I think this is the wrong approach.

I think this is the wrong approach.

That's at least ensure sync between wallet and chain tips otherwise all calls to BlockUntilSyncedToCurrentChain are just pointless, they don't do what is supposed to do. Your patch looks fine but not what we want when calls a function like BlockUntilSyncedToCurrentChain

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• Fix wallet unload race condition #18338 (wip: Fix wallet unload race condition by promag)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

@promag the problem is not the queued connection / disconnection, actually

void UnregisterValidationInterface(CValidationInterface* pwalletIn) {
    if (g_signals.m_internals) {
        g_signals.m_internals->m_connMainSignals.erase(pwalletIn);
    }
}

signal is received before disconnect is called by erasing the caller.

Fix unit test and rebase.

Let's clarify a bit more.

void disconnect() override
{
    if (m_notifications) {
        m_notifications = nullptr; // <---------------- it makes no sense to be before unregister
        UnregisterValidationInterface(this);
    }
}

Since ValidationInterfaceConnections calls destructors in reverse order, for a bad luck UpdatedBlockTip is disconnected last which is not held the mutex but update time by atomic variable.
Running in testnet for at least an hour in parallel with

#!/bin/bash
while [ 1 ]
do
    src/bitcoin-cli -testnet loadwallet test
    src/bitcoin-cli -testnet unloadwallet test
done

no crashes anymore.

while holding wallet lock and then test handler still exists in BlockConnected/BlockDisconnected

i don't think that's right approach to me.

@promag, @ryanofsky i have another, looking better to me, solution ensuring there is no background tasks, but i've not push since it's not well tested

diff --git a/src/scheduler.cpp b/src/scheduler.cpp
index 7cb7754fd..17c26be74 100644
--- a/src/scheduler.cpp
+++ b/src/scheduler.cpp
@@ -199,12 +199,16 @@ void SingleThreadedSchedulerClient::AddToProcessQueue(std::function<void ()> fun
 }
 
 void SingleThreadedSchedulerClient::EmptyQueue() {
-    assert(!m_pscheduler->AreThreadsServicingQueue());
-    bool should_continue = true;
+    if (!m_pscheduler->AreThreadsServicingQueue())
+        return;
+    auto hasCallbacks = [this]() -> bool {
+        LOCK(m_cs_callbacks_pending);
+        return !m_callbacks_pending.empty();
+    };
+    auto should_continue = hasCallbacks();
     while (should_continue) {
         ProcessQueue();
-        LOCK(m_cs_callbacks_pending);
-        should_continue = !m_callbacks_pending.empty();
+        should_continue = hasCallbacks();
     }
 }
 
diff --git a/src/validationinterface.cpp b/src/validationinterface.cpp
index 1deb93c97..87ade954c 100644
--- a/src/validationinterface.cpp
+++ b/src/validationinterface.cpp
@@ -90,6 +90,7 @@ void RegisterValidationInterface(CValidationInterface* pwalletIn) {
 void UnregisterValidationInterface(CValidationInterface* pwalletIn) {
     if (g_signals.m_internals) {
         g_signals.m_internals->m_connMainSignals.erase(pwalletIn);
+        g_signals.FlushBackgroundCallbacks();
     }
 }
 
diff --git a/src/wallet/wallet.cpp b/src/wallet/wallet.cpp
index 4c36caed8..51732c0ae 100644
--- a/src/wallet/wallet.cpp
+++ b/src/wallet/wallet.cpp
@@ -111,7 +111,7 @@ static void ReleaseWallet(CWallet* wallet)
     wallet->WalletLogPrintf("Releasing wallet\n");
     wallet->BlockUntilSyncedToCurrentChain();
     wallet->m_chain_notifications_handler.reset();
-    WITH_LOCK(wallet->cs_wallet, wallet->Flush());
+    wallet->Flush();
     delete wallet;
     // Wallet is now released, notify UnloadWallet, if any.
     {

Flushing callback right after disconnecting signals should effectively ensure we don't have pending and it will not need atomic notification pointer or so.

re: #18279 (comment)

@promag, @ryanofsky i have another, looking better to me, solution ensuring there is no background tasks, but i've not push since it's not well tested

This fix is very similar to c372219 from #18280, and probably we should review and merge #18280 when it's ready and close this PR.

In my opinion though, waiting for notifications is a fragile fix that will slow down wallet unloading and node shutdown without good reason. A better fix would be to switch to shared pointers instead of raw pointers and fix the use-after-delete bug more directly: 06d2b53 (branch, comment)

This fix is very similar to c372219 from #18280, and probably we should review and merge #18280 when it's ready and close this PR.

Still no to me, changes in BlockUntilSyncedToCurrentChain are significant to me.

Also sync should be in UnregisterValidationInterface to be applied in all cases.

Still no to me, changes in BlockUntilSyncedToCurrentChain are significant to me.

Of course no need to close this PR if you want to make other improvements, but I hope you can review #18280 when it's ready as a fix for the original issue. Also would encourage closing this PR and opening a new one if the new version will differ substantially, so the review comment history will be intelligible.

I would also caution that while BlockUntilSyncedToCurrentChain can definitely be cleaned up, its purpose is ensuring consistent results between RPC calls and it shouldn't be changed to block longer than actually necessary to fix real bugs.

Also sync should be in UnregisterValidationInterface to be applied in all cases.

This is only true when unregistering wallets, as far as I know. Not things like indexes. Also if we fix shared_ptr reference counting with 06d2b53 (branch, comment) it should not even be necessary for wallets. No reason conceptually wallets should have to wait for events they don't care about just to fix a pointer lifetime issue

This is only true when unregistering wallets, as far as I know. Not things like indexes.

No, that's not correct to me,

Maybe m_notifications should be an atomic pointer too since m_notifications is get and set from different threads, though probably the synchronization done by boost signals & the scheduler prevents bugs from it not being atomic

doing in UnregisterValidationInterface it ensures notification is not accessed in race condition.

No reason conceptually wallets should have to wait for events they don't care about just to fix a pointer lifetime issue

Agree with this.

From #18280:

From boost signal documentation at https://www.boost.org/doc/libs/1_72_0/doc/html/signals2/thread-safety.html:

When a signal is invoked by calling signal::operator(), the invocation first acquires a lock on the signal's mutex. Then it obtains a handle to the signal's slot list and combiner. Next it releases the signal's mutex, before invoking the combiner to iterate through the slot list.

This means that UnregisterValidationInterface doesn't prevent more calls to that interface.

But just calling SyncWithValidationInterfaceQueue (which BlockUntilSyncedToCurrentChain might call) doesn't fully fix the issue because on shutdown the scheduler thread is stopped earlier.

Obviously there are various possible fixes, like #18280 or 06d2b53. But this approach is clearly not good.