assumeutxo #15606

See the proposal for assumeutxo here.

Testing instructions can be found below the “Progress” section.

Progress

All items here have corresponding commits here, but are unchecked if they haven’t been merged yet.

• Chainstate interface
  • #15976
• Localize chainstate data
  • #16443
• Share block data
  • #16194
• Deglobalize chainstate
  • #15948
• UpdateTip/CheckBlockIndex modifications
  • #21526
• ChainstateManager
  • #17737
• Mempool
  • #22415
• LoadBlockIndex
  • #23174
• Init/teardown
  • #24232
  • #25667
  • #25740
• Wallet: includes avoiding rescans when assumed-valid block data is in use
  • #23997
  • #26282
• P2P: minor changes are made to init.cpp and net_processing.cpp to make simultaneous IBD across multiple chainstates work.
  • #24008
• Pruning: implement correct pruning behavior when using a background chainstate
• Blockfile separation: to prevent “fragmentation” in blockfile storage, have background chainstates use separate blockfiles from active snapshot chainstates to avoid interleaving heights and impairing pruning.
• Indexing: all existing CValidationInterface events are given with an additional parameter, ChainstateRole, and all indexers ignore events from ChainstateRole::ASSUMEDVALID so that indexation only happens sequentially.
• Raise error when both -reindex and assumeutxo are in use.
• RPC: introduce RPC commands dumptxoutset, loadtxoutset, and (the probably temporary) monitorsnapshot.
  • #16899
• Release docs & first assumeutxo commitment: add notes and a particular assumeutxo hash value for first AU-enabled release.
  • This will complete the project and allow use of UTXO snapshots for faster node bootstrap.
• (optional) Coinscache optimization: allow flushing chainstate data without emptying the coins cache; results in better performance after UTXO snapshot load.
  • #17487
  • #27008

Testing

For fun (~5min)

If you want to do a quick test, you can run ./contrib/devtools/test_utxo_snapshots.sh and follow the instructions. This is mostly obviated by the functional tests, though.

For real (longer)

If you’d like to experience a real usage of assumeutxo, you can do that too. I’ve cut a new snapshot at height 788'000 (http://img.jameso.be/utxo-788000.dat - but you can do it yourself with ./contrib/devtools/utxo_snapshot.sh if you want). Download that, and then create a datadir for testing:

 0$ cd ~/src/bitcoin  # or whatever
 1
 2# get the snapshot
 3$ curl http://img.jameso.be/utxo-788000.dat > utxo-788000.dat
 4
 5# you'll want to do this if you like copy/pasting 
 6$ export AU_DATADIR=/home/${USER}/au-test # or wherever
 7
 8$ mkdir ${AU_DATADIR}
 9$ vim ${AU_DATADIR}/bitcoin.conf
10
11dbcache=8000  # or, you know, something high
12blockfilterindex=1
13coinstatsindex=1
14prune=3000
15logthreadnames=1

Obtain this branch, build it, and then start bitcoind:

0$ git remote add jamesob https://github.com/jamesob/bitcoin
1$ git fetch jamesob utxo-dumpload-compressed
2$ git checkout jamesob/utxo-dumpload-compressed
3
4$ ./configure $conf_args && make  # (whatever you like to do here)
5
6# start 'er up and watch the logs
7$ ./src/bitcoind -datadir=${AU_DATADIR}

Then, in some other window, load the snapshot

0$ ./src/bitcoin-cli -datadir=${AU_DATADIR} loadtxoutset $(pwd)/utxo-788000.dat

You’ll see some log messages about headers retrieval and waiting to see the snapshot in the headers chain. Once you get the full headers chain, you’ll spend a decent amount of time (~10min) loading the snapshot, checking it, and flushing it to disk. After all that happens, you should be syncing to tip in pretty short order, and you’ll see the occasional [background validation] log message go by.

In yet another window, you can check out chainstate status with

0$ ./src/bitcoin-cli -datadir=${AU_DATADIR} getchainstates

as well as usual favorites like getblockchaininfo.

Original change description

For those unfamiliar with assumeutxo, here’s a brief summary from the issue (where any conceptual discussion not specific to this implementation should happen):

assumeutxo would be a way to initialize a node using a headers chain and a serialized version of the UTXO state which was generated from another node at some block height. A client making use of this UTXO “snapshot” would specify a hash and expect the content of the resulting UTXO set to yield this hash after deserialization.

This would allow users to bootstrap a usable pruned node & wallet far more quickly (and with less disk usage) than waiting for a full initial block download to complete, since we only have to sync blocks between the base of the snapshot and the current network tip. Needless to say this is at expense of accepting a different trust model, though how different this really ends up being from assumevalid in effect is worth debate.

In short, this is an interesting change because it would allow nodes to get up and running within minutes given a ~3GB file (at time of writing) under an almost identical trust model to assumevalid.

In this implementation, I add a few RPC commands: dumptxoutset creates a UTXO snapshot and writes it to disk, and loadtxoutset intakes a snapshot from disk, constructs and activates chainstate based on it, and continues a from-scratch initial block download in the background for the sole purpose of validating the snapshot. Once the snapshot is validated, we throw away the chainstate used for background validation.

