validation: UTXO snapshot activation #19806
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jamesob
force-pushed
the
2020-08-au.activate
branch
2 times, most recently
from
19b7517 to
08a0861
Compare
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
This was referenced Aug 26, 2020
jamesob
force-pushed
the
2020-08-au.activate
branch
from
08a0861 to
82ad09b
Compare
This was referenced Aug 26, 2020
Merged
This was referenced Aug 26, 2020
jamesob
force-pushed
the
2020-08-au.activate
branch
2 times, most recently
from
86355a1 to
2cb1f84
Compare
This was referenced Aug 27, 2020
fjahr
reviewed
Aug 29, 2020
src/txdb.cpp
Outdated
Comment on lines
425
to
430
| // progress= measure, but returning 0 would cause us to not be able to add | ||
| // chain tips for the snapshot chainstate. This shouldn't happen and is |
There was a problem hiding this comment.
I assume it wouldn't work because of a divide by zero error in the progress function? Shouldn't that be rather dealt with at that layer?
There was a problem hiding this comment.
I assume it wouldn't work because of a divide by zero error in the progress function? Shouldn't that be rather dealt with at that layer?
Would agree that handling this in LoadBlockIndex would be preferable to having to hardcode 1's here and in ChainstateManager::GetSnapshotNChainTx along with comments describing other layers of code. Both CCoinsViewDB::GetNChainTx and ChainstateManager::GetSnapshotNChainTx could return Optional<int> to avoid the need to hardcode something
jamesob
force-pushed
the
2020-08-au.activate
branch
2 times, most recently
from
461a521 to
e7b1615
Compare
|
Code review ACK 1afc0e4 Reviewed changes since last review and confirmed they were due to rebasing or addressing review comments as discussed above. |
|
Code review ACK 1afc0e4 |
maflcko
reviewed
Apr 3, 2021
| @@ -8,7 +8,6 @@ | |||
| #include <chainparamsseeds.h> | |||
| #include <consensus/merkle.h> | |||
| #include <hash.h> // for signet block challenge hash | |||
| #include <tinyformat.h> | |||
There was a problem hiding this comment.
7a6c46b: why is this removed. This is needed for strprintf
| //! | ||
| //! It is also possible, though very unlikely, that a change in this | ||
| //! construction could cause a previously invalid (and potentially malicious) | ||
| //! UTXO snapshot to be considered valid. |
There was a problem hiding this comment.
7a6c46b: I don't understand this section. Does this assume that the way outputs are applied to the hash_obj is broken? In that case it doesn't require a "previously" invalid snapshot. Likely, any invalid snapshot can be generated/modified, so that it is considered valid.
If it assumes that the underlying hash function is broken, there is nothing we can do anyway and any invalid snapshot can be generated/modified to be valid, regardless of changing this construction.
| @@ -20,6 +20,8 @@ | |||
| #include <functional> | |||
| #include <unordered_map> | |||
|
|
|||
| class ChainstateManager; | |||
| BOOST_CHECK(chainman.ActiveChainstate().m_from_snapshot_blockhash.IsNull()); | ||
| BOOST_CHECK_EQUAL( | ||
| chainman.ActiveChainstate().m_from_snapshot_blockhash, | ||
| chainman.SnapshotBlockhash().value_or(uint256())); |
There was a problem hiding this comment.
4d8de04: Wouldn't it be better to check !chainman.SnapshotBlockhash()? Otherwise it can incorrectly return a default constructed uint256 without this test noticing.
|
|
||
| // Snapshot should refuse to load at this height. | ||
| BOOST_REQUIRE(!CreateAndActivateUTXOSnapshot(m_node, m_path_root)); | ||
| BOOST_CHECK(chainman.ActiveChainstate().m_from_snapshot_blockhash.IsNull()); |
There was a problem hiding this comment.
Wouldn't it be better to have the same interface as for the SnapshotBlockhash member function? I.e. return nullopt when there is no hash instead of 0.
|
|
||
| struct TestChain100DeterministicSetup : public TestChain100Setup { | ||
| TestChain100DeterministicSetup() : TestChain100Setup(true) { } | ||
| }; |
There was a problem hiding this comment.
Any need for this? Seems odd to have an option to make a test non-deterministic
| @@ -79,7 +79,6 @@ struct BasicTestingSetup { | |||
| explicit BasicTestingSetup(const std::string& chainName = CBaseChainParams::MAIN, const std::vector<const char*>& extra_args = {}); | |||
| ~BasicTestingSetup(); | |||
|
|
|||
| private: | |||
This was referenced Apr 3, 2021
|
(commit title and description of f6e2da5 doesn't match what it does) |
2 tasks
maflcko
reviewed
Apr 13, 2021
| } | ||
|
|
||
| assert(index); | ||
| index->nChainTx = metadata.m_nchaintx; |
There was a problem hiding this comment.
metadata.m_nchaintx is untrusted input, so this lets an attacker pick the value
There was a problem hiding this comment.
Oh, yeah, good catch. This is outdated, and should be ... = au_data.nChainTx instead. This is an artifact from before we moved nChainTx into the hardcoded assumeutxo parameters.
