction::benches::bench_transaction_deserialize     ... bench:         145 ns/iter (+/- 3)

test blockdata::block::benches::bench_block_deserialize                 ... bench:   1,093,602 ns/iter (+/- 21,832)
test blockdata::transaction::benches::bench_transaction_deserialize     ... bench:          97 ns/iter (+/- 2)

test blockdata::block::benches::bench_block_deserialize                 ... bench:   1,133,440 ns/iter (+/- 36,818)
test blockdata::transaction::benches::bench_transaction_deserialize     ... bench:         146 ns/iter (+/- 2)

[apoelstra]

In ae28a501e0e41a78afb6b01dcf1fba8a689262dd:

Curious why this isn't just a default impl on the trait? This code looks like it's repeated for every individual type.

[apoelstra]

Ah, you already have a default impl going the other way.

FWIW I think it would be ok to have both methods default-impl'd to call each other, with doccomments instructing trait implementors to implement one. I believe that std does this somewhere, though I don't remember where..

[dpc]

I think I like it. I'll give it a try.

[dpc]

Pushed

[apoelstra]

In 3a87775a22f2957f8b71ca8a68dfaadd5615a3f0:

I'm a liiitle tempted to change the above line to Cursor::new(&data[..MAX_VEC_SIZE]) but maybe that's a little too weird/surprising.

[dpc]

I was thinking about it. It would give a little bit of protection if someone somehow passed a huge vector in here. But then - if the caller allows malicious input to create huge vectors, they kind of already lost anyway. And the ability of decoding/encoding huge data might be useful for someone that can trust it. Eg. Vec<Block> stored in the file system or something. And arbitrary limits might get in the way.

[apoelstra]

ACK 888a1ec5c4e830f905288b6a824cb23fc1375989

[tcharding]

I did a bunch of docs fixes (mainly grammar), if you'd like to use them I pushed a patch to branch dpc-issue-997-2 on my fork.

I had one question, just out of interest, is there a reason you use such short line length in the comments?

While cleaning up I've been favouring line length 100 for comments (I try to not touch them if they are at least 80 though if changing them does not make them noticeably nicer.)

[dpc]

I had one question, just out of interest, is there a reason you use such short line length in the comments?

I typically let rustfmt deal with it, so I wasn't thinking much about. I'm so used to typing out garbage that rustfmt just fixes for me, that I have a hard enough time with the code, and wasn't even thinking about comments. :D

I did a bunch of docs fixes (mainly grammar), if you'd like to use them I pushed a patch to branch dpc-issue-997-2 on my fork.

Notes. Will do. Thanks a lot!

[tcharding]

I typically let rustfmt deal with it, so I wasn't thinking much about. I'm so used to typing out garbage that rustfmt just fixes for me, that I have a hard enough time with the code, and wasn't even thinking about comments. :D

ah, no sweat. We should have that fixed up soon hopefully :)

[tcharding]

All my comments are nits only.

ACK 888a1ec5c4e830f905288b6a824cb23fc1375989

[tcharding]

This comment is stale, there is no len argument now. This PR was a little confusing to review because the last patch modifies code in the first patch.

[tcharding]

A question please since we have been discussing debug asserts a bit but I'm still not totally understanding when to use what. This debug statement is defensive programming against insane input with chunck size 0 causing an infinite loop, right? What made you choose to use debug assert instead of either
A. a regular asset
B. returning an error

[dpc]

I wasn't really sure myself what to do. chunk_size should always be a constant, and this whole function is kind of internal, so I thought checking in debug_ is good enough to spot some silly mistake. I'm still not sure about it. I wish I could make chunk_size a const of some kind.

[dpc]

I just turned it into assert_ne. Compiler can probably optimize it anyway.

[tcharding]

Why references here? This works too

            assert_eq!(
                read_bytes_from_finite_reader(
                    io::Cursor::new(&data),
                    ReadBytesFromFiniteReaderOpts { len: data.len(), chunk_size }
                ).unwrap(),
                data
            );

[dpc]

Natural possessiveness, I guess. 🤷

[tcharding]

LGTM, can you squash this all down into a single commit please?

[apoelstra]

ACK 082e185

[apoelstra]

No comment on choice of assert ;)

[tcharding]

ACK 082e185

[sanket1729]

post merge ACK. Thanks for doing this cleanly

[dpc]

Bad news. Somehow, somewhere I've lost e6a3ec41bb9b3f072453665338059879d982eada . No idea when and why.

Oh, it doesn't even show up.

commit e6a3ec41bb9b3f072453665338059879d982eada (issue-997)
Reflog: HEAD@{87} (Dawid Ciężarkiewicz <dpc@dpc.pw>)
Reflog message: commit (amend): Forward default `consensus_decode` to `consensus_decode_from_finite_reader`
Author: Dawid Ciężarkiewicz <dpc@dpc.pw>
Date:   Mon May 30 18:14:09 2022 -0700

    Forward default `consensus_decode` to `consensus_decode_from_finite_reader`

I'll introduce it in another PR. You might want to take a second look if I didn't mess up something else, just in case. I'm really sorry - no idea RN how it happened.

*Edit: I push it again, should show up as 80d8cc2f6bc4e4ccbdc57ec5fff9d283c1e5e263 . I intended for it to be in there, would make this PR even smaller.

[dpc]

@RCasatta since I know you're using these traits in blocks_iterator and care about performance there you might want to be aware of this and #1035 .