headerssync: Add headers cache

[hodlinator]

While we do want to avoid OOM-attacks through CVE-2024-52916, we can still serve the happy path by caching headers up to a reasonable chain height.

Cuts out time/bandwidth re-downloading same headers from same peer - good for both local and remote node, especially over slow/flaky connections. Even more helpful when the local node has flaky connection to all other nodes.

Queries the machine for free RAM and takes up to 10% of it for the cache. (Which is released when syncing ends).

[l0rinc]

Great initiative on optimizing the headers sync – definitely a worthwhile area, I'm very happy somebody's working on this, it was also on my list of things to tackle!
Welcome to the team Benchoors \:D/

---

The idea of caching headers to skip network redownload is solid, however, the current approach using an in-memory RAM cache with automatic sizing heuristics raises a few key concerns:

• Disk caching (raw file or even LevelDB) seems much more scalable, avoids significant RAM pressure during PRESYNC (which could be high), and might offer comparable performance gains given network latency is the main bottleneck. While RAM is faster, disk avoids complex sizing logic and scales better for the future. Have you considered caching in batches to disk instead?
• If we keep ram caching, the automatic sizing (GetFreeRAM, time estimates, various bounds) is complex and potentially fragile. Would a simpler approach, like a user-configurable -headerscachesize=MB (with a conservative default), be more predictable and robust?
• Some of the logic seems ripe for extraction into a helper method, and some explanatory comments might be better suited for commit messages.
• Probably irrelevant, but was wondering that if we're not redownloading, do we still care about "honest nodes" (as long as it's not obvious spam)?

I will review this later in more detail, only had this much energy at the end of the weekend :)

[l0rinc]

I'm not sure we can get away with this, in other cases the user can provide the size of the desired cache.
If we will keep it, I am very much against introducing dead code, the commit that adds a functionality should also show its use - at least in test, though I prefer real usage to be able to decide if it's the best solution to a given problem or not.

Each commit should be self-contained and its utility immediately demonstrable, the problem should come before the solution, but currently I see the solution in a commit, but not the problem description.

[hodlinator]

Yep, it is a bit of a departure (interesting potential direction for other settings as well IMO). We mostly do headers-sync on initial startup, after that the memory is freed. Maybe there is some condition where we've been running offline for a while and then reconnect that would re-trigger it too. It might be good to also provide an -arg to override the otherwise dynamic cache size though, will look into that.

I think having an independent commit "lays the breadcrumbs of the story", showing there are only dependencies in one direction (HeadersSyncState -> GetFreeRAM()). But I can see your point too. Merged it into where it is used.

[l0rinc]

Still not sure why we need this, now that there's a dedicated arg for it. We're not trying to guess dbcache size either - or whether we're on a HDD or SSD (though that would actually be a good idea :p).
We've relied on expert users instead of heuristics mostly, seems simpler to try that here as well - we can estimate it automatically in a follow-up, would go for the simpler solution first.

[hodlinator]

I think we probably should be "guessing" dbcache size as well. A minor part of this PR is bringing that up for discussion. But moved to a later commit for now, so it's easy to drop if there is more push-back.

[l0rinc]

I'd do both of them in a separate PR (base memory defaults on available memory), I don't think you want to spend your time defending this part of the code in this PR, seems like a different concern. You'd have to test this on a gazillion operating system and compilers and versions...

[l0rinc]

hmmm, why?

[hodlinator]

Was somehow worried about consuming too much RAM.. but we already cap it at 10% below, so removed this, which simplifies things, thanks!

[l0rinc]

This may be a bit harsh, but why are we caching to memory, why not cache to disk directly? (via a small buffer, of course, like we do with blocks, see https://github.com/bitcoin/bitcoin/blob/master/src/net_processing.cpp#L114)

We can expect SSDs to be a lot faster by the time this is merged and used - but modern ones are already very close to RAM speed, basically same order of magnitude - and still several orders of magnitude faster than redownloading them:

NVMe has hit almost 4 GB/s in transfer speeds, which is really incredible. This is no where near modern DDR4 speeds… DDR4 is generally around 20 GB/s, with higher speeds hitting 25 GB/s.

RAM latency is lower, but we don't really need that here as far as I understood, we have a predictable read/write order (given some buffering) - very similarly to the actual block download, which also saves and rereads the blocks when the windows is full - and we could likely read/write header batches of 10.000 or whatever, we don't have to store them separately, if my understanding is correct.
Saving and prefetching can even be done on a separate thread if need be (if indeed the iteration order is mostly deterministic).
Predictable read could also be fast on a lousy HDD.

While (de)serialization would add some extra, it's actually quite trivial and we header sync would mimic the pattern used by block downloads (maybe even reuse some of the setup). Could be solved automatically if we saved these to LevelDB instead of separate files - might be slow, dunno, but I think it's worth considering, since I think we can assume that the headers should always fit to disk, but not always into memory.

