Commit Graph

15756 Commits

Author SHA1 Message Date
Anthony Towns
526023aa7a Improve handling of BIP9Deployment limits
Small tweaks by Pieter Wuille.
2017-11-06 19:09:05 -08:00
practicalswift
76ea17c796 Add mutex requirement for AddToCompactExtraTransactions(…)
The vector `vExtraTxnForCompact`, which is guarded by the mutex
`cs_main`, is accessed in `AddToCompactExtraTransactions(…)`.
2017-11-06 17:41:02 +01:00
practicalswift
4616c825a4 Use -Wthread-safety-analysis if available (+ -Werror=thread-safety-analysis if --enable-werror) 2017-11-06 17:41:02 +01:00
Matt Corallo
7e319d6393 Fix -Wthread-safety-analysis warnings. Change the sync.h primitives to std from boost.
Commit 1.

This code was written by @TheBlueMatt in the following branch:
* https://github.com/TheBlueMatt/bitcoin/commits/2017-08-test-10923

This commit message was written by me (@practicalswift) who also squashed
@TheBlueMatt's commits into one and tried to summarize the changes made.

Commit 2.

Remove boost include. Remove boost mentions in comments.
2017-11-06 17:41:02 +01:00
Sjors Provoost
4a110a009c
[build] .gitignore: add background.tiff 2017-11-06 14:01:26 +01:00
Wladimir J. van der Laan
0e707919f5
Merge #11611: [build] Don't fail when passed --disable-lcov and lcov isn't available
223a4aa [build] Don't fail when passed --disable-lcov and lcov isn't available (fanquake)

Pull request description:

  Fixes #10828
  As pointed out in #10828, failing with "lcov not found" when we've been passed --disable-lcov doesn't make sense. Master currently behaves like this (where lcov isn't available):
  ```
  ./configure --disable-lcov
  checking for pkg-config... /usr/local/bin/pkg-config
  checking pkg-config is at least version 0.9.0... yes
  configure: error: "lcov testing requested but lcov not found"
  ```

  cc @janstary

Tree-SHA512: 606fdbddae67e72fff175f2f34e2c9af4e6972d40d5e1ec5c5d8be5051a728e5b16c35cfd856da0c0ce81dcab9db154a4937b1a6ca1e0233b6e160f2f4362002
2017-11-06 11:29:51 +01:00
Jonas Schnelli
0cc9876391
Merge #11607: Add Gitian PGP key: Sjors
41b15cfc9 Add sjors gitian key (Sjors Provoost)

Pull request description:

  First Gitian PR: bitcoin/gitian.sigs#603

Tree-SHA512: 02ac643b31a47724bb06a80f00ca10b3f128aa4337e59e34161d6d2281f2882b1a834b3e4769de15fc3cea76616cf25b17e85026507c8f242f21b93744b4fe70
2017-11-05 12:04:59 -10:00
fanquake
223a4aabd3
[build] Don't fail when passed --disable-lcov and lcov isn't available 2017-11-05 14:10:33 +08:00
Sjors Provoost
41b15cfc9e
Add sjors gitian key 2017-11-04 20:35:06 +01:00
Karl-Johan Alm
a02c5e459a
[trivial] Fix error messages in CFeeBumper 2017-11-03 15:37:54 -07:00
Russell Yanofsky
abbd230217 Move RPC registration out of AppInitParameterInteraction
Move to AppInitServers. This doesn't have any effects on bitcoin behavior. It
was just strange to have this unrelated code in the middle or parameter
interaction.
2017-11-03 16:28:18 -04:00
Wladimir J. van der Laan
2f959a5874
Merge #11560: Connect to a new outbound peer if our tip is stale
6262915 Add unit test for stale tip checking (Suhas Daftuar)
83df257 Add CConnmanTest to mutate g_connman in tests (João Barbosa)
ac7b37c Connect to an extra outbound peer if our tip is stale (Suhas Daftuar)
db32a65 Track tip update time and last new block announcement from each peer (Suhas Daftuar)
2d4327d net: Allow connecting to extra outbound peers (Suhas Daftuar)

Pull request description:

  This is an alternative approach to #11534.  Rather than disconnect an outbound peer when our tip looks stale, instead try to connect to an additional outbound peer.

