refactor: consolidate activeMasternodeInfo{Cs} into CActiveMasternodeManager, create NodeContext alias, reduce globals usage

[kwvg]

Additional Information

• CActiveMasternodeManager, unlike other managers, is conditionally initialized (specifically, when the node is hosting a masternode). This means that checks need to be made to ensure that the conditions needed to initialize the manager are true or that the pointer leads to a valid manager instance.

  As the codebase currently checks (and fast-fails) based on the node being in "masternode mode" (fMasternodeMode) or not, we will continue with this approach, but with additional assertions after the masternode mode check if the manager exists.

• Though, since activeMasternodeInfo(Cs) are global variables, they can be accessed regardless of whether the corresponding manager exists. This means some parts of the codebase attempt to fetch information about the (nonexistent) active masternode before determining if it should use the masternode mode path or not (looking at you, CMNAuth::ProcessMessage)

  Moving them into CActiveMasternodeManager meant adding checks before attempting to access information about the masternode, as they would no longer be accessible with dummy values (here) on account of being part of the conditionally initialized manager.

  • In an attempt to opportunistically dereference the manager, CDKGSessionManager (accepting a pointer) was dereferencing the manager before passing it to CDKGSessionHandler. This was done under the assumption that CDKGSessionManager would only ever be initialized in masternode mode.

    This is not true. I can confirm that because I spent a few days trying to debug test failures. CDKGSessionHandler is initialized in two scenarios:

    • In masternode mode
    • If the -watchquorums flag is enabled

    The latter scenario doesn't initialize CActiveMasternodeManager.

    Furthermore, the DKG round thread is started unconditionally (here) and the CDKGSessionHandler::StartThreads > CDKGSessionHandler::StartThread > CDKGSessionHandler::PhaseHandlerThread > CDKGSessionHandler::HandleDKGRound > CDKGSessionHandler::InitNewQuorum > CActiveMasternodeManager::GetProTxHash call chain reveals an attempt to fetch active masternode information without any masternode mode checks.

    This behaviour has now been changed and the thread will only be spun up if in masternode mode.

  • Dereferencing so far has been limited to objects that primarily hold data (like CCoinJoinBroadcastTx or CGovernanceObject) as they should not have knowledge of node's state (that responsibility lies with whatever manager manipulates those objects), perform one-off operations and static functions.

• activeMasternodeInfo allowed its members to be read-write accessible to anybody who asked. Additionally, signing and decrypting involved borrowing the operator secret key from the active masternode state to perform those operations.

  This behaviour has now been changed. The internal state is now private and accessible read-only as a const ref (or copy) and Decrypt/Sign functions have been implemented to allow those operations to happen without having another manager access the operator private key in order to do so.

• You cannot combine a WITH_LOCK and an Assert (in either mutex or accessed value), doing so will cause errors if -Werror=thread-safety is enabled. This is why asserts are added even when it would intuitively seem that Assert would've been more appropriate to use.

Future Considerations

Currently there are no unit tests that test the functionality of CActiveMasternodeManager as it's never initialized in test contexts, breakage had to be found using functional tests. Perhaps some (rudimentary) tests for CActiveMasternodeManager may prove to be valuable.

Breaking Changes

Not really. Some behaviour has been modified but nothing that should necessitate updates or upgrades.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas (note: N/A)
• I have added or updated relevant unit/integration/functional/e2e tests
• I have made corresponding changes to the documentation (note: N/A)
• I have assigned this pull request to a milestone (for repository code-owners and collaborators only)

[PastaPastaPasta]

Since this isn't backports; it'd be nice to have Clang-Diff format clean: https://github.com/dashpay/dash/actions/runs/8316932637/job/22757066218?pr=5940

[UdjinM6]

Since this isn't backports; it'd be nice to have Clang-Diff format clean: https://github.com/dashpay/dash/actions/runs/8316932637/job/22757066218?pr=5940

I look at these clang-diff suggestions and I hate most of it tbh...

[knst]

I look at these clang-diff suggestions and I hate most of it tbh...

I have an idea: #5942

[knst]

this code is equivalent due to || property.

[PastaPastaPasta]

👍 please revert

[kwvg]

Was a stylistic choice to keep the check for masternode mode and the check that relies on the previous check that masternode mode is active on separate lines. Reading the function without context gives the impression those are two separate conditions being checked while the second condition itself relies on the first condition's result.

[PastaPastaPasta]

clang-tidy will be annoyed about two if blocks next to each other with duplicate bodies

[knst]

why changed order?

