Merge bitcoin/bitcoin#33011: log: rate limiting followups

5c74a0b config: add DEBUG_ONLY -logratelimit (Eugene Siegel)
9f3b017 test: logging_filesize_rate_limit improvements (stickies-v)
350193e test: don't leak log category mask across tests (stickies-v)
05d7c22 test: add ReadDebugLogLines helper function (stickies-v)
3d630c2 log: make m_limiter a shared_ptr (stickies-v)
e8f9c37 log: clean up LogPrintStr_ and Reset, prefix all logs with "[*]" when there are suppressions (Eugene Siegel)
3c7cae4 log: change LogLimitStats to struct LogRateLimiter::Stats (Eugene Siegel)
8319a13 log: clarify RATELIMIT_MAX_BYTES comment, use RATELIMIT_WINDOW (Eugene Siegel)
5f70bc8 log: remove const qualifier from arguments in LogPrintFormatInternal (Eugene Siegel)
b8e92fb log: avoid double hashing in SourceLocationHasher (Eugene Siegel)
616bc22 test: remove noexcept(false) comment in ~DebugLogHelper (Eugene Siegel)

Pull request description:

  Followups to #32604.

  There are two behavior changes:
  - prefixing with `[*]` is done to all logs (regardless of `should_ratelimit`) per [this comment](bitcoin/bitcoin#32604 (comment)).
  - a DEBUG_ONLY `-disableratelimitlogging` flag is added by default to functional tests so they don't encounter rate limiting.

ACKs for top commit:
  stickies-v:
    re-ACK 5c74a0b
  achow101:
    ACK 5c74a0b
  l0rinc:
    Code review ACK 5c74a0b

Tree-SHA512: d32db5fcc28bb9b2a850f0048c8062200a3725b88f1cd9a0e137da065c0cf9a5d22e5d03cb16fe75ea7494801313ab34ffec7cf3e8577cd7527e636af53591c4

Author: achow101

src/init.cpp

@@ -1400,10 +1400,14 @@ bool AppInitMain(NodeContext& node, interfaces::BlockAndHeaderTipInfo* tip_info)
         }
     }, std::chrono::minutes{5});
 
-    LogInstance().SetRateLimiting(std::make_unique<BCLog::LogRateLimiter>(
-        [&scheduler](auto func, auto window) { scheduler.scheduleEvery(std::move(func), window); },
-        BCLog::RATELIMIT_MAX_BYTES,
-        1h));
+    if (args.GetBoolArg("-logratelimit", BCLog::DEFAULT_LOGRATELIMIT)) {
+        LogInstance().SetRateLimiting(BCLog::LogRateLimiter::Create(
+            [&scheduler](auto func, auto window) { scheduler.scheduleEvery(std::move(func), window); },
+            BCLog::RATELIMIT_MAX_BYTES,
+            BCLog::RATELIMIT_WINDOW));
+    } else {
+        LogInfo("Log rate limiting disabled");
+    }
 
     assert(!node.validation_signals);
     node.validation_signals = std::make_unique<ValidationSignals>(std::make_unique<SerialTaskRunner>(scheduler));

src/init/common.cpp

@@ -38,6 +38,7 @@ void AddLoggingArgs(ArgsManager& argsman)
     argsman.AddArg("-logsourcelocations", strprintf("Prepend debug output with name of the originating source location (source file, line number and function name) (default: %u)", DEFAULT_LOGSOURCELOCATIONS), ArgsManager::ALLOW_ANY, OptionsCategory::DEBUG_TEST);
     argsman.AddArg("-logtimemicros", strprintf("Add microsecond precision to debug timestamps (default: %u)", DEFAULT_LOGTIMEMICROS), ArgsManager::ALLOW_ANY | ArgsManager::DEBUG_ONLY, OptionsCategory::DEBUG_TEST);
     argsman.AddArg("-loglevelalways", strprintf("Always prepend a category and level (default: %u)", DEFAULT_LOGLEVELALWAYS), ArgsManager::ALLOW_ANY, OptionsCategory::DEBUG_TEST);
+    argsman.AddArg("-logratelimit", strprintf("Apply rate limiting to unconditional logging to mitigate disk-filling attacks (default: %u)", BCLog::DEFAULT_LOGRATELIMIT), ArgsManager::ALLOW_ANY | ArgsManager::DEBUG_ONLY, OptionsCategory::DEBUG_TEST);
     argsman.AddArg("-printtoconsole", "Send trace/debug info to console (default: 1 when no -daemon. To disable logging to file, set -nodebuglogfile)", ArgsManager::ALLOW_ANY, OptionsCategory::DEBUG_TEST);
     argsman.AddArg("-shrinkdebugfile", "Shrink debug.log file on client startup (default: 1 when no -debug)", ArgsManager::ALLOW_ANY, OptionsCategory::DEBUG_TEST);
 }

