This is a new implementation of the incremental merkle tree used by our
scheme to witness commitments to spendable value. It serves as a fixed-sized
accumulator.
This new construction has a much simpler API surface area, avoids memory
safety issues, remains pruned at all times, avoids serialization edge cases,
has more efficient insertion, and is abstract over the depth and hash
function used at the type level.
Further, it lays the groundwork for efficient "fast-forwarding" of witnesses
into the tree as the treestate is updated.
After a new block is found or after a few nonces have been tried (currently
after every nonce), the miner checks for global changes. If any of these are
triggered, a new block is built from scratch, which re-initialises the Equihash
input. But if none of the checks are triggered, the miner just updates nTime and
continues mining - without updating the Equihash input to account for the new
block header. This bugfix corrects the behaviour by regenerating the Equihash
input in both situations.
Automated performance measurement
Supersedes #843 because that one would have merged into the wrong branch. (Oh yeah and I rebased).
**REBASED AND FORCE PUSHED**
All blocks before the first subsidy halving block, with the exception of
the genesis block, must contain an output which sends 20% of the block
subsidy value to a scriptPubKey `FOUNDERS_REWARD_SCRIPT`.
Changing the order of difficulty calculation operations to divide first doesn't
affect the result significantly, but ensures we never overflow the arith_uint256
during multiplication and get an artificial jump in difficulty.
Changes to bloom tests were done by running the following commands:
sed -i 's/\(CDataStream stream(ParseHex(".\{152\}\)\(.\{8\}\)/\100000000000000000000000000000000000000000000000000000000\200/' src/test/bloom_tests.cpp
sed -i 's/\(vector<unsigned char> vch = ParseHex(".\{152\}\)\(.\{8\}\)/\100000000000000000000000000000000000000000000000000000000\200/' src/test/bloom_tests.cpp
and then reverting the single change to the transaction line.
The main and test networks are configured to use parameters that are currently
low-memory but usable with the basic solver; they will be increased once the
solver is optimised. The regtest network is configured to have extremely low
memory usage for speed.
Note that Bitcoin's double-hasher is used for the difficulty check. This does
not match the paper, but is simpler than changing the block header
serialization. Single hashing is kept for the EquiHash solver because there is
no requirement on execution time there, only on memory usage.
Some specifics on consensus changes:
* Transactions must be anchored to a real anchor in the chain.
* Anchors are pushed and popped during ConnectBlock/DisconnectBlock as appropriate.
* DisconnectTip triggers evictions, under some circumstances, of transactions in the
mempool which are anchored to roots that are no longer valid.
* Commitments append to the tree at the current best root during ConnectBlock.
* PourTxs cannot appear in coinbase transactions.
* Transactions can only contain empty vin/vouts if they contain a PourTx.
* PourTx public values must be well-formed (not negative or too large).
* Transactions cannot have the same serial twice throughout all PourTxs.
Transactions of version 2 and above contain a `vpour` field which is a vector of `CPourTx`
objects that embody our protocol. We introduce serialization primitives for boost::array
(we intend for changing the amount of inputs and outputs in the circuit to be simple).
SIGHASH_* operations hash this field like any other for now.
Previously, the undo weren't being flushed during a reindex because
fKnown was set to true in FindBlockPos. That is the correct behaviour
for block files as they aren't being touched, but undo files are
touched.
This changes the behaviour to always flush when switching to a new file
(even for block files, though that isn't really necessary).