[kwvg]

To enforce the correct order of changes.

Changes to the state (activeMasternodeInfo) must happen before changes to the manager (activeMasternodeManager), as the next commit changes activeMasternodeInfo to activeMasternodeManager->m_info, the following snippet would ensue if not for the ordering changes.

    if (fMasternodeMode) {
        UnregisterValidationInterface(activeMasternodeManager.get());
        activeMasternodeManager.reset();
    }

    {
        LOCK(activeMasternodeManager->cs);
        // make sure to clean up BLS keys before global destructors are called (they have allocated from the secure memory pool)
        activeMasternodeManager->m_info.blsKeyOperator.reset();
        activeMasternodeManager->m_info.blsPubKeyOperator.reset();
    }

[knst]

Should we active fMasternodeMode earlier as possible because it is widely used all over code base?

For instance, connman that now is initialized after fMasternodeMode flag uses it.
Does it indeed affect its implementation? I don't know, I haven't found a proof. Can it affect implementation? yes, an I can't say opposite before carefully checking of all objects initialized between line 1613 and line 1860 which are old and new initialization position of fMasternodeMode.

Other example is LLMQContext. if LLMQContext would be initialized before initialization of fMasternodeMode then worker qdkgsman would never start c5cd9c3#diff-3ce892d5580c8044e0b4ebc4d1fe596d919788682fc38ccd66913508ff8fc43dR80

so, I'd say that this code moving is a dangerous and could cause hidden bugs that can be discovered years later

[PastaPastaPasta]

It should be totally fine; as the call to LLMQContext::Start is also in AppInitMain; just a few hundred lines later: https://github.com/dashpay/dash/blob/d58e41514d7d93c61cbcd237c855674a87798f38/src/init.cpp#L1959;|

also my guess is that @kwvg was forced to due this by compiler / linter

[PastaPastaPasta]

but referring to commit: 513c3f9 I am curious why we are moving it down?

[kwvg]

The code had to be moved somewhere.

Initialization of activeMasternodeInfo and activeMasternodeManager were disjoint since they were globals in their own right but since activeMasternodeInfo's contents were being subsumed into activeMasternodeManager, the state needed to be initialized after the manager (and later commits remove later initialization by adding it into the manager's constructor).

It was moved downwards instead of upwards because downwards was where the manager was being initialized and to avoid upsetting anything it was kept that way. As a bonus, keeping it downward meant I get to keep passing a dereferenced node.connman.

Is it possible that bugs may show up but the node doesn't start until much later and aside from CDKGSessionManager, I'm not aware of any constructors that check on "masternode mode" status.

[knst]

nit: unrelated

[knst]

if it someone will try to access this object when we are in desctructor - we have a bigger race and locking cs won't help already.
No need cs here

---

I see it is updated in commits later. But at first, you don't need descrtuctor even for unique_ptr, so, can be simplified before refactoring unique_ptr to members.

[kwvg]

That change was made to map where the changes from init.cpp went

[knst]

no need forcely clean m_info; they would be desctroyed as a part of activeMasternodeManager

[PastaPastaPasta]

I think I agree; wouldn't default destructor do the same stuff?

[kwvg]

We got rid of the destructor in 4363e3c

[knst]

btw, why it is here, not in llmq-context? without llmq context activeMasternodeManager has no usage; and it is heavily used in llmq-context.

(not a blocker to get merged, just an opener for a discussion, either way is fine for me)

[kwvg]

Because activeMasternodeManager

• Relies on CConnman and CDeterministicMNManager to exist (source)
• It doesn't depend on LLMQ managers to exist (unlike most LLMQ managers, which depend on each other)
• It's used in MNAuth (source) and CGovernanceManager (source)

It's better suited for a future MNContext after we deglobalize some more.

[github-actions]

This pull request has conflicts, please rebase.

[PastaPastaPasta]

It would be a nice refactor to make activeMasternodeInfo into an optional; or some other type that cannot be accessed accidentally.

[kwvg]

activeMasternodeInfo (now m_info) is an unconditionally initialized part of activeMasternodeManager, which is conditionally initialized. If we had to pass activeMasternodeManager as an optional reference, the argument list would be accepting an std::optional<std::reference_wrapper<CActiveMasternodeManager>> and unwrapping it would involve mn_activeman.value().get() (std::optional, std::reference_wrapper).

