wallet: Add missing cs_wallet/cs_KeyStore locks to wallet

[practicalswift]

Add missing wallet locks:

• Calling the function GetConflicts(...) requires holding the mutex cs_wallet
• Calling the function IsSpent(...) requires holding the mutex cs_wallet
• Accessing the variables mapKeys and mapCryptedKeys requires holding the mutex cs_KeyStore
• Accessing the variable nTimeFirstKey requires holding the mutex cs_wallet
• Accessing the variable mapWallet requires holding the mutex cs_wallet
• Accessing the variable nTimeFirstKey requires holding the mutex cs_wallet

[promag]

Either:

• lock once before the loop;
• loop first with the lock to mapWallet.find(hash) for all vWtx and then loop again without the lock to walletdb.WriteTx();
• lock only the mapWallet.find(hash).

[practicalswift]

@promag Thanks for reviewing! Feedback addressed. Looks good? :-)

[promag]

This should be before the line above. Anyway, there is no need to lock this wallet since it's a fresh instance, unknown to the remaining system. Unless you are adding the lock because of other asserts and if so please commit them to justify this change?

[practicalswift]

Now moved before the line above. Without that lock we'll trigger Clang thread safety analysis warnings when #11634 is merged due to:

src/wallet/wallet.h:    std::map<uint256, CWalletTx> mapWallet GUARDED_BY(cs_wallet);

As agreed upon in #11226 (comment) all guard/lock annotations are added in #11634 and all extra locking is submitted as separate PR:s (such as this one).

The annotations are compile-time only whereas the locks change run-time behaviour (and thus needs extra scrunity!).

[promag]

As agreed upon in #11226 (comment) all guard/lock annotations are added in #11634 and all extra locking is submitted as separate PR:s (such as this one)

I think you swapped the PR numbers?

[practicalswift]

Yes, you're right - the annotations are added in #11226 :-)

[promag]

utACK 007fcbf.

[practicalswift]

Added another commit with two more missing locks:

• calling function IsSpent requires holding mutex pwallet->cs_wallet exclusively
• writing variable nWalletVersion, nWalletMaxVersion, nOrderPosNext and nTimeFirstKey require holding mutex cs_wallet

[practicalswift]

@promag Would you mind re-reviewing? :-)

[TheBlueMatt]

Given this is effectively just the wallet's constructor, might as well just take the lock further up and hold it the whole time.

[practicalswift]

@TheBlueMatt Moving it further up will make the scope of the walletInstance->cs_wallet lock cover the ScanForWalletTransactions call. ScanForWalletTransactions locks cs_main giving us the lock order:

• 1. cs_wallet
• 2. cs_main

This is a potential deadlock given that the opposite lock order is used extensively:

$ git grep "LOCK2(cs_main,.*cs_wallet);" | wc -l
89

Please advice :-)

[promag]

A solution to that is to also lock cs_main.. but meh

[TheBlueMatt]

Same here. Just add a cs_wallet lock for the whole function.

[practicalswift]

@TheBlueMatt Thanks for reviewing! Feedback addressed. Please re-review :-)

[practicalswift]

Fixed build issue. Please re-review :-)

[maflcko]

Given that https://github.com/bitcoin/bitcoin/pull/11226/files#diff-12635a58447c65585f51d32b7e04075bR857 is now closed, wouldn't it make sense to add the clang annotations within this commit?

[practicalswift]

@MarcoFalke @TheBlueMatt @promag Thanks for reviewing. I've now addressed the feedback and added corresponding GUARDED_BY/EXCLUSIVE_LOCKS_REQUIRED annotations. Please re-review :-)

[maflcko]

Note that LoadWallet takes LOCK2(cs_main, cs_wallet), so taking cs_wallet before cs_main leads to a deadlock in case another thread takes cs_main and then cs_wallet, no?

[practicalswift]

Thanks. Now fixed. See #11634 (comment).

[practicalswift]

Please re-review :-)

[practicalswift]

Updated!

Added GUARDED_BY(cs_wallet) annotations also for encrypted_batch, nWalletMaxVersion, m_max_keypool_index and nOrderPosNext.

Rationale:

• AddKeyPubKeyWithDB(...) reads encrypted_batch which potentially races with write in the same method
• IncOrderPosNext(...) reads nOrderPosNext which potentially races with write in BlockDisconnected(...)
• LoadKeyPool(...) reads m_max_keypool_index which potentially races with write in BlockDisconnected(...)
• LoadMinVersion(...) reads nWalletMaxVersion which potentially races with write in BlockDisconnected(...)

Please review :-)

[practicalswift]

Added GUARDED_BY(cs_wallet) for setExternalKeyPool, mapKeyMetadata, m_script_metadata and setLockedCoins.

Rationale:

$ git grep -E 'AssertLockHeld.*(setExternalKeyPool|mapKeyMetadata|m_script_metadata|setLockedCoins)' | sort | uniq -c
      4 src/wallet/wallet.cpp:    AssertLockHeld(cs_wallet); // mapKeyMetadata
      1 src/wallet/wallet.cpp:    AssertLockHeld(cs_wallet); // m_script_metadata
      1 src/wallet/wallet.cpp:    AssertLockHeld(cs_wallet); // setExternalKeyPool
      5 src/wallet/wallet.cpp:    AssertLockHeld(cs_wallet); // setLockedCoins

[practicalswift]

@MarcoFalke @promag @TheBlueMatt Would you mind reviewing the updated version? :-)

[maflcko]

utACK 69e7ee2

[promag]

utACK 69e7ee2.