The assumeutxo procedure as implemented is as follows:

1. A UTXO snapshot is loaded with the loadtxoutset <path> RPC command.
2. A new chainstate (CChainState) is initialized using ChainstateManager::ActivateSnapshot():
   1. The serialized UTXO data is read in and various sanity checks are performed, e.g. compare expected coin count, recompute the hash and compare it with assumeutxo hash in source code.
   2. We “fast forward” new_chainstate->m_chain to have a tip at the base of the snapshot (with or without block data). Lacking block data, we fake the nTx counts of the constituent CBlockIndex entries.
   3. LoadChainTip() is called on the new snapshot and it is installed as our active chainstate.
3. The new assumed-valid chainstate is now our active, and so that enters IBD until it is synced to the network’s tip. Presumably the snapshot would be taken relatively close to the current tip but far enough away to avoid meaningful reorgs, say 10,000 blocks deep.
4. Once the active chainstate is out of IBD, our old validation chain continues IBD “in the background” while the active chainstate services requests from most of the system.
5. Once the background validation chainstate reaches a height equal the base of the snapshot, we take the hash of its UTXO set and ensure it equals the expected hash based on the snapshot. If the hashes are equivalent, we delete the validation chainstate and move on without event; if they aren’t, we log loudly and fall back to the validation chainstate (we should probably just shut down).

The implicit assumption is that the background validation chain will always be a subset of the assumed-valid snapshot chain while the latter is active. We don’t properly handle reorgs that go deeper than the base of the snapshot.

Changes (already merged/outdated)

The crux of this change is in removing any assumptions in the codebase that there is a single chainstate, i.e. any references to global variables chainActive, pcoinsTip, et al. need to be replaced with functions that return the relevant chainstate data at that moment in time. This change also takes CChainState to its logical conclusion by making it more self-contained - any references to globals like chainActive are removed with class-local references (m_chain).

A few minor notes on the implementation:

• When we attempt to load a wallet with a BestBlock locator lower than the base of a snapshot and the snapshot has not yet been validated, we refuse to load the wallet.

• For additional notes, see the new assumeutxo docs.

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #27491 (refactor: Move chain constants to the util library by TheCharlatan)
• #27357 (validation: Move warningcache to ChainstateManager and rename to m_warningcache by dimitaracev)
• #27277 (Move log messages: tx enqueue to mempool, allocation to blockstorage by Sjors)
• #27125 (refactor, kernel: Decouple ArgsManager from blockstorage by TheCharlatan)
• #27039 (blockstorage: do not flush block to disk if it is already there by pinheadmz)
• #26966 (index: blockfilter initial sync speedup, parallelize process by furszy)
• #26762 (refactor: Make CCheckQueue RAII-styled by hebasto)
• #25977 (refactor: Replace std::optional<bilingual_str> with util::Result by ryanofsky)
• #25970 (Add headerssync tuning parameters optimization script to repo by sipa)
• #25722 (refactor: Use util::Result class for wallet loading by ryanofsky)
• #25665 (refactor: Add util::Result failure values, multiple error and warning messages by ryanofsky)
• #25193 (indexes: Read the locator’s top block during init, allow interaction with reindex-chainstate by mzumsande)
• #24230 (indexes: Stop using node internal types and locking cs_main, improve sync logic by ryanofsky)
• #24008 (assumeutxo: net_processing changes by jamesob)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

Presumably the snapshot would be taken relatively close to the current tip but far enough away to avoid meaningful reorgs, say 10,000 blocks deep.

To be clear, the snapshot can’t be terribly recent for the user of it or it breaks the security model. Assume valid only has any security at all if there is time for the review and communication about review to happen, which means a human timescale of at least weeks.

Probably the assumption should be that snapshots are created pretty close to tip, just far enough to avoid wasting time in reorgs (even 6 blocks would be fine) but the users aren’t using them until they are quite a bit older, likely using the second to most recent available one.

We don’t serve blocks or transactions to the network while we’re operating with an unvalidated snapshot-based chain.

We shouldn’t do that. The worst that getting it wrong does is getting us disconnected from peers, which isn’t particularly cosmic (and at least we might notice that something is going wrong). The downside of it is that not forwarding transactions shoots our privacy in the head, since any transaction we’re emitting would be one we created.

When we attempt to load a wallet with a BestBlock locator lower than the base of a snapshot and the snapshot has not yet been validated, we refuse to load the wallet.

Sounds good.

compare it with the claimed hash in the snapshot metadata.

This is a zero security approach. You can’t just ask the user for a value and then accept that. The attack is to reorg the chain and then announce to everyone that there is a node bug and you need to run this command to continue, we specifically engineered out that possibility in assumevalid. This isn’t hypothetical, this is exactly what we’ve seen happen in ethereum w/ fastsync.

This is a fine setup for testing your PR however! Ultimately we should get it to a state where a (FEC-split) copy of the state is loaded from the network and where it can be tested against a publicly reviewed constants configured in the software and/or blockchain.

Probably the assumption should be that snapshots are created pretty close to tip, just far enough to avoid wasting time in reorgs (even 6 blocks would be fine) but the users aren’t using them until they are quite a bit older, likely using the second to most recent available one.

Yep - I figured that we’d update the assumeutxo hash in lockstep with assumevalid’s.

We shouldn’t do that. The worst that getting it wrong does is getting us disconnected from peers, which isn’t particularly cosmic (and at least we might notice that something is going wrong). The downside of it is that not forwarding transactions shoots our privacy in the head […]

Good points, will fix that.

This is a zero security approach. You can’t just ask the user for a value and then accept that.

Agreed - the check I do there is just for sanity. Deciding on an initial hardcoded assumeutxo hash seems corequisite to allowing snapshots to be loadable through RPC (or any other means).

Thanks for the suggestion, @ryanofsky. I spent the last few days reconstructing the changeset into sensible commits - hopefully it’s easier to understand this way.

Most of the early commits are just shuffling stuff around (though all of it strictly necessary AFAICT). I’ve phrased the changes as much as possible as scripted-diffs and move-onlys. In replaying the changes, I found a few unnecessary diffs to omit.

If anyone has additional suggestions for how this could be made easier to review, I’m all ears, though I’m not holding my breath waiting until some Concept (N)ACKs roll in on #15605.

Started review (will update list below with progress).

