Skip to content

fix(net): bound signing message vector intake#7418

Merged
PastaPastaPasta merged 3 commits into
dashpay:developfrom
thepastaclaw:fix/llmq-signing-vector-bounds
Jul 13, 2026
Merged

fix(net): bound signing message vector intake#7418
PastaPastaPasta merged 3 commits into
dashpay:developfrom
thepastaclaw:fix/llmq-signing-vector-bounds

Conversation

@thepastaclaw

@thepastaclaw thepastaclaw commented Jul 7, 2026

Copy link
Copy Markdown

Depends on #7439. Please review only the two command-specific commits here.

Issue being fixed or feature implemented

LLMQ signing P2P messages previously deserialized peer-controlled vectors before enforcing the existing per-message count limits. This hardens the signing message intake path so oversized counts are rejected before vector materialization.

This intentionally does not include the QFCOMMITMENT dynamic-bitset fix.

What was done?

  • Use the shared runtime-bounded vector reader for signing message batches in NetSigning::ProcessMessage.
  • Bound CBatchedSigShares::sigShares declaratively with LIMITED_VECTOR.
  • Retain explicit running-total accounting for QBSIGSHARES, where many individually valid batches could exceed the aggregate cap.
  • Ban peers on malformed or oversized signing vectors.
  • Add unit coverage for the exact boundary and oversized batched sig-share vectors.

The reusable bounded-vector serialization primitives are introduced separately in #7439.

How Has This Been Tested?

  • src/test/test_dash --run_test=llmq_utils_tests
  • src/test/test_dash --run_test=serialize_tests
  • test/lint/lint-whitespace.py
  • test/lint/lint-circular-dependencies.py

Breaking Changes

None.

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated relevant unit/integration/functional/e2e tests
  • I have made corresponding changes to the documentation
  • I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 93b5df71-1cf5-4a49-85c1-27e7725dd43a

📥 Commits

Reviewing files that changed from the base of the PR and between 4f129b6 and 8ff75e0.

📒 Files selected for processing (3)
  • src/llmq/net_signing.cpp
  • src/llmq/net_signing.h
  • src/test/llmq_utils_tests.cpp
🚧 Files skipped from review as they are similar to previous changes (3)
  • src/llmq/net_signing.h
  • src/test/llmq_utils_tests.cpp
  • src/llmq/net_signing.cpp

Walkthrough

LLMQ signing-message deserialization now applies message-specific vector limits and bans peers when oversized payloads trigger failures. Batched signature shares are decoded incrementally with outer-batch and cumulative inner-share limits. Serialization and tests cover these boundaries.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Peer
  participant NetSigning
  participant UnserializeBatchedSigShares
  participant BanNode

  Peer->>NetSigning: send LLMQ signing message
  NetSigning->>UnserializeBatchedSigShares: decode payload with size limits
  alt within limits
    UnserializeBatchedSigShares-->>NetSigning: decoded batches
  else oversized payload
    UnserializeBatchedSigShares-->>NetSigning: throw std::ios_base::failure
    NetSigning->>BanNode: BanNode(pfrom.GetId())
    NetSigning-->>Peer: rethrow failure
  end
Loading

Possibly related PRs

  • dashpay/dash#7439: Introduces bounded vector deserialization APIs used by NetSigning::ProcessMessage.
  • dashpay/dash#7448: Derives MAX_MSGS_TOTAL_BATCHED_SIGS from Consensus::MAX_LLMQ_SIZE, which this change uses for bounded LLMQ payload decoding.

Suggested reviewers: knst, udjinm6

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 30.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed Title is concise and accurately summarizes the main change: bounding signing message vector intake.
Description check ✅ Passed Description matches the patch, covering bounded vector intake, batched sig-share limits, bans, and tests.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bc151dee36

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread src/llmq/net_signing.cpp Outdated
std::vector<CBatchedSigShares> msgs;
vRecv >> msgs;
size_t msg_size{0};
if (!ReadLimitedVector(vRecv, msgs, MAX_MSGS_TOTAL_BATCHED_SIGS, msg_size)) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Ban QBSIGSHARES peers with oversized inner counts

When a peer sends a QBSIGSHARES message whose outer vector is within the new limit but one CBatchedSigShares::sigShares count is greater than 400, this call throws from CBatchedSigShares::Unserialize instead of returning false. Unlike the QSIGSHARESINV branch, this path has no local catch that calls BanNode; PeerManagerImpl::ProcessMessages catches std::exception and only logs it, so the peer remains connected and can repeatedly trigger the oversized inner-vector path even though oversized outer/total counts are banned.

