.

mccoystevens78-web commented at 1:06 am on November 6, 2025: none

doc: rpc: fix case typo in `finalizepsbt` help (final_scriptwitness) ff05bebcc4

test: set par=2 in default config for functional test framework

Depending on the host machine, a default `par` value can spawn up to 15 script verification threads for each node.
Running the functional test suite with default `par` can exhaust file descriptors or hit other resource limits when many threads are spawned.
These threads are mostly idle and the same code paths are executed with a value of `par=2`.
Limit this to 2 for functional tests that do not override the default option.

Co-authored-by: maflcko <6399679+maflcko@users.noreply.github.com>

dda5228e02

Merge bitcoin/bitcoin#33484: doc: rpc: fix case typo in `finalizepsbt` help (final_scriptwitness)

ff05bebcc4262966b117082a67dc4c63a3f67d2d doc: rpc: fix case typo in `finalizepsbt` help (final_scriptwitness) (Sebastian Falbesoner)

Pull request description:

  The lower-case spelling matches the `decodepsbt` result field:
  https://github.com/bitcoin/bitcoin/blob/200150beba6601237036bc01ee10f6a0a2246c3d/src/rpc/rawtransaction.cpp#L871
  https://github.com/bitcoin/bitcoin/blob/200150beba6601237036bc01ee10f6a0a2246c3d/src/rpc/rawtransaction.cpp#L1253

ACKs for top commit:
  l0rinc:
    ACK ff05bebcc4262966b117082a67dc4c63a3f67d2d
  rkrux:
    Ah crACK ff05bebcc4262966b117082a67dc4c63a3f67d2d

Tree-SHA512: c0a0e29e95fed3fcee4df4f3fc87b32774d76bebadcda5aa010bc45142727536d6a71e4c0e70564db8bdb734e8647c80953793ac9ecd6c434345e972f8d9b7b0

d8fe258cd6

ci: Reduce Alpine musl task to md runner size

Per https://github.com/bitcoin/bitcoin/pull/33480#discussion_r2387381492

444409ff2b

net: merge AlreadyConnectedToAddress() and FindNode(CNetAddr)

`CConnman::AlreadyConnectedToAddress()` is the only caller of
`CConnman::FindNode(CNetAddr)`, so merge the two in one function.

The unit test that checked whether `AlreadyConnectedToAddress()` ignores
the port is now unnecessary because now the function takes a `CNetAddr`
argument. It has no access to the port.

3a4d1a25cf

wallet, log: reduce unconditional logging during load

The removed statements were logged up to two or three times for each loaded
wallet. The SQLite version only needs to be logged once.
The full wallet path is dropped, since the existing unconditional
logging while loading wallets is sufficient (also reduces anonymization
efforts in case of sharing logs).

Co-authored-by: Martin Zumsande <mzumsande@gmail.com>

fc861332b3

ci: use latest versions of lint deps

Some of the versions used here are > 2 years old. i.e mypy. Use the
latest avilable versions, except for LIEF, which is generally changed
with Guix.

d4f47f9771

fuzz: don't bypass_limits for most mempool harnesses

Using bypass_limits=true is essentially fuzzing part of a
reorg only, and results in TRUC invariants unable to be
checked. Remove most instances of bypassing limits, leaving
one harness able to do so.

bbe8e9063c

Mempool: Do not enforce TRUC checks on reorg

Not enforcing TRUC topology on reorg was the intended
behavior, but the appropriate bypass argument was not
checked.

This mistake means we could potentially invalidate a long
chain of perfectly incentive-compatible transactions that
were made historically, including subsequent non-TRUC
transactions, all of which may have been very high feerate.

Lastly, it wastes CPU cycles doing topology checks since
this behavior cannot actually enforce the topology in
general for the reorg setting.

26e71c237d

test: add more TRUC reorg coverge 06df14ba75

Merge bitcoin/bitcoin#33487: ci: use latest versions of lint deps

d4f47f97715c7b6a2879e99c62f09ccead8cc4cd ci: use latest versions of lint deps (fanquake)

Pull request description:

  Some of the versions used here are > 2 years old. i.e `mypy`. Use the latest avilable versions, except for LIEF, which is generally changed with Guix.

  Side note. I can't remember the last time one of these tools (mypy, ruff, vulture) actually caught an issue in the lint job.

ACKs for top commit:
  maflcko:
    lgtm ACK d4f47f97715c7b6a2879e99c62f09ccead8cc4cd
  janb84:
    lgtm ACK d4f47f97715c7b6a2879e99c62f09ccead8cc4cd
  hebasto:
    ACK d4f47f97715c7b6a2879e99c62f09ccead8cc4cd, I have reviewed the code and it looks OK.

Tree-SHA512: 8b312535c9fea8e76d58f517ada6d6ea7a119c5e03c8cb84a41b5b6ca80dfaaff65a81478bdc1a5acf734cfb0bc66a8b3ba5400db8973c43ca913b07568abfe4

25212dfdb4

depends: Fix `$(package)_fetched` target

Ensure the download timestamp is created only after a successful
download.

771978952a

depends: Drop redundant check for downloaded file

The `fetch_file` commands are invoked for the `$($(package)_fetched)`
target, so the existence of the download stamp has already been tested.

46135d90ea

ci: expose all ACTIONS_* vars

When using `docker buildx build` in conjunction with the `gha` backend
cache type, it's important to specify the URL and TOKEN needed to
authenticate.

On Cirrus runners this is working with only `ACTIONS_CACHE_URL` and
`ACTIONS_RUNTIME_TOKEN`, but this is not enough for the GitHub backend.

Fix this by exporting all `ACTIONS_*` variables.

This fixes cache restore/save on forks or where GH-hosted runners are
being used.

bc706955d7

depends: Use hash instead of file name for package download stamp

The package version is still included for convenience.

6de8051263

depends: Update URL for `qrencode` package source tarball

The https://fukuchi.org/ homepage no longer links to the source tarball,
and previously available files appear to have been removed. The homepage
now instructs users to download source tarballs from the GitHub releases
page instead.

The diff between the source trees is immaterial.

93a70a42d3

p2p: Use different inbound inv timer per network

Currently nodes schedule their invs to all inbound peers at the same time.
It is trivial to make use this timing pattern for fingerprinting
identities on different networks. Using a separate timers for each network will
make the fingerprinting harder.

0f7d4ee4e8

Merge bitcoin/bitcoin#33299: wallet: reduce unconditional logging during load

fc861332b351c9390400054ff74193ce26eb0713 wallet, log: reduce unconditional logging during load (furszy)

Pull request description:

  Currently the unconditional log during init with a default wallet happens three times:
  ```
  2025-09-03T19:57:16Z init message: Verifying wallet(s)…
  2025-09-03T19:57:16Z Using SQLite Version 3.45.1
  2025-09-03T19:57:16Z Using wallet XXX/.bitcoin/regtest
  2025-09-03T19:57:16Z Using SQLite Version 3.45.1
  2025-09-03T19:57:16Z Using wallet XXX/.bitcoin/regtest
  (...)
  2025-09-03T19:57:16Z Using SQLite Version 3.45.1
  2025-09-03T19:57:16Z Using wallet XXX/.bitcoin/regtest
  2025-09-03T19:57:16Z init message: Loading wallet…
  ```
  For non-default wallets it's logged two times.

  That seems a bit too much, so just log the SQLite version just one, and remove the log for the full path of the wallet, since it's already clear from other logs which wallet is being loaded.

ACKs for top commit:
  achow101:
    ACK fc861332b351c9390400054ff74193ce26eb0713
  furszy:
    utACK fc861332b351c9390400054ff74193ce26eb0713
  stickies-v:
    ACK fc861332b351c9390400054ff74193ce26eb0713

Tree-SHA512: ca45c8ede985e6feab0cb93d718a6d633691276ca6e5f13f6471759f11dee98b312e1c802a7fb42c7fa859b6edc44a8c54b9e2ca389655cf028aebf2dabe51f6

8f73d95221

pubkey: Return tweaks from BIP32 derivation

MuSig2 needs the BIP32 derivation tweaks in order to sign with a key
derived from the aggregate pubkey.

4b24bfeab9

sign: Include taproot output key's KeyOriginInfo in sigdata 9baff05e49

Add MuSig2SecNonce class for secure allocation of musig nonces c06a1dc86f

signingprovider: Add musig2 secnonces

Adds GetMuSig2SecNonces which returns secp256k1_musig_secnonce*, and
DeleteMuSig2Session which removes the MuSig2 secnonce from wherever it
was retrieved. FlatSigningProvider stores it as a pointer to a map of
session id to secnonce so that deletion will actually delete from the
object that actually owns the secnonces.

The session id is just a unique identifier for the caller to determine
what secnonces have been created.

4d8b4f5336

psbt: MuSig2 data in Fill/FromSignatureData d99a081679

musig: Add MuSig2AggregatePubkeys variant that validates the aggregate

A common pattern that MuSig2 functions will use is to aggregate the
pubkeys to get the keyagg_cache and then validate the aggregated pubkey
against a provided aggregate pubkey. A variant of MuSig2AggregatePubkeys
is added which does that.

The functionality of GetMuSig2KeyAggCache and GetCPubKeyFromMuSig2KeyAggCache
are included in MuSig2AggregatePubkeys (and used internally) so there is
no expectation that callers will need these so they are made static.

82ea67c607

sign: Add CreateMuSig2Nonce 512b17fc56

sign: Add CreateMuSig2PartialSig bf69442b3f

sign: Add CreateMuSig2AggregateSig 258db93889

sign: Create MuSig2 signatures for known MuSig2 aggregate keys

When creating Taproot signatures, if the key being signed for is known
to be a MuSig2 aggregate key, do the MuSig2 signing algorithms.

First try to create the aggregate signature. This will fail if there are
not enough partial signatures or public nonces. If it does fail, try to
create a partial signature with all participant keys. This will fail for
those keys that we do not have the private keys for, and if there are
not enough public nonces. Lastly, if the partial signatures could not be
created, add our own public nonces for the private keys that we know, if
they do not yet exist.

4a273edda0

wallet: Keep secnonces in DescriptorScriptPubKeyMan 68ef954c4c

test: Test MuSig2 in the wallet ac599c4a9c

test: increase timeout in p2p_leak_tx.py

With a low but not negligible probability in the order
of 10^-6 the exponential timer NextInvToInBounds can lead
to an interval >60s, making the test fail.
Also uses mocktime to speed up the test and fixes a
non-matching on_inv override.

Co-authored-by: Vasil Dimov <vd@FreeBSD.org>

576dd97cb9

test: fix (w)txid confusion in p2p_leak_tx.py

Before, we'd send a MSG_TX with a wtxid in it, which
would always result in a notfound answer

99bc552980

test: make notfound_on_unannounced more reliable

By using mocktime, we will always hit both the notfound
branch and the tx sent branch.
The previous version didn't achieve that due to timing
issues.

Co-authored-by: Martin Zumsande <mzumsande@gmail.com>

14ae71f323

Merge bitcoin/bitcoin#33260: test: Use extra_port() helper in feature_bind_extra.py

fabc2615af26c61a503f23ae4fd0353f90602bbe test: Use extra_port() helper in feature_bind_extra.py (MarcoFalke)

Pull request description:

  This is a refactor for self-validating and self-documenting code.

  Currently, the test assumes that extra ports are available and just increments them without checking. However, this may not be the case when the test is modified to use more ports. In this case, the tests may fail intermittently and the failure is hard to debug.

  Fix this confusion, by calling `p2p_port` each time. This ensures the required `assert n <= MAX_NODES` is checked each time.

  Closes https://github.com/bitcoin/bitcoin/issues/33250

ACKs for top commit:
  achow101:
    ACK fabc2615af26c61a503f23ae4fd0353f90602bbe
  janb84:
    crACK fabc2615af26c61a503f23ae4fd0353f90602bbe
  w0xlt:
    ACK fabc2615af26c61a503f23ae4fd0353f90602bbe

Tree-SHA512: 1eff00be7f43104ae8a66e79fbf64075ec22bb20f392ac1e4c8a7dd694d4f1760aa44ea54ab7b1f2b947ab018851ab3c10d3c717714c0bee4d8d24617594c2bb

7502d4e940

Merge bitcoin/bitcoin#33453: docs: Undeprecate datacarrier and datacarriersize configuration options

451ba9ada41f687c0e4bb34d5925374a68a8f8a3 datacarrier: Undeprecate configuration option (Anthony Towns)

Pull request description:

  Removes the deprecation for the `datacarrier` and `datacarriersize` options by reverting commit 0b4048c73385166144d0b3e76beb9a2ac4cc1eca from https://github.com/bitcoin/bitcoin/pull/32406

  **Many current Bitcoin Core users want to continue using this option**
  This statement is based on public postings from many Bitcoin Core users and not a formal survey. AJ Towns’ observation from [#32406](https://github.com/bitcoin/bitcoin/pull/32406/commits/0b4048c73385166144d0b3e76beb9a2ac4cc1eca#r2084024874) that “_for now there seem to be a bunch of users who like the option_” has only become more apparent in the months since.

  **The deprecation intent is unclear to users**
  This echo’s Ava Chow’s comment from #32714 that “_IMO we should not have removal warnings if there is no current plan to actually remove them._” In months since that comment, partially due to increased feedback from Bitcoin Core users wanting to keep this option, there is even less likelihood of a near term plan to remove these options. That leaves Bitcoin Core users in an unclear situation: the option could be removed in the next version or perhaps never. Removing the deprecation gives clarity for their planning purposes. Deprecating the option in the future, preferably with a removal schedule to better inform users, would still be possible.

  **Minimal downsides to removing deprecation**
  As a best practice, Bitcoin Core has avoided an option when the developers cannot articulate when they should be used. There is non-zero maintenance cost to keeping this code around (although leaving the options deprecated for a long time has the same effect). “Don’t offer users footguns” is also a good principle, but with this option, there seems to be only small impacts that can quickly be remedied by changing the option value by Bitcoin Core users. There already exist in Bitcoin Core more potentially-user-harmful options/values than what datacarrier might cause.

ACKs for top commit:
  ajtowns:
    ACK 451ba9ada41f687c0e4bb34d5925374a68a8f8a3
  darosior:
    That said, certain users care strongly about using those options. In these conditions, i do not see the project removing the option anytime soon. Therefore i think it's technically incorrect (and confusing) to mark it as deprecated. utACK 451ba9ada41f687c0e4bb34d5925374a68a8f8a3 on removing the deprecation.
  instagibbs:
    crACK 451ba9ada41f687c0e4bb34d5925374a68a8f8a3
  Raimo33:
    ACK 451ba9ada41f687c0e4bb34d5925374a68a8f8a3
  Ademan:
    utACK 451ba9a
  ryanofsky:
    Code review ACK 451ba9ada41f687c0e4bb34d5925374a68a8f8a3
  marcofleon:
    ACK 451ba9ada41f687c0e4bb34d5925374a68a8f8a3
  achow101:
    ACK 451ba9ada41f687c0e4bb34d5925374a68a8f8a3
  moonsettler:
    ACK https://github.com/bitcoin/bitcoin/commit/451ba9ada41f687c0e4bb34d5925374a68a8f8a3
  ismaelsadeeq:
    utACK 451ba9ada41f687c0e4bb34d5925374a68a8f8a3 🛰️
  jonatack:
    ACK 451ba9ada41f687c0e4bb34d5925374a68a8f8a3
  Zero-1729:
    crACK 451ba9ada41f687c0e4bb34d5925374a68a8f8a3
  vasild:
    ACK 451ba9ada41f687c0e4bb34d5925374a68a8f8a3

Tree-SHA512: b83fc509f5dd820976596e1ae9fb69a22ada567e0e0ac88da5fc5e940a46d8894b40cc70c3eff2cbdabd4da5ec913f0d18c1632fc906f210b308855868410699

cc4a2cc6bd

Merge bitcoin/bitcoin#28584: Fuzz: extend CConnman tests

0802398e749c5e16fa7085cd87c91a31bbe043bd fuzz: make it possible to mock (fuzz) CThreadInterrupt (Vasil Dimov)
6d9e5d130d2e1d052044e9a72d44cfffb5d3c771 fuzz: add CConnman::SocketHandler() to the tests (Vasil Dimov)
3265df63a48db187e0d240ce801ee573787fed80 fuzz: add CConnman::InitBinds() to the tests (Vasil Dimov)
91cbf4dbd864b65ba6b107957f087d1d305914b2 fuzz: add CConnman::CreateNodeFromAcceptedSocket() to the tests (Vasil Dimov)
50da7432ec1e5431b243aa30f8a9339f8e8ed97d fuzz: add CConnman::OpenNetworkConnection() to the tests (Vasil Dimov)
e6a917c8f8e0f1a0fa71dc9bbb6e1074f81edea3 fuzz: add Fuzzed NetEventsInterface and use it in connman tests (Vasil Dimov)
e883b37768812d96feec207a37202c7d1b603c1f fuzz: set the output argument of FuzzedSock::Accept() (Vasil Dimov)

Pull request description:

  Extend `CConnman` fuzz tests to also exercise the methods `OpenNetworkConnection()`, `CreateNodeFromAcceptedSocket()`, `InitBinds()` and `SocketHandler()`.

  Previously fuzzing those methods would have resulted in real socket functions being called in the operating system which is undesirable during fuzzing. Now that https://github.com/bitcoin/bitcoin/pull/21878 is complete all those are mocked to a fuzzed socket and a fuzzed DNS resolver (see how `CreateSock` and `g_dns_lookup` are replaced in the first commit).

ACKs for top commit:
  achow101:
    ACK 0802398e749c5e16fa7085cd87c91a31bbe043bd
  jonatack:
    Review re-ACK 0802398e749c5e16fa7085cd87c91a31bbe043bd
  dergoegge:
    Code review ACK 0802398e749c5e16fa7085cd87c91a31bbe043bd

Tree-SHA512: a717d4e79f42bacf2b029c821fdc265e10e4e5c41af77cd4cb452cc5720ec83c62789d5b3dfafd39a22cc8c0500b18169aa7864d497dded729a32ab863dd6c4d

f41f97240c

ci: Remove bash -c from cmake invocation using eval 50194029e7

Drop support for EOL macOS 13 fadad7a494

fuzz: Drop unused workaround after Apple-Clang bump 1aaaaa078b

Merge bitcoin/bitcoin#33401: ci: Remove bash -c from cmake invocation using eval

50194029e7c2581b751931080f5999785a39929f ci: Remove bash -c from cmake invocation using eval (Brandon Odiwuor)

Pull request description:

  Follow up to https://github.com/bitcoin/bitcoin/pull/32970

  https://github.com/bitcoin/bitcoin/pull/32970#r2213730157

  > Does `cmake -S ...` still need to be wrapped in `bash -c "..."`?

  https://github.com/bitcoin/bitcoin/pull/32970#r2213741192
  > It is not trivial to replace. Maybe the `eval` hack from below can be used:
  >
  > ```shell
  >   # parses TEST_RUNNER_EXTRA as an array which allows for multiple arguments such as TEST_RUNNER_EXTRA='--exclude "rpc_bind.py --ipv6"'
  >
  >   eval "TEST_RUNNER_EXTRA=($TEST_RUNNER_EXTRA)"
  > ```
  >however, I haven't tried this yet.

  https://github.com/bitcoin/bitcoin/pull/32970#r2213801696
  > Yeah, the eval hack should work:
  >
  > ```
  > $ export T="-DREDUCE_EXPORTS=ON -DCMAKE_CXX_FLAGS='-Wno-psabi     -Wno-error=maybe-uninitialized'";  eval "T=($T)"; for i in "${T[@]}"; do  echo "_${i}_" ; done
  > _-DREDUCE_EXPORTS=ON_
  > _-DCMAKE_CXX_FLAGS=-Wno-psabi     -Wno-error=maybe-uninitialized_
  > ```
  >
  > (can be done in a follow-up)

  This replaces the `bash -c` wrapper with an eval-based array parsing to preserve spaces in flag values (e.g., in CMAKE_CXX_FLAGS), allowing ShellCheck to lint the cmake command

ACKs for top commit:
  maflcko:
    lgtm ACK 50194029e7c2581b751931080f5999785a39929f
  hebasto:
    ACK 50194029e7c2581b751931080f5999785a39929f.

Tree-SHA512: 6fd22569e2c719a8d13805f18e1e7e3b8eb57d0a6307f2e7175988b25750eafb7c8260796c8e7350db67d622dbe97e6af7bab8ee52187bb8e8eeae3740a47c01

acc7f2a433

net: avoid recursive m_nodes_mutex lock in DisconnectNode()

Have `CConnman::DisconnectNode()` iterate `m_nodes` itself instead of
using `FindNode()`. This avoids recursive mutex lock and drops the only
caller of `FindNode()` which used the return value for something else
than a boolean found/notfound.

4268abae1a

net: change FindNode() to not return a node and rename it

All callers of `CConnman::FindNode()` use its return value `CNode*` only
as a boolean null/notnull. So change that method to return `bool`.

This removes the dangerous pattern of handling a `CNode` object (the
return value of `FindNode()`) without holding `CConnman::m_nodes_mutex`
and without having that object's reference count incremented for the
duration of the usage.

Also rename the method to better describe what it does.

2a4450ccbb

doc: clarify peer address in getpeerinfo and addnode RPC help

The returned value in `getpeerinfo/addr` could be a hostname as well as
an IP address and the `:port` part could be missing. It is displayed
from `CNode::m_addr_name` which could have been set from RPC `addnode`
where the argument is allowed to be a hostname and an optional port.

87e7f37918

Merge bitcoin/bitcoin#32326: net: improve the interface around FindNode() and avoid a recursive mutex lock

87e7f37918d42c28033e9f684db52f94eeed617b doc: clarify peer address in getpeerinfo and addnode RPC help (Vasil Dimov)
2a4450ccbbe30f6522c3108f136b2b867b2a87fe net: change FindNode() to not return a node and rename it (Vasil Dimov)
4268abae1a1d06f2c4bd26b85b3a491719217fae net: avoid recursive m_nodes_mutex lock in DisconnectNode() (Vasil Dimov)
3a4d1a25cf949eb5f27d6dfd4e1b4a966b2cde75 net: merge AlreadyConnectedToAddress() and FindNode(CNetAddr) (Vasil Dimov)

Pull request description:

  `CConnman::FindNode()` would lock `m_nodes_mutex`, find the node in `m_nodes`, release the mutex and return the node. The current code is safe but it is a dangerous interface where a caller may end up using the node returned from `FindNode()` without owning `m_nodes_mutex` and without having that node's reference count incremented.

  Change `FindNode()` to return a boolean since all but one of its callers used its return value to check whether a node exists and did not do anything else with the return value.

  Remove a recursive lock on `m_nodes_mutex`.

  Rename `FindNode()` to better describe what it does.

ACKs for top commit:
  achow101:
    ACK 87e7f37918d42c28033e9f684db52f94eeed617b
  furszy:
    Code review ACK 87e7f37918d42c28033e9f684db52f94eeed617b
  hodlinator:
    re-ACK 87e7f37918d42c28033e9f684db52f94eeed617b

Tree-SHA512: 44fb64cd1226eca124ed1f447b4a1ebc42cc5c9e8561fc91949bbeaeaa7fa16fcfd664e85ce142e5abe62cb64197c178ca4ca93b3b3217b913e3c498d0b7d1c9

75353a0163

test: add assumevalid scenarios scaffold

Increase the test to 6 nodes and add flows for baseline, deep anchor, and too-recent cases, plus scaffolding for off-best-header, not-in-assumevalid,
and reindex gates.
Assertions are minimal here; follow-ups add reason checks.

Co-authored-by: Hodlinator <172445034+hodlinator@users.noreply.github.com>

4fad4e992c

validation: log initial script verification state

Replaced `atomic<bool>` with `std::optional<bool>` (logged once on first observation). Safe because `ConnectBlock` holds `cs_main`.\
After this change, the state is logged before the very first `UpdateTip` line.

Co-authored-by: Eunovo <eunovo9@gmail.com>
Co-authored-by: Hodlinator <172445034+hodlinator@users.noreply.github.com>
Co-authored-by: w0xlt <woltx@protonmail.com>

9bc298556c

refactor: untangle assumevalid decision branches

Flatten nested conditionals into a linear gating sequence for readability and precise logging. No functional change, TODOs are addressed in next commit

f2ea6f04e7

log: separate script verification reasons

Replace `fScriptChecks` with `script_check_reason` and log the precise reason when checks are enabled; log a plain "Disabling" when they are skipped.
Adjust the functional test to assert the new reason strings.

Co-authored-by: w0xlt <woltx@protonmail.com>
Co-authored-by: Eunovo <eunovo9@gmail.com>
Co-authored-by: Hodlinator <172445034+hodlinator@users.noreply.github.com>
Co-authored-by: TheCharlatan <seb.kung@gmail.com>
Co-authored-by: Andrew Toth <andrewstoth@gmail.com>

6c13a38ab5

log: split assumevalid ancestry-failure-reason message

When the assumevalid ancestry check fails, log a precise reason:
- "block height above assumevalid height" if the block is above the assumevalid block (the default reason)
- "block not in of assumevalid chain" otherwise

The new split was added under the existing condition to simplify conceptually that the two cases are related.
It could still be useful to know when the block is just above the assumevalid block or when it's not even on the same chain.

Update the functional test to assert the new reason strings. No behavior change.

Co-authored-by: Hodlinator <172445034+hodlinator@users.noreply.github.com>

45bd891465

net: support overriding the proxy selection in ConnectNode()

Normally `ConnectNode()` would choose whether to use a proxy and which
one. Make it possible to override this from the callers and same for
`OpenNetworkConnection()` - pass down the proxy to `ConnectNode()`.

Document both functions.

This is useful if we want to open connections to IPv4 or IPv6 peers
through the Tor SOCKS5 proxy.

Also have `OpenNetworkConnection()` return whether the connection
succeeded or not. This can be used when the caller needs to keep track
of how many (successful) connections were opened.

c76de2eea1

rpc: refactor: use string_view in Arg/MaybeArg

Modernizes interface by not forcing users to deal with raw pointers,
without adding copying overhead. Generalizes the logic of whether
we return by value or by optional/pointer.

In cases where functions take a `const std::string&` and it would
be too much work to update them, a string copy is made (which was
already happening anyway).

b3bf18f0ba

refactor: increase string_view usage

Update select functions that take a const std::string& to take a
std::string_view instead. In a next commit, this allows us to use
the {Arg,MaybeArg}<std::string_view> helper.

037830ca0d

rpc: refactor: use more (Maybe)Arg<std::string_view>

Use the {Arg,MaybeArg}<std::string_view> helper in all places where
it is a trivial change. In many places, this simplifies the logic
and reduces duplication of default values.

b63428ac9c

Merge bitcoin/bitcoin#33504: Mempool: Do not enforce TRUC checks on reorg

06df14ba75be5f48cf9c417424900ace17d1cf4d test: add more TRUC reorg coverge (Greg Sanders)
26e71c237d9d2197824b547f55ee3a0a60149f92 Mempool: Do not enforce TRUC checks on reorg (Greg Sanders)
bbe8e9063c15dc230553e0cbf16d603f5ad0e4cf fuzz: don't bypass_limits for most mempool harnesses (Greg Sanders)

Pull request description:

  This was the intended behavior but our tests didn't cover the scenario where in-block transactions themselves violate TRUC topological constraints.

  The behavior in master will potentially lead to many erroneous evictions during a reorg, where evicted TRUC packages may be very high feerate and make sense to mine all together in the next block and are well within the normal anti-DoS chain limits.