• 77e5c902168ca2191448c5f8924b6831dc2717b9 move-only: make the CChainState interface public (1/39)
• bd6c3c1fa50bed627345b25c14b1f1a824b82cd0 rename: CChainState.chainActive -> m_chain (2/39)
• b5627060df9c7876d91391e34c84a7e4fb1ff378 refactoring: introduce unused ChainActive() (3/39)
• 3b7184e514f9dac7949007a34147b43383c3d229 scripted-diff: replace chainActive -> ::ChainActive() (4/39)
• 47f8e200e7159e6145f26fa711dceb19cf054a8f refactoring: remove unused chainActive (5/39)
• 612d1b5df556eb70eb5fb670d166a1d7927e6efc refactoring: introduce ChainstateActive() (6/39)
• c9d13d26314e2368562a1612bc0c89f3099c4154 refactoring: FlushStateToDisk -> CChainState (7/39)
• e9fab103e6f81cf32b09618ea9a70540616f7da8 refactoring: IsInitialBlockDownload -> CChainState (8/39)
• e8e09fcb16b7e358a88b4f38d0d8af49a3eafac3 move-onlyish: move CCoinsViewErrorCatcher out of init.cpp (9/39)
• 155ee896520e51b8a13d6904e3a14b5fa50295c0 refactoring: move block metadata into BlockMetadataManager (10/39)
• 525df322de8e6803f41a56aff16bfc1ebe95f845 refactoring: have CCoins* data managed under CChainState (11/39)
• 56ad8d226539a44daef02f479fab1820c536731f move-only: move coins statistics utils out of RPC (12/39)
• 0b33ff5bcba7f2aa357a1a12fe1e1452c23defb7 validationinterface: add unused CChainState parameter (13/39)
• ebc844e8a1bacfe603db85ef4deae6e1f109cd57 chain: add unused CChain::FakeNTx (14/39)
• 50d8e7c910edec10dcf08beec577c3efd67f2276 validation: add unused SnapshotMetadata class (15/39)
• 7f39dfd011c6921b396c5acfc8917f748c1e97dd coinstats: add coins_count (16/39)
• 71a65a08213b0159d4e4df2199d9993547f163e4 rpc: add dumptxoutset (17/39)
• deca3be21d35ca661e047512f74c805ee24ecb16 refactoring: add CChainState::ActivateBestChain (18/39)
• 3faddddba7abcdd609aae08653c35c05602a086f refactoring: move LoadChainTip to CChainState method (19/39)
• d9505cd540bfa94d07c24ed7471822e1babdbfee coins: add constructor to CCoinsCacheEntry (20/39)
• 10973e8e1dfd1951a98bf0de4c98b8cee385d70d trivial: add CChainState::ToString() (21/39)

~ 8d9b707f609b647fb28ae182a097adc03e718725 validation: introduce ChainstateManager, use in init (22/39) ~ 9b6907e080fe4da105a332c76ddb5110310e8840 validation: add ChainstateManager::ActivateSnapshot (23/39) ~ f9571218d41304040778655e2f3941042b358dd5 rpc: add loadtxoutset (24/39) ~ 6d85241c236f563715d4a982651fd1815d76dbd2 validation: introduce ChainstateManager::GetChainstateForNewBlock (25/39)

• 6f87ecc366defcc9ce14ad9ec8ba0ae12652f866 net_processing: work with multiple chainstates (26/39)
• da14524e5214462a67ea03519229fa789311343e refactoring: move ReplayBlocks under CChainState (27/39)
• be40574dfaa13414881d16d9b82798af74026428 init: fix up for multiple chainstates (28/39)
• 8f99b98b0a742b49614e26f572a6822516b0ae61 validation: fix up LoadBlockIndex for multiple chainstates (29/39)
• 30ac0bb2a32f1dea8c2f7401168463adcf068137 dbwrapper: add delete-on-deconstruct option (30/39)
• e037ea550056acef55d585b001ec7dd707ecd7be validation: add ChainstateManager logic for completing UTXO snapshot validation (31/39)
• 32c054bd7b4300617ca4220edf5fdf3d203933a9 validation: put UTXO snapshot validation completion into practice (32/39)
• a3e6f67bf547b76037bb6964a84647a6e3db19e2 wallet: avoid rescans if under the snapshot (33/39)
• 0a1fd4881bf3d1a353c926ab7517159f0928567a doc: add note about snapshots and index building (34/39)
• bced4f61eac00f9f3ed36f9d6a3c91c3013171fd validation: fix pruning + misc. (35/39)
• 183d744247fb4b25edb28a1f2a3c7df7a00d8d87 doc: add some minor CChainState doc (36/39)
• da94a6d64132b1d16fae7c275fe5b9fad0b7308c zmq: fix notifier to ignore background snapshot validation (37/39)
• 5f24ef13a84356a79f9ce6e921f1a3afcce74313 rpc: add monitorsnapshot (38/39)
• 1bb64fcf1cb94e28c4090909e229f546757d25de DON’T MERGE: add utxo snapshot demo script (39/39)

Just some more comments.

In commit 3b7184e514f9dac7949007a34147b43383c3d229:

The scripted diff should not modify on-disc files that are not in git.

Can be solved by using

0sed --args ... $(git grep -l 'what_to_search_for')

I’m unable to compile this on macOS. See error log. It does compile on Ubuntu, despite quite a few warnings.

I tested making a dump for testnet and then importing it with a fresh datadir. But I think I’m using it wrong. First time I tried to load it I got. That was before it fetched any headers. I waited for it to fetch a few blocks and tried again, but same error:

0bitcoind: txdb.cpp:104: virtual bool CCoinsViewDB::BatchWrite(CCoinsMap&, const uint256&): Assertion `!hashBlock.IsNull()' failed.

I don’t think an RPC method is the right tool for loading a snapshot (it’s fine for saving); probably better to just specify a location at launch.