Useful? React with 👍 / 👎.

@thepastaclaw

thepastaclaw commented Jul 7, 2026

Copy link
Copy Markdown
Author

🔍 Review in progress — actively reviewing now (commit 8ff75e0)

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

⚠️ Potential Merge Conflicts Detected

This PR has potential conflicts with the following open PRs:

Please coordinate with the authors of these PRs to avoid merge conflicts.

@github-actions github-actions Bot mentioned this pull request Jul 7, 2026
5 tasks
@thepastaclaw thepastaclaw force-pushed the fix/llmq-signing-vector-bounds branch from bc151de to ce347a1 Compare July 7, 2026 18:49

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ce347a1381

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread src/llmq/signing_shares.h Outdated
{
READWRITE(VARINT(obj.sessionId), obj.sigShares);
READWRITE(VARINT(obj.sessionId));
if (ser_action.ForRead()) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Avoid compiling the read branch for serialization

In SERIALIZE_METHODS, Ser passes a const CBatchedSigShares&, and this is a regular if, so the read branch is still compiled for the serialize instantiation. That branch mutates obj.sigShares with clear()/reserve()/emplace_back(), which is const in that instantiation, so builds that serialize CBatchedSigShares (for example CNetMsgMaker::Make(NetMsgType::QBSIGSHARES, msgs) in CSigSharesManager::SendMessages) fail to compile; split the read/write paths with the serialization helpers instead of a runtime branch.

Useful? React with 👍 / 👎.

@thepastaclaw thepastaclaw left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

Source: reviewers: opus general failed (extra-usage quota), gpt-5.5 general completed; opus dash-core-commit-history failed (extra-usage quota), gpt-5.5 dash-core-commit-history completed; coordinator portability candidate validated by gpt-5.5 verifier. Verifier: gpt-5.5 fallback after opus quota failure.

Prior reconciliation: prior-1 is STILL VALID; both commits still use generic fix: subjects instead of an LLMQ area prefix, so the prior nitpick is carried forward.

Carried-forward prior findings: 1 nitpick (Use an LLMQ area prefix for commit subjects).

New findings in latest delta: 1 blocking build portability issue. The newly added bounded deserialization helpers list-initialize size_t from ReadCompactSize, which is a build-breaking narrowing conversion on Dash's documented 32-bit targets.

🔴 1 blocking | 💬 1 nitpick(s)

1 additional finding(s) omitted (not in diff).

🤖 Prompt for all review comments with AI agents
These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `src/llmq/net_signing.cpp`:
- [BLOCKING] src/llmq/net_signing.cpp:30-44: Avoid narrowing ReadCompactSize into size_t
  `ReadCompactSize` returns `uint64_t`, but the new readers store it with braced initialization in `const size_t size{...}`. Dash still documents 32-bit depends/Guix targets such as `i686-pc-linux-gnu` and `arm-linux-gnueabihf`, where `size_t` is 32 bits; on those targets, list-initializing `size_t` from a non-constant `uint64_t` is ill-formed and the file will not compile. Read the compact size into a `uint64_t`, check it against the small max bound, then cast to `size_t` after the check. The same braced narrowing pattern also appears in `CBatchedSigShares` at `src/llmq/signing_shares.h:159`.

Note: GitHub does not allow me to submit REQUEST_CHANGES on my own PR, so this is posted as a COMMENT while preserving the verified blocking finding.

Comment thread src/llmq/net_signing.cpp Outdated
@thepastaclaw thepastaclaw changed the title llmq: bound signing message vector intake fix(net): bound signing message vector intake Jul 7, 2026
@thepastaclaw thepastaclaw force-pushed the fix/llmq-signing-vector-bounds branch from b040df8 to 44cc759 Compare July 7, 2026 22:12
@thepastaclaw

Copy link
Copy Markdown
Author

Addressed the review feedback for the ReadCompactSize narrowing issue and force-pushed the squashed branch update to fix/llmq-signing-vector-bounds.

