| blob | c6ea2fff975353a46e4285ef922c839e3819046c |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2019, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file circuitstats.c
9 *
10 * \brief Maintains and analyzes statistics about circuit built times, so we
11 * can tell how long we may need to wait for a fast circuit to be constructed.
12 *
13 * By keeping these statistics, a client learns when it should time out a slow
14 * circuit for being too slow, and when it should keep a circuit open in order
15 * to wait for it to complete.
16 *
17 * The information here is kept in a circuit_built_times_t structure, which is
18 * currently a singleton, but doesn't need to be. It's updated by calls to
19 * circuit_build_times_count_timeout() from circuituse.c,
20 * circuit_build_times_count_close() from circuituse.c, and
21 * circuit_build_times_add_time() from circuitbuild.c, and inspected by other
22 * calls into this module, mostly from circuitlist.c. Observations are
23 * persisted to disk via the or_state_t-related calls.
24 */
26 #define CIRCUITSTATS_PRIVATE
52 #undef log
53 #include <math.h>
57 buildtimeout_set_event_t type);
60 #define CBT_BIN_TO_MS(bin) ((bin)*CBT_BIN_WIDTH + (CBT_BIN_WIDTH/2))
62 /** Global list of circuit build times */
63 // XXXX: Add this as a member for entry_guard_t instead of global?
64 // Then we could do per-guard statistics, as guards are likely to
65 // vary in their own latency. The downside of this is that guards
66 // can change frequently, so we'd be building a lot more circuits
67 // most likely.
70 #ifdef TOR_UNIT_TESTS
71 /** If set, we're running the unit tests: we should avoid clobbering
72 * our state file or accessing get_options() or get_or_state() */
74 #else
75 #define unit_tests 0
78 /** Return a pointer to the data structure describing our current circuit
79 * build time history and computations. */
82 {
84 }
86 /** As get_circuit_build_times, but return a mutable pointer. */
87 circuit_build_times_t *
89 {
91 }
93 /** Return the time to wait before actually closing an under-construction, in
94 * milliseconds. */
95 double
97 {
99 }
101 /** Return the time to wait before giving up on an under-construction circuit,
102 * in milliseconds. */
103 double
105 {
107 }
109 /**
110 * This function decides if CBT learning should be disabled. It returns
111 * true if one or more of the following conditions are met:
112 *
113 * 1. If the cbtdisabled consensus parameter is set.
114 * 2. If the torrc option LearnCircuitBuildTimeout is false.
115 * 3. If we are a directory authority
116 * 4. If we fail to write circuit build time history to our state file.
117 * 5. If we are configured in Single Onion mode
118 */
119 int
121 {
123 }
125 /** As circuit_build_times_disabled, but take options as an argument. */
126 int
129 {
139 /* LearnCircuitBuildTimeout and Single Onion Services are
140 * incompatible in two ways:
141 *
142 * - LearnCircuitBuildTimeout results in a low CBT, which
143 * Single Onion use of one-hop intro and rendezvous circuits lowers
144 * much further, producing *far* too many timeouts.
145 *
146 * - The adaptive CBT code does not update its timeout estimate
147 * using build times for single-hop circuits.
148 *
149 * If we fix both of these issues someday, we should test
150 * these modes with LearnCircuitBuildTimeout on again. */
152 options);
156 #if 0
158 "CircuitBuildTime learning is disabled. "
161 state_disabled);
165 #if 0
167 "CircuitBuildTime learning is not disabled. "
170 state_disabled);
173 }
174 }
175 }
177 /**
178 * Retrieve and bounds-check the cbtmaxtimeouts consensus parameter.
179 *
180 * Effect: When this many timeouts happen in the last 'cbtrecentcount'
181 * circuit attempts, the client should discard all of its history and
182 * begin learning a fresh timeout value.
