Commit Graph

21862 Commits

Author SHA1 Message Date
Kittywhiskers Van Gogh
93a01604c3 refactor: define a UINT256_ONE global constant
Borrowed from https://github.com/bitcoin/bitcoin/pull/17261, commit 4977c30d59
2022-07-02 23:47:42 +05:30
Kittywhiskers Van Gogh
d2d7febd0e fuzz: sort ENABLE_FUZZ block alphabetically to avoid merge conflicts 2022-07-02 23:47:42 +05:30
UdjinM6
14402a1b34
fix(llmq): Fix quorum commitments requirement conditions (#4899)
Wasn't really requiring other commitments for rotation quorums once a single commitment was mined
2022-07-02 21:02:42 +03:00
UdjinM6
44d095b59c
Merge pull request #4880 from PastaPastaPasta/backports-19754
backport: 19754 and necessary pre-reqs
2022-07-02 21:01:26 +03:00
PastaPastaPasta
9021e3a314
merge #19754: wallet, gui: Reload previously loaded wallets on startup
Co-authored-by: UdjinM6 <UdjinM6@users.noreply.github.com>
2022-07-01 15:53:24 -05:00
UdjinM6
def2e98d61
Merge pull request #4898 from PastaPastaPasta/backport-18530
Merge #18530: Add test for -blocksonly and -whitelistforcerelay param interaction
2022-06-30 22:06:15 +03:00
PastaPastaPasta
d89de3a2fa
Merge pull request #4866 from Munkybooty/backports-0.20-pr4
Backports 0.20 pr4
2022-06-30 10:08:59 -05:00
MarcoFalke
4d6f0cd2f2
Merge #18530: Add test for -blocksonly and -whitelistforcerelay param interaction
0ea5d70b4756f376342417e0019490233cb4a918 Updated comment for the condition where a transaction relay is denied (glowang)
be01449cc8eb7bb97531a967f5d1dcc7b8865d1e Add test for param interaction b/w -blocksonly and -whitelistforcerelay (glowang)

Pull request description:

  Related to: #18428

  When -blocksonly is turned on, a node would still relay transactions from whitelisted peers. This funcitonality has not been tested.

ACKs for top commit:
  MarcoFalke:
    ACK 0ea5d70b4756f376342417e0019490233cb4a918

Tree-SHA512: 4e99c88281cb518cc67f5f3be7171a7b413933047b5d24a04bb3ff2210a82e914d69079f64cd5bac9206ec435e21a622c8e69cedbc2ccb39d2328ac5c01668e5
2022-06-29 10:14:58 -05:00
Odysseas Gabrielides
088d7f2ec5
fix: Faster feature_llmq_rotation.py + introduction of llmq_devnet_dip0024 (#4878)
* Added LLMQ_DEVNET_V2

* Faster feature_llmq_rotation func test

* Updated llmq_devnet_dip0024

* Adjusted parameters

* Better comments

* Re-adjusted rotated llmq params
2022-06-28 19:14:09 -05:00
UdjinM6
46c887d394
Merge pull request #4894 from PastaPastaPasta/develop-trivial-2022-06-22
backport: trivial backports
2022-06-27 22:58:16 +03:00
UdjinM6
ac7ed67d30
Merge pull request #4889 from PastaPastaPasta/develop-trivial-2022-06-18
Develop trivial 2022 06 18
2022-06-27 22:57:55 +03:00
Munkybooty
9c839dd836
Merge #18499: rpc: Make rpc documentation not depend on call-time rpc args (#4893) 2022-06-27 11:40:22 -05:00
MarcoFalke
093252cba6
Merge bitcoin/bitcoin#24072: doc: fix wording of alertnotify to match behaviour
6981de4435573ad44ee53fd5efc10894866ed2f9 doc: fix wording of alertnotify (willcl-ark)

Pull request description:

  The documentation of the `alertnotify` startup option no longer matches the implementation.

  Currently the alert is only triggered by `DoWarning` (as part of `CChainstate::UpdateTip` when blocks containing unknown versionbits are detected on the network, indicating that there may be an upcoming softfork which you don't know about), but not when we see a "really long fork":

  2825c41a61/src/validation.cpp (L2418-L2433)

  I think it would be desirable in a follow-up PR to implement the logic to alert on a (really) long fork, but not to alert for "partition detection" (abnormally slow/fast blocks). `PartitionChecker` code was removed in ab8be98fdb

ACKs for top commit:
  josibake:
    ACK 6981de4435
  achow101:
    ACK 6981de4435573ad44ee53fd5efc10894866ed2f9

Tree-SHA512: ea124f53ca1db803ba93d649f4bc983484c47fb5fe7fa61a8eb32fcbc7425f67d8578e66a6ba70202e13868fe8add0103306dede3b1edd1d3261ffb9c1042b87
2022-06-27 11:37:04 -05:00
fanquake
4e6b49d6f6
Merge bitcoin/bitcoin#24093: build: specify hosts for qrencode package
bf044ef9ecc93a69619cbaa9fa2b874d5fc06932 build: specify hosts for qrencode package (fanquake)

Pull request description:

  Similar to how we specify the OS's we build Qt for, specify which OS's
  we will build qrencode for (a qt dependency). This commit alone doesn't
  change anything, but when we start supporting other OS's, i.e #23948,
  where we wont support qt (or at least initially), it'll skip building
  the qrencode package, which would be unused.

  I'll rebase the other *BSD changes on top of this.

ACKs for top commit:
  hebasto:
    ACK bf044ef9ecc93a69619cbaa9fa2b874d5fc06932, I have reviewed the code and it looks OK, I agree it can be merged.

Tree-SHA512: 3f5f11f122704a664dd77d8da0b7e9b95d44b2f1514d0199deed9b8b8ad0d8883a1de1f444b796c5f4681f423a380c3905fce720d7d2b788130162c907c2ce3b
2022-06-27 11:37:04 -05:00
fanquake
93e70903ce
Merge bitcoin/bitcoin#23937: doc: Fix dumptxoutset RPC help doc
faa9e461ab3cdec61d8428621fb3adc76e964415 doc: Fix dumptxoutset RPC help doc (MarcoFalke)

Pull request description:

  Fixes `help dumptxoutset`.

  To test: `help dumptxoutset`.

ACKs for top commit:
  shaavan:
    ACK faa9e461ab3cdec61d8428621fb3adc76e964415

Tree-SHA512: f40f1636469da61ab4a2aa6d9efb84de525b220e8897b4fe2720211def87d262be57956d1474fe04f395e7634d83b4e5aee474ad869b4b5aa619f22ecd2e78fc
2022-06-27 11:37:04 -05:00
fanquake
12b6efe874
Merge bitcoin/bitcoin#23617: doc: Fix typos in packages.md
83c08ba0c97798e7da2d4e74722ece534d0f8620 doc: Fix typos in packages.md (Hennadii Stepanov)

Pull request description:

ACKs for top commit:
  theStack:
    ACK 83c08ba0c97798e7da2d4e74722ece534d0f8620
  Zero-1729:
    ACK 83c08ba0c97798e7da2d4e74722ece534d0f8620
  brunoerg:
    ACK 83c08ba0c97798e7da2d4e74722ece534d0f8620

