Basic multiwallet support

[luke-jr]

This allows running with multiple -wallet options to load more than one wallet.

GUI has independent comboboxen for the main GUI window and debug console to select which wallet to view/use. The comboboxes are not visible in the main GUI unless multiple wallets are loaded (the debug window's combobox is useful even for a single wallet, since it allows selecting "(none)" to block wallet access).

RPC can access only one wallet per user, but rpcauth is extended to accept a 4th field which controls which wallet, if any, the user has access to. I chose to do it this way because pre-multiwallet nodes will gracefully ignore such rpcauth rather than expose their wallet. The field can also be a single hyphen to block wallet access.

(RPC and GUI changes are moved to my multiwallet_rpc and multiwallet_gui branches)

[jonasschnelli]

Impressive changeset!
General Concept ACK.

Instead of the extending the RPC auth, I could imaging using different RPC endpoints would also work.

• Accessing RPC at / would result in the default wallet.
• Accessing RPC at /<walletid> would result in using the wallet with the id <walletid>.

bitcoin-cli could just support a new argument -walletid.
Something like bitcoin-cli -walletid=something getbalance would result in the same RPC call just against the endpoint /something.
Maybe this would result in a simple RPC access to the multiple wallets.

Will review soon.

[luke-jr]

Instead of the extending the RPC auth, I could imaging using different RPC endpoints would also work.

Indeed, although my main purpose in doing this was to isolate JoinMarket, and it's less isolated if it has auth to my real hotwallet. :)

(Also, endpoints seemed like they'd require more code.)

Accessing RPC at /<walletid> would result in using the wallet with the id <walletid>.

This isn't very future-proof. If we go this route, I'd suggest /?wallet=<walletid>

[btcdrak]

Nice, Concept ACK. Will test.

[MarcoFalke]

I like the approach by @jonasschnelli better. Let's keep most of the multiwallet logic in wallet.cpp.

[luke-jr]

It's not in wallet.cpp now. Moving it there seems like a good idea, but independent of this PR...

[luke-jr]

Rebased, but please prioritise #8775 review (which this is based on) first. Once that's merged, it may or may not make sense to split the Qt changes out of this.

[gmaxwell]

Concept ACK.

Syntax for the auth field should have a clear way to extend it to support a list of wallets (first being the default, I guess). I think. To support things like the path selected wallets suggested above later.

[luke-jr]

Moved RPC/GUI changes out of this, and rebased.

[luke-jr]

Rebased and now the next-step in multiwallet integration.

[jonasschnelli]

Re-Concept ACK.
Binaries to play with: https://bitcoin.jonasschnelli.ch/build/PR/8694

[ryanofsky]

Curious, why have a CWallet_ptr typedef instead of using CWallet *? Is there a plan to switch to a different type of pointer later? Curious, because this seems to make the rest of the code more opaque. For example:

for (CWallet_ptr pwallet : vpwallets)

Because this says CWallet_ptr instead of CWallet* it's unclear whether the copy initialization has extra cost (which it would for a shared_ptr), implying a const reference should be used instead.

[luke-jr]

Indeed, a shared_ptr or similar would be needed for when/if we add the ability to close wallets at runtime.

[ryanofsky]

This thread is created from the non-static method CWallet::postInitProcess, so it seems like it makes more sense for it to continue flushing a single wallet, rather than going through the global wallets list. Instead of looping and accessing the global vpwallet variable, ThreadFlushWalletDB could just take a new CWallet* pwallet argument and be invoked with:

threadGroup.create_thread([this](){ThreadFlushWalletDB(this);});

from CWallet::postInitProcess.

[luke-jr]

Having a dedicated thread per wallet is just needlessly inefficient.

[ryanofsky]

How come the nLastFlushed assignment is moving ouside of the _mi != bitdb.mapFileUseCount.end() condition? It seems unrelated to this change. Maybe a code comment explaining the assignment would be good here.

[luke-jr]

Because the condition is per-wallet. Maybe nLastFlushed ought to be as well...?