  Periodically, check to see if we have more outbound peers than we target (ie if any extra peers are in use), and if so, disconnect the one that least recently announced a new block (breaking ties by choosing the newest peer that we connected to).

Tree-SHA512: 8f19e910e0bb36867f81783e020af225f356451899adfc7ade1895d6d3bd5afe51c83759610dfd10c62090c4fe404efa0283b2f63fde0bd7da898a1aaa7fb281
2017-11-02 20:13:24 +01:00
Wladimir J. van der Laan
7008b07005
Merge #11593: rpc: work-around an upstream libevent bug
97932cd rpc: further constrain the libevent workaround (Cory Fields)
6b58360 rpc: work-around an upstream libevent bug (Cory Fields)

Pull request description:

  A rare race condition may trigger while awaiting the body of a message.

  This may fix some reported rpc hangs/crashes.

  This work-around mimics what libevent does internally once a write has started, which is what usually happens, but not always due to the processing happening on a different thread: e7ff4ef2b4/http.c (L373)

  Fixed upstream at: 5ff8eb2637

Tree-SHA512: b9fa97cae9da2a44101c5faf1e3be0b9cbdf722982d35541cf224be31430779c75e519c8ed18d06ab7487bfb1211069b28f22739f126d6c28ca62d3f73b79a52
2017-11-02 20:11:08 +01:00
Cory Fields
97932cd268 rpc: further constrain the libevent workaround
The bug was introduced in 2.1.6-beta, versions before that don't need the
workaround.
2017-11-02 14:37:35 -04:00
Russell Yanofsky
725b79a9cf [test] Verify node doesn't send headers that haven't been fully validated 2017-11-02 13:49:15 -04:00
MarcoFalke
bfb270acfa
Merge #11590: [Wallet] always show help-line of wallet encryption calls
720d9e8fa [Wallet] always show help-line of wallet encryption calls (Jonas Schnelli)

Pull request description:

  We do currently show/hide the wallet encryption RPC calls from the help if the current wallet.
  In case of an encrypted wallet, `encryptwallet` is hidden and `walletpassphrasechange`, `walletpassphrasechange` and `walletlock` do appear in the help.

  This is no longer ideal in case of multiwallet due to the fact that one may want help infos in order to target a specific wallet.

  IMO its preferable to have a static help screen (show everything always). The currently show/hidden calls do handle the possible invalid encryption-state fine.

  Fixes #11588

Tree-SHA512: 513fecd15248a31361f5143685e8cdeb63dfd3fa7120828917e1db54d936dc3db60d48ce46efa5c3a563a48157fe962689879856eeeed53f904686b12aec204e
2017-11-02 12:58:56 -04:00
Suhas Daftuar
626291508c Add unit test for stale tip checking 2017-11-02 12:39:14 -04:00
João Barbosa
83df25736e Add CConnmanTest to mutate g_connman in tests 2017-11-02 12:39:14 -04:00
Suhas Daftuar
ac7b37cd2b Connect to an extra outbound peer if our tip is stale
If our tip hasn't updated in a while, that may be because our peers are
not relaying blocks to us that we would consider valid. Allow connection
to an additional outbound peer in that circumstance.

Also, periodically check to see if we are exceeding our target number of
outbound peers, and disconnect the one which has least recently
announced a new block to us (choosing the newest such peer in the case
of tie).
2017-11-02 12:39:14 -04:00
Cory Fields
6b58360f9b rpc: work-around an upstream libevent bug
A rare race condition may trigger while awaiting the body of a message, see
upsteam commit 5ff8eb26371c4dc56f384b2de35bea2d87814779 for details.