It may result in simpler code (since we can just assume that everything is cached, no need for 30 year and 10% memory limits and redownload fallbacks), better scaling (we expect more headers in 30 years) and basically the same speed gain compared to redownloading?

[hodlinator]

My initial goal is using resources that are available on slightly beefier nodes.

Since adding logic for caching to disk adds extra complexity, I'd prefer either doing it in a follow-up PR (saving review-energy for the other aspects in this PR), or possibly in a separate commit at the end of the PR.

Probably would just use one contiguous file without LevelDB since we don't need to do lookups, just write and read in order from genesis/start to sufficient chainwork.
Might be good to have one file for every 100'000 headers in order to be able to delete them after they have been consumed (read), as I think we start downloading and storing blocks to disk in parallel with that process.

Is there some other reason for doing something closer to block storage?

[l0rinc]

Is there some other reason for doing something closer to block storage?

We don't have to, of course, but I think we need a good reason to do it differently since it's a very similar problem.

Since adding logic for caching to disk adds extra complexity, I'd prefer either doing it in a follow-up PR (saving review-energy for the other aspects in this PR), or possibly in a separate commit at the end of the PR.

I'm not sure that's the case, quite the opposite, I'd expect it to be simpler. But you've spent more time on it than I have...
Memory is finite, not sure it scale with the blockchain. But the disk kinda' has to and I'm not sure it would be measurably slower to do it on disk, but with memory we have to worry about OOM and other attacks all the time.

[l0rinc]

Is the happy path even likely? What's the smallest thing that can ruin a happy path, a single invalid header that isn't part of the longest chain?
Won't that become a new attack vector - i.e. the lightest attack that will make the happy path unfeasible, derailing caching (which isn't problematic now, may be problematic in a few decades). It's likely a lot better than previous DOS threats, but with disk caching we can likely even handle invalid attempts (e.g. 10% invalid or whatever), which would likely be more robust.

[hodlinator]

Already on master: During PRESYNC, just as in REDOWNLOAD we both check hashPrevBlock and check PermittedDifficultyTransition (nBits). We must be given headers that fulfill this in-order from our selected headers sync-peer.

The happy path is the most likely. Edge-cases:

• Malicious node (SneakyRedownload-test).
• Selecting other node that hasn't fully synced the chain either, giving us insufficient work (TooLittleWork-test).
• Connection lost.

Don't see potential for a new attack, but maybe I'm missing something?

[l0rinc]

I still need to understand what the worst case scenario is before and after this change - will try to find out myself (e.g. what kind of attacks are possible before and after)

[l0rinc]

seems to me saving to disk could solve this as well

[hodlinator]

Not in this case I don't think, even if we were to permit more headers being stored to disk (5min blocktimes?), we would still have a cap on the cache size eventually - so this would still need to be handled.

[hodlinator]

Thank you for your initial feedback!

I'm very happy somebody's working on this, it was also on my list of things to tackle!
Welcome to the team Benchoors :D/

Nice!

the current approach using an in-memory RAM cache with automatic sizing heuristics raises a few key concerns

• Disk caching
• ... automatic sizing (GetFreeRAM, time estimates, various bounds) ... Would a simpler approach, like a user-configurable -headerscachesize=MB

Please see inline comments.

• Some of the logic seems ripe for extraction into a helper method, and some explanatory comments might be better suited for commit messages.

Extracted ComputeHeadersCacheMax(), any other specific suggestions?

Probably irrelevant, but was wondering that if we're not redownloading, do we still care about "honest nodes" (as long as it's not obvious spam)?

We have a minimum proof of work threshold which is hardcoded for a given release. This threshold triggers the PRESYNC -> REDOWNLOAD state change. We could have a malicious node attempt to feed us an ultra-long but low work chain. If our node has the cache but is running an old release far in the future (with an old threshold), it will fill the cache and then fall back to the behavior on master of verifying headers are connected and conform to difficulty adjustments, but proceed to throw them away. So the old node is still not going to go into some pathological case unless we remove the cap on the headers cache.

---

A mid-level aspect I've been considering is doing things like adding an extra state PRESYNC -> +CONSUMECACHE+ -> REDOWNLOAD. But HeadersSyncState exposes state-specific methods publicly (GetState(), GetPresyncHeight(), GetPresyncTime(), GetPresyncWork(), NextHeadersRequestLocator()), so I've avoided it so far. Any ideas on that level?

---

Changes in latest push:

• Extracted ComputeHeadersCacheMax().
• Changed HeadersSyncState-ctor to take bytes instead of header count.
• Renamed HeadersSyncState::m_download_state -> m_state as we aren't tracking any other state enums within that class.
• Extracted ProcessPresync() and ProcessRedownload() methods to reduce indentation.
• Added -headerssynccache=MB arg.
• Added reference to recent BitMEX blog entry in commit message.
• Adjusted comments and other minutia.