Can you add an actual assumeutxo value (mainnet & testnet)? When combined with #13713 it should be easier to create and test the snapshot (I had some difficulty wrapping my head around the demo script). That also means loadtxoutset can refuse to process a snapshot for a lower block height than the most recent fully processed block (even if the header is a valid-fork).

To facilitate writing functional tests, you could allow a -assumeutxo param for regtest only.

I’m unable to compile this on macOS. See error log. It does compile on Ubuntu, despite quite a few warnings.

Thanks; could you post the warnings you’re receiving on Ubuntu? I’m not getting any warnings during compilation when using clang 9.0.0 and gcc 7.3.0 on Ubuntu 18.04.2.

I don’t think an RPC method is the right tool for loading a snapshot (it’s fine for saving); probably better to just specify a location at launch.

Loading snapshot only on startup would simplify things in the short run, but ultimately if we’re going to share snapshots over the P2P network, we’ll need to support loading them at runtime. Better to test that process out earlier IMO.

I waited for it to fetch a few blocks and tried again, but same error…

Oops, looks like I introduced a bug during a recent rebase. Fixing now. Thanks for testing!

Can you add an actual assumeutxo value (mainnet & testnet)?

Yep, I’ll do this in the next day or so.

To facilitate writing functional tests, you could allow a -assumeutxo param for regtest only.

Yep, this seems like a good idea. I’m also going to try to do as much unittesting as I can (as opposed to functional tests).

Concept ACK. It compiles now. I was able to create a snapshot using the script and load it on a fresh datadir. Though it crashed when I stopped the node and started it again:

02019-04-27T14:18:10Z [snapshot] resetting coinsviews for Chainstate [ibd] @ height 410343 (000000000008b5afee8bdf7bbc4386c001615bbfcfe12e7ddd0ac19ab9a03235)
12019-04-27T14:18:10Z [snapshot] resetting coinsviews for Chainstate [snapshot] @ height 1512817 (0000000000000332aba2ad56296b67b7b6664a46b1c23bb014bb9aad6fb20828)
22019-04-27T14:18:13Z [default wallet] Releasing wallet
32019-04-27T14:18:13Z Shutdown: done
4
5...
62019-04-27T14:19:11Z Initializing chainstate Chainstate [snapshot] @ height -1 (null)
7Assertion failed: (!setBlockIndexCandidates.empty()), function PruneBlockIndexCandidates, file validation.cpp, line 2401.

It’s hard to follow what’s going on when loading the snapshot on a fresh node because the logs are flooded by the regular IBD in progress. Consider pausing IBD while loading the file.

Once we reach the tip and it starts syncing from genesis in the background, the log is too quiet. It’s only showing allocation of block files. It would be nice to have a message for each block along the lines of UpdateChain: processed block 00000000000000a9d.... at height=1234 . Something less verbose, like on message every 1000 blocks, would also be fine. Otherwise it might end up snowing under important events at the tip.

getblockchaininfo should contain fields to measure the progress of catching up in the background (and there needs to be something for the GUI to access, that can wait).

How do plan to handle block pruning? Do we just split -prune in half while catchup is in progress? Do we double the minimum prune setting (when used with this feature)?

Just an FYI - I had a working POC of this that would have worked fine with the chainstate hash in the source code: https://gist.github.com/n1bor/55b25d72cd3c24eef85f7e24d549ef7a

One interesting thing is if you write a lot of data to a leveldb database that is mostly sorted by key (or at least big chunks are ) it is very efficient.

@Sjors thanks very much for testing.

it crashed when I stopped the node and started it again

You found a bug in how the init process interacts with an assumed-valid chainstate. I needed to add nChainTx reconstruction to LoadBlockIndex() and make some allowances for the assumed-valid chain in RewindBlockIndex(). The details of the fix are mostly contained in https://github.com/bitcoin/bitcoin/pull/15606/commits/7d10a00daca80c6a8e68196ae7c016c1123d91fe, but we also now write BLOCK_OPT_WITNESS into the appropriate CBlockIndex entries during snapshot activation (https://github.com/bitcoin/bitcoin/pull/15606/commits/7bfbb78b445efbefa5238b4d23290ad4d4db05cf#diff-24efdb00bfbe56b140fb006b562cc70bR5001).

Consider pausing IBD while loading the file.

On your advice I’m now acquiring cs_main during snapshot activation for clarity when testing, but I think that closer to merge we should undo this. The snapshot chainstate can populate on a separate thread while traditional IBD starts and I don’t think either slows the other down since they’re running on separate threads and writing to separate data structures (the block index excluded).

Note that you can isolate most of the snapshot-related logs with tail -f debug.log | grep '[snapshot]'.

Once we reach the tip and it starts syncing from genesis in the background, the log is too quiet.

I’ve added a [background validation] UpdateTip: ... message for every 2000 blocks synced in the background.

How do plan to handle block pruning?

Since we don’t expect (or support handling) reorgs in the background validation chainstate, we prune it aggressively (within 1 block of tip; see https://github.com/bitcoin/bitcoin/pull/15606/commits/e37372a0236b12dff422eaeca643db7d64f58b48#diff-24efdb00bfbe56b140fb006b562cc70bR3635). Given current pruning precision, this seems like a rounding error and so I think should be sufficient.

Thanks again for testing. The most recent version of this PR is rebased and should be usable.

getblockchaininfo should contain fields to measure the progress of catching up in the background (and there needs to be something for the GUI to access, that can wait).

You can currently get a sense of this with the (maybe temporary? but definitely poorly named) monitorsnapshot RPC. Suggestions on how to roll this into getblockchaininfo are welcome. Maybe a background: key that contains a nested version of the same information?