183 */
184 static int32_t
186 {
190 CBT_DEFAULT_MAX_RECENT_TIMEOUT_COUNT,
191 CBT_MIN_MAX_RECENT_TIMEOUT_COUNT,
192 CBT_MAX_MAX_RECENT_TIMEOUT_COUNT);
196 "circuit_build_times_max_timeouts() called, cbtmaxtimeouts is"
198 cbt_maxtimeouts);
199 }
202 }
204 /**
205 * Retrieve and bounds-check the cbtnummodes consensus parameter.
206 *
207 * Effect: This value governs how many modes to use in the weighted
208 * average calculation of Pareto parameter Xm. A value of 3 introduces
209 * some bias (2-5% of CDF) under ideal conditions, but allows for better
210 * performance in the event that a client chooses guard nodes of radically
211 * different performance characteristics.
212 */
213 static int32_t
215 {
217 CBT_DEFAULT_NUM_XM_MODES,
218 CBT_MIN_NUM_XM_MODES,
219 CBT_MAX_NUM_XM_MODES);
223 "circuit_build_times_default_num_xm_modes() called, cbtnummodes"
225 num);
226 }
229 }
231 /**
232 * Retrieve and bounds-check the cbtmincircs consensus parameter.
233 *
234 * Effect: This is the minimum number of circuits to build before
235 * computing a timeout.
236 */
237 static int32_t
239 {
241 CBT_DEFAULT_MIN_CIRCUITS_TO_OBSERVE,
242 CBT_MIN_MIN_CIRCUITS_TO_OBSERVE,
243 CBT_MAX_MIN_CIRCUITS_TO_OBSERVE);
247 "circuit_build_times_min_circs_to_observe() called, cbtmincircs"
249 num);
250 }
253 }
255 /** Return true iff <b>cbt</b> has recorded enough build times that we
256 * want to start acting on the timeout it implies. */
257 int
259 {
261 }
263 /**
264 * Retrieve and bounds-check the cbtquantile consensus parameter.
265 *
266 * Effect: This is the position on the quantile curve to use to set the
267 * timeout value. It is a percent (10-99).
268 */
269 double
271 {
273 CBT_DEFAULT_QUANTILE_CUTOFF,
274 CBT_MIN_QUANTILE_CUTOFF,
275 CBT_MAX_QUANTILE_CUTOFF);
279 "circuit_build_times_quantile_cutoff() called, cbtquantile"
281 num);
282 }
285 }
287 /**
288 * Retrieve and bounds-check the cbtclosequantile consensus parameter.
289 *
290 * Effect: This is the position on the quantile curve to use to set the
291 * timeout value to use to actually close circuits. It is a percent
292 * (0-99).
293 */
294 static double
296 {
298 /* Cast is safe - circuit_build_times_quantile_cutoff() is capped */
301 CBT_DEFAULT_CLOSE_QUANTILE,
302 CBT_MIN_CLOSE_QUANTILE,
303 CBT_MAX_CLOSE_QUANTILE);
307 "circuit_build_times_close_quantile() called, cbtclosequantile"
309 }
315 }
317 }
319 /**
320 * Retrieve and bounds-check the cbttestfreq consensus parameter.
321 *
322 * Effect: Describes how often in seconds to build a test circuit to
323 * gather timeout values. Only applies if less than 'cbtmincircs'
324 * have been recorded.
325 */
326 static int32_t
328 {
330 CBT_DEFAULT_TEST_FREQUENCY,
331 CBT_MIN_TEST_FREQUENCY,
332 CBT_MAX_TEST_FREQUENCY);
337 num);
338 }
341 }
343 /**
344 * Retrieve and bounds-check the cbtmintimeout consensus parameter.
345 *
346 * Effect: This is the minimum allowed timeout value in milliseconds.
347 * The minimum is to prevent rounding to 0 (we only check once
348 * per second).
349 */
350 static int32_t
352 {
354 CBT_DEFAULT_TIMEOUT_MIN_VALUE,
355 CBT_MIN_TIMEOUT_MIN_VALUE,
356 CBT_MAX_TIMEOUT_MIN_VALUE);
361 num);
362 }
364 }
366 /**
367 * Retrieve and bounds-check the cbtinitialtimeout consensus parameter.