[hodlinator]

Yep, it is a bit of a departure (interesting potential direction for other settings as well IMO). We mostly do headers-sync on initial startup, after that the memory is freed. Maybe there is some condition where we've been running offline for a while and then reconnect that would re-trigger it too. It might be good to also provide an -arg to override the otherwise dynamic cache size though, will look into that.

I think having an independent commit "lays the breadcrumbs of the story", showing there are only dependencies in one direction (HeadersSyncState -> GetFreeRAM()). But I can see your point too. Merged it into where it is used.

[hodlinator]

Was somehow worried about consuming too much RAM.. but we already cap it at 10% below, so removed this, which simplifies things, thanks!

[hodlinator]

Not in this case I don't think, even if we were to permit more headers being stored to disk (5min blocktimes?), we would still have a cap on the cache size eventually - so this would still need to be handled.

[hodlinator]

My initial goal is using resources that are available on slightly beefier nodes.

Since adding logic for caching to disk adds extra complexity, I'd prefer either doing it in a follow-up PR (saving review-energy for the other aspects in this PR), or possibly in a separate commit at the end of the PR.

Probably would just use one contiguous file without LevelDB since we don't need to do lookups, just write and read in order from genesis/start to sufficient chainwork.
Might be good to have one file for every 100'000 headers in order to be able to delete them after they have been consumed (read), as I think we start downloading and storing blocks to disk in parallel with that process.

Is there some other reason for doing something closer to block storage?

[hodlinator]

Already on master: During PRESYNC, just as in REDOWNLOAD we both check hashPrevBlock and check PermittedDifficultyTransition (nBits). We must be given headers that fulfill this in-order from our selected headers sync-peer.

The happy path is the most likely. Edge-cases:

• Malicious node (SneakyRedownload-test).
• Selecting other node that hasn't fully synced the chain either, giving us insufficient work (TooLittleWork-test).
• Connection lost.

Don't see potential for a new attack, but maybe I'm missing something?

[hodlinator]

Latest push:

• Unbroke p2p_headers_presync fuzz-test in favor of TODO, which is an admission of guilt, there you go. :)
  (headerssync: Add headers cache #3 (comment))

[l0rinc]

this short-circuiting is a bit counter-intuitive

[hodlinator]

Specifying the size means we override the dynamic calculation, but we still need to convert bytes -> header count. Tried to clarify in latest push.

[l0rinc]

I will have to debug this properly, I don't understand any of this yet :/

[l0rinc]

I'll debug it properly this week, only did a lightweight sweep again to get you some early feedback. Sorry for the lack of depth, will do that shortly.

[l0rinc]

749f17c

Needs more explanation, I don't have enough context.
"lower" than what? What happens when we're "returning"?

[hodlinator]

Attempted to improve commit message:

- fuzz: Specify lower limit of mock-time instead of returning
-
- Should reduce wasted runs, through less code complexity.
+ fuzz(headerssync): Specify minimum for mock-time
+
+ That way we can always proceed instead of just exiting the fuzz target, wasting cycles. Also reduces code complexity.

[l0rinc]

Any idea why it was done like that before?

auto age = rand();
if x < 120 do shit
else return false

seems indeed simpler to do

auto age = rand(0, 120)

(you could likely commit this in a separate PR as well)

[hodlinator]

My guess is either the author didn't know of the min parameter or it was added afterwards. I think it's small and non-controversial enough to sneak into this PR for now.

[l0rinc]

You can do both

[l0rinc]

It seems it was already available at the time of the pr

[l0rinc]

yeah, this is what I mean X x = X:x; // sets X x to x (X)

[hodlinator]

Yeah, seems kind of naked if removing the comment completely though. Could change it to "Central tracker of state machine's state", but not sure it's enough of an improvement.

[l0rinc]

It's not just the comment, state is too general, everything is a state.
Can we find a better name - or if not, can we refactor, not being able to find a proper name is a strong code smell

[hodlinator]

Having a State m_state field in a C++ state machine is certainly not unheard of. Would m_current_state be nicer in your eyes?

[l0rinc]

No, it doesn't help me in understanding the behavior better. Again, it's like a variable called "thing" ... it indicates a bigger problem

[l0rinc]

can we rather avoid this instead? Or at least print something instead of a comment? I hate comments, it's a sign that we've given up :(

[hodlinator]

Changed assume condition to: Assume(m_state != State::FINAL).

Would love proper support for error strings in asserts/assume.

[l0rinc]

This is worse than before, m_state != State::FINAL is always true

[hodlinator]

Inside case State::FINAL, m_state != State::FINAL is always false, triggering failure. This is a common idiom for documenting what condition has failed.

