Add checkBlock() to Mining interface #31981

pull Sjors wants to merge 5 commits into bitcoin:master from Sjors:2025/03/checkBlock changing 16 files +493 −229
  1. Sjors commented at 11:04 AM on March 4, 2025: member

    This PR adds the IPC equivalent of the getblocktemplate RPC in proposal mode.

    In order to do so it has TestBlockValidity return error reasons as a string instead of BlockValidationState. This avoids complexity in IPC code for handling the latter struct.

    The new Mining interface method is used in miner_tests.

    It's not used by the getblocktemplate and generateblock RPC calls, see #31981 (review)

    The inconclusive-not-best-prevblk check is moved from RPC code to TestBlockValidity.

    Test coverage is increased by mining_template_verification.py.

    Superseedes #31564

    Background

    Verifying block templates (no PoW)

    Stratum v2 allows miners to generate their own block template. Pools may wish (or need) to verify these templates. This typically involves comparing mempools, asking miners to providing missing transactions and then reconstructing the proposed block.^0 This is not sufficient to ensure a proposed block is actually valid. In some schemes miners could take advantage of incomplete validation^1.

    The Stratum Reference Implementation (SRI), currently the only Stratum v2 implementation, collects all missing mempool transactions, but does not yet fully verify the block.^2. It could use the getblocktemplate RPC in proposal mode, but using IPC is more performant, as it avoids serialising up to 4 MB of transaction data as JSON.

    (although SRI could use this PR, the Template Provider role doesn't need it, so this is not part of #31098)

  2. DrahtBot commented at 11:04 AM on March 4, 2025: contributor

    <!--e57a25ab6845829454e8d69fc972939a-->

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    <!--006a51241073e994b41acfe9ec718e94-->

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/31981.

    <!--021abf342d371248e50ceaed478a90ca-->

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK TheCharlatan, ryanofsky, davidgumberg, achow101
    Concept ACK ismaelsadeeq

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

    <!--174a7506f384e20aa4161008e828411d-->

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #32317 (kernel: Separate UTXO set access from validation functions by TheCharlatan)
    • #29415 (Broadcast own transactions only via short-lived Tor or I2P connections by vasild)
    • #26201 (Remove Taproot activation height by Sjors)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

    <!--5faf32d7da4f0f540f40219e4f7537a3-->

  3. Sjors commented at 11:39 AM on March 4, 2025: member

    I also salvaged the functional tests from 15d841e41bb61f435dd3e60e99fa4db47d34a3a6.

  4. laanwj added the label Mining on Mar 4, 2025
  5. DrahtBot added the label Needs rebase on Mar 12, 2025
  6. Sjors force-pushed on Mar 13, 2025
  7. Sjors commented at 8:30 AM on March 13, 2025: member

    Rebased after #31283.

  8. DrahtBot removed the label Needs rebase on Mar 13, 2025
  9. DrahtBot added the label Needs rebase on Mar 14, 2025
  10. Sjors force-pushed on Mar 14, 2025
  11. Sjors commented at 9:03 AM on March 14, 2025: member

    Rebased after #31974 (trivial conflict with 3b33fd9424a2b4edbdc1745339e3541ab4b90af5).

  12. DrahtBot removed the label Needs rebase on Mar 14, 2025
  13. ryanofsky requested review from Copilot on Apr 8, 2025
  14. Copilot commented at 8:40 PM on April 8, 2025: none

    Copilot reviewed 13 out of 15 changed files in this pull request and generated 1 comment.

    <details> <summary>Files not reviewed (2)</summary>

    • src/ipc/capnp/mining.capnp: Language not supported
    • src/test/ipc_test.capnp: Language not supported

      </details>

    <details> <summary>Comments suppressed due to low confidence (1)</summary>

    src/node/interfaces.cpp:1098

    • Correct the comment formatting by removing the '=' in '/=check_merkle_root=/' to read '/check_merkle_root=/' for clarity.
    return chainman().TestBlockValidity(block, reason, /*check_pow=*/options.check_pow, /*=check_merkle_root=*/options.check_merkle_root);

    </details>

  15. in src/node/types.h:91 in e6e170cf6c outdated 
      85 | @@ -85,6 +86,17 @@ struct BlockWaitOptions {
  86 |      CAmount fee_threshold{MAX_MONEY};
  87 |  };
  88 |  
  89 | +struct BlockCheckOptions {
  90 | +    /**
  91 | +     * Set false to omit the merkle root heck
    Copilot commented at 8:40 PM on April 8, 2025:

    Typo in the comment: change 'heck' to 'check'.

         * Set false to omit the merkle root check
    l0rinc commented at 8:42 PM on April 8, 2025:

    Can we turn this off?

    maflcko commented at 6:38 AM on April 9, 2025:

    Can we turn this off?

    Probably best discussed in a separate brainstorming issue, but if this can find typos without false positives before real review and before merge, it seems acceptable. Obviously it can't do any real review and this is the first time I've seen it used, so I am likely missing downsides.

    ryanofsky commented at 4:47 PM on April 9, 2025:

    re: #31981 (review)

    I actually requested the review since I was curious what it would do. It seems a bit afraid to be opinionated though and might be more useful if we added guidelines https://docs.github.com/en/enterprise-cloud@latest/copilot/using-github-copilot/code-review/configuring-coding-guidelines

    Sjors commented at 11:04 AM on April 25, 2025:

    Fixed typo since I had to retouch anyway.

  16. in src/rpc/mining.cpp:744 in 1d029c23a1 outdated 
     746 | -            }
 747 | -            BlockValidationState state;
 748 | -            TestBlockValidity(state, chainman.GetParams(), chainman.ActiveChainstate(), block, chainman.m_blockman.LookupBlockIndex(block.hashPrevBlock), /*fCheckPOW=*/false, /*fCheckMerkleRoot=*/true);
 749 | -            return BIP22ValidationResult(state);
 750 | +            std::string reason;
 751 | +            bool res{chainman.TestBlockValidity(block, reason, /*check_pow=*/false, /*check_merkle_root=*/true)};
    ryanofsky commented at 4:01 PM on April 9, 2025:

    In commit "validation: refactor TestBlockValidity" (1d029c23a143f1b9110377967a7c4a20ee75058d)

    it seems like there could be change in behavior here since BIP22ValidationResult would previously throw an exception on error and now it will just return an error string.

