fix!: use the same version along all protx special transactions#7302
fix!: use the same version along all protx special transactions#7302knst wants to merge 16 commits into
Conversation
|
⛔ Blockers found — Sonnet deferred (commit 9a86b08) |
✅ No Merge Conflicts DetectedThis PR currently has no conflicts with other open PRs. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ed4d9c63ea
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| ptx.nVersion = DeploymentToProtxVersion(WITH_LOCK(::cs_main, return chainman.ActiveChain().Tip()), chainman, | ||
| /*is_basic_override=*/!use_legacy); |
There was a problem hiding this comment.
Clamp update_registrar version for legacy masternodes
When DEPLOYMENT_V24 is active, this assignment makes protx update_registrar default to version 3, but legacy masternodes (dmn->pdmnState->nVersion == LegacyBLS) are still required by IsVersionChangeValid in src/evo/specialtxman.cpp to move to version 2 before any higher version. As a result, the RPC now constructs transactions that fail with bad-protx-version-upgrade for legacy nodes, which breaks the legacy→basic upgrade path (and related registrar updates) via the standard RPC. update_service and revoke already avoid this with a BasicBLS clamp, so update_registrar is now inconsistent and regresses behavior introduced by this commit.
Useful? React with 👍 / 👎.
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughThis PR restructures ProTx version handling by introducing a shared Estimated code review effort: 4 (Complex) | ~75 minutes Sequence Diagram(s)sequenceDiagram
participant RPC as RPC (protx_register/update)
participant Validation as validation.cpp
participant SpecialTxMan as specialtxman.cpp
participant ProviderTx as CProRegTx/CProUpRegTx/CProUpServTx/CProUpRevTx
RPC->>Validation: DeploymentToProtxVersion(pindexPrev, chainman, override)
Validation-->>RPC: nVersion
RPC->>ProviderTx: construct payload with nVersion
RPC->>SpecialTxMan: submit transaction
SpecialTxMan->>SpecialTxMan: GetValidatedPayload<ProTx>(tx, pindexPrev, chainman, state)
SpecialTxMan->>Validation: DeploymentToProtxVersion(pindexPrev, chainman)
Validation-->>SpecialTxMan: max allowed version
SpecialTxMan->>ProviderTx: IsTriviallyValid(state)
ProviderTx-->>SpecialTxMan: valid/invalid + reject reason
SpecialTxMan-->>RPC: accepted payload or bad-protx-version error
Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
ed4d9c6 to
f94f7cc
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (2)
src/evo/providertx.h (1)
95-99: ⚡ Quick win
GetValidatedPayload<T>is not full validation.These comments overstate the helper’s contract. As implemented in
src/evo/specialtxman.cpp,GetValidatedPayloadonly covers payload decoding, deployment-gated version bounds, andIsTriviallyValid(...); callers still needCheckPro*Txfor collateral, masternode-list, signature, input-hash, and version-transition checks. Please reword this so future call sites don’t treat the helper as sufficient consensus validation.Also applies to: 160-164, 211-215, 265-269
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/evo/providertx.h` around lines 95 - 99, The comment for IsTriviallyValid overstresses GetValidatedPayload<T> — update the wording to clearly state that GetValidatedPayload<T> only performs payload decoding, deployment-gated version bounds checks and calls IsTriviallyValid, and that callers must still run full consensus checks (e.g., CheckProRegTx / CheckProUpServTx or other CheckPro*Tx functions) to validate collateral, masternode-list state, signatures, input-hash and version-transition rules; change the docstring near IsTriviallyValid and the similar comments at the other three locations to explicitly list those remaining checks and not present GetValidatedPayload<T> as full validation.src/test/evo_trivialvalidation.cpp (1)
61-64: ⚡ Quick winAdd a post-v24 fixture path here.