  • d168c8452b2: reads bounded net message CompactSize counts as uint64_t, checks the limit, then casts to size_t.
  • 19392f213e1: applies the same checked-cast pattern inside CBatchedSigShares.
  • 44cc7599966: preserves the if constexpr serialization compile fix on top.

Validation: ./autogen.sh, ./configure --without-gui, make -C src llmq/libbitcoin_node_a-net_signing.o llmq/libbitcoin_node_a-signing_shares.o -j4, make -C src test/test_dash -j4, src/test/test_dash --run_test=llmq_utils_tests, and git diff --check upstream/develop..HEAD all passed.

Verifier re-run: verifier-dash-7418-44cc7599 confirmed the narrowing finding is fixed and the if constexpr compile fix remains intact.

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh pr view 7418 --repo dashpay/dash --json headRefName,headRefOid,commits --jq '.headRefName, .headRefOid'
echo "---"
gh pr diff 7418 --repo dashpay/dash | head -300

Length of output: 8399


Verified the updated diff on fix/llmq-signing-vector-bounds (commit 44cc759):

  • ReadLimitedVector/ReadBatchedSigShares now read the CompactSize as uint64_t, validate against the limit, and only then narrow to size_t before materializing elements — this resolves the narrowing/overflow concern from the earlier round.
  • The same checked-cast pattern is applied inside CBatchedSigShares::SERIALIZE_METHODS for the inner sigShares vector, bounded by MAX_MSGS_TOTAL_BATCHED_SIGS, while the if constexpr (ser_action.ForRead()) split correctly preserves write-path behavior (READWRITE(obj.sigShares)).
  • The new batched_sig_shares_rejects_oversized_inner_vector unit test exercises exactly this inner-vector overflow path and checks that sigShares remains empty after the thrown exception.
  • Error handling paths consistently BanNode + throw on std::ios_base::failure, matching the existing pattern for QSIGSHARESINV/QGETSIGSHARES.

This all looks correct and addresses the narrowing issue. Nice work.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@thepastaclaw thepastaclaw left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

The current source fixes the prior ReadCompactSize narrowing problem by reading into uint64_t, checking the bound, and casting only after the check. One in-scope blocker remains: the top commit is a one-line compile fix for serialization code introduced by an earlier commit, leaving the permanent stack with a non-building intermediate commit unless it is squashed or reordered. The prior commit-subject nitpick also still applies because the LLMQ changes are still recorded with generic fix: subjects.

Source: reviewers: opus general failed; gpt-5.5 general completed; opus dash-core-commit-history failed; gpt-5.5 dash-core-commit-history completed. Verifier: gpt-5.5 completed. Failed lanes are retained in local artifacts.

Prior reconciliation:

  • prior-1 FIXED: ReadCompactSize is now read into uint64_t, checked against the message bound, then cast to size_t after the check in src/llmq/net_signing.cpp and src/llmq/signing_shares.h.
  • prior-2 STILL VALID: the current stack still uses generic fix: subjects for LLMQ signing commits.

Carried-forward prior findings:

  • [NITPICK] <commit:19392f213e1>:1 — Use an LLMQ area prefix for commit subjects.

New findings in latest delta:

  • [BLOCKING] <commit:44cc7599966>:1 — Squash the serialization compile fix into the commit it repairs.

🔴 1 blocking | 💬 1 nitpick(s)

🤖 Prompt for all review comments with AI agents
These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `<commit:44cc7599966>`:
- [BLOCKING] <commit:44cc7599966>:1: Squash the serialization compile fix into the commit it repairs
  Commit `44cc7599966` only changes `if (ser_action.ForRead())` to `if constexpr (ser_action.ForRead())` in `CBatchedSigShares`. That repairs code introduced in `19392f213e1`: `SERIALIZE_METHODS` instantiates serialization with a `const CBatchedSigShares&`, and without `if constexpr` the read-only branch that calls `clear()`, `reserve()`, and `emplace_back()` on `obj.sigShares` is still compiled for the const serialization path. Dash's PR hygiene requires each commit to build on its own, so leaving this as a separate top commit preserves a non-compiling intermediate state. Squash `44cc7599966` into `19392f213e1`, or otherwise rewrite the stack so the serialization commit is buildable.