    Sjors commented at 11:04 AM on April 25, 2025:

    Good point. The original code would return a string in some cases and throw an error in others. Although it's possible nobody uses the getblocktemplate RPC in proposal mode at all, there could be (unmaintained) proprietary software out there using it. So the safest option is to maintain the behavior.

    However it seems there's no change in behavior: BIP22ValidationResult only throws for state.IsError(), not for state.IsInvalid(). I looked through CheckBlock and the functions it calls and none of those can set state.IsError().

    I expanded the commit message to explain this.

  17. in src/rpc/mining.cpp:391 in 1d029c23a1 outdated 
     385 | @@ -386,9 +386,9 @@ static RPCHelpMan generateblock()
 386 |          block.vtx.insert(block.vtx.end(), txs.begin(), txs.end());
 387 |          RegenerateCommitments(block, chainman);
 388 |  
 389 | -        BlockValidationState state;
 390 | -        if (!TestBlockValidity(state, chainman.GetParams(), chainman.ActiveChainstate(), block, chainman.m_blockman.LookupBlockIndex(block.hashPrevBlock), /*fCheckPOW=*/false, /*fCheckMerkleRoot=*/false)) {
 391 | -            throw JSONRPCError(RPC_VERIFY_ERROR, strprintf("TestBlockValidity failed: %s", state.ToString()));
 392 | +        std::string reason;
 393 | +        if (!chainman.TestBlockValidity(block, reason, /*check_pow=*/false, /*check_merkle_root=*/false)) {
 394 | +            throw JSONRPCError(RPC_VERIFY_ERROR, strprintf("TestBlockValidity failed: %s", reason));
    ryanofsky commented at 4:10 PM on April 9, 2025:

    In commit "validation: refactor TestBlockValidity" (1d029c23a143f1b9110377967a7c4a20ee75058d)

    There seems to be a change in behavior here if ValidationState::m_debug_message is set because now it would previous be included in ToString output but now will be dropped.

    Sjors commented at 12:14 PM on April 25, 2025:

    I changed TestBlockValidity to also take a debug argument.

  18. in src/validation.cpp:4644 in 1d029c23a1 outdated 
    4646 | -                       Chainstate& chainstate,
4647 | -                       const CBlock& block,
4648 | -                       CBlockIndex* pindexPrev,
4649 | -                       bool fCheckPOW,
4650 | -                       bool fCheckMerkleRoot)
4651 | +bool ChainstateManager::TestBlockValidity(const CBlock& block, std::string& reason, const bool check_pow, const bool check_merkle_root)
    ryanofsky commented at 4:20 PM on April 9, 2025:

    In commit "validation: refactor TestBlockValidity" (1d029c23a143f1b9110377967a7c4a20ee75058d)

    Most of the changes here seem good, but there are a few things I think could be improved:

    • It seems better to me if this would return a BlockValidationState object instead of a string and a bool, so the valid/invalid/error states could be clearly distinguished, debug information could be returned, and this would fit in better with other validation.h functions using BlockValidationState. Returning BlockValidationState would also let callers use the BIP22ValidationResult univalue conversion function so we could reduce inconsistencies in how RPCs return validation information.
    • Also think it would be good if this function still took a chainstate parameter, since it shouldn't care about which chainstate is active and could work on any chainstate.
    • I think it would be better if this remained a standalone function instead of becoming a ChainstateManager method since it shouldn't need access to private ChainstateManager state and we might want to move it out of validation.cpp at some point to someplace like node/miner.cpp since it is only used by mining code.
    • Probably also better for it not to LOCK(cs_main) to avoid unnecessary recursive mutex locking.
    • Using Assert() consistently here would seem better than using a mix of Assert and Assume. Or if Assume() should be used it would be better to check return value and return an error status, instead of the ignoring failures in release builds.

    Made a commit with all these changes which looks like: bf15692ab9b5f8d68cb84e925c067caebe03efba (branch)

    Sjors commented at 11:15 AM on April 25, 2025:

    Making this return a BlockValidationState means we have to pass it over the interface, which means we can't drop the special handling, see cca5993b26e6223af31fe1ef5bf8a319cb87cf93.

    Sjors commented at 1:27 PM on April 25, 2025:

    None of the Assume checks seem problematic in production. They would just be inconsistent with (my understanding of) previous behavior. I dropped them, since none of the tests and fuzzers tripped over them.

    I dropped the !block.fChecked Assert. The remaining Assert`s are where we would crash anyway.

    Finally I changed the pre-existing assert at the end into an Assume along with a LogError.

    ryanofsky commented at 5:37 PM on May 13, 2025:

    re: #31981 (review)

    Making this return a BlockValidationState means we have to pass it over the interface, which means we can't drop the special handling

    Agree it's not good to pass BlockValidationState over the IPC interface (and the earlier change I posted didn't do that). I just think it it's best if validation.h/cpp uses BlockValidationState to be internally consistent and return the most information to callers.

    None of the Assume checks seem problematic in production.

    Thanks, I should have been clear my issue was just with unchecked Assume statements, not Assume statements in general. If unexpected states occur in releases I think it's best to report them or return them to callers, not ignore them.

    re: #31981 (comment)

    Probably also better for it not to LOCK(cs_main) to avoid unnecessary recursive mutex locking.

    Can you elaborate on this?

    Not too important but there's an effort to replace recursive mutexes with nonrecursive ones in #19303. Suggestion is just to replace the lock with a lock annotation.