Consider pausing IBD while loading the file. acquiring cs_main during snapshot activation for clarity when testing I don’t think either slows the other down since they’re running on separate threads

It’s not about performance, but about being able to debug. I think we should keep this in for at least one release, because it’s easier than the grep approach. It could also make sense to wait ~60 seconds after the snapshot is loaded before resuming the original IBD. That way the log looks like:

• IBD…
• rpc call to load snapshot (if RPC debug is enabled)
• pauze IBD
• loading snapshot
• snapshot loaded, begin sync from snapshot
• little bit of sync from snapshot
• IBD resumed
• interwoven log entries from both syncs

we prune it aggressively (within 1 block of tip)

Pruning normally flushes dbcache though, are you preventing that?

Maybe a background: key that contains a nested version of the same information?

That seems better (or snapshot), since otherwise you have to call monitorsnapshot to even find out anything is happening.

Did another test (on Ubuntu) and was able to create a snapshot and load it in a fresh datadir.

When I tried to make a snapshot while still in IBD, the chain reorged down to the specified height and then immedidately shot up again to the tip, before making a (presumable wrong) snapshot. Easiest solution is for the demo script to check if initialblockdownload is false.

Perhaps related, but I managed to corrupt the node that I took the snapshot from:

02019-05-08T17:35:39Z Checking all blk files are present...
12019-05-08T17:35:40Z Initializing chainstate Chainstate [ibd] @ height -1 (null)
2bitcoind: validation.cpp:2448: void CChainState::PruneBlockIndexCandidates(): Assertion `!setBlockIndexCandidates.empty()' failed.

I recovered with -reindex and then made the snapshot more carefully.

When I restart the node during the snapshot sync, I notice that monitorsnapshot returns the wrong values for verification_progress of snapshot (e.g. 0.142) which doesn’t go up much until you restart again (initialblockdownload: false). I restarted a few times, and then it suddenly showed 0.9999 again.

The new logging every 2000 blocks feature doesn’t work after restart.

The snapshot successfully validated, but when I try to shutdown gracefully it doesn’t get beyond the “dumped mempool” message. Probably a thread locking issue; no crazy CPU or memory usage. I had to use kill -9, but fortunately it still worked at the next start.

I haven’t tried pruning yet.

Can you split out d94356e086a2240773a42649ce6ef785b3a3d4b5 into a separate pull request? I need this for some of my fuzzing projects.

See #16703

On macOS 10.14.6 I’m seeing a warning:

0validation.cpp:2222:64: warning: lambda capture 'func_name' is not required to be captured for this use [-Wunused-lambda-capture]
1    auto log_progress = [pindexNew, &coins_view, &chainParams, func_name](
2                                                             ~~^~~~~~~~~
3validation.cpp:4184:50: warning: comparison of integers of different signs: 'int64_t' (aka 'long long') and 'size_t' (aka 'unsigned long') [-Wsign-compare]
4        if (nCheckLevel >= 3 && curr_coins_usage <= chainstate.m_coinstip_cache_size_bytes) {
5                                ~~~~~~~~~~~~~~~~ ^  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
62 warnings generated.

Can you make the snapshot a bit more recent?

I tried loading the snapshot I created back in May and noticed 2019-08-28T12:11:37Z [snapshot] waiting to see blockheader 000000000000001629aa3af57b421626b17c233ad0cd7197dfcc77389fe7b85e in headers chain before snapshot activation burried in the log. Oops, that’s a testnet snapshot :-) But this causes the RPC call to hang and makes it difficult to exit bitcoind, so we should probably detect this.

Update: I made a fresh snapshot of a more recent block. When trying to import it the debug log said 2019-08-28T17:34:46Z [snapshot] assumeutxo value in snapshot metadata not valid for height 592000 - refusing to load snapshot, but the RPC returned a cryptic error code: -32603. error message: Unable to load UTXO snapshot ....

flushing snapshot chainstate to disk takes 10+ minutes. Can this step be skipped if -dbcache is large enough?

Is this ignoring my -dbcache setting?

02019-08-28T17:55:49Z [Chainstate [snapshot] @ height 592003 (0000000000000000000919cc22af382ead360cd7a27572e19a2b6ac42baa6745)] resized coinsdb cache to 0.4 MiB
12019-08-28T17:55:49Z [Chainstate [snapshot] @ height 592003 (0000000000000000000919cc22af382ead360cd7a27572e19a2b6ac42baa6745)] resized coinstip cache to 499.5 MiB
22019-08-28T17:55:49Z Cache size (8699974960) exceeds total space (1523763712)

I made a torrent tracker for these snapshots, as well as limited capacity seeding:

• mainnet: magnet:?xt=urn:btih:556fb8dcc50059a62b0694f576a14e249156ab99&dn=utxo%5Fsnapshot%5F570000.dat&tr=udp%3A%2F%2Ftracker.bitcoin.sprovoost.nl%3A6969
• testnet: magnet:?xt=urn:btih:8780d3e8e336986a7fede11bea3e1209e2b25e41&dn=utxo%5Fsnapshot%5Ftestnet%5F1512062.dat&tr=udp%3A%2F%2Ftracker.bitcoin.sprovoost.nl%3A6969

At the moment, the tip of this branch is broken - there’s a lock inversion between the new g_chainman.m_cs_chainstates lock and mempool.cs. It’s proven tricky to untangle because ChainstateActive() (which requires g_chainman.m_cs_chainstates) is called so pervasively.

I tried swapping out m_cs_chainstates for cs_main since they’re pretty much always overlapping anyways, but that’s a non-starter because you can’t call g_chainman.GetAll() on top of chainstate->ActivateBestChain() because ABC asserts that cs_main isn’t held (to drain the validation queue).

I’m trying to work out the lowest-impact fix.