This runner still collapses the matrix to
"legacy"vs"basic", so none of the new version-3 behavior introduced in this PR gets exercised. Please add an"extaddr"/post-v24 branch and vectors for at leastCProUpRegTxandCProUpRevTx.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/test/evo_trivialvalidation.cpp` around lines 61 - 64, The test currently only selects between "basic" and "legacy" via test[2].get_str() when setting pindexPrev, so post-v24/extaddr vectors aren't exercised; update the selection logic (replace the two-way ternary around pindexPrev or add an if/else/switch) to handle a third value "extaddr" and pick an appropriate CBlockIndex from chainman.ActiveChain() for the post-v24 path, and add corresponding test vectors for CProUpRegTx and CProUpRevTx in the test matrix so the "extaddr" branch is executed during the trivial validation runner.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/evo/specialtxman.h`:
- Around line 101-103: The template function GetValidatedPayload is defined in a
.cpp which will cause linker errors because the tests instantiate it for
concrete types; fix by either moving the full template definition into the
header where it's declared (so the compiler can instantiate for CProRegTx,
CProUpServTx, CProUpRegTx, CProUpRevTx) or, if you keep the definition in
specialtxman.cpp, add explicit template instantiations for
GetValidatedPayload<CProRegTx>, GetValidatedPayload<CProUpServTx>,
GetValidatedPayload<CProUpRegTx>, and GetValidatedPayload<CProUpRevTx> in that
.cpp so the linker sees the generated symbols.
---
Nitpick comments:
In `@src/evo/providertx.h`:
- Around line 95-99: The comment for IsTriviallyValid overstresses
GetValidatedPayload<T> — update the wording to clearly state that
GetValidatedPayload<T> only performs payload decoding, deployment-gated version
bounds checks and calls IsTriviallyValid, and that callers must still run full
consensus checks (e.g., CheckProRegTx / CheckProUpServTx or other CheckPro*Tx
functions) to validate collateral, masternode-list state, signatures, input-hash
and version-transition rules; change the docstring near IsTriviallyValid and the
similar comments at the other three locations to explicitly list those remaining
checks and not present GetValidatedPayload<T> as full validation.
In `@src/test/evo_trivialvalidation.cpp`:
- Around line 61-64: The test currently only selects between "basic" and
"legacy" via test[2].get_str() when setting pindexPrev, so post-v24/extaddr
vectors aren't exercised; update the selection logic (replace the two-way
ternary around pindexPrev or add an if/else/switch) to handle a third value
"extaddr" and pick an appropriate CBlockIndex from chainman.ActiveChain() for
the post-v24 path, and add corresponding test vectors for CProUpRegTx and
CProUpRevTx in the test matrix so the "extaddr" branch is executed during the
trivial validation runner.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: e2a718c8-ebeb-4c10-8f6b-eedbc74713c3
📒 Files selected for processing (17)
src/evo/deterministicmns.hsrc/evo/dmnstate.hsrc/evo/netinfo.cppsrc/evo/providertx.cppsrc/evo/providertx.hsrc/evo/simplifiedmns.hsrc/evo/smldiff.hsrc/evo/specialtxman.cppsrc/evo/specialtxman.hsrc/evo/types.hsrc/llmq/commitment.cppsrc/rpc/evo.cppsrc/test/data/trivially_invalid.jsonsrc/test/evo_trivialvalidation.cppsrc/validation.cppsrc/validation.htest/lint/lint-circular-dependencies.py
💤 Files with no reviewable changes (3)
- src/evo/dmnstate.h
- src/evo/smldiff.h
- src/evo/deterministicmns.h
✅ Files skipped from review due to trivial changes (5)
- src/llmq/commitment.cpp
- src/evo/types.h
- src/test/data/trivially_invalid.json
- test/lint/lint-circular-dependencies.py
- src/evo/simplifiedmns.h
🚧 Files skipped from review as they are similar to previous changes (5)
- src/evo/netinfo.cpp
- src/validation.cpp
- src/validation.h
- src/evo/specialtxman.cpp
- src/evo/providertx.cpp
thepastaclaw
left a comment
There was a problem hiding this comment.
Code Review
The refactor is sound but introduces a regression in the non-legacy protx update_registrar RPC: after V24 activates, it produces a v3 ProUpRegTx that consensus rejects when the masternode is still in LegacyBLS state, and also trips a CHECK_NONFATAL when the caller reuses the existing legacy operator key. Sibling RPCs (update_service, revoke) have the correct BasicBLS clamp and update_registrar should match. Test coverage for the newly-permitted v3 ProUpRegTx/ProUpRevTx path is also missing.