This may fix some reported rpc hangs/crashes.
2017-11-01 17:49:07 -04:00
Suhas Daftuar
db32a65897 Track tip update time and last new block announcement from each peer 2017-11-01 13:13:45 -04:00
Suhas Daftuar
2d4327db19 net: Allow connecting to extra outbound peers 2017-11-01 13:13:43 -04:00
MarcoFalke
1b8c88451b
Merge #11376: Ensure backupwallet fails when attempting to backup to source file
5d465e396 Ensure backupwallet fails when attempting to backup to source file (Tomas van der Wansem)

Pull request description:

  Previous behaviour was to destroy the wallet (to zero-length)

  This fixes #11375

Tree-SHA512: bfd1738659b15e3f23b6bbdf55ec12269c62c820bf701daec19500b52bd5845bb5516733c6f76f36197eb155182a8a35dc239ad4de2ef1e59bbb0f124a455759
2017-11-01 12:27:02 -04:00
Wladimir J. van der Laan
cffa5ee132
Merge #11531: Check that new headers are not a descendant of an invalid block (more effeciently)
f3d4adf Make p2p-acceptablock not an extended test (Matt Corallo)
00dcda6 [qa] test that invalid blocks on an invalid chain get a disconnect (Matt Corallo)
015a525 Reject headers building on invalid chains by tracking invalidity (Matt Corallo)
932f118 Accept unrequested blocks with work equal to our tip (Matt Corallo)
3d9c70c Stop always storing blocks from whitelisted peers (Matt Corallo)
3b4ac43 Rewrite p2p-acceptblock in preparation for slight behavior changes (Matt Corallo)

Pull request description:

  @sdaftuar pointed out that the version in #11487 was somewhat DoS-able as someone could feed you a valid chain that forked off the the last checkpoint block and force you to do lots of work just walking backwards across blocks for each new block they gave you. We came up with a few proposals but settled on the one implemented here as likely the simplest without obvious DoS issues. It uses our existing on-load mapBlockIndex walk to make sure everything that descends from an invalid block is marked as such, and then simply caches blocks which we attempted to connect but which were found to be invalid. To avoid DoS issues during IBD, this will need to depend on #11458.

  Includes tests from #11487.

Tree-SHA512: 46aff8332908e122dae72ceb5fe8cd241902c2281a87f58a5fb486bf69d46458d84a096fdcb5f3e8e07fbcf7466232b10c429f4d67855425f11b38ac0bf612e1
2017-11-01 14:42:08 +01:00
Wladimir J. van der Laan
db2f83ed46
Merge #11511: [Init] Remove redundant exit(EXIT_FAILURE) instances and replace with return false
b296bf1 Init: Remove redundant exit(EXIT_FAILURE) instances and replace with return false (donaloconnor)

Pull request description:

  While reviewing the bitcoin code I noticed that there are a few exit(EXIT_FAILURE) at various places in the AppInit function.

  This function returns to main() which will return/exit with EXIT_FAILURE so returning false instead of an explicit exit(EXIT_FAILURE) seems to be cleaner.

  This PR attempts to make things a bit more consistent.

  There is a subtle difference between exit() and return from main in that the exit() will not clean up any local vars but I don't think this makes a difference in this case. Using exit() might even lead to bugs in the future where the dtor of local objects are expected to be called.

Tree-SHA512: 7d104c3a752b4e7d7bc2382ef7e62543462988f1bbf13dd4077fbeff5399729b76c71a4352556f188b8d306604232477466f5bb827b58a6f3f6273f2370e1faa
2017-11-01 14:26:23 +01:00
Wladimir J. van der Laan
c95832da87
Merge #11571: Fixed a couple small grammatical errors.
f927ee1 Fixed a couple small grammatical errors. (Christian Gentry)

Pull request description:

  1. "If a pull request is not to be considered for merging (yet), please
  prefix the ..."

  2. If a particular commit references another issue, please add the reference. For
  example: `refs #1234` or `fixes #4321`.