In `<commit:19392f213e1>`:
- [NITPICK] <commit:19392f213e1>:1: Use an LLMQ area prefix for commit subjects
  The current PR stack still uses generic subjects: `fix: bound batched sig-share intake`, `fix: bound LLMQ signing vector intake`, and `fix: compile batched sig share serialization`. These commits are all scoped to LLMQ signing, while Dash's commit convention uses an area prefix such as `llmq:`. Reword the surviving commits after the squash so the permanent history is scoped consistently.

Note: GitHub does not allow me to submit REQUEST_CHANGES on my own PR, so this is posted as a COMMENT while preserving the verified blocking finding.

@thepastaclaw thepastaclaw force-pushed the fix/llmq-signing-vector-bounds branch from 44cc759 to d32884e Compare July 7, 2026 23:12
@thepastaclaw

Copy link
Copy Markdown
Author

Addressed the remaining self-review history feedback with a tree-equivalent branch rewrite.

What changed:

  • Squashed the if constexpr serialization compile fix into the batched sig-share intake commit it repaired.
  • Reworded the surviving commits with the llmq: area prefix.
  • Verified the rewritten tree matches the prior reviewed head 44cc7599966 exactly.

New head: d32884eb689.

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh pr view 7418 --repo dashpay/dash --json headRefName,headRefOid --jq '.headRefName, .headRefOid'
echo "---diff---"
gh pr diff 7418 --repo dashpay/dash > /tmp/pr7418.diff
wc -l /tmp/pr7418.diff
echo "---compare trees---"
git -C . rev-parse HEAD 2>/dev/null || true

Length of output: 599


🏁 Script executed:

#!/bin/bash
set -euo pipefail
cat /tmp/pr7418.diff

Length of output: 8178


Confirmed: the diff for the new head (d32884eb689a66bc8a6020082ec9565d5f685e8b) is byte-for-byte identical in content to what was previously reviewed at 44cc7599966a4185aa8568e067c54eeb9315c20e — the narrowing fix (uint64_t read → limit check → static_cast<size_t>) is intact in both ReadLimitedVector/ReadBatchedSigShares in src/llmq/net_signing.cpp and in the inner sigShares deserialization loop in src/llmq/signing_shares.h, and the if constexpr (ser_action.ForRead()) split is preserved. The new unit test batched_sig_shares_rejects_oversized_inner_vector in src/test/llmq_utils_tests.cpp is unchanged as well.

This is a pure history rewrite (squash + commit-message rewording), not a code change — the tree matches the previously reviewed head as you stated. No new findings from my side.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@thepastaclaw thepastaclaw left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

The latest push rewrote the stack without changing the final tree relative to 44cc7599966a4185aa8568e067c54eeb9315c20e, so I verified this as a cumulative current-head review. The current stack contains two scoped llmq: commits, and the serialization if constexpr repair is folded into the commit that introduces the bounded CBatchedSigShares deserialization. No in-scope correctness, security, or PR-hygiene findings remain.

Source: reviewers: opus general failed; gpt-5.5 general completed; opus dash-core-commit-history failed; gpt-5.5 dash-core-commit-history completed. Verifier: gpt-5.5 completed. Failed lanes are retained in local artifacts.

Prior reconciliation:

  • prior-1 FIXED: the standalone 44cc7599966 serialization compile-fix commit is gone, and 2a2bc9d2251 directly contains if constexpr (ser_action.ForRead()) in src/llmq/signing_shares.h.
  • prior-2 FIXED: both current commits use the llmq: area prefix: llmq: bound batched sig-share intake and llmq: bound LLMQ signing vector intake.

Carried-forward prior findings: None.

New findings in latest delta: None.

No findings.

Note: GitHub does not allow me to submit APPROVE on my own PR, so this exact-SHA clean review is posted as a COMMENT.

@UdjinM6

UdjinM6 commented Jul 8, 2026

Copy link
Copy Markdown

pls see 80779e7 for some suggestions

@thepastaclaw thepastaclaw force-pushed the fix/llmq-signing-vector-bounds branch from d32884e to d862d6c Compare July 8, 2026 21:16
@thepastaclaw

Copy link
Copy Markdown
Author

Applied UdjinM6’s 80779e77c3 suggestions and folded them into the existing two logical commits instead of leaving a separate fixup commit.

