Make stalling timeout adaptive during IBD (p2p)

Sep 21, 2022

https://github.com/bitcoin/bitcoin/pull/25880

Host: glozow  -  PR author: mzumsande

The PR branch HEAD was 48e5385 at the time of this review club meeting.

Notes

• During Initial Block Download (IBD), after downloading the full headers chain, nodes have a BLOCK_DOWNLOAD_WINDOW=1024-block window within their best chain during which blocks are downloaded in parallel.

  • Blocks still need to be validated sequentially, since their validity depends on all outputs they spend being confirmed in previous blocks. When a node receives a block, the node attempts to connect it to the current tip, validate it, and calls ActivateBestChain().

  • The node may have up to MAX_BLOCKS_IN_TRANSIT_PER_PEER=16 in-flight requests to each peer. The node will never send more than one request for the same block out at a time.

  • It only uses outbound peers unless that’s not possible.

• Peers are not trusted to just always serve correct data in a timely manner. The node tries to detect if block download is stalling based on the following criteria:

  • The node is unable to connect a new chain of blocks past the current tip, e.g. if the tip is at height i and blocks [i+2: i+1024] have arrived, but block i+1 hasn’t.

  • The node cannot make any more requests; all of the 1024 blocks have already been received or are currently being requested.

  • Hint: Try not to confuse the block download stalling logic with headers sync timeout logic.

• Once the node detects that it is being stalled, it starts a stalling_since timer and gives each peer by which it is “bottlenecked” two more seconds to fulfil the block request(s) before disconnecting them. Then, it connects to a new peer and continues requesting the blocks it needs.

• However, the node will still consider itself to be stalled because the criteria are still met; the new peer will be the “bottleneck”. On master, this peer is also given only 2 seconds to fulfil to the block request before disconnection. This is a problem since, if our internet connection is very slow, we might end up needlessly churning through peers thinking they are “stalling” us.

Questions

1. Without looking at the PR, what solutions would you consider? Feel free to be creative.

2. Did you review the PR? Concept ACK, approach ACK, tested ACK, or NACK?

3. Under what circumstances does a node consider block download to be stalling?

4. What problem is this PR trying to address? How might you be able to observe this issue, and how common could it be?

5. If a node has such a slow internet connection that it cannot download blocks in less than 2 seconds, will it be continuously stalled and churning through peers? Why or why not?

6. What approach does this PR take? Is it an appropriate solution?

7. Why use a std::atomic<std::chrono::seconds> for m_block_stalling_timeout?

Meeting Log

1

17:00

<stickies-v> #startmeeting

2

17:00

<larryruane_> hi!

3

17:00

<alecc> hi

4

17:00

<amovfx> hello

5

17:01

<stickies-v> welcome everyone! Unfortunately, glozow isn't able to host the meeting today so dergoegge and I will be guiding you through the wonderful world of block download stalling

6

17:01

<stickies-v> two hosts for the price of one!

7

17:01

<amovfx> osom

8

17:01

<dergoegge> Hi!

9

17:01

<adam2k> 🎉

10

17:02

<lightlike> hi

11

17:02

<stickies-v> the PR we're looking at is #25880, authored by lightlike (mzumsande), who luckily is here as well! The notes and questions are available on https://bitcoincore.reviews/25880

12

17:02

<stickies-v> anyone joining us for the first time today? even if you're just lurking, feel free to say hi!

13

17:03

<brunoerg> hi

14

17:03

<michaelfolkson> hi

15

17:03

<kouloumos> hi

16

17:05

<stickies-v> who got the chance to review the PR or read the notes? (y/n) And for those that were able to review it, would you give it a Concept ACK, approach ACK, tested ACK, or NACK?

17

17:05

<sipa> hi

18

17:05

<amovfx> y

19

17:05

<amovfx> concept ack, tested ack

20

17:05

<alecc> y

21

17:06

<larryruane_> review 0.5, at least concept ACK

22

17:06

<alecc> concept ack, didn't get a chance to test

23

17:06

<yashraj> y

24

17:06

<dergoegge> Concept ACK, did a rough first pass on the code

25

17:06

<brunoerg> concept ack

26

17:06

<stickies-v> amovfx: awesome that you tested it too - could you share a bit about how you did that?

