Remove dead CheckForkWarningConditionsOnNewFork (consensus)

Nov 4, 2020

https://github.com/bitcoin/bitcoin/pull/19905

Host: MarcoFalke  -  PR author: MarcoFalke

The PR branch HEAD was fa7eed5b at the time of this review club meeting.

Notes

• Following an accidental chain split in 2013 (documented in BIP 50), a fork warning system was added in PR 2658.

• The feature was originally tested via the large reorg test (today found in test/functional/feature_block.py). However it is no longer possible to trigger the warning due to changes in the validation logic.

• The validation logic to validate and potentially connect a new block is handled in ProcessNewBlock(), which can be called from ProcessMessage() in src/net_processing.cpp or from the submitblock RPC. ProcessNewBlock() runs basic validation sanity checks and stores the block to disk. If the initial checks pass, it calls ActivateBestChain() to (try to) connect the block to the best chain.

Questions

1. Did you review the PRs? Concept ACK, approach ACK, ACK, or NACK?

2. What are some examples of when a chain split can happen? Which ones should users be warned about?

3. ActivateBestChain() consists of two nested loops. What is the condition for each loop to terminate?

4. The inner loop calls ActivateBestChainStep(), which disconnects blocks (in case of a reorg) and connects a batch of up to 32 blocks toward the new tip. When an invalid block is found, CheckForkWarningConditionsOnNewFork() is called. Which block from the batch is passed to CheckForkWarningConditionsOnNewFork()?

5. ActivateBestChainStep() will also call m_chain.SetTip(), which updates the global reference to the active chain tip (::ChainActive().Tip()). What is the maximum block height difference between pindexNewForkTip and pfork?

6. Is it possible to hit the condition that updates pindexBestForkTip?

7. What are your thoughts on the approach of the pull request? Should the bug in the warning system be fixed or should the code be removed? What alternative places/ways to implement the warning logic can you think of?

Meeting Log

1

17:00

<jnewbery> #startmeeting

2

17:00

<jnewbery> hi folks. Welcome to review club!

3

17:00

<emzy> hi

4

17:00

<stacie> hi

5

17:00

<sift> hi

6

17:00

<murch> hi

7

17:00

<andozw> hi

8

17:00

<jnewbery> feel free to say hi to let everyone know you're here

9

17:00

<fjahr> hi

10

17:00

<lightlike> hi

11

17:00

<glozow> hi

12

17:00

<carlakc> hi

13

17:00

<dongcarl> hi

14

17:00

<michaelfolkson> hi

15

17:00

<jnewbery> anyone here for the first time?

16

17:01

<andozw> :waves: :)

17

17:01

<troygiorshev> hi

18

17:01

<fi3> hi

19

17:01

<jnewbery> welcome andozw! Thanks for joining us :)

20

17:01

<MarcoFalke> hi

21

17:01

<andozw> thank you! excited to learn

22

17:01

<nehan> hi

23

17:01

<jnewbery> Notes and questions are in the normal place: https://bitcoincore.reviews/19905

24

17:02

<MarcoFalke> Reminder don't ask to ask, just ask :)

25

17:02

<jnewbery> MarcoFalke wrote the notes and questions and is hosting today, so I'll pass over to him. Thanks Marco!

26

17:02

<sergei-t> hi

27

17:02

<MarcoFalke> ok, let's get started. Who reviewed the pull?

28

17:02

<jonatack> hi

29

17:02

<jnewbery> y

30

17:02

<stacie> y

31

17:02

<sergei-t> jnewbery: I'm for the first time. Totally unprepared, will probably just lurk.

32

17:02

<nehan> y

33

17:03

<troygiorshev> n (only a little)

34

17:03

<MarcoFalke> sergei-t: Welcome

35

17:03

<dongcarl> y

36

17:03

<fi3> n

37

17:03

<lightlike> 0.5

38

17:03

<jnewbery> sergei-t: that's fine. Lurkers are welcome too!

39

17:03

<carlakc> I went through it, but still getting a handle on cpp so very high level

40

17:03

<carlakc> will likely also lurk :)

41

17:04

<fjahr> wip

42

17:04

<felixweis> hi

43

17:04

<emzy> n

44

17:04

<MarcoFalke> Today we are talking about chain splits. What are some examples of when a chain split can happen? Which ones should users be warned about?

45

17:04

<felixweis> 2013 types of chain splits

46

17:05

<michaelfolkson> Name all 2013 please

47

17:05

<nehan> if the network is partitioned

48

17:05

<emzy> There was the problem with 32 and 64 bit systems. Remember not more about it.