Tree-SHA512: d6b192ecf10254943c6be0762a512258642862992d28834b0429d5b95601192da60058cf1d72fd1a4e5834b56e11776aa8b994b7947d3d29d6592617b9d875ef
2022-06-27 11:37:04 -05:00
fanquake
a1ecac0f61
Merge bitcoin/bitcoin#22783: build: Cleanup depends build system
539ca409c939a31bc51f41f14ebb8bf8f48e0073 build: Remove unneeded share/man directory from libXau package (Hennadii Stepanov)
6c25c83050a8401a76502a1f0ace0ca1428e2916 build: Remove unneeded share/man directory from freetype package (Hennadii Stepanov)
9067c6c451262222a11785ce9622dd6627644cf1 build: Remove empty var/cache/fontconfig directory from fontconfig (Hennadii Stepanov)
4a37c268dbeed3a361286dcd090aea779527d996 build: Remove unneeded share/doc directory from expat package (Hennadii Stepanov)
acb9400ab602065d0996f3901de418b710a18159 build: Drop non-existent share/pkgconfig directory (Hennadii Stepanov)

Pull request description:

  This PR:
  - removes non-existent `share/pkgconfig` path from `PKG_CONFIG_PATH`. This change, actually, make `PKG_CONFIG_PATH` unused in the depends build system
  - removes `doc`,  `man` and empty directories from the built packages

ACKs for top commit:
  fanquake:
    ACK 539ca409c939a31bc51f41f14ebb8bf8f48e0073

Tree-SHA512: 41ffd5cea962f7533cb5d66ff9e8fd71a3dd7a8d9568b1bb63fc68e7070d7e416f6db02a0f8ab4d94063ee7f6370f00d62a5791b44f0d21c10666af590268c36
2022-06-27 11:37:03 -05:00
fanquake
c1969bb2e8
Merge bitcoin/bitcoin#21788: build: Silence [-Wunused-command-line-argument] warnings
e9f948c72790136656df6056fd9e3698f360e077 build: Convert warnings into errors when testing for -fstack-clash-protection (Hennadii Stepanov)

Pull request description:

  Apple clang version 12.0.5 (clang-1205.0.22.9) that is a part of Xcode 12.5, and is based on LLVM clang 11.1.0, fires spammy warnings:

  ```
  clang: warning: argument unused during compilation: '-fstack-clash-protection' [-Wunused-command-line-argument]
  ```

  From the https://github.com/apple/llvm-project:
  ```
  $ git log --oneline | grep 'stack-clash-protection'
  00065d5cbd02 Revert "-fstack-clash-protection: Return an actual error when used on unsupported OS"
  4d59c8fdb955 -fstack-clash-protection: Return an actual error when used on unsupported OS
  df3bfaa39071 [Driver] Change -fnostack-clash-protection to  -fno-stack-clash-protection
  68e07da3e5d5 [clang][PowerPC] Enable -fstack-clash-protection option for ppc64
  515bfc66eace [SystemZ] Implement -fstack-clash-protection
  e67cbac81211 Support -fstack-clash-protection for x86
  454621160066 Revert "Support -fstack-clash-protection for x86"
  0fd51a4554f5 Support -fstack-clash-protection for x86
  658495e6ecd4 Revert "Support -fstack-clash-protection for x86"
  e229017732bc Support -fstack-clash-protection for x86
  b03c3d8c6209 Revert "Support -fstack-clash-protection for x86"
  4a1a0690ad68 Support -fstack-clash-protection for x86
  f6d98429fcdb Revert "Support -fstack-clash-protection for x86"
  39f50da2a357 Support -fstack-clash-protection for x86
  ```

  I suppose, that Apple clang-1205.0.22.9 ends with on of the "Revert..." commits.

  This PR prevents using of the `-fstack-clash-protection` flag if it causes warnings.

  ---

  System: macOS Big Sur 11.3 (20E232).

ACKs for top commit:
  jarolrod:
    re-ACK e9f948c72790136656df6056fd9e3698f360e077
  Sjors:
    tACK e9f948c72790136656df6056fd9e3698f360e077 on macOS 11.3.1

Tree-SHA512: 30186da67f9b0f34418014860c766c2e7f622405520f1cbbc1095d4aa4038b0a86014d76076f318a4b1b09170a96d8167c21d7f53a760e26017f486e1a7d39d4
2022-06-27 11:37:03 -05:00
MarcoFalke
f3b7c61a9a
Merge bitcoin/bitcoin#21746: refactor: init: mark fReset const
785f9cc46a43661c63a5ec56a9e82f4ce9d42f44 refactor: init: mark fReset const (James O'Beirne)

Pull request description:

  Small thing, but hey - it doesn't change.

ACKs for top commit:
  theStack:
    Code-review ACK 785f9cc46a43661c63a5ec56a9e82f4ce9d42f44

Tree-SHA512: 3cb8d7037f517162f6315d561accc4932b0f1e340162c3283871433f2e355d57b3740c9d2e953ce33fbfa3b277c8437f91955fb70331b3fe9c8e6a8589dc2b49
2022-06-27 11:37:03 -05:00
fanquake
46cc6423b1
Merge #21311: rpc: document optional fields for getchaintxstats result
73e1f7d754c0a2381254447d692fe27a5af8c1c5 rpc: document optional fields for getchaintxstats result (Sebastian Falbesoner)

Pull request description:

  This mini-PR updates the result help of the `getchaintxstats` RPC by showing the following fields as "optional":
  - window_tx_count
  - window_interval
  - txrate

  Help output diff between master and PR branch:
  ```diff
  16,18c16,18
  <   "window_tx_count" : n,                (numeric) The number of transactions in the window. Only returned if "window_block_count" is > 0
  <   "window_interval" : n,                (numeric) The elapsed time in the window in seconds. Only returned if "window_block_count" is > 0
  <   "txrate" : n                          (numeric) The average rate of transactions per second in the window. Only returned if "window_interval" is > 0
  ---
  >   "window_tx_count" : n,                (numeric, optional) The number of transactions in the window. Only returned if "window_block_count" is > 0
  >   "window_interval" : n,                (numeric, optional) The elapsed time in the window in seconds. Only returned if "window_block_count" is > 0
  >   "txrate" : n                          (numeric, optional) The average rate of transactions per second in the window. Only returned if "window_interval" is > 0
  ```

ACKs for top commit:
  0xB10C:
    ACK 73e1f7d754c0a2381254447d692fe27a5af8c1c5

Tree-SHA512: 63c8db3e47a3c2d5564d53c564484b95b656e1e5deca1e9841bc90d122d3c81f02fd2b59313fd913ce81b16f7cc2969fe1dd9d6c3e23628b8ac057ea08f55daa
2022-06-27 11:37:03 -05:00
fanquake
b2df26bec3
Merge #21421: build: don't try and use -fstack-clash-protection on Windows
7b3434f8002d1a8cf0dbd0a0caef28e783b1efd8 build: don't try and use -fstack-clash-protection on Windows (fanquake)

Pull request description:

  This has never worked with any of the mingw-w64 compilers we use, and the `-O0` is causing issues for builders applying spectre mitigations (see [IRC logs](http://www.erisian.com.au/bitcoin-core-dev/log-2021-03-12.html#l-15)).

  Recent discussion on https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90458 would also indicate that this should just not be used on Windows.

ACKs for top commit:
  laanwj:
    Concept and code review ACK (but untested) 7b3434f8002d1a8cf0dbd0a0caef28e783b1efd8
  hebasto:
    ACK 7b3434f8002d1a8cf0dbd0a0caef28e783b1efd8, I've verified that this change does not affect builds for `HOST=x86_64-w64-mingw32` by comparing sizes of the output `*.exe` files.