  This issue exists since the merge of https://github.com/bitcoin/bitcoin/pull/28948/files#diff-97c3a52bc5fad452d82670a7fd291800bae20c7bc35bb82686c2c0a4ea7b5b98R956

ACKs for top commit:
  sdaftuar:
    ACK 06df14ba75be5f48cf9c417424900ace17d1cf4d
  glozow:
    ACK 06df14ba75b
  ismaelsadeeq:
    Code review ACK 06df14ba75be5f48cf9c417424900ace17d1cf4d

Tree-SHA512: bdb6e4dd622ed8b0b11866263fff559fcca6e0ca1c56a884cca9ac4572f0026528a63a9f4c8a0660df2f5efe0766310a30e5df1d6c560f31e4324ea5d4b3c1a8

1ed00a0d39

ci: use a more generic way of finding mt.exe

This sets up a vs developer command prompt and should hopefully should
be more resilient to upstream changes

Co-authored-by: David Gumberg <davidzgumberg@gmail.com>

e1a1b14c93

ci: Check windows manifests for all executables

The other executables have manifests and these should be checked in
addition to bitcoind. Skipping fuzz.exe, bench_bitcoin.exe and
test_bitcoin-qt.exe as they do not have manifests.

156927903d

tests: add unit tests for CBlockIndex::GetAncestor and LastCommonAncestor 2e09d66fbb

chain: make use of pskip in LastCommonAncestor (optimization)

By using the pskip pointer, which regularly allows jumping back much faster
than pprev, the forking point between two CBlockIndex entries can be found
much faster.

A simulation shows that no more than 136 steps are needed to jump anywhere
within the first 2^20 block heights, and on average 65 jumps for uniform
forking points around that height.

3635d62f5a

test: addrman: check isTerrible when time is more than 10min in the future 8e47ed6906

Merge bitcoin/bitcoin#33434: depends: static libxcb-cursor

eca50854e1cb04e20478bd3df4762e18520a3611 depends: static libxcb_cursor (fanquake)

Pull request description:

  Remove the runtime requirement of `libxcb-cursor`. This library is no-longer present on modern Ubuntu.
  Fixes #33432.
  Also related to #32097.

ACKs for top commit:
  davidgumberg:
    Addendum ACK https://github.com/bitcoin/bitcoin/commit/eca50854e1cb04e20478bd3df4762e18520a3611
  willcl-ark:
    Code review ACK eca50854e1cb04e20478bd3df4762e18520a3611

Tree-SHA512: d545a03baf5030de64874b79add87b6ef5f95eb5ca31aa66007ee03554103d2eda5e56dfd4395d0a12e24b2e489457e4f19ed9e6d390351c72a0da630f03cc42

007900ee9b

Merge bitcoin/bitcoin#33482: contrib: fix macOS deployment with no translations

7b5261f7ef3d88361204c40eb10c0d9dc44f5ed7 contrib: fix using macdploy script without translations. (amisha)

Pull request description:

  **Description**
  From what I deciphered reading the line https://github.com/bitcoin/bitcoin/blob/master/contrib/macdeploy/macdeployqtplus#L390 is that qt translations are optional to have hence we should be able to build without it but the case where the flag translations_dir falls back to its default Null value it raises this error.

  The config comments also mentioned that adding translation file is optional.

  ```
  ./macdeployqtplus --help
  usage: macdeployqtplus [-h] [-verbose [VERBOSE]] [-no-plugins] [-no-strip] [-translations-dir path] [-zip zip] app-bundle

  Improved version of macdeployqt. Outputs a ready-to-deploy app in a folder "dist" and optionally wraps it in a .zip file. Note, that the "dist" folder will be deleted before deploying on each run. Optionally, Qt translation files
  (.qm) can be added to the bundle.
  ```

  **Steps to reproduce**
  So I was following the general steps to set up app on macos however I didn't download any qt translations presuming it was optional from the comment linkedin in PR, so to reproduce if you have translation directories in place ull need to delete them and then try to build the file, otherwise don't download it at all and try to build it. It should fail on that flag as translations dir was never downloaded.

  **Approach taken**
  I have moved the code which adds language files under the if statement that first checks if the value of the flag is not Null before referencing it.

ACKs for top commit:
  ismaelsadeeq:
    ACK 7b5261f7ef3d88361204c40eb10c0d9dc44f5ed7

Tree-SHA512: 8d51b17569e42c9feb95e1be17b1551c708a05eb44b82c74db0b25e07006b4ee223d64484f8bdb2ee1420f6e571686561ae1c09bd3362f77dcbb507bc5085f86

86eaa4d6cd

Merge bitcoin/bitcoin#33121: test: fix p2p_leak_tx.py

14ae71f323dd011c6d51470ea15cf00750970f65 test: make notfound_on_unannounced more reliable (David Gumberg)
99bc552980d9a10da03e4b90c390bcd6cae686be test: fix (w)txid confusion in p2p_leak_tx.py (Martin Zumsande)
576dd97cb91ecff7d95898a0dc79b9b1a8a8f4f2 test: increase timeout in p2p_leak_tx.py (Martin Zumsande)

Pull request description:

  This fixes two issues with `p2p_leak_tx.py`:

  1.) #33090: As far as I can see, this is just the randomness of `NextInvToInbounds`/ `rand_exp_duration`, which has a probability of `e^-(60s/5s) = 6.14×10^−6` to result in a period > 60s (our waiting time), so that the test would fail every 160k runs... Doubling the timeout should be sufficient to lower the probability drastically.

  2.) The subtest `test_notfound_on_unannounced_tx` has some (w)txid confusion: we send a `MSG_TX`-type getdata with a `wtxid` in it, which necessarily always results in a NOTFOUND. Fixed this, and change the subtest to be more deterministic based on `mocktime`.

ACKs for top commit:
  stratospher:
    ACK 14ae71f. nice restructuring using mocktime!
  davidgumberg:
    reACK https://github.com/bitcoin/bitcoin/commit/14ae71f323dd011c6d51470ea15cf00750970f65
  vasild:
    ACK 14ae71f323dd011c6d51470ea15cf00750970f65

Tree-SHA512: be5a4ca7bf56f82b6fa04d90ef9312dc2e6f8ff7ddf70b39d979dc42fbdd823157109b8b5dc46eb7f81ac1e816f40e6966b3c8a7d384aadee01e2189c20d3e3a

cfb0d74698

Merge bitcoin/bitcoin#33533: test: addrman: check isTerrible when time is more than 10min in the future

8e47ed6906d5e381498681e2cab9f2e318597705 test: addrman: check isTerrible when time is more than 10min in the future (brunoerg)

Pull request description:

  This PR adds test coverage to kill the following mutant (https://corecheck.dev/mutation/src/addrman.cpp#L76):
  ```diff
  diff --git a/src/addrman.cpp b/src/addrman.cpp
  index 9c3a24db90..0ffd349315 100644
  --- a/src/addrman.cpp
  +++ b/src/addrman.cpp
  @@ -73,7 +73,7 @@ bool AddrInfo::IsTerrible(NodeSeconds now) const
       }

       if (nTime > now + 10min) { // came in a flying DeLorean
  -        return true;
  +        return false;
       }
  ```

  When the `nTime` is set 10 minutes in the future the addr should be marked as terrible.

ACKs for top commit:
  Crypt-iQ:
    crACK 8e47ed6906d5e381498681e2cab9f2e318597705
  danielabrozzoni:
    tACK 8e47ed6906d5e381498681e2cab9f2e318597705
  marcofleon:
    Nice, code review ACK 8e47ed6906d5e381498681e2cab9f2e318597705

Tree-SHA512: b53b3aa234a73ec7808cb1555916ac64dd707f230ec290a1712493ece8e274a060e16d862b31df0f744804ebd3c0c2825c49becb7d3040cc358e48c4002524cb

25dbe4bc86

Merge bitcoin/bitcoin#33485: test: set par=2 in default config for functional test framework

dda5228e02ca6a839bf87ae7dbd133547563816a test: set par=2 in default config for functional test framework (Andrew Toth)

Pull request description:

  Depending on the host machine, a default `par` value can spawn up to 15 script verification threads for each node. Running the functional test suite with default `par` can exhaust file descriptors or hit other resource limits when many threads are spawned. These threads are mostly idle and the same code paths are executed with a value of `par=2`. Limit this to 2 for functional tests that do not override the default option.

ACKs for top commit:
  maflcko:
    lgtm ACK dda5228e02ca6a839bf87ae7dbd133547563816a
  pablomartin4btc:
    ACK dda5228e02ca6a839bf87ae7dbd133547563816a
  l0rinc:
    Code review ACK dda5228e02ca6a839bf87ae7dbd133547563816a
  theStack:
    ACK dda5228e02ca6a839bf87ae7dbd133547563816a

Tree-SHA512: 4459972330ff50ac7391141db6382579de09d84e68959eaeb5f20972bb9daf9aac1bd68355028ded9ee65e838c12dbd53e6f3bb6cdc375d269f666c19a19eaec

2578da69f4

Merge bitcoin/bitcoin#33464: p2p: Use network-dependent timers for inbound inv scheduling

0f7d4ee4e8281ed141a6ebb7e0edee7b864e4dcf p2p: Use different inbound inv timer per network (Martin Zumsande)
94db966a3bb52a3677eb5f762447202ed3889f0f net: use generic network key for addrcache (Martin Zumsande)

Pull request description:

  Currently, `NextInvToInbounds` schedules  each round of `inv` at the same time for all inbound peers. It's being done this way because with a separate timer per peer (like it's done for outbounds), an attacker could do multiple connections to learn about the time a transaction arrived. (#13298).

  However, having a single timer for inbounds of all networks is also an obvious fingerprinting vector: Connecting to a suspected pair of privacy-network and clearnet addresses and observing the `inv` pattern makes it trivial to confirm or refute that they are the same node.

  This PR changes it such that a separate timer is used for each network.
  It uses the existing method  from `getaddr` caching and generalizes it to be saved in a new field `m_network_key` in `CNode` which will be used for both `getaddr` caching and `inv` scheduling, and can also be used for any future anti-fingerprinting measures.

ACKs for top commit:
  sipa:
    utACK 0f7d4ee4e8281ed141a6ebb7e0edee7b864e4dcf
  stratospher:
    reACK 0f7d4ee.
  naiyoma:
    Tested ACK 0f7d4ee4e8281ed141a6ebb7e0edee7b864e4dcf
  danielabrozzoni:
    reACK 0f7d4ee4e8

Tree-SHA512: e197c3005b2522051db432948874320b74c23e01e66988ee1ee11917dac0923f58c1252fa47da24e68b08d7a355d8e5e0a3ccdfa6e4324cb901f21dfa880cd9c

a33bd767a3

Fix windows libc++ fs::path fstream compile errors

As reported by hebasto in https://github.com/bitcoin/bitcoin/issues/33545,
newer libc++ versions implementing https://wg21.link/lwg3430 will no longer
implicitly convert `fs::path` objects to `std::filesystem::path` objects when
constructing `std::ifstream` and `std::ofstream` types.

This is not a problem in Unix systems since `fs::path` objects use
`std::string` as their native string type, but it causes compile errors on
Windows which use `std::wstring` as their string type, since `fstream`s can't
be constructed from `wstring`s.

Fix the windows libc++ compile errors by adding a new `fs::path::std_path()`
method and using it construct `fstream`s more portably.

Additionally, delete `fs::path`'s implicit `native_string` conversion so these
errors will not go undetected in the future, even though there is not currently
a CI job testing Windows libc++ builds.

b0113afd44

Simplify fs::path by dropping filename() and make_preferred() overloads

These overloads were needed to allow passing `fs::path` objects directly to
libstdc++'s `fstream` constructors, but after the previous commit, there is no
longer any remaining code that does pass `fs::path` objects to `fstream`
constructors. Writing new code which does this is also discouraged because the
standard has been updated in https://wg21.link/lwg3430 to disallow it.

Dropping these also means its no longer possible to pass `fs::path` arguments
directly to `fstream::open` in libstdc++, which is somewhat unfortunate but not
a big loss because it is already not possible to pass them to the constructor.
So this commit updates `fstream::open` calls.

Additionally, this change required updates to src/bitcoin.cpp since it was
relying on the overloaded filename() method.

c864a4c194

Merge bitcoin/bitcoin#33454: net: support overriding the proxy selection in ConnectNode()

c76de2eea18076f91dd80b52f66ba790f071a2b1 net: support overriding the proxy selection in ConnectNode() (Vasil Dimov)

Pull request description:

  Normally `ConnectNode()` would choose whether to use a proxy and which one. Make it possible to override this from the callers and same for `OpenNetworkConnection()` - pass down the proxy to `ConnectNode()`.

  Document both functions.

  This is useful if we want to open connections to IPv4 or IPv6 peers through the Tor SOCKS5 proxy.

  Also have `OpenNetworkConnection()` return whether the connection succeeded or not. This can be used when the caller needs to keep track of how many (successful) connections were opened.

  ---

  This is part of [#29415 Broadcast own transactions only via short-lived Tor or I2P connections](https://github.com/bitcoin/bitcoin/pull/29415). Putting it in its own PR to reduce the size of #29415 and because it does not depend on the other commits from there.

ACKs for top commit:
  stratospher:
    ACK c76de2e.
  optout21:
    ACK c76de2eea18076f91dd80b52f66ba790f071a2b1
  mzumsande:
    Code Review ACK c76de2eea18076f91dd80b52f66ba790f071a2b1
  andrewtoth:
    ACK c76de2eea18076f91dd80b52f66ba790f071a2b1

Tree-SHA512: 1d266e4280cdb1d0599971fa8b5da58b1b7451635be46abb15c0b823a1e18cf6e7bcba4a365ad198e6fd1afee4097d81a54253fa680c8b386ca6b9d68d795ff0

452ea59281

Merge bitcoin/bitcoin#33489: build: Drop support for EOL macOS 13

1aaaaa078bb2efed126e3f41ecf7c81ccf005818 fuzz: Drop unused workaround after Apple-Clang bump (MarcoFalke)
fadad7a49477cd61fbbfe20a0a61023c2d4d70a1 Drop support for EOL macOS 13 (MarcoFalke)

Pull request description:

  Now that macOS 13 is EOL (https://en.wikipedia.org/wiki/MacOS_Ventura), it seems odd to still support it.

  (macOS Ventura 13.7.8 received its final security update on 20 Aug 2025: https://support.apple.com/en-us/100100)

  This patch will only be released in version 31.x, another 6 months out from now.

  So:

  * Update the depends build and release note template to drop EOL macOS 13.
  * As a result, update the earliest Xcode to version 16 in CI.
  * Also, bump the macOS CI runner to version 15, to avoid issues when version 14 will be at its EOL in about 1 year.

  This also allows to drop a small workaround in the fuzz tests and unlocks libcpp hardening (https://github.com/bitcoin/bitcoin/pull/33462)

ACKs for top commit:
  stickies-v:
    re-ACK 1aaaaa078bb2efed126e3f41ecf7c81ccf005818
  l0rinc:
    code review ACK 1aaaaa078bb2efed126e3f41ecf7c81ccf005818
  hodlinator:
    re-ACK 1aaaaa078bb2efed126e3f41ecf7c81ccf005818
  hebasto:
    ACK 1aaaaa078bb2efed126e3f41ecf7c81ccf005818.

Tree-SHA512: 6d247a8432ef8ea8c6ff2a221472b278f8344346b172980299507f9898bb9e8e16480c128b1f4ca692bcbcc393da2b2fd6895ac5f118bc09e0f30f910529d20c

919e6d01e9

Set minimum supported Windows version to 1903 (May 2019 Update)

This version is the minimum required to support the UTF-8 code page
(CP_UTF8).

dccbb17806

cmake: Set process code page to UTF-8 on Windows

Additionally, this change adds app manifests to targets that were
previously missing them.

f366408492

Remove no longer necessary `WinCmdLineArgs` class

This change removes one use case of `std::wstring_convert`, which is
deprecated in C++17 and removed in C++26. Other uses remain for now.

06d0be4e22

Switch to ANSI Windows API in `Win32ErrorString()` function dbe770d921

Switch to ANSI Windows API in `fsbridge::fopen()` function 53e4951a5b

ci: Use native platform for win-cross task fa6fd16f36

Squashed 'src/ipc/libmultiprocess/' changes from 47d79db8a552..a4f929696490

a4f929696490 Merge bitcoin-core/libmultiprocess#224: doc: fix typos
f4344ae87da0 Merge bitcoin-core/libmultiprocess#222: test, ci: Fix threadsanitizer errors in mptest
1434642b3804 doc: fix typos
73d22ba2e930 test: Fix tsan race in thread busy test
b74e1bba014d ci: Use tsan-instrumented cap'n proto in sanitizers job
c332774409ad test: Fix failing exception check in new thread busy test
ca3c05d56709 test: Use KJ_LOG instead of std::cout for logging
7eb1da120ab6 ci: Use tsan-instrumented libcxx in sanitizers job
ec86e4336e98 Merge bitcoin-core/libmultiprocess#220: Add log levels and advertise them to users via logging callback
515ce93ad349 Logging: Pass LogData struct to logging callback
213574ccc43d Logging: reclassify remaining log messages
e4de0412b430 Logging: Break out expensive log messages and classify them as Trace
408874a78fdc Logging: Use new logging macros
67b092d835cd Logging: Disable logging if messsage level is less than the requested level
d0a1ba7ebf21 Logging: add log levels to mirror Core's
463a8296d188 Logging: Disable moving or copying Logger
83a2e10c0b03 Logging: Add an EventLoop constructor to allow for user-specified log options
58cf47a7fc8c Merge bitcoin-core/libmultiprocess#221: test default PassField impl handles output parameters
db03a663f514 Merge bitcoin-core/libmultiprocess#214: Fix crash on simultaneous IPC calls using the same thread
afcc40b0f1e8 Merge bitcoin-core/libmultiprocess#213: util+doc: Clearer errors when attempting to run examples + polished docs
6db669628387 test In|Out parameter
29cf2ada75ea test default PassField impl handles output parameters
1238170f68e8 test: simultaneous IPC calls using same thread
eb069ab75d83 Fix crash on simultaneous IPC calls using the same thread
ec03a9639ab5 doc: Precision and typos
2b4348193551 doc: Where possible, remove links to ryanofsky/bitcoin/
286fe469c9c9 util: Add helpful error message when failing to execute file

git-subtree-dir: src/ipc/libmultiprocess
git-subtree-split: a4f92969649018ca70f949a09148bccfeaecd99a

0f01e1577f

Merge commit '0f01e1577f7c6734eb345139a12aba329ef22a5f' into pr/subtree-6 eda91b07fd

Merge bitcoin/bitcoin#33515: Improve LastCommonAncestor performance + add tests

3635d62f5a935801e26a0d5fa2cb5e2dbbb42f9b chain: make use of pskip in LastCommonAncestor (optimization) (Pieter Wuille)
2e09d66fbb7bb253ce90ffcda026ce58426ba4e4 tests: add unit tests for CBlockIndex::GetAncestor and LastCommonAncestor (Pieter Wuille)

Pull request description:

  In theory, the `LastCommonAncestor` function in chain.cpp can take $\mathcal{O}(n)$ time, walking over the entire chain, if the forking point is very early, which could take ~milliseconds. I expect this to be very rare in normal occurrences, but it seems nontrivial to reason about worst cases as it's accessible from several places in net_processing.

  This PR modifies the algorithm to make use of the `CBlockIndex::pskip` skip pointers to find the forking point in sublinear time (a simulation shows that for heights up to $34 \cdot 4^k - 2$ and $k \geq 8$, no more than $k^2 + 10k + 13$ steps are ever needed), in a way that should be nearly free - at worst the same number of memory accesses should be made, with a tiny increase in computation.

  As it appears we didn't really have tests for this function, unit tests are added for that function as well as `CBlockIndex::GetAncestor()`.

  This is inspired by https://github.com/bitcoin/bitcoin/pull/32180#discussion_r2394877881

ACKs for top commit:
  optout21:
    ACK 3635d62f5a935801e26a0d5fa2cb5e2dbbb42f9b
  achow101:
    ACK 3635d62f5a935801e26a0d5fa2cb5e2dbbb42f9b
  vasild:
    ACK 3635d62f5a935801e26a0d5fa2cb5e2dbbb42f9b
  mzumsande:
    Code Review ACK 3635d62f5a935801e26a0d5fa2cb5e2dbbb42f9b
  furszy:
    ACK 3635d62f5a935801e26a0d5fa2cb5e2dbbb42f9b
  stratospher:
    ACK 3635d62f5a935801e26a0d5fa2cb5e2dbbb42f9b.

Tree-SHA512: f9b7dea1e34c1cc1ec1da3fb9e90c4acbf4aaf0f04768844f538201efa6b11eeeefc97b720509e78c21878977192e2c4031fd8974151667e2e756247002b8164

de1dc6b47b

Merge bitcoin/bitcoin#32998: Bump SCRIPT_VERIFY flags to 64 bit

652424ad162b63d73ecb6bd65bd26946e90c617f test: additional test coverage for script_verify_flags (Anthony Towns)
417437eb01ac014c57aca47f44d7f8d3da351987 script/verify_flags: extend script_verify_flags to 64 bits (Anthony Towns)
3cbbcb66efc39c6566ab31836e4eb582b77581d2 script/interpreter: make script_verify_flag_name an ordinary enum (Anthony Towns)
bddcadee82daf3ed1441820a0ffc4c5ef78f64f1 script/verify_flags: make script_verify_flags type safe (Anthony Towns)
a5ead122fe060e7e582914dcb7acfaeee7a8ac48 script/interpreter: introduce script_verify_flags typename (Anthony Towns)
4577fb2b1e098c3f560b1ff50a37ebfef2af5f32 rpc: have getdeploymentinfo report script verify flags (Anthony Towns)
a3986935f073be799a35dfa92ab5004e12b35467 validation: export GetBlockScriptFlags() (Anthony Towns)
5db8cd2d37eba3ca6abc66386a3b9dc2185fa3ce Move mapFlagNames and FormatScriptFlags logic to script/interpreter.h (Anthony Towns)

Pull request description:

  We currently use 21 of 32 possible bits for `SCRIPT_VERIFY_*` flags, with open PRs that may use 8 more (#29247, #31989, #32247, #32453). The mutinynet fork that has included many experimental soft fork features is [already reusing bits here](https://github.com/benthecarman/bitcoin/blob/d4a86277ed8a0712e03fbbce290e9209165e049c/src/script/interpreter.h#L175-L195). Therefore, bump this to 64 bits.

  In order to make it easier to update this logic in future, this PR also introduces a dedicated type for the script flags, and disables implicit conversion between that type and the underlying integer type. To make verifying that this change doesn't cause flags to disappear, this PR also resurrects the changes from #28806 so that the script flags that are consensus enforced on each block can be queried via getdeploymentinfo.

ACKs for top commit:
  instagibbs:
    reACK https://github.com/bitcoin/bitcoin/pull/32998/commits/652424ad162b63d73ecb6bd65bd26946e90c617f
  achow101:
    ACK 652424ad162b63d73ecb6bd65bd26946e90c617f
  darosior:
    ACK 652424ad162b63d73ecb6bd65bd26946e90c617f
  theStack:
    Code-review ACK 652424ad162b63d73ecb6bd65bd26946e90c617f :flags:

Tree-SHA512: 7b30152196cdfdef8b9700b571b7d7d4e94d28fbc5c26ea7532788037efc02e4b1d8de392b0b20507badfdc26f5c125f8356a479604a9149b8aae23a7cf5549f

d735e2e9b3

Merge bitcoin/bitcoin#32513: ci: remove 3rd party js from windows dll gha job

156927903d64297500dd73380908c654b07bfb1a ci: Check windows manifests for all executables (Max Edwards)
e1a1b14c9359751a4d0117a27a303d1f1d3ed30f ci: use a more generic way of finding mt.exe (Max Edwards)
7ae0497eef8f5b37fc1184897a5bbc9f023dfa67 ci: remove 3rd party js from windows dll gha job (Max Edwards)

Pull request description:

  The windows job uses the external dependency `ilammy/msvc-dev-cmd` which runs javascript. We use this to put various tools on the path such as `MSBuild.exe` and `mt.exe`. We can remove this dependency and use `vswhere.exe` directly to find these tools and create a "[Developer command prompt](https://github.com/microsoft/vswhere/wiki/Start-Developer-Command-Prompt#using-powershell)" as someone would on their dev machine.

  While in this area of the code, this PR also runs some additional manifest checks on the windows binaries.

  Fixes: #32508

ACKs for top commit:
  davidgumberg:
    crACK 156927903d64297
  hebasto:
    ACK 156927903d64297500dd73380908c654b07bfb1a.

Tree-SHA512: df640dff27579a1c95daddc5a5ba8fd655bbd0a6f2aff74d0f63439c7185c0b18a90abfee3f1f032fe833cd19b822ef71812f44b24c4c044222e46d01c271864

ec5841888d

Merge bitcoin/bitcoin#33494: depends: Update URL for `qrencode` package source tarball

93a70a42d30fa2f9404b76d5bbdb5ea316fc1032 depends: Update URL for `qrencode` package source tarball (Hennadii Stepanov)
6de80512632afe612a3427463c94ac51f90f5203 depends: Use hash instead of file name for package download stamp (Hennadii Stepanov)
46135d90ea9002e273f2a75283444afd080b81b1 depends: Drop redundant check for downloaded file (Hennadii Stepanov)
771978952a98a0da2d215c9ed8c5db13250ad58d depends: Fix `$(package)_fetched` target (Hennadii Stepanov)

Pull request description:

  The https://fukuchi.org/ homepage no longer links to the source tarball, and previously available files appear to have been removed. The homepage now instructs users to download source tarballs from the GitHub [releases](https://github.com/fukuchi/libqrencode/releases) page instead.

