Behaviour of OP_CHECKMULTISIG in bitcoind docs not match docs

[gsalgado]

Location: https://bitcoin.org/en/developer-reference#term-op-checkmultisig

The dev guide says that OP_CHECKMULTISIG "[...] compares each of public keys against each of the signatures looking for ECDSA matches", but bitcoind doesn't seem to do that. Instead, for every signature it starts looking for a matching pubkey from the pubkey that last matched a signature.

If my reading of the code is correct, a redeem script of the form "sig2 sig1 2 pubkey1 pubkey2 pubkey3 3 OP_CHECKMULTISIG" would evaluate to false in bitcoind but the docs suggest that would work.

[harding]

@gsalgado nice catch! Thanks! I just read the function, and it seems to match your description, so I'll update the docs. (Although I'm pasting annotated Bitcoin Core code below in case somebody knows I'm misreading it.)

bool fSuccess = true;
while (fSuccess && nSigsCount > 0)
{
    valtype& vchSig    = stacktop(-isig);
    valtype& vchPubKey = stacktop(-ikey);

    // Check signature
    //G sig2 sig1 2 pubkey1 pubkey2 pubkey3 3 would fail
    //
    //H Iteration 1: CheckSig(sig2, pubkey1)
    //H    FAIL: isig is not increased; ikey is increased
    //H Iteration 2: CheckSig(sig2, pubkey2)
    //H    SUCCESS: isig is increased; ikey is increased
    //H Iteration 3: CheckSig(sig1, pubkey3)
    //H    FAIL: ikey is increased
    //H    ULTIMATE FAIL, no more keys to check
    if (CheckSig(vchSig, vchPubKey, scriptCode, txTo, nIn, nHashType))
    {
        isig++;
        nSigsCount--;
    }
    ikey++;
    nKeysCount--;

    // If there are more signatures left than keys left,
    // then too many signatures have failed
    if (nSigsCount > nKeysCount)
        fSuccess = false;

}

[gsalgado]

Thanks for taking care of that, @harding !