368 *
369 * Effect: This is the timeout value to use before computing a timeout,
370 * in milliseconds.
371 */
372 int32_t
374 {
377 CBT_DEFAULT_TIMEOUT_INITIAL_VALUE,
378 CBT_MIN_TIMEOUT_INITIAL_VALUE,
379 CBT_MAX_TIMEOUT_INITIAL_VALUE);
383 "circuit_build_times_initial_timeout() called, "
385 param);
386 }
392 }
394 }
396 /**
397 * Retrieve and bounds-check the cbtrecentcount consensus parameter.
398 *
399 * Effect: This is the number of circuit build times to keep track of
400 * for deciding if we hit cbtmaxtimeouts and need to reset our state
401 * and learn a new timeout.
402 */
403 static int32_t
405 {
408 CBT_DEFAULT_RECENT_CIRCUITS,
409 CBT_MIN_RECENT_CIRCUITS,
410 CBT_MAX_RECENT_CIRCUITS);
414 "circuit_build_times_recent_circuit_count() called, "
416 num);
417 }
420 }
422 /**
423 * This function is called when we get a consensus update.
424 *
425 * It checks to see if we have changed any consensus parameters
426 * that require reallocation or discard of previous stats.
427 */
428 void
431 {
434 /*
435 * First check if we're doing adaptive timeouts at all; nothing to
436 * update if we aren't.
437 */
447 "many circuits we must track to detect network failures "
452 }
457 /*
458 * Technically this is a circular array that we are reallocating
459 * and memcopying. However, since it only consists of either 1s
460 * or 0s, and is only used in a statistical test to determine when
461 * we should discard our history after a sufficient number of 1's
462 * have been reached, it is fine if order is not preserved or
463 * elements are lost.
464 *
465 * cbtrecentcount should only be changing in cases of severe network
466 * distress anyway, so memory correctness here is paramount over
467 * doing acrobatics to preserve the array.
468 */
474 }
476 // Adjust the index if it needs it.
480 }
485 }
486 /* else no change, nothing to do */
488 /*
489 * Weird. This probably shouldn't happen, so log a warning, but try
490 * to do something sensible anyway.
491 */
494 "The cbtrecentcircs consensus parameter came back zero! "
495 "This disables adaptive timeouts since we can't keep track of "
499 }
501 /*
502 * Adaptive timeouts are disabled; this might be because of the
503 * LearnCircuitBuildTimes config parameter, and hence permanent, or
504 * the cbtdisabled consensus parameter, so it may be a new condition.
505 * Treat it like getting num == 0 above and free the circuit history
506 * if we have any.
507 */
510 }
511 }
513 /**
514 * Return the initial default or configured timeout in milliseconds
515 */
516 static double
518 {
522 /*
523 * Check if we have LearnCircuitBuildTimeout, and if we don't,
524 * always use CircuitBuildTimeout, no questions asked.
525 */
533 }
536 }
539 }
541 /**
542 * Reset the build time state.
543 *
544 * Leave estimated parameters, timeout and network liveness intact
545 * for future use.
546 */
547 STATIC void
549 {
555 // Reset timeout and close counts
559 }
561 /**
562 * Initialize the buildtimes structure for first use.
563 *
564 * Sets the initial timeout values based on either the config setting,
565 * the consensus param, or the default (CBT_DEFAULT_TIMEOUT_INITIAL_VALUE).
566 */
567 void
569 {
571 /*
572 * Check if we really are using adaptive timeouts, and don't keep
573 * track of this stuff if not.
574 */
583 }
586 }
588 /**
589 * Free the saved timeouts, if the cbtdisabled consensus parameter got turned
590 * on or something.
591 */
593 void
595 {
600 }
603 }
605 #if 0
606 /**
607 * Rewind our build time history by n positions.
608 */
609 static void
611 {
620 }
626 }
629 "Rewound history by %d places. Current index: %d. "
631 }
634 /**
635 * Mark this circuit as timed out, but change its purpose
636 * so that it continues to build, allowing us to measure
637 * its full build time.