Reviewed commit: f94f7cc
🔴 1 blocking | 🟡 1 suggestion(s)
1 additional finding
🟡 suggestion: No regression coverage for the newly-permitted v3 ProUpRegTx/ProUpRevTx path
src/test/evo_trivialvalidation.cpp (lines 60-64)
This PR removes the bad-protx-version-tx-type consensus check that previously rejected CProUpRegTx/CProUpRevTx at version 3, and routes the test harness through the same GetValidatedPayload path consensus uses. However, the harness still only accepts "basic" and "legacy" vectors and leaves a TODO for extended addresses, so none of the new acceptance rules are actually exercised at a post-V24 height. Adding a v3 ProUpRegTx/ProUpRevTx vector validated against a post-V24 pindexPrev would lock in the new contract and protect against accidental re-introduction of the dropped check.
🤖 Prompt for all review comments with AI agents
These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.
In `src/rpc/evo.cpp`:
- [BLOCKING] lines 1139-1140: `protx update_registrar` produces an invalid v3 payload for legacy-state masternodes after V24
After V24 activates, `DeploymentToProtxVersion(tip, chainman, /*is_basic_override=*/!use_legacy)` returns `ProTxVersion::ExtAddr` (3) for the non-legacy path. Previously, `GetMaxFromDeployment<CProUpRegTx>` capped this at `BasicBLS` (2) for registrar updates. Two consequences:
1. If the underlying masternode is still at state version `LegacyBLS` (1), `IsVersionChangeValid` (specialtxman.cpp:907-909) rejects the v3 jump with `bad-protx-version-upgrade`. There is no longer a working non-legacy RPC path to migrate a legacy masternode via `update_registrar`.
2. If the caller leaves the operator key unchanged, `ptx.pubKeyOperator` is reused from `dmn->pdmnState`, which is legacy. The `CHECK_NONFATAL(ptx.pubKeyOperator.IsLegacy() == (ptx.nVersion == ProTxVersion::LegacyBLS))` at line 1159 then trips (true == false).
The sibling wrappers `protx update_service` (1014-1018) and `protx revoke` (1268-1272) already clamp to BasicBLS in this case. `update_registrar` needs the same clamp. Real-world impact is limited because V24 is `NEVER_ACTIVE` on mainnet/testnet, but the regression is real and silently breaks devnet/regtest setups.
In `src/test/evo_trivialvalidation.cpp`:
- [SUGGESTION] lines 60-64: No regression coverage for the newly-permitted v3 ProUpRegTx/ProUpRevTx path
This PR removes the `bad-protx-version-tx-type` consensus check that previously rejected `CProUpRegTx`/`CProUpRevTx` at version 3, and routes the test harness through the same `GetValidatedPayload` path consensus uses. However, the harness still only accepts `"basic"` and `"legacy"` vectors and leaves a TODO for extended addresses, so none of the new acceptance rules are actually exercised at a post-V24 height. Adding a v3 ProUpRegTx/ProUpRevTx vector validated against a post-V24 `pindexPrev` would lock in the new contract and protect against accidental re-introduction of the dropped check.
| ptx.nVersion = DeploymentToProtxVersion(WITH_LOCK(::cs_main, return chainman.ActiveChain().Tip()), chainman, | ||
| /*is_basic_override=*/!use_legacy); |
There was a problem hiding this comment.
🔴 Blocking: protx update_registrar produces an invalid v3 payload for legacy-state masternodes after V24
After V24 activates, DeploymentToProtxVersion(tip, chainman, /*is_basic_override=*/!use_legacy) returns ProTxVersion::ExtAddr (3) for the non-legacy path. Previously, GetMaxFromDeployment<CProUpRegTx> capped this at BasicBLS (2) for registrar updates. Two consequences:
-
If the underlying masternode is still at state version
LegacyBLS(1),IsVersionChangeValid(specialtxman.cpp:907-909) rejects the v3 jump withbad-protx-version-upgrade. There is no longer a working non-legacy RPC path to migrate a legacy masternode viaupdate_registrar. -
If the caller leaves the operator key unchanged,
ptx.pubKeyOperatoris reused fromdmn->pdmnState, which is legacy. TheCHECK_NONFATAL(ptx.pubKeyOperator.IsLegacy() == (ptx.nVersion == ProTxVersion::LegacyBLS))at line 1159 then trips (true == false).