Updated head: d862d6cf2a1

What changed:

  • CBatchedSigShares now uses the symmetric COMPACTSIZE + SER_READ serialization pattern like CSigSharesInv.
  • Oversized signing intake rejects now log message type, peer id, and exception text before banning/rethrowing.
  • Added an exact-cap roundtrip test for the inclusive MAX_MSGS_TOTAL_BATCHED_SIGS boundary.

Validation passed:

  • git diff --check origin/fix/llmq-signing-vector-bounds..HEAD
  • COMMIT_RANGE=origin/fix/llmq-signing-vector-bounds..HEAD test/lint/lint-whitespace.py
  • ./autogen.sh && ./configure --without-gui
  • make -C src llmq/libbitcoin_node_a-net_signing.o llmq/libbitcoin_node_a-signing_shares.o test/test_dash -j4
  • src/test/test_dash --run_test=llmq_utils_tests

@thepastaclaw

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@thepastaclaw

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@thepastaclaw

Copy link
Copy Markdown
Author

CI note for linux64_multiprocess-test / Test source on run 28976345609/job 85993505674:

The failing test is the known intermittent feature_asset_locks.py / llmq_test_platform quorum timeout, not a regression from this PR. The job failed after retries in test_v24_fork() -> mine_quorum_2_nodes() -> wait_for_quorum_list() while waiting for the freshly mined platform quorum hash to appear in quorum list.

Scope check: the actual merge-base diff for this PR only changes:

src/llmq/net_signing.cpp
src/llmq/signing_shares.h
src/test/llmq_utils_tests.cpp

The failing feature_asset_locks.py file is not touched by this PR. This failure mode is already tracked as #7310 and was addressed on develop by merged PR #7411; this PR head predates that unrelated test-stabilization change. I left the PR branch untouched: no commits, no rebase, no push, and no CI rerun.

@thepastaclaw

Copy link
Copy Markdown
Author

CI note: linux64_multiprocess-test is red on d862d6cf2a1b due feature_asset_locks.py (test_v24_fork / mine_quorum_2_nodes wait_until timeout after 3 attempts). This is outside the LLMQ signing-vector bounds surface of this PR; all other functional suites on that job passed, and the other CI lanes are green. I don't have admin rights to gh run rerun --failed, so leaving this as a known flaky multiprocess asset-lock timeout rather than changing the PR code for it.

@thepastaclaw thepastaclaw left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

The delta since the prior clean review at d862d6c is a single empty CI-retrigger commit (28c3575) with no file changes. Cumulative revalidation of the substantive commits (b907d3f LLMQ batched sig-share intake bound, d862d6c LLMQ signing vector intake bound) confirms the prior APPROVE still holds on code content. One hygiene suggestion: drop the empty CI-retrigger commit before merge, since Dash Core merges PR stacks without squashing and the project guide explicitly discourages empty CI-retrigger commits.

Source: reviewers: opus general completed; gpt-5.5 general failed; opus dash-core-commit-history completed; gpt-5.5 dash-core-commit-history failed. Verifier: opus completed. Failed lanes are retained in local artifacts.

🟡 1 suggestion(s)

1 additional finding(s) omitted (not in diff).

🤖 Prompt for all review comments with AI agents
These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `<commit:28c3575130a>`:
- [SUGGESTION] <commit:28c3575130a>:1: Drop empty CI-retrigger commit before merge
  Commit 28c3575130a ("ci: retrigger linux64_multiprocess-test after feature_asset_locks flake") has zero file changes and was pushed only to re-run CI after an unrelated feature_asset_locks flake. Dash Core merges PR stacks into develop without squashing, so this no-op commit would become permanent history in a consensus-adjacent LLMQ hardening PR — noise in `git log` and a useless step in `git bisect`. The project agent guide (CLAUDE.md / AGENTS.md, PR Hygiene section) explicitly says: "If CI fails for reasons unrelated to the PR, document the evidence instead of pushing empty commits or unrelated changes." Reset to d862d6cf2a1 and force-push, or drop this commit via interactive rebase; capture the flake evidence in a PR comment instead. The two substantive commits (b907d3f, d862d6c) are cleanly scoped and should remain.

