| blob | 7cc69b3b4c7f279a3a0d590f25cf382582510dbb |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2019, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file circuitstats.c
9 *
10 * \brief Maintains and analyzes statistics about circuit built times, so we
11 * can tell how long we may need to wait for a fast circuit to be constructed.
12 *
13 * By keeping these statistics, a client learns when it should time out a slow
14 * circuit for being too slow, and when it should keep a circuit open in order
15 * to wait for it to complete.
16 *
17 * The information here is kept in a circuit_built_times_t structure, which is
18 * currently a singleton, but doesn't need to be. It's updated by calls to
19 * circuit_build_times_count_timeout() from circuituse.c,
20 * circuit_build_times_count_close() from circuituse.c, and
21 * circuit_build_times_add_time() from circuitbuild.c, and inspected by other
22 * calls into this module, mostly from circuitlist.c. Observations are
23 * persisted to disk via the or_state_t-related calls.
24 */
26 #define CIRCUITSTATS_PRIVATE
52 #undef log
53 #include <math.h>
57 buildtimeout_set_event_t type);
60 #define CBT_BIN_TO_MS(bin) ((bin)*CBT_BIN_WIDTH + (CBT_BIN_WIDTH/2))
62 /** Global list of circuit build times */
63 // XXXX: Add this as a member for entry_guard_t instead of global?
64 // Then we could do per-guard statistics, as guards are likely to
65 // vary in their own latency. The downside of this is that guards
66 // can change frequently, so we'd be building a lot more circuits
67 // most likely.
70 #ifdef TOR_UNIT_TESTS
71 /** If set, we're running the unit tests: we should avoid clobbering
72 * our state file or accessing get_options() or get_or_state() */
74 #else
75 #define unit_tests 0
78 /** Return a pointer to the data structure describing our current circuit
79 * build time history and computations. */
82 {
84 }
86 /** As get_circuit_build_times, but return a mutable pointer. */
87 circuit_build_times_t *
89 {
91 }
93 /** Return the time to wait before actually closing an under-construction, in
94 * milliseconds. */
95 double
97 {
99 }
101 /** Return the time to wait before giving up on an under-construction circuit,
102 * in milliseconds. */
103 double
105 {
107 }
109 /**
110 * This function decides if CBT learning should be disabled. It returns
111 * true if one or more of the following conditions are met:
112 *
113 * 1. If the cbtdisabled consensus parameter is set.
114 * 2. If the torrc option LearnCircuitBuildTimeout is false.
115 * 3. If we are a directory authority
116 * 4. If we fail to write circuit build time history to our state file.
117 * 5. If we are configured in Single Onion mode
118 */
119 int
121 {
123 }
125 /** As circuit_build_times_disabled, but take options as an argument. */
126 int
129 {
139 /* LearnCircuitBuildTimeout and Single Onion Services are
140 * incompatible in two ways:
141 *
142 * - LearnCircuitBuildTimeout results in a low CBT, which
143 * Single Onion use of one-hop intro and rendezvous circuits lowers
144 * much further, producing *far* too many timeouts.
145 *
146 * - The adaptive CBT code does not update its timeout estimate
147 * using build times for single-hop circuits.
148 *
149 * If we fix both of these issues someday, we should test
150 * these modes with LearnCircuitBuildTimeout on again. */
152 options);
156 #if 0
158 "CircuitBuildTime learning is disabled. "
161 state_disabled);
165 #if 0
167 "CircuitBuildTime learning is not disabled. "
170 state_disabled);
173 }
174 }
175 }
177 /**
178 * Retrieve and bounds-check the cbtmaxtimeouts consensus parameter.
179 *
180 * Effect: When this many timeouts happen in the last 'cbtrecentcount'
181 * circuit attempts, the client should discard all of its history and
182 * begin learning a fresh timeout value.
183 */
184 static int32_t
186 {
190 CBT_DEFAULT_MAX_RECENT_TIMEOUT_COUNT,
191 CBT_MIN_MAX_RECENT_TIMEOUT_COUNT,
192 CBT_MAX_MAX_RECENT_TIMEOUT_COUNT);
196 "circuit_build_times_max_timeouts() called, cbtmaxtimeouts is"
198 cbt_maxtimeouts);
199 }
202 }
204 /**
205 * Retrieve and bounds-check the cbtnummodes consensus parameter.
206 *
207 * Effect: This value governs how many modes to use in the weighted
208 * average calculation of Pareto parameter Xm. A value of 3 introduces
209 * some bias (2-5% of CDF) under ideal conditions, but allows for better
210 * performance in the event that a client chooses guard nodes of radically
211 * different performance characteristics.
212 */
213 static int32_t
215 {
217 CBT_DEFAULT_NUM_XM_MODES,
218 CBT_MIN_NUM_XM_MODES,
219 CBT_MAX_NUM_XM_MODES);
223 "circuit_build_times_default_num_xm_modes() called, cbtnummodes"
225 num);
226 }
229 }
231 /**
232 * Retrieve and bounds-check the cbtmincircs consensus parameter.
233 *
234 * Effect: This is the minimum number of circuits to build before
235 * computing a timeout.
236 */
237 static int32_t
239 {
241 CBT_DEFAULT_MIN_CIRCUITS_TO_OBSERVE,
242 CBT_MIN_MIN_CIRCUITS_TO_OBSERVE,
243 CBT_MAX_MIN_CIRCUITS_TO_OBSERVE);
247 "circuit_build_times_min_circs_to_observe() called, cbtmincircs"
249 num);
250 }
253 }
255 /** Return true iff <b>cbt</b> has recorded enough build times that we
256 * want to start acting on the timeout it implies. */
257 int
259 {
261 }
263 /**
264 * Retrieve and bounds-check the cbtquantile consensus parameter.
265 *
266 * Effect: This is the position on the quantile curve to use to set the
267 * timeout value. It is a percent (10-99).
268 */
269 double
271 {
273 CBT_DEFAULT_QUANTILE_CUTOFF,
274 CBT_MIN_QUANTILE_CUTOFF,
275 CBT_MAX_QUANTILE_CUTOFF);
279 "circuit_build_times_quantile_cutoff() called, cbtquantile"
281 num);
282 }
285 }
287 /**
288 * Retrieve and bounds-check the cbtclosequantile consensus parameter.
289 *
290 * Effect: This is the position on the quantile curve to use to set the
291 * timeout value to use to actually close circuits. It is a percent
292 * (0-99).
293 */
294 static double
296 {
298 /* Cast is safe - circuit_build_times_quantile_cutoff() is capped */
301 CBT_DEFAULT_CLOSE_QUANTILE,
302 CBT_MIN_CLOSE_QUANTILE,
303 CBT_MAX_CLOSE_QUANTILE);
307 "circuit_build_times_close_quantile() called, cbtclosequantile"
309 }
315 }
317 }
319 /**
320 * Retrieve and bounds-check the cbttestfreq consensus parameter.
321 *
322 * Effect: Describes how often in seconds to build a test circuit to
323 * gather timeout values. Only applies if less than 'cbtmincircs'
324 * have been recorded.
325 */
326 static int32_t
328 {
330 CBT_DEFAULT_TEST_FREQUENCY,
331 CBT_MIN_TEST_FREQUENCY,
332 CBT_MAX_TEST_FREQUENCY);
337 num);
338 }
341 }
343 /**
344 * Retrieve and bounds-check the cbtmintimeout consensus parameter.
345 *
346 * Effect: This is the minimum allowed timeout value in milliseconds.
347 * The minimum is to prevent rounding to 0 (we only check once
348 * per second).
349 */
350 static int32_t
352 {
354 CBT_DEFAULT_TIMEOUT_MIN_VALUE,
355 CBT_MIN_TIMEOUT_MIN_VALUE,
356 CBT_MAX_TIMEOUT_MIN_VALUE);
361 num);
362 }
364 }
366 /**
367 * Retrieve and bounds-check the cbtinitialtimeout consensus parameter.