The sibling wrappers protx update_service (1014-1018) and protx revoke (1268-1272) already clamp to BasicBLS in this case. update_registrar needs the same clamp. Real-world impact is limited because V24 is NEVER_ACTIVE on mainnet/testnet, but the regression is real and silently breaks devnet/regtest setups.
source: ['claude', 'codex']
🤖 Fix this with AI agents
These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.
In `src/rpc/evo.cpp`:
- [BLOCKING] lines 1139-1140: `protx update_registrar` produces an invalid v3 payload for legacy-state masternodes after V24
After V24 activates, `DeploymentToProtxVersion(tip, chainman, /*is_basic_override=*/!use_legacy)` returns `ProTxVersion::ExtAddr` (3) for the non-legacy path. Previously, `GetMaxFromDeployment<CProUpRegTx>` capped this at `BasicBLS` (2) for registrar updates. Two consequences:
1. If the underlying masternode is still at state version `LegacyBLS` (1), `IsVersionChangeValid` (specialtxman.cpp:907-909) rejects the v3 jump with `bad-protx-version-upgrade`. There is no longer a working non-legacy RPC path to migrate a legacy masternode via `update_registrar`.
2. If the caller leaves the operator key unchanged, `ptx.pubKeyOperator` is reused from `dmn->pdmnState`, which is legacy. The `CHECK_NONFATAL(ptx.pubKeyOperator.IsLegacy() == (ptx.nVersion == ProTxVersion::LegacyBLS))` at line 1159 then trips (true == false).
The sibling wrappers `protx update_service` (1014-1018) and `protx revoke` (1268-1272) already clamp to BasicBLS in this case. `update_registrar` needs the same clamp. Real-world impact is limited because V24 is `NEVER_ACTIVE` on mainnet/testnet, but the regression is real and silently breaks devnet/regtest setups.
kwvg
left a comment
There was a problem hiding this comment.
Concept NACK
From commit d86d571
CProRegTx and CProUpServTx used to be the only type of protx that have
a different version. It is theoretically acceptable in assumption that
there is no new features or version will ever be introduced for protx
special transaction.
The versioning system made an assumption that any change in ProTx structures will affect all fields uniformly, leaving certain fields v2 and others v3 allows us to prevent unexpected upgrades based on changes to fields that were never modified and thus prevents the propagation of serialisation directives based on fields never changed.
Even if the RPC sets the version we intend, removing a way to distinguish what txType is allowed to set the version at the consensus level means a patch in RPC could allow corruption of the masternode list as it'll see a v3 transaction, assume v3 serialization and then on client restart, cannot recognise the bytes on disk as it's v2 bytes but v3 version.
A theoretical v4 would follow the same pattern, set the version where the fields could be updated (always at creation OR for existing nodes, when the relevant ProTx is submitted) and then version-solve accordingly. The current system doesn't block that.
Let's assume that revocation is now at v4, future rules could force that you first upgrade to v3 by submitting a new ProUpRegTx (explicit user action that submits the new ser format) to then use v4 ProUpRevTx (to avoid getting a v2 to v4 not allowed error).
| return state.Invalid(TxValidationResult::TX_CONSENSUS, "bad-protx-version-upgrade"); | ||
| } | ||
|
|
||
| if (tx_type != TRANSACTION_PROVIDER_UPDATE_SERVICE && tx_version == ProTxVersion::ExtAddr) { |
There was a problem hiding this comment.
The reason we have version transition rules is to prevent the node from being classed as ExtAddr without actually opting in to it at creation or by explicitly updating the service.
Especially since once the version is upgraded the serialisation format changes. By classifying all transactions ExtAddr, a revoke transaction could indicate that the node intends to follow ExtAddr serialization when that was a) not the user's intention and b) will cause serialization mismatches which are very dependent on the version (see below)
Lines 78 to 79 in 4a0fd85
|
|
||
|
|
||
| /** | ||
| * This helper does some trivial validations that doesn't depends on collateral and |
There was a problem hiding this comment.