@thepastaclaw thepastaclaw force-pushed the fix/llmq-signing-vector-bounds branch from 28c3575 to f3c35ba Compare July 10, 2026 02:19
@thepastaclaw

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@thepastaclaw thepastaclaw left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

Carried-Forward Prior Findings

None. The sole prior finding (net_signing.h:34-36, doc comment overstating when the QBSIGSHARES aggregate limit is enforced) is FIXED at 430a702 — verified directly against git show 430a7024021 -- src/llmq/net_signing.h and the current source: the comment now reads 'throws std::ios_base::failure once detected' instead of the inaccurate 'before the offending element is decoded,' which correctly covers both the outer-count guard (net_signing.cpp:29-32, pre-decode) and the running-aggregate guard (net_signing.cpp:35-41, which fully decodes the crossing batch via vRecv >> msgs.back() at line 37 before comparing and throwing at lines 39-40).

New Findings In Latest Delta

All three commit-history lanes (codex, sonnet5, opus) independently converge on one commit-hygiene suggestion: the new commit 430a702 is a 2-line doc correction to prose introduced one commit earlier in this same unmerged PR (c9a1944). Since the PR has never shipped, this is a same-PR fixup that should be squashed into c9a1944 rather than left as a standalone entry in permanent history. I independently confirmed via git log --oneline that 430a702 sits directly after c9a1944 with no intervening commits, and via git show that it touches only the exact lines c9a1944 introduced. This is a valid, low-risk suggestion aligned with the project's atomic-commit guidance.

All other cumulative code (bounded intake across QSIGSHARE/QSIGSESANN/QSIGSHARESINV/QGETSIGSHARES/QBSIGSHARES, LIMITED_VECTOR capping on CBatchedSigShares::sigShares, uniform peer banning, and the dedicated aggregate-boundary unit tests) was re-verified and found correct — no new defects. Two additional open public threads referenced as evidence (QBSIGSHARES inner-count banning, and a claimed SERIALIZE_METHODS read-branch compile issue) were independently checked against source and do not hold at this SHA: UnserializeBatchedSigShares is called inside the try/catch at net_signing.cpp:121-130, so a LIMITED_VECTOR throw during batch decode is caught and bans the peer; and SERIALIZE_METHODS/READWRITE dispatch Ser/Unser via compile-time tag overload resolution, so the read path is never instantiated for the const-serializing case (an already-accepted pattern used identically elsewhere in the codebase).

Source (experiment sonnet-primary-opus-quarter-sample-20260710, cohort sonnet_opus_sample, bucket 0): reviewers codex/general=gpt-5.6-sol(completed); sonnet5/general=claude-sonnet-5(completed); opus/general=claude-opus-4-8(completed); codex/dash-core-commit-history=gpt-5.6-sol(completed); sonnet5/dash-core-commit-history=claude-sonnet-5(completed); opus/dash-core-commit-history=claude-opus-4-8(completed); verifier=verifier-sonnet5-7418-1783751800=claude-sonnet-5; orchestrator=openai/gpt-5.6-sol reasoning=high (orchestration-only, not a reviewer/verifier).

🟡 1 suggestion(s)

🤖 Prompt for all review comments with AI agents
These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `src/llmq/net_signing.h`:
- [SUGGESTION] src/llmq/net_signing.h:34-36: Squash the doc-fix commit into the commit that introduced the inaccuracy
  Commit 430a7024021 ("llmq: correct batched sig-share decoder docs") only rewrites the two-line UnserializeBatchedSigShares doc comment that was introduced one commit earlier in this same unmerged PR, by c9a194401f6 ("llmq: cover QBSIGSHARES aggregate sig-share bound with a testable decoder"). That comment has never shipped to develop, so this is the classic same-PR fixup pattern — a review thread flagged an inaccuracy in prose that was never correct in permanent history, and the very next commit corrects it. Left as a standalone commit, it leaves a bodyless 'correct docs' entry in git log/blame immediately after the commit it patches, which is confusing once the review conversation that prompted it is gone. Fold 430a7024021 into c9a194401f6 with `git rebase -i --autosquash` (or an explicit `fixup!`) so the decoder ships with accurate documentation from the moment it's introduced. The other three commits in the stack (c0af1562af5, 89c0933aa1c, c9a194401f6) are substantive, correctly ordered, and need no change.

