refactor: remove deprecated TxidFromString() in favour of transaction_identifier::FromHex() #30532
Conversation
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. Code CoverageFor detailed information about the code coverage, see the test coverage report. ReviewsSee the guideline for information on the review process.
If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update. |
There was a problem hiding this comment.
Concept ACK 2cad2ef
nit regarding PR summary:
Specifically, it is lacking length checks to ensure input is exactly 64 characters.
->
Specifically, it does it's best to recover from length-mismatches, recover from untrimmed whitespace, 0x-prefix and garbage at the end, instead of simply requiring exactly 64 hex-only characters.
| @@ -240,7 +235,7 @@ void CoinControlDialog::lockCoin() | |||
| if (contextMenuItem->checkState(COLUMN_CHECKBOX) == Qt::Checked) | |||
| contextMenuItem->setCheckState(COLUMN_CHECKBOX, Qt::Unchecked); | |||
|
|
|||
| COutPoint outpt(TxidFromString(contextMenuItem->data(COLUMN_ADDRESS, TxHashRole).toString().toStdString()), contextMenuItem->data(COLUMN_ADDRESS, VOutRole).toUInt()); | |||
| COutPoint outpt(Txid::FromHex(contextMenuItem->data(COLUMN_ADDRESS, TxHashRole).toString().toStdString()).value(), contextMenuItem->data(COLUMN_ADDRESS, VOutRole).toUInt()); | |||
There was a problem hiding this comment.
This will now throw std::bad_optional_access instead of.. trying to make sense of a potentially non-conforming hex string and continuing. I guess that's fair. :) Not sure on the guarantees of a valid hex-string here.
There was a problem hiding this comment.
There's no user input here, this dialog just shows coins that are already in the wallet (and thus validated), so I think this is a safe change?
There was a problem hiding this comment.
Probably safe. I clicked around a bunch in the Coin Control dialog in both tree & list nodes. Wasn't able to have the debugger detect anything that failed to parse as txid's in any of these functions except for when right-clicking the parent tree item to have the menu be shown, correctly disabling lock/unlock actions.
b6080f2 to
30c7351
Compare
|
🚧 At least one of the CI tasks failed. HintsMake sure to run all tests locally, according to the documentation. The failure may happen due to a number of reasons, for example:
Leave a comment here, if you need help tracking down a confusing failure. |
|
Force pushed to:
Thanks, updated PR description. |
src/test/uint256_tests.cpp
Outdated
| TestFromHex64Chars<uint256>(); | ||
| TestFromHex64Chars<Txid>(); | ||
| TestFromHex64Chars<Wtxid>(); |
There was a problem hiding this comment.
Very nice to see the additional coverage!
IMHO it is overkill to be testing the Txid/Wtxid clients of FromHex here.
There was a problem hiding this comment.
Would you prefer we don't test {T, Wt}xid::FromHex() at all, or in a different way? At the moment these won't catch anything as {T, Wt}xid::FromHex() is just wrapping the uint256 one, but I thought it'd be prudent to add the tests already for when the wrappers are reimplemented in the future for whatever reason, and this approach doesn't add much overhead? So, just a way to enforce the interface remains stable?
There was a problem hiding this comment.
In reply to https://github.com/bitcoin/bitcoin/pull/30532/files#r1696752519:
I'm not too worried about {T, Wt}xid::FromHex diverging in behavior. But maybe someone else can chime in to tie-break.
There was a problem hiding this comment.
Welcoming more input here, yeah. To draw a parallel: TxidFromString was also "just a wrapper".
Edit: my biggest concern with this code is actually that we're testing transaction_identifier logic in uint256 tests, but creating a header just for this seems like too much of a hassle atm.
| @@ -240,7 +235,7 @@ void CoinControlDialog::lockCoin() | |||
| if (contextMenuItem->checkState(COLUMN_CHECKBOX) == Qt::Checked) | |||
| contextMenuItem->setCheckState(COLUMN_CHECKBOX, Qt::Unchecked); | |||
|
|
|||
| COutPoint outpt(TxidFromString(contextMenuItem->data(COLUMN_ADDRESS, TxHashRole).toString().toStdString()), contextMenuItem->data(COLUMN_ADDRESS, VOutRole).toUInt()); | |||
| COutPoint outpt(Txid::FromHex(contextMenuItem->data(COLUMN_ADDRESS, TxHashRole).toString().toStdString()).value(), contextMenuItem->data(COLUMN_ADDRESS, VOutRole).toUInt()); | |||
There was a problem hiding this comment.
