Add ability for node to reject tx from mempool by number of tx inputs

[bitcartel]

Implement short-term solution described in #2343 so that users can respond promptly to critical short-term problems caused by quadratic validation scaling, such as the getblocktemplate latency, block propagation latency, and mempool size inflation issues described in #2333.

[daira]

Some minor changes needed. Also needs a test.

[daira]

I suggest "mempooltxinputlimit"; vin is internal jargon.

[daira]

Also, it's the number of transparent inputs.

[bitcartel]

Done

[daira]

Also change this if vin is dropped from the option name.

[bitcartel]

Done

[daira]

I believe the default should be 40, but let's discuss that on #2343.

[bitcartel]

Default is now 0 which means no limit (code has changed in forced push)

[daira]

int64_t limit = GetArg("-mempooltxvinlimit", std::numeric_limits<int64_t>::max());
if (limit < 0) {
    return InitError(_("Mempool limit on transparent inputs to a transaction must be greater than 0."));
}

[bitcartel]

Have adopted language.

[daira]

static_assert(std::numeric_limits<size_t>::max() >= std::numeric_limits<int64_t>::max(), "size_t too small");
size_t n = tx.vin.size();
size_t limit = (size_t) GetArg("-mempooltxvinlimit", std::numeric_limits<int64_t>::max());

[bitcartel]

Done

[zookozcash]

Red flag: Nathan mistakenly thought that the Incident Response team had required this ticket to be prioritised for 1.0.9. In fact the opposite was true, the Incident Response team (me as Executive Coordinator) had decided that we would take steps to fix the problem in the short term explicitly under the assumption that this would not imply that this ticket would be prioritised for 1.0.9.

[bitcartel]

@daira Changes made. No test yet, is someone available to write that?

[daira]

Non-blocking: s/which/that/

[bitcartel]

Done

[daira]

Other than the double-negative in the error message, ACK on the changes since my last review. Still needs a test.

[daira]

s/cannot not/cannot/

[bitcartel]

Done

[veikkoeeva]

A kind proposal, if there would a comment in the code about the problems and the solution, it would be great. I have been following the discussion in chat and I think I'd agree that "limiting this is good", but necessarily the real reasonin and why some particular limit was chosen (even commenting in vein "this limit is an educated guess to quell most of the problems known at the time") and what would happen to the transactions if the check fails (transactions in limbo?).

[daira]

@veikkoeeva I'll answer that on #2343.

[nathan-at-least]

Concept NACK: #2343 (comment)

[nathan-at-least]

Considering for 1.0.10 release juxtaposed to related tickets.

[str4d]

utACK on the patch, but I agree with daira's string requests and that this needs a test.

[str4d]

I'm also +1 on merging this in 1.0.10. I agree with @daira that we need something that users can leverage now, while we work on the longer-term improvements. I also think that the release notes should be explicit about how this is a short-term fix, and that it will be replaced (not extended) in future (likely with some metric that takes into account the entire mempool, not just individual transactions).

[bitcartel]

Why are all the error messages in the test related to 'bad-txns-version-too-low' ? I only see it fired here:

bool CheckTransactionWithoutProofVerification(const CTransaction& tx, CValidationState &state
)
{
    // Basic checks that don't depend on any context

    // Check transaction version
    if (tx.nVersion < MIN_TX_VERSION) {
        return state.DoS(100, error("CheckTransaction(): version too low"),
                         REJECT_INVALID, "bad-txns-version-too-low");
    }

[str4d]

Correct. I intentionally set tx.nVersion = 0 to trigger this error, as it's the first check that occurs after the -mempooltxinputlimit check, and it means that I didn't have to mock out a heap of global state. Think of that error as "the transaction passes the tx input limit check". The actual check itself doesn't return a reason, which is why I check that the reject reason is not bad-txns-version-too-low; we could possibly make things more explicit by checking instead that it is empty.

[bitcartel]

Could you copy the above explanation into the test? I take it we don't want to return state.DoS which updates global CValidationState state in init.cpp, rather than what we do right now which is simply return false (like some of the other code paths in AcceptToMemoryPool).