368 *
369 * Effect: This is the timeout value to use before computing a timeout,
370 * in milliseconds.
371 */
372 int32_t
374 {
377 CBT_DEFAULT_TIMEOUT_INITIAL_VALUE,
378 CBT_MIN_TIMEOUT_INITIAL_VALUE,
379 CBT_MAX_TIMEOUT_INITIAL_VALUE);
383 "circuit_build_times_initial_timeout() called, "
385 param);
386 }
392 }
394 }
396 /**
397 * Retrieve and bounds-check the cbtrecentcount consensus parameter.
398 *
399 * Effect: This is the number of circuit build times to keep track of
400 * for deciding if we hit cbtmaxtimeouts and need to reset our state
401 * and learn a new timeout.
402 */
403 static int32_t
405 {
408 CBT_DEFAULT_RECENT_CIRCUITS,
409 CBT_MIN_RECENT_CIRCUITS,
410 CBT_MAX_RECENT_CIRCUITS);
414 "circuit_build_times_recent_circuit_count() called, "
416 num);
417 }
420 }
422 /**
423 * This function is called when we get a consensus update.
424 *
425 * It checks to see if we have changed any consensus parameters
426 * that require reallocation or discard of previous stats.
427 */
428 void
431 {
434 /*
435 * First check if we're doing adaptive timeouts at all; nothing to
436 * update if we aren't.
437 */
447 "many circuits we must track to detect network failures "
452 }
457 /*
458 * Technically this is a circular array that we are reallocating
459 * and memcopying. However, since it only consists of either 1s
460 * or 0s, and is only used in a statistical test to determine when
461 * we should discard our history after a sufficient number of 1's
462 * have been reached, it is fine if order is not preserved or
463 * elements are lost.
464 *
465 * cbtrecentcount should only be changing in cases of severe network
466 * distress anyway, so memory correctness here is paramount over
467 * doing acrobatics to preserve the array.
468 */
474 }
476 // Adjust the index if it needs it.
480 }
485 }
486 /* else no change, nothing to do */
488 /*
489 * Weird. This probably shouldn't happen, so log a warning, but try
490 * to do something sensible anyway.
491 */
494 "The cbtrecentcircs consensus parameter came back zero! "
495 "This disables adaptive timeouts since we can't keep track of "
499 }
501 /*
502 * Adaptive timeouts are disabled; this might be because of the
503 * LearnCircuitBuildTimes config parameter, and hence permanent, or
504 * the cbtdisabled consensus parameter, so it may be a new condition.
505 * Treat it like getting num == 0 above and free the circuit history
506 * if we have any.
507 */
510 }
511 }
513 /**
514 * Return the initial default or configured timeout in milliseconds
515 */
516 static double
518 {
522 /*
523 * Check if we have LearnCircuitBuildTimeout, and if we don't,
524 * always use CircuitBuildTimeout, no questions asked.
525 */
533 }
536 }
539 }
541 /**
542 * Reset the build time state.
543 *
544 * Leave estimated parameters, timeout and network liveness intact
545 * for future use.
546 */
547 STATIC void
549 {
555 // Reset timeout and close counts
559 }
561 /**
562 * Initialize the buildtimes structure for first use.
563 *
564 * Sets the initial timeout values based on either the config setting,
565 * the consensus param, or the default (CBT_DEFAULT_TIMEOUT_INITIAL_VALUE).
566 */
567 void
569 {
571 /*
572 * Check if we really are using adaptive timeouts, and don't keep
573 * track of this stuff if not.
574 */
583 }
586 }
588 /**
589 * Free the saved timeouts, if the cbtdisabled consensus parameter got turned
590 * on or something.
591 */
593 void
595 {
600 }
603 }
605 #if 0
606 /**
607 * Rewind our build time history by n positions.