Comment thread src/llmq/net_signing.h
@thepastaclaw

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@thepastaclaw thepastaclaw force-pushed the fix/llmq-signing-vector-bounds branch from 430a702 to 4f129b6 Compare July 11, 2026 07:22

@thepastaclaw thepastaclaw left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

Carried-Forward Prior Findings

None. The sole prior finding (net_signing.h:34-36, "squash the doc-fix commit into the commit that introduced the inaccuracy") is FIXED: the commit stack at the current head is exactly 3 commits (c0af156, 89c0933, 4f129b6) with no standalone doc-fix entry, and net_signing.h:34-36 already reads the corrected 'throws std::ios_base::failure once detected' wording inside the commit that introduces UnserializeBatchedSigShares — verified directly via git log --oneline and a Read of the current source, not inferred from the empty two-dot delta alone.

New Findings In Latest Delta

None. The literal 430a702..4f129b6 delta is tree-empty (a history rewrite, not rebase noise), so there is nothing new to surface from it. I independently re-verified the cumulative diff (net_signing.cpp/.h, signing_shares.h, llmq_utils_tests.cpp) against the checked-out source at 4f129b6: all four LLMQ signing intake paths (QSIGSHARE, QSIGSESANN, QSIGSHARESINV/QGETSIGSHARES, QBSIGSHARES) bound peer-controlled counts before/while decoding; ReadCompactSize results are staged in uint64_t (no size_t narrowing); CBatchedSigShares::sigShares is capped via the standard LIMITED_VECTOR/Using<LimitedVectorFormatter<n>> template-dispatch mechanism (confirmed via serialize.h:594,996-1012 — this is compile-time Ser/Unser template dispatch, not a runtime if branch, so the previously-flagged 'compiling the read branch into serialization' concern does not apply to this code); an oversized inner vector throws std::ios_base::failure from inside UnserializeBatchedSigShares, which propagates to the QBSIGSHARES try/catch at net_signing.cpp:121-130 and results in BanNode being called (so the previously-flagged 'no local catch/ban for oversized inner counts' concern also does not apply); and the aggregate-boundary tests in llmq_utils_tests.cpp call the real production decoder UnserializeBatchedSigShares directly. No new defects found.

Source (experiment sonnet-primary-opus-quarter-sample-20260710, cohort sonnet_primary, bucket 1): reviewers codex/general=gpt-5.6-sol(completed); sonnet5/general=claude-sonnet-5(completed); codex/dash-core-commit-history=gpt-5.6-sol(completed); sonnet5/dash-core-commit-history=claude-sonnet-5(completed); verifier=verifier-sonnet5-7418-1783755776=claude-sonnet-5; orchestrator=openai/gpt-5.6-sol reasoning=high (orchestration-only, not a reviewer/verifier).

Note: posted as a COMMENT review because GitHub does not allow approving my own PR.

@thepastaclaw

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@thepastaclaw

thepastaclaw commented Jul 11, 2026

Copy link
Copy Markdown
Author

CI note for exact head 4f129b609e3: linux64_tsan-test hit the known p2p_node_network_limited.py --v2transport timing flake tracked in #7288.

All three retries failed at connect_nodes(0, 2) with AssertionError: Error: peer disconnected. The combined log shows the pruned node legitimately processing the below-NODE_NETWORK_LIMITED block request and disconnecting peer 2 before connect_nodes() observes its expected pong.

This PR changes only the LLMQ signing intake/decoder files and tests (src/llmq/net_signing.cpp, src/llmq/net_signing.h, src/llmq/signing_shares.h, and src/test/llmq_utils_tests.cpp), with no overlap with that functional test or connection helper. The branch is proper as-is and has been left completely untouched: no commit, push, rebase, empty commit, or CI rerun. Maintainers can rerun CI if concerned.

Occurrence recorded on #7288: #7288 (comment)

PastaPastaPasta added a commit that referenced this pull request Jul 13, 2026
a54fcbe fix: reject custom LLMQ sizes above the maximum supported quorum size (PastaClaw)

Pull request description:

  ## Issue being fixed

  Devnet and regtest LLMQ size overrides accepted quorum sizes above 400 even though the signing protocol cannot carry them. Signing-session inventories and batched signature-share messages are capped at 400, so an oversized custom quorum could start successfully but fail later when peers exchange signing shares.