27

17:07

<adam2k> concept ACK

28

17:07

<BlueMoon> Hello!!

29

17:07

<amovfx> I just got the branch and ran the functional test

30

17:07

<amovfx> maybe that doesn't count?

31

17:07

<amovfx> would a proper test be me creating my own test?

32

17:08

<stickies-v> alright that's a great start! usually for tested ack we mean that we've done testing that goes beyond the functional tests though, because the CI runs the functional tests anyway - so them failing would get picked up pretty quickly

33

17:09

<amovfx> ah okay, good to know

34

17:09

<stickies-v> what "testing" means depends on the PR, your understanding of it, and how creative you can get in trying to poke holes in it. so there's no one definition. In general, it's also good to describe on your review how you tested something, so people can replicate and/or test other angles

35

17:09

<amovfx> great tip, ty

36

17:09

<lightlike> what I did to test this at some time is to locally reduce MAX_BLOCKS_IN_TRANSIT_PER_PEER=2 and BLOCK_DOWNLOAD_WINDOW=16 (or similar(), and run with -onlynet=tor - that way, I would get into stalling situations very soon.

37

17:09

<amovfx> I'm going to have to get a lot better before I can do that

38

17:09

<larryruane_> I'm running the PR now, and one fun thing to do is, during IBD, `bitcoin-cli getpeerinfo` and you can see how the outstanding block requests are more or less interleaved among the peers (no 2 peers downloading the same block)

39

17:10

<amovfx> what network did you do that on lightlike? reg or test?

40

17:10

<larryruane_> to get a simplified view: `bitcoin-cli getpeerinfo | jq '.[]|.inflight`

41

17:11

<dergoegge> Alright lets get started with the first question: Without looking at the PR, what solutions would you consider? (Feel free to be creative)

42

17:11

<lightlike> amovfx: I did it on mainnet (to have blocks that are large and take more than 2s to download )

43

17:11

<amovfx> ty

44

17:11

<amovfx> I think thompson sampling would be good for something like this

45

17:11

<amovfx> prolly way overkill though

46

17:11

<amovfx> https://en.wikipedia.org/wiki/Thompson_sampling

47

17:12

<amovfx> Helps with Multi arm bandit problems

48

17:13

<dergoegge> amovfx: haven't heard about that before, is there a simple explanation of how that would apply to our problem here?

49

17:13

<stickies-v> oh dear, I didn't know we had armed bandits on the bitcoin network, leave alone multi-armed

50

17:13

<larryruane_> there's a great podcast on this topic, featuring one of our esteemed attendees here today! https://podcast.chaincode.com/2020/01/27/pieter-wuille-1.html

51

17:14

<larryruane_> (podcast isn't about Thompson sampling, it's about IBD initial block download)

52

17:14

<alecc> some clarification on the PR, why does it keep stalling on newly connected peers after only one stalls? i.e. is it intentional to assume new peers are stalling? i was thinking a possible alternative to adjusting the stall window would be to change this assumption? maybe i'm misinterpreting some part

53

17:14

<amovfx> I think it would help with selecting nodes that have good behavior, it randomly samples and starts building a confidence metric on the nodes that are returning what you want, in this case blocks

54

17:15

<amovfx> so a node that stalls out, would have a drop in confidence, one that doesn't gains increased confidence

55

17:15

<amovfx> the higher the confidence, the more you sample from that node

56

17:16

<larryruane_> alecc: I think you've hit upon an alternate design idea, maybe when we hit this stall situation, temporarily increase the 1024 window ... then somehow reduce it gradually

57

17:16

<larryruane_> amovfx: really interesting, thanks

58

17:17

<stickies-v> dergoegge: perhaps one alternative solution would be to instead of disconnecting the peer, allowing one (or more) extra peers to download the same block that's being stalled? that would increase bandwidth usage though, so probably less preferable than what this PR proposes

59

17:17

<stickies-v> larryruane_: alecc interesting idea. you'd still have to eventually force something if the peer keeps not sending the block until infinity though, I think?

