policy: Remove unused locktime flags #24080
Conversation
|
Please don't review yet. This happens to compile, but depends on #24067 to be safe. |
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
902e4aa to
f5fa07c
Compare
f5fa07c to
fa17b37
Compare
This checks finality at the current Tip, so clarify this in its name.
-BEGIN VERIFY SCRIPT-
ren() { sed -i "s/\<$1\>/$2/g" $( git grep -l "$1" ./src/ ) ; }
ren CheckSequenceLocks CheckSequenceLocksAtTip
ren CheckFinalTx CheckFinalTxAtTip
-END VERIFY SCRIPT-
fa17b37 to
fa8d4d9
Compare
|
Concept ACK |
|
ACK fa8d4d9 I split up the first commit quite a bit to see what was going on; branch is here in case that makes anyone else's review easier. I didn't notice all the Bit surprised at calling them "policy" functions -- finality is a consensus question; but this does impact the mempool, and when we generate blocks from the mempool we check finality again there too. |
I call them policy, because they don't affect the validity of blocks. They can at most affect validitity of txs added to the mempool. |
Sorry, I didn't word that very well. Let me start again from scratch, since I want to add something anyway. My concern was that these functions might be consensus critical, in that if you don't check that they're correct when you put transactions into the mempool, you might then see them in the mempool and populate a block template with them, and after mining the block discover that the block is consensus invalid. (Hopefully that logic is obvious, as far as it goes!) However, I was thinking that that turns out to be okay because But, looking again, as far as I can see, So I think that means (EDIT: this isn't invalidating my ACK, just critiquing the comment in the header, and checking my understanding of what's going on) |
|
I think this is true for any mempool logic. If priority had a bug to allow txs with negative fee into the mempool, it would also kill the miner. Not sure what to do now. I can replace "policy" with "mempool" in the pull request subject line? |
I'd call it a consensus bug if we accepted a tx with negative fee into the mempool (and certainly a consensus bug if that tx then made it into a block template). Some parts of mempool acceptance are consensus critical, because we don't re-check them when accepting a block; some parts are consensus critical because we don't re-check them when generating a block; in my opinion, "policy" is any remaining things that wouldn't result in an invalid block being generated/accepted. At the moment, as I understand it, CheckFinalTx is just policy, but CheckSequenceLocks is consensus critical at least when generating blocks?
I don't think anything needs to be done right now. Could consider adding a |
Is it insufficient to be using Line 170 in 25d045a
Line 2167 in 25d045a |
In so far as you want getblocktemplate to give you something you can mine, rather than an error, yeah? (Better than giving an invalid template and not discovering until after you've mined an otherwise valid block though) |
There was a problem hiding this comment.
ACK fa8d4d9, agree the default arg flags is a massive footgun and just setting max flags is weird. Adding AtTip to the names makes sense to me, since they're both testing for next block and only ever used for {,re}addition to mempool.
Oh okay I see what you're saying, yes, it will catch an invalid template but won't give you a valid one. I actually don't know what the next step would be if you're a miner and have generated an invalid template because there's an invalid transaction in the mempool. I guess you need to delete mempool.dat and restart (and hopefully file a bug report). Or you could |
|
Changed back to "validation" from "policy" in follow-up #24564 |
|
Yeah, it's a pretty bad bug if |
fa8d4d9 scripted-diff: Clarify CheckFinalTxAtTip name (MarcoFalke) fa4e30b policy: Remove unused locktime flags (MarcoFalke) Pull request description: The locktime flags have many issues: * They are passed in by a default argument, which is fragile. It has already lead to bugs like the one fixed in commit e30b6ea. * They are negative (signed), which doesn't make sense for flags (unsigned in general). According to the review comments when the code was added: "The max on the flags is a fairly weird operation." (bitcoin#6566 (comment)) * No call site relies on the default argument and they all pass in a single compile-time constant, rendering most of the code dead and untested. * The dead code calls `GetAdjustedTime` (network adjusted time), which has its own issues. See bitcoin#4521 Fix all issues by removing them ACKs for top commit: ajtowns: ACK fa8d4d9 theStack: Code-review ACK fa8d4d9 glozow: ACK fa8d4d9, agree the default arg `flags` is a massive footgun and just setting max flags is weird. Adding `AtTip` to the names makes sense to me, since they're both testing for *next* block and only ever used for {,re}addition to mempool. Tree-SHA512: 79f4a52f34909eb598d88bbae7afe8abe5f85f45c128483d16aa83dacd0e5579e561b725d01b1e9a931d1821012a51ad2bc6fb2867f8d09ee541f9d234d696f8
