/Users/eugenesiegel/btc/bitcoin/src/node/eviction.cpp

Source (jump to first uncovered line)
// Copyright (c) 2022 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.

#include <node/eviction.h>

#include <algorithm>
#include <array>
#include <chrono>
#include <cstdint>
#include <functional>
#include <map>
#include <vector>


static bool ReverseCompareNodeMinPingTime(const NodeEvictionCandidate &a, const NodeEvictionCandidate &b)
{
    return a.m_min_ping_time > b.m_min_ping_time;
}

static bool ReverseCompareNodeTimeConnected(const NodeEvictionCandidate &a, const NodeEvictionCandidate &b)
{
    return a.m_connected > b.m_connected;
}

static bool CompareNetGroupKeyed(const NodeEvictionCandidate &a, const NodeEvictionCandidate &b) {
    return a.nKeyedNetGroup < b.nKeyedNetGroup;
}

static bool CompareNodeBlockTime(const NodeEvictionCandidate &a, const NodeEvictionCandidate &b)
{
    // There is a fall-through here because it is common for a node to have many peers which have not yet relayed a block.
    if (a.m_last_block_time != b.m_last_block_time) return a.m_last_block_time < b.m_last_block_time;
    if (a.fRelevantServices != b.fRelevantServices) return b.fRelevantServices;
    return a.m_connected > b.m_connected;
}

static bool CompareNodeTXTime(const NodeEvictionCandidate &a, const NodeEvictionCandidate &b)
{
    // There is a fall-through here because it is common for a node to have more than a few peers that have not yet relayed txn.
    if (a.m_last_tx_time != b.m_last_tx_time) return a.m_last_tx_time < b.m_last_tx_time;
    if (a.m_relay_txs != b.m_relay_txs) return b.m_relay_txs;
    if (a.fBloomFilter != b.fBloomFilter) return a.fBloomFilter;
    return a.m_connected > b.m_connected;
}

// Pick out the potential block-relay only peers, and sort them by last block time.
static bool CompareNodeBlockRelayOnlyTime(const NodeEvictionCandidate &a, const NodeEvictionCandidate &b)
{
    if (a.m_relay_txs != b.m_relay_txs) return a.m_relay_txs;
    if (a.m_last_block_time != b.m_last_block_time) return a.m_last_block_time < b.m_last_block_time;
    if (a.fRelevantServices != b.fRelevantServices) return b.fRelevantServices;
    return a.m_connected > b.m_connected;
}

/**
 * Sort eviction candidates by network/localhost and connection uptime.
 * Candidates near the beginning are more likely to be evicted, and those
 * near the end are more likely to be protected, e.g. less likely to be evicted.
 * - First, nodes that are not `is_local` and that do not belong to `network`,
 *   sorted by increasing uptime (from most recently connected to connected longer).
 * - Then, nodes that are `is_local` or belong to `network`, sorted by increasing uptime.
 */
struct CompareNodeNetworkTime {
    const bool m_is_local;
    const Network m_network;
    CompareNodeNetworkTime(bool is_local, Network network) : m_is_local(is_local), m_network(network) {}
    bool operator()(const NodeEvictionCandidate& a, const NodeEvictionCandidate& b) const
    {
        if (m_is_local && a.m_is_local != b.m_is_local) return b.m_is_local;
        if ((a.m_network == m_network) != (b.m_network == m_network)) return b.m_network == m_network;
        return a.m_connected > b.m_connected;
    };
};

//! Sort an array by the specified comparator, then erase the last K elements where predicate is true.
template <typename T, typename Comparator>
static void EraseLastKElements(
    std::vector<T>& elements, Comparator comparator, size_t k,
    std::function<bool(const NodeEvictionCandidate&)> predicate = [](const NodeEvictionCandidate& n) { return true; })
{
    std::sort(elements.begin(), elements.end(), comparator);
    size_t eraseSize = std::min(k, elements.size());
    elements.erase(std::remove_if(elements.end() - eraseSize, elements.end(), predicate), elements.end());
}

void ProtectNoBanConnections(std::vector<NodeEvictionCandidate>& eviction_candidates)
{
    eviction_candidates.erase(std::remove_if(eviction_candidates.begin(), eviction_candidates.end(),
                                             [](NodeEvictionCandidate const& n) {
                                                 return n.m_noban;
                                             }),
                              eviction_candidates.end());
}