  The diff between the source trees is immaterial:
  ```diff
  --- old
  +++ new
  @@ -1,19 +1,16 @@
   27e7deccd2925c94e4190ee64794a051199f215f145f76fd664cdebedbbf8a35  acinclude.m4
  -e1e35b1309482f699a9700a2065a0bce09c2108dd1f78ba7bfbe0f7f0bdcd2e6  aclocal.m4
   a9308eec78790720dbcd5452ab8f241b5f1c6939ccf3389917b8e78cb2b58c9e  autogen.sh
   aa36725d577048f0370dc7415a1acb578fbdfb531c1b384a836d9360a81f6f5c  bitstream.c
   3feaacd7d096834fc5956215598564ec287ad443185c4433c3f8007cc53ceaa6  bitstream.h
   21bd5a34c90d3d6ee540ceb48c3d5aea5f21bd6b829ef3112db832af0bd423d8  ChangeLog
   f8a7a94c9622fab721df47e8121533ebfcb79885aca01ecec2fff00dfb84caef  cmake/FindIconv.cmake
   6345e7eecb92473f361a8eb98dd373aa09cae79a43408cf4b42b00b411c9c197  CMakeLists.txt
  -031d560570eab2eda57c2f9ee9952445002f8bf4a23965fcaf43bbc2c61590e2  config.h.in
  -d2f42cc5771b69f2d2ecd4b31509864ae2b18b25c823986390bb372ee07030fa  configure
   02867a8ea08206c84d5f4c05f41a15c639291091e3dfac27f3a9029d8f5d3028  configure.ac
   a9bdde5616ecdd1e980b44f360600ee8783b1f99b8cc83a2beb163a0a390e861  COPYING
   76c41754bccbf69a60fb7833776637c60b86f59104705c0a5cea9ee3a2968f3d  Doxyfile
   36d84f714cf28397b02d6c44860106a7cb858fc6d25239a2698a72fa5136e5c3  libqrencode.pc.in
   f0ce93a7e1b1f0fab87dd071ec3c8dd80a567d778dfc5930d9f375d676ecb9a0  Makefile.am
  -507c2385fb49c5724e8e3dfca97feb24cbdd4e651f3f0bfa62524e60088091a0  Makefile.in
  +dcb782b1b382328c0bce9194944bdcc65a6035d8e9f89e39436ed2e55ae8b969  makeREADME.sh
   6046d347c6c564fc13a24dc0a15a09a83023e00a4e0d0f23029a81f86ac4d024  mask.c
   9f853cee7d72191a8dbf018b7a86c0f0b6ca661e27a51fab677af911f2ff9e7e  mask.h
   a4e17b68d8db573e152132ebcbdc837b55415c12027f81232662db645faf79f0  mmask.c
  @@ -30,7 +27,7 @@
   6e9ff66002b4a839c6e78bcd6a55342d9eb8b289273fa838441b27ee9969e293  qrinput.h
   68831e02ee1ba602b1937328abec000e616c4472d9dc40067dd45ab7072df172  qrspec.c
   a2a9a5af4d62015e82b48b8316aea2b70031dcdc1ed2b829c0102ea5dc02aca2  qrspec.h
  -8730d006f1d45b90dc0ef9a20e4119420f15b37a09483c929baa4225e21f7900  README
  +a56773b55989ea5cae8a43f2d845ce0afa9576a26170937fbe36a69fee953cd4  README.md
   ace480f2e16001e276c73a5e965c282915ad81e2c28cce3ef574b5a8db7210e8  rsecc.c
   c731ebe26d58d5e5df3b2d694de0fb1c4ae80a36cf0559c49b04e989dee8b182  rsecc.h
   8ed1af4414b5628845519581c82bf51ba2b4dee1f8352c1fd01b50afcd0a0ed7  split.c
  @@ -46,7 +43,6 @@
   e26b20198a7393b3c060891876fa45edb81488aef9df6d6cf45893a605e5e5e4  tests/decoder.h
   adabfbddb0f25de2e2cae970195fcfdf11ad1fa66ce64e237d83f821346f64c4  tests/frame
   23c283a3d3b5f1bbb3108603ebf05d7a95951ba86a288e09140eab612a5eb258  tests/Makefile.am
  -c8b819bf7f00c979ab0b6f0d0fb10289d2006bc6acda1737d2f1c383a60e1e66  tests/Makefile.in
   ebd71b937d4d39f382f8c57f362a01f11fd617b66dbdf6f1a3c4897c8c42e235  tests/prof_qrencode.c
   d4adcb234d4c31473cd9ffedd1bfa9645ba336d426640ba5893dfe6e75db171d  tests/pthread_qrencode.c
   62298641504b0a2c1d199cd7f656cb376959200169042de76f7c5950d2d42395  tests/rscode.c
  @@ -63,6 +59,7 @@
   cf5792cbfb92ba46f7f5f14b98f00813b0e7e4f5e7c790c6a28793774474bf26  tests/test_monkey.c
   3a2c58346d57f6bb2a634d6febf3c65ac524259a2d789657f8d60c678bf8d658  tests/test_mqrspec.c
   b9d8c569ba36a2258cb1ad0d1f85ce4fb2935fad519e902bade59aa9772321aa  tests/test_qrencode.c
  +785fe14a6f8bc096b20ec271771fb09f22f29eb4f9d729f5b40d6b4cc824ce36  tests/test_qrenc.sh
   d0eee6eddf98ee4595c07f7da40c7de548651bf839b26995756e94db2599451f  tests/test_qrinput.c
   ace7885e435ef77cc127da0ac23c724498aaa8d80d53b908063f79c9f0b7acce  tests/test_qrspec.c
   fde9c2735ce94be51e1b0bbffe65415aa3afd2da5bd4c0e2c5e50e1a2f1ea3f7  tests/test_rs.c
  @@ -71,12 +68,4 @@
   6f35c0e1235b31d0068c4ab175d8110c736e60df0309d4be7b3e57dd62d316f6  tests/URI_testset.inc
   6be3983fc397cd5dade1dd219ad6cbe7977f416410b1509984006ecec51605b5  tests/view_qrcode.c
   92b5be1ca2239399232d51503715c848dae9bf3db71b1f03157bfa9779826910  TODO
  -c8af04e62bad4ab75dafd22119026e5e3943f385bdcbe7731a4938102453754c  use/compile
  -1d9048b0ac9d4d1dfce7aa4e3a0b59ccfd32db2f7693814aa6f4c778560f5669  use/config.guess
   b522487f9c47661d321367d133f3d41247dd16d435f2d4b9c643dee95bf65eee  use/config.rpath
  -5bf0da2576ebb21ab60a9d9291a85b40af0e956a9eafb709ca8b20dcb105f4ee  use/config.sub
  -732bcd6b9e23f241e015d71b0a3a862104053aba20718c1f56b292cee7e29371  use/depcomp
  -608b76d735bb2ec2bcb1271644c3d5e7a428fb8d2338e114e8a48ebf91ccfd23  use/install-sh
  -2304d53af1f63b76a11651efdd18578adf2bda1ffc2c257100cba374b55f284b  use/ltmain.sh
  -f038345dab184e538098d22a8edc423762da66a90ebe269f23bfef85287cd30c  use/missing
  -7c1ae35455771ae32050c2ed109e3d297160b6d1a2f70b0278cf6968e5e7e98c  use/test-driver
  ```

  ---

  **UPDATE 2025-09-30**

  A few commits have been added:

  1. The first commit fixes the `$(package)_fetched` target, which erroneously succeeds on the second run after a failure on the master branch:
  ```
  $ gmake -C depends clean-all
  $ gmake -C depends qrencode_fetched FALLBACK_DOWNLOAD_PATH="https://fallback.invalid"
  $ gmake -C depends qrencode_fetched FALLBACK_DOWNLOAD_PATH="https://fallback.invalid"
  $ echo $?
  0
  ```
  With the first commit applied:
  ```
  $ gmake -C depends clean-all
  $ gmake -C depends qrencode_fetched FALLBACK_DOWNLOAD_PATH="https://fallback.invalid"
  $ gmake -C depends qrencode_fetched FALLBACK_DOWNLOAD_PATH="https://fallback.invalid"
  $ echo $?
  2
  ```

  2. The second and third commits allow the depends build subsystem to detect when the source tarball content has been modified and needs to be re-downloaded, even if the file name remains the same.

ACKs for top commit:
  m3dwards:
    ACK 93a70a42d30fa2f9404b76d5bbdb5ea316fc1032
  achow101:
    ACK 93a70a42d30fa2f9404b76d5bbdb5ea316fc1032
  vasild:
    ACK 93a70a42d30fa2f9404b76d5bbdb5ea316fc1032
  janb84:
    ACK 93a70a42d30fa2f9404b76d5bbdb5ea316fc1032

Tree-SHA512: 38b7c029070426196c747fc45c9d00bae534eeeb2d9cd9f221580fce8380f4f8aecb6c48b2563e322edd8c9534f5dd42d8f4e110ada42bb83568cf2dcfb7dc22

b510893d00

doc: how to update a subtree a1226bc760

ci: add libcpp hardening flags to macOS fuzz job

Follows up to
https://github.com/bitcoin/bitcoin/pull/33425#issuecomment-3323149107.

e4c04f7759

ci: Refactor get_previous_releases step in win-test-cross task

This refactor does not change behavior, but allows the step to be
re-used in other tasks, such as a mac-test-cross task

fa8c750a0a

ci: Add macOS cross task for arm64 fad5a7101c

Revert "depends: Use hash instead of file name for package download stamp"

This reverts commit 6de80512632afe612a3427463c94ac51f90f5203.

a89a822e6e

Revert "depends: Update URL for `qrencode` package source tarball"

This reverts commit 93a70a42d30fa2f9404b76d5bbdb5ea316fc1032.

e4335a3192

depends: Use $(package)_file_name when downloading from the fallback 671b774d1b

ci: Properly include $FILE_ENV in DEPENDS_HASH

$FILE_ENV has a full relative path already, prepending with ci/test/
results in a non-existent path which means that DEPENDS_HASH was not
actually committing to the test's environment file.

ceeb53adcd

Update ci.yml b35341b9ba

doc: test: update TestShell example instructions/options

The `createwallet` RPC doesn't return the empty passphrase
warning anymore if no passphrase was passed explicitly.
The `noshutdown` parameter key was removed in commit
fa0dc09b9002f0bcae63af6af8d37fb3e0040ef4, so remove it from
the table.

53874f7934

test: add functional test for `TestShell` (matching doc example) 57f7c68821

Merge bitcoin/bitcoin#33584: ci: upgrade GitHub Action to download-artifact@v5

b35341b9ba63a0108596e56e9eecc851a4558d98 Update ci.yml (Coder)

Pull request description:

  Release notes:https://github.com/actions/download-artifact/releases/tag/v5.0.0

  Change:
  uses: actions/download-artifact@v4 -> uses: actions/download-artifact@v5

ACKs for top commit:
  maflcko:
    lgtm ACK b35341b9ba63a0108596e56e9eecc851a4558d98
  willcl-ark:
    ACK b35341b9ba63a0108596e56e9eecc851a4558d98
  hebasto:
    ACK b35341b9ba63a0108596e56e9eecc851a4558d98, I have reviewed the code and it looks OK.

Tree-SHA512: f82dd0fe3ca8d431b9ff6ef9f23a4f2e92a1463c6f55fbe9b46b9e13750d311bd2aa915a8570f76600363b3a1ccbf394c95216cfac0f6db30846d9be7ec7c4cf

d44b860cd0

Merge bitcoin/bitcoin#33581: ci: Properly include $FILE_ENV in DEPENDS_HASH

ceeb53adcd0a6a87a65c8ebbb20472c15c502dfd ci: Properly include $FILE_ENV in DEPENDS_HASH (Ava Chow)

Pull request description:

  $FILE_ENV has a full relative path already, prepending with ci/test/ results in a non-existent path which means that DEPENDS_HASH was not actually committing to the test's environment file.

ACKs for top commit:
  maflcko:
    lgtm ACK ceeb53adcd0a6a87a65c8ebbb20472c15c502dfd

Tree-SHA512: 80a7a23676ff8bf2f48a7d3c5897217f11d7d4d4f8a54897d2b7c42689585d2d63e45fad2b8f4c442111f128a87eeb6edeac2b25c79862e6bc035eeb1ebc7f4e

90b2884ce4

Merge bitcoin/bitcoin#33568: doc: how to update a subtree

a1226bc760c70a22ef4a197d5690aca4d83cb74c doc: how to update a subtree (Sjors Provoost)

Pull request description:

  We have instructions on how to verify a subtree update, but not on how to perform one.

ACKs for top commit:
  yuvicc:
    ACK a1226bc760c70a22ef4a197d5690aca4d83cb74c
  achow101:
    ACK a1226bc760c70a22ef4a197d5690aca4d83cb74c
  janb84:
    ACK a1226bc760c70a22ef4a197d5690aca4d83cb74c
  furszy:
    ACK a1226bc760c70a22ef4a197d5690aca4d83cb74c

Tree-SHA512: ba3ccc56a9f1c7f461e0db9699612e1fd64b7c72bfd1dae63d4cb830db416871a493820d3a7924c19b6ce353fc20c5fe07578b053dec6ea68273a007cbebc512

6b4a92b0fa

build: Bump clang minimum supported version to 17 faed118fb3

refactor: Revert "disable self-assign warning for tests"

This reverts commit 53372f21767be449bb452fc3f5fe7f16286ae371.

fa0fa0f700

Merge bitcoin/bitcoin#33577: Revert "depends: Update URL for `qrencode` package source tarball"

e4335a31920cd390d936cd51cc4478a234db1276 Revert "depends: Update URL for `qrencode` package source tarball" (Ava Chow)
a89a822e6eb58c9598099d4dbdf7df90d97eb1e2 Revert "depends: Use hash instead of file name for package download stamp" (Ava Chow)

Pull request description:

  The new URL breaks CI on the current release branches, see https://github.com/bitcoin/bitcoin/pull/33494#issuecomment-3380802351.

  The old URL also no longer exists so the tarball is fetched from the depends sources cache that we host, but the original tarball has already been overwritten on there. We will need to manually reinstate the original tarball.

ACKs for top commit:
  m3dwards:
    utACK e4335a31920cd390d936cd51cc4478a234db1276
  maflcko:
    review ACK e4335a31920cd390d936cd51cc4478a234db1276 💤
  glozow:
    ACK e4335a31920cd390d936cd51cc4478a234db1276

Tree-SHA512: a5028342d77b4768daaec8688acd364795d683aed2bea0407c7827d44f814a97d50cc3b30c2de2a8296a2b212115fe1e76c57685a74e93387fc57afdabb93bd2

cd1b7fa1ff

Merge bitcoin/bitcoin#33518: Update libmultiprocess subtree to support reduced logging

0f01e1577f7c6734eb345139a12aba329ef22a5f Squashed 'src/ipc/libmultiprocess/' changes from 47d79db8a552..a4f929696490 (Ryan Ofsky)

Pull request description:

  Includes:

  - https://github.com/bitcoin-core/libmultiprocess/pull/213
  - https://github.com/bitcoin-core/libmultiprocess/pull/214
  - https://github.com/bitcoin-core/libmultiprocess/pull/221
  - https://github.com/bitcoin-core/libmultiprocess/pull/220
  - https://github.com/bitcoin-core/libmultiprocess/pull/222
  - https://github.com/bitcoin-core/libmultiprocess/pull/224

  The change https://github.com/bitcoin-core/libmultiprocess/pull/220 is needed to support #33517 and fix poor performance in some cases caused by slow logging.

  The changes can be verified by running `test/lint/git-subtree-check.sh src/ipc/libmultiprocess` as described in [developer notes](https://github.com/bitcoin/bitcoin/blob/master/doc/developer-notes.md#subtrees) and [lint instructions](https://github.com/bitcoin/bitcoin/tree/master/test/lint#git-subtree-checksh)

ACKs for top commit:
  Sjors:
    utACK eda91b07fd9f2a6af3c31659d51f51aacf8989c4
  theuni:
    utACK eda91b07fd9f2a6af3c31659d51f51aacf8989c4.

Tree-SHA512: 43c2f47bb95f56181f3ce8cf41380e83b1c00b363a7c732d735a9115ed251fa2c2c9bd096d9be011e47503047a740b2e05c9a79d7e4170a4de9c20ad0de3e501

becf150013

refactor: Construct g_verify_flag_names on first use faa9d10c84

doc: bump the template macOS version

It makes more sense to have a higher OS version than one that is not
supported

f6567527d8

Merge bitcoin/bitcoin#33573: doc: bump the template macOS version

f6567527d8dafa70335de782511791165bb89ccb doc: bump the template macOS version (kevkevinpal)

Pull request description:

  Motivated by https://github.com/bitcoin/bitcoin/pull/33489#issuecomment-3361601497

  The minimum version of MacOS for this repo is now 14 and above so it makes sense to update the issue template to reflect that.
  We are now using a higher version but since it is just a bug template, there is no need to put the lowest version we support.

ACKs for top commit:
  maflcko:
    lgtm ACK f6567527d8dafa70335de782511791165bb89ccb
  l0rinc:
    ACK f6567527d8dafa70335de782511791165bb89ccb
  janb84:
    ACK f6567527d8dafa70335de782511791165bb89ccb

Tree-SHA512: 701b161bda25245996c94b6d2119b5cc85a34917551dcf8c92ffacf3aa80fa7fe84bb3497edc7e600c5b2443de13a6f6107fc7289721e585b16c4972d07a796c

d2987102dd

multiprocess: update multiprocess EventLoop construction to use options

This uses the constructors recently added upstream.

9d068225ee

multiprocess: align our logging with libmultiprocess's

Without this change, logging (even if unused) may account for a
substantial portion of bitcoin-node's and/or client's runtime cpu usage, due
to libmultiprocess's expensive message serialization.

This (along with some recent upstream changes) avoids the overhead by opting
out of log handling for messages that we're not interested in.

Info, Warning, and Error are logged unconditionally to match our behavior
elsewhere. See BCLog::Logger::GetCategoryLogLevel .

0626b90f50

qt: add createwallet, createwalletdescriptor, and migratewallet to history filter 4e352efa2c

doc: archive release notes for v30.0 8d6e49158e

txgraph: Make level of Cluster implicit (optimization)

This reduces per-Cluster memory usage by making Clusters not aware of their
own level. Instead, track it either in calling code, or infer it based on
the transactions in them.

d40302fbaf

txgraph: move some sanity checks from Cluster to TxGraphImpl (refactor) 2b1d302508

txgraph: avoid holes in DepGraph positions (mem optimization) b1637a90de

depgraph: add memory usage control (feature)

Co-Authored-By: Lőrinc <pap.lorinc@gmail.com>

bb5cb222ae

txgraph: keep data structures compact (mem optimization) 4ba562e5f4

txgraph: keep track of Cluster memory usage (preparation) 7680bb8fd4

txgraph: expose memory usage estimate function (feature) 04c808ac4c

txgraph: avoid accessing other Cluster internals (refactor)

This adds 4 functions to Cluster to help implement Merge() and Split() without
needing access to the internals of the other Cluster. This is a preparation for
a follow-up that will make Clusters a virtual class whose internals are abstracted
away.

2602d89edd

txgraph: make Cluster an abstract class (refactor) 726b995739

txgraph: comment fixes (doc fix) 6baf12621f

txgraph: abstract out creation of empty Clusters (refactor) e93b0f09cc

txgraph: give Clusters a range of intended tx counts (preparation) e346250732

txgraph: add SingletonClusterImpl (mem optimization)

This adds a specialized Cluster implementation for singleton clusters, saving
a significant amount of memory by avoiding the need for m_depgraph, m_mapping,
and m_linearization, and their overheads.

023cd5a546

refactor: assert newly-created parent cache entry has zero memory usage

During `BatchWrite`, the parent entry is created under a guard that guarantees insertion, so the new `Coin` is default-constructed and empty.
Assert this invariant to document why there is no `cachedCoinsUsage` decrement before the assignment at this site.

Co-authored-by: Andrew Toth <andrewstoth@gmail.com>

67cff8bec9

refactor: remove redundant usage tracking from `CoinsViewCacheCursor`

When a coin is spent via `SpendCoin()`, `cachedCoinsUsage` is already decremented and the coin's `scriptPubKey` is cleared, so `DynamicMemoryUsage()` is `0`.

`CoinsViewCacheCursor::NextAndMaybeErase()` was subtracting usage again when erasing spent entries.
Replace it with an assert that documents spent coins have zero dynamic memory usage by the time the cursor encounters them.

Remove the now-unnecessary `usage` reference from the cursor's constructor and member variables.

39cf8bb3d0

coins: fix `cachedCoinsUsage` accounting to prevent underflow

Move the `cachedCoinsUsage` subtract in `AddCoin()` to after the `possible_overwrite` check.
Previously a throw before assignment decremented the counter without changing the entry, which corrupted accounting and later underflowed.

In `Flush()`, reset `cachedCoinsUsage` to `0` only when `BatchWrite()` succeeds and `cacheCoins` is actually cleared. In production `BatchWrite()` returns `true`, so this mostly affects tests. On failure, leave the counter unchanged to keep it in sync with the cache.

The existing `Flush()` workaround in fuzzing was also removed now that the source of the problem was fixed, so the fuzzer no longer needs `coins_view_cache.Flush()` to realign `cachedCoinsUsage` after an exception.
Replace the prior `expected_code_path` tracking with direct assertions. The role of the variable was to verify that code execution follows only expected paths, either successful addition, or if it's an exception, the message is verified and checked that overwrite was disallowed.

With these changes the counter stays consistent across success and exception paths, so we can finally remove the `UBSan` suppressions for `CCoinsViewCache` that were masking the issue.

Included a unit test as well, attempting to add a different coin to the same outpoint without allowing overwrites and make sure it throws.
We use `SelfTest()` to validates accounting, and check that the cache remains usable.

Co-authored-by: Ryan Ofsky <ryan@ofsky.org>
Co-authored-by: w0xlt <woltx@protonmail.com>

d7c9d6c291

coins: only adjust `cachedCoinsUsage` on `EmplaceCoinInternalDANGER` insert

`EmplaceCoinInternalDANGER()` incremented `cachedCoinsUsage` even when `try_emplace` did not insert (duplicate key), inflating the counter.
This is mostly reachable in tests today since `AssumeUTXO` does not overwrite.

Increment only on successful insert, and capture `coin.DynamicMemoryUsage()` before the move so accounting uses the correct value.

Fuzz: add an `EmplaceCoinInternalDANGER` path to exercise insert-only accounting.
Unit test: emplace two different coins at the same outpoint (with different `DynamicMemoryUsage()`), verify `SelfTest()` passes and `AccessCoin(outpoint)` returns the first coin.

Co-authored-by: Andrew Toth <andrewstoth@gmail.com>
Co-authored-by: w0xlt <woltx@protonmail.com>

24d861da78

Merge bitcoin/bitcoin#33580: depends: Use $(package)_file_name when downloading from the fallback

671b774d1b58c491b53f2b2f6ee42fb6b65a0e71 depends: Use $(package)_file_name when downloading from the fallback (Ava Chow)

Pull request description:

  The server hosting the fallbacks uses `make download` so the files are only available with their overridden names rather than the original name on the upstream source. We should therefore also use the overridden name when downloading from the fallback.

  Fixes https://github.com/bitcoin-core/bitcoincore.org/issues/1168

ACKs for top commit:
  theuni:
    utACK 671b774d1b58c491b53f2b2f6ee42fb6b65a0e71. I was going to PR the same change.
  janb84:
    ut ACK 671b774d1b58c491b53f2b2f6ee42fb6b65a0e71
  hebasto:
    ACK 671b774d1b58c491b53f2b2f6ee42fb6b65a0e71, tested with the following patch:

Tree-SHA512: ba010adb64900d8d748487cc1a658e2b163872354f4e7b38c4dfc37a14fcb22fec4379a635d2c6788c64dd46bef0d94aa3eb6f522ec700680e886d5468678031

563747971b

Merge bitcoin/bitcoin#33601: doc: archive release notes for v30.0

8d6e49158e3a1b3215484b5d139c5d8a3fffc4c9 doc: archive release notes for v30.0 (fanquake)

Pull request description:

  Archive v30.0 release notes.

ACKs for top commit:
  janb84:
    ACK 8d6e49158e3a1b3215484b5d139c5d8a3fffc4c9
  willcl-ark:
    ACK 8d6e49158e3a1b3215484b5d139c5d8a3fffc4c9

Tree-SHA512: 322daee16e8d46808c3b669d9c893172eccefe5dafcd79646c9d265360bd606df7be1222a6c12c16517dec88ae1fee6d1aaa7e71761cc5d7fdc8b5e0bdc82292

93b56e95c0

Merge bitcoin/bitcoin#33558: ci: Use native platform for win-cross task

fa6fd16f36e1240cda58a46e1717b02e8d3172a3 ci: Use native platform for win-cross task (MarcoFalke)

Pull request description:

  Forcing the architecture to amd64 is no longer required. Dropping it should have some benefits:

  * Faster CI speed on other arches (riscv64, arm, ...)
  * Unlock the CI task to run on riscv64 at all

ACKs for top commit:
  hebasto:
    ACK fa6fd16f36e1240cda58a46e1717b02e8d3172a3, tested on Ubuntu 24.04, RISC-V.

Tree-SHA512: 68a3fc90cc22ab085d6946deb106e50b22e06eebc61523a9dcb53b38a50021a19da26cc29e2cd20f4673ffc5cc10f441dacca7cc799782258351609d9fa04969

64a7c7cbb9

doc: archive release notes for v29.2 c11a3dcc88

miner: fix empty mempool case for waitNext()

Block template fees are calculated by looping over new_tmpl->vTxFees
and return (early) once the fee_threshold is exceeded.

This left an edge case when the mempool is empty, which this commit
fixes and adds a test for. It does so by using std::accumulate instead
of manual loops.

Also update interface_ipc.py to account for the new behavior.

Co-authored-by: Raimo33 <claudio.raimondi@protonmail.com>

8f7673257a

Merge bitcoin/bitcoin#33508: ci: fix buildx gha cache authentication on forks

bc706955d740f8a59bec78e44d33e80d1cca373b ci: expose all ACTIONS_* vars (willcl-ark)

Pull request description:

  When using `docker buildx build` in conjunction with the `gha` backend cache type (as we do in our CI) it's important to specify the URL and TOKEN needed to authenticate.

  On Cirrus runners this is working with only `ACTIONS_CACHE_URL` and `ACTIONS_RUNTIME_TOKEN`, but this is not enough for the GitHub backend.

  Fix this by exporting all `ACTIONS_*` variables.

  This fixes docker build layer cache restore/save on forks or where GH-hosted runners are being used, and addresses https://github.com/bitcoin/bitcoin/issues/31965#issuecomment-3324707093

ACKs for top commit:
  m3dwards:
    ACK bc706955d740f8a59bec78e44d33e80d1cca373b
  maflcko:
    lgtm ACK bc706955d740f8a59bec78e44d33e80d1cca373b

Tree-SHA512: 13e973bb1c1ca5448dd6c3c176fb5ce39c725886ba2012d3253158205309a7038a1430135b37400e1f2f69408a9d0f4e2b3c5f0515154a593ec382ab7db10266

6c4fe401e9

randomenv: Fix MinGW dllimport warning for `environ`

Extends 7703884 to guard environ declaration on all Windows builds, not just MSVC.
In the mingw-w64 headers (used by llvm-mingw), environ is defined as a macro which expands through _environ to (* __p__environ()), a call to a dllimport function, causing the same inconsistent linkage warning as MSVC.

Use WIN32 instead of _MSC_VER to match the platform-specific guards already used throughout the file.

The warning occurs with llvm-mingw (both UCRT and MSVCRT variants as tested by Hebasto), but not with the mingw-w64 toolchain currently used in CI (as mentioned by fanquake).

Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com>

9610b0d1e2

test: change log rate limit version gate from 299900 to 290100 7b544341c0

Merge bitcoin/bitcoin#33157: cluster mempool: control/optimize TxGraph memory usage

023cd5a5469ad61205bf7bb1135895f2b4a20ea9 txgraph: add SingletonClusterImpl (mem optimization) (Pieter Wuille)
e34625073253132c4b711b3c33ee50be60290e35 txgraph: give Clusters a range of intended tx counts (preparation) (Pieter Wuille)
e93b0f09cc2ad7b743f896a09c48d584dfcc2787 txgraph: abstract out creation of empty Clusters (refactor) (Pieter Wuille)
6baf12621f66f124cadffe4bb00cd11b75a7c3ea txgraph: comment fixes (doc fix) (Pieter Wuille)
726b995739ab7b88fb5d1c85a33e6c68a4e146bc txgraph: make Cluster an abstract class (refactor) (Pieter Wuille)
2602d89edd04693d0ebbc6b3c87a7c3fe90dcf40 txgraph: avoid accessing other Cluster internals (refactor) (Pieter Wuille)
04c808ac4c47dcbaffa06476403db649c757436e txgraph: expose memory usage estimate function (feature) (Pieter Wuille)
7680bb8fd48d2357d3c1a7b8121a6ad88d2f6ccf txgraph: keep track of Cluster memory usage (preparation) (Pieter Wuille)
4ba562e5f4e4aa2f390e6f3e871be9b0d216794e txgraph: keep data structures compact (mem optimization) (Pieter Wuille)
bb5cb222ae55a61646cb721ed19618ed332d37ff depgraph: add memory usage control (feature) (Pieter Wuille)
b1637a90deb8528a6892dbc1065876583b5075d6 txgraph: avoid holes in DepGraph positions (mem optimization) (Pieter Wuille)
2b1d30250877ba2576cfc6d56fe5aa0d9e77f706 txgraph: move some sanity checks from Cluster to TxGraphImpl (refactor) (Pieter Wuille)
d40302fbaf41bcb70939db534111f490d7eed5c1 txgraph: Make level of Cluster implicit (optimization) (Pieter Wuille)

Pull request description:

  Part of #30289.