These changes are valuable but must be decoupled from changes in consensus behavior
| /** Get highest permissible ProTx version based on deployment status | ||
| * Note: The override is needed because some RPCs need to use deployment status information for everything *except* | ||
| * the BLS version upgrade since they are specializations for a specific BLS version. This is a one-off. | ||
| * TODO: Resolve this oddity. Consider deprecating legacy BLS-only RPCs so we can remove them eventually. |
There was a problem hiding this comment.
| * TODO: Resolve this oddity. Consider deprecating legacy BLS-only RPCs so we can remove them eventually. |
We can probably drop this TODO since the legacy RPCs won't be going anywhere even after deprecation due to hard requirements in functional tests, we already have network rules to enforce the deprecation at a consensus level but the RPCs themselves remain indispensible.
No, they would not, because:
|
The issue isn't the new node creation path, it's the upgrade path, say
But without at a minimum restricting the upgrade path, a specially crafted transaction could update the expected serialization to v3 with a ProUpRevTx (despite holding no service data but now allowed to mark itself as v3) and then on restart, when reading the masternode list and encountering a v3, find the v2 bytes unrecognizable and emit an error. |
I will write some extra tests; PR is draft temporary |
|
This pull request has conflicts, please rebase. |
f94f7cc to
a016390
Compare
|
This pull request has conflicts, please rebase. |
a016390 to
ff6151b
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ff6151b1a7
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| if (obj.nVersion >= ProTxVersion::ExtAddr) { | ||
| READWRITE(obj.payouts); |
There was a problem hiding this comment.
Backfill payouts when service updates promote v2 states
Because v3 states now take the payouts branch, a basic v2 masternode upgraded by a post-v24 ProUpServTx loses its owner payee: the service-update path in CSpecialTxProcessor::RebuildListFromBlock can raise nVersion from 2 to 3 while only converting netInfo, and v2 states have an empty payouts vector because they serialized scriptPayout. After that, GetOwnerPayouts(state) returns an empty list, so masternode payment construction omits the owner payout (and callers that use .front() can fail) until a registrar update backfills it. Please migrate scriptPayout to LegacyPayoutAsList when any non-registrar version bump crosses ExtAddr.
Useful? React with 👍 / 👎.
thepastaclaw
left a comment
There was a problem hiding this comment.
Preliminary review — Codex only
Carried-forward prior findings: all four remain valid at their rebased commits and are retained below. New findings in latest delta: none; the range-diff confirms the latest push is a substantially equivalent rebase and the final regression-test commit is unchanged. Separate cumulative source verification confirms two blocking issues: version-3 ProRegTx data is reinterpreted incompatibly, and v1-to-v3 state upgrades retain the legacy operator-key encoding.
Validated blockers were found in the Codex precheck. Sonnet is deferred until a fresh Codex revalidation clears the blocker gate.
Review provenance
- Codex reviewers:
gpt-5.6-sol— general (completed),gpt-5.6-sol— dash-core-commit-history (completed) - Verifier:
gpt-5.6-sol— verifier - Sonnet: not run (deferred by blocker gate)
🔴 2 blocking | 🟡 2 suggestion(s) | 💬 1 nitpick(s)
4 additional finding(s) omitted (not in diff).
1 carried-forward finding(s) already raised on this PR; not re-posting as new inline comments.
🤖 Prompt for all review comments with AI agents
These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.
In `src/evo/providertx.h`:
- [BLOCKING] src/evo/providertx.h:105-114: Do not reinterpret existing version-3 ProRegTx payloads
Before this PR, version 3 serialized a single `scriptPayout`; only version 4 serialized a payout count followed by `MasternodePayoutShare` records. The same version-3 bytes are now decoded using the version-4 layout, so an existing v3 payload's script length becomes the payout count and the remaining fields become misaligned. Such transactions cannot be reliably replayed, and the equivalent threshold change in `CDeterministicMNState` also makes existing full v3 EvoDB states incompatible. This is reachable on persistent devnets because their v24 deployment has been eligible since July 2025. Preserve the old v3 representation or introduce a distinct version and an explicit compatibility/reset path.
In `src/evo/specialtxman.cpp`:
- [BLOCKING] src/evo/specialtxman.cpp:47-55: Normalize and re-key the operator key during v1-to-v3 upgrades
A post-v24 ProUpServTx can upgrade a v1 state to v3 without changing `pubKeyOperator`, and a same-key ProUpRegTx follows the same pattern. `SetStateVersion()` migrates payouts and netInfo but leaves `CBLSLazyPublicKey` encoded as legacy; the early return preserves that mismatch. Operator-key uniqueness is indexed by the wrapper's serialized `GetHash()`, while `UpdateUniqueProperty()` skips updates when two wrappers represent the same mathematical key. A v3 registration using the basic encoding of that existing key can therefore evade `bad-protx-dup-key`. Snapshot serialization can later normalize the wrapper without rebuilding the index, making acceptance dependent on reconstruction history. Re-encode the key for the target version, re-key the unique-property map when its serialized hash changes, and test duplicate rejection before and after reload.