[l0rinc]

Yeah, but ideally we shouldn't be able to get to an illegal state in the first place - though it's not your code that is at fault here, but maybe we can reduce the invalid possibilities

[l0rinc]

Do we really need this? We should be able to pre-size this quite precisely, maybe even make it an array and use its bounds.

[hodlinator]

Changed to use vector::capacity() for now. Would be nice to have a terse way of preventing the vector from accidentally re-allocating.

[l0rinc]

Or an array, making sure it's heap allocated

[hodlinator]

I take it you mean a C array? We would end up with 3 fields in HeadersSyncState instead of 1:

const size_t m_headers_cache_size; // Equivalent to vector::capacity()
CompressedHeader* const m_headers_cache; // Fixed memory blob, nice!
size_t m_headers_cache_count; // Equivalent to vector::size()

[l0rinc]

Yeah, but passing it around as an std::span.
I don't really have enough experience (as discussed in the other thread) about std::array for big values, so not sure if we can force it to heap allocation or not. Let me know if you do.

[hodlinator]

std::array is off the table since the size is fixed at compile time, and we will want to determine the size at runtime.

Maybe m_presync_height can be used in place of m_headers_cache_count as long as it is checked against m_headers_cache_size which it may exceed.

[l0rinc]

You're right, we have to make it dynamic, for a second I thought that if it depends on dbcache size, it's not runtime anymore, lol

[l0rinc]

And there's also the upper bound of 10% mem currently

[l0rinc]

40e9538
This is a huge commit, can you break it up meaningfully?

[hodlinator]

Broke out the RAM-querying to later commit.

I thought about making the cache_bytes parameter to the HeadersSyncState-ctor default to std::nullopt or 0 and then introduce all the setting of that value in subsequent commits, but it felt too contrived, not leaving that commit in an acceptable state. Files with call-sites sending in that value are more than a handful, but they are quite simple.

[l0rinc]

Let's discuss in person why you think that's an important part of this change

[l0rinc]

aren't we subtracting the max possible headers (for some reason I don't yet understand)?

[hodlinator]

No, this is just the cache, hopefully dropping "max" from the variable name helps.

[l0rinc]

Q: I don't yet understand how it can that be negative (that's why we need the std::max now, right)? But I'll debug it, you don't have to explain it, just documenting my surprises. Breaking it up into smaller named symbols could help.

[l0rinc]

"redownload" from "cache"?

[l0rinc]

Pushing my first impressions while I'm reviewing

[l0rinc]

Q: I don't yet understand how it can that be negative (that's why we need the std::max now, right)? But I'll debug it, you don't have to explain it, just documenting my surprises. Breaking it up into smaller named symbols could help.

[l0rinc]

Or an array, making sure it's heap allocated

[l0rinc]

Let's discuss in person why you think that's an important part of this change

[l0rinc]

This is worse than before, m_state != State::FINAL is always true

[l0rinc]

It's not just the comment, state is too general, everything is a state.
Can we find a better name - or if not, can we refactor, not being able to find a proper name is a strong code smell

[l0rinc]

Can we use 20_MiB here?

[l0rinc]

nit: I personally don't find 1 * more readable than sizeof(CompressedHeader)

[l0rinc]

as stated before, we likely need to rename the method now, since we're not "downloading" from a cache anymore

[l0rinc]

I'd do both of them in a separate PR (base memory defaults on available memory), I don't think you want to spend your time defending this part of the code in this PR, seems like a different concern. You'd have to test this on a gazillion operating system and compilers and versions...

[l0rinc]

It seems it was already available at the time of the pr

[l0rinc]

This is a lot better than commenting all overt the place, love it!

[l0rinc]

nit: would be great to avoid all these const vector& references and use std::span instead, but that would require prod code change as well, so maybe next time

[l0rinc]

nit: HeadersGeneratorSetup::GenerateHeaders seems to have a leftover return at the end (and ;;)

[l0rinc]

Suggested change

	// more headers can be requested. For a low-work-chain, this should causes
	// more headers can be requested. For a low-work-chain, this should cause

[l0rinc]

Q: what's the role of the lookahead buffer after this change?

[l0rinc]

maybe this could come after the test breakup (or maybe even the same commit), it seems to follow the same logic

[l0rinc]

this could be problematic on 32 bit system, we should likely err if this is too big for some reason:

Suggested change

	options.headerssync_cache_bytes = *value << 20; // MiB -> byte conversion
	options.headerssync_cache_bytes = *value * 1_MiB;

[l0rinc]

to avoid guarding m_headers_cache for additional pushes and querying .capacity in this awkward way, we could hide it behind a struct, something like:

template<typename T>
class FixedCache {
    std::vector<T> data;
    std::size_t const cap;

[l0rinc]

this may bare a comment stating that when we detect any problem the cache is completely wiped.
And can this also be a ClearShrink instead?