608 */
609 static void
611 {
620 }
626 }
629 "Rewound history by %d places. Current index: %d. "
631 }
634 /**
635 * Mark this circuit as timed out, but change its purpose
636 * so that it continues to build, allowing us to measure
637 * its full build time.
638 */
639 void
641 {
643 CIRC_EVENT_FAILED,
644 END_CIRC_REASON_TIMEOUT);
646 CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT);
647 /* Record this event to check for too many timeouts
648 * in a row. This function does not record a time value yet
649 * (we do that later); it only counts the fact that we did
650 * have a timeout. We also want to avoid double-counting
651 * already "relaxed" circuits, which are counted in
652 * circuit_expire_building(). */
659 first_hop_succeeded);
660 }
661 }
663 /**
664 * Perform the build time work that needs to be done when a circuit
665 * completes a hop.
666 *
667 * This function decides if we should record a circuit's build time
668 * in our histogram data and other statistics, and if so, records it.
669 * It also will mark circuits that have already timed out as
670 * measurement-only circuits, so they can continue to build but
671 * not get used.
672 *
673 * For this, we want to consider circuits that will eventually make
674 * it to the third hop. For circuits longer than 3 hops, we want to
675 * record their build time when they reach the third hop, but let
676 * them continue (and not count them later). For circuits that are
677 * exactly 3 hops, this will count them when they are completed. We
678 * do this so that CBT is always gathering statistics on circuits
679 * of the same length, regardless of their type.
680 */
681 void
683 {
687 /* If circuit build times are disabled, let circuit_expire_building()
688 * handle it.. */
691 }
693 /* Is this a circuit for which the timeout applies in a straight-forward
694 * way? If so, handle it below. If not, just return (and let
695 * circuit_expire_building() eventually take care of it).
696 */
699 }
704 /* Check if we would have timed out already. If so, change the
705 * purpose here. But don't do any timeout handling here if there
706 * are no circuits opened yet. Save it for circuit_expire_building()
707 * (to allow it to handle timeout "relaxing" over there). */
711 /* Circuits are allowed to last longer for measurement.
712 * Switch their purpose and wait. */
718 }
719 }
721 /* If the circuit is built to exactly the DEFAULT_ROUTE_LEN,
722 * add it to our buildtimes. */
724 /* If the circuit build time is much greater than we would have cut
725 * it off at, we probably had a suspend event along this codepath,
726 * and we should discard the value.
727 */
735 /* Only count circuit times if the network is live */
741 }
746 }
747 }
748 }
749 }
751 /**
752 * Add a new build time value <b>time</b> to the set of build times. Time
753 * units are milliseconds.
754 *
755 * circuit_build_times <b>cbt</b> is a circular array, so loop around when
756 * array is full.
757 */
758 int
760 {
766 }
776 /* Save state every n circuit builds */
779 }
782 }
784 /**
785 * Return maximum circuit build time
786 */
787 static build_time_t
789 {
796 }
798 }
800 #if 0
801 /** Return minimum circuit build time */
802 build_time_t
804 {
811 }
814 }
816 }
819 /**
820 * Calculate and return a histogram for the set of build times.
821 *
822 * Returns an allocated array of histrogram bins representing
823 * the frequency of index*CBT_BIN_WIDTH millisecond
824 * build times. Also outputs the number of bins in nbins.
825 *
826 * The return value must be freed by the caller.
827 */
831 {
839 // calculate histogram
847 }
850 }
852 /**
853 * Return the Pareto start-of-curve parameter Xm.
854 *
855 * Because we are not a true Pareto curve, we compute this as the
856 * weighted average of the N most frequent build time bins. N is either
857 * 1 if we don't have enough circuit build time data collected, or
858 * determined by the consensus parameter cbtnummodes (default 3).
859 */
860 static build_time_t
862 {
874 // Only use one mode if < 1000 buildtimes. Not enough data
875 // for multiple.