void ProtectOutboundConnections(std::vector<NodeEvictionCandidate>& eviction_candidates)
{
    eviction_candidates.erase(std::remove_if(eviction_candidates.begin(), eviction_candidates.end(),
                                             [](NodeEvictionCandidate const& n) {
                                                 return n.m_conn_type != ConnectionType::INBOUND;
                                             }),
                              eviction_candidates.end());
}

void ProtectEvictionCandidatesByRatio(std::vector<NodeEvictionCandidate>& eviction_candidates)
{
    // Protect the half of the remaining nodes which have been connected the longest.
    // This replicates the non-eviction implicit behavior, and precludes attacks that start later.
    // To favorise the diversity of our peer connections, reserve up to half of these protected
    // spots for Tor/onion, localhost, I2P, and CJDNS peers, even if they're not longest uptime
    // overall. This helps protect these higher-latency peers that tend to be otherwise
    // disadvantaged under our eviction criteria.
    const size_t initial_size = eviction_candidates.size();
    const size_t total_protect_size{initial_size / 2};

    // Disadvantaged networks to protect. In the case of equal counts, earlier array members
    // have the first opportunity to recover unused slots from the previous iteration.
    struct Net { bool is_local; Network id; size_t count; };
    std::array<Net, 4> networks{
        {{false, NET_CJDNS, 0}, {false, NET_I2P, 0}, {/*localhost=*/true, NET_MAX, 0}, {false, NET_ONION, 0}}};

    // Count and store the number of eviction candidates per network.
    for (Net& n : networks) {
        n.count = std::count_if(eviction_candidates.cbegin(), eviction_candidates.cend(),
                                [&n](const NodeEvictionCandidate& c) {
                                    return n.is_local ? c.m_is_local : c.m_network == n.id;
                                });
    }
    // Sort `networks` by ascending candidate count, to give networks having fewer candidates
    // the first opportunity to recover unused protected slots from the previous iteration.
    std::stable_sort(networks.begin(), networks.end(), [](Net a, Net b) { return a.count < b.count; });

    // Protect up to 25% of the eviction candidates by disadvantaged network.
    const size_t max_protect_by_network{total_protect_size / 2};
    size_t num_protected{0};

    while (num_protected < max_protect_by_network) {
        // Count the number of disadvantaged networks from which we have peers to protect.
        auto num_networks = std::count_if(networks.begin(), networks.end(), [](const Net& n) { return n.count; });
        if (num_networks == 0) {
            break;
        }
        const size_t disadvantaged_to_protect{max_protect_by_network - num_protected};
        const size_t protect_per_network{std::max(disadvantaged_to_protect / num_networks, static_cast<size_t>(1))};
        // Early exit flag if there are no remaining candidates by disadvantaged network.
        bool protected_at_least_one{false};

        for (Net& n : networks) {
            if (n.count == 0) continue;
            const size_t before = eviction_candidates.size();
            EraseLastKElements(eviction_candidates, CompareNodeNetworkTime(n.is_local, n.id),
                               protect_per_network, [&n](const NodeEvictionCandidate& c) {
                                   return n.is_local ? c.m_is_local : c.m_network == n.id;
                               });
            const size_t after = eviction_candidates.size();
            if (before > after) {
                protected_at_least_one = true;
                const size_t delta{before - after};
                num_protected += delta;
                if (num_protected >= max_protect_by_network) {
                    break;
                }
                n.count -= delta;
            }
        }
        if (!protected_at_least_one) {
            break;
        }
    }

    // Calculate how many we removed, and update our total number of peers that
    // we want to protect based on uptime accordingly.
    assert(num_protected == initial_size - eviction_candidates.size());
    const size_t remaining_to_protect{total_protect_size - num_protected};
    EraseLastKElements(eviction_candidates, ReverseCompareNodeTimeConnected, remaining_to_protect);
}

[[nodiscard]] std::optional<NodeId> SelectNodeToEvict(std::vector<NodeEvictionCandidate>&& vEvictionCandidates)
{
    // Protect connections with certain characteristics

    ProtectNoBanConnections(vEvictionCandidates);

    ProtectOutboundConnections(vEvictionCandidates);