Rebased-From: 22e780737db57bcb18b3824eb8158e19a4775cb6
Github-Pull: #6948
af6edac *: alias -h for --help (Daniel Cousens)
131d7f9 Change URLs to https in debian/control (Matt Corallo)
7ce2c91 Update debian/changelog and slight tweak to debian/control (Matt Corallo)
4fbfebe Correct spelling mistakes in doc folder (Mitchell Cash)
e42bf16 Clarification of unit test build instructions. (Eric Lombrozo)
54f9dee Update bluematt-key, the old one is long-since revoked (Matt Corallo)
bfc6154 [Trivial] Fixed typo when referring to a previous section in depends/README.md [skip ci] (Chris Kleeschulte)
9e45157 build: disable -Wself-assign (Wladimir J. van der Laan)
33d6825 Bugfix: Allow mining on top of old tip blocks for testnet (fixes testnet-in-a-box use case) (Luke Dashjr)
87a797a build: Remove dependency of bitcoin-cli on secp256k1 (Wladimir J. van der Laan)
a33cd5b [trivial] Fix rpc message "help generate" (MarcoFalke)
6fd0019 Drop "with minimal dependencies" from description (Zak Wilcox)
2394f4d Split bitcoin-tx into its own package (Zak Wilcox)
1e672ae Include bitcoin-tx binary on Debian/Ubuntu (Zak Wilcox)
b3eaa30 [Qt] Raise debug window when requested (MarcoFalke)
01878c9 Fix locking in GetTransaction. (Alex Morcos)
9b9acc2 Fix spelling of Qt (Diego Viola)
f720c5f Enable policy enforcing GetMedianTimePast as the end point of lock-time constraints (Mark Friedenbach)
a1d3c6f Add rules--presently disabled--for using GetMedianTimePast as endpoint for lock-time calculations (Mark Friedenbach)
Transactions are not allowed in the memory pool or selected for inclusion in a block until their lock times exceed chainActive.Tip()->GetMedianTimePast(). However blocks including transactions which are only mature under the old rules are still accepted; this is *not* the soft-fork required to actually rely on the new constraint in production.
The lock-time code currently uses CBlock::nTime as the cutoff point for time based locked transactions. This has the unfortunate outcome of creating a perverse incentive for miners to lie about the time of a block in order to collect more fees by including transactions that by wall clock determination have not yet matured. By using CBlockIndex::GetMedianTimePast from the prior block instead, the self-interested miner no longer gains from generating blocks with fraudulent timestamps. Users can compensate for this change by simply adding an hour (3600 seconds) to their time-based lock times.
If enforced, this would be a soft-fork change. This commit only adds the functionality on an unexecuted code path, without changing the behaviour of Bitcoin Core.
6af25b0 Add BIP65 to getblockchaininfo softforks list (Peter Todd)
ba1da90 Show softfork status in getblockchaininfo (Wladimir J. van der Laan)
70a427b CLTV: Add more tests to improve coverage (Esteban Ordano)
c5a27f4 Add RPC tests for the CHECKLOCKTIMEVERIFY (BIP65) soft-fork (Peter Todd)
5e82e1c Add CHECKLOCKTIMEVERIFY (BIP65) soft-fork logic (Peter Todd)
6ea5ca4 Enable CHECKLOCKTIMEVERIFY as a standard script verify flag (Peter Todd)
4fa7a04 Replace NOP2 with CHECKLOCKTIMEVERIFY (BIP65) (Peter Todd)
6ec08db Move LOCKTIME_THRESHOLD to src/script/script.h (Peter Todd)
684636b Make CScriptNum() take nMaxNumSize as an argument (Peter Todd)
Nagle appears to be a significant contributor to latency now that the static
sleeps are gone. Most of our messages are relatively large compared to
IP + TCP so I do not expect this to create enormous overhead.
This may also reduce traffic burstyness somewhat.
Conflicts:
src/net.cpp
Rebased-From: a4e28b3d1e5c95eb0c87f144851cd65048c3e0bc
Github-Pull: #6867
* Raise the debug window when hidden behind other windows
* Switch to the debug window when on another virtual desktop
* Show the debug window when minimized
This change is a conceptual copy of 5ffaaba and 382e9e2
GetTransaction needs to lock cs_main until ReadBlockFromDisk completes, the data inside CBlockIndex's can change since pruning. This lock was held by all calls to GetTransaction except rest_tx.
