Cirrus failures:

In file included from init.cpp:55:
./txorphanage.h:50:28: error: reading variable 'm_orphans' requires holding mutex 'g_cs_orphans' [-Werror,-Wthread-safety-analysis]
    size_t Size() { return m_orphans.size(); };
                           ^
1 error generated.
make[2]: *** [libbitcoin_server_a-init.o] Error 1
make[2]: *** Waiting for unfinished jobs....
  CXX      libbitcoin_server_a-net_processing.o
In file included from net_processing.cpp:29:
./txorphanage.h:50:28: error: reading variable 'm_orphans' requires holding mutex 'g_cs_orphans' [-Werror,-Wthread-safety-analysis]
    size_t Size() { return m_orphans.size(); };
                           ^
net_processing.cpp:410:59: error: expected ';' at end of declaration list
    CRollingBloomFilter m_recent_rejects{120000, 0.000001} GUARDED_BY(cs_main);
                                                          ^
                                                          ;
net_processing.cpp:429:73: error: expected ';' at end of declaration list
    CRollingBloomFilter m_recent_confirmed_transactions{48000, 0.000001} GUARDED_BY(m_recent_confirmed_transactions_mutex);
                                                                        ^
                                                                        ;
3 errors generated.

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• test: Implicitly sync after generate* to preempt races and intermittent test failures #22567 by MarcoFalke
• test: Implicitly sync after generate* to preempt races and intermittent test failures #20362 by MarcoFalke
• test: Extend stale tip test #18470 by MarcoFalke

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

Strong Concept ACK

I find the suggested code easier to reason about from a safety and correctness perspective.

The build failure is because Assume breaks static lock analysis. One way to fix is to assign the assumed-value to a bool first.

Thanks Marco! I've just reverted these checks to assert() for now.

@jnewbery Help me to understand the motivation for "[net processing] Move consistency checks to PeerManagerImpl dtor" commit please.

My current understanding is following. A consistency is an invariant that the PeerManagerImpl class must hold. It's ctor's job to establish class's invariants, and member functions' job to preserve invariants. Delegating such a task to dtor seems unusual for me.

Help me to understand the motivation for "[net processing] Move consistency checks to PeerManagerImpl dtor" commit please.

My current understanding is following. A consistency is an invariant that the PeerManagerImpl class must hold. It's ctor's job to establish class's invariants, and member functions' job to preserve invariants. Delegating such a task to dtor seems unusual for me.

I think that's fair. My reasoning was that these invariant checks are all test/development asserts. We'd hope that they'd never be hit in the wild. They currently run when the peer count drops to zero, but if there's an inconsistency then, we'd expect those invariants to also be false when the PeerManagerImpl is destructed on shutdown.

My motivation is that I want to pull some of these members out from being guarded by cs_main. The global counts like m_outbound_peers_with_protect_from_disconnect and m_wtxid_relay_peers don't actually need to be atomically updated with the correspondingCNodeState member variables m_chain_sync.m_protect and m_wtxid_relay. We could pull those things out of cs_main and just make them separate atomics and that'd be safe, but not obviously so. FinalizeNode() is called by the same thread that increments the counters, so there's no way that they can be non-zero whilst the final peer is being removed. However, if other threads were able to increment the counters, these invariants would no longer be true. That's not the case if we move the invariant checks to the destructor. Inside the dtor, we know that no other thread can be mutating the members, so the counters must be at zero.

🕵️ @sipa has been requested to review this pull request as specified in the REVIEWERS file.

@hebasto - there are various changes to net_processing logging happening in 21527, so I've removed the changes to the destructor here until those land. Let me know if you think the remaining changes to the constructor in this PR are worth keeping.

Also rebased on current master.

Code review ACK b26a5ad

I was confused by the asserts prior to this PR. Also there are two typos in the commit messages "contetx" should be "context"?

Thanks @Crypt-iQ. I've corrected the typos in the commit logs.

I was confused by the asserts prior to this PR.

These were to ensure that recentRejects wasn't null before dereferencing it. No need for that now that m_recent_rejects is not a pointer.