    // Deterministically select 4 peers to protect by netgroup.
    // An attacker cannot predict which netgroups will be protected
    EraseLastKElements(vEvictionCandidates, CompareNetGroupKeyed, 4);
    // Protect the 8 nodes with the lowest minimum ping time.
    // An attacker cannot manipulate this metric without physically moving nodes closer to the target.
    EraseLastKElements(vEvictionCandidates, ReverseCompareNodeMinPingTime, 8);
    // Protect 4 nodes that most recently sent us novel transactions accepted into our mempool.
    // An attacker cannot manipulate this metric without performing useful work.
    EraseLastKElements(vEvictionCandidates, CompareNodeTXTime, 4);
    // Protect up to 8 non-tx-relay peers that have sent us novel blocks.
    EraseLastKElements(vEvictionCandidates, CompareNodeBlockRelayOnlyTime, 8,
                       [](const NodeEvictionCandidate& n) { return !n.m_relay_txs && n.fRelevantServices; });

    // Protect 4 nodes that most recently sent us novel blocks.
    // An attacker cannot manipulate this metric without performing useful work.
    EraseLastKElements(vEvictionCandidates, CompareNodeBlockTime, 4);

    // Protect some of the remaining eviction candidates by ratios of desirable
    // or disadvantaged characteristics.
    ProtectEvictionCandidatesByRatio(vEvictionCandidates);

    if (vEvictionCandidates.empty()) return std::nullopt;

    // If any remaining peers are preferred for eviction consider only them.
    // This happens after the other preferences since if a peer is really the best by other criteria (esp relaying blocks)
    //  then we probably don't want to evict it no matter what.
    if (std::any_of(vEvictionCandidates.begin(),vEvictionCandidates.end(),[](NodeEvictionCandidate const &n){return n.prefer_evict;})) {
        vEvictionCandidates.erase(std::remove_if(vEvictionCandidates.begin(),vEvictionCandidates.end(),
                                  [](NodeEvictionCandidate const &n){return !n.prefer_evict;}),vEvictionCandidates.end());
    }

    // Identify the network group with the most connections and youngest member.
    // (vEvictionCandidates is already sorted by reverse connect time)
    uint64_t naMostConnections;
    unsigned int nMostConnections = 0;
    std::chrono::seconds nMostConnectionsTime{0};
    std::map<uint64_t, std::vector<NodeEvictionCandidate> > mapNetGroupNodes;
    for (const NodeEvictionCandidate &node : vEvictionCandidates) {
        std::vector<NodeEvictionCandidate> &group = mapNetGroupNodes[node.nKeyedNetGroup];
        group.push_back(node);
        const auto grouptime{group[0].m_connected};

        if (group.size() > nMostConnections || (group.size() == nMostConnections && grouptime > nMostConnectionsTime)) {
            nMostConnections = group.size();
            nMostConnectionsTime = grouptime;
            naMostConnections = node.nKeyedNetGroup;
        }
    }

    // Reduce to the network group with the most connections
    vEvictionCandidates = std::move(mapNetGroupNodes[naMostConnections]);

    // Disconnect from the network group with the most connections
    return vEvictionCandidates.front().id;
}