To bridge the time until a dynamic method for determining this fee is
merged.
This is especially aimed at the stable releases (0.10, 0.11) because
full mempool limiting, as will be in 0.12, is too invasive and risky to
backport.
Github-Pull: #6793
Rebased-From: 28e3249e53b8ef7516636df0f1406466a513095d 4e2efb3c5fde4b1e332cc032e3dc4082ec4e3cac
The main effect is to exit processing for recently-rejected hashes,
in case they are pushed to us without prior advertisement. This
behavior was seen in the wild.
An additional effect is to do early checks for mempool or mapOrphan
existence. No logging or nDoS tracking is needed for failures of
these checks.
Four cases included:
* The CLTV operand type mismatches the tx locktime. In the script it is
1 (interpreted as block height), but in the tx is 500000000
(interpreted as date)
* The stack is empty when executing OP_CLTV
* The tx is final by having only one input with MAX_INT sequence number
* The operand for CLTV is negative (after OP_0 OP_1 OP_SUB)
Rebased-From: cb54d17355864fa08826d6511a0d7692b21ef2c9
Transactions that fail CLTV verification will be rejected from the
mempool, making it easy to test the feature. However blocks containing
"invalid" CLTV-using transactions will still be accepted; this is *not*
the soft-fork required to actually enable CLTV for production use.
Rebased-From: ffd75adce01a78b3461b3ff05bcc2b530a9ce994
<nLockTime> CHECKLOCKTIMEVERIFY -> <nLockTime>
Fails if tx.nLockTime < nLockTime, allowing the funds in a txout to be
locked until some block height or block time in the future is reached.
Only the logic and unittests are implemented; this commit does not have
any actual soft-fork logic in it.
Thanks to Pieter Wuille for rebase.
Credit goes to Gregory Maxwell for the suggestion of comparing the
argument against the transaction nLockTime rather than the current
time/blockheight directly.
Rebased-From: bc60b2b4b401f0adff5b8b9678903ff8feb5867b
While the existing numeric opcodes are all limited to 4-byte bignum
arguments, new opcodes will need different limits.
Rebased-From: 99088d60d8a7747c6d1a7fd5d8cd388be1b3e138
This adds SCRIPT_VERIFY_LOW_S to STANDARD_SCRIPT_VERIFY_FLAGS which
will make the node require the canonical 'low-s' encoding for
ECDSA signatures when relaying or mining.
Consensus behavior is unchanged.
The rational is explained in a81cd96805ce6b65cca3a40ebbd3b2eb428abb7b:
Absent this kind of test ECDSA is not a strong signature as given
a valid signature {r, s} both that value and {r, -s mod n} are valid.
These two encodings have different hashes allowing third parties a
vector to change users txids. These attacks are avoided by picking
a particular form as canonical and rejecting the other form(s); in
the of the LOW_S rule, the smaller of the two possible S values is
used.
If widely deployed this change would eliminate the last remaining
known vector for nuisance malleability on boring SIGHASH_ALL
p2pkh transactions. On the down-side it will block most
transactions made by sufficiently out of date software.
Unlike the other avenues to change txids on boring transactions this
one was randomly violated by all deployed bitcoin software prior to
its discovery. So, while other malleability vectors where made
non-standard as soon as they were discovered, this one has remained
permitted. Even BIP62 did not propose applying this rule to
old version transactions, but conforming implementations have become
much more common since BIP62 was initially written.
Bitcoin Core has produced compatible signatures since a28fb70e in
September 2013, but this didn't make it into a release until 0.9
in March 2014; Bitcoinj has done so for a similar span of time.
Bitcoinjs and electrum have been more recently updated.
This does not replace the need for BIP62 or similar, as miners can
still cooperate to break transactions. Nor does it replace the
need for wallet software to handle malleability sanely[1]. This
only eliminates the cheap and irritating DOS attack.