    I do think current code as of c1939c43c3addb17c4316d49580762a1e0ec4504 is ok but that it would be nice to keep using BlockValidationState in validation code and return more complete error information. Here are the changes I'd suggest:

    <details><summary>diff</summary> <p>

    --- a/src/node/interfaces.cpp
+++ b/src/node/interfaces.cpp
@@ -1112,7 +1112,11 @@ public:
 
     bool checkBlock(const CBlock& block, const node::BlockCheckOptions& options, std::string& reason, std::string& debug) override
     {
-        return TestBlockValidity(chainman().ActiveChainstate(), block, /*check_pow=*/options.check_pow, /*=check_merkle_root=*/options.check_merkle_root, reason, debug);
+        LOCK(chainman().GetMutex());
+        BlockValidationState state{TestBlockValidity(chainman().ActiveChainstate(), block, /*check_pow=*/options.check_pow, /*=check_merkle_root=*/options.check_merkle_root)};
+        reason = state.GetRejectReason();
+        debug = state.GetDebugMessage();
+        return state.IsValid();
     }
 
     NodeContext* context() override { return &m_node; }
--- a/src/node/miner.cpp
+++ b/src/node/miner.cpp
@@ -173,10 +173,10 @@ std::unique_ptr<CBlockTemplate> BlockAssembler::CreateNewBlock()
     pblock->nBits          = GetNextWorkRequired(pindexPrev, pblock, chainparams.GetConsensus());
     pblock->nNonce         = 0;
 
-    std::string reason;
-    std::string debug;
-    if (m_options.test_block_validity && !TestBlockValidity(m_chainstate, *pblock, /*check_pow=*/false, /*check_merkle_root=*/false, reason, debug)) {
-        throw std::runtime_error(strprintf("TestBlockValidity failed: %s - %s", reason, debug));
+    if (m_options.test_block_validity) {
+        if (BlockValidationState state{TestBlockValidity(m_chainstate, *pblock, /*check_pow=*/false, /*check_merkle_root=*/false)}; !state.IsValid()) {
+            throw std::runtime_error(strprintf("TestBlockValidity failed: %s", state.ToString()));
+        }
     }
     const auto time_2{SteadyClock::now()};
 
--- a/src/rpc/mining.cpp
+++ b/src/rpc/mining.cpp
@@ -387,10 +387,8 @@ static RPCHelpMan generateblock()
         block.vtx.insert(block.vtx.end(), txs.begin(), txs.end());
         RegenerateCommitments(block, chainman);
 
-        std::string reason;
-        std::string debug;
-        if (!miner.checkBlock(block, {.check_merkle_root = false, .check_pow = false}, reason, debug)) {
-            throw JSONRPCError(RPC_VERIFY_ERROR, strprintf("TestBlockValidity failed: %s - %s", reason, debug));
+        if (BlockValidationState state{TestBlockValidity(chainman.ActiveChainstate(), block, /*check_pow=*/false, /*check_merkle_root=*/false)}; !state.IsValid()) {
+            throw JSONRPCError(RPC_VERIFY_ERROR, strprintf("TestBlockValidity failed: %s", state.ToString()));
         }
     }
 
@@ -742,12 +740,7 @@ static RPCHelpMan getblocktemplate()
                 return "duplicate-inconclusive";
             }
 
-            std::string reason;
-            std::string debug;
-            bool res{miner.checkBlock(block, {.check_pow = false}, reason, debug)};
-            if (res) return UniValue::VNULL;
-            LogDebug(BCLog::RPC, "Invalid block: %s", debug);
-            return UniValue{reason};
+            return BIP22ValidationResult(TestBlockValidity(chainman.ActiveChainstate(), block, /*check_pow=*/false, /*check_merkle_root=*/true));
         }
 
         const UniValue& aClientRules = oparam.find_value("rules");
--- a/src/validation.cpp
+++ b/src/validation.cpp
@@ -4648,31 +4648,30 @@ MempoolAcceptResult ChainstateManager::ProcessTransaction(const CTransactionRef&
     return result;
 }
 
-bool TestBlockValidity(Chainstate& chainstate,
-                       const CBlock& block,
-                       const bool check_pow,
-                       const bool check_merkle_root,
-                       std::string& reason,
-                       std::string& debug)
+
+BlockValidationState TestBlockValidity(
+    Chainstate& chainstate,
+    const CBlock& block,
+    const bool check_pow,
+    const bool check_merkle_root)
 {
     // Lock must be held throughout this function for two reasons:
     // 1. We don't want the tip to change during several of the validation steps
     // 2. To prevent a CheckBlock() race condition for fChecked, see ProcessNewBlock()
-    LOCK(chainstate.m_chainman.GetMutex());
+    AssertLockHeld(chainstate.m_chainman.GetMutex());
 
     BlockValidationState state;
     CBlockIndex* tip{Assert(chainstate.m_chain.Tip())};
 
     if (block.hashPrevBlock != *Assert(tip->phashBlock)) {
-        reason = "inconclusive-not-best-prevblk";
-        return false;
+        state.Invalid({}, "inconclusive-not-best-prevblk");
+        return state;
     }
 
     // For signets CheckBlock() verifies the challenge iff fCheckPow is set.
     if (!CheckBlock(block, state, chainstate.m_chainman.GetConsensus(), /*fCheckPow=*/check_pow, /*fCheckMerkleRoot=*/check_merkle_root)) {
-        reason = state.GetRejectReason();
-        debug = state.GetDebugMessage();
-        return false;
+        if (state.IsValid()) state.Error("CheckBlock failed");
+        return state;
     }
 
     /**
@@ -4691,15 +4690,13 @@ bool TestBlockValidity(Chainstate& chainstate,
      */
 
     if (!ContextualCheckBlockHeader(block, state, chainstate.m_blockman, chainstate.m_chainman, tip)) {
-        reason = state.GetRejectReason();
-        debug = state.GetDebugMessage();
-        return false;
+        if (state.IsValid()) state.Error("ContextualCheckBlockHeader failed");
+        return state;
     }
 
     if (!ContextualCheckBlock(block, state, chainstate.m_chainman, tip)) {
-        reason = state.GetRejectReason();
-        debug = state.GetDebugMessage();
-        return false;
+        if (state.IsValid()) state.Error("ContextualCheckBlock failed");
+        return state;
     }
 
     // We don't want ConnectBlock to update the actual chainstate, so create
@@ -4716,16 +4713,17 @@ bool TestBlockValidity(Chainstate& chainstate,
 
     // Set fJustCheck to true in order to update, and not clear, validation caches.
     if(!chainstate.ConnectBlock(block, state, &index_dummy, view, /*fJustCheck=*/true)) {
-        reason = state.GetRejectReason();
-        debug = state.GetDebugMessage();
-        return false;
-    }
-    if (!Assume(state.IsValid())) {
-        LogError("Unexpected invalid validation state");
-        return false;
+        if (state.IsValid()) state.Error("ConnectBlock failed");
+        return state;
     }
 
