The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #26415 (rpc,rest: faster getblock and rest_block by reading raw block by andrewtoth)
• #26288 (Enable -Wstring-concatenation and -Wstring-conversion on clang builds by Empact)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

Reading the block file will fail if (a) the file was removed or (b) if CBlockIndex::nStatus does not have the BLOCK_HAVE_DATA bit set at the time of calling GetBlockPos() in ReadBlockFromDisk. In this PR you cover (a) but not (b), is that right? BlockManager::PruneOneBlockFile unsets the bit during pruning before UnlinkPrunedFiles is called, so it seems to like the race could still happen.

Yes, that sounds right to me. However, after this change #17161 will not really be a problem. Since getting the block position inside ReadBlockFromDisk will return an empty position if nStatus does not have BLOCK_HAVE_DATA, the read will fail. Having the read fail should be fine as long as the error can be handled gracefully (like RPC/REST/ZMQ/net_processing) but in validation code cs_main should remain locked so it can't happen.

The real issue this solves is on Windows where if after pindex->GetBlockPos() is called and the file is opened then the files are unlinked. This will cause the file to not be removed. From https://en.cppreference.com/w/cpp/io/c/remove

If the file is currently open by the current or another process, the behavior of this function is implementation-defined

I think we should just avoid that happening altogether since "implementation-defined" sounds scary. This was suggested in #11913 (review) and mentioned in #13903 (comment) as well.

Another strategy could be to not unset CBlockIndex::nFile and CBlockIndex::nDataPos when calling BlockManager::PruneOneBlockFile and then not check for BLOCK_HAVE_DATA in CBlockIndex::GetBlockPos(). That way a read will still succeed even if the block is set to be pruned but the file has not been removed. Then nFile and nDataPos can be zeroed in UnlinkPrunedFiles. But that seems like a bigger change for not much more benefit.

This seems like only a partial fix, since we should be checking BLOCK_HAVE_DATA within the lock. Otherwise, there's still a race after we check it and the block is read, where the block could be pruned.

OTOH, maybe we should just handle missing block files more gracefully than a failed assertion...

Closing in favor of #26533.