49

17:06

<sipa> emzy: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-July/009697.html

50

17:06

<MarcoFalke> Which ones should the user *not* be warned about?

51

17:06

<stacie> BIP-50 describes a chain split as an unintended result of switching from Berkely DB to Level DB. Level DB was able to handle blocks with more tx inputs

52

17:06

<nehan> or if there's a soft fork

53

17:06

<michaelfolkson> I guess there are bugs causing network chain splits. Natural re-orgs would be considered temporary chain splits?

54

17:06

<lightlike> one harmless example would just two blocks found at almost the same time by chance.

55

17:06

<nehan> a user probably shouldn't be notified if it's very small, or if they're still doing IBD

56

17:06

<fjahr> Competing blocks mined by different miners competing for the longest chain.

57

17:06

<felixweis> few blog reorgs. 1 stale block happens regularly

58

17:07

<pinheadmz> chainsplits are worrisome after a soft fork like strict DER - miners were not fully validating!

59

17:07

<MarcoFalke> Good points so far

60

17:07

<sift> pinheadmz +1

61

17:08

<MarcoFalke> About expected stale blocks, users shouldn't be warned, but if there is a disagreement about consensus rules, they should be warned.

62

17:08

<MarcoFalke> Let's got to the next question.

63

17:08

<MarcoFalke> ActivateBestChain() consists of two nested loops. What is the condition for each loop to terminate?

64

17:08

<sift> consensus-equivalent, block-production equivalent chain split would be worrying

65

17:09

<nehan> i think outer loop: caught up to tip of most-work chain we've seen

66

17:10

<MarcoFalke> btw, this is the function for those lurking: https://github.com/bitcoin/bitcoin/blob/ed9f5477502e5856eba742656e8fc0fcf7bb053b/src/validation.cpp#L2870

67

17:10

<stacie> I noticed CBlockIndexWorkComparator returns true if the block passed in as the second parameter is the “better” block (based on the following criteria, in order: if it has more work, was received earlier (nSequenceId), or has a lower pointer address). My question is, is that how comparators typically work in C++? Return true if the second parameter is “better”?

68

17:10

<MarcoFalke> nehan: right

69

17:11

<lightlike> inner loop: our current tip (after connecting some blocks) has more work than the one we started this loop with

70

17:11

<MarcoFalke> lightlike: correct

71

17:12

<sipa> stacie: comparators' contract is to return true for "less than"

72

17:12

<sipa> e.g. std::set<int> is the same as std::set<int, std::less<int>>

73

17:13

<MarcoFalke> The inner loop calls ActivateBestChainStep(), which disconnects blocks (in case of a reorg) and connects a batch of up to 32 blocks toward the new tip. When an invalid block is found, CheckForkWarningConditionsOnNewFork() is called. Which block from the batch is passed to CheckForkWarningConditionsOnNewFork()?

74

17:13

<sipa> where std::less<int> is an object that exposes an operator()(int a, int b) { return a < b; }

75

17:13

<jnewbery> Compare function: https://en.cppreference.com/w/cpp/named_req/Compare

76

17:14

<stacie> ahh! thanks sipa & jnewbery!

77

17:14

<MarcoFalke> again for lurkers: https://github.com/bitcoin/bitcoin/blob/ed9f5477502e5856eba742656e8fc0fcf7bb053b/src/validation.cpp#L2744

78

17:16

<stacie> the first invalid block from the batch (the one with the lowest height) is the one passed to CheckForkWarningConditionsOnNewFork()

79

17:17

<MarcoFalke> stacie: correct

80

17:17

<MarcoFalke> ActivateBestChainStep() will also call m_chain.SetTip(), which updates the global reference to the active chain tip (::ChainActive().Tip()). What is the maximum block height difference between pindexNewForkTip and pfork?

81

17:18

<MarcoFalke> (This question is a bit more tricky, so I won't accept an answer that is just a single number ;)

82

17:19

<MarcoFalke> for lurkers, we just jumped into a new function: https://github.com/bitcoin/bitcoin/blob/ed9f5477502e5856eba742656e8fc0fcf7bb053b/src/validation.cpp#L1378

83

17:20

<MarcoFalke> reminder that pindexNewForkTip is "the first invalid block from the batch (the one with the lowest height)" (correct answer from stacie)

84

17:21

<michaelfolkson> A tip within 72 blocks but a fork that is at least 7 blocks. What does that mean?

85

17:22

<jnewbery> MarcoFalke: are you asking for the difference in height between pindexNewForkTip and plonger?

