Check for jumping clock in *format_*stats functions

None of these were real bugs (yet), because the callers made sure
everything was fine. Make it more explicit. Suggested by Nick

src/or/geoip.c

@@ -976,7 +976,8 @@ geoip_dirreq_stats_term(void)
 }
 
 /** Return a newly allocated string containing the dirreq statistics
- * until <b>now</b>, or NULL if we're not collecting dirreq stats. */
+ * until <b>now</b>, or NULL if we're not collecting dirreq stats. Caller
+ * must ensure start_of_dirreq_stats_interval is in the past. */
 char *
 geoip_format_dirreq_stats(time_t now)
 {
@@ -992,6 +993,8 @@ geoip_format_dirreq_stats(time_t now)
   if (!start_of_dirreq_stats_interval)
     return NULL; /* Not initialized. */
 
+  tor_assert(now >= start_of_dirreq_stats_interval);
+
   format_iso_time(t, now);
   v2_ips_string = geoip_get_client_history(GEOIP_CLIENT_NETWORKSTATUS_V2);
   v3_ips_string = geoip_get_client_history(GEOIP_CLIENT_NETWORKSTATUS);
@@ -1351,7 +1354,8 @@ geoip_entry_stats_term(void)
 }
 
 /** Return a newly allocated string containing the entry statistics
- * until <b>now</b>, or NULL if we're not collecting entry stats. */
+ * until <b>now</b>, or NULL if we're not collecting entry stats. Caller
+ * must ensure start_of_entry_stats_interval lies in the past. */
 char *
 geoip_format_entry_stats(time_t now)
 {
@@ -1362,6 +1366,8 @@ geoip_format_entry_stats(time_t now)
   if (!start_of_entry_stats_interval)
     return NULL; /* Not initialized. */
 
+  tor_assert(now >= start_of_entry_stats_interval);
+
   data = geoip_get_client_history(GEOIP_CLIENT_CONNECT);
   format_iso_time(t, now);
   tor_asprintf(&result, "entry-stats-end %s (%u s)\nentry-ips %s\n",

src/or/rephist.c

@@ -2114,7 +2114,8 @@ _compare_int(const void *x, const void *y)
 }
 
 /** Return a newly allocated string containing the exit port statistics
- * until <b>now</b>, or NULL if we're not collecting exit stats. */
+ * until <b>now</b>, or NULL if we're not collecting exit stats. Caller
+ * must ensure start_of_exit_stats_interval is in the past. */
 char *
 rep_hist_format_exit_stats(time_t now)
 {
@@ -2133,6 +2134,8 @@ rep_hist_format_exit_stats(time_t now)
   if (!start_of_exit_stats_interval)
     return NULL; /* Not initialized. */
 
+  tor_assert(now >= start_of_exit_stats_interval);
+
   /* Go through all ports to find the n ports that saw most written and
    * read bytes.
    *
@@ -2456,7 +2459,8 @@ rep_hist_reset_buffer_stats(time_t now)
 }
 
 /** Return a newly allocated string containing the buffer statistics until
- * <b>now</b>, or NULL if we're not collecting buffer stats. */
+ * <b>now</b>, or NULL if we're not collecting buffer stats. Caller must
+ * ensure start_of_buffer_stats_interval is in the past. */
 char *
 rep_hist_format_buffer_stats(time_t now)
 {
@@ -2475,6 +2479,8 @@ rep_hist_format_buffer_stats(time_t now)
   if (!start_of_buffer_stats_interval)
     return NULL; /* Not initialized. */
 
+  tor_assert(now >= start_of_buffer_stats_interval);
+
   /* Calculate deciles if we saw at least one circuit. */
   memset(processed_cells, 0, SHARES * sizeof(int));
   memset(circs_in_share, 0, SHARES * sizeof(int));
@@ -2874,7 +2880,8 @@ rep_hist_note_or_conn_bytes(uint64_t conn_id, size_t num_read,
 }
 
 /** Return a newly allocated string containing the connection statistics
- * until <b>now</b>, or NULL if we're not collecting conn stats. */
+ * until <b>now</b>, or NULL if we're not collecting conn stats. Caller must
+ * ensure start_of_conn_stats_interval is in the past. */
 char *
 rep_hist_format_conn_stats(time_t now)
 {
@@ -2883,6 +2890,8 @@ rep_hist_format_conn_stats(time_t now)
   if (!start_of_conn_stats_interval)
     return NULL; /* Not initialized. */
 
+  tor_assert(now >= start_of_conn_stats_interval);
+
   format_iso_time(written, now);
   tor_asprintf(&result, "conn-bi-direct %s (%d s) %d,%d,%d,%d\n",
                written,