Tree-SHA512: 72b582321ddff8db3201460fa42a53304e70f141ae078d76a4d4eeb1ca27c8dd567ccb468cc8616179c8df784bd8ca038dcb9a277f9e29f9d98c3cc842916b18
2022-06-27 11:37:02 -05:00
MarcoFalke
10979f1a74
Merge #21317: util: Make Assume() usable as unary expression
fa4cebadcffd9112da4b13c7cc7ccf21e2bee887 util: Make Assume() usable as unary expression (MarcoFalke)

Pull request description:

  Assume shouldn't behave different at the call site depending on build flags. Currently compilation fails if it is used as expression. Fix that by using the lambda approach from `Assert()` without the `assert()`.

ACKs for top commit:
  jnewbery:
    ACK fa4cebadcffd9112da4b13c7cc7ccf21e2bee887
  practicalswift:
    cr ACK fa4cebadcffd9112da4b13c7cc7ccf21e2bee887: patch looks correct and commit hash starts with `fa`

Tree-SHA512: 9ec9ac8d410cdaf5e4e28df571a89e3d23d38e05a7027bb726cae3da6e9314734277e5a218e9e090cc17e10db763da71052c229ad642077ca5824ee42022f3ed
2022-06-27 11:37:02 -05:00
UdjinM6
d9c70e2916
llmq: Various fixes and improvements (#4890)
* feat(llmq): Introduce useRotation in LLMQParams

* fix(llmq): Fix IsQuorumRotationEnabled to recognize all dip0024 quorums

* fix(llmq): Do not allow rotation llmqs for `-llmqinstantsend` and non-rotation ones for `-llmqinstantsenddip0024`

* fix(llmq): Unify and fix IsMiningPhase

NOTE: no need for 1 extra block in mining phase for rotation quorums

* chore(llmq): Reduce the number of IsQuorumRotationEnabled calls

* chore(llmq): Improve logging

* feat(llmq): Make `llmq-` threads for rotation quorums distinguishable by quorum index

* fix(llmq): Fix another endless loop in GetQuorumRelayMembers

* throw an error when a llmq type with an incompatible rotation flag is picked for `-llmq...` params

* Add a note about loop conditions

* llmq: Make TransactionRemovedFromMempool the last action for invalid txes, just like we do for orphans with rejected parents

Write to log, send reject msg and (maybe) punish first and only then notify IS about the tx removal. Makes it easier to reason about it when reading logs.
2022-06-27 13:02:46 +03:00
UdjinM6
b9b60b02c6
chore: no scriptPayout and scriptOperatorPayout by default in protx diff / CSimplifiedMNListEntry (#4895) 2022-06-27 13:01:52 +03:00
PastaPastaPasta
f7f70d61de
feat: add scriptPayout and scriptOperatorPayout to protx diff / CSimplifiedMNListEntry (#4740)
* feat: add scriptPayout and scriptOperatorPayout to `protx diff` / CSimplifiedMNListEntry

* mem-only

* tweak BuildSimplifiedDiff

* add "extended" to "protx diff"

Co-authored-by: UdjinM6 <UdjinM6@users.noreply.github.com>
2022-06-24 21:35:23 +03:00
MarcoFalke
68809aeacb
Merge #19217: p2p: disambiguate block-relay-only variable names from blocksonly variables
ec4c6a17e82a6726d95075b43ebd2525c50b37cd scripted-diff: replace MAX_BLOCKS_ONLY_CONNECTIONS with MAX_BLOCK_RELAY_ONLY_CONNECTIONS (glowang)

Pull request description:

  We have two different concepts that have similar names: `-blocksonly` and `block-relay-only`, and the similarity of names could lead to confusion. `-blocksonly` disables all local receiving & relaying of transactions (with a few exceptions), while `block-relay-only`means that bitcoind will make 2 additional outbound connections that are only used for block relay.

  In net.h and init.cpp, `MAX_BLOCKS_ONLY_CONNECTIONS` is used to represent the maximum number of `block-relay-only` outbound peers, which is 2. But this name sounds ambiguous, and I proposed a better name,  `MAX_BLOCK_RELAY_ONLY_CONNECTION`.

ACKs for top commit:
  jnewbery:
    ACK ec4c6a17e82a6726d95075b43ebd2525c50b37cd

Tree-SHA512: cfa592a7ff936f14d10cfc1e926a51b82bc0feaf104885a41ca8111b906cb3d1ec5536bab143a3cfca70aa49e9575c6995941eb6d3d7f4018d4535712342f155
2022-06-22 18:01:03 -07:00
fanquake
0fcd9bd10c
Merge #18910: p2p: add MAX_FEELER_CONNECTIONS constant
e3047edfb63c3d098cb56ba9f9a1e7e0a795d552 test: use p2p constants in denial of service tests (fanquake)
25d8264c95eaf98a66df32addb0bf32d795a35bd p2p: add MAX_FEELER_CONNECTIONS constant (tryphe)

Pull request description:

  Extracted from #16003.

ACKs for top commit:
  naumenkogs:
    utACK e3047ed

Tree-SHA512: 14fc15292be4db2e825a0331dd189a48713464f622a91c589122c1a7135bcfd37a61e64af1e76d32880ded09c24efd54d3c823467d6c35367a380e0be33bd35f
2022-06-22 17:58:47 -07:00
PastaPastaPasta
c3f5f81a44
Merge pull request #4891 from kittywhiskers/antispam_bps
backport: bitcoin#15141, #19219 (rewrite DoS interface, use discouragement filter)
2022-06-22 17:11:56 -07:00
Vijay
6df949628f
Merge #15427: Add support for descriptors to utxoupdatepsbt (#4656)
26fe9b990995f9cb5eee21d40b4daaad19f7181f Add support for descriptors to utxoupdatepsbt (Pieter Wuille)
3135c1a2d2e2fb31bc362c848bd2456d576e408b Abstract out UpdatePSBTOutput from FillPSBT (Pieter Wuille)
fb90ec3c33e824f5abb6a68452c683d6ce8b3e4a Abstract out EvalDescriptorStringOrObject from scantxoutset (Pieter Wuille)
eaf4f887348a08c620732125ad4430e1a133d434 Abstract out IsSegWitOutput from utxoupdatepsbt (Pieter Wuille)

Pull request description:

  This adds a descriptors argument to the `utxoupdatepsbt` RPC. This means:
  * Input and output scripts and keys will be filled in when known.
  * P2SH-witness inputs will be filled in from the UTXO set when a descriptor is provided that shows they're spending segwit outputs.

  This also moves some (newly) shared code to separate functions: `UpdatePSBTOutput` (an analogue to `SignPSBTInput`), `IsSegWitOutput`, and `EvalDescriptorStringOrObject` (implementing the string or object notation parsing used in `scantxoutset`).

ACKs for top commit:
  jnewbery:
    utACK 26fe9b990995f9cb5eee21d40b4daaad19f7181f
  laanwj:
    utACK 26fe9b990995f9cb5eee21d40b4daaad19f7181f (will hold merging until response to promag's comments)
  promag:
    ACK 26fe9b9, checked refactors and tests look comprehensive. Still missing a release note but can be added later.