src/logging.cpp

@@ -371,23 +371,30 @@ static size_t MemUsage(const BCLog::Logger::BufferedLog& buflog)
            memusage::MallocUsage(sizeof(memusage::list_node<BCLog::Logger::BufferedLog>));
 }
 
-BCLog::LogRateLimiter::LogRateLimiter(
-    SchedulerFunction scheduler_func,
-    uint64_t max_bytes,
-    std::chrono::seconds reset_window) : m_max_bytes{max_bytes}, m_reset_window{reset_window}
+BCLog::LogRateLimiter::LogRateLimiter(uint64_t max_bytes, std::chrono::seconds reset_window)
+    : m_max_bytes{max_bytes}, m_reset_window{reset_window} {}
+
+std::shared_ptr<BCLog::LogRateLimiter> BCLog::LogRateLimiter::Create(
+    SchedulerFunction&& scheduler_func, uint64_t max_bytes, std::chrono::seconds reset_window)
 {
-    scheduler_func([this] { Reset(); }, reset_window);
+    auto limiter{std::shared_ptr<LogRateLimiter>(new LogRateLimiter(max_bytes, reset_window))};
+    std::weak_ptr<LogRateLimiter> weak_limiter{limiter};
+    auto reset = [weak_limiter] {
+        if (auto shared_limiter{weak_limiter.lock()}) shared_limiter->Reset();
+    };
+    scheduler_func(reset, limiter->m_reset_window);
+    return limiter;
 }
 
 BCLog::LogRateLimiter::Status BCLog::LogRateLimiter::Consume(
     const std::source_location& source_loc,
     const std::string& str)
 {
     StdLockGuard scoped_lock(m_mutex);
-    auto& counter{m_source_locations.try_emplace(source_loc, m_max_bytes).first->second};
-    Status status{counter.GetDroppedBytes() > 0 ? Status::STILL_SUPPRESSED : Status::UNSUPPRESSED};
+    auto& stats{m_source_locations.try_emplace(source_loc, m_max_bytes).first->second};
+    Status status{stats.m_dropped_bytes > 0 ? Status::STILL_SUPPRESSED : Status::UNSUPPRESSED};
 
-    if (!counter.Consume(str.size()) && status == Status::UNSUPPRESSED) {
+    if (!stats.Consume(str.size()) && status == Status::UNSUPPRESSED) {
         status = Status::NEWLY_SUPPRESSED;
         m_suppression_active = true;
     }
@@ -455,24 +462,26 @@ void BCLog::Logger::LogPrintStr_(std::string_view str, std::source_location&& so
     bool ratelimit{false};
     if (should_ratelimit && m_limiter) {
         auto status{m_limiter->Consume(source_loc, str_prefixed)};
-        if (status == BCLog::LogRateLimiter::Status::NEWLY_SUPPRESSED) {
+        if (status == LogRateLimiter::Status::NEWLY_SUPPRESSED) {
             // NOLINTNEXTLINE(misc-no-recursion)
             LogPrintStr_(strprintf(
                              "Excessive logging detected from %s:%d (%s): >%d bytes logged during "
                              "the last time window of %is. Suppressing logging to disk from this "
                              "source location until time window resets. Console logging "
-                             "unaffected. Last log entry.\n",
+                             "unaffected. Last log entry.",
                              source_loc.file_name(), source_loc.line(), source_loc.function_name(),
                              m_limiter->m_max_bytes,
                              Ticks<std::chrono::seconds>(m_limiter->m_reset_window)),
                          std::source_location::current(), LogFlags::ALL, Level::Warning, /*should_ratelimit=*/false); // with should_ratelimit=false, this cannot lead to infinite recursion
+        } else if (status == LogRateLimiter::Status::STILL_SUPPRESSED) {
+            ratelimit = true;
         }
-        ratelimit = status == BCLog::LogRateLimiter::Status::STILL_SUPPRESSED;
-        // To avoid confusion caused by dropped log messages when debugging an issue,
-        // we prefix log lines with "[*]" when there are any suppressed source locations.
-        if (m_limiter->SuppressionsActive()) {
-            str_prefixed.insert(0, "[*] ");
-        }
+    }
+
+    // To avoid confusion caused by dropped log messages when debugging an issue,
+    // we prefix log lines with "[*]" when there are any suppressed source locations.
+    if (m_limiter && m_limiter->SuppressionsActive()) {
+        str_prefixed.insert(0, "[*] ");
     }
 