60

17:18

<dergoegge> stickies-v: yea that might work in some cases , but if you are on a slow connection it would probably make things worse

61

17:18

<amovfx> yea, this PR helps when the operator happens to have a bad connection, correct?

62

17:18

<lightlike> I think if we have a peer that is significantly slower than the rest of the peers, such that it stalls the download, we probably want to disconnect it and exchange it for a better peer. It's not like we want to keep our current peers at all costs.

63

17:19

<dergoegge> a really simple alternative to the PR is to just increase the stalling timeout instead of making it adaptive

64

17:19

<stickies-v> (the question didn't state to come up with GOOD solutions :-D )

65

17:19

<larryruane_> well, I guess I was thinking, when we hit the stall condition, still boot that peer (as we do today), but when we then connect the replacement peer, have the window be larger ... (not sure how to shrink it again)

66

17:19

<amovfx> Yea, it seems like this PR would find the fastest peers faster

67

17:20

<amovfx> this would converge on a stall time correct?

68

17:20

<stickies-v> alright I'll launch the next question already, but as always - feel free to continue talking about previous/side points. we're async whoo

69

17:20

<stickies-v> under what circumstances does a node consider block download to be stalling?

70

17:20

<larryruane_> I think that's answered in the notes? (maybe there's more to it)

71

17:21

<stickies-v> in your own words, maybe? quick summary? always helpful to distill info!

72

17:21

<amovfx> if it hist the timeout?

73

17:21

<amovfx> hits*

74

17:21

<stickies-v> what's it? what's the timeout?

75

17:21

<yashraj> block window does not move?

76

17:21

<larryruane_> stickies-v: yes, of course, sorry! :) ... one peer is holding us back from making progress

77

17:22

<amovfx> +1 yashraj

78

17:22

<larryruane_> so if it wasn't for the ONE peer, we'd be able to jump ahead 1024 blocks

79

17:22

<alecc> for the actual code, when it's processing a getdata message in `net_processing.cpp`, in `FindNextBlocksToDownload` it sets the stalling bit, and then sets `m_stalling_since` to current time based on that

80

17:23

<alecc> and then checks `m_stalling_since` with the current time - timeout to determine whether to disconnect

81

17:23

<stickies-v> larryruane_: yes, except that there could be more than one stalling peer

82

17:24

<larryruane_> I did have a question about the text in the notes tho, which is "The node is unable to connect a new chain of blocks past the current tip, e.g. if the tip is at height i and blocks [i+2: i+1024] have arrived, but block i+1 hasn’t." .... my question is, couldn't there be other missing block in [i+2: i+1024] BUT, all those blocks are assigned to the same peer (as block i+1 is assigned to)? ... small difference

83

17:24

<stickies-v> or rather, more than one peer that hasn't yet delivered all blocks in time

84

17:25

<yashraj> rookie question - what does tip mean exactly? highest validated block?

85

17:25

<stickies-v> yashraj: yeah exactly the window doesn't move. To add to that: we've *requested* all blocks in the window, but we've not fully received all blocks in the window yet

86

17:25

<amovfx> yashraj: yea

87

17:26

<larryruane_> stickies-v: "more than one peer" ... okay I definitely know less than I thought! (not usual!)

88

17:26

<lightlike> larryruane_: yes, that is possible (and probably the most usual case) that a couple of blocks from the 1024 window were assigned to staller.

89

17:26

<stickies-v> larryruane_: yeah I think there could be more missing blocks after that, but would they all need to be assigned to the same peer?

90

17:27

<larryruane_> stickies-v: well I thought if they weren't all assigned to the same peer, then we wouldn't be considering ourselves stalled?

91

17:27

<sipa> lightlike: Agree, there is no reason to keep our peers at all costs, though this is dependent on the fact that this is only relevant during IBD, when we mostly care about bandwidth and less about other properties (like partition resistance, latency, ...). After IBD, we're much more careful about when to disconnect.

92

17:28

<amovfx> thats neat, like IBD is a state of the node

93

17:28

<stickies-v> larryruane_: interesting, I thought we did. lightlike, what do you think?