Tree-SHA512: 1d833b7351b59d6c5ded6da399ff371a8a2a6ad04c0a8f90e6e46105dc737fa6f2740b1e5340280d59e01f42896c40b720c042f44417e38dfbee6477b894b245

Co-authored-by: Wladimir J. van der Laan <laanwj@gmail.com>
2022-06-22 16:42:19 -07:00
Kittywhiskers Van Gogh
a7ee2c2667 merge bitcoin#19219: Replace automatic bans with discouragement filter
Co-authored-by: UdjinM6 <UdjinM6@users.noreply.github.com>
2022-06-21 19:11:49 +05:30
Kittywhiskers Van Gogh
f14bf83a9d merge bitcoin#15141: Rewrite DoS interface between validation and net_processing
Co-authored-by: UdjinM6 <UdjinM6@users.noreply.github.com>
2022-06-21 19:11:26 +05:30
PastaPastaPasta
da5ba5a304 merge #19099: refactor: Move wallet methods out of chain.h and node.h
Co-authored-by: UdjinM6 <UdjinM6@users.noreply.github.com>
2022-06-21 19:08:57 +05:30
PastaPastaPasta
7f3c8c399e merge #15937: Add loadwallet and createwallet load_on_startup options
Co-authored-by: UdjinM6 <UdjinM6@users.noreply.github.com>
2022-06-21 19:08:56 +05:30
PastaPastaPasta
e1d8dfba06 merge #15935: Add <datadir>/settings.json persistent settings storage
Co-authored-by: UdjinM6 <UdjinM6@users.noreply.github.com>
2022-06-21 19:08:55 +05:30
PastaPastaPasta
b9efbdeab7 merge #16115: On bitcoind startup, write config args to debug.log
Co-authored-by: UdjinM6 <UdjinM6@users.noreply.github.com>
2022-06-21 19:08:55 +05:30
PastaPastaPasta
98cec64482 partial #17473: refactor: Replace FlagsOfKnownArg with GetArgFlags 2022-06-21 19:08:54 +05:30
Konstantin Akimov
ef3f738f6f
Merge bitcoin#15759: p2p: Add 2 outbound block-relay-only connections (#4862)
* Remove unused variable

* [refactor] Move tx relay state to separate structure

* [refactor] Change tx_relay structure to be unique_ptr

* Check that tx_relay is initialized before access

* Add comment explaining intended use of m_tx_relay

* Add 2 outbound block-relay-only connections

Transaction relay is primarily optimized for balancing redundancy/robustness
with bandwidth minimization -- as a result transaction relay leaks information
that adversaries can use to infer the network topology.

Network topology is better kept private for (at least) two reasons:

(a) Knowledge of the network graph can make it easier to find the source IP of
a given transaction.

(b) Knowledge of the network graph could be used to split a target node or
nodes from the honest network (eg by knowing which peers to attack in order to
achieve a network split).

We can eliminate the risks of (b) by separating block relay from transaction
relay; inferring network connectivity from the relay of blocks/block headers is
much more expensive for an adversary.

After this commit, bitcoind will make 2 additional outbound connections that
are only used for block relay. (In the future, we might consider rotating our
transaction-relay peers to help limit the effects of (a).)

* Don't relay addr messages to block-relay-only peers

We don't want relay of addr messages to leak information about
these network links.

* doc: improve comments relating to block-relay-only peers

* Disconnect peers violating blocks-only mode

If we set fRelay=false in our VERSION message, and a peer sends an INV or TX
message anyway, disconnect. Since we use fRelay=false to minimize bandwidth,
we should not tolerate remaining connected to a peer violating the protocol.

* net_processing. Removed comment + fixed formatting

* Refactoring net_processing, removed duplicated code

* Refactor some bool in a many-arguments function to enum

It's made to avoid possible typos with arguments, because some of them have default values and it's very high probability to make a mistake here.

* Added UI debug option for Outbound

* Fixed data race related to `setInventoryTxToSend`, introduced in `[refactor] Move tx relay state to separate structure`

Co-authored-by: Suhas Daftuar <sdaftuar@gmail.com>
2022-06-18 23:02:28 -07:00
fanquake
b50457044c
Merge #20720: build: more robustly check for fcf-protection support
e9189a750b237eba1befc6b16c12c2cee3e0176c build: more robustly check for fcf-protection support (fanquake)

Pull request description:

  When using Clang 7, we may end up trying to use the flag when it won't
  work properly, which can lead to confusing errors. i.e:
  ```bash
  /usr/bin/ld: error: ... <corrupt x86 feature size: 0x8>
  ```

  Use `AX_CHECK_LINK_FLAG` & `--fatal-warnings` to ensure we wont use the flag in this case.

  We do this as even when the error is emitted, compilation succeeds, and the binaries produced will run. This means we can't just check if the compiler accepts the flag, or if compilation succeeds (without or without `-Werror`, and/or passing `-Wl,--fatal-warnings`, which may not be passed through to the linker).

  This was reported by someone configuring for fuzzing, on Debian 10, where Clang 7 is the default.

  See here for a minimal example of the problematic behaviour:
  https://gist.github.com/fanquake/9b33555fcfebef8eb8c0795a71732bc6

ACKs for top commit:
  pstratem:
    tested ACK e9189a750b237eba1befc6b16c12c2cee3e0176c
  MarcoFalke:
    not an ACK e9189a750b237eba1befc6b16c12c2cee3e0176c , I only tested configure on my system (gcc-10, clang-11):
  hebasto:
    ACK e9189a750b237eba1befc6b16c12c2cee3e0176c, tested with clang-7, clang-10 and gcc: the `-fcf-protection=full` is not applied for clang-7, but applied for others compilers.

Tree-SHA512: ec24b0cc5523b90139c96cbb33bb98d1e6a24d858c466aa7dfb3c474caf8c50aca53e570fdbc0ff88378406b0ac5d687542452637b1b5fa062e829291b886fc1
2022-06-18 22:14:04 -07:00
Jonas Schnelli
2622653e74
Merge #20563: build: Check that Homebrew's berkeley-db4 package is actually installed
d3ef947524a07f8d7fbad5b95781ab6cacb1cb49 build: Check that Homebrew's berkeley-db4 package is actually installed (Hennadii Stepanov)

Pull request description:

  On master (a0489f3472f3799dc1ece32a59556fd239c4c14b) the `configure` script is not able to determine that Homebrew's `berkeley-db4` package is uninstalled. This causes a compile error on macOS.

  With this PR, and with the [uninstalled](https://stackoverflow.com/questions/20802320/detect-if-homebrew-package-is-installed) `berkeley-db4` package:
  ```
  % ./configure -q
  configure: error: libdb_cxx headers missing, Bitcoin Core requires this library for BDB wallet support (--without-bdb to disable BDB wallet support)
  ```

  Related #20478.

ACKs for top commit:
  promag:
    Tested ACK d3ef947524a07f8d7fbad5b95781ab6cacb1cb49.
  willcl-ark:
    tACK d3ef947524a07f8d7fbad5b95781ab6cacb1cb49
  jonasschnelli:
    utACK d3ef947524a07f8d7fbad5b95781ab6cacb1cb49

Tree-SHA512: 8dc532e08249ec63bd357594aa458d314b6e8537fc63f5b1d509c84d0d71d5b1f70172caa1a7efe2fc8af31c829e7982a0695cf3fbe5cbc477019550269915e1
2022-06-18 22:14:04 -07:00
Jonas Schnelli
6d5109e90f
Merge #20478: Don't set BDB flags when configuring without
982e548a9a78b1b0abad59b54c780b6b06570452 Don't set BDB flags when configuring without (Jonas Schnelli)

Pull request description:

  Configuring `--without-bdb` on MacOS leads to a compile error (when BerkeleyDB is not installed). `brew --prefix berkeley-db4` always reports the target directory (even if not installed).