  ## What was done

  - Define `Consensus::MAX_LLMQ_SIZE` as the authoritative 400-member protocol maximum.
  - Tie `MAX_MSGS_TOTAL_BATCHED_SIGS` to that shared maximum so the limits cannot drift.
  - Reject oversized `-llmqdevnetparams`, `-llmqtestparams`, `-llmqtestinstantsendparams`, and `-llmqtestplatformparams` values during chain-parameter construction.
  - Cover normal custom values, the inclusive 400-member boundary, and 401-member rejection for all four override paths.

  This is a fail-fast configuration fix discovered while reviewing #7418. It does not change mainnet or testnet parameters, and accepted custom sizes at or below 400 retain their existing behavior.

  ## Validation

  - Full unit suite: 744 test cases passed.
  - `feature_llmq_signing.py`: both variants passed.
  - Direct startup checks: 401-member devnet/regtest overrides fail with the intended error; 400-member overrides start normally.
  - `git diff --check`
  - whitespace lint
  - circular-dependency lint
  - Independent pre-PR review: `ship`, no findings.

  ## Scope

  This intentionally adds only the missing upper bound. Existing behavior for zero, negative, or otherwise inconsistent custom size/threshold pairs is unchanged.

ACKs for top commit:
  PastaPastaPasta:
    utACK a54fcbe

Tree-SHA512: 95bd40c487be20866263db83104f0840e2999bac88d828c55d0584bd386cc8f2ddcff0a99dfb71b110ad5550e942f82efda909ad7624c61c72d7fcd188903eff
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@UdjinM6

UdjinM6 commented Jul 13, 2026

Copy link
Copy Markdown

89c0933 is not signed, lgtm otherwise

thepastaclaw and others added 2 commits July 13, 2026 17:07
The QSIGSHARE, QSIGSESANN and QSIGSHARESINV/QGETSIGSHARES handlers each
decoded a std::vector unbounded before comparing the resulting count
against a callsite-specific cap. That lets a malicious peer force us to
allocate and decode arbitrarily large batches before we reject them.

Replace the post-decode size checks with the shared
UnserializeVectorWithMaxSize primitive, which reads the CompactSize
prefix with the default range-checked ReadCompactSize (rejecting any
count above the generic MAX_SIZE cap before this tighter callsite
max_size is even applied), compares the resulting size_t directly
against max_size with no separate uint64_t staging, and returns false
without consuming any element on rejection. Convert the false return
into an ios_base::failure so the surrounding catch uniformly logs, bans
the peer, and rethrows for any decode failure — matching the existing
QSIGSHARESINV/QGETSIGSHARES behavior on a malformed stream.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…oder

The self-review of the batched sig-share intake bounds flagged one gap: the
running-total abort in the QBSIGSHARES handler — where many individually-valid
batches together exceed MAX_MSGS_TOTAL_BATCHED_SIGS — had no direct unit
coverage. The check lived inline in NetSigning::ProcessMessage, so the only way
to reach it was to drive a full P2P message through the handler.

Extract the QBSIGSHARES decode loop into a free function,
llmq::UnserializeBatchedSigShares(CDataStream&), that production calls inside
the existing try/catch. Wire format, peer banning, and logging semantics are
unchanged — the callsite still logs, bans, and rethrows on any
ios_base::failure. The extracted decoder is the exact code that runs in
production, so the new tests exercise the real path rather than a mirror.

Add three targeted cases in llmq_utils_tests:
- oversized outer batch count (built from empty batches so only the outer-count
  guard, not an end-of-stream artifact, can reject it),
- oversized running aggregate across batches each within the per-batch cap,
- an aggregate exactly at the cap, which must decode intact.

Both count guards were mutation-verified: neutralizing either guard makes its
corresponding test fail and no other.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@thepastaclaw thepastaclaw force-pushed the fix/llmq-signing-vector-bounds branch from 4f129b6 to 8ff75e0 Compare July 13, 2026 22:08

@UdjinM6 UdjinM6 left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utACK 8ff75e0

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@PastaPastaPasta PastaPastaPasta merged commit 2406ebc into dashpay:develop Jul 13, 2026
44 checks passed
@UdjinM6 UdjinM6 modified the milestone: 24 Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants