Prevent allocator underflow

[hannahhoward]

Goals

Address scenario that could cause an underflow in the allocator (leading to total allocated
being very high)

The scenario is:

• peer 1 allocates block amount x
• peer 2 allocates block amount y >= 1
• peer 1 call to deallocate block amount x+1 (this shouldn't happen somehow it does). We protect against peer 1 allocation going below zero by setting it to 0, but the global total is now : y-1 (x+y - (x+1))
• peer 2 deallocates entirely. total is now -1 (no check of total allocated >= 0 after peer deallocation). on unsigned int this becomes MaxUint64

Implementation

• Add test to demonstrate issues
• Add precautionary check on peer deallocations to prevent underflow
• When deallocating blocks that are greater than total peer memory, only subtract total peer memory from global total, since that's what is actually deallocated
• Add logging to all these unusual scenarios to try to understand how often they are happening

[rvagg]

peer 1 call to deallocate block amount x+1 (this shouldn't happen somehow it does).

So we still have a persistent bug in here somewhere and should be on the lookout for causes? Are we confident this is happening from the data we're getting from live use?