Probably safe. I clicked around a bunch in the Coin Control dialog in both tree & list nodes. Wasn't able to have the debugger detect anything that failed to parse as txid's in any of these functions except for when right-clicking the parent tree item to have the menu be shown, correctly disabling lock/unlock actions.
30c7351 to
24a6de3
Compare
|
Force pushed to address review comments by removing the new fuzz target and updating the existing one instead, and updating a docstring in coincontroldialog.cpp. No other changes. |
There was a problem hiding this comment.
ACK 24a6de3
Minor reservation, but not blocking: https://github.com/bitcoin/bitcoin/pull/30532/files#r1695679909
Tried to break bitcoin-qt Coin Control dialog on the previous revision (30c7351) without success and confirmed that only comments and fuzz code have changed since then.
(Passed make check).
src/test/uint256_tests.cpp
Outdated
| TestFromHex64Chars<uint256>(); | ||
| TestFromHex64Chars<Txid>(); | ||
| TestFromHex64Chars<Wtxid>(); |
There was a problem hiding this comment.
In reply to https://github.com/bitcoin/bitcoin/pull/30532/files#r1696752519:
I'm not too worried about {T, Wt}xid::FromHex diverging in behavior. But maybe someone else can chime in to tie-break.
There was a problem hiding this comment.
Only left some test-only style-nits. Feel free to ignore.
review ACK 24a6de3 🎨
Show signature
Signature:
untrusted comment: signature from minisign secret key on empty file; verify via: minisign -Vm "${path_to_any_empty_file}" -P RWTRmVTMeKV5noAMqVlsMugDDCyyTSbA3Re5AkUrhvLVln0tSaFWglOw -x "${path_to_this_whole_four_line_signature_blob}"
RUTRmVTMeKV5npGrKx1nqXCw5zeVHdtdYURB/KlyA/LMFgpNCs+SkW9a8N95d+U4AP1RJMi+krxU1A3Yux4bpwZNLvVBKy0wLgM=
trusted comment: review ACK 24a6de35857e88d968ef90cd6fbcda0003f0e3e 🎨
myhszgeXHcG4zBfV085OKVMVT0Z23g+tNmrxR3lxWUxa1Q7mYqyLKn6T29n/APMWsREgWDZ9DtN5m9mZ+ZEHDw==
| Txid txid_3{TxidFromString("0xee707be5201160e32c4fc715bec227d1aeea5940fb4295605e7373edce3b1a93")}; | ||
| Txid txid_1{Txid::FromHex("bd0f71c1d5e50589063e134fad22053cdae5ab2320db5bf5e540198b0b5a4e69").value()}; | ||
| Txid txid_2{Txid::FromHex("b4749f017444b051c44dfd2720e88f314ff94f3dd6d56d40ef65854fcd7fff6b").value()}; | ||
| Txid txid_3{Txid::FromHex("ee707be5201160e32c4fc715bec227d1aeea5940fb4295605e7373edce3b1a93").value()}; |
There was a problem hiding this comment.
style nit in the last commit: Could combine all test changes of this form into the previous test-only commit, so that similar test-only changes are grouped together?
There was a problem hiding this comment.
The reason I organized it like this was to keep TxidFromString() test coverage until the same commit it was removed, whereas WtxidFromString is a test-only function and could be safely removed beforehand. Gonna leave as is for now since I think it's quite reviewable in the current shape, too?
There was a problem hiding this comment.
Would have preferred the test changes in one commit too, but as you said, it is very reviewable already.
24a6de3 to
9113f6b
Compare
There was a problem hiding this comment.