881 /* Determine the N most common build times */
885 }
892 }
893 }
894 }
901 }
903 /* bin_counts can become zero if all of our last CBT_NCIRCUITS_TO_OBSERVE
904 * circuits were abandoned before they completed. This shouldn't happen,
905 * though. We should have reset/re-learned a lower timeout first. */
909 "No valid circuit build time data out of %d times, %u modes, "
913 }
919 done:
924 }
926 /**
927 * Output a histogram of current circuit build times to
928 * the or_state_t state structure.
929 */
930 void
933 {
940 // write to state
951 }
954 // compress the histogram by skipping the blanks
961 }
966 }
969 }
971 /**
972 * Shuffle the build times array.
973 *
974 * Adapted from http://en.wikipedia.org/wiki/Fisher-Yates_shuffle
975 */
976 static void
980 {
984 "uses to calculate build times is less than the number stored "
985 "in your state file. Decreasing the circuit time history from "
987 CBT_NCIRCUITS_TO_OBSERVE);
988 }
992 "observations in your state file. That's far too many; probably "
995 }
997 /* This code can only be run on a compact array */
1003 }
1005 /* Since the times are now shuffled, take a random CBT_NCIRCUITS_TO_OBSERVE
1006 * subset (ie the first CBT_NCIRCUITS_TO_OBSERVE values) */
1009 }
1010 }
1012 /**
1013 * Load histogram from <b>state</b>, shuffling the resulting array
1014 * after we do so. Use this result to estimate parameters and
1015 * calculate the timeout.
1016 *
1017 * Return -1 on error.
1018 */
1019 int
1022 {
1033 }
1035 /* build_time_t 0 means uninitialized */
1053 build_time_t ms;
1064 }
1074 }
1079 "Too many build times in state file. "
1085 }
1089 }
1090 N++;
1093 }
1094 }
1100 }
1104 "Corrupt state file? Build times count mismatch. "
1110 }
1114 /* Verify that we didn't overwrite any indexes */
1118 tot_values++;
1119 }
1127 "Corrupt state file? Shuffled build times mismatch. "
1133 }
1137 done:
1140 }
1142 /**
1143 * Estimates the Xm and Alpha parameters using
1144 * http://en.wikipedia.org/wiki/Pareto_distribution#Parameter_estimation
1145 *
1146 * The notable difference is that we use mode instead of min to estimate Xm.
1147 * This is because our distribution is frechet-like. We claim this is
1148 * an acceptable approximation because we are only concerned with the
1149 * accuracy of the CDF of the tail.
1150 */
1151 STATIC int
1153 {
1159 /* http://en.wikipedia.org/wiki/Pareto_distribution#Parameter_estimation */
1160 /* We sort of cheat here and make our samples slightly more pareto-like
1161 * and less frechet-like. */
1164 /* If Xm came back 0, then too many circuits were abandoned. */
1173 }
1177 n++;
1179 abandoned_count++;
1184 n++;
1185 }
1186 }
1188 /*
1189 * We are erring and asserting here because this can only happen
1190 * in codepaths other than startup. The startup state parsing code
1191 * performs this same check, and resets state if it hits it. If we
1192 * hit it at runtime, something serious has gone wrong.
1193 */
1197 }
1201 /* This can happen if Xm is actually the *maximum* value in the set.
1202 * It can also happen if we've abandoned every single circuit somehow.
1203 * In either case, tell the caller not to compute a new build timeout. */
1205 "Could not determine largest build time (%d). "
1209 }
1211 /* This is the "Maximum Likelihood Estimator" for parameter alpha of a Pareto
1212 * Distribution. See:
1213 * https://en.wikipedia.org/wiki/Pareto_distribution#Estimation_of_parameters
1214 *
1215 * The division in the estimator is done with subtraction outside the ln(),
1216 * with the sum occurring in the for loop above.
1217 *
1218 * This done is to avoid the precision issues of logs of small values.
1219 */
1226 }
1228 /**
1229 * This is the Pareto Quantile Function. It calculates the point x
1230 * in the distribution such that F(x) = quantile (ie quantile*100%
1231 * of the mass of the density function is below x on the curve).