In `<commit:82ea67efdf5>`:
- [SUGGESTION] <commit:82ea67efdf5>:1: Fold the payout migration fix and regression test into the version merge
Commit 82ea67efdf5 directly corrects behavior introduced by 811a222fdd5 by migrating `scriptPayout` before `SetStateVersion()` can return early, while 3742fe5aca0 adds the matching regression coverage. Leaving these separate makes the unsquashed history contain a known-bad intermediate version-merge commit where a v4-to-v3 state migration can lose the owner payout. Fold the correction and its regression coverage into 811a222fdd5.
In `<commit:203bf3f1795>`:
- [SUGGESTION] <commit:203bf3f1795>:1: Squash or reword the review-feedback test commit
Commit 203bf3f1795 retains the subject `test: address review comments about preserving v2 / v3 version for dmnstate`, which records transient review context instead of the durable behavior covered by the test. Fold it into the logical versioning change or reword it to describe v24 ProTx state-version preservation.
| const bool needs_extended = nVersion >= ProTxVersion::ExtAddr; | ||
| // Before the early-return: ProUpServ pre-sets nVersion, so migrate scriptPayout into the ExtAddr | ||
| // payout list here or it would be skipped. | ||
| if (needs_extended && state_mn.payouts.empty() && !state_mn.scriptPayout.empty()) { | ||
| state_mn.payouts = LegacyPayoutAsList(state_mn.scriptPayout); | ||
| state_mn.scriptPayout.clear(); | ||
| } | ||
| if (state_mn.nVersion == nVersion && state_mn.netInfo->CanStorePlatform() == needs_extended) { | ||
| return true; |
There was a problem hiding this comment.
🔴 Blocking: Normalize and re-key the operator key during v1-to-v3 upgrades
A post-v24 ProUpServTx can upgrade a v1 state to v3 without changing pubKeyOperator, and a same-key ProUpRegTx follows the same pattern. SetStateVersion() migrates payouts and netInfo but leaves CBLSLazyPublicKey encoded as legacy; the early return preserves that mismatch. Operator-key uniqueness is indexed by the wrapper's serialized GetHash(), while UpdateUniqueProperty() skips updates when two wrappers represent the same mathematical key. A v3 registration using the basic encoding of that existing key can therefore evade bad-protx-dup-key. Snapshot serialization can later normalize the wrapper without rebuilding the index, making acceptance dependent on reconstruction history. Re-encode the key for the target version, re-key the unique-property map when its serialized hash changes, and test duplicate rejection before and after reload.
source: ['codex']
|
This pull request has conflicts, please rebase. |
3742fe5 to
bab83b5
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bab83b52e5
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| if (target_version >= ProTxVersion::ExtAddr) { | ||
| newState->payouts = opt_proTx->nVersion >= ProTxVersion::ExtAddr |
There was a problem hiding this comment.
Normalize operator keys on registrar version promotion
When this branch now runs for target_version == ExtAddr, a legacy masternode can be promoted by a v3 ProUpRegTx that reuses the same operator key encoded with the basic scheme. The earlier operator_changed check stays false because lazy BLS keys compare by the underlying key, so the guarded SetLegacy(false) above is skipped and the in-memory v3 state plus unique-property map keep hashing the operator key with the legacy serialization until a reload. In that legacy-to-v3 registrar path, later duplicate checks against normal basic/v3 operator keys can miss; normalize pubKeyOperator whenever the target version crosses out of LegacyBLS, not only when the key changes.
Useful? React with 👍 / 👎.
bab83b5 to
ae6c94f
Compare
…rdingly code style
thepastaclaw
left a comment
There was a problem hiding this comment.