638 */
639 void
641 {
643 CIRC_EVENT_FAILED,
644 END_CIRC_REASON_TIMEOUT);
646 CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT);
647 /* Record this event to check for too many timeouts
648 * in a row. This function does not record a time value yet
649 * (we do that later); it only counts the fact that we did
650 * have a timeout. We also want to avoid double-counting
651 * already "relaxed" circuits, which are counted in
652 * circuit_expire_building(). */
659 first_hop_succeeded);
660 }
661 }
663 /**
664 * Perform the build time work that needs to be done when a circuit
665 * completes a hop.
666 *
667 * This function decides if we should record a circuit's build time
668 * in our histogram data and other statistics, and if so, records it.
669 * It also will mark circuits that have already timed out as
670 * measurement-only circuits, so they can continue to build but
671 * not get used.
672 *
673 * For this, we want to consider circuits that will eventually make
674 * it to the third hop. For circuits longer than 3 hops, we want to
675 * record their build time when they reach the third hop, but let
676 * them continue (and not count them later). For circuits that are
677 * exactly 3 hops, this will count them when they are completed. We
678 * do this so that CBT is always gathering statistics on circuits
679 * of the same length, regardless of their type.
680 */
681 void
683 {
687 /* If circuit build times are disabled, let circuit_expire_building()
688 * handle it.. */
691 }
693 /* Is this a circuit for which the timeout applies in a straight-forward
694 * way? If so, handle it below. If not, just return (and let
695 * circuit_expire_building() eventually take care of it).
696 */
699 }
704 /* Check if we would have timed out already. If so, change the
705 * purpose here. But don't do any timeout handling here if there
706 * are no circuits opened yet. Save it for circuit_expire_building()
707 * (to allow it to handle timeout "relaxing" over there). */
711 /* Circuits are allowed to last longer for measurement.
712 * Switch their purpose and wait. */
718 }
719 }
721 /* If the circuit is built to exactly the DEFAULT_ROUTE_LEN,
722 * add it to our buildtimes. */
724 /* If the circuit build time is much greater than we would have cut
725 * it off at, we probably had a suspend event along this codepath,
726 * and we should discard the value.
727 */
735 /* Only count circuit times if the network is live */
741 }
746 }
747 }
748 }
749 }
751 /**
752 * Add a new build time value <b>time</b> to the set of build times. Time
753 * units are milliseconds.
754 *
755 * circuit_build_times <b>cbt</b> is a circular array, so loop around when
756 * array is full.
757 */
758 int
760 {
766 }
776 /* Save state every n circuit builds */
779 }
782 }
784 /**
785 * Return maximum circuit build time
786 */
787 static build_time_t
789 {
796 }
798 }
800 #if 0
801 /** Return minimum circuit build time */
802 build_time_t
804 {
811 }
814 }
816 }
819 /**
820 * Calculate and return a histogram for the set of build times.
821 *
822 * Returns an allocated array of histrogram bins representing
823 * the frequency of index*CBT_BIN_WIDTH millisecond
824 * build times. Also outputs the number of bins in nbins.
825 *
826 * The return value must be freed by the caller.
827 */
831 {
839 // calculate histogram
847 }
850 }
852 /**
853 * Return the Pareto start-of-curve parameter Xm.
854 *
855 * Because we are not a true Pareto curve, we compute this as the
856 * weighted average of the N most frequent build time bins. N is either
857 * 1 if we don't have enough circuit build time data collected, or
858 * determined by the consensus parameter cbtnummodes (default 3).
859 */
860 static build_time_t
862 {
874 // Only use one mode if < 1000 buildtimes. Not enough data
875 // for multiple.