[luke-jr]

Sanitised this better in the rebase

[ryanofsky]

(needs another rebase)

[laanwj]

Added 0.15.0 milestone.

[luke-jr]

Significantly rebased. Also fixed minor race conditions surrounding wallet flush (it was bumping the "have update to flush" counter before doing the actual update).

[laanwj]

It would be preferable to increment the update counter after committing a database transaction, not after every call to a CWalletDB method.
So this would mean the destructor of CWalletDB and TxnCommit() . Which should be overridden in CWalletDB, or alternatively use composition not inheritance for CDB as I've done in the last commit in #9951.
This will simplify these changes (no need to do WriteIC/EraseIC everywhere), as well as makes sure that only changes that actually hit the database/disk are counted.

[laanwj]

I think it is confusing for a "Set" function to add something to a list. If anything it should replace it.
What do you need this for, specifically?
In the past I've defined SoftSetMultiArg to be able to define a whole list argument at once.

[luke-jr]

It can't get here unless the list is currently empty. It's used to initialise -wallet, which is accessed as a list only now.

[TheBlueMatt]

I believe this is also not correct - other threads may be using mapMultiArgs or the vector in it at the same time

[TheBlueMatt]

Maybe get @jtimon to do it in #9494 and then just use it here?

[laanwj]

It can't get here unless the list is currently empty.

Good point

[luke-jr]

@TheBlueMatt I don't see what your concern is... We have the lock here already.

[TheBlueMatt]

We do not take the lock when accessing mapMultiArgs all over the codebase. You cannot write a new entry to this map without updating the various locations in the codebase which access mapMultiArgs to also go through cs_args.

[laanwj]

Why define pwalletMain here?

[luke-jr]

There's no need to modify the tests to use vpwallets in most cases?

[ryanofsky]

In commit "Wallet: Replace pwalletMain with a vector of wallet pointers":

Maybe add a TODO comment for updating the tests to stop referencing pwalletMain, since this will be confusing to someone seeing this who isn't familiar with the pre-multiwallet history of the code.

[laanwj]

Depends on the reason why they are setting pwalletMain. Generally that is to communicate with stuff in wallet.cpp/walletdb.cpp I'd say.

[laanwj]

I think the overall approach here is good. This is another step towards multi-wallet support. As it's not anywhere on the API yet, I guess it's too early to ask for a multiwallet test?

[luke-jr]

It would be preferable to increment the update counter after committing a database transaction, not after every call to a CWalletDB method.

IMO too much for this PR. Just trying to multiwallet here, not refactor stuff that doesn't need it. :)

[laanwj]

IMO too much for this PR. Just trying to multiwallet here, not refactor stuff that doesn't need it. :)

Maybe my recommendation goes to far but I just think your current approach there is messy. The mutator functions call WriteIC/EraseIC which call IncrementUpdateCounter which calls IncrementUpdateCounter(strFile) which indexes into a global map indexed by name. This makes the wallet code even more complex and hard to understand as it introduces another place where per-wallet(-database) information is stored.

We need to decide whether CWalletDBStateInfo belongs with the database wrapper, or with the wallet.

• If it is part of the database statistics side of things, the place to put it would be CDBEnv, with the other maps mapFileUseCount and mapDb. After #9951 I'm going to refactor these to put them on a CDBWrapper object which represents a single database.
• If it is specific to wallets, the structure could be put on CWallet, and a reference passed in where it is needed (e.g. to CWalletDB) instead of looking it up all the time. This makes the CWallet more self-contained.

[ryanofsky]

utACK 3f096ca

[ryanofsky]

In commit "Wallet: Replace pwalletMain with a vector of wallet pointers":

Maybe add a TODO comment for updating the tests to stop referencing pwalletMain, since this will be confusing to someone seeing this who isn't familiar with the pre-multiwallet history of the code.

[ryanofsky]

In commit "Bugfix: wallet: Increment "update counter" only after actually making the applicable db changes to avoid potential races":

It seems good not to increment the counter when a write or erase fails. But I don't understand what the "potential races" are that could happen if the counter is incremented regardless. If you could clarify / expand the commit message on this point, I think that would be helpful.

