The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• fuzz: Add UBSan suppressions needed for fuzz tests to not warn under -fsanitize=integer #21000 (fuzz: Add UBSan suppressions needed for fuzz tests to not warn under -fsanitize=integer by practicalswift)
• Add I2P support using I2P SAM #20685 (Add I2P support using I2P SAM by vasild)
• refactor: replace (sizeof(a)/sizeof(a[0])) with C++17 std::size #20429 (refactor: replace (sizeof(a)/sizeof(a[0])) with C++17 std::size by theStack)
• net: fix GetListenPort() to derive the proper port #20196 (net: fix GetListenPort() to derive the proper port by vasild)
• refactor: Cleanup thread ctor calls #19064 (refactor: Cleanup thread ctor calls by hebasto)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

Concept ACK.

Concept:

Concept ACK - thanks for working on this!

Implementation:

Some comments after first read-through of the implementation:

1. Uninitialized read in case of invalid command name

In the "Invalid command name" case then a read (and use) of the uninitialized variable size_or_shortid will take place on L808:

Shameless plug: For those interested in killing the uninitialised read bug class, consider reviewing:

• tests: Add "make check-valgrind" to run the unit tests under Valgrind #17639 – tests: Add make check-valgrind to run the unit tests under Valgrind
• build: Enable Clang's -Wconditional-uninitialized to warn on potential uninitialized reads #17895 – build: Enable Clang's -Wconditional-uninitialized to warn on potential uninitialized reads

2. Use of a locale dependent formatting function itostr(…)

itostr is used here:

itostr calls strprintf which calls tfm::format (tinyformat) which uses the standard C++ formatting stringstream interface which is locale dependent.

Shameless plug: For those interested in permanently killing the locale dependency bug class, consider reviewing:

• init: Clarify C and C++ locale assumptions. Add locale sanity checks to verify assumptions at run-time. #18124 – init: Clarify C and C++ locale assumptions. Add locale sanity checks to verify assumptions at run-time
• tests: Add fuzzing harness testing the locale independence of the strencodings.h functions #18126 – tests: Add fuzzing harness testing the locale independence of the strencodings.h functions
• qt: Kill the locale dependency bug class by not allowing Qt to mess with LC_NUMERIC #18147 – qt: Kill the locale dependency bug class by not allowing Qt to mess with LC_NUMERIC

3. std::exception vs expected std::ios_base::failure

A question: I notice that std::exception is guarded against instead of the expected std::ios_base::failure in case of deserialization errors throughout this PR. Is it intentional? :)

It is somewhat related to another deserialization-exception anomaly I mailed you about back in October last year:

When fuzzing some deserialization code I noticed that `CExtKey::Unserialize(...)`
and `CExtPubKey::(...)` throw `std::runtime_error` instead of the
`std::ios_base::failure` I expected in case of deserialization errors.

I saw that this code was written by you originally: do you remember if there
was a particular reason to go with `std::runtime_error` instead of
`std::ios_base::failure`? If not, do you think it would be safe to change it? :)

The commits in question:
* https://github.com/bitcoin/bitcoin/commit/07685d1bc1b0b815c00a68a5b7b335ffa0d4d90d
* https://github.com/bitcoin/bitcoin/commit/90604f16af63ec066d6561337f476ccd8acec326

These deviations from the expectedstd::ios_base::failure puzzle me - are they intentional, and if so why? I want to learn :)

Very nice to see that the V2TransportDeserializer is fuzzed already from birth! I hope that fuzz testing will be as natural as unit testing when introducing security critical code in the future. Kudos for taking care of it here!

A small comment regarding the fuzzer:

I think the assertion …

assert(msg.m_raw_message_size == CMessageHeader::HEADER_SIZE + msg.m_message_size);

… in the fuzzing harness is guaranteed to hold for V1TransportDeserializer but not for V2TransportDeserializer.

Could that be the case? :)

Add "Waiting for author" tag? :)

Thanks @practicalswift for the review. I tried to fix the exception handling as well as uninitialised read. I also fixed the invalid fuzzing assertion (for V2).

I'm unsure about the locale dependent formatting. What would you recommend instead of itotsr?

@jonasschnelli

I'm unsure about the locale dependent formatting. What would you recommend instead of itotsr?

I recommend ToString(…) (util/string.h) :)

@PastaPastaPasta Worth mentioning for future reviews: we use clang-format in the project so the 11 specific whitespace review comments could be simplified to a one general review comment "Nit: Please use clang-format-diff.py on this diff" :)

Thanks @PastaPastaPasta and @practicalswift. Applied clang-format now.

🐙 This pull request conflicts with the target branch and needs rebase.

_{Want to unsubscribe from rebase notifications on this pull request? Just convert this pull request to a "draft".}

My understanding is that someone else is helping with / taking over these changes, and that the BIP is still being overhauled.
I think we'll be better off with new PRs, and clean discussion when work on the implementation resumes in this repo.
Changes from here are be cherry-picked if / when needed. So I'm going to close this PR for now.

FWIW, I reviewed this repeatedly, hosted a review club meeting on BIP324 (https://bitcoincore.reviews/16202), and proposed a few times to @jonasschnelli to help move this forward. The reply was that help wasn't needed. So I am curious when that changed and who is helping with it, as little seems to be happening?

The BIP overhaul has been ongoing for a long time, and recently @dhruv has taken it over in https://gist.github.com/dhruv/5b1275751bc98f3b64bcafce7876b489.

Thanks for the update, @fanquake.

This PR is superseded by #23233 which is ready for review. I've tried to go over the comment history here and address anything that's wasn't previously.