Force-pushed to address test-only style nits, and generalizing TestFromHex() further to allow for testinguint160 too.
| Txid txid_3{TxidFromString("0xee707be5201160e32c4fc715bec227d1aeea5940fb4295605e7373edce3b1a93")}; | ||
| Txid txid_1{Txid::FromHex("bd0f71c1d5e50589063e134fad22053cdae5ab2320db5bf5e540198b0b5a4e69").value()}; | ||
| Txid txid_2{Txid::FromHex("b4749f017444b051c44dfd2720e88f314ff94f3dd6d56d40ef65854fcd7fff6b").value()}; | ||
| Txid txid_3{Txid::FromHex("ee707be5201160e32c4fc715bec227d1aeea5940fb4295605e7373edce3b1a93").value()}; |
There was a problem hiding this comment.
The reason I organized it like this was to keep TxidFromString() test coverage until the same commit it was removed, whereas WtxidFromString is a test-only function and could be safely removed beforehand. Gonna leave as is for now since I think it's quite reviewable in the current shape, too?
There was a problem hiding this comment.
lgtm. No real changes other than test fixups.
re-ACK 9113f6b 🍷
Show signature
Signature:
untrusted comment: signature from minisign secret key on empty file; verify via: minisign -Vm "${path_to_any_empty_file}" -P RWTRmVTMeKV5noAMqVlsMugDDCyyTSbA3Re5AkUrhvLVln0tSaFWglOw -x "${path_to_this_whole_four_line_signature_blob}"
RUTRmVTMeKV5npGrKx1nqXCw5zeVHdtdYURB/KlyA/LMFgpNCs+SkW9a8N95d+U4AP1RJMi+krxU1A3Yux4bpwZNLvVBKy0wLgM=
trusted comment: re-ACK 9113f6b605f9e0a3b438561837f1f4e4142ad3c7 🍷
zpDwXlcOI4l11MhTUagbDaSkMEEIAWBDTmYF6+SCff3iMIuYxOqry2UPAJrGEeZCFMmzcnvMp4iJ1MLSOdVCCA==
Simultaneously cover transaction_identifier::FromHex()
The newly introduced Wtxid::FromHex is more robust and removes the need for a WtxidFromString helper function
TxidFromString was deprecated due to missing 64-character length-check and hex-check, replace it with the more robust Txid::FromHex.
9113f6b to
f553e6d
Compare
Just as a note, the GitHub compare between A and B (or similarly, |
|
re-ACK f553e6d 🔻 Show signatureSignature: |
| void TestFromHex() | ||
| { | ||
| constexpr unsigned int num_chars{T::size() * 2}; | ||
| static_assert(num_chars <= 64); // this test needs to be modified to allow for more than 64 hex chars |
There was a problem hiding this comment.
nit: what is the purpose of the comment? Sounds like a todo, but I guess it's just a warning - which the assert already states clearly.
There was a problem hiding this comment.
it's just a brief explanation on why this assertion is here, happy to remove if you feel strongly about it but i think it's fine as is
| @@ -27,7 +28,11 @@ 10000 FUZZ_TARGET(hex) | |||
| assert(ToLower(random_hex_string) == hex_data); | |||
| } | |||
| (void)IsHexNumber(random_hex_string); | |||
| (void)uint256::FromHex(random_hex_string); | |||
| if (uint256::FromHex(random_hex_string)) { | |||
| assert(random_hex_string.length() == 64); | |||
There was a problem hiding this comment.
would it make sense to deduplicate (and therefore document) all the 64 constants used in the PR
There was a problem hiding this comment.
I'm not sure, internally we're using base_blob::size() quite a bit already but I think for this test it makes sense to hardcode 64 since this function deals with user input, so we really do want to make sure this keeps expecting 64 characters. I don't think there are any other 64 constants in this PR that would benefit from being deduplicated or documented further?
| } | ||
| { | ||
| // check that non-hex characters are not accepted | ||
| std::string invalid_chars{R"( !"#$%&'()*+,-./:;<=>?@GHIJKLMNOPQRSTUVWXYZ[\]^_`ghijklmnopqrstuvwxyz{|}~)"}; |
There was a problem hiding this comment.
nit: let's add some multi-byte unicode values here:
| std::string invalid_chars{R"( !"#$%&'()*+,-./:;<=>?@GHIJKLMNOPQRSTUVWXYZ[\]^_`ghijklmnopqrstuvwxyz{|}~)"}; | |
| std::string invalid_chars{R"( !"#$%&'()*+,-./:;<=>?@GHIJKLMNOPQRSTUVWXYZ[\]^_`ghijklmnopqrstuvwxyz{|}~ő💣)"}; |
There was a problem hiding this comment.