[str4d]

NACK

[str4d]

At this point in the function, this is the list of all available inputs, not selected inputs; z_sendmany therefore fails incorrectly. This check needs to be shifted to just below where t_inputs_ is re-used for storing the selected inputs. We also need to re-write this code (likely as part of #1360) to prevent this kind of bug.

[bitcartel]

Fixed

[str4d]

ACK

[bitcartel]

@str4d can you check latest commit; fixed test and reduced time to run.
@daira can you review the tests which were added to the PR since you last commented?

[daira]

I'll review now.

[daira]

The comment about the order of checking tx version and number of inputs needs a response, otherwise utACK.

[daira]

Wait, input limiting occurs before the tx version check? How can we parse the transaction if it has an unknown version? The spec explicitly says you're not supposed to try to parse fields other than nVersion if the version is unrecognised. (This could lead to misreporting a transaction as being invalid for having too many inputs, when in fact that field at that position has changed its meaning entirely and the transaction should instead have been rejected for having an unknown version. Not critical, but it could lead to confusing log messages.)

[str4d]

I did wonder this myself. However:

• The version check is solely that tx.nVersion >= MIN_TX_VERSION, where MIN_TX_VERSION = 1, so any positive integer is already accepted. This is in fact one way in which transaction replay prevention has been proposed upstream: make the version negative.
• Transaction parsing already happens before AcceptToMemoryPool is called, so the spec should still be satisfied:

bool static ProcessMessage(...)
{
    ...
    else if (strCommand == "tx")
    {
        vector<uint256> vWorkQueue;
        vector<uint256> vEraseQueue;
        CTransaction tx;
        vRecv >> tx;

        CInv inv(MSG_TX, tx.GetHash());
        pfrom->AddInventoryKnown(inv);

        LOCK(cs_main);

        bool fMissingInputs = false;
        CValidationState state;

        pfrom->setAskFor.erase(inv.hash);
        mapAlreadyAskedFor.erase(inv);

        if (!AlreadyHave(inv) && AcceptToMemoryPool(mempool, state, tx, true, &fMissingInputs))
        {
            ...
        }
        ...
    }
    ...
}

bool ProcessMessages(...)
{
    ...
        bool fRet = false;
        try
        {
            fRet = ProcessMessage(pfrom, strCommand, vRecv, msg.nTime);
            boost::this_thread::interruption_point();
        }
        catch (const std::ios_base::failure& e)
        {
            ...
        }
    ...
}

[veikkoeeva]

A bystander note here, feel free to ignore, but could this reasoning be added as a comment to the code? I think it would greatly help others too and later when one is perhaps considering refactoring the code.

[bitcartel]

Thanks for the reminder @veikkoeeva - I've updated the first post in the conversation above, so when this is merged, it will also be in the commit message for the merge. I think anybody in the future who wants to refactor the code around mempooltxinputlimit will have the information on hand to do so.

[daira]

I don't see this in the first post.

[bitcartel]

@daira You don't see the text beginning "Implement short-term... " ? Also the PR number should be part of the zkbot commit message, so a developer can find their way to this conversation.

[daira]

Actually I'll file another ticket about the parsing-of-unknown-tx-versions issue. That is not going to affect consensus so it can be addressed separately and does not need to block this PR.

[str4d]

Needs one more adjustment, which I will make now.

[str4d]

The first call was changed from sendtoaddress to sendfrom; this one should be too.

[str4d]

ACK; the first variant was left over from an earlier version where node 1 already had a balance, so I was trying to get everything into one t-addr, but couldn't make multiple TXOs in the same z_sendmany.

[str4d]

ACK

[str4d]

@zkbot r+

[zkbot]

📌 Commit 6ea58d1 has been approved by str4d

[zkbot]

⌛ Testing commit 6ea58d1 with merge 59de56e...

[zkbot]

☀️ Test successful - pr-merge
Approved by: str4d
Pushing 59de56e to master...