881 /* Determine the N most common build times */
885 }
892 }
893 }
894 }
901 }
903 /* bin_counts can become zero if all of our last CBT_NCIRCUITS_TO_OBSERVE
904 * circuits were abandoned before they completed. This shouldn't happen,
905 * though. We should have reset/re-learned a lower timeout first. */
909 "No valid circuit build time data out of %d times, %u modes, "
913 }
919 done:
924 }
926 /**
927 * Output a histogram of current circuit build times to
928 * the or_state_t state structure.
929 */
930 void
933 {
940 // write to state
951 }
954 // compress the histogram by skipping the blanks
961 }
966 }
969 }
971 /**
972 * Shuffle the build times array.
973 *
974 * Adapted from http://en.wikipedia.org/wiki/Fisher-Yates_shuffle
975 */
976 static void
980 {
984 "uses to calculate build times is less than the number stored "
985 "in your state file. Decreasing the circuit time history from "
987 CBT_NCIRCUITS_TO_OBSERVE);
988 }
992 "observations in your state file. That's far too many; probably "
995 }
997 /* This code can only be run on a compact array */
1003 }
1005 /* Since the times are now shuffled, take a random CBT_NCIRCUITS_TO_OBSERVE
1006 * subset (ie the first CBT_NCIRCUITS_TO_OBSERVE values) */
1009 }
1010 }
1012 /**
1013 * Filter old synthetic timeouts that were created before the
1014 * new right-censored Pareto calculation was deployed.
1015 *
1016 * Once all clients before 0.2.1.13-alpha are gone, this code
1017 * will be unused.
1018 */
1019 static int
1021 {
1032 num_filtered++;
1037 }
1038 }
1041 "We had %d timeouts out of %d build times, "
1047 }
1049 /**
1050 * Load histogram from <b>state</b>, shuffling the resulting array
1051 * after we do so. Use this result to estimate parameters and
1052 * calculate the timeout.
1053 *
1054 * Return -1 on error.
1055 */
1056 int
1059 {
1070 }
1072 /* build_time_t 0 means uninitialized */
1090 build_time_t ms;
1101 }
1111 }
1116 "Too many build times in state file. "
1122 }
1126 }
1127 N++;
1130 }
1131 }
1137 }
1141 "Corrupt state file? Build times count mismatch. "
1147 }
1151 /* Verify that we didn't overwrite any indexes */
1155 tot_values++;
1156 }
1164 "Corrupt state file? Shuffled build times mismatch. "
1170 }
1176 }
1178 done:
1181 }
1183 /**
1184 * Estimates the Xm and Alpha parameters using
1185 * http://en.wikipedia.org/wiki/Pareto_distribution#Parameter_estimation
1186 *
1187 * The notable difference is that we use mode instead of min to estimate Xm.
1188 * This is because our distribution is frechet-like. We claim this is
1189 * an acceptable approximation because we are only concerned with the
1190 * accuracy of the CDF of the tail.
1191 */
1192 STATIC int
1194 {
1200 /* http://en.wikipedia.org/wiki/Pareto_distribution#Parameter_estimation */
1201 /* We sort of cheat here and make our samples slightly more pareto-like
1202 * and less frechet-like. */
1205 /* If Xm came back 0, then too many circuits were abandoned. */
1214 }
1219 abandoned_count++;
1224 }
1225 n++;
1226 }
1228 /*
1229 * We are erring and asserting here because this can only happen
1230 * in codepaths other than startup. The startup state parsing code
1231 * performs this same check, and resets state if it hits it. If we
1232 * hit it at runtime, something serious has gone wrong.
1233 */
1237 }
1241 /* This can happen if Xm is actually the *maximum* value in the set.
1242 * It can also happen if we've abandoned every single circuit somehow.
1243 * In either case, tell the caller not to compute a new build timeout. */
1245 "Could not determine largest build time (%d). "
1249 }
1254 // Estimator comes from Eq #4 in:
1255 // "Bayesian estimation based on trimmed samples from Pareto populations"
1256 // by Arturo J. Fernández. We are right-censored only.
1262 }
1264 /**
1265 * This is the Pareto Quantile Function. It calculates the point x
1266 * in the distribution such that F(x) = quantile (ie quantile*100%
1267 * of the mass of the density function is below x on the curve).