fa1fe2e Remove LOCKTIME_MEDIAN_TIME_PAST constant (MarcoFalke) Pull request description: The constant is exposed in policy code, which doesn't make sense: * Wallet and mempool need to assume the flag to be always active to function properly. * Setting (or unsetting) the flag has no effect on policy code. The constant is only used in `ContextualCheckBlock` (consensus code) to set a flag and then read the flag again. I think this can be better achieved by using a `bool`. If there is a need to use a flag in the future, it will be trivial to do so then. (The previous use for the constant was removed in df562d6) ACKs for top commit: Sjors: utACK fa1fe2e glozow: code review ACK fa1fe2e, AFAICT this is safe and makes sense as `SequenceLocks` doesn't use it, wallet/ATMP no longer need it since #24080, and `ContextualCheckBlock` effectively uses it as a roundabout boolean. instagibbs: utACK fa1fe2e Tree-SHA512: de1972498c545d608a09630d77d8c7e38ed50a6ec40d6c0d720310a1647ed5b48b4ace0078c80db10e7f97aacc552fffae251fe3256e9a19a908b933ba2dc552
fa1fe2e Remove LOCKTIME_MEDIAN_TIME_PAST constant (MarcoFalke) Pull request description: The constant is exposed in policy code, which doesn't make sense: * Wallet and mempool need to assume the flag to be always active to function properly. * Setting (or unsetting) the flag has no effect on policy code. The constant is only used in `ContextualCheckBlock` (consensus code) to set a flag and then read the flag again. I think this can be better achieved by using a `bool`. If there is a need to use a flag in the future, it will be trivial to do so then. (The previous use for the constant was removed in df562d6) ACKs for top commit: Sjors: utACK fa1fe2e glozow: code review ACK fa1fe2e, AFAICT this is safe and makes sense as `SequenceLocks` doesn't use it, wallet/ATMP no longer need it since bitcoin#24080, and `ContextualCheckBlock` effectively uses it as a roundabout boolean. instagibbs: utACK fa1fe2e Tree-SHA512: de1972498c545d608a09630d77d8c7e38ed50a6ec40d6c0d720310a1647ed5b48b4ace0078c80db10e7f97aacc552fffae251fe3256e9a19a908b933ba2dc552
…on function fa86710 Clarify that CheckSequenceLocksAtTip is a validation function (MarcoFalke) Pull request description: It has been pointed out that a bug in this function can prevent block template creation. ( #24080 (comment) ) So it seems that the scope of this function is more than "policy". Rename it back to "validation", to partially revert commit fa4e30b. ACKs for top commit: ajtowns: ACK fa86710 - looks fine to me glozow: ACK fa86710 Tree-SHA512: 2e0df8c70df4cbea857977f140a8616cfa7505e74df66c9c9fbcf184670ce3ce7567183c3f76e6f3fe8ca6de0e065b9babde6352d6cb495e71ea077ddedbc3f4
…alidation function fa86710 Clarify that CheckSequenceLocksAtTip is a validation function (MarcoFalke) Pull request description: It has been pointed out that a bug in this function can prevent block template creation. ( bitcoin#24080 (comment) ) So it seems that the scope of this function is more than "policy". Rename it back to "validation", to partially revert commit fa4e30b. ACKs for top commit: ajtowns: ACK fa86710 - looks fine to me glozow: ACK fa86710 Tree-SHA512: 2e0df8c70df4cbea857977f140a8616cfa7505e74df66c9c9fbcf184670ce3ce7567183c3f76e6f3fe8ca6de0e065b9babde6352d6cb495e71ea077ddedbc3f4
Summary:
```
The locktime flags have many issues:
They are passed in by a default argument, which is fragile. It has already lead to bugs like the one fixed in commit e30b6ea.
They are negative (signed), which doesn't make sense for flags (unsigned in general). According to the review comments when the code was added: "The max on the flags is a fairly weird operation." (
BIP-113: Mempool-only median time-past as endpoint for lock-time calculations #6566 (comment))
No call site relies on the default argument and they all pass in a single compile-time constant, rendering most of the code dead and untested.
The dead code calls GetAdjustedTime (network adjusted time), which has its own issues. See
AddTimeData will never update nTimeOffset past 199 samples #4521
Fix all issues by removing them
```
Backport of [[bitcoin/bitcoin#24080 | core#24080]].
Depends on D12949 and D12950.
Test Plan:
ninja all check-all
Reviewers: #bitcoin_abc, sdulfari
Reviewed By: #bitcoin_abc, sdulfari
Subscribers: sdulfari
Differential Revision: https://reviews.bitcoinabc.org/D12951
The locktime flags have many issues:
GetAdjustedTime(network adjusted time), which has its own issues. See AddTimeData will never update nTimeOffset past 199 samples #4521Fix all issues by removing them