[luke-jr]

1. (thread 1) Increment the counter.
2. (thread 2) DB gets flushed
3. (thread 1) Actual change happens.
4. (thread 2) Thinks DB hasn't changed, so doesn't flush again.

[ryanofsky]

In commit "Bugfix: wallet: Increment "update counter" only after actually making the applicable db changes to avoid potential races":

I'm probably missing something, but if the first write above succeeds and second write fails, the counter won't be incremented. Is this wrong? Would a possible fix be to drop this line and replace all the Write/Erases above with WriteIC/EraseIC?

[luke-jr]

Hmm, not sure what we want to happen in that case...

[laanwj]

This is one of the reasons why I suggested above to only update the update counter if a DB transaction actually hits the database. That's more robust than doing it per operation. It's possible for all the operations to succeed then TxnAbort() to be called and still no update happens.

[luke-jr]

I agree, but it's outside the scope of this PR. For now, I'll just increment the counter more aggressively (merely reordering the increment to fix the race issue).

[luke-jr]

@laanwj I agree that stuff should be refactored, but I don't think multiwallet needs to depend on it here.

(Why is CWalletDB not just a private parent class of CWallet anyway?)

[laanwj]

(Why is CWalletDB not just a private parent class of CWallet anyway?)

• It's named wrongly. Because CWalletDB is not a database, it provides access to it. To be exact, it is a database transaction, similar to the CDBBatch in leveldbwrapper.h. It is commited when the object goes out of scope or TxnCommit() is called. It is not committed if TxnAbort() is called.
• Should at least use composition there not inheritance. A wallet uses a wallet database, it is not a wallet database. This avoids low-level implementation details from leaking through.

I agree that stuff should be refactored, but I don't think multiwallet needs to depend on it here.

As said I understand that. I'm not asking for you to do big changes. I just don't want it to become even worse and more muddled.

I might pick this up myself if I have some time next week.

[TheBlueMatt]

Barely got started, will finish review later.

[TheBlueMatt]

Don't you still need to delete each wallet here?

[TheBlueMatt]

I believe this is also not correct - other threads may be using mapMultiArgs or the vector in it at the same time

[TheBlueMatt]

Why typedef this? Its literally /more/ characters now.

[laanwj]

Typedef-ing a pointer type doesn't seem that useful to me either. I suppose the rationale is "what if we want to change it to e.g. std::shared_ptr later". But a) I think the code is more readable if the kind of pointer is clear from the function/struct/class signatures using it b) You might want to have different kinds of pointers to the same kind of objects in different places.

[NicolasDorier]

not sure it make sense either, but if it is done, better naming it to CWalletRef to be consistent with CTransactionRef

[NicolasDorier]

I throwing an RPC error like RPC_METHOD_NOT_FOUND is better than returning NULL.

[luke-jr]

It is not always an error for there to be no wallet (eg, signrawtransaction).

[NicolasDorier]

vpwallets.clear() ?

EDIT: Meh, not really needed, just thought it would be more coherent.

[NicolasDorier]

not blocking, but I think a CWallets instead of vpwallets it would make the code way easier to read and less error prone.
Would also make locking easier to get right, and preventing some loop.

It would impact:

std::map<std::string, CWalletDBStateInfo> WalletDBStateInfos
std::vector<CWallet_ptr> vpwallets;
IncrementUpdateCounter()

That said, this can be done in a separate PR.

[laanwj]

s/NULL/nullptr?

[laanwj]

walletFile.find_first_of("/\\") is not portable. Likely, boost::filesystem::path has a way to check a path for path separators.

[luke-jr]

        boost::filesystem::path walletFileBoost = walletFile;
        if (walletFileBoost.has_root_path() || walletFileBoost.has_parent_path()) {

This would work, but off-topic here since this is existing code.

[luke-jr]

In-scope nits addressed and rebased.

[jtimon]

why clear here? afaik this is only used for unittests now.

[luke-jr]

So that there's only one value in _mapMultiArgs...