1268 *
1269 * We use it to calculate the timeout and also to generate synthetic
1270 * values of time for circuits that timeout before completion.
1271 *
1272 * See http://en.wikipedia.org/wiki/Quantile_function,
1273 * http://en.wikipedia.org/wiki/Inverse_transform_sampling and
1274 * http://en.wikipedia.org/wiki/Pareto_distribution#Generating_a_
1275 * random_sample_from_Pareto_distribution
1276 * That's right. I'll cite wikipedia all day long.
1277 *
1278 * Return value is in milliseconds, clamped to INT32_MAX.
1279 */
1280 STATIC double
1283 {
1289 /* If either alpha or p are 0, we would divide by zero, yielding an
1290 * infinite (double) result; which would be clamped to INT32_MAX.
1291 * Instead, initialise ret to INT32_MAX, and skip over these
1292 * potentially illegal/trapping divides by zero.
1293 */
1301 }
1302 }
1306 }
1309 }
1311 #ifdef TOR_UNIT_TESTS
1312 /** Pareto CDF */
1313 double
1315 {
1321 }
1324 #ifdef TOR_UNIT_TESTS
1325 /**
1326 * Generate a synthetic time using our distribution parameters.
1327 *
1328 * The return value will be within the [q_lo, q_hi) quantile points
1329 * on the CDF.
1330 */
1331 build_time_t
1334 {
1336 build_time_t ret;
1339 /* Generate between [q_lo, q_hi) */
1340 /*XXXX This is what nextafter is supposed to be for; we should use it on the
1341 * platforms that support it. */
1351 /* circuit_build_times_calculate_timeout returns <= INT32_MAX */
1356 }
1359 #ifdef TOR_UNIT_TESTS
1360 /**
1361 * Estimate an initial alpha parameter by solving the quantile
1362 * function with a quantile point and a specific timeout value.
1363 */
1364 void
1367 {
1368 // Q(u) = Xm/((1-u)^(1/a))
1369 // Q(0.8) = Xm/((1-0.8))^(1/a)) = CircBuildTimeout
1370 // CircBuildTimeout = Xm/((1-0.8))^(1/a))
1371 // CircBuildTimeout = Xm*((1-0.8))^(-1/a))
1372 // ln(CircBuildTimeout) = ln(Xm)+ln(((1-0.8)))*(-1/a)
1373 // -ln(1-0.8)/(ln(CircBuildTimeout)-ln(Xm))=a
1379 }
1382 /**
1383 * Returns true if we need circuits to be built
1384 */
1385 int
1387 {
1388 /* Return true if < MIN_CIRCUITS_TO_OBSERVE */
1390 }
1392 /**
1393 * Returns true if we should build a timeout test circuit
1394 * right now.
1395 */
1396 int
1398 {
1401 }
1403 /**
1404 * How long should we be unreachable before we think we need to check if
1405 * our published IP address has changed.
1406 */
1407 #define CIRCUIT_TIMEOUT_BEFORE_RECHECK_IP (60*3)
1409 /**
1410 * Called to indicate that the network showed some signs of liveness,
1411 * i.e. we received a cell.
1412 *
1413 * This is used by circuit_build_times_network_check_live() to decide
1414 * if we should record the circuit build timeout or not.
1415 *
1416 * This function is called every time we receive a cell. Avoid
1417 * syscalls, events, and other high-intensity work.
1418 */
1419 void
1421 {
1426 "Tor now sees network activity. Restoring circuit build "
1427 "timeout recording. Network was down for %d seconds "
1433 }
1437 /* Tell control.c */
1439 }
1441 /**
1442 * Non-destructively scale all of our circuit success, timeout, and close
1443 * counts down by a factor of two. Scaling in this way preserves the
1444 * ratios between succeeded vs timed out vs closed circuits, so that
1445 * our statistics don't change when we scale.
1446 *
1447 * This is used only in the rare event that we build more than
1448 * INT32_MAX circuits. Since the num_circ_* variables are
1449 * uint32_t, we won't even be close to overflowing them.