  This PR prevents BDB_CFLAGS (et al) from being populated when configuring `--without-bdb`

  ```
  ld: warning: directory not found for option '-L/Users/user/Documents/homebrew/Cellar/berkeley-db@4/4.8.30/lib'
  ld: warning: directory not found for option '-L/Users/user/Documents/homebrew/Cellar/berkeley-db@4/4.8.30/lib'
  ld: library not found for -ldb_cxx-4.8
  ld: library not found for -ldb_cxx-4.8
  ```

ACKs for top commit:
  promag:
    Tested ACK 982e548a9a78b1b0abad59b54c780b6b06570452.
  hebasto:
    ACK 982e548a9a78b1b0abad59b54c780b6b06570452, tested on macOS 11 Big Sur.

Tree-SHA512: f8ca0adca0e18e2de4c0f99d5332cba70d957a9d31a357483b43dcf61c2ed4749d223eabadd45fdbf3ef0781c6b37217770e9aa935b5207eaf7f87c5bdfe9e95
2022-06-18 22:14:04 -07:00
fanquake
1ce15a1ac6
Merge #20430: sanitizers: Add suppression for unsigned-integer-overflow in libstdc++
0f020cdf0a8c3c88499c96522470e2e5e79f27fa sanitizers: Add suppression for unsigned-integer-overflow in libstdc++ basic_string.tcc (Jonas Schnelli)

Pull request description:

  Reported here: https://bitcoinbuilds.org/logs/e35cd579-0f0f-47e4-b49a-4ceba8ff9830.log
  Issue: https://github.com/gcc-mirror/gcc/blob/master/libstdc%2B%2B-v3/include/bits/basic_string.tcc#L1271

ACKs for top commit:
  MarcoFalke:
    cr ACK 0f020cdf0a8c3c88499c96522470e2e5e79f27fa
  practicalswift:
    cr ACK 0f020cdf0a8c3c88499c96522470e2e5e79f27fa

Tree-SHA512: e304259a1eed878263bd715b4d16c57f8974264c23ccd6799f85e8141b2eb0b5c6468a6452ffbc7334f57c1957b6e43bb248760b3c0718d93f092d57764d0a8f
2022-06-18 22:14:04 -07:00
Wladimir J. van der Laan
e1b091be3b
Merge #18921: build: add stack-clash and control-flow protection options to hardening flags
b536813cefc13f5c54a28a7c2fce8c69e89d6624 build: add -fstack-clash-protection to hardening flags (fanquake)
076183b36b76a11438463883ff916f17aef9e001 build: add -fcf-protection=full to hardening options (fanquake)

Pull request description:

  Beginning with Ubuntu `19.10`, it's packaged GCC now has some additional hardening options enabled by default (in addition to existing defaults like `-fstack-protector-strong` and reducing the minimum ssp buffer size). The new additions are`-fcf-protection=full` and `-fstack-clash-protection`.

  > -fcf-protection=[full|branch|return|none]
  > Enable code instrumentation of control-flow transfers to increase program security by checking that target addresses of control-flow transfer instructions (such as indirect function call, function return, indirect jump) are valid. This prevents diverting the flow of control to an unexpected target. This is intended to protect against such threats as Return-oriented Programming (ROP), and similarly call/jmp-oriented programming (COP/JOP).

  > -fstack-clash-protection
  > Generate code to prevent stack clash style attacks. When this option is enabled, the compiler will only allocate one page of stack space at a time and each page is accessed immediately after allocation. Thus, it prevents allocations from jumping over any stack guard page provided by the operating system.

  If your interested you can grab `gcc-9_9.3.0-10ubuntu2.debian.tar.xz` from https://packages.ubuntu.com/focal/g++-9. The relevant changes are part of the `gcc-distro-specs` patches, along with the relevant additions to the gcc manages:

  > NOTE: In Ubuntu 19.10 and later versions, -fcf-protection is enabled by default for C, C++, ObjC, ObjC++, if none of -fno-cf-protection nor -fcf-protection=* are found.

  > NOTE: In Ubuntu 19.10 and later versions, -fstack-clash-protection is enabled by default for C, C++, ObjC, ObjC++, unless -fno-stack-clash-protection is found.

  So, if you're C++ using GCC on Ubuntu 19.10 or later, these options will be active unless you explicitly opt out. This can be observed with a small test:

  ```c++
  int main() { return 0; }
  ```

  ```bash
  g++ --version
  g++ (Ubuntu 9.3.0-10ubuntu2) 9.3.0

  g++ test.cpp

  objdump -dC a.out
  ..
  0000000000001129 <main>:
      1129:	f3 0f 1e fa          	endbr64
      112d:	55                   	push   %rbp
      112e:	48 89 e5             	mov    %rsp,%rbp
      1131:	b8 00 00 00 00       	mov    $0x0,%eax
      1136:	5d                   	pop    %rbp
      1137:	c3                   	retq
      1138:	0f 1f 84 00 00 00 00 	nopl   0x0(%rax,%rax,1)
      113f:	00

  # recompile opting out of control flow protection
  g++ test.cpp -fcf-protection=none

  objdump -dC a.out
  ...
  0000000000001129 <main>:
      1129:	55                   	push   %rbp
      112a:	48 89 e5             	mov    %rsp,%rbp
      112d:	b8 00 00 00 00       	mov    $0x0,%eax
      1132:	5d                   	pop    %rbp
      1133:	c3                   	retq
      1134:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
      113b:	00 00 00
      113e:	66 90                	xchg   %ax,%ax
  ```

  Note the insertion of an `endbr64` instruction when compiling and _not_ opting out. This instruction is part of the Intel Control-flow Enforcement Technology [spec](https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf), which the GCC control flow implementation is based on.

  If we're still doing gitian builds for the `0.21.0` and `0.22.0` releases, we'd likely update the gitian image to Ubuntu Focal, which would mean that the GCC used for gitian builds would also be using these options by default. So we should decide whether we want to explicitly turn these options on as part of our hardening options (although not just for this reason), or, we should be opting-out.

  GCC has supported both options since 8.0.0. Clang has supported `-fcf-protection` from 7.0.0 and will support `-fstack-clash-protection` in it's upcoming [11.0.0 release](https://clang.llvm.org/docs/ReleaseNotes.html#id6).

ACKs for top commit:
  jamesob:
    ACK b536813cefc13f5c54a28a7c2fce8c69e89d6624 ([`jamesob/ackr/18921.1.fanquake.build_add_stack_clash_an`](https://github.com/jamesob/bitcoin/tree/ackr/18921.1.fanquake.build_add_stack_clash_an))
  laanwj:
    Code review ACK b536813cefc13f5c54a28a7c2fce8c69e89d6624

Tree-SHA512: abc9adf23cdf1be384f5fb9aa5bfffdda86b9ecd671064298d4cda0440828b509f070f9b19c88c7ce50ead9ff32afff9f14c5e78d75f01241568fbfa077be0b7
2022-06-18 22:14:03 -07:00
fanquake
37d58e402c
Merge #19356: build: Fix search for brew-installed BDB 4 on OS X
8578c6fccd11404412d2c60f9bede311b79ca0d0 build: Fix search for brew-installed BDB 4 on OS X (Glenn Willen)

Pull request description:

  ~~NOTE: This PR contains one important fix that I need (to make Bitcoin Core build cleanly on my system without shenanigans), plus some related general cleanup that is not really necessary, and could be annoying. (I am prepared to defend my argument that BDB_CFLAGS is wrong here, and BDB_CPPFLAGS is right, but this could bite anybody who has gotten in the habit of -- or scripted -- setting the former.)~~

  Ok, I have been convinced that I was too clever with the refactor and I have removed it. Now it's just the tiny change to fix the build on my local machine.