86

17:22

<jnewbery> (pfork is set to pindexNewForkTip)

87

17:22

<MarcoFalke> jnewbery: pfork, when it has been assigned it's final value

88

17:23

<MarcoFalke> pfork is initialized to pindexNewForkTip, and then "walked back" to determine the base of the fork

89

17:24

<fjahr> Should be just 1 because if its only the first block in the fork that is passed to the function

90

17:24

<murch> That comment is odd. Was that second sentence inserted into the middle of the big sentence?

91

17:24

<jnewbery> I think pindexNewForkTip is either on the active chain, or it's the child of a block on the active chain

92

17:25

<MarcoFalke> michaelfolkson: The code is more clear on that. It means the fork tip is within 72 blocks of our current tip, but the fork is at least 7 blocks "heavy" (with pow)

93

17:26

<MarcoFalke> fjahr: Correct

94

17:26

<murch> Given that different difficulties can only appear across diff adjustments, and the adjustment is limited to a factor of four, why a factor of 10?

95

17:26

<MarcoFalke> jnewbery: Also correct. If it is on the active chain, the difference is 0. If not, it is 1

96

17:27

<MarcoFalke> murch: Are you asking about the "10%"?

97

17:27

<jnewbery> just to clarify a point above. The block that's passed to CheckForkWarningConditionsOnNewFork() isn't necessarily an invalid block

98

17:27

<sift> MarcoFalke "but the fork is at least 7 blocks "heavy" (with pow)" 7 blocks worth of PoW weight...relative to what?

99

17:28

<MarcoFalke> sift: Measured relative to the pow of the fork base block

100

17:28

<stacie_> For the earlier question about the inner loop in ActivateBestChain(). terminating, I see the line where the conditions are defined, https://github.com/bitcoin/bitcoin/blob/ed9f5477502e5856eba742656e8fc0fcf7bb053b/src/validation.cpp#L2932 but I can't find where starting_tip is updated. I'm guessing it might have something to do with the fact that it's a pointer? (my cpp is rusty :) )

101

17:28

<sift> MarcoFalke e.g. 7 blocks worth of PoW weight at the divergence point?

102

17:28

<jnewbery> imagine we've tried to connect 32 blocks in a loop in ActivateBestChainStep() and the 10th block is invalid. The pindex that we pass to CheckForkWarningConditionsOnNewFork() will be the first block in that batch of 32, which is a valid block

103

17:28

<MarcoFalke> sift: yes, that's how I see it

104

17:29

<sift> ty

105

17:29

<sipa> stacie_: https://github.com/bitcoin/bitcoin/blob/ed9f5477502e5856eba742656e8fc0fcf7bb053b/src/validation.cpp#L2898

106

17:29

* sift thinks about a miner, under producing blocks to drop that 7 block pow weight and then turning on hash rate

107

17:30

<MarcoFalke> jnewbery: thanks for the extended explanation :)

108

17:30

<MarcoFalke> jnewbery: To round up, can you also explain why the diff wouln't be negative in case the passed block is valid?

109

17:31

<stacie_> sipa - thanks. so every time the loop progresses, the m_chain.Tip() call will result in a new value, right?

110

17:31

<murch> 7 blocks worth of weight, but 72 blocks long seems impossible, because diff could only change minusculy between two competing tips

111

17:31

<MarcoFalke> murch: not "72 blocks long", but "withing 72 blocks of our tip"

112

17:31

<sipa> stacie_: starting_tip doesn't change

113

17:31

<murch> But I think I haven't really grokked what the 72 and 7 blocks are

114

17:32

<jnewbery> MarcoFalke: because plonger will walk back until it's the same block as pindexNewForkTip

115

17:32

<sipa> but m_chain.Tip will

116

17:32

<murch> oh, you mean it could include a stale tip forking off 30 blocks ago?

117

17:32

<MarcoFalke> jnewbery: Correct, thx.

118

17:32

<troygiorshev> stacie_: if I'm seeing it right, it's line 2547 that makes the change to m_chain.Tip

119

17:32

<MarcoFalke> murch: Yes, that was the design goal (I think)

120

17:33

<lightlike> stacie_: I think that starting_tip is not updated once defined (it is the reference we compare to), but m_chain.Tip() ist updated inside of ConnectTip(), which is called from ActivateBestChainStep

121

17:33

<troygiorshev> stacie_: i take it back, it's what lightlike said :)

122

17:34

<michaelfolkson> murch: I am unsure why you need a warning about a stale tip forking off 30 blocks ago. Who cares?