Code review ACK d6cef4d

Only the commit messages were fixed from b26a5ad, so should be good.

Rebased on master to fix fuzz CI timeout.

Code review ACK 93e881f

Commit message 9e6bf78 has a typo: rejectRejects should be recentRejects

Rebased.

Commit message 9e6bf78 has a typo: rejectRejects should be recentRejects

Fixed. Thank you!

review ACK d5dd3fa 🔠

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

review ACK d5dd3fa1de2f96a7ddfd8b300829c68b93bd4607 🔠
-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEE+rVPoUahrI9sLGYTzit1aX5ppUgFAlwqrYAACgkQzit1aX5p
pUhpNwwAjxKP8RmX2H5ReC3tV5MQ/WvFMI9x+WHwIiNcpkRQ8wk4kErsemjnoroT
gEZg/nq3IfgMQL3LvaU270gGOdH3J45TFJtoGCtq+nogV/nU8TwjlCzP0vUsRzfP
3hiarnsn3GIJs9r01uC31GII/TrTSZPDjsKxd9X5aLKAtjsMlB9C5mZdQtQ5CYul
+3QGhnGGZpTIqE9V24dY0sOUrO54UtSW87qaxRXx88MkgVz+LTF1TDjSJy9We6Hj
ehe8OTC9MoHOYJ5rv7aiLsrJ9H28Ntal6w84Q9lts1laTEyMlazegtjIvoUogrP4
eswz53RfJg1APyIDZPn62+xNp3XYIG7ib29L3A/lsjjbw6d862EDOmyjVVloTMcM
Tb7ruvFaZdr8k9TBeKtZ1P/ecEPszUWldCIJ5RXo9iIIGaks7f8OKJNyTmgxjfVj
HOVgn1gwuE2sTQHb6pSuW45JBOslXCrYaCOQNWrCpX29X0iOpT4bJM31WVX1lFzH
TtiamXSG
=v+4O
-----END PGP SIGNATURE-----

cr ACK d5dd3fa

Thanks for the reviews @MarcoFalke, @hebasto, @practicalswift. I've addressed all of the review comments from @hebasto so this is now ready for re-review.

While touching the net_processing.cpp, also a typo which was introduced in #22141 could be fixed:

I was too slow. It's been fixed in #22323.

Thanks for the review @theStack. I didn't realize that the digit separator was permitted after the decimal point. I've taken your suggestion and rebased on master.

ACK fde1bf4 👞

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ACK fde1bf4f6136638e84cdf9806eedaae08e841bbf 👞
-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEE+rVPoUahrI9sLGYTzit1aX5ppUgFAlwqrYAACgkQzit1aX5p
pUgIaAv+PZATwaBhcsf9/tfSEfMxRLP+BpK9c5vKV+URqEVG8wL+rV+vi/4Sdv5K
C7aNNt2AXAYZgqnIAvmsg1uL8G3uFZHHAo54ziHVjS7MlrG0+SSg5jKOerW/QjwA
Qb1BJqMP/ra4Jm7PHVcbGTjQg6Z0t3kJ+11jzqpVCRJ21NTPNwajBrrcpNKkdwHP
7sIKPVi5LLvK8V43gwGoAbEl9Dtwj/SfOIkaINpeZv8URYeKLYey3s3yjiO06wH1
9eXj+Sglww9GiPETOBuFMEMKcc9hCktK2oEHMv3U3d5cC12F9Dtjp1NazPNmBnvj
FwNAVbP//HwTIv0oZ+7dsZ/SKNIgKlgXR8fAsKH0ZiD85vC1ZalobhVqkmrRMX86
vW9ZP2Fj8X36Ez6vD+xRvy0cFMs+oQPPE4VLBnysmB5qT8uzcLSvSLTdwklW7FWK
T8XSw4GuNv/l/R7lEARBrkzajpMxtxRxNzvI5Zb7mu5CQWTZxogQFbCji+Vnk7ok
R+vr6Dyk
=9Rfq
-----END PGP SIGNATURE-----