-    return true;
+    // Ensure no check returned successfully while also setting an invalid state.
+    if (!Assume(state.IsValid())) {
+        LogError("Unexpected invalid state in TestBlockValidity: %s", state.ToString());
+        state.Error("TestBlockValidity failed");
+    }
+
+    return state;
 }
 
 /* This function is called from the RPC code for pruneblockchain */
--- a/src/validation.h
+++ b/src/validation.h
@@ -388,21 +388,23 @@ bool CheckBlock(const CBlock& block, BlockValidationState& state, const Consensu
  *
  * [@param](/bitcoin-bitcoin/contributor/param/)[in]   block       The block we want to process. Must connect to the
  *                          current tip.
- * [@param](/bitcoin-bitcoin/contributor/param/)[in]   chainstate    The chainstate to connect to.
- * [@param](/bitcoin-bitcoin/contributor/param/)[out]  reason      rejection reason (BIP22)
- * [@param](/bitcoin-bitcoin/contributor/param/)[out]  debug       more detailed rejection reason
+ * [@param](/bitcoin-bitcoin/contributor/param/)[in]   chainstate  The chainstate to connect to.
  * [@param](/bitcoin-bitcoin/contributor/param/)[in]   check_pow   perform proof-of-work check, nBits in the header
  *                          is always checked
  * [@param](/bitcoin-bitcoin/contributor/param/)[in]   check_merkle_root check the merkle root
  *
+ * [@return](/bitcoin-bitcoin/contributor/return/) Valid or Invalid state. This doesn't currently return an Error state,
+ *         and shouldn't unless there is something wrong with the existing
+ *         chainstate. (This is different from functions like AcceptBlock which
+ *         can fail trying to save new data.)
+ *
  * For signets the challenge verification is skipped when check_pow is false.
  */
-bool TestBlockValidity(Chainstate& chainstate,
-                       const CBlock& block,
-                       const bool check_pow,
-                       const bool check_merkle_root,
-                       std::string& reason,
-                       std::string& debug);
+BlockValidationState TestBlockValidity(
+    Chainstate& chainstate,
+    const CBlock& block,
+    bool check_pow,
+    bool check_merkle_root) EXCLUSIVE_LOCKS_REQUIRED(cs_main);
 
 /** Check with the proof of work on each blockheader matches the value in nBits */
 bool HasValidProofOfWork(const std::vector<CBlockHeader>& headers, const Consensus::Params& consensusParams);

    </p> </details>

  19. ryanofsky approved
  20. ryanofsky commented at 5:00 PM on April 9, 2025: contributor

    Code review ACK e6e170cf6c67a56b9c14cece66fdc4fab5f3ec6b. Change is nicely implemented and background in the PR description is very helpful. Am a little concerned about possible changes in RPC behavior though and left some comments below.

  21. Sjors commented at 8:22 AM on April 22, 2025: member

    Note to self, figure out if the sigops check needs to be fixed here or in another PR: https://github.com/bitcoin/bitcoin/pull/31624/files#r2053597806

  22. Sjors force-pushed on Apr 25, 2025
  23. Sjors commented at 12:16 PM on April 25, 2025: member

    Rebased, fixed typo found by LLM, clarified non behavior change for proposal mode.

    I added a debug argument to pass along more detailed failure reasons.

    I'm a bit on the fence regarding this suggestion: #31981 (review)

    figure out if the sigops check needs to be fixed here

    No it doesn't. TestBlockValidity first calls CheckBlock which performs the limited sigops check documented in #31624. Later it calls ConnectBlock() which does the thorough check.

  24. maflcko commented at 12:49 PM on April 25, 2025: member

    I've implemented a typo check in DrahtBot and there are more, see #31981 (comment)

    Also, the CI is failing.

  25. DrahtBot added the label CI failed on Apr 25, 2025
  26. DrahtBot commented at 12:50 PM on April 25, 2025: contributor

    <!--85328a0da195eb286784d51f73fa0af9-->

    🚧 At least one of the CI tasks failed. <sub>Debug: https://github.com/bitcoin/bitcoin/runs/41155656918</sub>

    <details><summary>Hints</summary>

    Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

    • Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

    • A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.

    • An intermittent issue.

    Leave a comment here, if you need help tracking down a confusing failure.

    </details>

  27. Sjors force-pushed on Apr 25, 2025
  28. Sjors commented at 1:27 PM on April 25, 2025: member

    Forgot to adjust the capnp file. Fixed more typos.

    I moved TestBlockValidity out of ChainstateManager again, and pass in a chainstate parameter as suggested in #31981 (review).

    Probably also better for it not to LOCK(cs_main) to avoid unnecessary recursive mutex locking.

    Can you elaborate on this?

    I also moved the TestBlockValidity arguments around a bit to reduce churn.

  29. Sjors force-pushed on Apr 25, 2025
  30. DrahtBot removed the label CI failed on Apr 25, 2025
  31. in src/validation.cpp:4662 in a0a6dbbe75 outdated 
    4732 | +    index_dummy.nHeight = tip->nHeight + 1;
4733 | +    index_dummy.phashBlock = &block_hash;
4734 | +    CCoinsViewCache tip_view(&chainstate.CoinsTip());
4735 | +    CCoinsView blockCoins;
4736 | +    CCoinsViewCache view(&blockCoins);
4737 | +    view.SetBackend(tip_view);
    davidgumberg commented at 4:56 PM on April 30, 2025: 
        CCoinsViewCache view_dummy(&chainstate.CoinsTip());
    Sjors commented at 2:33 PM on May 14, 2025:

    I'm confused about what you're suggesting here.

    TheCharlatan commented at 12:51 PM on May 27, 2025:

    In commit 981853ab25dc6f967f393ecba57965afb8a822f3

    I would have suggested the same. It is not clear to me why you are introducing a new blockCoins (camel case?) view here. Maybe do some of these TestBlockValidity refactors and documentation in a separate commit. It is not quite clear to me why this should be changed.

    Sjors commented at 2:01 PM on May 27, 2025:

    This doesn't compile, but I assume you also meant to pass view_dummy into the ConnectBlock call below? I don't remember what the original was based on, so took the suggestion.

    ryanofsky commented at 4:58 PM on May 29, 2025:

    re: #31981 (review)

    I don't remember what the original was based on, so took the suggestion.