Preliminary review — Codex only
At exact head ae6c94f, both carried compatibility blockers remain: version-3 payload/state bytes are reinterpreted with the former version-4 payout layout, and v1-to-v3 promotion leaves the operator key and uniqueness index under incompatible encodings. All six indexed prior findings are STILL_VALID; the latest supplement only removes a redundant nested cs_main lock and introduces no new finding. Diff checks and Python syntax checks passed, but no configured C++ test binary was available.
Validated blockers were found in the Codex precheck. Sonnet is deferred until a fresh Codex revalidation clears the blocker gate.
Review provenance
- Codex reviewers:
gpt-5.6-sol— general (failed),gpt-5.6-sol— dash-core-commit-history (failed),gpt-5.6-sol— general (completed),gpt-5.6-sol— dash-core-commit-history (completed) - Verifier:
gpt-5.6-sol— verifier - Sonnet: not run (deferred by blocker gate)
🔴 2 blocking | 🟡 2 suggestion(s) | 💬 1 nitpick(s)
4 additional finding(s) omitted (not in diff).
2 carried-forward finding(s) already raised on this PR; not re-posting as new inline comments.
🤖 Prompt for all review comments with AI agents
These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.
In `src/evo/providertx.h`:
- [BLOCKING] src/evo/providertx.h:105-114: Do not reinterpret existing version-3 ProRegTx payloads
Before this PR, version 3 serialized scriptPayout, while only version 4 serialized a payout count followed by payout-share records. The current nVersion >= ExtAddr branch therefore decodes existing v3 bytes using a different layout: the script's CompactSize length becomes payouts_count and subsequent script bytes are consumed as payout records. The analogous threshold change in src/evo/dmnstate.h:104-107 also reinterprets persisted v3 deterministic-MN states, which were reachable through post-V24 service updates. Preserve the original v3 representation or introduce a distinct version with an explicit persistent-state migration.
In `<commit:fbf2b56f4af>`:
- [SUGGESTION] <commit:fbf2b56f4af>:1: Fold the payout migration fix and regression test into the version merge
Commit fbf2b56f4af corrects payout migration introduced by 8da92675008, while ae6c94f2466 adds the matching regression coverage. The unsquashed stack therefore retains an intermediate version-merge commit where promotion to v3 can lose the owner payout. Fold the correction and test into 8da92675008 so every retained commit has valid migration behavior.
In `<commit:b7092704cd7>`:
- [SUGGESTION] <commit:b7092704cd7>:1: Squash or reword the review-feedback test commit
Commit b7092704cd7 remains titled `test: address review comments about preserving v2 / v3 version for dmnstate`, which records transient review context instead of the durable behavior under test. Fold it into the relevant versioning change or reword it to describe V24 ProTx state-version preservation.
…dation This commit replaces usage of helpers GetPayload+IsTrivialValid to GetValidatedPayload It unifies validation between regression tests and production code and useful for the next commits in PR
CProRegTx and CProUpServTx used to be the only type of protx that have a different version. It is theoretically acceptable in assumption that there is no new features or version will ever be introduced for protx special transaction. Though, for better compatibility for futher version, unification, simplicity of documentation and to reduce user's confusions for after-v24 version of CProUpRegTx and CProUpRevTx are allowed to be "ext addresses" even they don't have any network related fields _at the moment_ So, since now: - version 1: legacy BLS, extended addresses disallowed (pre v19 fork) - version 2: basic BLS, extended addresses disallowed (since v19 fork) - version 3: basic BLS, extended addresses allowed, multi-payouts allowed (since v24 fork) NOTE: there are also classes CSimplifiedMNListEntry and CDeterministicMNState use the same enum for its version; moreover CDeterministicMNState inherits version directly from CProRegTx. This refactoring doesn't contradict or conflict this behavior
It helps to drop multiple circular dependencies for providertx <-> validation.h as a side effect
ae6c94f to
9a86b08
Compare
|
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits. |
|
Force-pushed to fix regression test failure after rebase on the top of CI should succeed now |
thepastaclaw
left a comment
There was a problem hiding this comment.
Preliminary review — Codex only
At exact HEAD 9a86b08, both carried-forward blocking compatibility defects and all four dispatcher-indexed history findings remain valid. No prior finding is resolved, and the latest delta introduces no new finding; it is a 16-commit rebase with base-context adaptations. git diff --check, Python syntax validation, and circular-dependency lint passed; no C++ test binary was available.
