Return-Path: <pete@petertodd.org>
Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 9F590C002D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon,  7 Nov 2022 20:17:38 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp4.osuosl.org (Postfix) with ESMTP id 78CDD408F9
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon,  7 Nov 2022 20:17:38 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 78CDD408F9
Authentication-Results: smtp4.osuosl.org; dkim=pass (2048-bit key,
 unprotected) header.d=messagingengine.com header.i=@messagingengine.com
 header.a=rsa-sha256 header.s=fm1 header.b=iyG4dklZ
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level: 
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Received: from smtp4.osuosl.org ([127.0.0.1])
 by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id z2ng3Dhm6O2M
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon,  7 Nov 2022 20:17:36 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 66E73408BC
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com
 [64.147.123.21])
 by smtp4.osuosl.org (Postfix) with ESMTPS id 66E73408BC
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon,  7 Nov 2022 20:17:36 +0000 (UTC)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41])
 by mailout.west.internal (Postfix) with ESMTP id A3A7232009E1
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon,  7 Nov 2022 15:17:33 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162])
 by compute1.internal (MEProxy); Mon, 07 Nov 2022 15:17:33 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:date:feedback-id
 :feedback-id:from:from:in-reply-to:message-id:mime-version
 :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy
 :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1667852253; x=
 1667938653; bh=KdguMCYYxvyHBw4tAMN69WbCvg0F8oapflzWaUjgVv8=; b=i
 yG4dklZEZBOrRGTeqtNdpnT50G7rdWPp7FDUgjWnOSdkEYZZDa/0lU6G5w+knOP5
 IGisnUX307glpkA2lWXL08/3fQt+UT86VlzlN/H31KXUJq7N3xPJ5Js+TkpobhAr
 Pjf/u6d72qp8l+zUQ8+NapVFDeFIKC/PYjGLNqjP7tW7hJo233RAA5RXLsZNUHhX
 qSG7zxk/9EpuDCi/jW2ECBF27fvDPbZoe15CKAYtk6M5o5Iobekyhuyr1XcQrMA2
 +NXi1w7rDTKbL99FQS/U8o/ekTVAn1exbNILZBpymVs+rBvuae+6hbENnHle6jkj
 duAm+fwHBUNp9DPAgxLSQ==
X-ME-Sender: <xms:3GdpYwlUDGnTPqFbBlYTaPolqfd-J9nxnDae-QO6yORjtOTffhCC_A>
 <xme:3GdpY_35AVyx5NmMk-BR0st7I6GUHfmTVcN54M7UJhe-ZNpelPVYnW7trMeXzPpsc
 hJNC24XHY9a_3ellhU>
X-ME-Received: <xmr:3GdpY-oWDcZnDEsz5_T9u1Rj2IaH5TT_YXYtqDPCVDrUX8ir_whDa87iT1vmqA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvgedrvdekgddufeefucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
 uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkgggtugesghdtreertd
 dtvdenucfhrhhomheprfgvthgvrhcuvfhougguuceophgvthgvsehpvghtvghrthhouggu
 rdhorhhgqeenucggtffrrghtthgvrhhnpefhteevgeeuvdekheeivdeffeduuedufefhte
 elheffgfelueefieffjeefffeuleenucffohhmrghinhepphgvthgvrhhtohguugdrohhr
 ghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehpvg
 htvgesphgvthgvrhhtohguugdrohhrgh
X-ME-Proxy: <xmx:3GdpY8lpxGZnOeqQ4qTRa7p75XhIk17_uqFwTTAqXe7UvXNLkrgsnA>
 <xmx:3GdpY-1kO0htwA5vdNTeIygR2ZAbtPUukd3lw3e8oO3L4EmpRtWc9g>
 <xmx:3GdpYzuDWS9eXx_UNtFJTHSmUMyJ1RqR8cScTz91LDWq6WNRsrFZQQ>
 <xmx:3WdpY8BCY7kiwANe8YXboAzkuFupPQZfVU2cWLmZuxNsolsVpCIu6g>
Feedback-ID: i525146e8:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA for
 <bitcoin-dev@lists.linuxfoundation.org>; Mon,
 7 Nov 2022 15:17:32 -0500 (EST)
Received: by localhost (Postfix, from userid 1000)
 id 884855F83B; Mon,  7 Nov 2022 15:17:29 -0500 (EST)
Date: Mon, 7 Nov 2022 15:17:29 -0500
From: Peter Todd <pete@petertodd.org>
To: bitcoin-dev@lists.linuxfoundation.org
Message-ID: <Y2ln2fJ+8+Q0qS0E@petertodd.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="SJbM/+xIlehVFAWP"
Content-Disposition: inline
Subject: [bitcoin-dev] Removing BIP-125 Rule #5 Pinning with the
 Always-Replaceable Invariant
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Nov 2022 20:17:38 -0000


--SJbM/+xIlehVFAWP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

tl;dr: We can remove the problem of Rule #5 pinning by ensuring that all
transactions in the mempool are always replaceable.