  ---

  On OS X, when searching Homebrew keg-only packages for BDB 4.8, if we find it,
  use BDB_CPPFLAGS and BDB_LIBS instead of CFLAGS and LIBS for the result. This
  is (1) more correct, and (2) necessary in order to give this location
  priority over other directories in the include search path, which may include
  system include directories with other versions of BDB.

ACKs for top commit:
  theuni:
    ACK 8578c6fccd11404412d2c60f9bede311b79ca0d0.

Tree-SHA512: a28f48fc81a25736f7e77c663f21cd9a6ae1cd115682031c5aa695c94cb5afa11920330a60cd6a54832822a2aec1eb23123ac2e2dcd4f0b3835aef9c9339ac97
2022-06-18 22:14:03 -07:00
Wladimir J. van der Laan
33c473a8e3
Merge #18796: scripts: security-check.py refactors
eacedfb0230978748cbcfb13817fed7e7c756ba7 scripts: add additional type annotations to security-check.py (fanquake)
83d063e9541cc9ea41ea86919eb9435c73efb14e scripts: add run_command to security-check.py (fanquake)
13f606b4f940e5820ff21ea62fc27a5a91774b05 scripts: remove NONFATAL from security-check.py (fanquake)
061acf62a15ad3dbb9f055b7c2569b9832ed623a scripts: no-longer check for 32 bit windows in security-check.py (fanquake)

Pull request description:

  * Remove 32-bit Windows checks.
  * Remove NONFATAL checking. Added in #8249, however unused since #13764.
  * Add `run_command` to de-duplicate all of the subprocess calls. Mentioned in #18713.
  * Add additional type annotations.
  * Print stderr when there is an issue running a command.

ACKs for top commit:
  laanwj:
    ACK eacedfb0230978748cbcfb13817fed7e7c756ba7

Tree-SHA512: 69a7ccfdf346ee202b3e8f940634c5daed1d2b5a5d15ac9800252866ba3284ec66e391a66a0b341f5a4e5e8482fe1b614d4671e8e766112ff059405081184a85
2022-06-18 22:14:03 -07:00
fanquake
f7a94b58d4
Merge #18629: scripts: add PE .reloc section check to security-check.py
3e38023af724a76972d39cbccfb0bba4c54a0323 scripts: add PE .reloc section check to security-check.py (fanquake)

Pull request description:

  The `ld` in binutils has historically had a few issues with PE binaries, there's a good summary in this [thread](https://sourceware.org/bugzilla/show_bug.cgi?id=19011).

  One issue in particular was `ld` stripping the `.reloc` section out of PE binaries, even though it's required for functioning ASLR. This was [reported by a Tor developer in 2014](https://sourceware.org/bugzilla/show_bug.cgi?id=17321) and they have been patching their [own binutils](https://gitweb.torproject.org/builders/tor-browser-build.git/tree/projects/binutils) ever since. However their patch only made it into binutils at the [start of this year](https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=dc9bd8c92af67947db44b3cb428c050259b15cd0). It adds an `--enable-reloc-section` flag, which is turned on by default if you are using `--dynamic-base`. In the mean time this issue has also been worked around by other projects, such as FFmpeg, see [this commit](91b668acd6).

  I have checked our recent supported Windows release binaries, and they do contain a `.reloc` section. From what I understand, we are using all the right compile/linker flags, including `-pie` & `-fPIE`, and have never run into the crashing/entrypoint issues that other projects might have seen.

  One other thing worth noting here, it how Debian/Ubuntu patch the binutils that they distribute, because that's what we end up using in our gitian builds.

  In the binutils-mingw-w64 in Bionic (18.04), which we currently use in gitian, PE hardening options/security flags are enabled by default. See the [changelog](https://changelogs.ubuntu.com/changelogs/pool/universe/b/binutils-mingw-w64/binutils-mingw-w64_8ubuntu1/changelog) and the [relevant commit](452b3013b8).

  However in Focal (20.04), this has now been reversed. PE hardening options are no-longer the default. See the [changelog](https://changelogs.ubuntu.com/changelogs/pool/universe/b/binutils-mingw-w64/binutils-mingw-w64_8.8/changelog) and [relevant commit](7bd8b2fbc2), which cites same .reloc issue mentioned here.

  Given that we explicitly specify/opt-in to everything that we want to use, the defaults aren't necessarily an issue for us. However I think it highlights the importance of continuing to be explicit about what we want, and not falling-back or relying on upstream.

  This was also prompted by the possibility of us doing link time garbage collection, see #18579 & #18605. It seemed some sanity checks would be worthwhile in-case the linker goes haywire while garbage collecting.

  I think Guix is going to bring great benefits when dealing with these kinds of issues. Carl you might have something to say in that regard.

ACKs for top commit:
  dongcarl:
    ACK 3e38023af724a76972d39cbccfb0bba4c54a0323

Tree-SHA512: af14d63bdb334bde548dd7de3e0946556b7e2598d817b56eb4e75b3f56c705c26aa85dd9783134c4b6a7aeb7cb4de567eed996e94d533d31511f57ed332287da
2022-06-18 22:14:03 -07:00
fanquake
bd7b5a3ad4
Merge #18713: scripts: Add MACHO stack canary check to security-check.py
8334ee31f868f0f9baf0920d14d20174ed889dbe scripts: add MACHO LAZY_BINDINGS test to test-security-check.py (fanquake)
7b99c7454cdb74cd9cd7a5eedc2fb9d0a19df456 scripts: add MACHO Canary check to security-check.py (fanquake)

Pull request description:

  7b99c7454cdb74cd9cd7a5eedc2fb9d0a19df456 uses `otool -Iv` to check for `___stack_chk_fail` in the macOS binaries. Similar to the [ELF check](https://github.com/bitcoin/bitcoin/blob/master/contrib/devtools/security-check.py#L105). Note that looking for a triple underscore prefixed function (as opposed to two for ELF) is correct for the macOS binaries. i.e:
  ```bash
  otool -Iv bitcoind | grep chk
  0x00000001006715b8   509 ___memcpy_chk
  0x00000001006715be   510 ___snprintf_chk
  0x00000001006715c4   511 ___sprintf_chk
  0x00000001006715ca   512 ___stack_chk_fail
  0x00000001006715d6   517 ___vsnprintf_chk
  0x0000000100787898   513 ___stack_chk_guard
  ```

  8334ee31f868f0f9baf0920d14d20174ed889dbe is a follow up to #18295 and adds test cases to `test-security-check.py` that for some reason I didn't add at the time. I'll sort out #18434 so that we can run these tests in the CI.

ACKs for top commit:
  practicalswift:
    ACK 8334ee31f868f0f9baf0920d14d20174ed889dbe: Mitigations are important. Important things are worth asserting :)
  jonasschnelli:
    utACK 8334ee31f868f0f9baf0920d14d20174ed889dbe.

Tree-SHA512: 1aa5ded34bbd187eddb112b27278deb328bfc21ac82316b20fab6ad894f223b239a76b53dab0ac1770d194c1760fcc40d4da91ec09959ba4fc8eadedb173936a
2022-06-18 22:14:03 -07:00
fanquake
96866c4579
Merge #18709: doc: note why we can't use thread_local with glibc back compat
b155fcda5186c59fc4fb2a9eaaf791d132e0ab30 doc: fix typo in configure.ac (fanquake)
20a30922fbf6ba14e250ca649239af115dbbe7b0 doc: note why we can't use thread_local with glibc back compat (fanquake)

Pull request description:

  Given that we went through a [gitian build](https://github.com/bitcoin/bitcoin/pull/18681) to remember why this is the case, we might as well make a note of it in configure.ac.