Notes

02019-08-20T17:18:51Z POTENTIAL DEADLOCK DETECTED
12019-08-20T17:18:51Z Previous lock order was:
22019-08-20T17:18:51Z  m_cs_chainstate validation.cpp:2675 (in thread loadblk)
32019-08-20T17:18:51Z  cs_main validation.cpp:2693 (in thread loadblk)
42019-08-20T17:18:51Z  (1) ::mempool.cs validation.cpp:2693 (in thread loadblk)
52019-08-20T17:18:51Z  (2) g_chainman.m_cs_chainstates validation.cpp:86 (in thread loadblk)

which is

ActivateBestChain: LOCK(mempool.cs) -> ConnectTip: LOCK(g_chainman.m_cs_chainstates) via ChainstateActive()

02019-08-20T17:18:51Z Current lock order is:
12019-08-20T17:18:51Z  cs_main init.cpp:1484 (in thread init)
22019-08-20T17:18:51Z  (2) m_cs_chainstates validation.cpp:5507 (in thread init)
32019-08-20T17:18:51Z  cs_main validation.cpp:2046 (in thread init)
42019-08-20T17:18:51Z  (1) cs txmempool.cpp:907 (in thread init)

which is

ChainstateManager.MaybeRebalanceCaches(): LOCK(m_cs_chainstates) -> FlushStateToDisk -> mempool.DynamicMemoryUsage(): LOCK(mempool.cs)

It’s proven tricky to untangle because ChainstateActive() (which requires g_chainman.m_cs_chainstates) is called so pervasively.

Can’t remember what we talked about last time this came up, but maybe m_cs_chainstates should be a shared mutex, that many threads can call lock_shared on simultaneously, and not block unless the chain is being swapped.

That way m_cs_chainstates could be locked at a really broad scope, before cs_main and mempool.cs, but it wouldn’t hurt performance because it would be locked non-exclusively.

I’m hosting some recent snapshots as a torrent (and tracker):

• 570,000 mainnet magnet:?xt=urn:btih:556fb8dcc50059a62b0694f576a14e249156ab99&dn=utxo%5Fsnapshot%5F570000.dat&tr=udp%3A%2F%2Ftracker.bitcoin.sprovoost.nl%3A6969 (made with older version, probably incompatible)
• 600,000 mainnet: magnet:?xt=urn:btih:e3c0b504c8e60c52653706079dbfecc5bcad5e02&dn=utxo%5Fmainnet%5F600000.dat&tr=udp%3A%2F%2Ftracker.bitcoin.sprovoost.nl%3A6969
• 1,600,000 testnet: magnet:?xt=urn:btih:701acffe49e83bce213ff337e52022c11368cdd0&dn=utxo%5Ftestnet%5F1600000.dat&tr=udp%3A%2F%2Ftracker.bitcoin.sprovoost.nl%3A6969

A few quick updates on this branch.

New snapshots

I’ve added an allowed assumeutxo hash at height 600,000 (which you can check with ./contrib/devtools/utxo_snapshot.sh - ./src/bitcoin-cli -datadir=[...]) and have uploaded snapshot files (Google Drive, Google Cloud) for testers’ convenience. We obviously don’t necessarily need to preserve this value for merge, but I figure it’s useful for testing and not unrealistic.

You can test this branch easily by running a script like

 0#!/bin/bash
 1
 2set -e
 3if [ ! -f ./src/bitcoind ]; then
 4  echo "Must be in built bitcoin directory."
 5  exit 1
 6fi
 7SNAPSHOT_LOC=/tmp/utxo.600k.dat
 8DATADIR=/tmp/bitcoin-assumeutxo-test
 9mkdir -p $DATADIR
10
11[ -f ${SNAPSHOT_LOC} ] || curl -L https://storage.googleapis.com/assumeutxo/utxo.600k.dat > $SNAPSHOT_LOC
12/usr/bin/time -v ./src/bitcoind -datadir=$DATADIR -dbcache=4000 -stopatheight=604401 &
13sleep 60
14# Might timeout.
15/usr/bin/time -v ./src/bitcoin-cli -datadir=$DATADIR loadtxoutset $SNAPSHOT_LOC || true
16fg %1

After running this you should end up with a node that’s synced to tip within 60-90 minutes depending on your internet connection and hardware.

Benchmarking

I’ve compared reindexing to height 550,000 for this branch vs. its base (a la previous PRs), and beyond some outlier runs on both sides, this changeset seems to be comparable in performance to master.

 0host         tag                      time       time% maxmem  cpu%  dbcache
 1bench-ssd-2  bench/au.1               9:24:53    0.92  6717.99MB 338%  5000MB
 2bench-ssd-2  bench/au.1               9:23:14    0.92  6770.57MB 339%  5000MB
 3bench-ssd-2  bench/au.master.1        10:08:33   0.99  6654.39MB 315%  5000MB
 4bench-ssd-2  bench/au.master.1        10:13:04   1.00  6697.26MB 313%  5000MB
 5
 6bench-ssd-3  bench/au.master.1        9:26:17    0.93  6743.38MB 337%  5000MB
 7bench-ssd-3  bench/au.master.1        9:24:03    0.93  6748.67MB 338%  5000MB
 8bench-ssd-3  bench/au.1               9:22:35    0.92  6713.50MB 340%  5000MB
 9bench-ssd-3  bench/au.1               10:08:36   1.00  6712.88MB 314%  5000MB
10
11bench-ssd-4  bench/au.1               9:24:59    0.93  6744.43MB 338%  5000MB
12bench-ssd-4  bench/au.1               10:06:09   1.00  6717.30MB 315%  5000MB
13bench-ssd-4  bench/au.master.1        9:23:44    0.93  6695.61MB 339%  5000MB
14bench-ssd-4  bench/au.master.1        9:23:56    0.93  6646.16MB 338%  5000MB
15
16bench-ssd-5  bench/au.master.1        9:18:57    1.00  6715.23MB 341%  5000MB
17bench-ssd-5  bench/au.master.1        9:20:35    1.00  6644.22MB 341%  5000MB
18bench-ssd-5  bench/au.1               9:17:27    0.99  6702.63MB 342%  5000MB
19bench-ssd-5  bench/au.1               9:21:17    1.00  6663.15MB 340%  5000MB

Note of course that as a sort of “meta”-optimization, these benchmarks are solely to ensure that we haven’t introduced any performance regressions into normal operation. The really relevant benchmark here is “time from empty datadir to usable node,” which on one of my more capable machines has gone from ~20hrs to ~1hr.