    Suggestion seems like a good change since it reduces complexity and makes new code more similar to existing code.

    But maybe one possible motivation or advantage of passing ConnectBlock a CCoinsViewCache on top of another CCoinsViewCache on top of chainstate.CoinsTip() instead of passing a single CCoinsViewCache on top of chainstate.CoinsTip() is that this would have ensured that ConnectBlock is only able to read from chainstate.CoinsTip() without modifying it.

    With only a single cache, ConnectBlock could potentially call CCoinsViewCache::Flush() or CCoinsViewCache::Sync() and modify the base UTXO set, which would be bad. But probably a bug like that is unlikely, and there could be better ways of preventing it like adding a read-only option to CCoinsViewCache that disables writing to the base UTXO set.

    Sjors commented at 5:42 AM on May 30, 2025:

    At least we have a test that checks the UTXO set isn't updated: https://github.com/bitcoin/bitcoin/blob/1def3bc3773b3013a92f54daa75acb82c30beaac/test/functional/mining_template_verification.py#L145-L156

    But that doesn't cover all conceivable future ways that we might accidentally flush.

    If we do want to add a belt-and-suspenders way to prevent such a flush, it seems better for a followup.

    there could be better ways of preventing it like adding a read-only option to CCoinsViewCache that disables writing to the base UTXO set

    That seems like the best approach.

  32. in src/validation.cpp:4612 in c1939c43c3 outdated 
    4673 | -    // NOTE: CheckBlockHeader is called by CheckBlock
4674 | -    if (!ContextualCheckBlockHeader(block, state, chainstate.m_blockman, chainstate.m_chainman, pindexPrev)) {
4675 | -        LogError("%s: Consensus::ContextualCheckBlockHeader: %s\n", __func__, state.ToString());
4676 | +    // Lock must be held throughout this function for two reasons:
4677 | +    // 1. We don't want the tip to change during several of the validation steps
4678 | +    // 2. To prevent a CheckBlock() race condition for fChecked, see ProcessNewBlock()
    stringintech commented at 6:12 PM on April 30, 2025:

    Since TestBlockValidity is typically called with a fresh block instance, I'm not seeing how the race condition with fChecked could occur. Could you elaborate on this please?

    Sjors commented at 2:25 PM on May 14, 2025:

    I think you're right that this can't happen in the current codebase. TestBlockValidity is only called by checkBlock(). When this is called via the IPC interface, it will have a fresh CBlock each time (unless we start supporting shared memory between processes). Simiarly when called by the generateblock RPC or getblocktemplate in proposal mode it will have a fresh instance.

    The code in miner_tests.cpp does reuse the same CBlock across multiple calls, though not in parallel.

    Still, it seems like a good precaution against (perhaps unlikely) future regressions.

    stringintech commented at 6:28 PM on May 15, 2025:

    Thank you for the clarification.

  33. ismaelsadeeq commented at 3:33 PM on May 13, 2025: member

    Concept ACK after https://bitcoincore.reviews/31981

  34. Sjors commented at 3:43 PM on May 13, 2025: member

    Thanks. I still need to address the questions by @stringintech.

  35. in test/functional/mining_template_verification.py:41 in c1939c43c3 outdated 
      36 | +class MiningTemplateVerificationTest(BitcoinTestFramework):
  37 | +
  38 | +    def set_test_params(self):
  39 | +        self.num_nodes = 1
  40 | +
  41 | +    def run_test(self):
    ryanofsky commented at 7:35 PM on May 13, 2025:

    In commit "test: more template verification tests" (c1939c43c3addb17c4316d49580762a1e0ec4504)

    Might be nice to split this test up into different methods since most of the checks seem independent. (Could pass in any objects they are sharing in common as arguments)

    Sjors commented at 3:13 PM on May 14, 2025:

    Done (though I didn't put too much effort into making them actually independent).

  36. ryanofsky approved
  37. ryanofsky commented at 7:40 PM on May 13, 2025: contributor

    Code review ACK c1939c43c3addb17c4316d49580762a1e0ec4504. Since last review changes were improving error handling adding many comments, and making TestBlockValidity a standalone method again accepting a chainstate.

    I left another suggestion (and a diff) below to make TestBlockValidity return a BlockValidationState instead of a bool and strings, which I think would be better, but feel free to keep current approach if you prefer.

    Might also be nice to link to the review club discussion in the description (https://bitcoincore.reviews/31981)

  38. DrahtBot requested review from ismaelsadeeq on May 13, 2025
  39. Sjors force-pushed on May 14, 2025
  40. Sjors commented at 3:12 PM on May 14, 2025: member

    I took @ryanofsky's patch to keep BlockValidationState in the interface implementation and validation code.

    Also split the test into multiple functions.

  41. in test/functional/mining_template_verification.py:290 in 28d9d8892a outdated 
     293 | +            block_1["mediantime"] + 1,
 294 | +        )
 295 | +
 296 | +        self.current_tip_test(node, block_2)
 297 | +        self.nbits_test(node, block_2)
 298 | +        self.pow_test(node, block_2)
    ryanofsky commented at 3:38 PM on May 14, 2025:

    In commit "test: more template verification tests" (c759ec1256a5cdc02b6eef1f4c0935c693bb8087)

    Maybe add comment # solve block_2 if that would clarify dependency between pow_test and later tests.

    (Alternately could change pow_test to return a different variable like block_2_solved)

    Sjors commented at 7:23 AM on May 20, 2025:

    It seems Python doesn't believe in const, so I ended up just documenting the test and its call site.

  42. Sjors force-pushed on May 14, 2025
  43. Sjors commented at 5:09 PM on May 14, 2025: member

    Rebased to include the new comment added in #31624.

    The tests I added don't cover the difference in sigops counting. Suggestions are welcome, it could look for "CheckBlock failed" vs "ConnectBlock failed". In any case this could be a followup.