94

17:29

<yashraj> stickies-v: if i+1 arrived but some of the rest have not, we still consider it stalled?

95

17:29

<sipa> And because I see people talking about increasing the 1024 window: I don't think that helps. For most of IBD, 1024 blocks is way too much; that value was set at a time when blocks were tiny. It still makes sense early in the chain, but arguably we should be shrinking it.

96

17:29

<larryruane_> amovfx: yes, and just as a side note, a node *always* starts in IBD state, but if it's synced with the block chain (or nearly so) then it's only in IBD momentarily

97

17:29

<amovfx> ty

98

17:29

<lightlike> larryruane_, stickies-v: we consider ourselves stalled if we have a peer with an open slot to which we want to assign a block, but can't becasue all of the blocks in thr 1024 windows are already either present or assigned to someone else. So yes, I think it's possible to have multiple stallers.

99

17:30

<stickies-v> ty for clearing it up!

100

17:30

<larryruane_> lightlike: excellent explanation, thanks

101

17:30

<dergoegge> Next question: What problem is this PR trying to address? How might you be able to observe this issue, and how common could it be?

102

17:31

<larryruane_> very basically, we disconnect peers who are not necessarily that bad! so lots of churn, we stall more then we should

103

17:31

<alecc> yashraj: i think it's the opposite - if all but i+1 arrived (i+2 -> i+1024) and we haven't seen i+1 for a certain amount of time we consider ourselves stalled, i guess i'm not super sure exactly what happens if i+1 arrives and then the others are taking a while

104

17:31

<amovfx> I think previously we could fill up with really slow peers

105

17:31

<amovfx> and we are slowed for a long time

106

17:31

<amovfx> oh nm

107

17:32

<sipa> lightlike: The staller is the peer we have requested the first block in the window from, so there can only be one at a time.

108

17:32

<sipa> (because that's the one that prevents the window from moving forward)

109

17:32

<larryruane_> you can observe this issue by looking at `debug.log` for "disconnecting" messages during IBD

110

17:32

<alecc> dergoegge: i saw in the pr notes it mentioned using tor was one way to observe, as one example of a situation with slower network speeds

111

17:32

<amovfx> larryruane_: so previously to this PR, there would be far more disconnecting peers

112

17:33

<dergoegge> alecc: yes! if you run a node on a slow network you will likely run into the issue the PR is trying to address

113

17:33

<larryruane_> amovfx: yes that's my understanding

114

17:34

<lightlike> sipa: yes, that is true, I meant that it could be a possible situation that multiple peers are actually stalling us (withholding blocks from us), that will get marked as stallers one after another - but only one at the same time.

115

17:34

<dergoegge> larryruane_: i think the bigger issue is having a slow connection yourself and then churning through peers, not necessarily individual slow peers

116

17:36

<larryruane_> dergoegge: yes because that 2 seconds for the new (replacement) peer to respond might always be exceeded if our own network is slow!

117

17:36

<amovfx> so this would be an attack vector too, a bad actor could eclipse a new node and just stalls sending blocks

118

17:36

<lightlike> I ran into this when I attempted IBD earlier this year on a slow connection with debug=net enabled - the log consisted of minutes of peers being connected and disconnected for stalling.

119

17:37

<larryruane_> is there an easy way to artificially give your node a slow connection?

120

17:37

<larryruane_> (for testing)

121

17:37

<dergoegge> amovfx: would you say that the PR makes that attack vector worse?

122

17:38

<amovfx> I dont have the understanding to say weather it does or if it could be exploited. I think it would make it more secure as we have an adaptive time out, so the attacker could use the max time out consistently

123

17:38

<amovfx> my intuition tells me this is an improvement

124

17:39

<alecc> dergoegge: it seems the PR is generally leaning towards assuming some nodes are not stalling, so I'd imagine if you were eclipsed, by extending the allowed stall window it would take longer to maybe escape the eclipse im thinking

125

17:39

<stickies-v> larryruane_: perhaps one options is to give all the peers of your node (assuming you control them in your test setup) a low `-maxuploadtarget`?

