doc: Clarify scope of eviction protection of outbound block-relay peers

ariard commented at 1:45 pm on September 4, 2020: member

Block-relay-only peers were introduced by #15759. According to its author, it was intented to make them only immune to outbound peer rotation-based eviction and not from all eviction as modified comment leans to think of.

Clearly indicate that outbound block-relay peers aren’t protected from eviction by the bad/lagging chain logic.

Fix #19863

laanwj added the label P2P on Sep 4, 2020

in src/net_processing.cpp:2025 in b94ebc334a outdated

2020@@ -2021,8 +2021,8 @@ static void ProcessHeadersMessage(CNode& pfrom, CConnman& connman, ChainstateMan
2021         if (!pfrom.fDisconnect && pfrom.IsFullOutboundConn() && nodestate->pindexBestKnownBlock != nullptr) {
2022             // If this is an outbound full-relay peer, check to see if we should protect
2023             // it from the bad/lagging chain logic.
2024-            // Note that block-relay-only peers are already implicitly protected, so we
2025-            // only consider setting m_protect for the full-relay peers.
2026+            // Note that outbound block-relay peers are excluded from this protection and
2027+            // thus passive of eviction by bad/lagging chain logic.

sdaftuar commented at 3:21 pm on September 4, 2020:

How about:

0// Note that outbound block-relay peers are excluded from this protection, and thus always subject to eviction under the bad/lagging chain logic.

sdaftuar commented at 3:24 pm on September 4, 2020:

Also, you may want to consider adding a comment that explains how m_protect is used by stale-tip-based eviction as well. In particular, the stale-tip -> extra full outbound peer logic could cause an existing full outbound to be evicted, but peers with m_protect set will not be chosen for eviction.

ariard commented at 6:38 pm on September 4, 2020:

Thanks for the suggestion. Also added a commit on scope of m_protect w.r.t to both eviction logics.

sdaftuar commented at 3:25 pm on September 4, 2020: member

The comments above the definition of ChainSyncTimeoutState in net_processing.cpp should also be updated.

ariard force-pushed on Sep 4, 2020

ariard commented at 6:42 pm on September 4, 2020: member

Updated at 6ce273b. I guess we could split up m_protect or clarify ChainSyncTimeout name but I don’t want to interfere with actual refactoring of CNodeState (#19398). It would be easier to reorganize structures after completion of this project.

MarcoFalke renamed this:
~~Clarify scope of eviction protection of outbound block-relay peers~~
doc: Clarify scope of eviction protection of outbound block-relay peers
on Sep 5, 2020

MarcoFalke added the label Docs on Sep 5, 2020

[doc] Clarify scope of eviction protection of outbound block-relay peers

Block-relay-only peers were introduced by #15759. According to its
author, it was intented to make them only immune to outbound peer
rotation-based eviction and not from all eviction as modified comment
leans to think of.

Clearly indicate that outbound block-relay peers aren't protected
from eviction by the bad/lagging chain logic.

ac71fe936d

in src/net_processing.cpp:2024 in 61c2a4282e outdated

2020@@ -2021,8 +2021,8 @@ static void ProcessHeadersMessage(CNode& pfrom, CConnman& connman, ChainstateMan
2021         if (!pfrom.fDisconnect && pfrom.IsFullOutboundConn() && nodestate->pindexBestKnownBlock != nullptr) {
2022             // If this is an outbound full-relay peer, check to see if we should protect
2023             // it from the bad/lagging chain logic.
2024-            // Note that block-relay-only peers are already implicitly protected, so we
2025-            // only consider setting m_protect for the full-relay peers.
2026+            // Note that outbound block-relay peers are excluded from this protection, and

naumenkogs commented at 9:25 am on September 7, 2020:

This code is in the conditional && pfrom.IsFullOutboundConn().