1450 */
1451 void
1453 {
1457 }
1459 /**
1460 * Called to indicate that we "completed" a circuit. Because this circuit
1461 * succeeded, it doesn't count as a timeout-after-the-first-hop.
1462 *
1463 * (For the purposes of the cbt code, we consider a circuit "completed" if
1464 * it has 3 hops, regardless of its final hop count. We do this because
1465 * we're trying to answer the question, "how long should a circuit take to
1466 * reach the 3-hop count".)
1467 *
1468 * This is used by circuit_build_times_network_check_changed() to determine
1469 * if we had too many recent timeouts and need to reset our learned timeout
1470 * to something higher.
1471 */
1472 void
1474 {
1475 // Count circuit success
1478 // If we're going to wrap int32, scale everything
1481 }
1483 /* Check for NULLness because we might not be using adaptive timeouts */
1490 }
1491 }
1493 /**
1494 * A circuit just timed out. If it failed after the first hop, record it
1495 * in our history for later deciding if the network speed has changed.
1496 *
1497 * This is used by circuit_build_times_network_check_changed() to determine
1498 * if we had too many recent timeouts and need to reset our learned timeout
1499 * to something higher.
1500 */
1501 static void
1504 {
1505 // Count circuit timeout
1508 // If we're going to wrap int32, scale everything
1511 }
1513 /* Check for NULLness because we might not be using adaptive timeouts */
1521 }
1522 }
1523 }
1525 /**
1526 * A circuit was just forcibly closed. If there has been no recent network
1527 * activity at all, but this circuit was launched back when we thought the
1528 * network was live, increment the number of "nonlive" circuit timeouts.
1529 *
1530 * This is used by circuit_build_times_network_check_live() to decide
1531 * if we should record the circuit build timeout or not.
1532 */
1533 static void
1536 {
1539 // Count circuit close
1542 // If we're going to wrap int32, scale everything
1545 }
1547 /*
1548 * Check if this is a timeout that was for a circuit that spent its
1549 * entire existence during a time where we have had no network activity.
1550 */
1560 "A circuit somehow completed a hop while the network was "
1561 "not live. The network was last live at %s, but the circuit "
1562 "launched at %s. It's now %s. This could mean your clock "
1564 }
1568 "Tor has not observed any network activity for the past %d "
1572 /* Tell control.c */
1578 }
1579 }
1580 }
1582 /**
1583 * When the network is not live, we do not record circuit build times.
1584 *
1585 * The network is considered not live if there has been at least one
1586 * circuit build that began and ended (had its close_ms measurement
1587 * period expire) since we last received a cell.
1588 *
1589 * Also has the side effect of rewinding the circuit time history
1590 * in the case of recent liveness changes.
1591 */
1592 int
1594 {
1597 }
1600 }
1602 /**
1603 * Returns true if we have seen more than MAX_RECENT_TIMEOUT_COUNT of
1604 * the past RECENT_CIRCUITS time out after the first hop. Used to detect
1605 * if the network connection has changed significantly, and if so,
1606 * resets our circuit build timeout to the default.
1607 *
1608 * Also resets the entire timeout history in this case and causes us
1609 * to restart the process of building test circuits and estimating a
1610 * new timeout.
1611 */
1612 STATIC int
1614 {
1621 /* how many of our recent circuits made it to the first hop but then
1622 * timed out? */
1625 }
1626 }
1628 /* If 80% of our recent circuits are timing out after the first hop,
1629 * we need to re-estimate a new initial alpha and timeout. */
1632 }
1640 }
1643 #define MAX_TIMEOUT ((int32_t) (INT32_MAX/2))
1644 /* Check to see if this has happened before. If so, double the timeout
1645 * to give clients on abysmally bad network connections a shot at access */
1654 }
1658 }
1659 #undef MAX_TIMEOUT
1664 "Your network connection speed appears to have changed. Resetting "
1667 total_build_times);
1670 }
1672 /**
1673 * Count the number of timeouts in a set of cbt data.