123

17:34

<murch> Well, would still indicate a consensus failure

124

17:35

<murch> someone got forked off and recognized an ancestor of your chaintip as invalid

125

17:35

<MarcoFalke> michaelfolkson: For example if 40% of miners are building on a different chain, that is 30 blocks back

126

17:35

<michaelfolkson> Oh ok, that makes sense

127

17:37

<MarcoFalke> Is it possible to hit the condition that updates pindexBestForkTip?

128

17:37

<stacie_> catching up now - thank you sipa, trygiorshev and lightlike! That explains it. I didn't dive into the methods that ActivateBestChainStep calls but it makes sense now!

129

17:37

<stacie_> *troygiorshev

130

17:38

<elle> MarcoFalke: pIndexNewForkTip never gets set because it is only set if pfork is set...which is only set if pIndexNewForkTip is set

131

17:40

<elle> oh sorry , looking at wrong variable

132

17:40

<MarcoFalke> To recap: pfork is set, but the height difference between pindexNewForkTip and pfork is at most 1

133

17:41

<jnewbery> We need to look at this condition: pindexNewForkTip->nChainWork - pfork->nChainWork > (GetBlockProof(*pfork) * 7)

134

17:42

<MarcoFalke> Jup, we are in CheckForkWarningConditionsOnNewFork, which is supposed to update the pindexBest* variables

135

17:43

<glozow> is pfork the base of the fork there? sorry very basic question

136

17:43

<MarcoFalke> glozow: Correct

137

17:43

<MarcoFalke> pfork is the assumed base of the fork relative to our current chain tip

138

17:43

<glozow> so the condition jnewbery is talking about = there's 7 blocks worth of work on the fork?

139

17:44

<glozow> 7 blocks of work on 1 block? 🤔

140

17:44

<MarcoFalke> glozow: Yes. This is one of the conditions that need to be fulfilled to update the pindexBest* variables

141

17:45

<michaelfolkson> 7 blocks of work on 7 blocks

142

17:45

<fjahr> michaelfolkson: but the condition would only be fulfilled if you would have 7 blocks of work in 1 block

143

17:46

<jnewbery> so we've established that pindexNewForkTip and pfork can be at most one block apart, and the condition is that there's at least 7 block's worth of difference in their total work. Is that possible?

144

17:46

<fjahr> that's the thing why it can't be hit or only in theory

145

17:46

<glozow> seems like the answer to Marco's question is ~no

146

17:47

<MarcoFalke> Correct, this can not be hit

147

17:47

<MarcoFalke> Extra question: if the we passed the highest block of the to-be-connected chain instead, what would the height difference between pfork and pindexNewForkTip be?

148

17:48

<jnewbery> the to-be-connected chain is 32 blocks

149

17:48

<fjahr> 32

150

17:48

<jnewbery> *up to 32 blocks, sorry

151

17:48

<MarcoFalke> up to 32 or always 32?

152

17:48

<MarcoFalke> jnewbery: Heh, nice

153

17:49

<MarcoFalke> That the lowest hight block is passed is an oversight/bug, but can the fork detection logic be fixed by passing the highest block?

154

17:49

<murch> jnewbery: no, because two competing blocks can only differ in difficulty in forks across a difficulty adjustment and a factor 7 won't be possible there

155

17:50

<MarcoFalke> murch: Even with a difficulty adjustment this should not be possible

156

17:50

<sift> 10 minutes left

157

17:50

<murch> yes

158

17:50

<MarcoFalke> I think those are limited to a factor of 4

159

17:50

<murch> Well, one could go down, the other up

160

17:51

<murch> but the time difference wouldn't be that big in practice

161

17:51

<MarcoFalke> What are your thoughts on the approach of the pull request? Should the bug in the warning system be fixed or should the code be removed? What alternative places/ways to implement the warning logic can you think of?

162

17:52

<michaelfolkson> I have a couple of unrelated questions. What tools are available to the user to react to the warning? Presumably if they became aware of a UASF like scenario they could join it

163

17:52

<michaelfolkson> And then where is the warning test in test/functional/feature_block.py? I couldn't find it with a quick search

164

17:53

<MarcoFalke> michaelfolkson: Good q. If I was an exchange and I'd see a warning, I'd shut down all nodes for now

165

17:53

<MarcoFalke> michaelfolkson: It is the "re-org" test (last test which creates more than 1000 blocks)

166

17:53

<jnewbery> MarcoFalke: I think that removing dead code and adding working code can be seen as two separate questions. I don't think "You should fix it" is a reasonable response to someone removing broken code.