fuzz coverage

Coverage Report

Created: 2025-10-29 15:27

Line	Count	Source (jump to first uncovered line)
1		// Copyright (c) 2022 The Bitcoin Core developers
2		// Distributed under the MIT software license, see the accompanying
3		// file COPYING or http://www.opensource.org/licenses/mit-license.php.
4
5		#include <node/eviction.h>
6
7		#include <algorithm>
8		#include <array>
9		#include <chrono>
10		#include <cstdint>
11		#include <functional>
12		#include <map>
13		#include <vector>
14
15
16		static bool ReverseCompareNodeMinPingTime(const NodeEvictionCandidate &a, const NodeEvictionCandidate &b)
17	0	{
18	0	return a.m_min_ping_time > b.m_min_ping_time;
19	0	}
20
21		static bool ReverseCompareNodeTimeConnected(const NodeEvictionCandidate &a, const NodeEvictionCandidate &b)
22	0	{
23	0	return a.m_connected > b.m_connected;
24	0	}
25
26	0	static bool CompareNetGroupKeyed(const NodeEvictionCandidate &a, const NodeEvictionCandidate &b) {
27	0	return a.nKeyedNetGroup < b.nKeyedNetGroup;
28	0	}
29
30		static bool CompareNodeBlockTime(const NodeEvictionCandidate &a, const NodeEvictionCandidate &b)
31	0	{
32		// There is a fall-through here because it is common for a node to have many peers which have not yet relayed a block.
33	0	if (a.m_last_block_time != b.m_last_block_time) return a.m_last_block_time < b.m_last_block_time;
34	0	if (a.fRelevantServices != b.fRelevantServices) return b.fRelevantServices;
35	0	return a.m_connected > b.m_connected;
36	0	}
37
38		static bool CompareNodeTXTime(const NodeEvictionCandidate &a, const NodeEvictionCandidate &b)
39	0	{
40		// There is a fall-through here because it is common for a node to have more than a few peers that have not yet relayed txn.
41	0	if (a.m_last_tx_time != b.m_last_tx_time) return a.m_last_tx_time < b.m_last_tx_time;
42	0	if (a.m_relay_txs != b.m_relay_txs) return b.m_relay_txs;
43	0	if (a.fBloomFilter != b.fBloomFilter) return a.fBloomFilter;
44	0	return a.m_connected > b.m_connected;
45	0	}
46
47		// Pick out the potential block-relay only peers, and sort them by last block time.
48		static bool CompareNodeBlockRelayOnlyTime(const NodeEvictionCandidate &a, const NodeEvictionCandidate &b)
49	0	{
50	0	if (a.m_relay_txs != b.m_relay_txs) return a.m_relay_txs;
51	0	if (a.m_last_block_time != b.m_last_block_time) return a.m_last_block_time < b.m_last_block_time;
52	0	if (a.fRelevantServices != b.fRelevantServices) return b.fRelevantServices;
53	0	return a.m_connected > b.m_connected;
54	0	}
55
56		/**
57		* Sort eviction candidates by network/localhost and connection uptime.
58		* Candidates near the beginning are more likely to be evicted, and those
59		* near the end are more likely to be protected, e.g. less likely to be evicted.
60		* - First, nodes that are not `is_local` and that do not belong to `network`,
61		* sorted by increasing uptime (from most recently connected to connected longer).
62		* - Then, nodes that are `is_local` or belong to `network`, sorted by increasing uptime.
63		*/
64		struct CompareNodeNetworkTime {
65		const bool m_is_local;
66		const Network m_network;
67	0	CompareNodeNetworkTime(bool is_local, Network network) : m_is_local(is_local), m_network(network) {}
68		bool operator()(const NodeEvictionCandidate& a, const NodeEvictionCandidate& b) const
69	0	{
70	0	if (m_is_local && a.m_is_local != b.m_is_local) return b.m_is_local;
71	0	if ((a.m_network == m_network) != (b.m_network == m_network)) return b.m_network == m_network;
72	0	return a.m_connected > b.m_connected;
73	0	};
74		};
75
76		//! Sort an array by the specified comparator, then erase the last K elements where predicate is true.
77		template <typename T, typename Comparator>
78		static void EraseLastKElements(
79		std::vector<T>& elements, Comparator comparator, size_t k,
80	0	std::function<bool(const NodeEvictionCandidate&)> predicate = [](const NodeEvictionCandidate& n) { return true; })
81	0	{
82	0	std::sort(elements.begin(), elements.end(), comparator);
83	0	size_t eraseSize = std::min(k, elements.size());
84	0	elements.erase(std::remove_if(elements.end() - eraseSize, elements.end(), predicate), elements.end());