1674 */
1675 double
1677 {
1681 timeouts++;
1682 }
1683 }
1689 }
1691 /**
1692 * Count the number of closed circuits in a set of cbt data.
1693 */
1694 double
1696 {
1700 closed++;
1701 }
1702 }
1708 }
1710 /**
1711 * Store a timeout as a synthetic value.
1712 *
1713 * Returns true if the store was successful and we should possibly
1714 * update our timeout estimate.
1715 */
1716 int
1720 {
1725 }
1727 /* Record this force-close to help determine if the network is dead */
1730 /* Only count timeouts if network is live.. */
1733 }
1737 }
1739 /**
1740 * Update timeout counts to determine if we need to expire
1741 * our build time history due to excessive timeouts.
1742 *
1743 * We do not record any actual time values at this stage;
1744 * we are only interested in recording the fact that a timeout
1745 * happened. We record the time values via
1746 * circuit_build_times_count_close() and circuit_build_times_add_time().
1747 */
1748 void
1751 {
1756 }
1758 /* Register the fact that a timeout just occurred. */
1761 /* If there are a ton of timeouts, we should reset
1762 * the circuit build timeout. */
1764 }
1766 /**
1767 * Estimate a new timeout based on history and set our timeout
1768 * variable accordingly.
1769 */
1770 static int
1772 {
1773 build_time_t max_time;
1790 "Circuit build timeout of %dms is beyond the maximum build "
1794 }
1798 "Circuit build measurement period of %dms is more than twice "
1799 "the maximum build time we have ever observed. Capping it to "
1802 }
1804 /* Sometimes really fast guard nodes give us such a steep curve
1805 * that this ends up being not that much greater than timeout_ms.
1806 * Make it be at least 1 min to handle this case. */
1811 }
1813 /**
1814 * Exposed function to compute a new timeout. Dispatches events and
1815 * also filters out extremely high timeout values.
1816 */
1817 void
1819 {
1823 /*
1824 * Just return if we aren't using adaptive timeouts
1825 */
1837 /* This shouldn't happen because of MAX() in timeout_worker above,
1838 * but doing it just in case */
1840 }
1841 }
1849 "Based on %d circuit times, it looks like we don't need to "
1850 "wait so long for circuits to finish. We will now assume a "
1857 timeout_rate);
1860 "Based on %d circuit times, it looks like we need to wait "
1861 "longer for circuits to finish. We will now assume a "
1868 timeout_rate);
1871 "Set circuit build timeout to %lds (%fms, %fms, Xm: %d, a: %f,"
1876 }
1877 }
1879 #ifdef TOR_UNIT_TESTS
1880 /** Make a note that we're running unit tests (rather than running Tor
1881 * itself), so we avoid clobbering our state file. */
1882 void
1884 {
1886 }
1889 void
1891 {
1893 }
1895 static void
1897 buildtimeout_set_event_t type)
1898 {
1915 }
1917 /* The timeout rate is the ratio of the timeout count over
1918 * the total number of circuits attempted. The total number of
1919 * circuits is (timeouts+succeeded), since every circuit
1920 * either succeeds, or times out. "Closed" circuits are
1921 * MEASURE_TIMEOUT circuits whose measurement period expired.
1922 * All MEASURE_TIMEOUT circuits are counted in the timeouts stat
1923 * before transitioning to MEASURE_TIMEOUT (in
1924 * circuit_build_times_mark_circ_as_measurement_only()).
1925 * MEASURE_TIMEOUT circuits that succeed are *not* counted as
1926 * "succeeded". See circuit_build_times_handle_completed_hop().
1927 *
1928 * We cast the denominator
1929 * to promote it to double before the addition, to avoid int32
1930 * overflow. */
1936 }
1939 "TIMEOUT_MS=%lu XM=%lu ALPHA=%f CUTOFF_QUANTILE=%f "
1944 timeout_rate,
1946 close_rate);
1951 }