1232 *
1233 * We use it to calculate the timeout and also to generate synthetic
1234 * values of time for circuits that timeout before completion.
1235 *
1236 * See http://en.wikipedia.org/wiki/Quantile_function,
1237 * http://en.wikipedia.org/wiki/Inverse_transform_sampling and
1238 * http://en.wikipedia.org/wiki/Pareto_distribution#Generating_a_
1239 * random_sample_from_Pareto_distribution
1240 * That's right. I'll cite wikipedia all day long.
1241 *
1242 * Return value is in milliseconds, clamped to INT32_MAX.
1243 */
1244 STATIC double
1247 {
1253 /* If either alpha or p are 0, we would divide by zero, yielding an
1254 * infinite (double) result; which would be clamped to INT32_MAX.
1255 * Instead, initialise ret to INT32_MAX, and skip over these
1256 * potentially illegal/trapping divides by zero.
1257 */
1265 }
1266 }
1270 }
1273 }
1275 #ifdef TOR_UNIT_TESTS
1276 /** Pareto CDF */
1277 double
1279 {
1285 }
1288 #ifdef TOR_UNIT_TESTS
1289 /**
1290 * Generate a synthetic time using our distribution parameters.
1291 *
1292 * The return value will be within the [q_lo, q_hi) quantile points
1293 * on the CDF.
1294 */
1295 build_time_t
1298 {
1300 build_time_t ret;
1303 /* Generate between [q_lo, q_hi) */
1304 /*XXXX This is what nextafter is supposed to be for; we should use it on the
1305 * platforms that support it. */
1315 /* circuit_build_times_calculate_timeout returns <= INT32_MAX */
1320 }
1323 #ifdef TOR_UNIT_TESTS
1324 /**
1325 * Estimate an initial alpha parameter by solving the quantile
1326 * function with a quantile point and a specific timeout value.
1327 */
1328 void
1331 {
1332 // Q(u) = Xm/((1-u)^(1/a))
1333 // Q(0.8) = Xm/((1-0.8))^(1/a)) = CircBuildTimeout
1334 // CircBuildTimeout = Xm/((1-0.8))^(1/a))
1335 // CircBuildTimeout = Xm*((1-0.8))^(-1/a))
1336 // ln(CircBuildTimeout) = ln(Xm)+ln(((1-0.8)))*(-1/a)
1337 // -ln(1-0.8)/(ln(CircBuildTimeout)-ln(Xm))=a
1343 }
1346 /**
1347 * Returns true if we need circuits to be built
1348 */
1349 int
1351 {
1352 /* Return true if < MIN_CIRCUITS_TO_OBSERVE */
1354 }
1356 /**
1357 * Returns true if we should build a timeout test circuit
1358 * right now.
1359 */
1360 int
1362 {
1365 }
1367 /**
1368 * How long should we be unreachable before we think we need to check if
1369 * our published IP address has changed.
1370 */
1371 #define CIRCUIT_TIMEOUT_BEFORE_RECHECK_IP (60*3)
1373 /**
1374 * Called to indicate that the network showed some signs of liveness,
1375 * i.e. we received a cell.
1376 *
1377 * This is used by circuit_build_times_network_check_live() to decide
1378 * if we should record the circuit build timeout or not.
1379 *
1380 * This function is called every time we receive a cell. Avoid
1381 * syscalls, events, and other high-intensity work.
1382 */
1383 void
1385 {
1390 "Tor now sees network activity. Restoring circuit build "
1391 "timeout recording. Network was down for %d seconds "
1397 }
1401 /* Tell control.c */
1403 }
1405 /**
1406 * Non-destructively scale all of our circuit success, timeout, and close
1407 * counts down by a factor of two. Scaling in this way preserves the
1408 * ratios between succeeded vs timed out vs closed circuits, so that
1409 * our statistics don't change when we scale.
1410 *
1411 * This is used only in the rare event that we build more than
1412 * INT32_MAX circuits. Since the num_circ_* variables are
1413 * uint32_t, we won't even be close to overflowing them.