[1] On the Malleability of Bitcoin Transactions
Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, Łukasz Mazurek
http://fc15.ifca.ai/preproceedings/bitcoin/paper_9.pdf
Rebased-From: b196b685c9089b74fd4ff3d9a28ea847ab36179b
Github-Pull: #6769
This avoids that premature return in the condition that a new chain is initialized
results in NULL pointer errors due to recentReject not being constructed.
Also add assertions where it is used.
(cherry picked from commit a8d0407c4fcf7c4e8ed0e8edabd204f7a4efa477)
Nodes can have divergent policies on which transactions they will accept
and relay. This can cause you to repeatedly request and reject the same
tx after its inved to you from various peers which have accepted it.
Here we add rolling bloom filter to keep track of such rejections,
clearing the filter every time the chain tip changes.
Credit goes to Alex Morcos, who created the patch that this code is
based on.
Original code by Peter Todd. Refactored to not construct the
filter at startup time by Pieter Wuille.
(cherry picked from commit 0847d9cb5fcd2fdd5a21bde699944d966cf5add9)
While CBloomFilter is usually used with an explicitly set nTweak,
CRollingBloomFilter is only used internally. Requiring every caller to
set nTweak is error-prone and redundant; better to have the class handle
that for you with a high-quality randomness source.
Additionally when clearing the filter it makes sense to change nTweak as
well to recover from a bad setting, e.g. due to insufficient randomness
at initialization, so the clear() method is replaced by a reset() method
that sets a new, random, nTweak value.
(cherry picked from commit d2d7ee0e863b286e1c9f9c54659d494fb0a7712d)
45bfa13 PARTIAL: typofixes (found by misspell_fixer) (Veres Lajos)
21c406e add support for miniupnpc api version 14 (Pavel Vasin)
13bd5a7 rpc-tests: re-enable rpc-tests for Windows (Cory Fields)
ccc4ad6 net: Set SO_REUSEADDR for Windows too (Cory Fields)
1f6772e add unit test for CNetAddr::GetGroup. (Alex Morcos)
13642a5 Fix masking of irrelevant bits in address groups. (Alex Morcos)
6b51b9b Replace boost::reverse_lock with our own. (Casey Rodarmor)
626c5e6 Make sure we re-acquire lock if a task throws (Casey Rodarmor)
4877053 Add missing files to files.md (fanquake)
f171fee Handle leveldb::DestroyDB() errors on wipe failure (Adam Weiss)
c5b89fe Fix race condition on test node shutdown (Casey Rodarmor)
4a37410 Handle no chain tip available in InvalidChainFound() (Ross Nicoll)
f6d29a6 Use unique name for AlertNotify tempfile (Casey Rodarmor)
e6adac7 Delay initial pruning until after wallet init (Adam Weiss)
e0020d4 Make sure LogPrint strings are line-terminated (J Ross Nicoll)
7ff9d12 Make sure LogPrintf strings are line-terminated (Wladimir J. van der Laan)
5a39133 build: fix libressl detection (Cory Fields)
f6355e6 Avoid leaking file descriptors in RegisterLoad (Casey Rodarmor)
60457d3 locking: fix a few small issues uncovered by -Wthread-safety (Cory Fields)
a496e11 Remove bash test note from rpc-tests readme (fanquake)
49c6a64 tests: Remove old sh-based test framework (Wladimir J. van der Laan)
a37567d Add autogen.sh to source tarball. (randy-waterhouse)
1f4d7cf travis: for travis generating an extra build (Cory Fields)
Sean Bowe
Taylor Hornby
Nathan Wilcox
Jack Grigg
zkbot
Taylor Hornby
Wladimir J. van der Laan
Pieter Wuille
Mark Friedenbach
Alex Morcos
Gregory Maxwell
Daniel Cousens
Eric Lombrozo
Luke Dashjr
MarcoFalke
Diego Viola
Tom Harding
Peter Todd
Esteban Ordano