126

17:39

<dergoegge> amovfx: you can do much worse than stalling IBD if you are able to eclipse someone, so i think this not really a concern

127

17:39

<amovfx> cool, good to know

128

17:39

<alecc> that makes sense

129

17:40

<stickies-v> next question: before this PR, if a node has such a slow internet connection that it cannot download blocks in less than 2 seconds, will it be continuously stalled and churning through peers? Why or why not?

130

17:40

<lightlike> alecc: I would say this PR leans towards assuming not __all of our peers__ are stalling. The first staller will be disconnected as fast as before, just subsequent peers will be given more time if that happened.

131

17:41

<lightlike> so yes, you are right.

132

17:41

<amovfx> stickies: I believe so, because all peers hit the max time out window of 2s

133

17:41

<larryruane_> stickies-v: I would say no, because if our connection to ALL peers is more or less uniformly slow, then we wouldn't get into this situation where we're waiting for only ONE peer

134

17:42

<alecc> lightlike: makes sense, good to clarify that

135

17:43

<stickies-v> larryruane_: the uniformly slow is a pretty specific assumption though

136

17:43

<stickies-v> in a window of 1024 blocks and 16 blocks per peer, I'd say at the end of the window there's likely quite a bit of variation?

137

17:43

<larryruane_> stickies-v: sorry, I meant if *our* network is slow, then all of our peers would look slow to us

138

17:44

<lightlike> but not equally slow. some peers might be even slower than we are in this situation.

139

17:44

<amovfx> larryruane_: thats what I thought this PR would fix, if the controller is on potato interent, they get more time to connect

140

17:44

<larryruane_> to be clear, I was trying to say why, even without this PR, we *wouldn't* continuously stall and churn, that we *would* make progress (but i'm not entirely sure)

141

17:45

<stickies-v> yeah, but still I think there would be enough variation to generally end up with at least one peer being marked as stalling

142

17:45

<yashraj> if we increased timeout to 4s, downloaded the block, so reduced to 2s again wouldn't we likely get stalled again?

143

17:45

<stickies-v> so in every case but the one where we have virtually identical download timings across our peers, would you say we'd keep stalling and churning peers?

144

17:46

<yashraj> sorry if I side-tracked a bit there

145

17:47

<lightlike> yashraj: That's a gread question! I think it's possible, but we would have made some progress along the way, connected some blocks and moved the window forward a bit.

146

17:47

<dergoegge> yashraj: the current state of the PR decreases the timeout by a factor of 0.85 not 0.5 (the PR description should be updated)

147

17:48

<lightlike> if we have a slow connection, that doesn't mean we are more likely to get into stalling situations - for that to happen, we need some peers that are much slower compared to others.

148

17:48

<alecc> yashraj: to elaborate on what lightlike said, the stall timeout also decreases at a slower rate than it increases so it would try to go against the situation where you just flip back and forth between increasing the window then decreasing

149

17:48

<stickies-v> if we can't download any block in < 2 seconds, then as soon as we end up with one stalling peer, we would disconnect that peer. afterwards, we would give every new peer 2 seconds to catch up, but that would never happen, so we would be stuck forever I think?

150

17:48

<yashraj> dergoegge: oh yeah sorry forgot about that comment

151

17:49

<lightlike> but if we have a slow connection, we would have a hard time getting out of a stalling situation.

152

17:49

<larryruane_> lightlike: yes I agree, remember that the 2s (or with the PR, can be greater) timeout comes into play ONLY if we've entered this "stalled" condition ... with similarly slow peers, (or like if our own network connection is slow), we may never enter that state

153

17:49

<larryruane_> lightlike: ah interesting observation

154

17:49

<yashraj> great point alecc: and dergoegge: thanks

155

17:49

<stickies-v> bonus question: are there any (edge) cases where we wouldn't detect we have a stalling node?

156

17:50

<alecc> someone might've answered this already, but when considering whether we're stalling, does it consider the download times of all other peers (compares if one is relatively slower)?