     if (m_print_to_console) {
@@ -549,18 +558,17 @@ void BCLog::LogRateLimiter::Reset()
         source_locations.swap(m_source_locations);
         m_suppression_active = false;
     }
-    for (const auto& [source_loc, counter] : source_locations) {
-        uint64_t dropped_bytes{counter.GetDroppedBytes()};
-        if (dropped_bytes == 0) continue;
+    for (const auto& [source_loc, stats] : source_locations) {
+        if (stats.m_dropped_bytes == 0) continue;
         LogPrintLevel_(
-            LogFlags::ALL, Level::Info, /*should_ratelimit=*/false,
-            "Restarting logging from %s:%d (%s): %d bytes were dropped during the last %ss.\n",
+            LogFlags::ALL, Level::Warning, /*should_ratelimit=*/false,
+            "Restarting logging from %s:%d (%s): %d bytes were dropped during the last %ss.",
             source_loc.file_name(), source_loc.line(), source_loc.function_name(),
-            dropped_bytes, Ticks<std::chrono::seconds>(m_reset_window));
+            stats.m_dropped_bytes, Ticks<std::chrono::seconds>(m_reset_window));
     }
 }
 
-bool BCLog::LogLimitStats::Consume(uint64_t bytes)
+bool BCLog::LogRateLimiter::Stats::Consume(uint64_t bytes)
 {
     if (bytes > m_available_bytes) {
         m_dropped_bytes += bytes;

src/logging.h

@@ -18,6 +18,7 @@
 #include <cstring>
 #include <functional>
 #include <list>
+#include <memory>
 #include <mutex>
 #include <source_location>
 #include <string>
@@ -46,10 +47,10 @@ struct SourceLocationHasher {
     size_t operator()(const std::source_location& s) const noexcept
     {
         // Use CSipHasher(0, 0) as a simple way to get uniform distribution.
-        return static_cast<size_t>(CSipHasher(0, 0)
-                                       .Write(std::hash<std::string_view>{}(s.file_name()))
-                                       .Write(s.line())
-                                       .Finalize());
+        return size_t(CSipHasher(0, 0)
+                      .Write(s.line())
+                      .Write(MakeUCharSpan(std::string_view{s.file_name()}))
+                      .Finalize());
     }
 };
 
@@ -104,47 +105,34 @@ namespace BCLog {
     };
     constexpr auto DEFAULT_LOG_LEVEL{Level::Debug};
     constexpr size_t DEFAULT_MAX_LOG_BUFFER{1'000'000}; // buffer up to 1MB of log data prior to StartLogging
-    constexpr uint64_t RATELIMIT_MAX_BYTES{1024 * 1024}; // maximum number of bytes that can be logged within one window
+    constexpr uint64_t RATELIMIT_MAX_BYTES{1024 * 1024}; // maximum number of bytes per source location that can be logged within the RATELIMIT_WINDOW
+    constexpr auto RATELIMIT_WINDOW{1h}; // time window after which log ratelimit stats are reset
+    constexpr bool DEFAULT_LOGRATELIMIT{true};
 
-    //! Keeps track of an individual source location and how many available bytes are left for logging from it.
-    class LogLimitStats
+    //! Fixed window rate limiter for logging.
+    class LogRateLimiter
     {
-    private:
-        //! Remaining bytes in the current window interval.
-        uint64_t m_available_bytes;
-        //! Number of bytes that were not consumed within the current window.
-        uint64_t m_dropped_bytes{0};
-
     public:
-        LogLimitStats(uint64_t max_bytes) : m_available_bytes{max_bytes} {}
-        //! Consume bytes from the window if enough bytes are available.
-        //!
-        //! Returns whether enough bytes were available.
-        bool Consume(uint64_t bytes);
-
-        uint64_t GetAvailableBytes() const
-        {
-            return m_available_bytes;
-        }
-
-        uint64_t GetDroppedBytes() const
-        {
-            return m_dropped_bytes;
-        }
-    };
+        //! Keeps track of an individual source location and how many available bytes are left for logging from it.
+        struct Stats {
+            //! Remaining bytes
+            uint64_t m_available_bytes;
+            //! Number of bytes that were consumed but didn't fit in the available bytes.
+            uint64_t m_dropped_bytes{0};
+
+            Stats(uint64_t max_bytes) : m_available_bytes{max_bytes} {}
+            //! Updates internal accounting and returns true if enough available_bytes were remaining
+            bool Consume(uint64_t bytes);
+        };
 