Tree-SHA512: b2ed11a235800a6b8e9450937352954a2222eb6f08f9556c8f298fd3d64d18e731397b46f3141eab01e0196f53fa3a9d84fb707a1e7691a63dd146b3c5298fe5
2017-11-01 14:22:37 +01:00
Wladimir J. van der Laan
e1f6a2a801
Merge #11565: Make listsinceblock refuse unknown block hash
659b206 Make listsinceblock refuse unknown block hash (Russell Yanofsky)

Pull request description:

  Change suggested by @theuni  who noticed listsinceblock would ignore invalid block hashes causing it to return a completely unfiltered list of transactions.

Tree-SHA512: 3c8fb160265780d1334e856e853ab48e2e18372b8f1fc71ae480c3f45317048cc1fee0055d5c58031981a91b9c2bdbeb8e49a889d04ecba61729ce8109f2ce3f
2017-11-01 14:12:54 +01:00
Wladimir J. van der Laan
2631d55f61
Merge #11573: [Util] Update tinyformat.h
60b98f8 [Util] Update tinyformat.h (fanquake)

Pull request description:

  Updates `tinyformat.h` to commit c42f/tinyformat@689695c upstream. Including:
  8a2812d848
  5d9e05a347
  48e2e48789

  @achow101 mentioned that since upgrading to Ubuntu 17.10 (GCC 7), tinyformat had been throwing lots of -Wimplicit-fallthrough warnings. However fallthrough warnings should have been silenced by #10489. cc @theuni.

  The upstream commit to fix fallthrough warnings is in this PR https://github.com/c42f/tinyformat/pull/39.

  The last time tinyformat.h was updated in this repo was in #8274.

Tree-SHA512: a51bd30544693550e08148daf5d244e3a3a410caff7897351eb9cd28f661dc85e193e045bb86068ee4006b2f89a7233b7573b8c50d93d2a9a15a11386fdcc605
2017-11-01 14:12:13 +01:00
Wladimir J. van der Laan
e8f3c88133
Merge #11442: [Docs] Update OpenBSD Build Instructions for OpenBSD 6.2
9d30f54 [Docs] Update OpenBSD Build Instructions for OpenBSD 6.2 (fanquake)

Pull request description:

  This updates the OpenBSD build docs to reflect building [master](8ddf60db7a) on a OpenBSD 6.2 VM (using VirtualBox 5.1.28 r117968 on macOS 10.12.6).

  Versions of installed packages were:
  ```
  gmake 4.2.1
  g++ 4.9.4
  git 2.12.2
  libevent 2.0.22
  libtool 2.4.2
  autoconf 2.69p2
  automake 1.15p0
  python 3.6.0
  boost 1.58.0p3
  llvm 4.0.0p2
  ```

  The boost package installed via pkg_add now seems to work correctly. So we shouldn't require manual building + patching.
  I also wasn't required to make adjustments to any resource limits.

  Building with g++ and Clang was successful, using:
  ```
  ./configure --disable-wallet --with-gui=no CC=egcc CXX=eg++ CPP=ecpp
  ```
  and
  ```
  ./configure --disable-wallet --with-gui=no CC=clang CXX=clang++
  ```

  Running ``` make check ``` worked for ```test/test_bitcoin``` but ```test/util/bitcoin-util-test.py``` failed with:
  ```
  Running test/util/bitcoin-util-test.py...
  ../test/util/bitcoin-util-test.py
  env: python3: No such file or directory
  ```
  So that seems like a configuration issue, Python 3.6 is installed.