good idea, will add if I have to force push, thanks
There was a problem hiding this comment.
these are just nits, it's fine if we do it next time we touch it, of course
| Txid txid_3{TxidFromString("0xee707be5201160e32c4fc715bec227d1aeea5940fb4295605e7373edce3b1a93")}; | ||
| Txid txid_1{Txid::FromHex("bd0f71c1d5e50589063e134fad22053cdae5ab2320db5bf5e540198b0b5a4e69").value()}; | ||
| Txid txid_2{Txid::FromHex("b4749f017444b051c44dfd2720e88f314ff94f3dd6d56d40ef65854fcd7fff6b").value()}; | ||
| Txid txid_3{Txid::FromHex("ee707be5201160e32c4fc715bec227d1aeea5940fb4295605e7373edce3b1a93").value()}; |
There was a problem hiding this comment.
Would have preferred the test changes in one commit too, but as you said, it is very reviewable already.
| COutPoint outpt(TxidFromString(item->data(COLUMN_ADDRESS, TxHashRole).toString().toStdString()), item->data(COLUMN_ADDRESS, VOutRole).toUInt()); | ||
| if (column != COLUMN_CHECKBOX) return; | ||
| auto txid{Txid::FromHex(item->data(COLUMN_ADDRESS, TxHashRole).toString().toStdString())}; | ||
| if (txid) { // a valid txid means this is a child node, and not a parent node in tree mode |
There was a problem hiding this comment.
Just a comment: Still not sure what ends up being more readable. This, or:
if (auto txid{...}; txid) {
...
There was a problem hiding this comment.
Usually I'd have preferred the if (auto txid{...}) { approach (no need for the ; txid I think), but since we have the docstring anyway I thought the current approach was slightly more readable.
There was a problem hiding this comment.
Though of the same, both are fine with me as well
|
|
||
| #include <boost/test/unit_test.hpp> | ||
|
|
||
| #include <iomanip> | ||
| #include <sstream> | ||
| #include <string> | ||
| #include <string_view> |
There was a problem hiding this comment.
iwyu reports this include as unneeded, but it is obviously used: https://cirrus-ci.com/task/6533090686795776?logs=ci#L17964
There was a problem hiding this comment.
I made util/string.h to export them, but this may be confusing? (Should be harmless either way)
| void TestFromHex() | ||
| { | ||
| constexpr unsigned int num_chars{T::size() * 2}; | ||
| static_assert(num_chars <= 64); // this test needs to be modified to allow for more than 64 hex chars |
There was a problem hiding this comment.
it's just a brief explanation on why this assertion is here, happy to remove if you feel strongly about it but i think it's fine as is
| @@ -27,7 +28,11 @@ FUZZ_TARGET(hex) | |||
| assert(ToLower(random_hex_string) == hex_data); | |||
| } | |||
| (void)IsHexNumber(random_hex_string); | |||
| (void)uint256::FromHex(random_hex_string); | |||
| if (uint256::FromHex(random_hex_string)) { | |||
| assert(random_hex_string.length() == 64); | |||
There was a problem hiding this comment.
I'm not sure, internally we're using base_blob::size() quite a bit already but I think for this test it makes sense to hardcode 64 since this function deals with user input, so we really do want to make sure this keeps expecting 64 characters. I don't think there are any other 64 constants in this PR that would benefit from being deduplicated or documented further?
| } | ||
| { | ||
| // check that non-hex characters are not accepted | ||
| std::string invalid_chars{R"( !"#$%&'()*+,-./:;<=>?@GHIJKLMNOPQRSTUVWXYZ[\]^_`ghijklmnopqrstuvwxyz{|}~)"}; |
There was a problem hiding this comment.
good idea, will add if I have to force push, thanks
| COutPoint outpt(TxidFromString(item->data(COLUMN_ADDRESS, TxHashRole).toString().toStdString()), item->data(COLUMN_ADDRESS, VOutRole).toUInt()); | ||
| if (column != COLUMN_CHECKBOX) return; | ||
| auto txid{Txid::FromHex(item->data(COLUMN_ADDRESS, TxHashRole).toString().toStdString())}; | ||
| if (txid) { // a valid txid means this is a child node, and not a parent node in tree mode |
There was a problem hiding this comment.