[luke-jr]

Rebased

[ryanofsky]

utACK 68bc5b9. This is much simpler than before and the bugfixes and cleanup are nice even independent of the multiwallet changes.

[ryanofsky]

In commit "Wallet: Replace pwalletMain with a vector of wallet pointers"

Should initialize these values.

[ryanofsky]

Should initialize these values.

Note: comment no longer applies. This is now done in two CWalletDBWrapper constructors.

[ryanofsky]

In commit "Wallet: Replace pwalletMain with a vector of wallet pointers"

It would be nice if conversion of these values from static variables to per-wallet members happened in the previous commit ("CWalletDB: Store the update counter per wallet") instead of this one. Would make both commits easier to follow and avoid the unusual intermediate state where globals and per-wallet members are compared to each other.

[ryanofsky]

In commit "CWalletDB: Store the update counter per wallet":

Should initialize this value.

[luke-jr]

It's an atomic, should have a default constructor?

[ryanofsky]

It's an atomic, should have a default constructor?

Yes but it seems to not initialize the value, see
https://stackoverflow.com/questions/36320008/whats-the-default-value-for-a-stdatomic or http://en.cppreference.com/w/cpp/atomic/atomic/atomic. IMO, adding = 0 to this line would make the code clearer anyway.

[ryanofsky]

In commit "CWalletDB: Store the update counter per wallet"

Maybe call this dbw for consistency with existing wallet code.

[ryanofsky]

In commit "Bugfix: wallet: Increment "update counter" only after actually making the applicable db changes to avoid potential races"

Would be helpful to have a comment mentioning that counter should be updated after the write operation, rather than before to prevent a race where the flush thread could run and store the higher counter value before the database is fully updated.

Could also mention the idea of moving the counter increment to the destructor / commit function so these write and erase wrappers would be unnecessary.

[ryanofsky]

In commit "CWalletDB: Store the update counter per wallet"

Might be nice to call this member dbw instead of wrapper for consistency with the wallet member.

[jonasschnelli]

This redundantly opens/checks the datadir via BDB. Not sure if this is a problem...

[jonasschnelli]

Without a lock we set the assumption that vpwallets is immutable.

[jonasschnelli]

nit: using Verifying wallet(s)...?

[jonasschnelli]

This renames an arbitrary wallet name to "wallet.%d.bak", collisions may happen.

2017-05-24 07:56:04 Renamed test1.dat to wallet.1495612559.bak

[jonasschnelli]

Maybe we should use <filename>.<date>.bak (will result in something like test1.dat.1495612559.bak (which is preferable IMO).

[jnewbery]

I agree with @jonasschnelli . This seems dangerous if Recover() or VerifyDatabaseFile() is called for multiple wallets. Should be straightforward to update Recover() to name the backup file uniquely (the warning string in VerifyDatabaseFile() will also need to be updated)

[jonasschnelli]

Tested a bit and seems to work as intended.
The only point I found during testing that needs fixing is the SalvageWallet renaming to "wallet.%d.bak".
Step-debugged the flushing and SyncTransaction.

Conceptual:

This PR mostly goes into a direction that one has to choose the wallets-to-work-with before starting up Core. I miss the pre-work for run-time adding and removing of wallets. Sure, this may be added later.
Furthermore, the "globalness" of the startup arguments and action like -usehd or -zapwallettxes, --keypool, etc. are somehow conceptual issues that need to be solved before deploying multiwallet.

• Ideally creating, loading and unloading of wallets happens during runtime over an RPC call (or though the GUI).
• In the long run, actions like zapwallettx, salvagewallet, rescan, upgradewallet, etc should also be moved to runtime.
• Per wallet settings like -usehd, -keypool, etc. should be values that can be set during creation (or loading of a wallet).

[jonasschnelli]

Gitian builds are failing (all three platforms): https://bitcoin.jonasschnelli.ch/build/147

[gmaxwell]

zapwallettx, salvagewallet

These should probably become less visible or go away or move to a separate utility.

rescan

We can do this from the rpc now.