85	0	} Unexecuted instantiation: eviction.cpp:_ZL18EraseLastKElementsI21NodeEvictionCandidate22CompareNodeNetworkTimeEvRNSt3__16vectorIT_NS2_9allocatorIS4_EEEET0_mNS2_8functionIFbRKS0_EEE Unexecuted instantiation: eviction.cpp:_ZL18EraseLastKElementsI21NodeEvictionCandidatePFbRKS0_S2_EEvRNSt3__16vectorIT_NS5_9allocatorIS7_EEEET0_mNS5_8functionIFbS2_EEE
86
87		void ProtectNoBanConnections(std::vector<NodeEvictionCandidate>& eviction_candidates)
88	0	{
89	0	eviction_candidates.erase(std::remove_if(eviction_candidates.begin(), eviction_candidates.end(),
90	0	[](NodeEvictionCandidate const& n) {
91	0	return n.m_noban;
92	0	}),
93	0	eviction_candidates.end());
94	0	}
95
96		void ProtectOutboundConnections(std::vector<NodeEvictionCandidate>& eviction_candidates)
97	0	{
98	0	eviction_candidates.erase(std::remove_if(eviction_candidates.begin(), eviction_candidates.end(),
99	0	[](NodeEvictionCandidate const& n) {
100	0	return n.m_conn_type != ConnectionType::INBOUND;
101	0	}),
102	0	eviction_candidates.end());
103	0	}
104
105		void ProtectEvictionCandidatesByRatio(std::vector<NodeEvictionCandidate>& eviction_candidates)
106	0	{
107		// Protect the half of the remaining nodes which have been connected the longest.
108		// This replicates the non-eviction implicit behavior, and precludes attacks that start later.
109		// To favorise the diversity of our peer connections, reserve up to half of these protected
110		// spots for Tor/onion, localhost, I2P, and CJDNS peers, even if they're not longest uptime
111		// overall. This helps protect these higher-latency peers that tend to be otherwise
112		// disadvantaged under our eviction criteria.
113	0	const size_t initial_size = eviction_candidates.size();
114	0	const size_t total_protect_size{initial_size / 2};
115
116		// Disadvantaged networks to protect. In the case of equal counts, earlier array members
117		// have the first opportunity to recover unused slots from the previous iteration.
118	0	struct Net { bool is_local; Network id; size_t count; };
119	0	std::array<Net, 4> networks{
120	0	{{false, NET_CJDNS, 0}, {false, NET_I2P, 0}, {/localhost=/true, NET_MAX, 0}, {false, NET_ONION, 0}}};
121
122		// Count and store the number of eviction candidates per network.
123	0	for (Net& n : networks) {
124	0	n.count = std::count_if(eviction_candidates.cbegin(), eviction_candidates.cend(),
125	0	[&n](const NodeEvictionCandidate& c) {
126	0	return n.is_local ? c.m_is_local : c.m_network == n.id;
127	0	});
128	0	}
129		// Sort `networks` by ascending candidate count, to give networks having fewer candidates
130		// the first opportunity to recover unused protected slots from the previous iteration.
131	0	std::stable_sort(networks.begin(), networks.end(), [](Net a, Net b) { return a.count < b.count; });
132
133		// Protect up to 25% of the eviction candidates by disadvantaged network.
134	0	const size_t max_protect_by_network{total_protect_size / 2};
135	0	size_t num_protected{0};
136
137	0	while (num_protected < max_protect_by_network) {
138		// Count the number of disadvantaged networks from which we have peers to protect.
139	0	auto num_networks = std::count_if(networks.begin(), networks.end(), [](const Net& n) { return n.count; });
140	0	if (num_networks == 0) {
141	0	break;
142	0	}
143	0	const size_t disadvantaged_to_protect{max_protect_by_network - num_protected};
144	0	const size_t protect_per_network{std::max(disadvantaged_to_protect / num_networks, static_cast<size_t>(1))};
145		// Early exit flag if there are no remaining candidates by disadvantaged network.
146	0	bool protected_at_least_one{false};
147
148	0	for (Net& n : networks) {
149	0	if (n.count == 0) continue;
150	0	const size_t before = eviction_candidates.size();
151	0	EraseLastKElements(eviction_candidates, CompareNodeNetworkTime(n.is_local, n.id),
152	0	protect_per_network, [&n](const NodeEvictionCandidate& c) {
153	0	return n.is_local ? c.m_is_local : c.m_network == n.id;
154	0	});
155	0	const size_t after = eviction_candidates.size();
156	0	if (before > after) {
157	0	protected_at_least_one = true;