167

17:54

<MarcoFalke> jnewbery: I tend to agree

168

17:54

<jnewbery> if it's broken and has been for many releases, then removing the dead code so the code reflects reality is a quality improvement in itself

169

17:54

<jnewbery> if someone then wants to implement a working warning system, that should be judged on its own merits

170

17:54

<troygiorshev> Might this be a similar situation to the old "alert notify" system? Where (even if it was fixed) it's simply outdated?

171

17:54

<sift> seems like priority should be soundness first, performance second

172

17:55

<michaelfolkson> In response to your questions MarcoFalke you say in the PR comment "add a fork detection somewhere outside of the ActivateBestChainStep logic (maybe net_processing)."

173

17:55

<murch> Anything that is an obvious improvement has merit, and removing dead code is an obvious improvement

174

17:55

<MarcoFalke> michaelfolkson: Yes, I think that the internal validation logic is the wrong place to put the fork detection algorithm

175

17:56

<michaelfolkson> I don't think anything has changed re whether the warning is needed or not. If it was needed back then it is needed today too

176

17:56

<murch> Upping the bar just leads to abandoned PRs and frustrated would be contributors

177

17:57

<fjahr> It doesn't seem like the ideal way to solve this so removing and (possibly) reimplementing seems better than fixing which would make the PR more complicated. But I don't have great ideas how it should be done.

178

17:57

<michaelfolkson> But yeah if it doesn't work and it is in the wrong place it should be removed

179

17:57

<michaelfolkson> Ideally there would be a follow up PR reimplementing it :)

180

17:57

<MarcoFalke> A warning system is very much needed

181

17:58

<jnewbery> michaelfolkson: you're very welcome to open that PR!

182

17:58

<emzy> Could be first an external one.

183

17:58

<michaelfolkson> Haha

184

17:58

<emzy> To figure out what's the best parameters.

185

17:58

<fjahr> michaelfolkson: just change the 7 to 1 and reuse the rest of the code :P

186

17:59

<sift> The_scream.jpg

187

17:59

<MarcoFalke> Any last minute questions/suggestions?

188

18:00

<MarcoFalke> #endmeeting

189

18:00

<MarcoFalke> Thanks everyone!

190

18:00

<troygiorshev> thanks MarcoFalke!

191

18:00

<sift> thanks MarcoFalke !

192

18:00

<murch> Thanks

193

18:00

<emzy> Thank you MarcoFalke!

194

18:00

<stacie_> Thank you MarcoFalke!

195

18:00

<jnewbery> I tend to think that if it wasn't working, then ripping it out and starting from scratch is safer. It shouldn't be the case, but tweaking code that wasn't working would probably receive less scrutiny in review than implementing something new

196

18:00

<felixweis> Thanks MarcoFalke!

197

18:00

<sergei-t> thanks!

198

18:00

<lightlike> thanks!

199

18:00

<carlakc> thanks for the lurker links marco!

200

18:00

<fjahr> thanks MarcoFalke

201

18:00

<jnewbery> Thanks MarcoFalke!

202

18:01

<dongcarl> thanks MarcoFalke!

203

18:01

<michaelfolkson> Thanks MarcoFalke, very interesting

204

18:01

<MarcoFalke> jnewbery: If the fix was trivial, I might have fixed it. But I don't even see a way to fix this without rewriting the validation core

205

18:01

<MarcoFalke> logic

206

18:02

<michaelfolkson> I guess in terms of review the most important thing is to check that the code being ripped out isn't used elsewhere. Just for the warning

207

18:02

<jnewbery> Well done everyone. Today was a difficult PR to review. We went really deep into the consensus code. If you managed to follow along for the whole meeting you can give yourself a pat on the back :)

208

18:02

<jnewbery> we'll do something a bit easier next week

209

18:04

<fjahr> BTW, that the code discussed is not hit by any of the tests can also be seen in the coverage analysis: https://marcofalke.github.io/btc_cov/total.coverage/src/validation.cpp.gcov.html obviously also provided by MarcoFalke

210

18:04

<MarcoFalke> fjahr: lol, I initially spent a day trying to write a test for it

211

18:05

<MarcoFalke> writing tests for uncovered code is a good way to find dead and buggy code

212

18:05

<michaelfolkson> What are you using to identify code that can be safely be ripped out? Just eyes and something like ctags?

213

18:05

<fjahr> :)

214

18:05

<MarcoFalke> michaelfolkson: writing tests. I haven't used ctags yet

215

18:06

<MarcoFalke> I only use vanilla git and vim (and firefox for GitHub)

216

18:06

<michaelfolkson> OK cool, thanks