  This adds a few optimizations to reduce `TxGraph`'s memory usage, and makes sure that dynamic memory it uses doesn't linger after shrinking clusters. Finally, it exposes a function `GetMainMemoryUsage()` to compute `TxGraph`'s approximate memory usage.

  It makes the `Cluster` type abstract, with two instances (`SingletonClusterImpl` for 1-transaction clusters, and `GenericClusterImpl` for others).

  On my 64-bit system, I obtain the following numbers:
  * `SingletonClusterImpl`: 48 bytes, plus 16 bytes malloc overhead in its `unique_ptr`, plus 8-byte pointer in `m_clusters`
  * `GenericClusterImpl`: 104 bytes, plus 16 bytes malloc overhead in its `unique_ptr`, plus 8-byte pointer in `m_clusters`, plus 72 bytes malloc overhead inside its vectors and `DepGraph`, plus 40 bytes per transaction in those.
  * `TxGraphImpl::Entry`: 72 bytes per transaction
  * `TxGraphImpl::ChunkData`: 8 bytes, plus 56 bytes in `std::set` overhead + malloc overhead, all per chunk.
  * `TxGraph::Ref`: 16 bytes per transaction

  This overall amounts to 200 bytes per cluster, plus 64 bytes per chunk, plus 128 bytes per transaction, but only 224 bytes overall per singleton cluster.

ACKs for top commit:
  l0rinc:
    code review reACK 023cd5a5469ad61205bf7bb1135895f2b4a20ea9
  instagibbs:
    reACK 023cd5a5469ad61205bf7bb1135895f2b4a20ea9
  ismaelsadeeq:
    reACK 023cd5a5469ad61205bf7bb1135895f2b4a20ea9  🚢
  glozow:
    reACK 023cd5a5469ad61205bf7bb1135895f2b4a20ea9

Tree-SHA512: c957b27f47318be7c25d71453df2ae9d4e7bf21dab13b6e5e975cca122a221a99b15c584872491225785d276a9165f090675ee0f4460a2775bd3271933e3b246

fdcf67de80

Merge bitcoin/bitcoin#33612: test: change log rate limit version gate

7b544341c0021dd713f05bc439ee190de911930c test: change log rate limit version gate from 299900 to 290100 (Eugene Siegel)

Pull request description:

  Change the version gate from 299900 to 290100 for bypassing the log rate limit in case an explicit version is set in the functional test framework.

  See discussion here: https://github.com/bitcoin/bitcoin/pull/33225#discussion_r2287838255

ACKs for top commit:
  maflcko:
    lgtm ACK 7b544341c0021dd713f05bc439ee190de911930c
  janb84:
    ACK 7b544341c0021dd713f05bc439ee190de911930c
  stickies-v:
    ACK 7b544341c0021dd713f05bc439ee190de911930c

Tree-SHA512: c07c8741dfdeca87c49748b7082c2ecb829da391908316f35daef7292bc017814a89f04e16e738f3a105541bbc38e4feb5bca3fb6ab718a1dc1de7c70a9c8a58

6e1adbbaa1

TxGraph: change m_excluded_clusters

Change BlockBuilderImpl's m_excluded_clusters to unordered
set since ordering is not used.

Change the set to a set of sequence numbers for a modest
stability increase under fuzz testing.

9b43428c96

Merge bitcoin/bitcoin#33610: doc: archive release notes for v29.2

c11a3dcc88950d35cc8a97c6afba7d8f7eff9883 doc: archive release notes for v29.2 (fanquake)

Pull request description:

ACKs for top commit:
  janb84:
    ACK c11a3dcc88950d35cc8a97c6afba7d8f7eff9883
  stickies-v:
    ACK c11a3dcc88950d35cc8a97c6afba7d8f7eff9883, matches https://github.com/bitcoin/bitcoin/blob/3226616493289b111997bb107e569fef54386743/doc/release-notes.md

Tree-SHA512: bb566000d6907f70785f45878208479c01df7aa3a50f46ccf9156478bbc798d56b64f5c3fd6555900e03fe44ad7021c0513ed711c22eec4a783e84cd89f8a73c

9314113b29

test: P2SH sig ops are only counted with `SCRIPT_VERIFY_P2SH` flag 3a10d700bc

Merge bitcoin/bitcoin#33517: multiprocess: Fix high overhead from message logging

0626b90f507db68610a69feec86deb712dd095a1 multiprocess: align our logging with libmultiprocess's (Cory Fields)
9d068225ee2b79da43e264994cd84279655a2210 multiprocess: update multiprocess EventLoop construction to use options (Cory Fields)

Pull request description:

  This fixes https://github.com/bitcoin-core/libmultiprocess/issues/215 on Core's side. ~It depends on https://github.com/bitcoin-core/libmultiprocess/pull/220 being merged upstream, and a PR to update our subtree. I've included a subtree merge from my repo here for now, but will rebase on top of the merge from upstream once it's in.~ Edit: Rebased on top of #33518.

  For context: before https://github.com/bitcoin-core/libmultiprocess/pull/220, libmultiprocess serializesd every log message parameter, even if that message was ultimately going to be discarded. The upstream PR accomplished 2 main things:
  - Creates logging categories, similar to Core's
  - Using macros, avoids serializing parameters for disabled log levels.

  That allowed the expensive serialization to be skipped, but the default log level is `Trace`. This PR updates our usage of libmultiprocess options to honor our log categories and levels.

  Because of the substantial unnecessary overhead (see the [flamegraphs](https://github.com/bitcoin-core/libmultiprocess/issues/215). Logging accounts for 50% of my application's cpu time, and nearly 10% of bitcoin-node's, both of which go to ~0% once fixed), it'd be a shame to ship the first multiprocess binaries without this fixed. So I propose that we also backport this (and the required libmultiprocess subtree merge) ~to v30. Sorry about the timing~ :(

  Edit: Didn't make it for v30, but it would still make sense to backport for a v30.1.

ACKs for top commit:
  Sjors:
    ACK 0626b90f507db68610a69feec86deb712dd095a1
  TheCharlatan:
    ACK 0626b90f507db68610a69feec86deb712dd095a1
  sipa:
    utACK 0626b90f507db68610a69feec86deb712dd095a1

Tree-SHA512: 70b63b62d1f6de547f4d4775538d7bcaf32f57d8a72c5b26762b57755810c8be6942d9dfebab43cf1c1d8d025a555f72a48e9ebf3d84f8d40d6592ca801cda5d

db4bde0b03

Merge bitcoin/bitcoin#29675: wallet: Be able to receive and spend inputs involving MuSig2 aggregate keys

ac599c4a9cb3b2d424932d3fd91f9eed17426827 test: Test MuSig2 in the wallet (Ava Chow)
68ef954c4c59802a6810a462eaa8dd61728ba820 wallet: Keep secnonces in DescriptorScriptPubKeyMan (Ava Chow)
4a273edda0ec10f0c5ae5d94b9925fa334d1c6e6 sign: Create MuSig2 signatures for known MuSig2 aggregate keys (Ava Chow)
258db938899409c8ee1cef04e16ba1795ea0038d sign: Add CreateMuSig2AggregateSig (Ava Chow)
bf69442b3f5004dc3df5a1b1d752114ba68fa5f4 sign: Add CreateMuSig2PartialSig (Ava Chow)
512b17fc56eac3a2e2b9ba489b5423d098cce0db sign: Add CreateMuSig2Nonce (Ava Chow)
82ea67c607cde6187d7082429d27b927dc21c0c6 musig: Add MuSig2AggregatePubkeys variant that validates the aggregate (Ava Chow)
d99a081679e16668458512aba2fd13a3e1bdb09f psbt: MuSig2 data in Fill/FromSignatureData (Ava Chow)
4d8b4f53363f013ed3972997f0b05b9c19e9db9d signingprovider: Add musig2 secnonces (Ava Chow)
c06a1dc86ff2347538e95041ab7b97af25342958 Add MuSig2SecNonce class for secure allocation of musig nonces (Ava Chow)
9baff05e494443cd82708490f384aa3034ad43bd sign: Include taproot output key's KeyOriginInfo in sigdata (Ava Chow)
4b24bfeab9d6732aae3e69efd33105792ef1198f pubkey: Return tweaks from BIP32 derivation (Ava Chow)
f14876213aad0e67088b75cae24323db9f2576d8 musig: Move synthetic xpub construction to its own function (Ava Chow)
fb8720f1e09f4e41802f07be53fb220d6f6c127f sign: Refactor Schnorr sighash computation out of CreateSchnorrSig (Ava Chow)
a4cfddda644f1fc9a815b2d16c997716cd63554a tests: Clarify why musig derivation adds a pubkey and xpub (Ava Chow)
39a63bf2e7e38dd3f30b5d1a8f6b2fff0e380d12 descriptors: Add a doxygen comment for has_hardened output_parameter (Ava Chow)
2320184d0ea87279558a8e6cbb3bccf5ba1bb781 descriptors: Fix meaning of any_key_parsed (Ava Chow)

Pull request description:

  This PR implements MuSig2 signing so that the wallet can receive and spend from imported `musig(0` descriptors.

  The libsecp musig module is enabled so that it can be used for all of the MuSig2 cryptography.

  Secnonces are handled in a separate class which holds the libsecp secnonce object in a `secure_unique_ptr`. Since secnonces must not be used, this class has no serialization and will only live in memory. A restart of the software will require a restart of the MuSig2 signing process.

ACKs for top commit:
  fjahr:
    tACK ac599c4a9cb3b2d424932d3fd91f9eed17426827
  rkrux:
    lgtm tACK ac599c4a9cb3b2d424932d3fd91f9eed17426827
  theStack:
    Code-review ACK ac599c4a9cb3b2d424932d3fd91f9eed17426827 :old_key:

Tree-SHA512: 626b9adc42ed2403e2f4405321eb9ce009a829c07d968e95ab288fe4940b195b0af35ca279a4a7fa51af76e55382bad6f63a23bca14a84140559b3c667e7041e

48aa0e98d0

node: change a tx-relay on/off flag to enum

Previously the `bool relay` argument to `BroadcastTransaction()`
designated:

```
relay=true: add to the mempool and broadcast to all peers
relay=false: add to the mempool
```

Change this to an `enum`, so it is more readable and easier to extend
with a 3rd option. Consider these example call sites:

```cpp
Paint(true);
// Or
Paint(/*is_red=*/true);
```

vs

```cpp
Paint(RED);
```

The idea for putting `TxBroadcastMethod` into `node/types.h` by Ryan.

Co-authored-by: Ryan Ofsky <ryan@ofsky.org>

07a926474b

Merge bitcoin/bitcoin#33462: ci: add libcpp hardening flags to macOS fuzz job

e4c04f7759b0b390189410f5ef3ad5faa5354698 ci: add libcpp hardening flags to macOS fuzz job (fanquake)

Pull request description:

  Follows up to https://github.com/bitcoin/bitcoin/pull/33425#issuecomment-3323149107.

ACKs for top commit:
  maflcko:
    lgtm ACK e4c04f7759b0b390189410f5ef3ad5faa5354698. The qa-assets repo has a libc++ debug run, so this isn't required, but it seems fast enough to not hurt.

Tree-SHA512: 6c0dc90528ca867df49027eebf2d1c417a7395f9f94779076ace48e3e4b21771e7d99e8b3ed75ca56da87153418a446075429aa6b9ec5cd4b6b8cb5b0c25c1d7

2f7a50f67c

Squashed 'src/secp256k1/' changes from b9313c6e1a..d543c0d917

d543c0d917 Merge bitcoin-core/secp256k1#1734: Introduce (mini) unit test framework
f44c1ebd96 Merge bitcoin-core/secp256k1#1719: ci: DRY workflow using anchors
a44a339384 Merge bitcoin-core/secp256k1#1750: ci: Use clang-snapshot in "MSan" job
15d014804e ci: Drop default for `inputs.command` in `run-in-docker-action`
1decc49a1f ci: Use YAML anchor and aliases for repeated "CI script" steps
dff1bc107d ci, refactor: Generalize use of `matrix.configuration.env_vars`
4b644da199 ci: Use YAML anchor and aliases for repeated "Print logs" steps
a889cd93df ci: Bump `actions/checkout` version
574c2f3080 ci: Use YAML anchor and aliases for repeated "Checkout" steps
53585f93b7 ci: Use clang-snapshot in "MSan" job
6894c964f3 Fix Clang 21+ `-Wuninitialized-const-pointer` warning when using MSan
2b7337f63a Merge bitcoin-core/secp256k1#1756: ci: Fix image caching and apply other improvements
f163c35897 ci: Set `DEBIAN_FRONTEND=noninteractive`
70ae177ca0 ci: Bump `docker/build-push-action` version
b2a95a420f ci: Drop `tags` input for `docker/build-push-action`
122014edb3 ci: Add `scope` parameter to `cache-{to,from}` options
2f4546ce56 test: add --log option to display tests execution
95b9953ea4 test: Add option to display all available tests
953f7b0088 test: support running specific tests/modules targets
0302c1a3d7 test: add --help for command-line options
9ec3bfe22d test: adapt modules to the new test infrastructure
48789dafc2 test: introduce (mini) unit test framework
baa265429f Merge bitcoin-core/secp256k1#1727: docs: Clarify that callback can be called more than once
4d90585fea docs: Improve API docs of _context_set_illegal_callback
895f53d1cf docs: Clarify that callback can be called more than once
de6af6ae35 Merge bitcoin-core/secp256k1#1748: bench: improve context creation in ECDH benchmark
5817885153 Merge bitcoin-core/secp256k1#1749: build: Fix warnings in x86_64 assembly check
ab560078aa build: Fix warnings in x86_64 assembly check
10dab907e7 Merge bitcoin-core/secp256k1#1741: doc: clarify API doc of `secp256k1_ecdsa_recover` return value
dfe284ed2d bench: improve context creation in ECDH benchmark
7321bdf27b doc: clarify API doc of `secp256k1_ecdsa_recover` return value
b475654302 Merge bitcoin-core/secp256k1#1745: test: introduce group order byte-array constant for deduplication
9cce703863 refactor: move 'gettime_i64()' to tests_common.h
0c91c56041 test: introduce group order byte-array constant for deduplication
88be4e8d86 Merge bitcoin-core/secp256k1#1735: musig: Invalidate secnonce in secp256k1_musig_partial_sign
36e76952cb Merge bitcoin-core/secp256k1#1738: check-abi: remove support for obsolete CMake library output location (src/libsecp256k1.so)
399b582a5f Split memclear into two versions
4985ac0f89 Merge bitcoin-core/secp256k1#1737: doc: mention ctx requirement for `_ellswift_create` (not secp256k1_context_static)
7ebaa134a7 check-abi: remove support for obsolete CMake library output location (src/libsecp256k1.so)
806de38bfc doc: mention ctx requirement for `_ellswift_create` (not secp256k1_context_static)
03fb60ad2e Merge bitcoin-core/secp256k1#1681: doc: Recommend clang-cl when building on Windows
d93380fb35 Merge bitcoin-core/secp256k1#1731: schnorrsig: Securely clear buf containing k or its negation
8113671f80 Merge bitcoin-core/secp256k1#1729: hash: Use size_t instead of int for RFC6979 outlen copy
325d65a8cf Rename and clear var containing k or -k
960ba5f9c6 Use size_t instead of int for RFC6979 outlen copy
737912430d ci: Add more tests for clang-cl
7379a5bed3 doc: Recommend clang-cl when building on Windows
f36afb8b3d Merge bitcoin-core/secp256k1#1725: tests: refactor tagged hash verification
5153cf1c91 tests: refactor tagged hash tests
d2dcf52091 Merge bitcoin-core/secp256k1#1726: docs: fix broken link to Tromer's cache.pdf paper
489a43d1bf docs: fix broken link to eprint cache.pdf paper
d599714147 Merge bitcoin-core/secp256k1#1722: docs: Exclude modules' `bench_impl.h` headers from coverage report
0458def51e doc: Add `--gcov-ignore-parse-errors=all` option to `gcovr` invocations
1aecce5936 doc: Add `--merge-mode-functions=separate` option to `gcovr` invocations
106a7cbf41 doc: Exclude modules' `bench_impl.h` headers from coverage report
a9e955d3ea autotools, docs: Adjust help string for `--enable-coverage` option
e523e4f90e Merge bitcoin-core/secp256k1#1720: chore(ci): Fix typo in Dockerfile comment
24ba8ff168 chore(ci): Fix typo in Dockerfile comment
74b8068c5d Merge bitcoin-core/secp256k1#1717: test: update wycheproof test vectors
c25c3c8a88 test: update wycheproof test vectors
20e3b44746 Merge bitcoin-core/secp256k1#1688: cmake: Avoid contaminating parent project's cache with `BUILD_SHARED_LIBS`
2c076d907a Merge bitcoin-core/secp256k1#1711: tests: update Wycheproof
7b07b22957 cmake: Avoid contaminating parent project's cache with BUILD_SHARED_LIBS
5433648ca0 Fix typos and spellings
9ea54c69b7 tests: update Wycheproof files

git-subtree-dir: src/secp256k1
git-subtree-split: d543c0d917a76a201578948701cc30ef336e0fe6

3cbf7cb3e6

Update secp256k1 subtree to latest master 879c21045e

Merge bitcoin/bitcoin#33624: test: P2SH sig ops are only counted with `SCRIPT_VERIFY_P2SH`

3a10d700bc1889b3690097efc935c5a4ba5966bb test: P2SH sig ops are only counted with `SCRIPT_VERIFY_P2SH` flag (brunoerg)

Pull request description:

  This PR adds a test case for `GetTransactionSigOpCost` to check that P2SH sig ops are only counted when `SCRIPT_VERIFY_P2SH` flag is set.

  Kills the following [mutant](https://corecheck.dev/mutation/src/consensus/tx_verify.cpp#L150):

  ```diff
  diff --git a/src/consensus/tx_verify.cpp b/src/consensus/tx_verify.cpp
  index 9d09872597..cc7cdaaf8f 100644
  --- a/src/consensus/tx_verify.cpp
  +++ b/src/consensus/tx_verify.cpp
  @@ -147,7 +147,7 @@ int64_t GetTransactionSigOpCost(const CTransaction& tx, const CCoinsViewCache& i
       if (tx.IsCoinBase())
           return nSigOps;

  -    if (flags & SCRIPT_VERIFY_P2SH) {
  +    if (1==1) {
           nSigOps += GetP2SHSigOpCount(tx, inputs) * WITNESS_SCALE_FACTOR;
       }
  ```

ACKs for top commit:
  l0rinc:
    Tested ACK 3a10d700bc1889b3690097efc935c5a4ba5966bb
  maflcko:
    re-lgtm ACK 3a10d700bc1889b3690097efc935c5a4ba5966bb
  instagibbs:
    ACK 3a10d700bc1889b3690097efc935c5a4ba5966bb
  janb84:
    tested ACK 3a10d700bc1889b3690097efc935c5a4ba5966bb

Tree-SHA512: f560b4f9f2ce5c5fdd0a86e7e1f8ea27a8c6fda0327a6186a0c21e2c06ef13beeb017686db1688cace68812a01701abe46e8e1a095afefc6f2aed6ed96ba8288

b1f8a13702

Merge bitcoin/bitcoin#33480: ci: Turn CentOS config into Alpine musl config

444409ff2b78d8f3e541bd6e883af8da7adfd264 ci: Reduce Alpine musl task to md runner size (MarcoFalke)
fa6b2e9efece2d728bdc257c36c95db03e1a7bc4 ci: Turn centos config into alpine musl config (MarcoFalke)

Pull request description:

  Fixes https://github.com/bitcoin/bitcoin/issues/33437

  Historically, the centos task was added to add CI coverage for old packages and 32-bit depends builds, but both are now covered by different tasks.

  The CentOS task aligns with Ubuntu/Debian CI tasks in terms of libc usage, but (slightly) differs in package naming and update philosophy. I am not aware of the task ever discovering a centos-related issue, so it seems fine to recycle it into an Alpine Linux task.

  The main difference would be that musl libc is now used. Also, busybox is used in Alpine, so in theory the busybox install could be removed from the arm CI task in the future.

  Packaging considerations: All packages should roughly be the same (gcc remains at version 14, python remains at version 3.12, etc). Also, all packages are from the Alpine main track, coming with 2 years of support. The only exception is the py3-pip package (https://pkgs.alpinelinux.org/packages?name=py3-pip&branch=v3.22&repo=&arch=riscv64) from the community track, however, I don't expect any issues arising from that.

ACKs for top commit:
  janb84:
    reACK 444409ff2b78d8f3e541bd6e883af8da7adfd264
  willcl-ark:
    ACK 444409ff2b78d8f3e541bd6e883af8da7adfd264

Tree-SHA512: fd1a1da0fd766591e44a57dbdb84f9b3b47ca92113a429bba139ee5fef54714b8fe509c321e7b3a470c29b4af7d9eab9786e1660b9effb862ecea52824f458aa

ea17618c11

Merge bitcoin/bitcoin#33549: ci: Add macOS cross task for arm64-apple-darwin

fad5a7101cc3dccbb525cfe9afc105aace8da88e ci: Add macOS cross task for arm64 (MarcoFalke)
fa8c750a0aff9c03270b71a91536639f3922eed8 ci: Refactor get_previous_releases step in win-test-cross task (MarcoFalke)

Pull request description:

  Cross compiling to Intel macOS seems fine, but it would be good to cross compile to arm64-apple-darwin as well.

  Further reading:

  * https://en.wikipedia.org/wiki/Mac_transition_to_Apple_silicon#Timeline.
  * It is harder to find native Intel macOS hardware (E.g. GitHub is in the process of dropping it: https://github.blog/changelog/2025-07-11-upcoming-changes-to-macos-hosted-runners-macos-latest-migration-and-xcode-support-policy-updates/#macos-13-is-closing-down)

ACKs for top commit:
  Sjors:
    utACK fad5a7101cc3dccbb525cfe9afc105aace8da88e
  hodlinator:
    crACK fad5a7101cc3dccbb525cfe9afc105aace8da88e

Tree-SHA512: ce96ac9f68f594584dc910555bd34590084e3e45ca02a22d4949e88bb569de3bf87ebf6b5c6718ae82d7750a98212b72f6dab80bddfc9652a57180fbdda97f42

40e7d4cd0d

test: Move get_binary_paths and Binaries to util.py

Can be reviewed with the git options
--color-moved=dimmed-zebra --color-moved-ws=ignore-all-space

fa9f495308

test: Move export_env_build_path to util.py fa75ef4328

ci: use Debian Trixie for macOS cross job

This will use Clang & LLVM 19.

91b5cbaabb

guix: patch around riscv issue with newer (2.40+) binutils

See https://sourceware.org/bugzilla/show_bug.cgi?id=28509.
https://sourceware.org/git/?p=glibc.git;a=commit;h=68389203832ab39dd0dbaabbc4059e7fff51c29b.

Needed for the next commit, which bumps the time-machine.

7b5cc276aa

guix: update time-machine to 5cb84f2013c5b1e48a7d0e617032266f1e6059e2

Package updates:
(base) glibc 2.35 -> 2.39
binutils 2.38 -> 2.41
diffutils 3.8 -> 3.10
gawk 5.2.1 -> 5.3.0
git-minimal 2.45.2 -> 2.46.0
grep 3.8 -> 3.11
gzip 1.12 -> 1.13
linux-headers 6.1.106 -> 6.1.119
make 4.3 -> 4.4.1
xz 5.2.8 -> 5.4.5

CMake 3.30 becomes available.
Clang/LLVM 19 becomes available.

9570ddbec9

guix: use Clang & LLVM 19 for macOS build 9f2a6927d3

guix: remove python-pydantic-core input from LIEF

It's propagated by python-pydantic-2.

59c4898994

Merge bitcoin/bitcoin#32313: coins: fix `cachedCoinsUsage` accounting in `CCoinsViewCache`

24d861da7894add47747eff69dd3fc71fbcdd7d0 coins: only adjust `cachedCoinsUsage` on `EmplaceCoinInternalDANGER` insert (Lőrinc)
d7c9d6c2914aadd711544908d0fad8857a809c72 coins: fix `cachedCoinsUsage` accounting to prevent underflow (Lőrinc)
39cf8bb3d0d9ee84544d161bf66d90d5e2a1a140 refactor: remove redundant usage tracking from `CoinsViewCacheCursor` (Lőrinc)
67cff8bec9094e968f36d351fb2e38c9bf563757 refactor: assert newly-created parent cache entry has zero memory usage (Lőrinc)

Pull request description:

  ### Summary

  This PR fixes `cachedCoinsUsage` accounting bugs in `CCoinsViewCache` that caused UBSan `unsigned-integer-overflow` violations during testing. The issues stemmed from incorrect decrement timing in `AddCoin()`, unconditional reset in `Flush()` on failure, and incorrect increment in `EmplaceCoinInternalDANGER()` when insertion fails.

  ### Problems Fixed

  **1. `AddCoin()` underflow on exception**
  - Previously decremented `cachedCoinsUsage` *before* the `possible_overwrite` validation
  - If validation threw, the map entry remained unchanged but counter was decremented
  - This corrupted accounting and later caused underflow
  - **Impact**: Test-only in current codebase, but unsound accounting that could affect future changes

  **2. `Flush()` accounting drift on failure**
  - Unconditionally reset `cachedCoinsUsage` to 0, even when `BatchWrite()` failed
  - Left the map populated while the counter read zero
  - **Impact**: Test-only (production `BatchWrite()` returns `true`), but broke accounting consistency

  **3. Cursor redundant usage tracking**
  - `CoinsViewCacheCursor::NextAndMaybeErase()` subtracted usage when erasing spent entries
  - However, `SpendCoin()` already decremented and cleared the `scriptPubKey`, leaving `DynamicMemoryUsage()` at 0
  - **Impact**: Redundant code that obscured actual accounting behavior

  **4. `EmplaceCoinInternalDANGER()` double-counting**
  - Incremented `cachedCoinsUsage` even when `try_emplace` did not insert (duplicate key)
  - Inflated the counter on duplicate attempts
  - **Impact**: Mostly test-reachable (AssumeUTXO doesn't overwrite in production), but incorrect accounting

  ### Testing

  To reproduce the historical UBSan failures on the referenced baseline and to verify the fix, run:
  ```
  MAKEJOBS="-j$(nproc)" FILE_ENV="./ci/test/00_setup_env_native_fuzz.sh" ./ci/test_run_all.sh
  ```

  The change was tested with the related unit and fuzz test, and asserted before/after each `cachedCoinsUsage` change (in production code and fuzz) that the calculations are still correct by recalculating them from scratch.