Why comments about block-relay-only connections belong inside a block related to full conns?

naumenkogs commented at 9:27 am on September 7, 2020:

I would probably prefer to have a good big comment before the following line:

0         if (!pfrom.fDisconnect && pfrom.IsFullOutboundConn() && nodestate->pindexBestKnownBlock != nullptr) {

ariard commented at 2:49 pm on September 7, 2020:

Moved comment above with new referral to ChainSyncTimeout.

ariard force-pushed on Sep 7, 2020

in src/net_processing.cpp:344 in 706f1f0cff outdated

338@@ -334,6 +339,9 @@ struct CNodeState {
339       *     and set a shorter timeout, HEADERS_RESPONSE_TIME seconds in future.
340       *     If their best known block is still behind when that new timeout is
341       *     reached, disconnect.
342+      *
343+      * EXTRA_PEER_CHECK_INTERVAL: after each interval, if we have too many outbound peers,
344+      * drop to the outbound one that least recently announced us a new block.

naumenkogs commented at 7:14 am on September 8, 2020:

* drop to the outbound one that least recently announced us a new block. -> * drop the outbound one that least recently announced us a new block. (“to” does not belong here)

in src/net_processing.cpp:330 in 706f1f0cff outdated

329+      *
330+      * Both are only in effect for outbound, non-manual, non-protected connections.
331+      * Any peer protected (m_protect = true) is not chosen for eviction. Block-relay
332+      * peers are always excluded from protection. A peer is marked as protected under
333+      * the condition of receiving at least a valid connecting header, having a better
334+      * chain than us and not having reached yet MAX_OUTBOUND_PEERS_TO_PROTECT_FROM_DISCONNECT.

naumenkogs commented at 7:17 am on September 8, 2020:

and not having reached yet MAX_OUTBOUND_PEERS_TO_PROTECT_FROM_DISCONNECT makes it sound like the peer is not having reached, not us. I suggest this:

A peer is marked as protected if - it gave us a valid connecting header - it has a better chain than we have - we haven’t reached MAX_OUTBOUND_PEERS_TO_PROTECT_FROM_DISCONNECT yet

ariard force-pushed on Sep 8, 2020

ariard commented at 2:35 pm on September 8, 2020: member

Thanks @naumenkogs, took your last suggestion at b55f979

naumenkogs commented at 10:52 am on September 9, 2020: member

ACK b55f9790194746ce0180fc9fc5e085bdb118432c

jonatack commented at 11:12 am on September 9, 2020: member

Concept ACK

in src/net_processing.cpp:346 in b55f979019 outdated

340@@ -334,6 +341,9 @@ struct CNodeState {
341       *     and set a shorter timeout, HEADERS_RESPONSE_TIME seconds in future.
342       *     If their best known block is still behind when that new timeout is
343       *     reached, disconnect.
344+      *
345+      * EXTRA_PEER_CHECK_INTERVAL: after each interval, if we have too many outbound peers,
346+      * drop the outbound one that least recently announced us a new block.

jonatack commented at 1:04 pm on September 9, 2020:

b55f9790 suggestions

 0-    /** State used to enforce CHAIN_SYNC_TIMEOUT and EXTRA_PEER_CHECK_INTERVAL logics.
 1+    /** State used to enforce CHAIN_SYNC_TIMEOUT and EXTRA_PEER_CHECK_INTERVAL logic.
 2       *
 3       * Both are only in effect for outbound, non-manual, non-protected connections.
 4       * Any peer protected (m_protect = true) is not chosen for eviction. A peer is
 5-      * marked as protected if :
 6+      * marked as protected if all of these are true:
 7       *   - its connection type is IsBlockOnlyConn() == false
 8       *   - it gave us a valid connecting header
 9-      *   - it has a better chain than we have
10       *   - we haven't reached MAX_OUTBOUND_PEERS_TO_PROTECT_FROM_DISCONNECT yet
11+      *   - it has a better chain than we have
12+      *   - it is not already marked as protected

ariard commented at 2:26 pm on September 9, 2020:

Thanks, I’m going to leave it as it is. It’s a bit confusing saying that something is “marked as protected if it is not already marked as protected”.