  Still todo:
  - [ ] Check if a manual installation of Berkeley DB is required
  - [x] Fix running ```test/util/bitcoin-util-test.py```
  - [x] Have someone else verify building

  cc @laanwj

Tree-SHA512: 34b176de4865b36dab9d66e74a15c37152e4b6c9784152c30dabbb515d6d9ae9cdbdc7a7b4d777876f91269a6a78cc277ec87775fc6c17dd509f7cf46e89a2b3
2017-11-01 14:01:50 +01:00
Jonas Schnelli
720d9e8fa1
[Wallet] always show help-line of wallet encryption calls 2017-10-31 20:22:41 -10:00
Matt Corallo
f3d4adfa6f Make p2p-acceptablock not an extended test 2017-10-31 13:51:34 -04:00
Matt Corallo
00dcda60f6 [qa] test that invalid blocks on an invalid chain get a disconnect 2017-10-31 13:51:34 -04:00
Matt Corallo
015a5258ad Reject headers building on invalid chains by tracking invalidity
This tracks the set of all known invalid-themselves blocks (ie
blocks which we attempted to connect but which were found to be
invalid). This is used to cheaply check if new headers build on an
invalid chain.

While we're at it we also resolve an edge-case in invalidateblock
on pruned nodes which results in them needing a reindex if they
fail to reorg.
2017-10-31 13:51:30 -04:00
Matt Corallo
932f118e6a Accept unrequested blocks with work equal to our tip
This is a simple change that makes our accept requirements the
same as our request requirements, (ever so slightly) further
decoupling our consensus logic from our FindNextBlocksToDownload
logic in net_processing.
2017-10-31 13:36:06 -04:00
Matt Corallo
3d9c70ca0f Stop always storing blocks from whitelisted peers
There is no reason to wish to store blocks on disk always just
because a peer is whitelisted. This appears to be a historical
quirk to avoid breaking things when the accept limits were added.
2017-10-31 13:36:06 -04:00
Matt Corallo
3b4ac43bc3 Rewrite p2p-acceptblock in preparation for slight behavior changes
Removes checking whitelisted behavior (which will be removed, the
difference in behavior here makes little sense) and no longer
requires that blocks at the same work as our tip be dropped if not
requested (in part because we *do* request those blocks).
2017-10-31 13:36:02 -04:00
Wladimir J. van der Laan
8335cb4781
Merge #11578: net: Add missing lock in ProcessHeadersMessage(...)
2530bf2 net: Add missing lock in ProcessHeadersMessage(...) (practicalswift)

Pull request description:

  Add missing lock in `ProcessHeadersMessage(...)`.

  Reading the variable `mapBlockIndex` requires holding the mutex `cs_main`.

  The new "Disconnect outbound peers relaying invalid headers" code added in commit 37886d5e2f and merged as part of #11568 two days ago did not lock `cs_main` prior to accessing `mapBlockIndex`.

Tree-SHA512: b799c234be8043d036183a00bc7867bbf3bd7ffe3baa94c88529da3b3cd0571c31ed11dadfaf29c5b8498341d6d0a3c928029a43b69f3267ef263682c91563a3
2017-10-31 13:10:58 +01:00
practicalswift
3ab545d7f8 addrman: Add missing lock in Clear() (CAddrMan)
The variable vRandom is guarded by the mutex cs.
2017-10-31 10:34:00 +01:00
Matt Corallo
3788a8479b Do not send (potentially) invalid headers in response to getheaders
Nowhere else in the protocol do we send headers which are for
blocks we have not fully validated except in response to getheaders
messages with a null locator. On my public node I have not seen any
such request (whether for an invalid block or not) in at least two
years of debug.log output, indicating that this should have minimal
impact.
2017-10-30 18:59:07 -04:00
practicalswift
2530bf27b7 net: Add missing lock in ProcessHeadersMessage(...)
Reading the variable mapBlockIndex requires holding the mutex cs_main.

The new "Disconnect outbound peers relaying invalid headers" code
added in commit 37886d5e2f and merged
as part of #11568 two days ago did not lock cs_main prior to accessing
mapBlockIndex.
2017-10-30 20:00:17 +01:00
Wladimir J. van der Laan
bb9ab0fccf
Merge #11541: Build: Fix Automake warnings when running autogen.sh
cc5c39d [Build] Add AM_OBJCXXFLAGS and QT_PIE_FLAGS to OBJCXXFLAGS to future-proof darwin targets (fanquake)
f8c6697 Fix automake warnings when running autogen.sh (Evan Klitzke)

Pull request description:

  Adjusted @eklitzke's commit to completely remove GZIP_ENV.
  Added a commit to address OBJCXXFLAGS.
  Rebased on master.
  Relevant info from @theuni & #11013 below.