  [From #18681](https://github.com/bitcoin/bitcoin/pull/18681#issuecomment-615526634):

  Looking at the Linux build log, this has failed with:
  ```bash
  Checking glibc back compat...
  bitcoind: symbol __cxa_thread_atexit_impl from unsupported version GLIBC_2.18
  bitcoind: failed IMPORTED_SYMBOLS
  bitcoin-cli: symbol __cxa_thread_atexit_impl from unsupported version GLIBC_2.18
  bitcoin-cli: failed IMPORTED_SYMBOLS
  bitcoin-tx: symbol __cxa_thread_atexit_impl from unsupported version GLIBC_2.18
  bitcoin-tx: failed IMPORTED_SYMBOLS
  bitcoin-wallet: symbol __cxa_thread_atexit_impl from unsupported version GLIBC_2.18
  bitcoin-wallet: failed IMPORTED_SYMBOLS
  test/test_bitcoin: symbol __cxa_thread_atexit_impl from unsupported version GLIBC_2.18
  test/test_bitcoin: failed IMPORTED_SYMBOLS
  bench/bench_bitcoin: symbol __cxa_thread_atexit_impl from unsupported version GLIBC_2.18
  bench/bench_bitcoin: failed IMPORTED_SYMBOLS
  qt/bitcoin-qt: symbol __cxa_thread_atexit_impl from unsupported version GLIBC_2.18
  ```

  `__cxa_thread_atexit_impl` is used for [thread_local variable destruction](https://sourceware.org/glibc/wiki/Destructor%20support%20for%20thread_local%20variables):

  > To implement this support, glibc defines __cxa_thread_atexit_impl exclusively for use by libstdc++ (which has the __cxa_thread_atexit to wrap around it), that registers destructors for thread_local variables in a list. Upon thread or process exit, the destructors are called in reverse order in which they were added.

  As suggested, this only became available in glibc 2.18. From the [2.18 release notes](https://sourceware.org/legacy-ml/libc-alpha/2013-08/msg00160.html):

  > * Add support for calling C++11 thread_local object destructors on thread
    and program exit.  This needs compiler support for offloading C++11
    destructor calls to glibc.

ACKs for top commit:
  hebasto:
    ACK b155fcda5186c59fc4fb2a9eaaf791d132e0ab30

Tree-SHA512: 5b9567e4a70598a4b0b91956f44ae0d93091db17c84cbf9817dac6cfa992c97d3438a8b1bb66644c74891f2149e44984daed445d22de93ca8858c5b0eabefb40
2022-06-18 22:14:02 -07:00
fanquake
67ceda1b5a
Merge #18295: scripts: add MACHO lazy bindings check to security-check.py
5ca90f8b598978437340bb8467f527b9edfb2bbf scripts: add MACHO lazy bindings check to security-check.py (fanquake)

Pull request description:

  This is a slightly belated follow up to #17686 and some discussion with Cory. It's not entirely clear if we should make this change due to the way the macOS dynamic loader appears to work. However I'm opening this for some discussion. Also related to #17768.

  #### Issue:
  [`LD64`](https://opensource.apple.com/source/ld64/) doesn't set the [MH_BINDATLOAD](https://opensource.apple.com/source/xnu/xnu-6153.11.26/EXTERNAL_HEADERS/mach-o/loader.h.auto.html) bit in the header of MACHO executables, when building with `-bind_at_load`. This is in contradiction to the [documentation](https://opensource.apple.com/source/ld64/ld64-450.3/doc/man/man1/ld.1.auto.html):
  ```bash
  -bind_at_load
       Sets a bit in the mach header of the resulting binary which tells dyld to
       bind all symbols when the binary is loaded, rather than lazily.
  ```

  The [`ld` in Apples cctools](https://opensource.apple.com/source/cctools/cctools-927.0.2/ld/layout.c.auto.html) does set the bit, however the [cctools-port](https://github.com/tpoechtrager/cctools-port/) that we use for release builds, bundles `LD64`.

  However; even if the linker hasn't set that bit, the dynamic loader ([`dyld`](https://opensource.apple.com/source/dyld/)) doesn't seem to ever check for it, and from what I understand, it looks at a different part of the header when determining whether to lazily load symbols.

  Note that our release binaries are currently working as expected, and no lazy loading occurs.

  #### Example:

  Using a small program, we can observe the behaviour of the dynamic loader.

  Conducted using:
  ```bash
  clang++ --version
  Apple clang version 11.0.0 (clang-1100.0.33.17)
  Target: x86_64-apple-darwin18.7.0

  ld -v
  @(#)PROGRAM:ld  PROJECT:ld64-530
  BUILD 18:57:17 Dec 13 2019
  LTO support using: LLVM version 11.0.0, (clang-1100.0.33.17) (static support for 23, runtime is 23)
  TAPI support using: Apple TAPI version 11.0.0 (tapi-1100.0.11)
  ```

  ```cpp
  #include <iostream>
  int main() {
  	std::cout << "Hello World!\n";
  	return 0;
  }
  ```

  Compile and check the MACHO header:
  ```bash
  clang++ test.cpp -o test
  otool -vh test
  ...
  Mach header
        magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
  MH_MAGIC_64  X86_64        ALL LIB64     EXECUTE    16       1424   NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE

  # Run and dump dynamic loader bindings:
  DYLD_PRINT_BINDINGS=1 DYLD_PRINT_TO_FILE=no_bind.txt ./test
  Hello World!
  ```

  Recompile with `-bind_at_load`. Note still no `BINDATLOAD` flag:
  ```bash
  clang++ test.cpp -o test -Wl,-bind_at_load
  otool -vh test
  Mach header
        magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
  MH_MAGIC_64  X86_64        ALL LIB64     EXECUTE    16       1424   NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE
  ...
  DYLD_PRINT_BINDINGS=1 DYLD_PRINT_TO_FILE=bind.txt ./test
  Hello World!
  ```

  If we diff the outputs, you can see that `dyld` doesn't perform any lazy bindings when the binary is compiled with `-bind_at_load`, even if the `BINDATLOAD` flag is not set:
  ```diff
  @@ -1,11 +1,27 @@
  +dyld: bind: test:0x103EDF030 = libc++.1.dylib:__ZNKSt3__16locale9use_facetERNS0_2idE, *0x103EDF030 = 0x7FFF70C9FA58
  +dyld: bind: test:0x103EDF038 = libc++.1.dylib:__ZNKSt3__18ios_base6getlocEv, *0x103EDF038 = 0x7FFF70CA12C2
  +dyld: bind: test:0x103EDF068 = libc++.1.dylib:__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEE6sentryC1ERS3_, *0x103EDF068 = 0x7FFF70CA12B6
  +dyld: bind: test:0x103EDF070 = libc++.1.dylib:__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEE6sentryD1Ev, *0x103EDF070 = 0x7FFF70CA1528
  +dyld: bind: test:0x103EDF080 = libc++.1.dylib:__ZNSt3__16localeD1Ev, *0x103EDF080 = 0x7FFF70C9FAE6
  <trim>
  -dyld: lazy bind: test:0x10D4AC0C8 = libsystem_platform.dylib:_strlen, *0x10D4AC0C8 = 0x7FFF73C5C6E0
  -dyld: lazy bind: test:0x10D4AC068 = libc++.1.dylib:__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEE6sentryC1ERS3_, *0x10D4AC068 = 0x7FFF70CA12B6
  -dyld: lazy bind: test:0x10D4AC038 = libc++.1.dylib:__ZNKSt3__18ios_base6getlocEv, *0x10D4AC038 = 0x7FFF70CA12C2
  -dyld: lazy bind: test:0x10D4AC030 = libc++.1.dylib:__ZNKSt3__16locale9use_facetERNS0_2idE, *0x10D4AC030 = 0x7FFF70C9FA58
  -dyld: lazy bind: test:0x10D4AC080 = libc++.1.dylib:__ZNSt3__16localeD1Ev, *0x10D4AC080 = 0x7FFF70C9FAE6
  -dyld: lazy bind: test:0x10D4AC070 = libc++.1.dylib:__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEE6sentryD1Ev, *0x10D4AC070 = 0x7FFF70CA1528
  ```