  <details>
  <summary>Details</summary>

  ```C++
  bool CCoinsViewCache::CacheUsageValid() const
  {
      size_t actual{0};
      for (auto& entry : cacheCoins | std::views::values) actual += entry.coin.DynamicMemoryUsage();
      return actual == cachedCoinsUsage;
  }
  ```
  or
  ```patch
  diff --git a/src/coins.cpp b/src/coins.cpp
  --- a/src/coins.cpp(revision fd3b1a7f4bb2ac527f23d4eb4cfa40a3215906e5)
  +++ b/src/coins.cpp(revision 872a05633bfdbd06ad82190d7fe34b42d13ebfe9)
  @@ -96,6 +96,7 @@
           fresh = !it->second.IsDirty();
       }
       if (!inserted) {
  +        Assert(cachedCoinsUsage >= it->second.coin.DynamicMemoryUsage());
           cachedCoinsUsage -= it->second.coin.DynamicMemoryUsage();
       }
       it->second.coin = std::move(coin);
  @@ -133,6 +134,7 @@
   bool CCoinsViewCache::SpendCoin(const COutPoint &outpoint, Coin* moveout) {
       CCoinsMap::iterator it = FetchCoin(outpoint);
       if (it == cacheCoins.end()) return false;
  +    Assert(cachedCoinsUsage >= it->second.coin.DynamicMemoryUsage());
       cachedCoinsUsage -= it->second.coin.DynamicMemoryUsage();
       TRACEPOINT(utxocache, spent,
              outpoint.hash.data(),
  @@ -226,10 +228,12 @@
               if (itUs->second.IsFresh() && it->second.coin.IsSpent()) {
                   // The grandparent cache does not have an entry, and the coin
                   // has been spent. We can just delete it from the parent cache.
  +                Assert(cachedCoinsUsage >= itUs->second.coin.DynamicMemoryUsage());
                   cachedCoinsUsage -= itUs->second.coin.DynamicMemoryUsage();
                   cacheCoins.erase(itUs);
               } else {
                   // A normal modification.
  +                Assert(cachedCoinsUsage >= itUs->second.coin.DynamicMemoryUsage());
                   cachedCoinsUsage -= itUs->second.coin.DynamicMemoryUsage();
                   if (cursor.WillErase(*it)) {
                       // Since this entry will be erased,
  @@ -279,6 +283,7 @@
   {
       CCoinsMap::iterator it = cacheCoins.find(hash);
       if (it != cacheCoins.end() && !it->second.IsDirty() && !it->second.IsFresh()) {
  +        Assert(cachedCoinsUsage >= it->second.coin.DynamicMemoryUsage());
           cachedCoinsUsage -= it->second.coin.DynamicMemoryUsage();
           TRACEPOINT(utxocache, uncache,
                  hash.hash.data(),
  ```

  </details>

ACKs for top commit:
  optout21:
    reACK 24d861da7894add47747eff69dd3fc71fbcdd7d0
  andrewtoth:
    ACK 24d861da7894add47747eff69dd3fc71fbcdd7d0
  sipa:
    ACK 24d861da7894add47747eff69dd3fc71fbcdd7d0
  w0xlt:
    ACK https://github.com/bitcoin/bitcoin/pull/32313/commits/24d861da7894add47747eff69dd3fc71fbcdd7d0

Tree-SHA512: ff1b756b46220f278ab6c850626a0f376bed64389ef7f66a95c994e1c7cceec1d1843d2b24e8deabe10e2bdade2a274d9654ac60eb2b9bf471a71db8a2ff496c

f76e1ae389

Merge bitcoin/bitcoin#33469: TxGraph: change m_excluded_clusters

9b43428c96872f0fbbbab4c066c6010fc18c6cc4 TxGraph: change m_excluded_clusters (Greg Sanders)

Pull request description:

  Change BlockBuilderImpl's m_excluded_clusters to unordered set since ordering is not used.

  Change the set to a set of sequence numbers for a modest stability increase under fuzz testing.

ACKs for top commit:
  sipa:
    ACK 9b43428c96872f0fbbbab4c066c6010fc18c6cc4
  marcofleon:
    tACK 9b43428c96872f0fbbbab4c066c6010fc18c6cc4
  glozow:
    ACK 9b43428c96872f0fbbbab4c066c6010fc18c6cc4

Tree-SHA512: 140a492af93f3eff756847a8168aab2624bb7df407f177dde6f3b07e9db2d0ced6b125e2b126f4957ccd054272056bedf74f9f0e64a80d90c16fd94e0fa86a44

e14451ac87

Squashed 'src/leveldb/' changes from aba469ad6a..cad64b151d

cad64b151d Merge bitcoin-core/leveldb-subtree#57: doc: fix typos
157ed16be9 doc: fix typos

git-subtree-dir: src/leveldb
git-subtree-split: cad64b151dabe9ffe9771a54d7c9dbfb3355cefb

f21162d819

Update leveldb subtree to latest master 54ffe3de5b

doc: archive release notes for v28.3 ceea24b921

Merge bitcoin/bitcoin#33642: doc: archive release notes for v28.3

ceea24b92153d799dfaed1874c86d91c5d002d68 doc: archive release notes for v28.3 (fanquake)

Pull request description:

ACKs for top commit:
  stickies-v:
    ACK ceea24b92153d799dfaed1874c86d91c5d002d68 - matches https://github.com/bitcoin/bitcoin/blob/da5f5de4055ecad75490820c0f51db007a0a7d8f/doc/release-notes.md

Tree-SHA512: 56b449c456c221cfb15722356ee3028de8f788c6d35ea6055161024dd03b860a38deeca5f6cf3a70e62a6d02b0d07793fed17aeae514306cdd2bd79aa703f65a

4371740beb

Merge bitcoin/bitcoin#33641: Update leveldb subtree to latest master

f21162d8193319d3cdd43cecd66ee5389632533b Squashed 'src/leveldb/' changes from aba469ad6a..cad64b151d (fanquake)

Pull request description:

  Rather than continue to close PRs/"Send these upstream" i.e: #33638, #33148, #22664, #13781; just fix the typos.

  Includes https://github.com/bitcoin-core/leveldb-subtree/pull/57.

ACKs for top commit:
  l0rinc:
    ACK 54ffe3de5b1d15f10516ea536a12e13cd7d338f3
  cedwies:
    ACK 54ffe3d
  stickies-v:
    ACK 54ffe3de5b1d15f10516ea536a12e13cd7d338f3

Tree-SHA512: cc4d758ee95a1943f14e800472dfef24d5598a1dfafede32300821bc27e02a80ae97ea12ee87643b395b204262c7bc28e64d421a3d375d46bef7782381fd4362

e744fd1249

[doc] correct topology requirements in submitpackage helptext 3d22282564

Merge bitcoin/bitcoin#33630: doc: correct topology requirements in submitpackage helptext

3d222825642bfb052ce40cbc1c69318a0d8835bf [doc] correct topology requirements in submitpackage helptext (glozow)

Pull request description:

  This doc is outdated since #31385. Also made it explicit that a singleton is ok.

  Can be backported to 30.x, but doesn't need to be backported earlier ("if any" covers #31096).

ACKs for top commit:
  janb84:
    ACK 3d222825642bfb052ce40cbc1c69318a0d8835bf
  instagibbs:
    ACK 3d222825642bfb052ce40cbc1c69318a0d8835bf

Tree-SHA512: 95e40630a5b2a571029c0657c20a5e2a1cf1789913b868cee314c1a9fcb9a09fccdd3c87f3f15a8eb95c5ff9b83f8adee0661f86619bf21965866b6f6a76dfd0

d30f149360

build: Move CMAKE_SKIP_INSTALL_RPATH from CMake to Guix script

Remove CMAKE_SKIP_INSTALL_RPATH from CMakeLists.txt and add CMAKE_SKIP_RPATH to the Guix build script. This keeps build-environment-specific settings in the build scripts rather than hardcoded in the CMake configuration.

4b41f99d57

Merge bitcoin/bitcoin#33625: Update secp256k1 subtree to latest master

3cbf7cb3e6ac51492b354732bddbb4f58ce97ed3 Squashed 'src/secp256k1/' changes from b9313c6e1a..d543c0d917 (fanquake)

Pull request description:

  Updates the subtree to https://github.com/bitcoin-core/secp256k1/commit/d543c0d917a76a201578948701cc30ef336e0fe6
  Related to #33284.

ACKs for top commit:
  hebasto:
    ACK 879c21045eba64b3dc875f6f2c2c579abecde1d0.
  janb84:
    ACK 879c21045eba64b3dc875f6f2c2c579abecde1d0

Tree-SHA512: 1802cd84959b5c935170792f458651f30431fe8340ead7966ff381c1c0c3a9f6c21bbb8dd96a07482ffed49642ded49e80b61802e688b8351956b111dffd5a78

0eeae4d174

Merge bitcoin/bitcoin#33633: test: [move-only] binary utils to utils.py

fa75ef4328f638221bcf85fcbefa885122084622 test: Move export_env_build_path to util.py (MarcoFalke)
fa9f495308afdc3c9c1a98a8a28234340986eb53 test: Move get_binary_paths and Binaries to util.py (MarcoFalke)

Pull request description:

  Having the binary related utils sit in the test_framework.py is fine. However, they are mostly stand-alone utils, which may be used externally.

  So move them to utils.py, to allow easier external use. The diff is trivial and can be reviewed via the git options `--color-moved=dimmed-zebra --color-moved-ws=ignore-all-space`.

ACKs for top commit:
  kevkevinpal:
    ACK [fa75ef4](https://github.com/bitcoin/bitcoin/pull/33633/commits/fa75ef4328f638221bcf85fcbefa885122084622)
  Sjors:
    lgtm ACK fa75ef4328f638221bcf85fcbefa885122084622
  yuvicc:
    Code review ACK fa75ef4328f638221bcf85fcbefa885122084622
  janb84:
    ACK fa75ef4328f638221bcf85fcbefa885122084622
  musaHaruna:
    Code Review ACK [fa75ef4](https://github.com/bitcoin/bitcoin/pull/33633/commits/fa75ef4328f638221bcf85fcbefa885122084622)
  enirox001:
    ACK [fa75ef4](https://github.com/bitcoin/bitcoin/commit/fa75ef4328f638221bcf85fcbefa885122084622)

Tree-SHA512: f382118484cb5495e8888214437e72c81727d54f97b3c09dfd996faab6cb6643c4c2d816b89ab82de73fc091c36ed7b8744c7d34a443b6adc415eb06697ef6ea

689ec28d1d

Merge bitcoin/bitcoin#33470: build: Move CMAKE_SKIP_INSTALL_RPATH from CMake to Guix script

4b41f99d57d822dfc258865d1dad03204fe0380f build: Move CMAKE_SKIP_INSTALL_RPATH from CMake to Guix script (Henry Romp)

Pull request description:

  Remove `CMAKE_SKIP_INSTALL_RPATH` from CMakeLists.txt and add `CMAKE_SKIP_RPATH` to the Guix build script. This keeps build-environment-specific settings in the build scripts rather than hardcoded in the CMake configuration.

ACKs for top commit:
  purpleKarrot:
    ACK 4b41f99d57d822dfc258865d1dad03204fe0380f
  janb84:
    re ACK 4b41f99d57d822dfc258865d1dad03204fe0380f

Tree-SHA512: 74d6af382476d731f10f9833978d670e9981c160ba306d0e9d4b1ad1e9b9960b8d03a3b9b608e234edb1c0c2c7a2b4f9f606a2a7887b7a153792159e71ae9b21

abe7cbfe1a

ci: Drop libFuzzer from msan fuzz task fa70e23de7

ci: Remove unused MAYBE_CPUSET

The option is currently unused. If it is used again in the future, it
could trivially be added back.

Also, the logic is just a single undocumented python command one-liner.

So remove it for now.

fa72a2bd5c

ci: Move buildx command to python script

This has a few benefits:

* The shellcheck SC2086 warning is disabled for the whole command, but
  is only needed for the DOCKER_BUILD_CACHE_ARG env var.  So in Python,
  only pass this one env var to shlex.split() for proper word splitting.
* Future logic improvements can be implemented in Python.

The comments are moved, which can be checked via the git options:
--color-moved=dimmed-zebra --color-moved-ws=ignore-all-space

fab64a5d6f

ci: Only write docker build images to Cirrus cache

Other cache providers offer too little space for this to be useful.

fabe0e07de

Merge bitcoin/bitcoin#33370: ci: use Mold linker for asan-lsan-ubsan-integer-no-depends-usdt workflow

f031536f2d267655a0fb40ab84d03e7ffa903d4c ci: use Mold linker for asan-lsan-ubsan-integer-no-depends-usdt workflow (Brandon Odiwuor)

Pull request description:

  Follow up to https://github.com/bitcoin/bitcoin/pull/32888#pullrequestreview-2993523631 and https://github.com/bitcoin/bitcoin/pull/32888#issuecomment-3044773485

  >>Can we use `mold` as a linker in other Linux based system workflows ? dependencies [we have](https://github.com/bitcoin/bitcoin/blob/master/doc/dependencies.md#compiler) seem to satisfy the deps here https://github.com/rui314/mold?tab=readme-ov-file#how-to-build
  >
  > Sure, happy to review a follow-up. Only place to avoid it would probably the ci tasks that mirror the guix build (win-cross, mac-cross)

  Updated the `ASan + LSan + UBSan + integer, no depends, USDT` workflow to use `mold` linker

ACKs for top commit:
  maflcko:
    lgtm ACK f031536f2d267655a0fb40ab84d03e7ffa903d4c

Tree-SHA512: 35a4cb3eec732bee3f18a3ea70e49b1c99b8e88624a0bb28eca8f3d72ed0835af8773307a27c750b89fc6d969ff20dd87b840d755b7fd14d3cb6ab68d9f587b9

c862936d16

test: Use unassigned p2p_port instead of hardcoded 60000 in p2p_i2p_ports.py fa20275db3

ci: Doc ASLR workaround for sanitizer tasks fa0e36156c

Merge bitcoin/bitcoin#33550: Fix windows libc++ `fs::path` `fstream` compile errors

c864a4c1940d682f7eb6fdb3b91b18d638b59330 Simplify fs::path by dropping filename() and make_preferred() overloads (Ryan Ofsky)
b0113afd44b4c7c0d0da9883424bd2978de3d18c Fix windows libc++ fs::path fstream compile errors (Ryan Ofsky)

Pull request description:

  Drop support for passing `fs::path` directly to `std::ifstream` and `std::ofstream` constructors and `open()` functions, because as reported by hebasto in https://github.com/bitcoin/bitcoin/issues/33545, after https://wg21.link/lwg3430 there is no way this can continue to work in windows builds, and there are already compile errors compiling for windows with newer versions of libc++.

  Instead, add an `fs::path::std_path()` method that returns `std::filesystem::path` references and use it where needed.

ACKs for top commit:
  hebasto:
    ACK c864a4c1940d682f7eb6fdb3b91b18d638b59330.
  l0rinc:
    Code review ACK c864a4c1940d682f7eb6fdb3b91b18d638b59330
  maflcko:
    re-ACK c864a4c1940d682f7eb6fdb3b91b18d638b59330 🌥

Tree-SHA512: d22372692ab86244e2b2caf4c5e9c9acbd9ba38df5411606b75e428474eabead152fc7ca1afe0bb0df6b818351211a70487e94b40a17b68db5aa757604a0ddf6

3fee0754a2

ci: add Valgrind fuzz e4b04630bc

Merge bitcoin/bitcoin#33670: test: Use unassigned p2p_port instead of hardcoded 60000 in p2p_i2p_ports.py

fa20275db32c5b9b0fe35effe2d1cf3d958e7310 test: Use unassigned p2p_port instead of hardcoded 60000 in p2p_i2p_ports.py (MarcoFalke)

Pull request description:

  The goal is to fix https://github.com/bitcoin/bitcoin/issues/30030.

  The root cause it unclear. However, hard-coding the port to 60000 does not seem ideal anyway. This could break in an unlikely setting where so many functional tests are run, such that the port is occupied. Also, it could fail when `TEST_RUNNER_PORT_MIN` is set sufficiently high. (This is purely theoretical, as I don't think anyone would run a command like this, but on current master it fails, and on this pull it passes: `TEST_RUNNER_PORT_MIN=60000 ./bld-cmake/test/functional/p2p_i2p_ports.py --portseed=0`)

  So fix those issues (and hopefully also 30030) by using an unoccupied p2p_port.

  The logic is similar to the `extra_port()` logic in the `feature_bind_extra.py` test.

ACKs for top commit:
  laanwj:
    Code review ACK fa20275db32c5b9b0fe35effe2d1cf3d958e7310
  mzumsande:
    ACK fa20275db32c5b9b0fe35effe2d1cf3d958e7310

Tree-SHA512: ac5487ca195db9ca746b78b8add91d0b9ef59cc3be0cdb7fbd9f76d42549eea68a61c32b4f5a162e01f3777959110f9f8d56ff05af6a13a9f61ea5be5b7d8631

c211d18322

Merge bitcoin/bitcoin#33570: randomenv: Fix MinGW dllimport warning for `environ`

9610b0d1e28aeda02a2ddcf1f0591ae577c3e88e randomenv: Fix MinGW dllimport warning for `environ` (Lőrinc)

Pull request description:

  Related to https://github.com/bitcoin/bitcoin/pull/33550#issuecomment-3378978210

  Extends 7703884 to guard environ declaration on all Windows builds, not just MSVC.

  In the `mingw-w64` headers (used by `llvm-mingw`), `environ` is defined as a macro which  expands through [`_environ`](https://github.com/msys2-contrib/mingw-w64/blob/cdb052f1d4056cd510cb83197b55868427b87476/mingw-w64-headers/crt/stdlib.h#L262-L264) to `(* __p__environ())`, a call to a `dllimport` function, causing the same inconsistent linkage warning as MSVC.

  Use `WIN32` instead of `_MSC_VER` to match the platform-specific guards already used throughout the file.

  The warning occurs with `llvm-mingw` (both `UCRT` and `MSVCRT` variants as tested by Hebasto), but not with the `mingw-w64` toolchain currently used in CI (as mentioned by fanquake).

  ----

  The error was reproduced by adding a temporary [nightly build](https://github.com/l0rinc/bitcoin-core-nightly/pull/4) pointing to https://github.com/l0rinc/bitcoin/pull/45. On `master` the failure can be seen in https://github.com/l0rinc/bitcoin-core-nightly/pull/2

  before:
  https://github.com/l0rinc/bitcoin-core-nightly/actions/runs/18327936488/job/52196728885?pr=2

  <details>
  <summary>Details</summary>

  ```
  /home/runner/work/bitcoin-core-nightly/bitcoin-core-nightly/src/randomenv.cpp:61:15: warning: '__p__environ' redeclared without 'dllimport' attribute: previous 'dllimport' ignored [-Winconsistent-dllimport]
     61 | extern char** environ; // NOLINT(readability-redundant-declaration): Necessary on some platforms
        |               ^
  /home/runner/work/bitcoin-core-nightly/bitcoin-core-nightly/llvm_mingw_toolchain/aarch64-w64-mingw32/include/stdlib.h:656:17: note: expanded from macro 'environ'
    656 | #define environ _environ
        |                 ^
  /home/runner/work/bitcoin-core-nightly/bitcoin-core-nightly/llvm_mingw_toolchain/aarch64-w64-mingw32/include/stdlib.h:225:21: note: expanded from macro '_environ'
    225 | #define _environ (* __p__environ())
        |                     ^
  /home/runner/work/bitcoin-core-nightly/bitcoin-core-nightly/llvm_mingw_toolchain/aarch64-w64-mingw32/include/stdlib.h:221:27: note: previous declaration is here
    221 |   _CRTIMP char ***__cdecl __p__environ(void);
        |                           ^
  /home/runner/work/bitcoin-core-nightly/bitcoin-core-nightly/llvm_mingw_toolchain/aarch64-w64-mingw32/include/stdlib.h:221:3: note: previous attribute is here
    221 |   _CRTIMP char ***__cdecl __p__environ(void);
        |   ^
  /home/runner/work/bitcoin-core-nightly/bitcoin-core-nightly/llvm_mingw_toolchain/aarch64-w64-mingw32/include/_mingw.h:52:40: note: expanded from macro '_CRTIMP'
     52 | #      define _CRTIMP  __attribute__ ((__dllimport__))
        |                                        ^
  1 warning generated.
  ```

  </details>

  after:
  https://github.com/l0rinc/bitcoin-core-nightly/actions/runs/18329616268/job/52201940831?pr=4

  <details>
  <summary>Details</summary>

  ```
  [ 28%] Building CXX object src/util/CMakeFiles/bitcoin_util.dir/__/randomenv.cpp.obj
  ```

  </details>

  Note that there are some other remaining warnings in the logs that will be fixed in separate PRs

ACKs for top commit:
  sipa:
    utACK 9610b0d1e28aeda02a2ddcf1f0591ae577c3e88e if this makes the compilers happy
  laanwj:
    Code review ACK 9610b0d1e28aeda02a2ddcf1f0591ae577c3e88e
  hebasto:
    re-ACK 9610b0d1e28aeda02a2ddcf1f0591ae577c3e88e.

Tree-SHA512: a9e39d288b663ed24cbbbae228850e6f02d417d8781a3ac3d0b3db0b7ff734bbd62fddb9f57b8f77daab4e9c016ff66906ebc5fb2de7635ef539ef7f4dc2eaba

98c4994d0f

Merge bitcoin/bitcoin#33639: ci: Only write docker build images to Cirrus cache

fabe0e07de1ad2f26da62f3ebe0e9be3f939b1f8 ci: Only write docker build images to Cirrus cache (MarcoFalke)
fab64a5d6fd7d2c19f73342e11f33d50cddff512 ci: Move buildx command to python script (MarcoFalke)
fa72a2bd5c80d27d4875744dc01bec943e6b43f0 ci: Remove unused MAYBE_CPUSET (MarcoFalke)

Pull request description:

  The `DOCKER_BUILD_CACHE_ARG` env var holds the options on how to use cache providers. Storing the image layers is useful for the Cirrus cache provider, because it offers 10GB per runner (https://cirrus-runners.app/setup/#speeding-up-the-cache). The cached image layers can help to avoid issues when the upstream package manager infra (apt native, apt llvm, pip, apk, git clone, ...) has outages or network issues.

  However, on the GitHub Actions cache provider, a *total* cache of 10GB is offered for the whole repo. This cache must be shared with the depends cache, and the ccache, as well as the previous releases cache. So it is already full and trying to put the docker build layers into it will lead to an overflow.

  Fix it by only writing to the docker cache on Cirrus.

  Also, `DOCKER_BUILD_CACHE_ARG` requires a `shellcheck disable=SC2086` on the full build command. Fix that as well by using `shlex.split` from Python on just this variable.

ACKs for top commit:
  m3dwards:
    ACK fabe0e07de1ad2f26da62f3ebe0e9be3f939b1f8
  cedwies:
    reACK fabe0e0
  l0rinc:
    Code review ACK fabe0e07de1ad2f26da62f3ebe0e9be3f939b1f8
  willcl-ark:
    ACK fabe0e07de1ad2f26da62f3ebe0e9be3f939b1f8

Tree-SHA512: 4f471f080007fdd0c3bc97b0cfe0e9c0457e5029a7ccde1d784d30eb4752e5eb309cd4b122b182bce31f1b986c8a9f3e9a49da1768bedbb2b1f64f70183680ba

1569bcc387

Merge bitcoin/bitcoin#33461: ci: add Valgrind fuzz

e4b04630bcf59ea03c1373777a0167af699f92a4 ci: add Valgrind fuzz (fanquake)

Pull request description:

  Valgrind fuzz runtime?

ACKs for top commit:
  dergoegge:
    ACK e4b04630bcf59ea03c1373777a0167af699f92a4

Tree-SHA512: 0d62da6baf10fb59e3a32df8af72bd0f371e72a725fdea8dfd08f0242634b3c8bcdbf86ff8777ccada0570d13f20ebf8e21a2f935570f3463097b9d411e7b3ce

7d27af98c7

ci: Use os.environ[key] access when value must be set

The other code in this file is using this pattern to throw when a key is
unset, instead of silently returning a None when using os.getenv(key)
with no default value specified.

So use the pattern here as well. As the env vars are always set, this
should be a refactor that does not change the behavior.

fa8e4de5c3

ci: Allow overwriting check option in run() helper

The bool is forced to check=True, but some commands may want to
explicitly use kwargs to disable it.

This refactor is needed for the next commit.

fa4dbe04d7

ci: Retry image building once on failure

The build scripts inside the image retry after a failure. However, there
may be some rare network failures inside the container engine. For
example, when pulling the underlying base image, or when pulling the
docker cache.

Thus, retry after a failure once, which should hopefully fix
https://github.com/bitcoin/bitcoin/issues/33640.

fa6aa9f42f

test: set number of RPC server threads to 2

The default `-rpcthreads` value spawns 16 HTTP server threads for each node.
Running the functional test suite with default `rpcthreads` can exhaust file
descriptors or hit other resource limits very easily.
Moreover, having 16 threads is unnecessary since they are mostly idle. We
run RPC calls on a single RPC connection and wait for it result synchronously.
There is (almost) never two RPC calls occurring concurrently.
Because of this, the threads are mostly idle, so we can safely limit the number
of them to two.

e9cd45e3d3

Merge bitcoin/bitcoin#33674: ci: Doc ASLR workaround for sanitizer tasks

fa0e36156cba535846ae2ecfaaa554d7f14fcdfd ci: Doc ASLR workaround for sanitizer tasks (MarcoFalke)

Pull request description:

  Fixes https://github.com/bitcoin/bitcoin/issues/30674

ACKs for top commit:
  fanquake:
    ACK fa0e36156cba535846ae2ecfaaa554d7f14fcdfd

Tree-SHA512: 9811a35526c707a6b2438e4f15d1ea765c9ecf1786cb37cd23e3bc5d65a25623f276a74b4a70c24492126a87514845111741290fc3095206decf17ee2c52dd2a

11684c9ce2

Merge bitcoin/bitcoin#32266: depends: Avoid `warning: "_FORTIFY_SOURCE" redefined` for `libevent`

fe71a4b139f3a142468c2e931775813bc8f9d2ad depends: Avoid `warning: "_FORTIFY_SOURCE" redefined` for `libevent` (Hennadii Stepanov)

Pull request description:

  On Alpine Linux 3.12.3, compiling the `libevent` package produces multiple warnings:
  ```
  $ gmake -C depends -j $(nproc) libevent
  <snip>
  <command-line>: warning: "_FORTIFY_SOURCE" redefined
  <built-in>: note: this is the location of the previous definition
  <snip>
  ```

  This PR fixes these warnings.

ACKs for top commit:
  shahsb:
    ACK https://github.com/bitcoin/bitcoin/pull/32266/commits/fe71a4b139f3a142468c2e931775813bc8f9d2ad
  maflcko:
    lgtm ACK fe71a4b139f3a142468c2e931775813bc8f9d2ad
  theuni:
    utACK fe71a4b139f3a142468c2e931775813bc8f9d2ad

Tree-SHA512: 0a3ffb2a4cf811bce93addac8e5394cf6b3d79a46245cbdd8488771b9b51e56f66cd9222548138041e69183d52ad4b909d3d1441593f9d79d557d6c000fb324b

1c85d06232

Merge bitcoin/bitcoin#33679: test: set number of RPC server threads to 2

e9cd45e3d3c7592265ebf67387090b3df1501df4 test: set number of RPC server threads to 2 (furszy)

Pull request description:

  The default `-rpcthreads` value spawns 16 HTTP server threads for each node.
  Running the functional test suite with default `rpcthreads` can exhaust file
  descriptors or hit other resource limits very easily (more when tests are run
  in parallel).
  Furthermore, having 16 threads is unnecessary since they are mostly idle. We
  run RPC calls on a single RPC connection and wait for it result synchronously.
  There is (almost) never two RPC calls occurring concurrently.
  Because of this, the threads are mostly idle, so we can safely limit the number
  of them to two.

  Note for reviewers:
  I checked this does not introduce any timing regression but would be good
  to double-check it on your end too. We could add another thread if needed.
  Just the 16 threads default value is too high and unnecessary.