Usually I'd have preferred the if (auto txid{...}) { approach (no need for the ; txid I think), but since we have the docstring anyway I thought the current approach was slightly more readable.
18d65d2 test: use uint256::FromUserHex for RANDOM_CTX_SEED (stickies-v) 6819e5a node: use uint256::FromUserHex for -assumevalid parsing (stickies-v) 2e58fdb util: remove unused IsHexNumber (stickies-v) 8a44d7d node: use uint256::FromUserHex for -minimumchainwork parsing (stickies-v) 70e2c87 refactor: add uint256::FromUserHex helper (stickies-v) 85b7cbf test: unittest chainstatemanager_args (stickies-v) Pull request description: Since fad2991, `uint256S` has been [deprecated](fad2991#diff-800776e2dda39116e889839f69409571a5d397de048a141da7e4003bc099e3e2R138) because it is less robust than the `base_blob::FromHex()` introduced in [the same PR](#30482). Specifically, it tries to recover from length-mismatches, recover from untrimmed whitespace, 0x-prefix and garbage at the end, instead of simply requiring exactly 64 hex-only characters. _(see also #30532)_ This PR carves out the few `uint256S` callsites that may potentially prove a bit more controversial to change because they deal with user input and backwards incompatible behaviour change. The main behaviour change introduced in this PR is: - `-minimumchainwork` will raise an error when input is longer than 64 hex digits - `-assumevalid` will raise an error when input contains invalid hex characters, or when it is longer than 64 hex digits - test: the optional RANDOM_CTX_SEED env var will now cause tests to abort when it contains invalid hex characters, or when it is longer than 64 hex digits After this PR, the remaining work to remove `uint256S` completely is almost entirely mechanical and/or test related. I will open that PR once #30560 is merged because it builds on that. ACKs for top commit: hodlinator: re-ACK 18d65d2 l0rinc: ACK 18d65d2 achow101: ACK 18d65d2 ryanofsky: Code review ACK 18d65d2. Very nice change that cleans up the API, adds checking for invalid values, makes parsing of values more consistent, and adds test coverage. Tree-SHA512: ec118ea3d56e1dfbc4c79acdbfc797f65c4d2107b0ca9577c848b4ab9b7cb8d05db9f3c7fe8441a09291aca41bf671572431f4eddc59be8fb53abbea76bbbf86
8756ccd scripted-diff: Replace ParseHex[<std::byte>]("str") -> "str"_hex[_u8] (Hodlinator) 9cb6873 refactor: Prepare for ParseHex -> ""_hex scripted-diff (Hodlinator) 50bc017 refactor: Hand-replace some ParseHex -> ""_hex (Hodlinator) 5b74a84 util: Add consteval ""_hex[_v][_u8] literals (l0rinc) dc5f6f6 test refactor: util_tests - parse_hex clean up (Hodlinator) 2b5e6ef refactor: Make XOnlyPubKey tolerate constexpr std::arrays (Hodlinator) 403d86f refactor: vector -> span in CCrypter (Hodlinator) bd0830b refactor: de-Hungarianize CCrypter (Hodlinator) d99c816 refactor: Improve CCrypter related lines (Hodlinator) 7e1d9a8 refactor: Enforce lowercase hex digits for consteval uint256 (Hodlinator) Pull request description: Motivation: * Validates and converts the hex string into bytes at compile time instead of at runtime like `ParseHex()`. * Eliminates runtime dependencies: #30377 (comment), #30048 (comment) * Has stricter requirements than `ParseHex()` (disallows whitespace and uppercase hex digits) and replaces it in a bunch of places. * Makes it possible to derive other compile time constants. * Minor: should shave off a few runtime CPU cycles. `""_hex` produces `std::array<std::byte>` as the momentum in the codebase is to use `std::byte` over `uint8_t`. Also makes `uint256` hex string constructor disallow uppercase hex digits. Discussed: #30560 (comment) Surprisingly does not change the size of the Guix **bitcoind** binary (on x86_64-linux-gnu) by 1 single byte. Spawned already merged PRs: #30436, #30482, #30532, #30560. ACKs for top commit: l0rinc: ACK 8756ccd stickies-v: Rebase re-ACK 8756ccd, no changes since a096215 ryanofsky: Code review ACK 8756ccd, just rebasing since last review and taking advantage of CScript constructors in #29369, also tweaking a code comment Tree-SHA512: 9b2011b7c37e0ef004c669f8601270a214b388916316458370f5902c79c2856790b1b2c7c123efa65decad04886ab5eff95644301e0d84358bb265cf1f8ec195