Next steps

If you want to help move this project forward, the following PRs are prerequisites and once they’re merged I’ll carve off the next changeset:

• #16945
• #17487

Current work

After significantly revising the structure of the snapshot file in #16899, this branch has been substantially rebased to avoid the requirement of any on-disk snapshot metadata once the snapshot has been loaded; instead we look to filesystem state (the presence of a $DATADIR/chainstate_* folder) to signal that we are currently building a snapshot chainstate. Once this chainstate has been fully back validated, we move it over to the regular chainstate/ dir on shutdown. We also used to need on-disk state to restore the “faked” nChainTx data for snapshot-based header chains – we now cache that information in the snapshot’s chainstate itself (https://github.com/bitcoin/bitcoin/pull/15606/commits/87093a94ba311c495a1982f4f47d0c4607789f8f).

I’m currently thinking about how to handle locking semantics (as you might be able to tell from the last commit, which needs to be squashed into the rest of the history at some point) which I can detail further if anyone’s interested.

Commits that can be split out and submitted for review in parallel:

• f416c16b5728c91b071e18ea860a59c0401dcb5d
• ba1f760cdad07331b403966a0d3ab8b3f9898799 (partially, at least)
• e75fbc3087c1ad5039c946a0ac3107d6d2c84b94 (after #18698 ?)

commit 9b665e999bc82b98ff317907370db6f65efb2b43 can be dropped, no? It is already properly marked:

0$ git grep 'bool LoadBlockIndex('
1src/validation.cpp:bool LoadBlockIndex(const CChainParams& chainparams)
2src/validation.h:bool LoadBlockIndex(const CChainParams& chainparams) EXCLUSIVE_LOCKS_REQUIRED(cs_main);
3src/validation.h:    bool LoadBlockIndex(

Quick update. I’ve rebased this PR in such a way that it does not rely on changes in #17487 to avoid being blocked on that going through. If that does merge, it’ll be easy to update this branch to make use of the flush-without-erase behavior.

This needs testing (which I plan to do soon) as it’s been a while since I’ve gone through the whole battery of manual system tests (i.e. actually loading snapshots and syncing). I need to focus on writing a few more functional and unit tests that will obviate most of that manual work. Some intermediate commits here almost certainly have compilation errors.

This project is getting to the point where it’s less straightforward to find discrete bits of this draft to carve off for individual merge. Among the next changes are the snapshot activation procedure, the related RPC command for loading a snapshot, and all the little correspondent changes that have to happen in modules like net_processing to have snapshot chainstates actually function. I guess it makes sense to PR the snapshot activation changes (https://github.com/bitcoin/bitcoin/pull/15606/commits/eae9c625b10a7b5e6495ebef8698a98873f4933a) individually, but after that it may be somewhat less straightforward to carve off commits.

I’m wondering how averse people would be to treating much of the remainder of this draft as a single PR, and subsequently finishing off the first phase of assumeutxo in two or so more PRs?

Rebase time now that #19806 landed?

Yup, actively working on it.

Approach ACK / light review ACK 285d5dd3e409c1f14f50c46f18b3b1338f7ab9f6

Looking at the remaining commits it seems like the assumeutxo implementation is actually 75% merged already, and remaining changes are mostly tweaking code that hardcodes or assumes ActiveChainstate to instead handle multiple chainstates.

Current approach of splitting this large PR into medium sized PRs to be reviewed and merged sequentially (starting with #21526) seems reasonable and is probably ideal. I could also imagine a different approach thats splits out the tweaky commits as small obvious 1-commit PRs that could be reviewed in parallel, but this might just be more work and not solve anything.

In an ideal world it would be nice if individual changes here could be accompanied by unit tests confirming the new behaviors, but understandable that this isn’t happening since validation code is not very modular.

utxo-dumpload.61 -> utxo-dumpload.62 (range-diff)

Large rebase encompassing

• many net_processing refactors by @jnewbery @rebroad et al. (#21713)
• @dongcarl’s chainstate deglobalization (#20158)
• pruning updates for the blockfilter index (#15946)
• and probably others I’m forgetting.

In the next few days I’ll be manually testing this, which will require re-adding an actual assumeutxo value in chainparams after generating a recent snapshot. While or after that’s happening, I’ll see about generating a snapshot for use by the functional tests (and then actually writing them).

Torrent for my snapshot at height 685,000: magnet:?xt=urn:btih:bbc943dd7a97bff4bab7a039414e4dae5fbf5a3c&dn=utxo%5Fmainnet%5F685000.dat&tr=udp%3A%2F%2Ftracker.bitcoin.sprovoost.nl%3A6969

To make this snapshot, I rolled back to the correct height: bitcoin-cli invalidateblock 00000000000000000002091619d7ae1596349afb10fe8cb1833a09945db1180d and then called dumptxoutset (same procedure as contrib/devtools/utxo_snapshot.sh).