  44. in src/rpc/mining.cpp:390 in 116a9d2dac outdated 
     386 | @@ -387,8 +387,10 @@ static RPCHelpMan generateblock()
 387 |          block.vtx.insert(block.vtx.end(), txs.begin(), txs.end());
 388 |          RegenerateCommitments(block, chainman);
 389 |  
 390 | -        if (BlockValidationState state{TestBlockValidity(chainman.ActiveChainstate(), block, /*check_pow=*/false, /*check_merkle_root=*/false)}; !state.IsValid()) {
 391 | -            throw JSONRPCError(RPC_VERIFY_ERROR, strprintf("TestBlockValidity failed: %s", state.ToString()));
 392 | +        std::string reason;
    ryanofsky commented at 8:55 PM on May 19, 2025:

    In commit "Add checkBlock to Mining interface" (116a9d2daced606e5f35896372da39fd914d3da1)

    Just a thought, but it doesn't seem to me that the changes to rpc/mining.cpp here and below in getblocktemplate are really improvements. They are making code more verbose and changing behavior in ways that don't necessarily seem better (producing an error message with a trailing " - " if debug string is empty here, adding a new LogDebug statement below with only the debug string, not the reason string).

    It seems like the motivation for changing this code is to use the mining interface instead of the mining functions in these RPCs, and while that is ok, it can add some costs like we see in #32547 and should also be less necessary after #32378. No strong opinion, but I think it could be good to stop trying to use the mining interface as much in these RPCs.

    (For testing purposes it seems like it should be sufficient to keep the mining interface a thin wrapper over other functions that doesn't implement much functionality, and call it from some unit tests.)

    Sjors commented at 7:30 AM on May 20, 2025:

    I dropped the changes to rpc/mining.cpp and explained why they're untouched in the commit message. Indeed checkBlock is already covered by the unit tests, and the meat and potatoes is in TestBlockValidity, which both IPC and RPC call.

  45. ryanofsky approved
  46. ryanofsky commented at 9:03 PM on May 19, 2025: contributor

    Code review ACK c759ec1256a5cdc02b6eef1f4c0935c693bb8087. Since last review just rebased, applied some suggested changes to use BlockValidationState, and split the new python test into functions.

  47. DrahtBot added the label Needs rebase on May 20, 2025
  48. Sjors force-pushed on May 20, 2025
  49. Sjors commented at 10:13 AM on May 20, 2025: member

    Trivial rebase after #32562, dropped changes in RPC code and added a comment in the test.

  50. DrahtBot removed the label Needs rebase on May 20, 2025
  51. ryanofsky approved
  52. ryanofsky commented at 3:07 PM on May 20, 2025: contributor

    Code review ACK 975991571de3f11399ca01753e41753e0008b5a0. Since last review just dropped some RPC changes which were not strictly necessary and added test comments

  53. TheCharlatan commented at 12:52 PM on May 27, 2025: contributor

    Concept ACK

  54. Sjors force-pushed on May 27, 2025
  55. ryanofsky approved
  56. ryanofsky commented at 5:14 PM on May 29, 2025: contributor

    Code review ACK 1def3bc3773b3013a92f54daa75acb82c30beaac. Only change since previous review is implementing a previous suggestion and passing a single cache temporary coinsview instead of a double cache to ConnectBlock.

  57. DrahtBot requested review from TheCharlatan on May 29, 2025
  58. in test/functional/mining_template_verification.py:55 in 1def3bc377 outdated 
      31 | +from test_framework.wallet import (
  32 | +    MiniWallet,
  33 | +)
  34 | +
  35 | +
  36 | +class MiningTemplateVerificationTest(BitcoinTestFramework):
    TheCharlatan commented at 12:50 PM on June 11, 2025:

    I'm not sure about adding all these tests. Are they actually improving coverage? I see some extra coverage in the corecheck report for the duplicate case, but that does not seem to warrant this entire test, which I guess is trying to cover a broad selection of possible failure cases, though there seems to be a large overlap with mining_basic.py. Maybe I am missing something? The existing mining_basic.py test is also already documented as being intended to exercise template proposals.

    Sjors commented at 1:05 PM on June 11, 2025:

    The existing coverage probably stems from the standard check after we generate our own block? But those are always valid. The checks here are for block templates from untrusted sources.

    I would imagine we'll expand them later once sv2 pools start actually receiving things from users in the wild. And perhaps we'll need to add additional rejection reasons like a max validation time, that don't apply to our own blocks.

    Sjors commented at 1:08 PM on June 11, 2025:

    It could make sense to depulicate things by moving a few things out of mining_basic.py here.

    TheCharlatan commented at 1:31 PM on June 11, 2025:

    Most of the cases tested here are also triggered in mining_basic.py, so maybe add the few extra ones here to over there? There is also a valid block test right at the beginning there, which implicitly checks that no state change happened.

    Sjors commented at 4:08 PM on June 11, 2025:

    I ended moving all template tests out of mining_basic.py to the new file, giving each test its own function. And then in a separate commit I added additional coverage.

    mining_basic.py is still 500 lines after this, and quite slow. So I think a separate file for this is justifiable.

    TheCharlatan commented at 12:54 PM on June 13, 2025:

    That looks nice, thanks for the changes!

  59. DrahtBot requested review from TheCharlatan on Jun 11, 2025
  60. Sjors force-pushed on Jun 11, 2025
  61. DrahtBot added the label Needs rebase on Jun 11, 2025
  62. in src/validation.cpp:4625 in 86a753d48d outdated 
    4641 | -        LogError("%s: Consensus::CheckBlock: %s\n", __func__, state.ToString());
4642 | -        return false;
4643 | +
4644 | +    // For signets CheckBlock() verifies the challenge iff fCheckPow is set.
4645 | +    if (!CheckBlock(block, state, chainstate.m_chainman.GetConsensus(), /*fCheckPow=*/check_pow, /*fCheckMerkleRoot=*/check_merkle_root)) {
4646 | +        if (state.IsValid()) state.Error("CheckBlock failed");
    davidgumberg commented at 1:13 AM on June 12, 2025:

    I'm a bit confused by the state.IsValid() checks, in what circumstance would the checks fail but state.IsValid() == true?

    Sjors commented at 3:19 PM on June 12, 2025:

    This shouldn't happen, but if it does, we don't want to accidentally approve the block. I added NONFATAL_UNREACHABLE to make this clear.

    ryanofsky commented at 3:51 PM on June 12, 2025:

    re: #31981 (review)

    This shouldn't happen, but if it does, we don't want to accidentally approve the block. I added NONFATAL_UNREACHABLE to make this clear.