  --------
  GZIP_ENV was indeed added for determinism, but gitian exports this as needed, so it's not really necessary. I'd rather just remove it.

  The mm.o rule was added to support XCode 4.2's ancient version of automake. That's irrelevant now, so it makes sense to remove that too.

  All darwin targets are PIE by default, so we don't technically need the flags, but I'd be more comfortable if we hooked up the OBJCXXFLAGS in case future ones are added.

  --------

  The second commit addresses the last point, but could probably use a better commit message.
  These warnings are removed from autogen output:
  ```
  Makefile.am:12: warning: user variable 'GZIP_ENV' defined here ...
  /usr/local/Cellar/automake/1.15.1/share/automake-1.15/am/distdir.am: ... overrides Automake variable 'GZIP_ENV' defined here
  src/Makefile.am: installing 'build-aux/depcomp'
  src/Makefile.am:503: warning: user target '.mm.o' defined here ...
  /usr/local/Cellar/automake/1.15.1/share/automake-1.15/am/depend2.am: ... overrides Automake target '.mm.o' defined here
  ```

Tree-SHA512: bd59df5f6d3aafe35d5e36925bfe61cc71e774583a0438d7dd946c9e7ecf6e59d42f90a58b8cfef0faa404c81050338ad4cefe721b4a949af881e73b6ab254d4
2017-10-29 18:28:21 +01:00
fanquake
60b98f8e14
[Util] Update tinyformat.h
Updates `tinyformat.h` to commit c42f/tinyformat@689695c upstream.
2017-10-29 21:12:12 +08:00
Pieter Wuille
ba216b5fa6
Merge #11568: Disconnect outbound peers on invalid chains
37886d5e2 Disconnect outbound peers relaying invalid headers (Suhas Daftuar)
4637f1852 moveonly: factor out headers processing into separate function (Suhas Daftuar)

Pull request description:

  Alternate to #11446.

  Disconnect outbound (non-manual) peers that serve us block headers that are already known to be invalid, but exempt compact block announcements from such disconnects.

  We restrict disconnection to outbound peers that are using up an outbound connection slot, because we rely on those peers to give us connectivity to the honest network (our inbound peers are not chosen by us and hence could all be from an attacker/sybil).  Maintaining connectivity to peers that serve us invalid headers is sometimes desirable, eg after a soft-fork, to protect unupgraded software from being partitioned off the honest network, so we prefer to only disconnect when necessary.

  Compact block announcements are exempted from this logic to comply with BIP 152, which explicitly permits nodes to relay compact blocks before fully validating them.

Tree-SHA512: 3ea88e4ccc1184f292a85b17f800d401d2c3806fefc7ad5429d05d6872c53acfa5751e3df83ce6b9c0060ab289511ed70ae1323d140ccc5b12e3c8da6de49936
2017-10-28 11:19:38 -07:00
Christian Gentry
f927ee1aa8
Fixed a couple small grammatical errors.
1. "If a pull request is not to be considered for merging (yet), please
prefix the ..."

2. If a particular commit references another issue, please add the reference. For
example: `refs #1234` or `fixes #4321`.
2017-10-28 10:23:26 -07:00
Wladimir J. van der Laan
b5545d8df9
Merge #10409: [tests] Add fuzz testing for BlockTransactions and BlockTransactionsRequest
fd3a2f3 [tests] Add fuzz testing for BlockTransactions and BlockTransactionsRequest (practicalswift)

Pull request description:

  The `BlockTransactions` deserialization code is reachable with tainted data via `ProcessMessage(…, "BLOCKTXN", vRecv [tainted], …)`.