157

17:50

<larryruane_> alecc: i don't think so

158

17:50

<stickies-v> no

159

17:50

<amovfx> I cant see one

160

17:51

<dergoegge> alecc: that could have been an alternative to the approach of the PR

161

17:51

<lightlike> alecc: this data isn't currently tracked. It would be a (more complicated) alternative approach to gather this data, and have some algorithm based on that.

162

17:51

<larryruane_> stickies-v: on the bonus question, you mean with the PR?

163

17:52

<yashraj> can a peer serve other blocks within 2s but not the i+1?

164

17:52

<stickies-v> larryruane_: the edge case I had in mind applies to both with and without this PR, but either would be interesting to hear!

165

17:52

<alecc> dergoegge: lightlike: makes sense

166

17:53

<dergoegge> yashraj: yes but the stalling timeout is only reset if a requested block is received

167

17:54

<larryruane_> stickies-v: that's a toughie .. i can't think of it

168

17:55

<stickies-v> I think if all of our nodes are just not sending us any blocks at all (probably malicious, or some serious technical issues), then we would just not make any progress at all, and no single node would be marked as stalling

169

17:55

<stickies-v> it's a very unlikely scenario though, just... theoretical edge case

170

17:55

<amovfx> if you are eclipsed, that could happen

171

17:55

<larryruane_> good one!

172

17:56

<alecc> stickies-v: would churning through not eventually find an honest node? or in the case that you're eclipsed, there's not much you could even do right

173

17:56

<alecc> or i guess does churning through all you to repeat connections to the same nodes (that would never be marked stalling)?

174

17:57

<dergoegge> stickies-v: we have a separate timeout for this case (Hint: have a look at m_downloading_since), after which we disconnect those peers.

175

17:57

<dergoegge> Last question: What approach does this PR take? Is it an appropriate solution?

176

17:57

<yashraj> can we run out of peers by churning? like for outbound-only?

177

17:58

<stickies-v> alecc: so we wouldn't disconnect them for stalling, but luckily as dergoegge points out there are other mechanisms that disconnect nodes when they're not sending us anything - and hopefully eventually we'd stumble upon a node that's able to send us something! that second mechanism is slower than the stalling disconnect, though

178

17:58

<amovfx> dergoegge: adding an adaptive timer? I think it is an appropriate solution.

179

17:58

<dergoegge> yashraj: your node will make new outbound connections continuously, so running out is not really possible i think

180

17:58

<amovfx> Sure hope we get to that atomic question

181

17:58

<alecc> stickies-v: ahh

182

17:59

<amovfx> my concurrency game is weak, I need that explained

183

17:59

<lightlike> yashraj: unlikely, if we know about enough peers in our addrman. also, I don't think we ban these peers, so nothing prevents us from re-connecting to a previously disconnected peer.

184

17:59

<dergoegge> amovfx: yes, how does it adapt though?

185

17:59

<amovfx> when a peer is dropped, the disconnect time increases

186

17:59

<amovfx> for the next peer

187

17:59

<amovfx> ?

188

18:00

<larryruane_> dergoegge: "Last question" -- we still disconnect the peer that's stalling us, as before, but we increase the 2s timeout for the replacement peer .. and increase again if it happens again, etc. (exponentially)

189

18:00

<yashraj> thanks dergoegge: and lightlike:

190

18:00

<dergoegge> larryruane_ right!

191

18:00

<amovfx> and if a peer gives a block, the window shrinks?

192

18:00

<alecc> amovfx: from what i could find, using std::atomic allows for some atomic operations that allows different threads to edit memory at the same time without unexpected behavior (compare_exchange_strong is used in the pr for this reason). i think this is easier than using another mutex/locking? there's probably more to it

193

18:00

<amovfx> window = timeout window

194

18:01

<dergoegge> amovfx: the timeout shrinks (by a factor of 0.85) if a new block is connected

195

18:01

<amovfx> rgr

196

18:01

<amovfx> alecc: ty

197

18:02

<stickies-v> alecc: you're right that we use std::atomic to protect against UB during threading, but std::atomic doesn't allow multiple threads to edit memory at the same time - it just prevents data races from happening by using atomic operations, i.e. makes sure that one thread waits for the other one to finish before proceeding

198

18:03

<dergoegge> #endmeeting