It’s probably broken given that coins_written is 0

0{
1  "coins_written": 0,
2  "base_hash": "000000000000000000043a68d9e09f48eeb485ac28bde0abb6e0b6cb6e726a21",
3  "base_height": 685000,
4  "path": "...",
5  "assumeutxo": "771ad185615493278a5d62b4fa865ca47cbfc54dbeb3a9157535bc0d856369e4"
6}

When attempting to load for a fresh IBD, by adding the snapshot to chainparams.cpp:

0        m_assumeutxo_data = MapAssumeutxo{
1            {
2                685000,
3                {AssumeutxoHash{uint256S("0x771ad185615493278a5d62b4fa865ca47cbfc54dbeb3a9157535bc0d856369e4")}, 685000},
4            },
5        };

The load loadtxoutset call fails with [snapshot] bad snapshot - coins left over after deserializing 0 coins

Thanks for testing @Sjors. I couldn’t reproduce your bug, but during manual testing I did find a number of issues based upon changes that have happened since last rebase. Subsequently I’ve pushed a bunch of new commits, some of which need to be fixed up. I’ve also done a manual test of the assumeutxo workflow and everything seems to be working properly again.

I also found an issue, possibly new but possibly not, related to restarting bitcoind while using a snapshot that has not yet been fully validated. Basically, faked nTx values were not persisting and so LoadBlockIndex() was failing due to not constructing setBlockIndexCandidates as expected.

In response to the this as well as the recent changes in RewindBlockIndex, I’ve decided to make a change consistent with a previous recommendation from @ryanofsky: instead of mutating “fake” data into the block index for assumed-valid blocks, I’m instead explicitly accounting for the possibility of snapshot use at usage sites (e.g. LoadBlockIndex(), NeedsRedownload()). I think this is easier to reason about instead of relying on some implicit data faking.

Manual testing

I’ve generated a snapshot at 685000 using the utxo_snapshot.sh contrib script.

 0src/bitcoin (? utxo-dumpload-compressed 4dfd3a2) % /usr/bin/time ./contrib/devtools/utxo_snapshot.sh 685000 utxo-685.dat ./src/bitcoin-cli
 1Rewinding chain back to height 685000 (by invalidating 00000000000000000002091619d7ae1596349afb10fe8cb1833a09945db1180d); this may take a while
 2Generating UTXO snapshot...
 3{
 4  "coins_written": 75696073,
 5  "base_hash": "000000000000000000043a68d9e09f48eeb485ac28bde0abb6e0b6cb6e726a21",
 6  "base_height": 685000,
 7  "path": "/home/james/.bitcoin/utxo-685.dat",
 8  "assumeutxo": "a85dd26a5ca449d76bc7cb6103960a2894475f11acef57efb77d833ca84d0ed3",
 9  "nchaintx": 644907744
10}
11Restoring chain to original height; this may take a while
120.01user 0.00system 14:13.84elapsed 0%CPU (0avgtext+0avgdata 4712maxresident)k
132688inputs+0outputs (22major+1584minor)pagefaults 0swaps

I then create a new datadir (~/.bitcoin/utxo-test), start up, and immediately load the snapshot:

0src/bitcoin (? utxo-dumpload-compressed 4dfd3a2) % /usr/bin/time ./src/bitcoin-cli -datadir=/home/james/.bitcoin/utxo-test loadtxoutset ~/.bitcoin/utxo-685.dat
1{
2  "coins_loaded": 75696073,
3  "tip_hash": "000000000000000000043a68d9e09f48eeb485ac28bde0abb6e0b6cb6e726a21",
4  "base_height": 685000,
5  "path": "/home/james/.bitcoin/utxo-685.dat"
6}
70.00user 0.00system 12:49.51elapsed 0%CPU (0avgtext+0avgdata 4348maxresident)k
83536inputs+0outputs (18major+233minor)pagefaults 0swaps

After load, I verified that the snapshot chain successfully syncs to tip, caches rebalance accordingly, and background validation starts. I also verified that the snapshot tip is maintained without issue as new blocks come in.

Next

Functional tests will be added to this branch. I may also add a contrib script that makes “demoing” the assumeutxo workflow more straightforward.

This seems to work better:

0{
1  "coins_written": 74785038,
2  "base_hash": "00000000000000000004331a2b2230ee390f3cd8969c4b533e616a6805ccf918",
3  "base_height": 687000,
4  "path": "/Users/sjors/Library/Application Support/Bitcoin/utxo_mainnet_687000.dat",
5  "assumeutxo": "c6d8016d392df4a9b57c96a432347df3971b78da5b095bd2eafe71da84206892",
6  "nchaintx": 648168241
7}

Torrent: magnet:?xt=urn:btih:65361833886f742cc519003f8f85ebfe26979a36&dn=utxo%5Fmainnet%5F687000.dat&tr=udp%3A%2F%2Ftracker.bitcoin.sprovoost.nl%3A6969

To use the snapshot, edit chainparams.cpp:

0        m_assumeutxo_data = MapAssumeutxo{
1            {
2                687000,
3                {AssumeutxoHash{uint256S("0xc6d8016d392df4a9b57c96a432347df3971b78da5b095bd2eafe71da84206892")}, 648168241},
4            },
5        };

With a fresh datadir I’m able to load this snapshot (-rpcclienttimeout=0 is handy) and sync to the tip. We’ll see if background sync succeeds too…

When loading fails, e.g. because it’s the wrong height, the error returned by the RPC call could be more useful.

On the road to writing actual functional tests (which may be somewhat of a challenge), I’ve added a demo/manual testing script (https://github.com/bitcoin/bitcoin/pull/15606/commits/322a9e9fc1d0edc3297a92618edc912c50bc0fd8) that should allow anyone to get acquainted with the assumeutxo feature.

Using it should be easy; clone this branch, make, and then run ./contrib/devtools/test_utxo_snapshots.sh and follow the instructions. The script itself involves creating a snapshot, modifying the chainparams, and then watching the snapshot-based sync process followed by background validation. It’s also a happy-path test of the changes here. I hope others find it useful, even if it just ends up being an ephemeral thing for testing that is never merged.