ACKs for top commit:
  maflcko:
    lgtm ACK e9cd45e3d3c7592265ebf67387090b3df1501df4
  l0rinc:
    ACK e9cd45e3d3c7592265ebf67387090b3df1501df4
  kevkevinpal:
    ACK [e9cd45e](https://github.com/bitcoin/bitcoin/pull/33679/commits/e9cd45e3d3c7592265ebf67387090b3df1501df4)
  andrewtoth:
    ACK e9cd45e3d3c7592265ebf67387090b3df1501df4

Tree-SHA512: a777286f4a890fb87f5df72cd2ccfdc628657206a4b3e995044e5a0d12987b8c78a7cf7d684cc4e92605aa782aaeebc44e9f754752c3a524152fac94fa30f4b5

d32f9525e4

doc: mention key removal in rpc interface modification

A discussion in a previous PR 32618 prompted me to add this note.

944e5ff848

Merge bitcoin/bitcoin#33566: miner: fix empty mempool case for waitNext()

8f7673257a1a86717c1d83770dc857fc254df107 miner: fix empty mempool case for waitNext() (Sjors Provoost)

Pull request description:

  Block template fees are calculated by looping over `new_tmpl->vTxFees` and return (early) once the `fee_threshold` is exceeded.

  This left an edge case when the mempool is empty, which this commit fixes and adds a test for.

  Also update `test/functional/interface_ipc.py` to reflect the new behavior,

  Fixes https://github.com/Sjors/sv2-tp/issues/9

ACKs for top commit:
  optout21:
    ACK 8f7673257a1a86717c1d83770dc857fc254df107
  cedwies:
    tACK 8f76732
  sipa:
    utACK 8f7673257a1a86717c1d83770dc857fc254df107
  zaidmstrr:
    Concept ACK [8f76732](https://github.com/bitcoin/bitcoin/pull/33566/commits/8f7673257a1a86717c1d83770dc857fc254df107)

Tree-SHA512: ef200fe95e96f810e425283bc37f945c4bf5efa16f4b74820b8a07968f30c5146bca213a372124be84b48beead5dfd35f2b5d10d188d0a465f847ebab61de10a

211bf6c975

Merge bitcoin/bitcoin#33600: refactor: Construct g_verify_flag_names on first use

faa9d10c84bc6b465cbca266468990cc716b4300 refactor: Construct g_verify_flag_names on first use (MarcoFalke)

Pull request description:

  The current usage of the `g_verify_flag_names` map seems fine and I can not see a static initialization order fiasco here.

  However, it seems brittle to hope this remains the case in the future. Also, it triggers a msan false-positive in the fuzz CI task. (C.f https://github.com/bitcoin-core/qa-assets/actions/runs/18352815555/job/52413137315?pr=241#step:7:5245)

  So just apply the "Construct on first use" idiom.

ACKs for top commit:
  kevkevinpal:
    ACK [faa9d10](https://github.com/bitcoin/bitcoin/pull/33600/commits/faa9d10c84bc6b465cbca266468990cc716b4300)
  ajtowns:
    ACK faa9d10c84bc6b465cbca266468990cc716b4300
  janb84:
    lgtm ACK faa9d10c84bc6b465cbca266468990cc716b4300
  stickies-v:
    ACK faa9d10c84bc6b465cbca266468990cc716b4300

Tree-SHA512: 6685dfc91c99a8245722e07fac99a7a6d58586c30964be7ccd74a176dfbf00c6255c8594621e2909640763924f51d3efd4ce65ed65eaeeb1d05c2fd01fe63604

99cb2054bd

Merge bitcoin/bitcoin#33172: test: p2p block malleability

d0e1bbad016cc4949094daea2934712f92dfeecd test: repeat block malleability test with relayable block over P2P (Musa Haruna)

Pull request description:

  This PR adds a functional test to repeat the existing malleability check for oversized coinbase witness nonce size using a block that is small enough to be relayed over the P2P network.

  This addresses the TODO in test_block_malleability by ensuring behavior is consistent between submitblock RPC and P2P relay.

ACKs for top commit:
  maflcko:
    lgtm ACK d0e1bbad016cc4949094daea2934712f92dfeecd
  janb84:
    re ACK d0e1bbad016cc4949094daea2934712f92dfeecd
  glozow:
    utACK d0e1bbad016cc4949094daea2934712f92dfeecd

Tree-SHA512: 05aec4fade5af8043f40274a8d2f3cf3f540acd038138975bdefbbbc81e105792d6d2588256a2ee5ddb1e05b37fe2d0b3d287160d2dbe86e1aac7cfa9cc02116

70a6fb5e5a

Merge bitcoin/bitcoin#32579: p2p: Correct unrealistic headerssync unit test behavior

cc5dda1de333cf7aa10e2237ee2c9221f705dbd9 headerssync: Make HeadersSyncState more flexible and move constants (Hodlinator)
8fd1c2893e6768223069d8b2fdec033b026cb2eb test(headerssync): Test returning of pow_validated_headers behavior (Hodlinator)
7b00643ef5f932116ee303af9984312b27c040f1 test(headerssync): headers_sync_chainwork test improvements (Hodlinator)
04eeb9578c60ce5661f285f6bde996569fafdcc3 doc(test): Improve comments (Hodlinator)
fe896f8faa7883f33169fe3e6dddb91feaca23e1 refactor(test): Store HeadersSyncState on the stack (Hodlinator)
f03686892a9c07e87e6dd12027d988fe188b1f9e refactor(test): Break up headers_sync_state (Hodlinator)
e984618d0b9946dc11f1087adf22a4cfbf9c1a77 refactor(headerssync): Process spans of headers (Hodlinator)
a4ac9915a95eb865779cf4627dd518d94c01032b refactor(headerssync): Extract test constants ahead of breakup into functions (Hodlinator)

Pull request description:

  ### Background

  As part of the release process we often run *contrib/devtools/headerssync-params.py* and increase the values of the constants `HEADER_COMMITMENT_PERIOD` and `REDOWNLOAD_BUFFER_SIZE` in *src/headerssync.cpp* as per *doc/release-process.md* (example: 11a2d3a63e90cdc1920ede3c67d52a9c72860e6b). This helps fine tune the memory consumption per `HeadersSyncState`-instance in the face of malicious peers.

  (The `REDOWNLOAD_BUFFER_SIZE`/`HEADER_COMMITMENT_PERIOD` ratio determines how many Headers Sync commitment bits must match between PRESYNC & REDOWNLOAD phases before we start permanently storing headers from a peer. For more details see comments in *src/headerssync.h* and *contrib/devtools/headerssync-params.py*).

  ### Problem: Not feeding back headers until completing sync

  During v30 release process #33274 made `REDOWNLOAD_BUFFER_SIZE` exceed the `target_blocks` constant used to control the length of chains generated for testing Headers Sync (`15000`, *headers_sync_chainwork_tests.cpp*).

  The `HeadersSyncState::m_redownloaded_headers`-buffer now does not reach the `REDOWNLOAD_BUFFER_SIZE`-threshold during those unit tests. As a consequence `HeadersSyncState::PopHeadersReadyForAcceptance()` will not start feeding back headers until the PoW threshold has been met. While this will not cause the unit test to start failing on master, it means we have gone from testing behavior that resembles mainnet (way more than `REDOWNLOAD_BUFFER_SIZE` headers to reach the PoW limit), to behavior that is not possible/expected there.

  ### Solution

  Avoid testing this unrealistic condition of completing Headers Sync before reaching `REDOWNLOAD_BUFFER_SIZE` by making tests able to define their own values through the new `HeadersSyncParams` instead of having them hard-coded for all chains & tests.

  ### Commits

  * First 6 commits refactor and improve the unit tests in order to clarify latter changes.
  * We then add checks for the behavior around the `REDOWNLOAD_BUFFER_SIZE` threshold.
  * The main change: we extract the section from *headerssync.cpp* containing the constants to *kernel/chainparams.cpp*, making `HeadersSyncState` no longer hard-coded to mainnet.

  ### Notes

  This PR used to be called "headerssync: Preempt unrealistic unit test behavior".

ACKs for top commit:
  l0rinc:
    reACK cc5dda1de333cf7aa10e2237ee2c9221f705dbd9
  marcofleon:
    code review ACK cc5dda1de333cf7aa10e2237ee2c9221f705dbd9
  danielabrozzoni:
    reACK cc5dda1de333cf7aa10e2237ee2c9221f705dbd9

Tree-SHA512: ccc824dcbbb8ad5ae98c3bf5808b38467aac0230739898a758c9b939eecd74f982df088fa0ba81cc1c1732f19a607b135a6e9577bb9fcf7f8570567ce92f66e6

161864a038

test: Update BIP324 test vectors

based on https://github.com/bitcoin/bips/pull/2016

51877f2fc5

Merge bitcoin/bitcoin#32588: util: Abort on failing CHECK_NONFATAL in debug builds

fa37153288ca420420636046ef6b8c4ba7e5a478 util: Abort on failing CHECK_NONFATAL in debug builds (MarcoFalke)
fa0dc4bdffb06b6f0c192fe1aa02b4dfdcdc6e15 test: Allow testing of check failures (MarcoFalke)
faeb58fe668662d8262c4cc7c54ad2af756dbe3b refactor: Set G_ABORT_ON_FAILED_ASSUME when G_FUZZING_BUILD (MarcoFalke)

Pull request description:

  A failing `CHECK_NONFATAL` will throw an exception. This is fine and even desired in production builds, because the program may catch the exception and give the user a way to easily report the bug upstream.

  However, in debug development builds, exceptions for internal bugs are problematic:

  * The exception could accidentally be caught and silently ignored
  * The exception does not include a full stacktrace, possibly making debugging harder

  Fix all issues by turning the exception into an abort in debug builds.

  This can be tested by reverting the hunks to `src/rpc/node.cpp` and `test/functional/rpc_misc.py` and then running the functional or fuzz tests.

ACKs for top commit:
  achow101:
    ACK fa37153288ca420420636046ef6b8c4ba7e5a478
  ryanofsky:
    Code review ACK fa37153288ca420420636046ef6b8c4ba7e5a478, just catching subprocess.CalledProcessError in test fixing up a comment since last review
  stickies-v:
    ACK fa37153288ca420420636046ef6b8c4ba7e5a478

Tree-SHA512: 2d892b838ccef6f9b25a066e7c2f6cd6f5acc94aad1d91fce62308983bd3f5c5d724897a76de4e3cc5c3678ddadc87e2ee8c87362965373526038e598dfb0101

af78d36512

Merge bitcoin/bitcoin#33666: ci: Drop libFuzzer from msan fuzz task

fa70e23de75baaf8c1ef6836ffe8ca73562c8937 ci: Drop libFuzzer from msan fuzz task (MarcoFalke)

Pull request description:

  libFuzzer is mostly unmaintained (https://llvm.org/docs/LibFuzzer.html#status), and it isn't really needed by the CI tasks. While it provides some additional stats like rss or the max input byte size, they are not essential. Dropping libFuzzer here would also drop the "60 seconds sanity check" for empty folders, but I think this is an acceptable price to pay to silence false-positives that were hit for years.

  Also, there seems to be a history of intermittent false-positive msan warnings (https://github.com/bitcoin/bitcoin/pull/33600#issuecomment-3391921802).

  It is unclear what exactly is causing the false-positives, so just disable libFuzzer in this task for now, to work around them.

ACKs for top commit:
  kevkevinpal:
    ACK [fa70e23](https://github.com/bitcoin/bitcoin/pull/33666/commits/fa70e23de75baaf8c1ef6836ffe8ca73562c8937)
  dergoegge:
    ACK fa70e23de75baaf8c1ef6836ffe8ca73562c8937

Tree-SHA512: c3e5958b8378ba30f51d923f97a84dec2ee60af8b9c2a4f13bc8de486a490031468371120e421384aa198ffec591db554e636935ab3c6d4de5e870238f5079f2

f6ba97cea1

ci: Export the container id in python script

This refactor does not change behavior, but it has a few benefits:

* The shellcheck SC2086 warning is disabled for the whole command, but
  is only needed for the CI_CONTAINER_CAP env var. So in Python, only
  pass this one env var to shlex.split() for proper word splitting.
* Future logic improvements can be implemented in Python.

The comments are moved, which can be checked via the git options:
--color-moved=dimmed-zebra --color-moved-ws=ignore-all-space

fabe516440

ci: Document why IN_GETOPT_BIN env var is needed on macOS

This was added in commit b705bade44973e61655d5f847f49d97fb5bb8393, but I
keep forgetting the background that this is needed for the retry Bash
script. So document it.

5555bce994

test: Use same rpc timeout for authproxy and cli 66667d6512

refactor/doc: Add blockman param to `GetTransaction` doc comment and reorder out param 1a1f46c228

Merge bitcoin/bitcoin#33252: p2p: add `DifferenceFormatter` fuzz target and invariant check

65a10fc3c52ea09a4794345bcf607dff908c783a p2p: add assertion for BlockTransactionsRequest indexes (frankomosh)
58be359f6b240528e4df23296dec65202f28a773 fuzz: add a target for DifferenceFormatter Class (frankomosh)

Pull request description:

  Adds a fuzz test for the [`DifferenceFormatter`](https://github.com/bitcoin/bitcoin/blob/e3f416dbf7633b2fb19c933e5508bd231cc7e9cf/src/blockencodings.h#L22-L42) (used in [`BlockTransactionsRequest`](https://github.com/bitcoin/bitcoin/blob/master/src/blockencodings.h#L44-L54), [BIP 152](https://github.com/bitcoin/bips/blob/master/bip-0152.mediawiki)). The DifferenceFormatter class implements differential encoding for compact block transactions (BIP 152). This PR ensures that its strictly-monotonic property is maintained. It complements the tests in [`blocktransactionsrequest_deserialize`](https://github.com/bitcoin/bitcoin/blob/9703b7e6d563ea58f83a6eca819562365404f4ab/src/test/fuzz/deserialize.cpp#L314).

  Additionally, there's an added invariant check after GETBLOCKTXN deserialization in `net_processing.cpp`.

ACKs for top commit:
  Crypt-iQ:
    tACK 65a10fc3c52ea09a4794345bcf607dff908c783a
  achow101:
    ACK 65a10fc3c52ea09a4794345bcf607dff908c783a
  dergoegge:
    Code review ACK 65a10fc3c52ea09a4794345bcf607dff908c783a

Tree-SHA512: 70659cf045e99bb5f753763c7ddac094cb2883c202c899276cbe616889afa053b2d5e831f99d6386d4d1e4118cd35fa0b14b54667853fe067f6efe2eb77b4097

00ad998d95

Merge bitcoin/bitcoin#32983: rpc: refactor: use string_view in Arg/MaybeArg

b63428ac9ce2c903670409b3e47b9f6730917ae8 rpc: refactor: use more (Maybe)Arg<std::string_view> (stickies-v)
037830ca0dbb6ede9f9d72691c756f4bae6c97e2 refactor: increase string_view usage (stickies-v)
b3bf18f0bac0ffe18206ee20642e11264ba0c99d rpc: refactor: use string_view in Arg/MaybeArg (stickies-v)

Pull request description:

  The `RPCHelpMan::{Arg,MaybeArg}` helpers avoid copying (potentially) large strings by returning them as `const std::string*` (`MaybeArg`) or `const std::string&` (`Arg`). For `MaybeArg`, this has the not-so-nice effect that users need to deal with raw pointers, potentially also requiring new functions (e.g. [`EnsureUniqueWalletName` ](https://github.com/bitcoin/bitcoin/pull/32845/commits/d127b25199118756122232d9aafff19f1922869b#diff-d8bfcfbdd5fa7d5c52d38c1fe5eeac9ce5c5a794cdfaf683585140fa70a32374R32)) with raw pointers being implemented.

  This PR aims to improve on this by returning a trivially copyable `std::string_view` (`Arg`) or `std::optional<std::string_view>` (`MaybeArg`), modernizing the interface without introducing any additional copying overhead. In doing so, it also generalizes whether we return by value or by pointer/reference using `std::is_trivially_copyable_v` instead of defining the types manually.

  In cases where functions currently take a `const std::string&` and it would be too much work / touching consensus logic to update them (`signmessage.cpp`), a `std::string` copy is made (which was already happening anyway).

  The last 2 commits increase usage of the `{Arg,MaybeArg}<std::string_view>` helpers, and could be dropped/pruned if anything turns out to be controversial - I just think it's a nice little cleanup.

ACKs for top commit:
  maflcko:
    re-ACK b63428ac9ce2c903670409b3e47b9f6730917ae8 🎉
  achow101:
    ACK b63428ac9ce2c903670409b3e47b9f6730917ae8
  pablomartin4btc:
    re-ACK [b63428a](https://github.com/bitcoin/bitcoin/commit/b63428ac9ce2c903670409b3e47b9f6730917ae8)
  w0xlt:
    reACK https://github.com/bitcoin/bitcoin/pull/32983/commits/b63428ac9ce2c903670409b3e47b9f6730917ae8

Tree-SHA512: b4942c353a1658c22a88d8c9b402c288ad35265a3b88aa2072b1f9b6d921cd073194ed4b00b807cb48ca440f47c87ef3d8e0dd1a5d814be58fc7743f26288277

c6c4edf324

Merge bitcoin/bitcoin#33336: log: print every script verification state change

45bd8914658a675d00aa9c83373d6903a8a9ece8 log: split assumevalid ancestry-failure-reason message (Lőrinc)
6c13a38ab51caf1fa7502f746e33bbf86153a541 log: separate script verification reasons (Lőrinc)
f2ea6f04e79b6646b9320a910694a22c5520977d refactor: untangle assumevalid decision branches (Lőrinc)
9bc298556cb02cfa1382bbaa9e5638006b403576 validation: log initial script verification state (Lőrinc)
4fad4e992c49a532e3a8928965f242cb311eeb29 test: add assumevalid scenarios scaffold (Lőrinc)
91ac64b0a66fc792eabd0a9bb5bb22459c852c6d log: reword `signature validations` to `script verification` in `assumevalid` log (Lőrinc)

Pull request description:

  ### Summary

  Users can encounter cases where script checks are unexpectedly enabled (e.g. after reindex, or when `assumevalid`/`minimumchainwork` gates fail). Without an explicit line, they must infer state from the absence of a message, which is incomplete and error-prone.
  The existing "Assuming ancestors of block …" line does not reliably indicate whether script checks are actually enabled, which makes debugging/benchmarking confusing.

  ### What this changes

  We make the initial **script-verification** state explicit and log **why** checks are enabled to avoid confusion.
  * Always log the first script-verification state on startup, **before** the first `UpdateTip`.
  * Flatten the nested `assumevalid` conditionals into a linear gating sequence for readability.
  * Extend the functional test to assert the old behavior with the new reason strings.

  This is a **logging-only** test change it shouldn't change any other behavior.

  ### Example output

  The state (with reason) is logged at startup and whenever the reason changes, e.g.:

  * `Disabling script verification at block #904336 (000000000000000000014106b2082b1a18aaf3091e8b337c6fed110db8c56620).`
  * `Enabling script verification at block #912527 (000000000000000000010bb6aa3ecabd7d41738463b6c6621776c2e40dbe738a): block too recent relative to best header.`
  * `Enabling script verification at block #912684 (00000000000000000001375cf7b90b2b86e559d05ed92ca764d376702ead3858): block height above assumevalid height.`

  ------

  Follow-up to https://github.com/bitcoin/bitcoin/pull/32975#discussion_r2329269037

ACKs for top commit:
  Eunovo:
    re-ACK https://github.com/bitcoin/bitcoin/pull/33336/commits/45bd8914658a675d00aa9c83373d6903a8a9ece8
  achow101:
    ACK 45bd8914658a675d00aa9c83373d6903a8a9ece8
  hodlinator:
    re-ACK 45bd8914658a675d00aa9c83373d6903a8a9ece8
  yuvicc:
    ACK 45bd8914658a675d00aa9c83373d6903a8a9ece8
  andrewtoth:
    ACK 45bd8914658a675d00aa9c83373d6903a8a9ece8
  ajtowns:
    ACK 45bd8914658a675d00aa9c83373d6903a8a9ece8

Tree-SHA512: 58328d7c418a6fe18f1c7fe1dd31955bb6fce8b928b0df693f6200807932eb5933146300af886a80a1d922228d93faf531145186dae55ad4ad1f691970732eca

0eb554728c

Merge bitcoin/bitcoin#33210: fuzz: enhance wallet_fees by mocking mempool stuff

5ded99a7f007b142f6b0ec89e0c71ef281b42684 fuzz: MockMempoolMinFee in wallet_fees (brunoerg)
c9a7a198d9e81e99de99a2aaff1687d13d6674e8 test: move MockMempoolMinFee to util/txmempool (brunoerg)
adf67eb21baf39a222b65480e45ae76f093e8f66 fuzz: create FeeEstimatorTestingSetup to set fee_estimator (brunoerg)
ff10a37e99271125a9ece92bae571f7b78fb9e22 fuzz: mock CBlockPolicyEstimator in wallet_fuzz (brunoerg)
f591c3becafcdd7c81722c647865a1f908b6469a fees: make estimateSmartFee/HighestTargetTracked virtual for mocking (brunoerg)
19273d0705fcd2fbde686bc3b5b2375f691e303d fuzz: set mempool options in wallet_fees (brunoerg)

Pull request description:

  Some functions in `wallet/fees.cpp` (fuzzed by the wallet_fees target) depends on some mempool stuff - e.g. relay current min fee, smart fee and max blocks estimation, relay dust fee and other ones. For better fuzzing of it, it would be great to have these values/interactions. That said, this PR enhances the `wallet_fees` target by:

  - Setting mempool options - `min_relay_feerate`,  `dust_relay_feerate` and `incremental_relay_feerate` - when creating the `CTxMemPool`.
  - Creates a `ConsumeMempoolMinFee` function which is used to have a mempool min fee (similar approach from `MockMempoolMinFee` from unit test).
  - Mock `CBlockPolicyEstimator` - estimateSmartFee/HighestTagretTracket functions, especifically. It's better to mock it then trying to interact to CBlockPolicyEstimator in order to have some effective values due to performance.

  Note that I created `FeeEstimatorTestingSetup` because we cannot set `m_node.fee_estimator` in `ChainTestingSetup` since fae8c73d9e4eba4603447bb52b6e3e760fbf15f8.

ACKs for top commit:
  maflcko:
    re-ACK 5ded99a7f007b142f6b0ec89e0c71ef281b42684 🎯
  ismaelsadeeq:
    Code review ACK 5ded99a7f007b142f6b0ec89e0c71ef281b42684

Tree-SHA512: 13d2af042098afd237ef349437021ea841069d93d4c3e3a32e1b562c027d00c727f375426709d34421092993398caf7ba8ff19077982cb6f470f8938a44e7754

1916c51cd8

Merge bitcoin/bitcoin#32813: clang-format: make formatting deterministic for different formatter versions

13f36c020f0329b5e975282b45292fdf2a495e31 clang-format: regenerate configs (Lőrinc)

Pull request description:

  Updates `.clang-format` file to reflect [latest supported Clang-Format standards](https://releases.llvm.org/16.0.0/tools/clang/docs/ClangFormatStyleOptions.html) while preserving most of the existing formatting behavior.

  Note that [`AfterStruct` brace placement](https://github.com/bitcoin/bitcoin/pull/32414#discussion_r2072678126) was originally aligned here with `AfterClass`, but was reverted by reviewer demand.

ACKs for top commit:
  maflcko:
    re-ACK 13f36c020f0329b5e975282b45292fdf2a495e31 🖼
  achow101:
    ACK 13f36c020f0329b5e975282b45292fdf2a495e31
  hodlinator:
    re-ACK 13f36c020f0329b5e975282b45292fdf2a495e31

Tree-SHA512: 02bd9d8a22a9af268297aeddd1f2b2cce079fddd0e1f764d6e9650bb614cb7bcfbd20b38d6e4e5db1744b3dd1ba540380010c085f2cbc0be8aa936f21d27d8de

f54ffb4bc1

fees: refactor: rename policy_fee_tests.cpp to feerounder_tests.cpp

- Also remame the test suite name to match the new name.

6dfdd7e034

fees: refactor: rename fees to block_policy_estimator

- Also move it to policy/fees and update the includes

06db08a435

fees: rename fees_args to block_policy_estimator_args

- Also move them to policy/fees/ and update includes
- Note: the block_policy_estimator_args.h include in block_policy_estimator_args.cpp was done manually.

ab49480d9b

fees: return current block height in estimateSmartFee 1a7fb5eeee

Merge bitcoin/bitcoin#33688: test: Update BIP324 test vectors

51877f2fc5eb02b4229258b4b43731c4da843793 test: Update BIP324 test vectors (Tim Ruffing)

Pull request description:

  This updates the hardcoded test vectors from BIP324. The test vectors had to be regenerated (in the aux files of the BIP) because there was a bug in the script used for generating them (https://github.com/bitcoin/bips/pull/2016).

ACKs for top commit:
  jonatack:
    ACK 51877f2fc5eb02b4229258b4b43731c4da843793
  theStack:
    ACK 51877f2fc5eb02b4229258b4b43731c4da843793

Tree-SHA512: 59f4075e286067b11fce98667c860f3083b6cca8a2e49da8783ccdce8e32c34fd3e1943191d24dcf5bb68d8a2540726d99f7c29e8b0f104032ccb82423ca8d82

9bd9ec00b2

ci: remove Python version comment from mac config 865432869c

ci: use pycapnp 2.2.1 in mac native job

Drop using the git clone & install.

53b34c80c6

Merge bitcoin/bitcoin#29640: Fix tiebreak when loading blocks from disk (and add tests for comparing chain ties)

0465574c127907df9b764055a585e8281bae8d1d test: Fixes send_blocks_and_test docs (Sergi Delgado Segura)
09c95f21e71d196120e6c9d0b1d1923a4927408d test: Adds block tiebreak over restarts tests (Sergi Delgado Segura)
18524b072e6bdd590a9f6badd15d897b5ef5ce54 Make nSequenceId init value constants (Sergi Delgado Segura)
8b91883a23aac64a37d929eeae81325e221d177d Set the same best tip on restart if two candidates have the same work (Sergi Delgado Segura)
5370bed21e0b04feca6ec09738ecbe792095a338 test: add functional test for complex reorgs (Pieter Wuille)
ab145cb3b471d07a2e8ee79edde46ec67f47d580 Updates CBlockIndexWorkComparator outdated comment (Sergi Delgado Segura)

Pull request description:

  This PR grabs some interesting bits from https://github.com/bitcoin/bitcoin/pull/29284 and fixes some edge cases in how block tiebreaks are dealt with.

  ## Regarding #29284

  The main functionality from the PR was dropped given it was not an issue anymore, however, reviewers pointed out some comments were outdated https://github.com/bitcoin/bitcoin/pull/29284#discussion_r1522023578 (which to my understanding may have led to thinking that there was still an issue) it also added test coverage for the aforementioned case which was already passing on master and is useful to keep.

  ## New functionality

  While reviewing the superseded PR, it was noticed that blocks that are loaded from disk may face a similar issue (check https://github.com/bitcoin/bitcoin/pull/29284#issuecomment-1994317785 for more context).

  The issue comes from how tiebreaks for equal work blocks are handled: if two blocks have the same amount of work, the one that is activatable first wins, that is, the one for which we have all its data (and all of its ancestors'). The variable that keeps track of this, within `CBlockIndex` is `nSequenceId`, which is not persisted over restarts. This means that when a node is restarted, all blocks loaded from disk are defaulted the same `nSequenceId`: 0.
  Now, when trying to decide what chain is best on loading blocks from disk, the previous tiebreaker rule is not decisive anymore, so the `CBlockIndexWorkComparator` has to default to its last rule: whatever block is loaded first (has a smaller memory address).