158	0	const size_t delta{before - after};
159	0	num_protected += delta;
160	0	if (num_protected >= max_protect_by_network) {
161	0	break;
162	0	}
163	0	n.count -= delta;
164	0	}
165	0	}
166	0	if (!protected_at_least_one) {
167	0	break;
168	0	}
169	0	}
170
171		// Calculate how many we removed, and update our total number of peers that
172		// we want to protect based on uptime accordingly.
173	0	assert(num_protected == initial_size - eviction_candidates.size());
174	0	const size_t remaining_to_protect{total_protect_size - num_protected};
175	0	EraseLastKElements(eviction_candidates, ReverseCompareNodeTimeConnected, remaining_to_protect);
176	0	}
177
178		[[nodiscard]] std::optional<NodeId> SelectNodeToEvict(std::vector<NodeEvictionCandidate>&& vEvictionCandidates)
179	0	{
180		// Protect connections with certain characteristics
181
182	0	ProtectNoBanConnections(vEvictionCandidates);
183
184	0	ProtectOutboundConnections(vEvictionCandidates);
185
186		// Deterministically select 4 peers to protect by netgroup.
187		// An attacker cannot predict which netgroups will be protected
188	0	EraseLastKElements(vEvictionCandidates, CompareNetGroupKeyed, 4);
189		// Protect the 8 nodes with the lowest minimum ping time.
190		// An attacker cannot manipulate this metric without physically moving nodes closer to the target.
191	0	EraseLastKElements(vEvictionCandidates, ReverseCompareNodeMinPingTime, 8);
192		// Protect 4 nodes that most recently sent us novel transactions accepted into our mempool.
193		// An attacker cannot manipulate this metric without performing useful work.
194	0	EraseLastKElements(vEvictionCandidates, CompareNodeTXTime, 4);
195		// Protect up to 8 non-tx-relay peers that have sent us novel blocks.
196	0	EraseLastKElements(vEvictionCandidates, CompareNodeBlockRelayOnlyTime, 8,
197	0	[](const NodeEvictionCandidate& n) { return !n.m_relay_txs && n.fRelevantServices; });
198
199		// Protect 4 nodes that most recently sent us novel blocks.
200		// An attacker cannot manipulate this metric without performing useful work.
201	0	EraseLastKElements(vEvictionCandidates, CompareNodeBlockTime, 4);
202
203		// Protect some of the remaining eviction candidates by ratios of desirable
204		// or disadvantaged characteristics.
205	0	ProtectEvictionCandidatesByRatio(vEvictionCandidates);
206
207	0	if (vEvictionCandidates.empty()) return std::nullopt;
208
209		// If any remaining peers are preferred for eviction consider only them.
210		// This happens after the other preferences since if a peer is really the best by other criteria (esp relaying blocks)
211		// then we probably don't want to evict it no matter what.
212	0	if (std::any_of(vEvictionCandidates.begin(),vEvictionCandidates.end(),[](NodeEvictionCandidate const &n){return n.prefer_evict;})) {
213	0	vEvictionCandidates.erase(std::remove_if(vEvictionCandidates.begin(),vEvictionCandidates.end(),
214	0	[](NodeEvictionCandidate const &n){return !n.prefer_evict;}),vEvictionCandidates.end());
215	0	}
216
217		// Identify the network group with the most connections and youngest member.
218		// (vEvictionCandidates is already sorted by reverse connect time)
219	0	uint64_t naMostConnections;
220	0	unsigned int nMostConnections = 0;
221	0	std::chrono::seconds nMostConnectionsTime{0};
222	0	std::map<uint64_t, std::vector<NodeEvictionCandidate> > mapNetGroupNodes;
223	0	for (const NodeEvictionCandidate &node : vEvictionCandidates) {
224	0	std::vector<NodeEvictionCandidate> &group = mapNetGroupNodes[node.nKeyedNetGroup];
225	0	group.push_back(node);
226	0	const auto grouptime{group[0].m_connected};
227
228	0	if (group.size() > nMostConnections \|\| (group.size() == nMostConnections && grouptime > nMostConnectionsTime)) {
229	0	nMostConnections = group.size();
230	0	nMostConnectionsTime = grouptime;
231	0	naMostConnections = node.nKeyedNetGroup;
232	0	}
233	0	}
234
235		// Reduce to the network group with the most connections
236	0	vEvictionCandidates = std::move(mapNetGroupNodes[naMostConnections]);
237
238		// Disconnect from the network group with the most connections
239	0	return vEvictionCandidates.front().id;
240	0	}