Note, actually CHAIN_SYNC_TIMEOUT and EXTRA_PEER_CHECK_INTERVAL are two different logics, thus the plural.

jonatack commented at 2:31 pm on September 9, 2020:

I’m aware. Logic is most often used as an uncountable noun, but it’s not an issue.

While rewriting this, I think it would be good to clarify that the list of conditions is “if all of these” and not “if any of these”.

The reordering suggestion is to follow the order of the actual checks.

I verified that the proposed documentation corresponds to the code.

ariard commented at 1:57 pm on September 10, 2020:

Thanks for the noun suggestion. Took it, also the re-ordering. But not the “it is not already marked as protected” it’s a tautology IMO (it would false future triggering of protection if we don’t due to g_outbound_peers_with_protect_from_disconnect is incremented in same conditional, but technically the state transition is defined without)

[doc] Clarify semantic of peer's m_protect w.r.t to outbound eviction logics

The field m_protect is used to protect from eviction both by bad/lagging
chain and extra outbound peers logics. Outbound block-relay peers are
always excluded from this protection.

d76925478e

ariard force-pushed on Sep 10, 2020

ariard commented at 1:56 pm on September 10, 2020: member

Updated at d769254, with last @jonatack suggestions.

naumenkogs commented at 2:03 pm on September 10, 2020: member

ACK d76925478efd35e6fd835370639f2139b28381e4

in src/net_processing.cpp:327 in d76925478e

326-      * m_protect == false
327-      * Algorithm: if a peer's best known block has less work than our tip,
328+    /** State used to enforce CHAIN_SYNC_TIMEOUT and EXTRA_PEER_CHECK_INTERVAL logic.
329+      *
330+      * Both are only in effect for outbound, non-manual, non-protected connections.
331+      * Any peer protected (m_protect = true) is not chosen for eviction. A peer is

naumenkogs commented at 2:05 pm on September 10, 2020:

I think this explanation actually belongs to the declaration of m_protect better, but I don’t care enough to ask for this… Consider this if you gonna update it.

jonatack commented at 2:22 pm on September 10, 2020: member

ACK d76925478efd35e6fd835370639f2139b28381e4

Thanks for updating @ariard.

ariard closed this on Sep 22, 2020

ariard reopened this on Sep 22, 2020

laanwj merged this on Oct 2, 2020

laanwj closed this on Oct 2, 2020

sidhujag referenced this in commit 2f44b26c5b on Oct 4, 2020

in src/net_processing.cpp:332 in d76925478e

331+      * Any peer protected (m_protect = true) is not chosen for eviction. A peer is
332+      * marked as protected if all of these are true:
333+      *   - its connection type is IsBlockOnlyConn() == false
334+      *   - it gave us a valid connecting header
335+      *   - we haven't reached MAX_OUTBOUND_PEERS_TO_PROTECT_FROM_DISCONNECT yet
336+      *   - it has a better chain than we have

amitiuttarwar commented at 10:21 pm on February 12, 2021:

I don’t think this is quite right?

the relevant part of the check in ProcessHeadersMessage checks nodestate->pindexBestKnownBlock->nChainWork >= ::ChainActive().Tip()->nChainWork, aka would set m_protect to true if they have the same chain tip as we do.

I think saying the peer “has a better chain” is misleading, because then I’d expect a long-running node to usually not have protected peers. Based on the logic I see, I’d expect a long-running node to usually have MAX_OUTBOUND_PEERS_TO_PROTECT_FROM_DISCONNECT.

what do you think?

Fabcien referenced this in commit b5b96199fa on Nov 3, 2021

DrahtBot locked this on Aug 16, 2022

doc: Clarify scope of eviction protection of outbound block-relay peers #19871