  This means that if multiple same work tip candidates were available before restarting the node, it could be the case that the selected chain tip after restarting does not match the one before.

  Therefore, the way `nSequenceId` is initialized is changed to:

  - 0 for blocks that belong to the previously known best chain
  - 1 to all other blocks loaded from disk

ACKs for top commit:
  sipa:
    utACK 0465574c127907df9b764055a585e8281bae8d1d
  TheCharlatan:
    ACK 0465574c127907df9b764055a585e8281bae8d1d
  furszy:
    Tested ACK 0465574c127907df9b764055a585e8281bae8d1d.

Tree-SHA512: 161da814da03ce10c34d27d79a315460a9c98d019b85ee35bc5daa991ed3b6a2e69a829e421fc70d093a83cf7a2e403763041e594df39ed1991445e54c16532a

56e9703968

Merge bitcoin/bitcoin#32504: test: descriptor: cover invalid multi/multi_a cases

58e55b17e632dbd4425dd64825b087f242ac4b7b test: descriptor: cover invalid multi/multi_a cases (brunoerg)

Pull request description:

  This PR adds test coverage for invalid `multi()` and `multi_a()` cases, see:

  1. https://github.com/bitcoin/bitcoin/blob/53eb5593f0a1a8ae5cf0fabea58e2f22193a5c55/src/script/descriptor.cpp#L1819-L1821

  2.  https://github.com/bitcoin/bitcoin/blob/53eb5593f0a1a8ae5cf0fabea58e2f22193a5c55/src/script/descriptor.cpp#L1835-L1837

  3. https://github.com/bitcoin/bitcoin/blob/53eb5593f0a1a8ae5cf0fabea58e2f22193a5c55/src/script/descriptor.cpp#L1838-L1840

  We could also exercise to exceed the number of keys - 20 for `multi` and 999 for `multi_a`.

ACKs for top commit:
  maflcko:
    lgtm ACK 58e55b17e632dbd4425dd64825b087f242ac4b7b
  darosior:
    utACK 58e55b17e632dbd4425dd64825b087f242ac4b7b
  glozow:
    ACK 58e55b17e632dbd4425dd64825b087f242ac4b7b

Tree-SHA512: 0983e9c70e4bef13fa21b2e22e17c2e86eda0950f6271a42b24b91eef22c3277659a862a78bd511c9e14c92859070b3bf2968cfa24de0a1397de1f824946c757

5e1f626ac3

Merge bitcoin/bitcoin#31514: wallet: allow label for non-ranged external descriptor (if `internal=false`) & disallow label for ranged descriptors

664657ed134365588914c2cf6a3975ce368a4f49 bugfix: disallow label for ranged descriptors & allow external non-ranged descriptors to have label (scgbckbone)

Pull request description:

  Motivation:
  * ranged descriptors MUST not be able to have label (current impl allows it)
  * external non-ranged descriptor MUST be able to have label (current impl disallows it, **if** `internal=false` is provided via importdescriptor user data)

  Repro steps:
  * create blank wallet and import descriptors
  * external has `label=test` (not internal)
  ```
      conn = bitcoind.create_wallet(wallet_name=w_name, disable_private_keys=True, blank=True,
                                    passphrase=None, avoid_reuse=False, descriptors=True)
      descriptors = [
          {
              "timestamp": "now",
              "label": "test",
              "active": True,
              "desc": "wpkh([0f056943/84h/1h/0h]tpubDC7jGaaSE66Pn4dgtbAAstde4bCyhSUs4r3P8WhMVvPByvcRrzrwqSvpF9Ghx83Z1LfVugGRrSBko5UEKELCz9HoMv5qKmGq3fqnnbS5E9r/0/*)#erexmnep",
              "internal": False
          },
          {
              "desc": "wpkh([0f056943/84h/1h/0h]tpubDC7jGaaSE66Pn4dgtbAAstde4bCyhSUs4r3P8WhMVvPByvcRrzrwqSvpF9Ghx83Z1LfVugGRrSBko5UEKELCz9HoMv5qKmGq3fqnnbS5E9r/1/*)#ghu8xxfe",
              "active": True,
              "internal": True,
              "timestamp": "now"
          },
      ]
      r = conn.importdescriptors(descriptors)
      print(r)
  ```
  response:
  ```
  [{'error': {'code': -8,
              'message': 'Internal addresses should not have a label'},
    'success': False,
    'warnings': ['Range not given, using default keypool range']},
   {'success': True,
    'warnings': ['Range not given, using default keypool range']}]
  ```
  But in above, ONLY external has a label.

  If you remove `internal: False` from external descriptor import object - it will import no problem:
  ```
  [{'success': True,
    'warnings': ['Range not given, using default keypool range']},
   {'success': True,
    'warnings': ['Range not given, using default keypool range']}]

  ```
  Even tho it should NOT, as the descriptor is ranged. Current implementation relies on checking user provided data to decide whether desc is ranged.

ACKs for top commit:
  achow101:
    ACK 664657ed134365588914c2cf6a3975ce368a4f49
  rkrux:
    lgtm crACK 664657ed134365588914c2cf6a3975ce368a4f49

Tree-SHA512: 9e70aea620019c29950ba417d4ae38d65cd94a4f6fcabbc021d67b031de1c44c27d6f6f5cb7e6950a099eb6e58bed9be764d4c6347195daeccb14a5d95c123b2

80bb7012be

Merge bitcoin/bitcoin#33185: guix: update time-machine to 5cb84f2013c5b1e48a7d0e617032266f1e6059e2

59c4898994bde3d86168075f0031c9d5a9ac5c8f guix: remove python-pydantic-core input from LIEF (fanquake)
9f2a6927d3a9fc1ac536f8fb24a89582e39f24d6 guix: use Clang & LLVM 19 for macOS build (fanquake)
9570ddbec9cb20c268f78ff5e581a65e00864773 guix: update time-machine to 5cb84f2013c5b1e48a7d0e617032266f1e6059e2 (fanquake)
7b5cc276aa0a7aeea7e535b0fd30a0b6811000d9 guix: patch around riscv issue with newer (2.40+) binutils (fanquake)
91b5cbaabbca49a8bd9df6da2506070b31482892 ci: use Debian Trixie for macOS cross job (fanquake)

Pull request description:

  https://codeberg.org/guix/guix/commit/5cb84f2013c5b1e48a7d0e617032266f1e6059e2 isn't super recent, but it's enough to get access to some newer packages, such as LLVM 19, and avoids having to add any further work arounds for things that we know are fixed later (i.e nsis). Once things upstream have stabilized a bit more (the `core-updates` branch was fairly recently merged), we could look at bumping to something newer.

  Package updates:
  (base) glibc 2.35 -> 2.39
  binutils 2.38 -> 2.41
  diffutils 3.8 -> 3.10
  gawk 5.2.1 -> 5.3.0
  git-minimal 2.45.2 -> 2.46.0
  grep 3.8 -> 3.11
  gzip 1.12 -> 1.13
  linux-headers 6.1.106 -> 6.1.119
  make 4.3 -> 4.4.1
  xz 5.2.8 -> 5.4.5

  CMake 3.30 becomes available.
  Clang/LLVM 19 becomes available.

  Could be used for #32764.

ACKs for top commit:
  hebasto:
    re-ACK 59c4898994bde3d86168075f0031c9d5a9ac5c8f.
  willcl-ark:
    ACK 59c4898994bde3d86168075f0031c9d5a9ac5c8f

Tree-SHA512: c44965d5a315e4c862f5e40d8e98c645713405fec72a61055f95b6c68b7d2dcc69a61a084e397a4556d4c1df18f1cfa7a905234643fe4a7df9c58d486e26c097

27cd7f5049

Merge bitcoin/bitcoin#31308: ci, iwyu: Treat warnings as errors for specific directories

02d2b5a11c921ef71c971ee80eb3dfbc75c8cb0d ci, iwyu: Treat warnings as errors for specific directories (Hennadii Stepanov)
57a3eac387bd26689aed7682b248b648dba42779 refactor: Fix includes in `index` directory (Hennadii Stepanov)
bdb8eadcdc193f398ebad83911d3297b5257e721 refactor: Fix includes in `crypto` directory (Hennadii Stepanov)
56f2a689a2016ba2ae9cc40833447dff648af809 ci: Do not patch `leveldb` to workaround UB in "tidy" CI job (Hennadii Stepanov)

Pull request description:

  This PR is the first step towards treating IWYU warnings as errors. At this stage, it applies only to the `crypto` and `index` directories.

ACKs for top commit:
  maflcko:
    re-ACK 02d2b5a11c921ef71c971ee80eb3dfbc75c8cb0d 💮
  ryanofsky:
    Code review ACK 02d2b5a11c921ef71c971ee80eb3dfbc75c8cb0d. Just rebased and update tidy patch comment again since last review
  willcl-ark:
    ACK 02d2b5a11c921ef71c971ee80eb3dfbc75c8cb0d

Tree-SHA512: 1c966e01c47bf3e7d225faa3b819367f757430e2d71e9582fa82d67307aabe3f0d76f69346ee180192e7f5ab194ecc58d2b8ecf178eab26ba3309a6b55bff4b6

24434c1284

ci: Update Clang in "tidy" job

This change updates to IWYU 0.25, which is compatible with Clang 21.
Fixes new "modernize-use-default-member-init" warnings.
The warning in `interpreter.cpp` is a false positive, so it has been
suppressed.

5efdb0ef30

clang-tidy: Disable `ArrayBound` check in src/ipc and src/test 5d784bebaf

Merge bitcoin/bitcoin#32867: doc: mention key removal in rpc interface modification

944e5ff848f656d2ee6202b2330f3ae178ad0fbe doc: mention key removal in rpc interface modification (rkrux)

Pull request description:

  A discussion in a previous PR 32618 prompted me to add this note: https://github.com/bitcoin/bitcoin/pull/32618#discussion_r2181951390

  <!--
  *** Please remove the following help text before submitting: ***

  Pull requests without a rationale and clear improvement may be closed
  immediately.

  GUI-related pull requests should be opened against
  https://github.com/bitcoin-core/gui
  first. See CONTRIBUTING.md
  -->

  <!--
  Please provide clear motivation for your patch and explain how it improves
  Bitcoin Core user experience or Bitcoin Core developer experience
  significantly:

  * Any test improvements or new tests that improve coverage are always welcome.
  * All other changes should have accompanying unit tests (see `src/test/`) or
    functional tests (see `test/`). Contributors should note which tests cover
    modified code. If no tests exist for a region of modified code, new tests
    should accompany the change.
  * Bug fixes are most welcome when they come with steps to reproduce or an
    explanation of the potential issue as well as reasoning for the way the bug
    was fixed.
  * Features are welcome, but might be rejected due to design or scope issues.
    If a feature is based on a lot of dependencies, contributors should first
    consider building the system outside of Bitcoin Core, if possible.
  * Refactoring changes are only accepted if they are required for a feature or
    bug fix or otherwise improve developer experience significantly. For example,
    most "code style" refactoring changes require a thorough explanation why they
    are useful, what downsides they have and why they *significantly* improve
    developer experience or avoid serious programming bugs. Note that code style
    is often a subjective matter. Unless they are explicitly mentioned to be
    preferred in the [developer notes](/doc/developer-notes.md), stylistic code
    changes are usually rejected.
  -->

  <!--
  Bitcoin Core has a thorough review process and even the most trivial change
  needs to pass a lot of eyes and requires non-zero or even substantial time
  effort to review. There is a huge lack of active reviewers on the project, so
  patches often sit for a long time.
  -->

ACKs for top commit:
  maflcko:
    lgtm ACK 944e5ff848f656d2ee6202b2330f3ae178ad0fbe
  stickies-v:
    ACK 944e5ff848f656d2ee6202b2330f3ae178ad0fbe
  glozow:
    lgtm ACK 944e5ff848f656d2ee6202b2330f3ae178ad0fbe

Tree-SHA512: f64c086c99e7c73a3ae7d60b2e8e06c8e7a3a49305a66d5c5a96db9b4ebbd01928ab5ccbcbdac26f400d16662f84469c448625e1f55ec2a9a920eff8a05fc379

de15e52f09

Merge bitcoin/bitcoin#33218: refactor: rename `fees.{h,cpp}` to `fees/block_policy_estimator.{h,cpp}`

1a7fb5eeeef3575c1e7c27915c9b98695191299d fees: return current block height in estimateSmartFee (ismaelsadeeq)
ab49480d9be4e54aa9db1247b8499f957ba9d166 fees: rename fees_args to block_policy_estimator_args (ismaelsadeeq)
06db08a43568910702207a7963b375e1a7446689 fees: refactor: rename fees to block_policy_estimator (ismaelsadeeq)
6dfdd7e034dd3620f0f8ed54dfe20fa407b5382f fees: refactor: rename policy_fee_tests.cpp to feerounder_tests.cpp (ismaelsadeeq)

Pull request description:

  This PR is a simple refactoring that does four things:

  1. Renames `test/policy_fee_tests.cpp` to `test/feerounder_tests.cpp`.
  2. Renames `policy/fees.{h,cpp}` to `policy/fees/block_policy_estimator.{h,cpp}`.
  3. Renames `policy/fees_args.cpp` to `policy/fees/block_policy_estimator_args.cpp`.
  4. Modifies `estimateSmartFee` to return the block height at which the estimate was made by adding a `best_height` unsigned int value to the `FeeCalculation` struct.

  **Motivation**

  In preparation for adding a new fee estimator, the `fees` directory is created so we can organize code into `block_policy_estimator` and `mempool` because

  a) It would be clunky to add more code directly under `fees`.
  b) Having `policy/fees.{h,cpp}` and `policy/mempool.{h,cpp}` would also be undesirable.

  Therefore, it makes sense to structure the it as `policy/fees/block_policy_estimator`, `policy/fees/mempool`, etc.
  Hence test file were also updated accordingly.

  The current block height is also returned because later in #30157 we log the height at which each estimate is made (at the debug log category of  fee estimation :) ). This feature is particularly useful for empirical data analysis.

ACKs for top commit:
  maflcko:
    re-ACK 1a7fb5eeeef3575c1e7c27915c9b98695191299d 🐤
  polespinasa:
    re ACK 1a7fb5eeeef3575c1e7c27915c9b98695191299d
  willcl-ark:
    ACK 1a7fb5eeeef3575c1e7c27915c9b98695191299d
  janb84:
    re ACK 1a7fb5eeeef3575c1e7c27915c9b98695191299d

Tree-SHA512: fef7ace2a9f262ec0361fb7a46df5108afc46b5c4b059caadf2fd114740aefbb2592389d11646c13d0e28bf0ef2cfcfbab3e659c4d4288b8ebe64725fd1963c0

1abc8fa308

Merge bitcoin/bitcoin#33546: test: add functional test for `TestShell` (matching doc example)

57f7c68821d96cc096db624cb06b7a252d038300 test: add functional test for `TestShell` (matching doc example) (Sebastian Falbesoner)
53874f7934d50f68ea46df68b2bcd11bad834730 doc: test: update TestShell example instructions/options (Sebastian Falbesoner)

Pull request description:

  This PR adds a functional framework test for the `TestShell` class. The primary motivation for this is to avoid that the example instructions for the interactive Python shell in `test-shell.md` get outdated or broken without noticing, a problem we had already several times in the past (see #26520, #27906, #31415). Having a copy is still not perfect, as docs and functional test have to be kept in sync, but I don't expect this to be a problem in practice, assuming the hint in the functional test comment is hopefully noticed if changes are made.

  Alternatively, the example instructions in `test-shell.md` could be removed with a hint to the functional test (I tend to prefer to keep the docs as-is though, showing the full REPL interaction).

  The first commit contain two small removal fix-ups in `test-shell.md` regarding the result of the `createwallet` RPC call and the mentioning of the `noshutdown` option that was removed earlier (see #31620). Could be backported to v30.

ACKs for top commit:
  brunoerg:
    ACK 57f7c68821d96cc096db624cb06b7a252d038300
  stratospher:
    ACK 57f7c68.
  pinheadmz:
    ACK 57f7c68821d96cc096db624cb06b7a252d038300

Tree-SHA512: 25c35af46b742bbefce7838708437529bbf613fa3d1f0fba590cacef0acdde82b3a78c7a01459c73eaac26ce3f1041e54092d098f0fc94a8c76ac0b4f4970338

5a58d4915e

Merge bitcoin/bitcoin#32380: Modernize use of UTF-8 in Windows code

53e4951a5b5b9d166d278db4240513d09b447f58 Switch to ANSI Windows API in `fsbridge::fopen()` function (Hennadii Stepanov)
dbe770d9210666a366f055d52b9f34fa8a3d7305 Switch to ANSI Windows API in `Win32ErrorString()` function (Hennadii Stepanov)
06d0be4e22cef08fd7517f42ee82a44475c6363b Remove no longer necessary `WinCmdLineArgs` class (Hennadii Stepanov)
f366408492f6205ee20fe23e5104813de45dd4b1 cmake: Set process code page to UTF-8 on Windows (Hennadii Stepanov)
dccbb178065f05810a0fad57a86bca2f10995ecf Set minimum supported Windows version to 1903 (May 2019 Update) (Hennadii Stepanov)

Pull request description:

  The main goal is to remove [deprecated](https://github.com/bitcoin/bitcoin/issues/32361) code (removed in C++26).

  This PR employs Microsoft's modern [approach](https://learn.microsoft.com/en-us/windows/apps/design/globalizing/use-utf8-code-page) to handling UTF-8:
  > Until recently, Windows has emphasized "Unicode" -W variants over -A APIs. However, recent releases have used the ANSI code page and -A APIs as a means to introduce UTF-8 support to apps. If the ANSI code page is configured for UTF-8, then -A APIs typically operate in UTF-8. This model has the benefit of supporting existing code built with -A APIs without any code changes.

  TODO:
  - [x] Handle application manifests properly when building with MSVC.
  - [x] Bump the minimum supported Windows version to 1903 (May 2019 Update).
  - [x] Remove all remaining use cases of the deprecated `std:wstring_convert`.
      - The instance in `subprocess.h` will be addressed in a follow-up PR, as additional tests are likely needed.
      - The usage in `common/system.cpp` is handled in https://github.com/bitcoin/bitcoin/pull/32566.

  Resolves partially https://github.com/bitcoin/bitcoin/issues/32361.

ACKs for top commit:
  laanwj:
    re-ACK 53e4951a5b5b9d166d278db4240513d09b447f58
  hodlinator:
    re-ACK 53e4951a5b5b9d166d278db4240513d09b447f58
  davidgumberg:
    untested crACK https://github.com/bitcoin/bitcoin/commit/53e4951a5b5b9d166d278db4240513d09b447f58

Tree-SHA512: 0dbe9badca8b979ac2b4814fea6e4a7e53c423a1c96cb76ce894253137d3640a87631a5b22b9645e8f0c2a36a107122eb19ed8e92978c17384ffa8b9ab9993b5

3bb30658e6

Merge bitcoin/bitcoin#33693: ci: use pycapnp 2.2.1

53b34c80c631ee3f5ae652315592924f6935e0f1 ci: use pycapnp 2.2.1 in mac native job (fanquake)
865432869c0d20482d2869abef4d0ac6aaf4deb0 ci: remove Python version comment from mac config (fanquake)

Pull request description:

  Switch to using v2.2.1 in the mac native job. Remove the git clone & install step.

ACKs for top commit:
  maflcko:
    lgtm ACK 53b34c80c631ee3f5ae652315592924f6935e0f1
  l0rinc:
    crACK 53b34c80c631ee3f5ae652315592924f6935e0f1
  hebasto:
    ACK 53b34c80c631ee3f5ae652315592924f6935e0f1.

Tree-SHA512: e756694c14431aacb3e48104331da88285c7500b4c4599c698f50d721d428ffe61258be075ef526b93c15aa3331f38535ca95249a2ef3ebfc804f61479095d9b

dd82c6c5d0

Merge bitcoin/bitcoin#33677: ci: Retry image building once on failure

5555bce994b648f836c35a02570f22ae9ad36da3 ci: Document why IN_GETOPT_BIN env var is needed on macOS (MarcoFalke)
fabe516440c96bb7a6a6902195684d3802d64139 ci: Export the container id in python script (MarcoFalke)
fa6aa9f42faac78aefee98af3a536ae7113ab61e ci: Retry image building once on failure (MarcoFalke)
fa4dbe04d7824f58a0083b07e86912d33efc9f7e ci: Allow overwriting check option in run() helper (MarcoFalke)
fa8e4de5c31dc7dceb3f12143aab0d1c46cdb080 ci: Use os.environ[key] access when value must be set (MarcoFalke)

Pull request description:

  This should fix https://github.com/bitcoin/bitcoin/issues/33640.

  It also contains a few refactor cleanups, which are explained in the corresponding commits.

ACKs for top commit:
  l0rinc:
    Code review reACK 5555bce994b648f836c35a02570f22ae9ad36da3
  kevkevinpal:
    ACK [5555bce](https://github.com/bitcoin/bitcoin/pull/33677/commits/5555bce994b648f836c35a02570f22ae9ad36da3)
  davidgumberg:
    crACK https://github.com/bitcoin/bitcoin/pull/33677/commits/5555bce994b648f836c35a02570f22ae9ad36da3

Tree-SHA512: f1ea95b0650e57d6a9f97c575a11ee461832c0715c3d1a24dbfe12ccc5366f295639d4c4827f1d01da460ddf00917ecaa627e7dbd12e405770db6c53c3778a9c

292ea0eb89

Merge bitcoin/bitcoin#33555: build: Bump clang minimum supported version to 17

fa0fa0f70087d08fe5a54832b96799bd14293279 refactor: Revert "disable self-assign warning for tests" (MarcoFalke)
faed118fb30fbc303e9d4c70569abfee397f1759 build: Bump clang minimum supported version to 17 (MarcoFalke)

Pull request description:

  Most supported operating systems ship with clang-17 (or later), so bump the minimum to that and allow new code to drop workarounds for previous clang bugs.

  (Apart from dropping the small workaround, this bump allows the `ci_native_nowallet_libbitcoinkernel` CI to run on riscv64 without running into an ICE with clang-16.)

  This patch will only be released in version 31.x, next year (2026).

  For reference:

  * https://packages.debian.org/bookworm/clang-19
  * https://packages.ubuntu.com/noble/clang (clang-18)
  * CentOS-like 8/9/10 ship clang-17 (and later) via Stream
  * FreeBSD 12/13 ship clang-17 (and later) via packages
  * OpenSuse Tumbleweed ships with https://software.opensuse.org/package/clang (clang21); No idea about OpenSuse Leap

  On operating systems where the clang version is not shipped by default, the user would have to use GCC, or install clang in a different way. For example:

  * https://packages.debian.org/bookworm/g++ (g++-12)
  * https://packages.ubuntu.com/jammy/g++ (g++-11)
  * https://apt.llvm.org/, or nix, or guix, or compile clang from source, ...

  *Ubuntu 22.04 LTS does not ship with clang-16 (the previous minimum required), nor with clang-17, so one of the above workarounds is needed there.*

  macOS 14 is unaffected, and the previous minimum requirement of Xcode15.0 remains, see also https://github.com/bitcoin/bitcoin/blob/919e6d01e93a57d991ed456bc67c43605583ada8/depends/hosts/darwin.mk#L3-L4. (Modulo compiling the fuzz tests, which requires https://github.com/bitcoin/bitcoin/blob/919e6d01e93a57d991ed456bc67c43605583ada8/.github/workflows/ci.yml#L149)

ACKs for top commit:
  janb84:
    Concept ACK fa0fa0f70087d08fe5a54832b96799bd14293279
  l0rinc:
    Code review ACK fa0fa0f70087d08fe5a54832b96799bd14293279
  hebasto:
    ACK fa0fa0f70087d08fe5a54832b96799bd14293279.

Tree-SHA512: 5973cec39982f80b8b43e493cde012d9d1ab75a0362300b007d155db9f871c6341e7e209e5e63f0c3ca490136b684683de270136d62cb56f6b00b0ac0331dc36

72511fd02e

fuzz: refactor memcpy to std::ranges::copy to work around ubsan warn

Using std::ranges::copy from the C++ standard library has a few benefits
here:

* It has the additional benefit of being a bit more type safe and
  document the byte cast explicitly.
* The compiler will likely optimize it to the same asm, but performance
  doesn't really matter here anyway.
* It works around an UB-Sanitizer bug, when the source range is empty.

Fixes https://github.com/bitcoin/bitcoin/issues/33643

fa4b52bd16

ci: fix lint docker caching

Fixes: 33735

Correct runner type selection for the lint job.

This was erroneously left-out during refactor of the runner selection
mechanism in #33302 causing the lint job to run on GH hosts (and
therefore not be able to acces local cirrus caches).

0b3b8a3be1

doc: update Guix INSTALL.md b4d0288c46

ci: Add missing python3-dev package for riscv64 facf8b771a

Merge bitcoin/bitcoin#32924: test: add valid tx test with minimum-sized ECDSA signature (8 bytes DER-encoded)

5fa81e239a39d161a6d5aba7bcc7e1f22a5be777 test: add valid tx test with minimum-sized ECDSA signature (8 bytes DER-encoded) (Sebastian Falbesoner)

Pull request description:

  Currently in our tests, all ECDSA signatures passing verification have sizes of 69 bytes and above (that's the DER-encoded size, i.e. counted without the sighash flag byte) [1]. This PR adds test coverage for the minimum-sized valid case of 8 bytes, by taking an interesting testnet transaction that I stumbled upon:
  https://mempool.space/testnet/tx/c6c232a36395fa338da458b86ff1327395a9afc28c5d2daa4273e410089fd433
  Note that this is a very obscure construction that only works because the public key used isn't contained in the locking script, but calculated and provided later at spending time (see https://bitcointalk.org/index.php?topic=1729534.msg17309060#msg17309060 for an explainer), to match the message (sighash) and picked signature. So this doesn't represent a use-case that really makes sense in practice, but it can still appear in a block (not in mempool though, due to `SCRIPT_VERIFY_CONST_SCRIPTCODE`), and having test-coverage seems useful.

  Can be tested with same patch below (tests crash with the condition `>= 9`, but pass with `>= 8`).

  [1] this can be verified by applying the following patch and running the tests:
  ```diff
  diff --git a/src/pubkey.cpp b/src/pubkey.cpp
  index a4ca9a170a..bee0caa603 100644
  --- a/src/pubkey.cpp
  +++ b/src/pubkey.cpp
  @@ -288,7 +288,9 @@ bool CPubKey::Verify(const uint256 &hash, const std::vector<unsigned char>& vchS
       /* libsecp256k1's ECDSA verification requires lower-S signatures, which have
        * not historically been enforced in Bitcoin, so normalize them first. */
       secp256k1_ecdsa_signature_normalize(secp256k1_context_static, &sig, &sig);
  -    return secp256k1_ecdsa_verify(secp256k1_context_static, &sig, hash.begin(), &pubkey);
  +    bool ret = secp256k1_ecdsa_verify(secp256k1_context_static, &sig, hash.begin(), &pubkey);
  +    if (ret) assert(vchSig.size() >= 69);
  +    return ret;
   }
  ```

ACKs for top commit:
  ajtowns:
    ACK 5fa81e239a39d161a6d5aba7bcc7e1f22a5be777 lgtm
  fjahr:
    tACK 5fa81e239a39d161a6d5aba7bcc7e1f22a5be777
  real-or-random:
    utACK https://github.com/bitcoin/bitcoin/pull/32924/commits/5fa81e239a39d161a6d5aba7bcc7e1f22a5be777 interesting case

Tree-SHA512: d1f0612fdb71c9238ca0420f574f6f246e60dbd11970b23f21d082c759a89ff98a13b12a1f6266f14f20539ec437b7ab79322082278da32984ddfee2d8893356

c281bb6837

Merge bitcoin/bitcoin#33698: test: Use same rpc timeout for authproxy and cli

66667d6512294fd5dd02161b7c68c19af0865865 test: Use same rpc timeout for authproxy and cli (MarcoFalke)

Pull request description:

  It seems odd to use different timeouts (and timeout factors) depending on whether the Python RPC proxy is used, or the bitcoin rpc command line interface.