It can be made less contrived by using mn_activeman->get() but regardless, it would require that at the start of every function that uses it more than once, we'd have to setup something like...

    auto mn_activeman = m_mn_activeman_ref.value().get();
// [...]
    auto mnList = m_dmnman.GetListAtChainTip();
    auto dmn = WITH_LOCK(mn_activeman.cs, return mnList.GetValidMNByCollateral(mn_activeman.GetOutPoint()));

Arguably we have to do something similar with all the added assertions already but since the codebase is already used to that approach, we've continued on with it. Maybe we could revisit this approach but IMO it's out of the scope of this PR.

[PastaPastaPasta]

please consider: PastaPastaPasta@c52d169

[PastaPastaPasta]

👍 please revert

[PastaPastaPasta]

I'd prefer something like

const uint256 myProTxHash = []() {
    if (fMasternodeMode) {
        return WITH_LOCK(activeMasternodeInfoCs, return activeMasternodeInfo.proTxHash);
    } else {
        return uint256();
    }
}();
    

[kwvg]

Feels overengineered for a variable that doesn't get many opportunities to be mutated (first by CActiveMasternodeManager::GetProTxHash and then by llmq::utils::DeterministicOutboundConnection, which already accepts a const ref).

If the value was passed through multiple functions and is a part of a large function, the tradeoff would be worth the certainty the value was never mutated but this doesn't seem like such a case.

[PastaPastaPasta]

Feels overengineered

only in C++ :D any other modern language would have a syntax that makes this feel more build in instead of "engineered" but the only good way to do think in c++ is to use a lambda.

let myProTxHash = if fMasternodeMode {
    WITH_LOCK(activeMasternodeInfoCs, return activeMasternodeInfo.proTxHash)
} else {
    uint256()
}

I guess in this instance we can do

const uint256 myProTxHash = fMasternodeMode ? 
    WITH_LOCK(activeMasternodeInfoCs, return activeMasternodeInfo.proTxHash) : 
    uint256();

[kwvg]

The latter is acceptable to me but the moment we have to add additional assertions, the former suggestion seems to be the only way to retain constness.

It's been trimmed down though to be more similar to...

const uint256 myProTxHash = [this]() {
    if (!fMasternodeMode) return uint256();
    assert(m_mn_activeman);
    return WITH_LOCK(m_mn_activeman->cs, return m_mn_activeman->GetProTxHash());
}();

Resolved in latest push

[knst]

could be simplified a bit more:

const uint256 myProTxHash = [this]() {
    if (!fMasternodeMode) return uint256{};
    return WITH_LOCK(Assert(m_mn_activeman)->cs, return m_mn_activeman->GetProTxHash());
}();

anyway, this lock cs would be removed once #5940 (comment) is done

and it would become just
const uint256 myProTxHash{fMasternodeMode ? Assert(m_mn_activeman)->GetProTxHash() : uint256{}};

[kwvg]

WITH_LOCK(Assert(m_mn_activeman)->cs, return m_mn_activeman->GetProTxHash()); doesn't work, I've mentioned this in the PR description.

You cannot combine a WITH_LOCK and an Assert (in either mutex or accessed value), doing so will cause errors if -Werror=thread-safety is enabled. This is why asserts are added even when it would intuitively seem that Assert would've been more appropriate to use.

[PastaPastaPasta]

but referring to commit: 513c3f9 I am curious why we are moving it down?

[PastaPastaPasta]

should revert

[PastaPastaPasta]

I think I agree; wouldn't default destructor do the same stuff?

[PastaPastaPasta]

We should lock internally if we are returning a copy; an external lock should only be required for a reference

[kwvg]

We are locking externally as opposed to internally to minimize the amount of code modification (existing code that read with activeMasternodeInfo used to hold the lock before attempting to read from it) and reducing the amount of lock-unlock events (functions that tend to read one value tend to read more).

Internal locking was used for functions introduced in this PR like Decrypt and Sign, because its usage doesn't usually involve accessing other members (where it might be reasonable to refactor the code to have all accesses under one locked scope), the exception to that rule is CMNAuth::PushMNAUTH, which I had to refactor so that it fetches values under one externally locked scope and signs outside, with locking done internally.

[PastaPastaPasta]

Hmm.. Maybe let's add a TODO then? I do think we should only lock externally if we are getting a ref (or something else lifetime bound)

[kwvg]

Done, resolved in latest push

[github-actions]

This pull request has conflicts, please rebase.

[knst]

LGTM 815e4f8

[PastaPastaPasta]

utACK 815e4f8

[UdjinM6]

LGTM, light ACK