    Is that change in the latest push? I don't see it and I'm not sure it would help as nonfatal macros are mostly intended for RPC code and nothing in the IPC code handles them right now. I think I would suggest just adding a comment to this line like:

    if (state.IsValid()) state.Error("CheckBlock failed"); // Should never happen

    Obviously this code sucks but I think it's probably the best way for this PR to deal with the fact that CheckBlock function type and related function types allow returning allow returning two different status values which may be inconsistent.

    Another possible solution would be:

    if (!Assume(!state.IsValid())) state.Error("CheckBlock failed");

    which I wouldn't mind but the double negatives might be too confusing.

    This PR should improve the overall situation by making TestBlockValidity return only one status value not two, but changing other validation functions to stop returning multiple values that could be inconsistent is probably not in scope here.

    Sjors commented at 6:37 AM on June 13, 2025:

    I pushed a few hours later than my comment. It's in 0eac0a27c48a604f9b9f15ef810134cfbd8e6350.

    I don't see it and I'm not sure it would help as nonfatal macros are mostly intended for RPC code and nothing in the IPC code handles them right now.

    This code is exercised by both the IPC and the getblocktemplate proposal RPC. There's also a comment.

    ryanofsky commented at 12:11 PM on June 13, 2025:

    re: #31981 (review)

    In commit "validation: refactor TestBlockValidity" (0eac0a27c48a604f9b9f15ef810134cfbd8e6350)

    I pushed a few hours later than my comment.

    Thanks, that code looks clear and points out that if the functions return failure and success at the same time through their two return values, it's an error that's not expected to happen.

    So it looks fine and I don't think it needs to be changed. Would just point out:

    1. There's need to call state.Error() before NONFATAL_UNREACHABLE in those 4 places, since it throws an exception and the state variable is ignored. The state.Error() calls don't do anything and could be dropped, but they are also harmless and fine to keep if desired.
    2. NONFATAL_UNREACHABLE throws an exception which is something we've tended to do in RPC and wallet code, not really validation code. Validation code avoids exceptions and uses return codes or output parameters instead (or in some cases both, causing ambiguity). But this also seems ok since I don't think there's a clear reason for avoiding exceptions, this is an error case that's never expected to trigger, and this function is more part of mining code than validation code.
    3. Capnp proto code won't pass along the NonFatalCheckError exception if Mining.checkBlock is called over IPC because the signature of that method does not include an error: ErrorType $Proxy.exception("NonFatalCheckError") return values with Build and Read functions mapping ErrorType <-> NonFatalCheckError. Instead errors will be logged on the server and client side and client will raise an ipc::Exception. This is also ok since we never expect this case to happen, but it is what I meant by "nothing in the IPC code handles them right now"
    Sjors commented at 3:10 PM on June 13, 2025:

    I was assuming NONFATAL_UNREACHABLE is only called in debug compilation. But if not then indeed the state.Error() bit isn't needed. Might change that if I need to retouch.

    and this function is more part of mining code than validation code.

    Yes, the imagined use case where pools approve proposed templates means that accidentally approving an invalid block could lead to the pool losing funds. An exception seems fine in that case, even desirable. A crash or lack of response would be fine too.

    Instead errors will be logged on the server and client side and client will raise an ipc::Exception.

    That's fine. If this does happen then the pool operator will have to investigate. Presumably they'll have access to the logs on both the client and server side.

    ryanofsky commented at 11:04 AM on June 14, 2025:

    re: #31981 (review)

    In commit "validation: refactor TestBlockValidity" (a376818df40e6b1c7645ca2e9159072f7ca41fbc)

    If you update, can remove the remaining state.Error call for consistency:

    --- a/src/validation.cpp
+++ b/src/validation.cpp
@@ -4669,10 +4669,7 @@ BlockValidationState TestBlockValidity(
     }
 
     // Ensure no check returned successfully while also setting an invalid state.
-    if (!Assume(state.IsValid())) {
-        LogError("Unexpected invalid state in TestBlockValidity: %s", state.ToString());
-        state.Error("TestBlockValidity failed");
-    }
+    if (!state.IsValid()) NONFATAL_UNREACHABLE();
 
     return state;
 }
    Sjors commented at 12:32 PM on June 14, 2025:

    Oops, missed that one. Done now.

    ryanofsky commented at 1:02 PM on June 14, 2025:

    re: #31981 (review)

    Should have noticed this earlier, but it probably makes sense also to replace if (x) NONFATAL_UNREACHABLE() with CHECK_NONFATAL(!x).

    TheCharlatan commented at 2:03 PM on June 14, 2025:

    I think prefer how it is to be honest. Unreachable does communicate more clearly that this condition should never be reached.

  63. Sjors force-pushed on Jun 12, 2025
  64. Sjors commented at 7:42 AM on June 12, 2025: member

    Rebased after #32421.

    For some reason one of the mining_template_verification.py tests gets stuck with MSAN. I'll try to reproduce. @maflcko is it possible to have CI print a trace when a test fails due to timeout?

  65. DrahtBot removed the label Needs rebase on Jun 12, 2025
  66. DrahtBot added the label CI failed on Jun 12, 2025
  67. Sjors force-pushed on Jun 12, 2025
  68. Sjors commented at 4:47 PM on June 12, 2025: member

    Turns out I got a little carried away by #32421; blocks do still need rehash().

  69. maflcko commented at 7:56 PM on June 12, 2025: member

    @maflcko is it possible to have CI print a trace when a test fails due to timeout?