-    /**
-     * Fixed window rate limiter for logging.
-     */
-    class LogRateLimiter
-    {
     private:
         mutable StdMutex m_mutex;
 
-        //! Counters for each source location that has attempted to log something.
-        std::unordered_map<std::source_location, LogLimitStats, SourceLocationHasher, SourceLocationEqual> m_source_locations GUARDED_BY(m_mutex);
-        //! True if at least one log location is suppressed. Cached view on m_source_locations for performance reasons.
+        //! Stats for each source location that has attempted to log something.
+        std::unordered_map<std::source_location, Stats, SourceLocationHasher, SourceLocationEqual> m_source_locations GUARDED_BY(m_mutex);
+        //! Whether any log locations are suppressed. Cached view on m_source_locations for performance reasons.
         std::atomic<bool> m_suppression_active{false};
+        LogRateLimiter(uint64_t max_bytes, std::chrono::seconds reset_window);
 
     public:
         using SchedulerFunction = std::function<void(std::function<void()>, std::chrono::milliseconds)>;
@@ -154,9 +142,12 @@ namespace BCLog {
          *                          reset_window interval.
          * @param max_bytes         Maximum number of bytes that can be logged for each source
          *                          location.
-         * @param reset_window      Time window after which the byte counters are reset.
+         * @param reset_window      Time window after which the stats are reset.
          */
-        LogRateLimiter(SchedulerFunction scheduler_func, uint64_t max_bytes, std::chrono::seconds reset_window);
+        static std::shared_ptr<LogRateLimiter> Create(
+            SchedulerFunction&& scheduler_func,
+            uint64_t max_bytes,
+            std::chrono::seconds reset_window);
         //! Maximum number of bytes logged per location per window.
         const uint64_t m_max_bytes;
         //! Interval after which the window is reset.
@@ -201,7 +192,7 @@ namespace BCLog {
         size_t m_buffer_lines_discarded GUARDED_BY(m_cs){0};
 
         //! Manages the rate limiting of each log location.
-        std::unique_ptr<LogRateLimiter> m_limiter GUARDED_BY(m_cs);
+        std::shared_ptr<LogRateLimiter> m_limiter GUARDED_BY(m_cs);
 
         //! Category-specific log level. Overrides `m_log_level`.
         std::unordered_map<LogFlags, Level> m_category_log_levels GUARDED_BY(m_cs);
@@ -270,7 +261,7 @@ namespace BCLog {
         /** Only for testing */
         void DisconnectTestLogger() EXCLUSIVE_LOCKS_REQUIRED(!m_cs);
 
-        void SetRateLimiting(std::unique_ptr<LogRateLimiter>&& limiter) EXCLUSIVE_LOCKS_REQUIRED(!m_cs)
+        void SetRateLimiting(std::shared_ptr<LogRateLimiter> limiter) EXCLUSIVE_LOCKS_REQUIRED(!m_cs)
         {
             StdLockGuard scoped_lock(m_cs);
             m_limiter = std::move(limiter);
@@ -343,7 +334,7 @@ static inline bool LogAcceptCategory(BCLog::LogFlags category, BCLog::Level leve
 bool GetLogCategory(BCLog::LogFlags& flag, std::string_view str);
 
 template <typename... Args>
-inline void LogPrintFormatInternal(std::source_location&& source_loc, const BCLog::LogFlags flag, const BCLog::Level level, const bool should_ratelimit, util::ConstevalFormatString<sizeof...(Args)> fmt, const Args&... args)
+inline void LogPrintFormatInternal(std::source_location&& source_loc, BCLog::LogFlags flag, BCLog::Level level, bool should_ratelimit, util::ConstevalFormatString<sizeof...(Args)> fmt, const Args&... args)
 {
     if (LogInstance().Enabled()) {
         std::string log_msg;