  Note: `dyld` also has a `DYLD_BIND_AT_LAUNCH=1` environment variable, that when set, will force any lazy bindings to be non-lazy:
  ```bash
  dyld: forced lazy bind: test:0x10BEC8068 = libc++.1.dylib:__ZNSt3__113basic_ostream
  ```

  #### Thoughts:
  After looking at the dyld source, I can't find any checks for `MH_BINDATLOAD`. You can see the flags it does check for, such as MH_PIE or MH_BIND_TO_WEAK [here](https://opensource.apple.com/source/dyld/dyld-732.8/src/ImageLoaderMachO.cpp.auto.html).

  It seems that the lazy binding of any symbols depends on whether or not [lazy_bind_size](https://opensource.apple.com/source/xnu/xnu-6153.11.26/EXTERNAL_HEADERS/mach-o/loader.h.auto.html) from the `LC_DYLD_INFO_ONLY` load command is > 0. Which was mentioned in [#17686](https://github.com/bitcoin/bitcoin/pull/17686#issue-350216254).

  #### Changes:
  This PR is one of [Corys commits](7b6ba26178), that I've rebased and modified to make build. I've also included an addition to the `security-check.py` script to check for the flag.

  However, given the above, I'm not entirely sure this patch is the correct approach. If the linker no-longer inserts it, and the dynamic loader doesn't look for it, there might be little benefit to setting it. Or, maybe this is an oversight from Apple and needs some upstream discussion. Looking for some thoughts / Concept ACK/NACK.

  One alternate approach we could take is to drop the patch and modify security-check.py to look for `lazy_bind_size` == 0 in the `LC_DYLD_INFO_ONLY` load command, using `otool -l`.

ACKs for top commit:
  theuni:
    ACK 5ca90f8b598978437340bb8467f527b9edfb2bbf

Tree-SHA512: 444022ea9d19ed74dd06dc2ab3857a9c23fbc2f6475364e8552d761b712d684b3a7114d144f20de42328d1a99403b48667ba96885121392affb2e05b834b6e1c
2022-06-18 22:14:02 -07:00
Wladimir J. van der Laan
3c4982205c
Merge #18415: scripts: add MACHO tests to test-security-check.py
7142d50ac33e0ad7d24e49e04c1fc7e3e769ed46 scripts: rename test_64bit_PE to test_PE (fanquake)
edaca2dd123cef958699c07ab248cf0ffc71af07 scripts: add MACHO NX check to security-check.py (fanquake)
1a4e9f32efcc5f6a74290446dc58784fd85c7b31 scripts: add MACHO tests to test-security-check.py (fanquake)

Pull request description:

  Adds tests for the MACHO checks in security-check.py:
  ac579ada7e/contrib/devtools/security-check.py (L212-L214)

  I'm planning on following up with more checks in security-check.py, and corresponding tests in test-security-check.py.

  Note that you'll probably have to be on macOS to run them. You can run just this suite with `python3 test-security-check.py TestSecurityChecks.test_MACHO`.

ACKs for top commit:
  laanwj:
    ACK 7142d50ac33e0ad7d24e49e04c1fc7e3e769ed46

Tree-SHA512: ace3ca9f6df5d4fedd5988938fb7dc7563ec7dc587aa275f780b5f51e9b8d7d6f7768e0a1e05ce438510a07b8640aba92c76847b30c2990f46c66b78a0acf960
2022-06-18 22:14:02 -07:00
Wladimir J. van der Laan
3ceb45fdb7
Merge #18135: build: add --enable-determinism configure flag
3d9b41ecc02a69daa19df2bc850d60bf9917b724 build: add --enable-determinism configure flag (fanquake)

Pull request description:

  This adds a `--enable-determinsm` configure flag, which if used, will enable additional compile / link time flags to make subsequent builds of bitcoind deterministic.

  The first flag enabled is `--no-insert-timestamp`. This prevents the linker from embedding timestamps, and makes consecutive builds of `bitcoind.exe` deterministic. This will likely also be used for [Guix Windows builds](https://github.com/bitcoin/bitcoin/pull/17595#issuecomment-582696467).

  [`--no-insert-timestamp`](https://manpages.debian.org/buster/binutils-mingw-w64-x86-64/x86_64-w64-mingw32-ld.bfd.1.en.html):
  > The option --no-insert-timestamp can be used to insert a zero value for the timestamp, this ensuring that binaries produced from identical sources will compare identically.

  Diff of consecutive builds of [master](2bdc476d4d):
  ```diff
  --- bitcoind.exe.1
  +++ bitcoind.exe.2
  @@ -2,20 +2,20 @@
   00000060: 7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS
   00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000  mode....$.......
  -00000080: 5045 0000 6486 1400 57e8 445e 00da 6900  PE..d...W.D^..i.
  +00000080: 5045 0000 6486 1400 e3e9 445e 00da 6900  PE..d.....D^..i.
   00000090: e015 0100 f000 2600 0b02 021f 00de 4900  ......&.......I.
   000000a0: 00b0 5b00 008a 0000 e014 0000 0010 0000  ..[.............
   000000b0: 0000 4000 0000 0000 0010 0000 0002 0000  ..@.............
   000000c0: 0400 0000 0000 0000 0500 0200 0000 0000  ................
  -000000d0: 00f0 6a00 0006 0000 bd31 af00 0300 6001  ..j......1....`.
  +000000d0: 00f0 6a00 0006 0000 d434 af00 0300 6001  ..j......4....`.
   000000e0: 0000 2000 0000 0000 0010 0000 0000 0000  .. .............
  @@ -373594,15 +373594,15 @@
   005b35f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  -005b3600: 0000 0000 57e8 445e 0000 0000 7ce1 5b00  ....W.D^....|.[.
  +005b3600: 0000 0000 e2e9 445e 0000 0000 7ce1 5b00  ......D^....|.[.
   005b3610: 0100 0000 2200 0000 2200 0000 28e0 5b00  ...."..."...(.[.
  ```

ACKs for top commit:
  practicalswift:
    ACK 3d9b41ecc02a69daa19df2bc850d60bf9917b724 -- patch looks correct
  laanwj:
    ACK 3d9b41ecc02a69daa19df2bc850d60bf9917b724

Tree-SHA512: 1ff9dab7fa818b1fc6b0eb3b7a1e0468aac9e2578f4451aa300a648f883fa83f83722067f1adf27ebad54157790857d1501d573adbd7ebdf6962858cc669960d
2022-06-18 22:14:02 -07:00