Fix virtual size limit enforcement in transaction package context

[instagibbs]

(Alternative) Minimal subset of #28345 to:

1. Replace MAX_PACKAGE_SIZE with MAX_PACKAGE_WEIGHT which accounts for additional WU necessary to not exclude default chain limit transactions that would have been accepted individually. Avoids sigops vbyte confusion.
2. pass correct vsize to chain limit evaluations in package context
3. stop overly-large packages that have no existing mempool ancestors (also a bugfix by itself if someone sets non-standard chain limits)

This should fix the known issues while not blocking additional refactoring later.

[DrahtBot]

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	ariard, glozow, achow101
Concept ACK	darosior

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

No conflicts as of last run.

[glozow]

Concept ACK, thanks for taking this over!

[dergoegge]

Can you add tests for the bug fixes?

[instagibbs]

Can you add tests for the bug fixes?

Added.

[glozow]

LGTM except worried about rounding and error strings. Also a few nits on the test.

[glozow]

ACK 3a4adfb with a doc nit

[glozow]

Could we get a review from maybe @luke-jr or @ariard?

[glozow]

Ah hold on, avoiding rounding is good but it does mean that this limit is effectively a few Wu smaller than the default ancestor size limit. (#22097 (comment) and #22097 (comment)) so this statement is untrue.

I think having this limit denominated in Wu is good and it should be distinct from the ancestor package limits anyway. But I agree with those comments that maybe it's best to not make this limit more restrictive than normal ancestor limits.

We can bake in the rounding so this limit is 404000Wu + MAX_PACKAGE_COUNT * (WITNESS_SCALE_FACTOR -1) = 404075Wu.

Also I think the primary Rationale (if you could edit this bullet point please) should be "We want package size to be as small as possible to mitigate DoS via package validation. However, we want to make sure that the limit does not restrict ancestor packages that would be allowed if submitted individually."

[instagibbs]

Fixed up as suggested, and fixed some inverted static asserts.

I thought about calling it 405KWU and calling it a day, but I think that would make code history more difficult, so instead stayed precisely as calculated.

[glozow]

Oops, those comments are incorrect. The rounding does mean that this weight limit across multiple transactions is different from the ancestor size limits, but it makes the package limits less restrictive, not more restrictive. That's totally fine. No change needed, we can just keep 404,000Wu.

[ariard]

Concept ACK on replacing MAX_PACKAGE_SIZE to MAX_PACKAGE_WEIGHT and other changes sounds good to me, will code review more soon.

[instagibbs]

rebased on latest master with all suggestions included (will discuss @ariard note)

[glozow]

ACK 5c48501

[ariard]

Code Review ACK 5c48501

Test coverage sounds it can be better.

[ariard]

Playing with the boundary values 403’999 or 404’001 doesn’t break package_sanitization_tests as one could expect.

[instagibbs]

should break if you make it significantly larger, I think, since it's making txns that aren't 1 WU. leaving as is for now

[ariard]

Following diff doesn’t sound to break functional test mempool_sigoplimit.py.

diff --git a/src/txmempool.cpp b/src/txmempool.cpp
index 324292c055..21571b9e8a 100644
--- a/src/txmempool.cpp
+++ b/src/txmempool.cpp
@@ -205,7 +205,7 @@ bool CTxMemPool::CheckPackageLimits(const Package& package,
     // Package itself is busting mempool limits; should be rejected even if no staged_ancestors exist
     if (pack_size > static_cast<uint64_t>(m_limits.ancestor_count)) {
         errString = strprintf("package count %u exceeds ancestor count limit [limit: %u]", pack_size, m_limits.ancestor_count);
-        return false;
+        return true;
     } else if (pack_size > static_cast<uint64_t>(m_limits.descendant_count)) {
         errString = strprintf("package count %u exceeds descendant count limit [limit: %u]", pack_size, m_limits.descendant_count);
         return false;

[instagibbs]

going to reserve for follow-up test writing

[ariard]

Same here

diff --git a/src/txmempool.cpp b/src/txmempool.cpp
index 324292c055..a9d8355aa3 100644
--- a/src/txmempool.cpp
+++ b/src/txmempool.cpp
@@ -208,7 +208,7 @@ bool CTxMemPool::CheckPackageLimits(const Package& package,
         return false;
     } else if (pack_size > static_cast<uint64_t>(m_limits.descendant_count)) {
         errString = strprintf("package count %u exceeds descendant count limit [limit: %u]", pack_size, m_limits.descendant_count);
-        return false;
+        return true;
     } else if (total_vsize > m_limits.ancestor_size_vbytes) {
         errString = strprintf("package size %u exceeds ancestor size limit [limit: %u]", total_vsize, m_limits.ancestor_size_vbytes);
         return false;

[instagibbs]

going to reserve for follow-up test writing

[ariard]

Same here

diff --git a/src/txmempool.cpp b/src/txmempool.cpp
index 324292c055..20456e250c 100644
--- a/src/txmempool.cpp
+++ b/src/txmempool.cpp
@@ -214,7 +214,7 @@ bool CTxMemPool::CheckPackageLimits(const Package& package,
         return false;
     } else if (total_vsize > m_limits.descendant_size_vbytes) {
         errString = strprintf("package size %u exceeds descendant size limit [limit: %u]", total_vsize, m_limits.descendant_size_vbytes);
-        return false;
+        return true;
     }

(Mutating the third check on ancestor size vbytes break the functional test)

[instagibbs]

going to reserve for follow-up test writing

[instagibbs]

seems to be a spurious failure

[hebasto]

seems to be a spurious failure

Yeap. The failed job has been restarted.

The failure itself is fixed in #28509.

[ariard]

Re-Code ACK eb8f58f

[glozow]

reACK eb8f58f

[glozow]

nit eb8f58f

Suggested change

	self.log.info("Test a overly-large sigops-vbyte hits package limits")
	self.log.info("Test a package whose sigop-adjusted vsize hits ancestor size limits")

[glozow]

nit eb8f58f: unused

Suggested change

	tx_child_utxo, tx_child = create_bare_multisig_tx(tx_parent_utxo)
	_, tx_child = create_bare_multisig_tx(tx_parent_utxo)

[achow101]

ACK eb8f58f

[darosior]

post-merge light ACK eb8f58f. Still need to catchup with the past 2 years of package relay but this makes sense to me.

[luke-jr]

Replace MAX_PACKAGE_SIZE with MAX_PACKAGE_WEIGHT which accounts for additional WU necessary to not exclude default chain limit transactions that would have been accepted individually. Avoids sigops vbyte confusion.

This just seems to make the bug harder to fix? How does it account for sigops?

[darosior]

This PR changed the first context-less size check use weight units to make it clear it doesn't check sigops at this stage. As you know (since it's your commit), virtual size adjusted for sigops is later accounted for in PackageMempoolChecks:

bitcoin/src/validation.cpp

Lines 1302 to 1305 in b66f6dc

	std::string err_string;
	if (txns.size() > 1 && !PackageMempoolChecks(txns, m_total_vsize, package_state)) {
	return PackageMempoolAcceptResult(package_state, std::move(results));
	}

What bug are you talking about which is made harder to fix?