1414 */
1415 void
1417 {
1421 }
1423 /**
1424 * Called to indicate that we "completed" a circuit. Because this circuit
1425 * succeeded, it doesn't count as a timeout-after-the-first-hop.
1426 *
1427 * (For the purposes of the cbt code, we consider a circuit "completed" if
1428 * it has 3 hops, regardless of its final hop count. We do this because
1429 * we're trying to answer the question, "how long should a circuit take to
1430 * reach the 3-hop count".)
1431 *
1432 * This is used by circuit_build_times_network_check_changed() to determine
1433 * if we had too many recent timeouts and need to reset our learned timeout
1434 * to something higher.
1435 */
1436 void
1438 {
1439 // Count circuit success
1442 // If we're going to wrap int32, scale everything
1445 }
1447 /* Check for NULLness because we might not be using adaptive timeouts */
1454 }
1455 }
1457 /**
1458 * A circuit just timed out. If it failed after the first hop, record it
1459 * in our history for later deciding if the network speed has changed.
1460 *
1461 * This is used by circuit_build_times_network_check_changed() to determine
1462 * if we had too many recent timeouts and need to reset our learned timeout
1463 * to something higher.
1464 */
1465 static void
1468 {
1469 // Count circuit timeout
1472 // If we're going to wrap int32, scale everything
1475 }
1477 /* Check for NULLness because we might not be using adaptive timeouts */
1485 }
1486 }
1487 }
1489 /**
1490 * A circuit was just forcibly closed. If there has been no recent network
1491 * activity at all, but this circuit was launched back when we thought the
1492 * network was live, increment the number of "nonlive" circuit timeouts.
1493 *
1494 * This is used by circuit_build_times_network_check_live() to decide
1495 * if we should record the circuit build timeout or not.
1496 */
1497 static void
1500 {
1503 // Count circuit close
1506 // If we're going to wrap int32, scale everything
1509 }
1511 /*
1512 * Check if this is a timeout that was for a circuit that spent its
1513 * entire existence during a time where we have had no network activity.
1514 */
1524 "A circuit somehow completed a hop while the network was "
1525 "not live. The network was last live at %s, but the circuit "
1526 "launched at %s. It's now %s. This could mean your clock "
1528 }
1532 "Tor has not observed any network activity for the past %d "
1536 /* Tell control.c */
1542 }
1543 }
1544 }
1546 /**
1547 * When the network is not live, we do not record circuit build times.
1548 *
1549 * The network is considered not live if there has been at least one
1550 * circuit build that began and ended (had its close_ms measurement
1551 * period expire) since we last received a cell.
1552 *
1553 * Also has the side effect of rewinding the circuit time history
1554 * in the case of recent liveness changes.
1555 */
1556 int
1558 {
1561 }
1564 }
1566 /**
1567 * Returns true if we have seen more than MAX_RECENT_TIMEOUT_COUNT of
1568 * the past RECENT_CIRCUITS time out after the first hop. Used to detect
1569 * if the network connection has changed significantly, and if so,
1570 * resets our circuit build timeout to the default.
1571 *
1572 * Also resets the entire timeout history in this case and causes us
1573 * to restart the process of building test circuits and estimating a
1574 * new timeout.
1575 */
1576 STATIC int
1578 {
1585 /* how many of our recent circuits made it to the first hop but then
1586 * timed out? */
1589 }
1590 }
1592 /* If 80% of our recent circuits are timing out after the first hop,
1593 * we need to re-estimate a new initial alpha and timeout. */
1596 }
1604 }
1607 #define MAX_TIMEOUT ((int32_t) (INT32_MAX/2))
1608 /* Check to see if this has happened before. If so, double the timeout
1609 * to give clients on abysmally bad network connections a shot at access */
1618 }
1622 }
1623 #undef MAX_TIMEOUT
1628 "Your network connection speed appears to have changed. Resetting "
1631 total_build_times);
1634 }
1636 /**
1637 * Count the number of timeouts in a set of cbt data.