    From the python side, there should be a trace. I can't check right now, because Google Cloud is down (https://status.cloud.google.com/incidents/ow5i3PPK96RduMcb1SsW), so the logs are missing

  70. DrahtBot removed the label CI failed on Jun 13, 2025
  71. ryanofsky approved
  72. ryanofsky commented at 12:22 PM on June 13, 2025: contributor

    Code review ACK 2984e61ac0b51ccec46bb0159872becccbc4936c, just adding NONFATAL_UNREACHABLE since the last review and making a lot of nice changes to the tests including moving tests from mining_basic.py -> test/functional/mining_template_verification.py and using assert_template to make the tests more readable

  73. in test/functional/mining_template_verification.py:35 in 2984e61ac0 outdated 
      30 | +
  31 | +from test_framework.wallet import (
  32 | +    MiniWallet,
  33 | +)
  34 | +
  35 | +def assert_template(node, block, expect, *, rehash=True, submit=None, solve=True, expect_submit=None):
    davidgumberg commented at 5:53 AM on June 14, 2025:

    https://github.com/bitcoin/bitcoin/pull/31981/commits/79fd4dac1fc0226439d22d77c3ed8f014899e236 (test: move gbt proposal mode tests to new file)

    def assert_template(node, block, expect, *, rehash=True, submit=True, solve=True, expect_submit=None):

    This doesn't change behavior, since we were already checking submission on every block, since

    $ python3 -c "print(None is not False)"
True
  74. in test/functional/mining_template_verification.py:90 in 79fd4dac1f outdated 
      85 | +        bad_block = copy.deepcopy(block)
  86 | +        bad_block.vtx.append(bad_block.vtx[0])
  87 | +        assert_template(node, bad_block, 'bad-txns-duplicate')
  88 | +
  89 | +    def thin_air_spending_test(self, node, block):
  90 | +        self.log.info("Transaction than spends from thin air")
    davidgumberg commented at 5:55 AM on June 14, 2025:

    nit:

            self.log.info("Transaction that spends from thin air")
  75. in test/functional/mining_template_verification.py:46 in 2984e61ac0 outdated 
      41 | +        'mode': 'proposal',
  42 | +        'rules': ['segwit'],
  43 | +    })
  44 | +    assert_equal(rsp, expect)
  45 | +    # Only attempt to submit invalid templates
  46 | +    if submit is not False and expect is not None:
    davidgumberg commented at 6:15 AM on June 14, 2025:

    nit, with above:

        if submit and expect is not None:
  76. davidgumberg approved
  77. davidgumberg commented at 6:56 AM on June 14, 2025: contributor

    utACK 2984e61ac0b51ccec46b

    I'm not super familiar with how the IPC/capnproto schemas work, but the changes to TestBlockValidity() and the getblocktemplate tests look good to me.

  78. Sjors force-pushed on Jun 14, 2025
  79. Sjors commented at 9:35 AM on June 14, 2025: member

    I removed the setting of state.Error before NONFATAL_UNREACHABLE: #31981 (review)

    Also took @davidgumberg's suggestions.

    Both should improve readability.

  80. ryanofsky approved
  81. ryanofsky commented at 11:10 AM on June 14, 2025: contributor

    Code review ACK 8aad3bd81efd6ab70e78c60beedbfc425d609bf0 with minor NONFATAL_UNREACHABLE and assert_template improvements since last review

  82. DrahtBot requested review from davidgumberg on Jun 14, 2025
  83. validation: refactor TestBlockValidity
    Comments are expanded.

Return BlockValidationState instead of passing a reference.
Lock Chainman mutex instead of cs_main.
Remove redundant chainparams and pindexPrev arguments.
Drop defaults for checking proof-of-work and merkle root.

The ContextualCheckBlockHeader check is moved to after CheckBlock,
which is more similar to normal validation where context-free checks
are done first.

Validation failure reasons are no longer printed through LogError(),
since it depends on the caller whether this implies an actual bug
in the node, or an externally sourced block that happens to be invalid.
When called from getblocktemplate, via BlockAssembler::CreateNewBlock(),
this method already throws an std::runtime_error if validation fails.

Additionally it moves the inconclusive-not-best-prevblk check from RPC
code to TestBlockValidity.

There is no behavior change when callling getblocktemplate with proposal.
Previously this would return a BIP22ValidationResult which can throw for
state.IsError(). But CheckBlock() and the functions it calls only use
state.IsValid().

The final assert is changed into Assume, with a LogError.

Co-authored-by: <Ryan Ofsky <ryan@ofsky.org>
    74690f4ed8
  84. ipc: drop BlockValidationState special handling
    The Mining interface avoids using BlockValidationState.
    6077157531
  85. Add checkBlock to Mining interface
    Use it in miner_tests.

The getblocktemplate and generateblock RPC calls don't use this,
because it would make the code more verbose.
    94959b8dee
  86. test: move gbt proposal mode tests to new file
    Additionally this commit gives each test its
own function.

The assert_submitblock helper is absorbed into
assert_template.

Review hint:
git show --color-moved=dimmed-zebra
    10c908808f
  87. Sjors force-pushed on Jun 14, 2025
  88. Sjors force-pushed on Jun 14, 2025
  89. Sjors force-pushed on Jun 14, 2025
  90. test: more template verification tests a18e572328
  91. Sjors force-pushed on Jun 14, 2025
  92. Sjors commented at 12:38 PM on June 14, 2025: member

    I switched to using NONFATAL_UNREACHABLE at the end of the function as well: #31981 (review)

    Compare: https://github.com/bitcoin/bitcoin/compare/8aad3bd81efd6ab70e78c60beedbfc425d609bf0..a18e57232867d946bc35769632fed49e1bf1464f

  93. TheCharlatan approved
  94. TheCharlatan commented at 2:18 PM on June 14, 2025: contributor

    ACK a18e57232867d946bc35769632fed49e1bf1464f

  95. DrahtBot requested review from ryanofsky on Jun 14, 2025
  96. ryanofsky approved
  97. ryanofsky commented at 1:50 PM on June 16, 2025: contributor

    Code review ACK a18e57232867d946bc35769632fed49e1bf1464f just adding another NONFATAL_UNREACHABLE since last review

  99. achow101 commented at 11:15 PM on June 18, 2025: member

    ACK a18e57232867d946bc35769632fed49e1bf1464f

  100. achow101 merged this on Jun 19, 2025
  101. achow101 closed this on Jun 19, 2025
Contributors
SjorsDrahtBotCopilotl0rincmaflckoryanofskydavidgumbergTheCharlatanstringintechismaelsadeeqachow101


davidgumbergismaelsadeeq

Labels
Mining
Linked (view graph)
#28722 Multiprocess tracking issue#31098 Stratum v2 via IPC Mining Interface tracking issue#31564 Add checkblock RPC and checkBlock() to Mining interface#32053 Add test coverage for getblocktemplate fees#33856 kernel, validation: Refactor ProcessNewBlockHeaders to return BlockValidationState
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-28 03:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me