  The same thing applies to `BlockTransactionsRequest` which is reachable via `"GETBLOCKTXN"`.

Tree-SHA512: 64560ea344bc6145b940472f99866b808725745b060dedfb315be400bd94e55399f50b982149645bd7af7ed9935fd28751d7daf0d3f94a8e2ed3bc52e3325ffb
2017-10-28 16:22:20 +02:00
Suhas Daftuar
37886d5e2f Disconnect outbound peers relaying invalid headers 2017-10-27 16:29:12 -04:00
Suhas Daftuar
4637f18522 moveonly: factor out headers processing into separate function
ProcessMessages will now return earlier when processing headers
messages, rather than continuing on (and do nothing).
2017-10-26 16:37:06 -04:00
Wladimir J. van der Laan
d93fa261f0
Merge #11490: Disconnect from outbound peers with bad headers chains
e065249 Add unit test for outbound peer eviction (Suhas Daftuar)
5a6d00c Permit disconnection of outbound peers on bad/slow chains (Suhas Daftuar)
c60fd71 Disconnecting from bad outbound peers in IBD (Suhas Daftuar)

Pull request description:

  The first commit will disconnect an outbound peer that serves us a headers chain with insufficient work while we're in IBD.

  The second commit introduces a way to disconnect outbound peers whose chains fall out of sync with ours:

  For a given outbound peer, we check whether their best known block (which is known from the blocks they announce to us) has at least as much work as our tip.  If it doesn't, we set a 20 minute timeout, and if we still haven't heard about a block with as much work as our tip had when we set the timeout, then we send a single getheaders message, and wait 2 more minutes.  If after two minutes their best known block has insufficient work, we disconnect that peer.

  We protect 4 of our outbound peers (who provide some "good" headers chains, ie a chain with at least as much work as our tip at some point) from being subject to this logic, to prevent excessive network topology changes as a result of this algorithm, while still ensuring that we have a reasonable number of nodes not known to be on bogus chains.

  We also don't require our peers to be on the same chain as us, to prevent accidental partitioning of the network in the event of a chain split.  Note that if our peers are ever on a more work chain than our tip, then we will download and validate it, and then either reorg to it, or learn of a consensus incompatibility with that peer and disconnect.  This PR is designed to protect against peers that are on a less work chain which we may never try to download and validate.

Tree-SHA512: 2e0169a1dd8a7fb95980573ac4a201924bffdd724c19afcab5efcef076fdbe1f2cec7dc5f5d7e0a6327216f56d3828884f73642e00c8534b56ec2bb4c854a656
2017-10-26 21:53:41 +02:00
Suhas Daftuar
e065249c01 Add unit test for outbound peer eviction 2017-10-26 13:51:06 -04:00
Suhas Daftuar
5a6d00c6de Permit disconnection of outbound peers on bad/slow chains
Currently we have no rotation of outbound peers.  If an outbound peer
stops serving us blocks, or is on a consensus-incompatible chain with
less work than our tip (but otherwise valid headers), then we will never
disconnect that peer, even though that peer is using one of our 8
outbound connection slots.  Because we rely on our outbound peers to
find an honest node in order to reach consensus, allowing an
incompatible peer to occupy one of those slots is undesirable,
particularly if it is possible for all such slots to be occupied by such
peers.

Protect against this by always checking to see if a peer's best known
block has less work than our tip, and if so, set a 20 minute timeout --
if the peer is still not known to have caught up to a chain with as much
work as ours after 20 minutes, then send a single getheaders message,
wait 2 more minutes, and if a better header hasn't been received by then,
disconnect that peer.

Note:

- we do not require that our peer sync to the same tip as ours, just an
equal or greater work tip.  (Doing otherwise would risk partitioning the
network in the event of a chain split, and is also unnecessary.)

- we pick 4 of our outbound peers and do not subject them to this logic,
to be more conservative. We don't wish to permit temporary network
issues (or an attacker) to excessively disrupt network topology.
2017-10-26 13:43:53 -04:00