There was a problem hiding this comment.
Fixed here: #21681
Thanks for finding this.
maflcko
pushed a commit
to bitcoin-core/gui
that referenced
this pull request
May 5, 2021
…hardcoded nChainTx 91d93aa validation: remove nchaintx from assumeutxo metadata (James O'Beirne) 931684b validation: fix ActivateSnapshot to use hardcoded nChainTx (James O'Beirne) Pull request description: This fixes an oversight from the move of nChainTx from the user-supplied snapshot metadata into the hardcoded assumeutxo chainparams. Since the nChainTx is now unused in the metadata, it should be removed in a future commit. See: bitcoin/bitcoin#19806 (comment) ACKs for top commit: Sjors: utACK 91d93aa ryanofsky: Code review ACK 91d93aa. No change to previous commit, just new commit removing now unused utxo snapshot field and updating tests. Tree-SHA512: 445bdd738faf007451f40bbcf360dd1fb4675e17a4c96546e6818c12e33dd336dadd95cf8d4b5f8df1d6ccfbc4bf5496864bb5528e416cea894857b6b732140c
Fabcien
pushed a commit
to Bitcoin-ABC/bitcoin-abc
that referenced
this pull request
Jan 4, 2022
Summary: This is a backport of [[bitcoin/bitcoin#21244 | core#21244]] [2/8] bitcoin/bitcoin@1add318 Note: due to out of order backport, I also had to remove `private:` in `setup_common.h` which is otherwise removed in [[bitcoin/bitcoin#19806 | core#19806]]. Depends on D10749 Test Plan: `ninja all check-all` Reviewers: #bitcoin_abc, Fabien Reviewed By: #bitcoin_abc, Fabien Subscribers: Fabien Differential Revision: https://reviews.bitcoinabc.org/D10750
deadalnix
pushed a commit
to Bitcoin-ABC/bitcoin-abc
that referenced
this pull request
Mar 22, 2022
Summary: This move/refactor is needed to set up a decent unittest for UTXO snapshot activation. This is a backport of [[bitcoin/bitcoin#19806 | core#19806]] [1/8] bitcoin/bitcoin@6606a4f Test Plan: `ninja all check-all` Reviewers: #bitcoin_abc, Fabien Reviewed By: #bitcoin_abc, Fabien Differential Revision: https://reviews.bitcoinabc.org/D11224
Fabcien
pushed a commit
to Bitcoin-ABC/bitcoin-abc
that referenced
this pull request
Apr 12, 2022
Summary: We can't support a reset of the dbwrapper object when in-memory configuration is used because it results in the permanent loss of coins. This only affects unittest configurations (since that's the only place we use in-memory CCoinsViewDB instances). This is a backport of [[bitcoin/bitcoin#19806 | core#19806]] [2/8] bitcoin/bitcoin@ad949ba Test Plan: `ninja all check-all` Reviewers: #bitcoin_abc, Fabien Reviewed By: #bitcoin_abc, Fabien Differential Revision: https://reviews.bitcoinabc.org/D11226
Fabcien
pushed a commit
to Bitcoin-ABC/bitcoin-abc
that referenced
this pull request
Apr 12, 2022
Summary: This is a backport of [[bitcoin/bitcoin#19806 | core#19806]] [3/8] bitcoin/bitcoin@31d2252 Note that the hash of the block in `TestChain100Setup` is different because Bitcoin ABC blocks have differences with Bitcoin Core blocks. I added a test that does nothing but initialize a `TestChain100DeterministicSetup` to demonstrate that the hash in the assertion is correct (changing something in that string makes the test fail). Test Plan: `ninja check` Reviewers: #bitcoin_abc, Fabien Reviewed By: #bitcoin_abc, Fabien Subscribers: Fabien Differential Revision: https://reviews.bitcoinabc.org/D11225
Fabcien
pushed a commit
to Bitcoin-ABC/bitcoin-abc
that referenced
this pull request
Apr 12, 2022
Summary: Values for mainnet and testnet will be specified in a follow-up PR that can be scrutinized accordingly. This structure is required for use in snapshot activation logic. This is a backport of [[bitcoin/bitcoin#19806 | core#19806]] [4/8] and [[bitcoin/bitcoin#21584 | core#21584]] [2 & 3/5] bitcoin/bitcoin@7a6c46b bitcoin/bitcoin@0000007 bitcoin/bitcoin@fa5668b (partial) Notes: - The new circular dependency was added by core in a later commit. We already need it here. - We also check the allowed hashes in a functional test reproducing the deterministic regtest chain and allowed hashes. Depends on D11328 Test Plan: `ninja all check-all` Reviewers: #bitcoin_abc, Fabien Reviewed By: #bitcoin_abc, Fabien Subscribers: Fabien Differential Revision: https://reviews.bitcoinabc.org/D11238
Fabcien
pushed a commit
to Bitcoin-ABC/bitcoin-abc
that referenced
this pull request
Apr 13, 2022