  Fix it by using the same timeout.

  This can be tested by introducing a timeout error and checking it happens with and without `--usecli` after the exact same time.

  Example timeout error:

  ```diff
  diff --git a/test/functional/mining_template_verification.py b/test/functional/mining_template_verification.py
  index de0833c596..e0f93a2b1e 100755
  --- a/test/functional/mining_template_verification.py
  +++ b/test/functional/mining_template_verification.py
  @@ -173,7 +173,7 @@ class MiningTemplateVerificationTest(BitcoinTestFramework):

           self.log.info("Submitting this block should succeed")
           assert_equal(node.submitblock(block.serialize().hex()), None)
  -        node.waitforblockheight(2)
  +        node.waitforblockheight(200000)

       def transaction_test(self, node, block_0_height, tx):
           self.log.info("make block template with a transaction")
  ```

  Example cmd: `./bld-cmake/test/functional/mining_template_verification.py --timeout-factor=0.1 --usecli`.

ACKs for top commit:
  brunoerg:
    ACK 66667d6512294fd5dd02161b7c68c19af0865865
  stickies-v:
    tACK 66667d6512294fd5dd02161b7c68c19af0865865

Tree-SHA512: c8c21d8b9fb60ab192e3bbd45b317b96a40e10bf03704148613ac3cbdaae4abc2c03c4afbd504309ea0958201267c0d2a4bc5b40aa020917175c47e080ffe292

6f359695c3

test: resolve symlinks in which result for capnp 51093d6ae1

Merge bitcoin/bitcoin#33743: fuzz: refactor memcpy to std::ranges::copy to work around ubsan warn

fa4b52bd16189d40761c5976b8427e30779aba23 fuzz: refactor memcpy to std::ranges::copy to work around ubsan warn (MarcoFalke)

Pull request description:

  Using std::ranges::copy from the C++ standard library has a few benefits here:

  * It has the additional benefit of being a bit more type safe and document the byte cast explicitly.
  * The compiler will likely optimize it to the same asm, but performance doesn't really matter here anyway.
  * It has defined semantics for empty source ranges.

  Fixes https://github.com/bitcoin/bitcoin/issues/33643

ACKs for top commit:
  marcofleon:
    tACK fa4b52bd16189d40761c5976b8427e30779aba23
  dergoegge:
    utACK fa4b52bd16189d40761c5976b8427e30779aba23

Tree-SHA512: 04fcf096e3cfc526e996c9313ec6e0a4d12c382fa19cb846b51564d33de2f0ef78a588fc6a936da0c76ca8bc9d9db4a824c36d99413db4f538a98239864d48f0

8eda7210eb

Merge bitcoin/bitcoin#33746: ci: Add missing python3-dev package for riscv64

facf8b771a192ba17c8c4f9c43f248d83b3c8015 ci: Add missing python3-dev package for riscv64 (MarcoFalke)

Pull request description:

  This is required to compile the pip wheels on native riscv64.

ACKs for top commit:
  fanquake:
    ACK facf8b771a192ba17c8c4f9c43f248d83b3c8015

Tree-SHA512: 7305deda4f2a7c2be5a82f4fcbc110f20a154374d98442e56d50175edda7f37a68b8e4cc1d84fc1fbc69ec1cc28559bbe795cc553fae8bd2e5effc36b0e534a2

305384a037

ci: gha: Set debug_pull_request_number_str annotation fa9d0f994b

test: Format strings in `*.rs`

`format!` strings may contain variables within the string
representation. This is a lint as of a recent `rustc` nightly version.

78d4d36730

Merge bitcoin/bitcoin#33753: test: Format strings in `test_runner`

78d4d36730d44de93690b43f900a9202517291f6 test: Format strings in `*.rs` (rustaceanrob)

Pull request description:

  `format!` strings may contain variables within the string representation. This is a lint as of a recent `rustc` nightly version.

ACKs for top commit:
  maflcko:
    lgtm ACK 78d4d36730d44de93690b43f900a9202517291f6
  TheCharlatan:
    ACK 78d4d36730d44de93690b43f900a9202517291f6
  rkrux:
    crACK 78d4d36730d44de93690b43f900a9202517291f6

Tree-SHA512: d6da94682dfa35964be4d7bba323847bae040dcec921e3d4ee2f25400751fa3af40fafe27805c2d6587d00a8ff54cc6af22ca46bf8911f13a200e73e77daa019

3cd4263bf6

Merge bitcoin/bitcoin#33749: test: ipc: resolve symlinks in `which capnp`

51093d6ae1d415b8dfa47f11cb634a87bd97e8a9 test: resolve symlinks in which result for capnp (David Gumberg)

Pull request description:

  On Fedora, `/bin/` and `/usr/bin` are symlinked, and on one of my boxes (although I could not reproduce this behavior in a docker container), `/bin` comes before `/usr/bin` in `$PATH`, so `which capnp` reports `/bin/capnp`, and `capnp_dir` is set to `/include`, and the test fails:

  ```console
  $ ./build/test/functional/interface_ipc.py
  2025-10-30T20:43:43.753812Z TestFramework (INFO): PRNG seed is: 8370468257027235753
  2025-10-30T20:43:43.754163Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test_b9kjzj2a
  terminate called after throwing an instance of 'kj::ExceptionImpl'
    what():  mp/proxy.capnp:6: failed: Import failed: /capnp/c++.capnp
  Aborted (core dumped)
  ```

  This changes the functional test to resolve any symlinks in the `capnp` binary path reported by `which`.

ACKs for top commit:
  TheCharlatan:
    utACK 51093d6ae1d415b8dfa47f11cb634a87bd97e8a9
  ryanofsky:
    Code review ACK 51093d6ae1d415b8dfa47f11cb634a87bd97e8a9

Tree-SHA512: 17a3e16c3ef50d19e65c18bd12636f287b41e54fc14629e2eb6efb8f9532af7e0e0d404e4e234eeba92473b7ae18d97144a953d28523670308e78e4c4fbb7137

832a57673a

Merge bitcoin/bitcoin#31645: [IBD] coins: increase default UTXO flush batch size to 32 MiB

b6f8c48946cbfceb066de660c485ae1bd2c27cc1 coins: increase default `dbbatchsize` to 32 MiB (Lőrinc)
8bbb7b8bf8e3b2b6465f318ec102cc5275e5bf8c refactor: Extract default batch size into kernel (Lőrinc)

Pull request description:

  This change is part of [[IBD] - Tracking PR for speeding up Initial Block Download](https://github.com/bitcoin/bitcoin/pull/32043)

  ### Summary

  When the in-memory UTXO set is flushed to LevelDB (after IBD or AssumeUTXO load), it does so in batches to manage memory usage during the flush.
  A hidden `-dbbatchsize` config option exists to modify this value. This PR only changes the default from `16` MiB to `32` MiB.
  Using a larger default reduces the overhead of many small writes and improves I/O efficiency (especially on HDDs). It may also help LevelDB optimize writes more effectively (e.g., via internal ordering).
  The change is meant to speed up a critical part of IBD: dumping the accumulated work to disk.

  ### Context

  The UTXO set has grown significantly since [2017](https://github.com/bitcoin/bitcoin/pull/10148/files#diff-d102b6032635ce90158c1e6e614f03b50e4449aa46ce23370da5387a658342fdR26-R27), when the original fixed 16 MiB batch size was chosen.

  With the current multi-gigabyte UTXO set and the common practice of using larger `-dbcache` values, the fixed 16 MiB batch size leads to several inefficiencies:

  * Flushing the entire UTXO set often requires thousands of separate 16 MiB write operations.
  * Particularly on HDDs, the cumulative disk seek time and per-operation overhead from numerous small writes significantly slow down the flushing process.
  * Each `WriteBatch` call incurs internal LevelDB overhead (e.g., MemTable handling, compaction triggering logic). More frequent, smaller batches amplify this cumulative overhead.

  Flush times of 20-30 minutes are not uncommon, even on capable hardware.

  ### Considerations

  As [noted by sipa](https://github.com/bitcoin/bitcoin/pull/31645#issuecomment-2587500105), flushing involves a temporary memory usage increase as the batch is prepared. A larger batch size naturally leads to a larger peak during this phase. Crashing due to OOM during a flush is highly undesirable, but now that [#30611](https://github.com/bitcoin/bitcoin/pull/30611) is merged, the most we'd lose is the first hour of IBD.

  Increasing the LevelDB write batch size from 16 to 32 MiB raised the measured peaks by ~70 MiB in my tests during UTXO dump. The option remains hidden, and users can always override it.

  The increased peak memory usage (detailed below) is primarily attributed to LevelDB's `leveldb::Arena` (backing MemTables) and the temporary storage of serialized batch data (e.g., `std::string` in `CDBBatch::WriteImpl`).

  Performance gains are most pronounced on systems with slower I/O (HDDs), but some SSDs also show measurable improvements.

  ### Measurements:

  AssumeUTXO proxy, multiple runs with error bars (flushing time is faster that the measured loading + flushing):
  * Raspberry Pi, dbcache=500: ~30% faster with 32 MiB vs 16 MiB, peak +~75 MiB and still < 1 GiB.
  * i7 + HDD: results vary by dbcache, but 32 MiB usually beats 16 MiB and tracks close to 64 MiB without the larger peak.
  * i9 + fast NVMe: roughly flat across 16/32/64 MiB. The goal here is to avoid regressions, which holds.

  ### Reproducer:

  ```bash
  # Set up a clean demo environment
  rm -rfd demo && mkdir -p demo

  # Build Bitcoin Core
  cmake -B build -DCMAKE_BUILD_TYPE=Release && cmake --build build -j$(nproc)

  # Start bitcoind with minimal settings without mempool and internet connection
  build/bin/bitcoind -datadir=demo -stopatheight=1
  build/bin/bitcoind -datadir=demo -blocksonly=1 -connect=0 -dbcache=3000 -daemon

  # Load the AssumeUTXO snapshot, making sure the path is correct
  # Expected output includes `"coins_loaded": 184821030`
  build/bin/bitcoin-cli -datadir=demo -rpcclienttimeout=0 loadtxoutset ~/utxo-880000.dat

  # Stop the daemon and verify snapshot flushes in the logs
  build/bin/bitcoin-cli -datadir=demo stop
  grep "FlushSnapshotToDisk: completed" demo/debug.log
  ```

  ---

  This PR originally proposed 64 MiB, then a dynamic size, but both were dropped: 64 MiB increased peaks more than desired on low-RAM systems, and the dynamic variant underperformed across mixed hardware. 32 MiB is a simpler default that captures most of the gains with a modest peak increase.

  For more details see: https://github.com/bitcoin/bitcoin/pull/31645#issuecomment-3234329502
  ---

  While the PR isn't about IBD in general, rather about a critical section of it, I have measured a reindex-chainstate until 900k blocks, showing a 1% overall speedup:

  <details>
  <summary>Details</summary>

  ```python
  COMMITS="e6bfd95d5012fa1d91f83bf4122cb292afd6277f af653f321b135a59e38794b537737ed2f4a0040b"; \
  STOP=900000; DBCACHE=10000; \
  CC=gcc; CXX=g++; \
  BASE_DIR="/mnt/my_storage"; DATA_DIR="$BASE_DIR/BitcoinData"; LOG_DIR="$BASE_DIR/logs"; \
  (echo ""; for c in $COMMITS; do git fetch -q origin $c && git log -1 --pretty='%h %s' $c || exit 1; done; echo "") && \
  hyperfine \
    --sort command \
    --runs 1 \
    --export-json "$BASE_DIR/rdx-$(sed -E 's/(\w{8})\w+ ?/\1-/g;s/-$//'<<<"$COMMITS")-$STOP-$DBCACHE-$CC.json" \
    --parameter-list COMMIT ${COMMITS// /,} \
    --prepare "killall bitcoind 2>/dev/null; rm -f $DATA_DIR/debug.log; git checkout {COMMIT}; git clean -fxd; git reset --hard && \
      cmake -B build -G Ninja -DCMAKE_BUILD_TYPE=Release && ninja -C build bitcoind && \
      ./build/bin/bitcoind -datadir=$DATA_DIR -stopatheight=$STOP -dbcache=1000 -printtoconsole=0; sleep 10" \
    --cleanup "cp $DATA_DIR/debug.log $LOG_DIR/debug-{COMMIT}-$(date +%s).log" \
    "COMPILER=$CC ./build/bin/bitcoind -datadir=$DATA_DIR -stopatheight=$STOP -dbcache=$DBCACHE -reindex-chainstate -blocksonly -connect=0 -printtoconsole=0"

  e6bfd95d50 Merge bitcoin-core/gui#881: Move `FreespaceChecker` class into its own module
  af653f321b coins: derive `batch_write_bytes` from `-dbcache` when unspecified

  Benchmark 1: COMPILER=gcc ./build/bin/bitcoind -datadir=/mnt/my_storage/BitcoinData -stopatheight=900000 -dbcache=10000 -reindex-chainstate -blocksonly -connect=0 -printtoconsole=0 (COMMIT = e6bfd95d5012fa1d91f83bf4122cb292afd6277f)
    Time (abs ≡):        25016.346 s               [User: 30333.911 s, System: 826.463 s]

  Benchmark 2: COMPILER=gcc ./build/bin/bitcoind -datadir=/mnt/my_storage/BitcoinData -stopatheight=900000 -dbcache=10000 -reindex-chainstate -blocksonly -connect=0 -printtoconsole=0 (COMMIT = af653f321b135a59e38794b537737ed2f4a0040b)
    Time (abs ≡):        24801.283 s               [User: 30328.665 s, System: 834.110 s]

  Relative speed comparison
          1.01          COMPILER=gcc ./build/bin/bitcoind -datadir=/mnt/my_storage/BitcoinData -stopatheight=900000 -dbcache=10000 -reindex-chainstate -blocksonly -connect=0 -printtoconsole=0 (COMMIT = e6bfd95d5012fa1d91f83bf4122cb292afd6277f)
          1.00          COMPILER=gcc ./build/bin/bitcoind -datadir=/mnt/my_storage/BitcoinData -stopatheight=900000 -dbcache=10000 -reindex-chainstate -blocksonly -connect=0 -printtoconsole=0 (COMMIT = af653f321b135a59e38794b537737ed2f4a0040b)
  ```

  </details>

ACKs for top commit:
  laanwj:
    Concept and code review ACK b6f8c48946cbfceb066de660c485ae1bd2c27cc1
  TheCharlatan:
    ACK b6f8c48946cbfceb066de660c485ae1bd2c27cc1
  andrewtoth:
    ACK b6f8c48946cbfceb066de660c485ae1bd2c27cc1

Tree-SHA512: a72008feca866e658f0cb4ebabbeee740f9fb13680e517b9d95eaa136e627a9dd5ee328456a2bf040401f4a1977ffa7446ad13f66b286b3419ff0c35095a3521

da6f041e39

Merge bitcoin/bitcoin#33683: refactor/doc: Add blockman param to GetTransaction doc comment

1a1f46c2285994908df9c11991c1f363c9733087 refactor/doc: Add blockman param to `GetTransaction` doc comment and reorder out param (Musa Haruna)

Pull request description:

  Follow-up to [#27125](https://github.com/bitcoin/bitcoin/pull/27125#discussion_r1190350876)

  This PR addresses a minor documentation and style nit mentioned during review:

  - Adds the missing `@param[in] blockman` line to the `GetTransaction()` doc comment.
  - Moves the output parameter `hashBlock` to the end of both the function
    declaration and definition, as suggested in the comment.

ACKs for top commit:
  l0rinc:
    ACK 1a1f46c2285994908df9c11991c1f363c9733087
  maflcko:
    re-lgtm-ut-cr-rfm-ACK 1a1f46c2285994908df9c11991c1f363c9733087
  kevkevinpal:
    reACK [1a1f46c](https://github.com/bitcoin/bitcoin/pull/33683/commits/1a1f46c2285994908df9c11991c1f363c9733087)

Tree-SHA512: 5807a1ae6c383e691e948648dcb1e029620eaff3dcdff73d88c6dc268a7af5559a30c491b72f038b3f7e812e1845f4f063b49bd3671edfac1bb3a170c84be4f5

422b468229

Merge bitcoin/bitcoin#33567: node: change a tx-relay on/off flag to enum

07a926474b5a6fa1d3d4656362a0117611f6da2f node: change a tx-relay on/off flag to enum (Vasil Dimov)

Pull request description:

  Previously the `bool relay` argument to `BroadcastTransaction()` designated:

  ```
  relay=true: add to the mempool and broadcast to all peers
  relay=false: add to the mempool
  ```

  Change this to an `enum`, so it is more readable and easier to extend with a 3rd option. Consider these example call sites:

  ```cpp
  Paint(true);
  // Or
  Paint(/*is_red=*/true);
  ```

  vs

  ```cpp
  Paint(RED);
  ```

  The idea for putting `TxBroadcastMethod` into `node/types.h` by Ryan.

  ---

  This is part of [#29415 Broadcast own transactions only via short-lived Tor or I2P connections](https://github.com/bitcoin/bitcoin/pull/29415). Putting it in its own PR to reduce the size of #29415 and because it does not logically depend on the other commits from there.

ACKs for top commit:
  optout21:
    ACK 07a926474b5a6fa1d3d4656362a0117611f6da2f
  kevkevinpal:
    ACK [07a9264](https://github.com/bitcoin/bitcoin/pull/33567/commits/07a926474b5a6fa1d3d4656362a0117611f6da2f)
  laanwj:
    Concept and code review ACK 07a926474b5a6fa1d3d4656362a0117611f6da2f. Agree with the general reasoning and the change in #29415 is a valid motivation to change this interface.
  glozow:
    utACK 07a926474b5a6fa1d3d4656362a0117611f6da2f

Tree-SHA512: ec8f6fa56a6d2422a0fbd5941ff2792685e8d8e7b9dd50bba9f3e21ed9b4a4a26c89b0d7e4895d48f30b7a635f2eddd894af26b5266410952cbdaf5c40b42966

25c45bb0d0

Merge bitcoin/bitcoin#33754: ci: gha: Set debug_pull_request_number_str annotation

fa9d0f994b45a94e3f26c01e395c58ff59f47f43 ci: gha: Set debug_pull_request_number_str annotation (MarcoFalke)

Pull request description:

  GitHub Actions does not offer any way to determine the pull request number in a machine readable way from the checks API. See https://github.com/bitcoin/bitcoin/issues/27178#issuecomment-1503475232.

  However, the pull request number can be useful for external tools to act on CI results.

  Fix that by using a check run annotation for a single task named `debug_pull_request_number_str`.

  This should re-enable the 'CI Failed' labelling mechanism via https://github.com/maflcko/DrahtBot/commit/1f24cc1ab9be8ad35fbb3a44aaa073bf669a7685.

ACKs for top commit:
  l0rinc:
    code review ACK fa9d0f994b45a94e3f26c01e395c58ff59f47f43
  willcl-ark:
    ACK fa9d0f994b45a94e3f26c01e395c58ff59f47f43

Tree-SHA512: d872b81afeaef603006bb65f18acafdff2771acf2b70af4ab6b46167b0826e96b1ac434bba2020833107922eaf1e73f59a50782a535ba04ea16921f1828d42ca

746d36cc80

ci: fix configure docker action inputs

The options used were wrong in two ways: firstly they were not enforced
as a "choice" (i.e. invalid input valudes could be provided without
error) and one of the options was listed as `gh` when we passed it as
`gha` from ci.yml.

"Fix" this by removing the choice altogether but sanity-testing the
input value against an expected list using a GHA "warning" to notify of
unknown inputs.

7632e0ba31

Merge bitcoin-core/gui#901: Add createwallet, createwalletdescriptor, and migratewallet to history filter

4e352efa2ce756c668664486c99d003eef530e0c qt: add createwallet, createwalletdescriptor, and migratewallet to history filter (WakeTrainDev)

Pull request description:

  Added `createwallet`, `createwalletdescriptor` and `migratewallet` RPC commands to the Qt console history filter since they may include passphrases or other sensitive data that should not be stored in command history.

ACKs for top commit:
  pablomartin4btc:
    utACK 4e352efa2ce756c668664486c99d003eef530e0c
  hebasto:
    ACK 4e352efa2ce756c668664486c99d003eef530e0c.

Tree-SHA512: dc6a12b95173b1e476d483381df3d74add88a1e225c90b1b60db59eab6d504a2496b66890ccec28c691745e405a3053d72afda9d80ae96a703f12cd256e4ebd6

745eb053a4

ci: use LLVM libcxx 21.1.5 3784d15bcd

ci: run native fuzz with MSAN job

Set the timout to 150, to give some leeway to the slow GHA runners, that
were close to timing out with a 120m limit.

1e6e32fa8a

Merge bitcoin/bitcoin#32301: test: cover invalid codesep positions for signature in taproot

81e5c8385b9ec170c97190a97c560a39ccfc544a test: cover invalid codesep positions for signature in taproot (Greg Sanders)

Pull request description:

  There is some basic coverage, but I felt like adding some boundary conditions where the only issue is the codesep value would be nice.

ACKs for top commit:
  ajtowns:
    ACK 81e5c8385b9ec170c97190a97c560a39ccfc544a
  TheCharlatan:
    ACK 81e5c8385b9ec170c97190a97c560a39ccfc544a

Tree-SHA512: de74895c3bb49854987654720ebcefea2f47c4a55ba6ab4a52878f6a9a0bd8b3085afa3485101610327fa8d35c3d074542f58540e126460bd4bea918cb0054ee

56329beaee

Merge bitcoin/bitcoin#33445: ci: Update Clang in "tidy" job

5d784bebaff5e3acc0b5180ee51d9a16aec0e356 clang-tidy: Disable `ArrayBound` check in src/ipc and src/test (Hennadii Stepanov)
5efdb0ef305624e5f3666441e761c658f38a8b39 ci: Update Clang in "tidy" job (Hennadii Stepanov)

Pull request description:

  This PR:

  1. Updates to [IWYU 0.25](https://github.com/include-what-you-use/include-what-you-use/releases/tag/0.25), which is compatible with Clang 21.

  2. Fixes new "modernize-use-default-member-init" warnings. The warning in `interpreter.cpp` is a [false positive](https://github.com/llvm/llvm-project/issues/160394), so it has been suppressed.

ACKs for top commit:
  maflcko:
    review ACK 5d784bebaff5e3acc0b5180ee51d9a16aec0e356 🎒
  ryanofsky:
    Code review ACK 5d784bebaff5e3acc0b5180ee51d9a16aec0e356, just adding clang version comment since last review.

Tree-SHA512: a1d853675ec064170ee0f1cd16be6a900676588d4a1e7b5def8733933b140ba1a9520ec6f6a42bf7638b2ff7cf2fe4d5866d407f68b677b49d2bd68ff345f735

1cd8d9fe5c

Merge bitcoin/bitcoin#33574: doc: update Guix INSTALL.md

b4d0288c467f82a94041b51d10d38e66bb5c33ae doc: update Guix INSTALL.md (fanquake)

Pull request description:

  It's somewhat annoying that Guix is falling out of being packaged by distros. For some more context, see https://lwn.net/Articles/1035491/.
  > However, it is likely that the [Guix](https://guix.gnu.org/en/) package manager will soon be removed from the repositories for Debian 13 and Debian 12 ("bookworm", also called oldstable).

  This seems to be happening. You can't `apt install guix` using the current release of Debian. https://packages.debian.org/search?keywords=guix. Guix is not going to be included in next release of Ubuntu (`25.10`): https://packages.ubuntu.com/search?keywords=guix.

  Looking at https://aur.archlinux.org/packages/guix, comments over the last few months seem to indicate that the build is broken.

  A 1.5.0 release is planned for sometime in January 2026: https://codeberg.org/guix/release-planning/wiki/release-1.5.0-project/. So hopefully the situation is going to improve in future.

ACKs for top commit:
  willcl-ark:
    ACK b4d0288c467f82a94041b51d10d38e66bb5c33ae
  hebasto:
    ACK b4d0288c467f82a94041b51d10d38e66bb5c33ae.

Tree-SHA512: 545f3529af82c18556ddfe104c01f77e28da31018a44047812450565a9b3bad3afa60f714b375c06c3a10aed722d54500846aa70a8069c5fe2d96b26d426b6c1

2593ed1b5f

Merge bitcoin/bitcoin#33744: ci: Fix lint runner selection (and docker cache)

7632e0ba312a372259897c68fd7c7eb723df3738 ci: fix configure docker action inputs (will)
0b3b8a3be1a0db0dfc634acca1d9305dc0fbfae6 ci: fix lint docker caching (will)

Pull request description:

  Fixes: #33735

  Correct runner type selection for the lint job.

  This was erroneously left-out during refactor of the runner selection mechanism in #33302 causing the lint job to run on GH hosts (and therefore not be able to acces local cirrus caches).

ACKs for top commit:
  maflcko:
    re-ACK 7632e0ba312a372259897c68fd7c7eb723df3738 📞
  hebasto:
    ACK 7632e0ba312a372259897c68fd7c7eb723df3738.

Tree-SHA512: b228a79d13ed80c75fc5e51c4fb93c7fad1cb33c00a659afe65033ce09d95e6ac84e01627f2e58e640ff483d798ac1b9e23f14d31a9c045fd99367059ceef5b4

75baff98fc

Merge bitcoin/bitcoin#33626: ci: run native fuzz with MSAN job

1e6e32fa8a64daa21c9c9de437f7a12745ed4a4e ci: run native fuzz with MSAN job (fanquake)
3784d15bcd500d8707a8b422c406230494458acb ci: use LLVM libcxx 21.1.5 (fanquake)

Pull request description:

  I think this job should exist in this repo (not just qa-assets), if the alternative is double-handling changes to the interpreter. #32998 made changes which were then re-changed in #33600, to work around a false positive.

  The unchached runtime of this job with `-lg` is `~32m`, with `-md` it's `~43m`.

  Timeout is set to 150m, as the slow GHA runners were close to hitting a 120m limit.

ACKs for top commit:
  maflcko:
    lgtm ACK 1e6e32fa8a64daa21c9c9de437f7a12745ed4a4e
  dergoegge:
    utACK 1e6e32fa8a64daa21c9c9de437f7a12745ed4a4e

Tree-SHA512: afd4cb0039f4f49ddc23f5553a5bf6d5ceffbc12d91acd6890d5cc40c30b7421b23d04f305983d94c862daa6fc07535b1331d7fa2a8ebfe9f19c20d83d95c692

5ffa63d681

Create devcontainer.json 126dca0aea

DrahtBot added the label Backport on Nov 6, 2025

DrahtBot commented at 1:06 am on November 6, 2025: contributor

♻️ Automatically closing for now based on heuristics. Please leave a comment, if this was erroneous. Generally, please focus on creating high-quality, original content that demonstrates a clear understanding of the project’s requirements and goals.

DrahtBot closed this on Nov 6, 2025

DrahtBot commented at 1:06 am on November 6, 2025: contributor

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/33798.

Reviews

See the guideline for information on the review process. A summary of reviews will appear here.

achow101 renamed this:
~~Patch 1~~
.
on Nov 6, 2025

bitcoin locked this on Nov 6, 2025

. #33798

Code Coverage & Benchmarks

Reviews