Currently Bitcoin Core implements rule #5 of BIP-125:

    The number of original transactions to be replaced and their descendant
    transactions which will be evicted from the mempool must not exceed a t=
otal
    of 100 transactions.

As of Bitcoin Core v24.0rc3, this rule is implemented via the
MAX_REPLACEMENT_CANDIDATES limit in GetEntriesForConflicts:

    // Rule #5: don't consider replacing more than MAX_REPLACEMENT_CANDIDAT=
ES
    // entries from the mempool. This potentially overestimates the number =
of actual
    // descendants (i.e. if multiple conflicts share a descendant, it will =
be counted multiple
    // times), but we just want to be conservative to avoid doing too much =
work.
    if (nConflictingCount > MAX_REPLACEMENT_CANDIDATES) {
        return strprintf("rejecting replacement %s; too many potential repl=
acements (%d > %d)\n",
                         txid.ToString(),
                         nConflictingCount,
                         MAX_REPLACEMENT_CANDIDATES);
    }

There is no justification for this rule beyond avoiding "too much work"; the
exact number was picked at random when the BIP was written to provide an
initial conservative limit, and is not justified by benchmarks or memory us=
age
calculations. It may in fact be the case that this rule can be removed enti=
rely
as the overall mempool size limits naturally limit the maximum number of
possible replacements.


But for the sake of argument, let's suppose some kind of max replacement li=
mit
is required. Can we avoid rule #5 pinning? The answer is yes, we can, with =
the
following invariant:

    No transaction may be accepted into the mempool that would cause another
    transaction to be unable to be replaced due to Rule #5.

We'll call this the Replaceability Invariant. Implementing this rule is sim=
ple:
for each transaction maintain an integer, nReplacementCandidates. When a
non-conflicting transaction is considered for acceptance to the mempool, ve=
rify
that nReplacementCandidates + 1 < MAX_REPLACEMENT_CANDIDATES for each
unconfirmed parent. When a transaction is accepted, increment
nReplacementCandidates by 1 for each unconfirmed parent.

When a *conflicting* transaction is considered for acceptance, we do _not_ =
need
to verify anything: we've already guaranteed that every transaction in the
mempool is replaceable! The only thing we may need to do is to decrement
nReplacementCandidates by however many children we have replaced, for all
unconfirmed parents.

When a block is mined, note how the nReplacementCandidates of all unconfirm=
ed
transactions remains unchanged because a confirmed transaction can't spend =
an
unconfirmed txout.

The only special case to handle is a reorg that changes a transaction from
confirmed to unconfirmed. Setting nReplacementCandidates to
MAX_REPLACEMENT_CANDIDATES would be fine in that very rare case.


Note that like the existing MAX_REPLACEMENT_CANDIDATES check, the
Replaceability Invariant overestimates the number of transactions to be
replaced in the event that multiple children are spent by the same transact=
ion.
That's ok: diamond tx graphs are even more unusual than unconfirmed childre=
n,
and there's no reason to bend over backwards to accomodate them.

Prior art: this proposed rule is similar in spirit to the package limits ar=
eady
implemented in Bitcoin Core.

--=20
https://petertodd.org 'peter'[:-1]@petertodd.org

--SJbM/+xIlehVFAWP
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0RcYcKRzsEwFZ3N5Lly11TVRLzcFAmNpZ8wACgkQLly11TVR
LzezDw/8DNG8Stac5svYqva2Jd/RDziBtTdWqoRsmw58AIbOer5X8WClltO+ALko
gUY2EB3WTbFY/WfXG9XcIXnboJ/uTuw5H55R0bzYTS4P9O8Fjz50xyk4A194C/Nm
6K6lwZsI1qLkupiWkp/58MHN9KzDbCYgmMgJfROsmXUysjm0RDUpUQ/En73PUgbH
3pnpZbme3ozbPRW124SF4VsH/+7tZRMK3bqCbH0vm2ovTFV7w4R4qH+CQY2sw34+
820I4NFa+CxcEpztoIMZYiCD3psMyrXUmacBvdC2iFZowht3gTSphsuzjE9U+/5P
K9c3W4Z/34bC+ZjumBbUnjMUOTgBxfC4G3JtYIwvIUuyUSPrDtIlbzuE4wZn/e4Q
xPOCzfWayRUAaTrQNWEoQrWAdWpJBci7z5WYFL9aoNqXFjvtmULEnjlWCPStjW/l
sveon93uwlZvYjtjBagNrMzg3BjCPHXTGaSWbV3CYH+JBp5RXdmVYV7A+FRFU4wP
XcqPiWyv78fMk6gydj/rco/BWpNXFoqqwZ4csCRLI0CgPbqdWmHxYE0WDYcwtF/u
n14S8Tf+Hg37htNWU+4kIJYDQkSvtBx9z2Ve82WKx0noHry0qLwoy2zz5BpRGkN8
8qQ9aeEW5xtkmz0/X4cu0LWHBj2qBa5kgnvL4u89j8Ky9vx4/n4=
=Vg3Z
-----END PGP SIGNATURE-----

--SJbM/+xIlehVFAWP--