1638 */
1639 double
1641 {
1645 timeouts++;
1646 }
1647 }
1653 }
1655 /**
1656 * Count the number of closed circuits in a set of cbt data.
1657 */
1658 double
1660 {
1664 closed++;
1665 }
1666 }
1672 }
1674 /**
1675 * Store a timeout as a synthetic value.
1676 *
1677 * Returns true if the store was successful and we should possibly
1678 * update our timeout estimate.
1679 */
1680 int
1684 {
1689 }
1691 /* Record this force-close to help determine if the network is dead */
1694 /* Only count timeouts if network is live.. */
1697 }
1701 }
1703 /**
1704 * Update timeout counts to determine if we need to expire
1705 * our build time history due to excessive timeouts.
1706 *
1707 * We do not record any actual time values at this stage;
1708 * we are only interested in recording the fact that a timeout
1709 * happened. We record the time values via
1710 * circuit_build_times_count_close() and circuit_build_times_add_time().
1711 */
1712 void
1715 {
1720 }
1722 /* Register the fact that a timeout just occurred. */
1725 /* If there are a ton of timeouts, we should reset
1726 * the circuit build timeout. */
1728 }
1730 /**
1731 * Estimate a new timeout based on history and set our timeout
1732 * variable accordingly.
1733 */
1734 static int
1736 {
1737 build_time_t max_time;
1754 "Circuit build timeout of %dms is beyond the maximum build "
1758 }
1762 "Circuit build measurement period of %dms is more than twice "
1763 "the maximum build time we have ever observed. Capping it to "
1766 }
1768 /* Sometimes really fast guard nodes give us such a steep curve
1769 * that this ends up being not that much greater than timeout_ms.
1770 * Make it be at least 1 min to handle this case. */
1775 }
1777 /**
1778 * Exposed function to compute a new timeout. Dispatches events and
1779 * also filters out extremely high timeout values.
1780 */
1781 void
1783 {
1787 /*
1788 * Just return if we aren't using adaptive timeouts
1789 */
1801 /* This shouldn't happen because of MAX() in timeout_worker above,
1802 * but doing it just in case */
1804 }
1805 }
1813 "Based on %d circuit times, it looks like we don't need to "
1814 "wait so long for circuits to finish. We will now assume a "
1821 timeout_rate);
1824 "Based on %d circuit times, it looks like we need to wait "
1825 "longer for circuits to finish. We will now assume a "
1832 timeout_rate);
1835 "Set circuit build timeout to %lds (%fms, %fms, Xm: %d, a: %f,"
1840 }
1841 }
1843 #ifdef TOR_UNIT_TESTS
1844 /** Make a note that we're running unit tests (rather than running Tor
1845 * itself), so we avoid clobbering our state file. */
1846 void
1848 {
1850 }
1853 void
1855 {
1857 }
1859 static void
1861 buildtimeout_set_event_t type)
1862 {
1879 }
1881 /* The timeout rate is the ratio of the timeout count over
1882 * the total number of circuits attempted. The total number of
1883 * circuits is (timeouts+succeeded), since every circuit
1884 * either succeeds, or times out. "Closed" circuits are
1885 * MEASURE_TIMEOUT circuits whose measurement period expired.
1886 * All MEASURE_TIMEOUT circuits are counted in the timeouts stat
1887 * before transitioning to MEASURE_TIMEOUT (in
1888 * circuit_build_times_mark_circ_as_measurement_only()).
1889 * MEASURE_TIMEOUT circuits that succeed are *not* counted as
1890 * "succeeded". See circuit_build_times_handle_completed_hop().
1891 *
1892 * We cast the denominator
1893 * to promote it to double before the addition, to avoid int32
1894 * overflow. */
1900 }
1903 "TIMEOUT_MS=%lu XM=%lu ALPHA=%f CUTOFF_QUANTILE=%f "
1908 timeout_rate,
1910 close_rate);
1915 }