Not sure about upgradewallet.

[jnewbery]

A couple of small nits inline, and a couple of general comments:

• I think this could do with both unit and integration tests
• Please update the comment for CWallet::Verify() in wallet.h now that it's responsible for parsing the wallet arguments and populating the ArgsManager

[jnewbery]

You've changed MaybeCompactWalletDB() to access CDB::nUpdateCounter directly, so this function isn't used.

[jnewbery]

I agree with @jonasschnelli . This seems dangerous if Recover() or VerifyDatabaseFile() is called for multiple wallets. Should be straightforward to update Recover() to name the backup file uniquely (the warning string in VerifyDatabaseFile() will also need to be updated)

[jnewbery]

Please update to use braces. You can also combine this line with the one below.

Several other if statements below which you can update to use braces.

[luke-jr]

Rebased and issues addressed

[laanwj]

Travis falure:

Running 255 test cases...
unknown location(0): fatal error: in "wallet_tests/importwallet_rescan": unknown type
wallet/test/wallet_tests.cpp(446): last checkpoint: "importwallet_rescan" entry.
*** 1 failure is detected in the test module "Bitcoin Test Suite"

[ryanofsky]

Travis falure:

The importwallet_rescan test has another pwalletMain usage that needs to be changed to vpwallets.

[ryanofsky]

utACK 33f0b60 with the test fix. First 6 commits were basically unchanged since my previous review (just a member rename and atomic init fixes). 7 new commits have been added and seem fine.

[ryanofsky]

In commit "Wallet: Support loading multiple wallets if -wallet used more than once"

Removing GetUpdateCounter in this commit isn't related to the rest of the changes here. This change was probably meant for the "CWalletDB: Store the update counter per wallet" commit.

[ryanofsky]

Should initialize these values.

Note: comment no longer applies. This is now done in two CWalletDBWrapper constructors.

[ryanofsky]

In commit "Replace pwalletMain with a vector of wallet"

This can probably be removed after the importwallet_rescan test is updated.

[ryanofsky]

This can probably be removed after the importwallet_rescan test is updated.

Never mind, it's used by the receiverequests test.

[ryanofsky]

In commit "Wallet: Move multiwallet sanity checks to CWallet::Verify"

Consider squashing this commit into previous commit "Wallet: Support loading multiple wallets if -wallet used more than once", because the two commits are making parallel sets changes, and having them separate makes the interaction confusing to think about.

[ryanofsky]

In commit "Bugfix: wallet: Fix warningStr, errorStr argument order"

Note: the bug seems to have been introduced in #8574.

[jnewbery]

I've had a quick scan and the new commits look generally good, although #10457 seems like a simpler solution to the wallet backup name issue. I don't think it's really worth passing the backup file name around through multiple function calls just so it can be printed in a single warning message.

I'll fully review once the the test has been fixed.

[achow101]

Here you say that -salvagewallet is only for one wallet file, but in CWallet::Verify(), the loop through all wallets checks for -salvagewallet and recovers all wallets if -salvagewallet is set. Which behavior is correct: salvage all wallets, or salvage only if there is one wallet?

For the latter, the -salvagewallet check in CWallet::Verify() can be moved out of the loop.

[luke-jr]

Both are correct. If we get to ::Verify, we should salvage all wallets. But for now, we forbid this combination. Moving it out of the loop is error-prone, and creates unnecessary complexity.

[ryanofsky]

utACK c237bd7. Changes since previous review were fixing rescan test, updating a salvagewallet comment, and removing GetUpdateCounter in an earlier commit.

[ryanofsky]

This can probably be removed after the importwallet_rescan test is updated.

Never mind, it's used by the receiverequests test.

[laanwj]

utACK c237bd7
Seems ready to merge.

[laanwj]

I've had a quick scan and the new commits look generally good, although #10457 seems like a simpler solution to the wallet backup name issue. I don't think it's really worth passing the backup file name around through multiple function calls just so it can be printed in a single warning message.

I agree. We should probably revert that part and do #10457 afterward.