43cd83b test: move uint256_tests/operator_with_self to arith_uint256_tests (stickies-v) c6c994c test: remove test-only uint160S (stickies-v) 62cc465 test: remove test-only uint256S (stickies-v) adc00ad test: remove test-only arith_uint256S (stickies-v) f51b237 refactor: rpc: use uint256::FromHex for ParseHashV (stickies-v) Pull request description: _Continuation of #30569._ Since fad2991, `uint256S()` has been [deprecated](fad2991#diff-800776e2dda39116e889839f69409571a5d397de048a141da7e4003bc099e3e2R138) because it is less robust than the `base_blob::FromHex()` introduced in #30482. Specifically, it tries to recover from length-mismatches, recover from untrimmed whitespace, 0x-prefix and garbage at the end, instead of simply requiring exactly 64 hex-only characters. (see also #30532) This PR removes `uint256S()` (and `uint160S()`) completely, with no non-test behaviour change. Specifically, the main changes in this PR are: - the (minimal) last non-test usage of `uint256S()` in `ParseHashV()` is removed without behaviour change, which can partially be verified by cherry-picking and/or modifying [this test commit](stickies-v@1f2b0fa)). - the test usage of `uint{160,256}S()` is removed, largely replacing it with `uint{160,256}::FromHex()` where applicable, potentially modifying the test by removing non-hex characters or dropping the test entirely if removing non-hex characters makes it redundant - the now unused `uint{160,256}S()` functions are removed completely. - unit test coverage on converting `uint256` <-> `arith_uint256` through `UintToArith256()` and `ArithToUint256()` is beefed up, and `arith_uint256` tests are moved to `arith_uint256_tests.cpp`, removing the `uint256_tests.cpp` dependency on `uint256h`, mirroring how the code is structured. _Note: `uint256::FromUserHex()` exists to more leniently construct uint256 from user input, allowing "0x" prefixes and too-short-input, as safer alternative to `uint256S()` where necessary._ ACKs for top commit: l0rinc: reACK 43cd83b hodlinator: re-ACK 43cd83b ryanofsky: Code review ACK 43cd83b. Only code change is a small refactoring which looks good. The rest of the PR is all test changes, which I only lightly reviewed, but seem to be positive and do what's described Tree-SHA512: 48147a4c6af671597df0f72c1b477ae4631cd2cae4645ec54d0e327611ff302c9899e344518c81242cdde82930f6ad23a3a7e6e0b80671816e9f457b9de90a5c
Since fab6ddb,
TxidFromString()has been deprecated because it is less robust than thetransaction_identifier::FromHex()introduced in the same PR. Specifically, it tries to recover from length-mismatches, recover from untrimmed whitespace, 0x-prefix and garbage at the end, instead of simply requiring exactly 64 hex-only characters.In this PR,
TxidFromStringis removed completely to clean up the code and prevent further unsafe usage. Unit and fuzz test coverage onuint256::FromHex()and functions that wrap it is increased.Note:
TxidFromSringallowed users to prefix strings with "0x", this is no longer allowed fortransaction_identifier::FromHex(), so a helper function for input validation may prove helpful in the future (this overlaps with theuint256::uint256S()vsuint256::FromHex()future cleanup). It is not relevant to this PR, though, besides the fact that this unused (except for in tests) functionality is removed.The only users of
TxidFromStringare:test, where it is straightforward to drop in the newFromHex()methods without much further concernqtcoincontrol. There is no need for input validation here, but txids are not guaranteed to be 64 characters. This is already handled by the existing code, so again, usingFromHex()here seems quite straightforward.Addresses @maflcko's suggestion: #30482 (comment)
Also removes
WtxidFromString(), which is a test-only helper function.Testing GUI changes
To test the GUI coincontrol affected lines,
regtestis probably the easiest way to quickly get some test coins, you can use e.g.