Summary: bitcoin/bitcoin@f6e2da5 > Don't return null snapshotblockhash values to avoid caller complexity/confusion. ---- bitcoin/bitcoin@931684b > validation: fix ActivateSnapshot to use hardcoded nChainTx > > This fixes an oversight from the move of nChainTx from the user-supplied > snapshot metadata into the hardcoded assumeutxo chainparams. > > Since the nChainTx is now unused in the metadata, it should be removed > in a future commit. ---- bitcoin/bitcoin@91d93aa > validation: remove nchaintx from assumeutxo metadata > > This value is no longer used and is instead specified statically > in chainparams. This change means that previously generated > snapshots will no longer be usable. ---- bitcoin/bitcoin@fa9b74f > Fix assumeutxo crash due to missing base_blockhash ---- bitcoin/bitcoin@fae33f9 > Fix assumeutxo crash due to invalid base_blockhash > > Can be reviewed with --color-moved=dimmed-zebra --color-moved-ws=ignore-all-space ---- bitcoin/bitcoin@fa73ce6 > Fix assumeutxo crash due to truncated file ---- This is a backport of [[bitcoin/bitcoin#19806 | core#19806]] [5/8], core#21681 (partial), core#21582 (partial), core#21584 (partial) and core#21585 Notes: - The test related changes from core#21681, core#21582 and core#21584 are in D11241. This is because they depend on a missing (for now) test fixture for malleating the utxo snapshots. Test Plan: `ninja all check-all` Reviewers: #bitcoin_abc, Fabien Reviewed By: #bitcoin_abc, Fabien Subscribers: Fabien Differential Revision: https://reviews.bitcoinabc.org/D11239
Fabcien
pushed a commit
to Bitcoin-ABC/bitcoin-abc
that referenced
this pull request
Apr 13, 2022
Summary: This also tests the hashes added in D11238. This is a backport of [[bitcoin/bitcoin#19806 | core#19806]] [6/8] bitcoin/bitcoin@4d8de04 Depends on D11239 Test Plan: `ninja check` Reviewers: #bitcoin_abc, Fabien Reviewed By: #bitcoin_abc, Fabien Subscribers: Fabien Differential Revision: https://reviews.bitcoinabc.org/D11240
Fabcien
pushed a commit
to Bitcoin-ABC/bitcoin-abc
that referenced
this pull request
Apr 13, 2022
Summary: bitcoin/bitcoin@769a1ef > test: Add tests with maleated snapshot data ---- https://github.com/bitcoin/bitcoin/pull/21681/files > validation: fix ActivateSnapshot to use hardcoded nChainTx > validation: remove nchaintx from assumeutxo metadata Only test related changes for these commits are in this revision ---- bitcoin/bitcoin@fa8fffe > refactor: Prefer clean assert over UB in coinstats ---- bitcoin/bitcoin@fa9b74f > Fix assumeutxo crash due to missing base_blockhash Only test related changes from this commit are in this revision. ---- bitcoin/bitcoin@fae33f9 > Fix assumeutxo crash due to invalid base_blockhash Only test related changes from this commit are in this revision. ---- This is a backport of [[bitcoin/bitcoin#19806 | core#19806]] [7/8] and test related changes from [[bitcoin/bitcoin#21681 | core#21681]], [[bitcoin/bitcoin#21582 | core#21582]] and [[bitcoin/bitcoin#21584 | core#21584]] Depends on D11240 Test Plan: `ninja check` With UBSAN: `ninja all check-all` Reviewers: #bitcoin_abc, Fabien Reviewed By: #bitcoin_abc, Fabien Differential Revision: https://reviews.bitcoinabc.org/D11241
Fabcien
pushed a commit
to Bitcoin-ABC/bitcoin-abc
that referenced
this pull request
Apr 13, 2022
Summary: This concludes backport of [[bitcoin/bitcoin#19806 | core#19806]] [6/6] bitcoin/bitcoin@1afc0e4 Test Plan: NA Reviewers: #bitcoin_abc, Fabien Reviewed By: #bitcoin_abc, Fabien Differential Revision: https://reviews.bitcoinabc.org/D11243
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is part of the assumeutxo project:
Parent PR: #15606
Issue: #15605
Specification: https://github.com/jamesob/assumeutxo-docs/tree/master/proposal
This change proposes logic for activating UTXO snapshots, which is unused at the moment aside from an included unittest. There are a few moveonyish/refactoring commits to allow for halfway decent unittests.
Basic structure is included for specifying and checking the assumeutxo hash values used to validate activated snapshots. Initially I had specified a few height/hash pairs for mainnet in this change, but because of the security-critical nature of those parameters, I figured it was better to leave their inclusion to a future PR that includes only that change - my intent being that reviewers will be more likely to verify those parameters firsthand in a dedicated PR.
Aside from that and the snapshot activation logic, there are a few related changes:
allow caching thenChainTxvalue in the CCoinsViewDB; this is set during snapshot activation. Because we don't necessarily have access to the full chain at the time of snapshot load, this value is communicated through the snapshot metadata and must be cached within the chainstate to survive restarts.CreateUTXOSnapshot()from dumptxoutset. This is essentially a move-only change to allow the reuse of snapshot creation logic from within unittests.The move-onlyish commit is most easily reviewed with
--color-moved=zebra.