[promag]

No annotation requires this lock right?

[practicalswift]

Both cs_main and walletInstance->cs_wallet are required from what I can tell.

Removing that lock results in the following:

wallet/wallet.cpp:4104:28: error: calling function 'FindForkInGlobalIndex' requires holding mutex 'cs_main' exclusively [-Werror,-Wthread-safety-analysis]
            pindexRescan = FindForkInGlobalIndex(chainActive, locator);
                           ^
wallet/wallet.cpp:4131:48: error: reading variable 'nTimeFirstKey' requires holding mutex 'walletInstance->cs_wallet' [-Werror,-Wthread-safety-analysis]
        while (pindexRescan && walletInstance->nTimeFirstKey && (pindexRescan->GetBlockTime() < (walletInstance->nTimeFirstKey - TIMESTAMP_WINDOW))) {
                                               ^
wallet/wallet.cpp:4131:114: error: reading variable 'nTimeFirstKey' requires holding mutex 'walletInstance->cs_wallet' [-Werror,-Wthread-safety-analysis]
        while (pindexRescan && walletInstance->nTimeFirstKey && (pindexRescan->GetBlockTime() < (walletInstance->nTimeFirstKey - TIMESTAMP_WINDOW))) {
                                                                                                                 ^
wallet/wallet.cpp:4156:77: error: reading variable 'mapWallet' requires holding mutex 'walletInstance->cs_wallet' [-Werror,-Wthread-safety-analysis]
                std::map<uint256, CWalletTx>::iterator mi = walletInstance->mapWallet.find(hash);
                                                                            ^
wallet/wallet.cpp:4157:43: error: reading variable 'mapWallet' requires holding mutex 'walletInstance->cs_wallet' [-Werror,-Wthread-safety-analysis]
                if (mi != walletInstance->mapWallet.end())
                                          ^
wallet/wallet.cpp:4181:90: error: calling function 'GetKeyPoolSize' requires holding mutex 'walletInstance->cs_wallet' exclusively [-Werror,-Wthread-safety-analysis]
        walletInstance->WalletLogPrintf("setKeyPool.size() = %u\n",      walletInstance->GetKeyPoolSize());
                                                                                         ^
wallet/wallet.cpp:4182:90: error: reading variable 'mapWallet' requires holding mutex 'walletInstance->cs_wallet' [-Werror,-Wthread-safety-analysis]
        walletInstance->WalletLogPrintf("mapWallet.size() = %u\n",       walletInstance->mapWallet.size());
                                                                                         ^

[promag]

Right, the new annotations..

It could make sense to avoid calling uiInterface.LoadWallet() with the lock held.

[practicalswift]

@promag Ah, now I follow. Suggested fix below. What do you think?

diff --git a/src/wallet/wallet.cpp b/src/wallet/wallet.cpp
index 29014790e..2deeb9c42 100644
--- a/src/wallet/wallet.cpp
+++ b/src/wallet/wallet.cpp
@@ -4093,7 +4093,7 @@ std::shared_ptr<CWallet> CWallet::CreateWalletFromFile(const std::string& name,
     // Try to top up keypool. No-op if the wallet is locked.
     walletInstance->TopUpKeyPool();

-    LOCK2(cs_main, walletInstance->cs_wallet);
+    LOCK(cs_main);

     CBlockIndex *pindexRescan = chainActive.Genesis();
     if (!gArgs.GetBoolArg("-rescan", false))
@@ -4128,6 +4128,7 @@ std::shared_ptr<CWallet> CWallet::CreateWalletFromFile(const std::string& name,

         // No need to read and scan block if block was created before
         // our wallet birthday (as adjusted for block time variability)
+        LOCK(walletInstance->cs_wallet);
         while (pindexRescan && walletInstance->nTimeFirstKey && (pindexRescan->GetBlockTime() < (walletInstance->nTimeFirstKey - TIMESTAMP_WINDOW))) {
             pindexRescan = chainActive.Next(pindexRescan);
         }
@@ -4178,6 +4179,7 @@ std::shared_ptr<CWallet> CWallet::CreateWalletFromFile(const std::string& name,
     walletInstance->SetBroadcastTransactions(gArgs.GetBoolArg("-walletbroadcast", DEFAULT_WALLETBROADCAST));

     {
+        LOCK(walletInstance->cs_wallet);
         walletInstance->WalletLogPrintf("setKeyPool.size() = %u\n",      walletInstance->GetKeyPoolSize());
         walletInstance->WalletLogPrintf("mapWallet.size() = %u\n",       walletInstance->mapWallet.size());
         walletInstance->WalletLogPrintf("mapAddressBook.size() = %u\n",  walletInstance->mapAddressBook.size());

[promag]

I think that currently there is no harm in calling uiInterface.LoadWallet() with the lock held but if it's not necessary then I wouldn't change that. The diff looks ok.