Validated blockers were found in the Codex precheck. Sonnet is deferred until a fresh Codex revalidation clears the blocker gate.
Review provenance
- Codex reviewers:
gpt-5.6-sol— general (failed),gpt-5.6-sol— dash-core-commit-history (failed),gpt-5.6-sol— general (failed),gpt-5.6-sol— dash-core-commit-history (failed),gpt-5.6-sol— general (completed),gpt-5.6-sol— dash-core-commit-history (completed) - Verifier:
gpt-5.6-sol— verifier - Sonnet: not run (deferred by blocker gate)
🔴 2 blocking | 🟡 2 suggestion(s) | 💬 1 nitpick(s)
4 additional finding(s) omitted (not in diff).
2 carried-forward finding(s) already raised on this PR; not re-posting as new inline comments.
🤖 Prompt for all review comments with AI agents
These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.
In `src/evo/providertx.h`:
- [BLOCKING] src/evo/providertx.h:105-114: Do not reinterpret existing version-3 ProRegTx payloads
Carried forward from 42f8aee6c200. Dash v23.1.7 serialized every version-3 ProRegTx with a single scriptPayout, while the pre-PR develop branch reserved the payout-count and payout-share layout for version 4. This branch changes the threshold to ExtAddr, so an existing v3 script's CompactSize length is decoded as payouts_count and the remaining bytes are consumed as payout records, causing historical v3 transactions to fail replay or decode incorrectly. The same threshold change in src/evo/dmnstate.h:104-107 reinterprets existing v3 deterministic-masternode state bytes. Version 3 was permitted after V24 activation, including persistent devnets whose deployment became eligible on July 1, 2025, and the PR description provides no reset or migration policy. Preserve the deployed v3 layout, introduce a distinct version for payout shares, or provide an explicit compatible migration path.
In `<commit:8b9c2e80532>`:
- [SUGGESTION] <commit:8b9c2e80532>:1: Fold the payout migration fix and regression test into the version merge
Carried forward from prior-2d624508-1. Commit 8b9c2e80532 directly corrects behavior introduced by c01a1ed19a7: it migrates scriptPayout before SetStateVersion() can return early and guards the consumer against the resulting empty payout list. Commit 9a86b0871a2 adds the corresponding regression test. Fold the correction and test into c01a1ed19a7 so the retained version-merge commit does not contain a known-bad state migration.
In `<commit:1c41191d363>`:
- [SUGGESTION] <commit:1c41191d363>:1: Squash or reword the review-feedback test commit
Carried forward from prior-2d624508-2. Commit 1c41191d363 remains titled test: address review comments about preserving v2 / v3 version for dmnstate, which records transient review context instead of the durable V24 behavior under test. Fold it into the logical versioning change or reword it to describe ProTx state-version preservation.
Issue being fixed or feature implemented
Until now, CProRegTx and CProUpServTx were the only ProTx subtypes that could carry a higher version (v3, ext-addresses). With v4 introduced with masternode payout this gap is even more strange.
What was done?
For better forward-compatibility, uniform documentation, and less user confusion, after v24 CProUpRegTx and CProUpRevTx are also allowed to use the "ext-addresses" version, even though they don't carry any network-related fields at the moment.
Functionality of "multi-payout" is merged to v3 protx; v4 protx are removed.
They both activated by v24 fork and that's possible that multiple-payout masternode is using external address; it's completely find situation and existing v4 separation is artificial.
From now on:
NOTE: CSimplifiedMNListEntry and CDeterministicMNState use the same enum for its version; moreover CDeterministicMNState inherits version directly from CProRegTx. This refactoring is possible due already existing versioning of state's object.
It also simplifies the implementation, drops the dependency of evo/providertx.h on validation.h and reduces the number of circular dependencies over evo/providertx.
The regression test now goes through the same GetValidatedPayload helper that consensus uses, instead of calling GetTxPayload + IsTriviallyValid directly.
How Has This Been Tested?
Run unit / functional tests.
Breaking Changes
After v24, CProUpRegTx and CProUpRevTx may now be serialized at version 3, which they were previously not eligible for. The bad-protx-version-tx-type consensus check is removed accordingly so these txes are accepted at version 3.
v4 protx is removed by merging functionality to v3. They are activated by the same fork and this diversion is not required.
Checklist: