API to find funding utxos in psbt

[violet360]

Current status

The API returns a vector of UTXOs and has return type Result<Vec<&TxOut>, Error>

Expected

The return statement should be of type sighash::Prevouts as pointed in #849

[Eunoia1729]

Nit: Next time you may avoid adding/removing blank lines.

[tcharding]

High level review only, thanks!

[Kixunil]

Thanks, the code looks almost good but we really have to fix two more issues I found.

There's another thing: should we use a dedicated error type? I tend towards yes but it can be done later as well. I suggest @violet360 if it's too overwhelming to you to add another error type leave it for later, if you feel like adding it you can do it within this PR.

FTR, this PR will most likely not go to the Taproot release anyway.

[Kixunil]

It doesn't "throw" and error though. It panics. In Rust the usual style of documenting panics is like this:

/// Returns an iterator for the funding UTXOs of the psbt
///
/// For each PSBT input that contains UTXO information `Ok` is returned containing that information.
/// The order of returned items is same as the order of inputs.
///
/// ## Errors
///
/// The function returns error when UTXO information is not present or is invalid.
///
/// ## Panics
///
/// The function panics if the length of transaction inputs is not equal to the length of PSBT inputs.

(See below for "or invalid" case.)

[Kixunil]

Note: you can avoid ref by borrowing: if let Some(witness_utxo) = &psbt_input.witness_utxo
I personally prefer this style and I think it's used in this library but not a big deal. ref has it's own appeal too.

Also perhaps using match on the whole thing would be clearer:

match (&psbt_input.witness_utxo, &psbt_input.non_witness_utxo) {
    (Some(witness_utxo), _) => Ok(witness_utxo),
    (None, Some(non_witness_utxo) => {
        ...
    },
    (None, None) => Err(Error::MissingUtxo),
}

[violet360]

Thanks, the code looks almost good but we really have to fix two more issues I found.

There's another thing: should we use a dedicated error type? I tend towards yes but it can be done later as well. I suggest @violet360 if it's too overwhelming to you to add another error type leave it for later, if you feel like adding it you can do it within this PR.

FTR, this PR will most likely not go to the Taproot release anyway.

yes I too was thinking about generating a seperate error type for psbts but thought it would be an overkill, will try committing that in this PR itself.....

[Kixunil]

Note that it still makes sense to also have the variants in Error and From<PsbtUtxoError> for Error

[Kixunil]

The code is acceptable now. Just some minor details.

Because it's a new non-essential feature this should be merged after 0.28 release.

[Kixunil]

This empty line seems unrelated. It'd be nice to remove it during next push.

[Kixunil]

This doesn't seem grammatically correct but as a non-native I'll defer this to @tcharding

[Kixunil]

Looks great, you just need to squash the commits into one.

[Kixunil]

Oh, forgot to comment before that "Output index should probably be "output index to be consistent with other messages. Sorry.

[tcharding]

Hash Parse Error: is wrong too, a patch put at the front of this PR cleaning that all up would be super useful if you can be bothered. Don't feel obliged though. You will likely touch this line when the error comment is changed anyways.

[tcharding]

Just a few comments, thanks.

[tcharding]

Suggested change

	///Missing both the witness and non-witness utxo
	/// Missing both the witness and non-witness utxo.

[tcharding]

Suggested change

	/// Triggered when output index goes out of bounds of the output in non witness utxo
	/// Triggered when output index does not exist in PSBT input (non-witness) UTXO.

Not sure if the content of this comment is correct but it shows a grammatical improvement, please modify as you see fit.

[Kixunil]

While strictly speaking correct, thinking of it in terms of "out of bounds" feels more natural to me. Won't block if others prefer your suggestion.

[tcharding]

Fair comment, this is a tricky little rustdoc to write succinctly.

[violet360]

out of bound seemed natural to me too, but whatever you guys prefer at the end though.

[tcharding]

How's this?

    /// Triggered when output index is out of bounds in relation to the output in non-witness UTXO.

[Kixunil]

Sounds good. But should it be "triggered"? Maybe "returned is better"?

[violet360]

In case of error, words like triggered, panic, etc. Sound more suitable than "returned".
Maybe "Triggered" would be more suitable here ?

[Kixunil]

My mental model in Rust is that errors are returned (well, they actually are :)). But honestly, I don't care much if others find "triggered" better.

[tcharding]

FWIW we have 'triggered' in one other place in the repo

git grep trig                                                                                                                                                              
src/blockdata/script.rs:1279:        // which triggerred overflow bugs on 32-bit machines in script formatting in the past.

I'm not fussed either way.

[tcharding]

Hash Parse Error: is wrong too, a patch put at the front of this PR cleaning that all up would be super useful if you can be bothered. Don't feel obliged though. You will likely touch this line when the error comment is changed anyways.

[tcharding]

Please no 'random' whitespace changes. The reason is that it makes reviewing the PR harder because reviewers must stop to think what is this, why is it being done, is it correct, is it a step backwards in readability. All easy questions but unnecessary for getting your work merged. The easier you make it for reviewers to ack your work the easier you'll get PR's merged, that's a win for everyone :)

[violet360]

Yes, silly mistake of mine ... will take care of it from next commits.

[tcharding]

Cheers mate, no stress. If I had a dollar for ever mistake I made in this repo in the last three months I'd be fiat rich :)

[dr-orlovsky]

Agree with other comments, just adding my 5 cents

[dr-orlovsky]

Suggested change

	assert_eq!(self.inputs.len(), self.unsigned_tx.input.len());
	assert_debug_eq!(self.inputs.len(), self.unsigned_tx.input.len());

[violet360]

Hi !
you meant debug_assert_eq! instead of assert_debug_eq! right ?

[dr-orlovsky]

Yes, sorry.

[sanket1729]

Sorry for the delayed review. This is a great shape after several iterations and thanks for addressing all the feedback @violet360 .

Everything is good from my side, just the final API naming.

[sanket1729]

On a similar theme for #861, I think we rename this to iter_funding_utxos?

[violet360]

yes, consider it done 👍🏻

[Kixunil]

@dr-orlovsky I disagree with it being debug assert. If the two have different length it's a clear inconsistency of input data and there's no good solution. Debug assert will just allow silent weird bugs in release.

Regarding naming, iter_ is acceptable but unnecessary. Neither str::bytes() nor str::chars() have iter_ prefix and it's fine. Agree with dropping get_ prefix. funding_utxos looks idiomatic and reads well to me.

[violet360]

I also want to improve the error management of psbt, I think there is a lot of room for that, planning to get that done in this PR itself, or maybe a new PR.
Although my suggestions can be wrong but point me in the right direction.

1. Should I create a separate enum psbt and add PsbtHash as the child enum, and add psbt as a child enum of Error, kinda like :

pub enum psbt {
...
  PsbtHash, // psbthash child enum of psbt
/// Missing both the witness and non-witness utxo.
  MissingUtxo,
/// Returned when output index is out of bounds in relation to the output in non-witness UTXO.
  PsbtUtxoOutOfbounds,
..
}
...
pub enum Error {
...
  psbt, 
...
}

2. seems like use psbt::raw <--> psbt::Error and consensus::encode<--> psbt::Error have a circular dependency, do we need to address that?

[sanket1729]

ACK 9f523e0. If there are further iterations, feel free to request review from me.

@dr-orlovsky I disagree with it being debug assert. If the two have different length it's a clear inconsistency of input data and there's no good solution. Debug assert will just allow silent weird bugs in release.

Indeed, asserts should be assert! instead of debug_assert! unless it benchmarked that it affects performance. I had a similar issue in taproot review.
#677 (comment)

Perhaps, that should also be updated to assert! and we can inspect the codebase for misc debug_assert! and change those to assert!

[sanket1729]

I also want to improve the error management of psbt, I think there is a lot of room for that, planning to get that done in this PR itself, or maybe a new PR.

That should be a separate PR.

@violet360, we should take this discussion to #837

[dr-orlovsky]

utACK 9f523e0

[dr-orlovsky]

@sanket1729 sorry, IDK why but your comment does not displays to me.

@Kixunil
My understanding is that whenever there is internal error in the logic of the code, it should be debug_assert*. assert*s are for tests, and if there might be a error in the input data, than it should be a Result with error type returned.

Here, if the supplied PSBT (as an input) have different number of inputs in tx and map, it must error at the moment it was unparsed into PartiallySignedTransaction structure. And if it was not, it is an internal program error.

[sanket1729]

@dr-orlovsky See: https://doc.rust-lang.org/std/macro.debug_assert.html

Quote from the docs:

Replacing assert! with debug_assert! is thus only encouraged after thorough profiling, and more importantly, only in safe code!

[dr-orlovsky]

@Kixunil seems like all your comments were addressed. Can you confirm so we can merge this one?

[Kixunil]

I view the logic bug similar to indexing out of bounds or calling copy_from_slice on non-equal-length slices. These always panic. If the type guaranteed consistency then I'd be in favor of debug_assert!. The code currently can not guarantee consistency because the fields are public. You can construct inconsistent PSBT by just forgetting to push stuff. We could also return Err instead of panicking but this kind of error can only be caused by buggy code, not input data.

You could argue this is not memory-safety issue but I view bugs in bitcoin-related code as seriously as memory safety. People could lose sats.

V2 API will remove this by construction but until then assert_eq! should be the most idiomatic approach.

[violet360]

sorry for the late comment...was busy with some other stuff lately
it seems there is a disagreement at the panic statement, altho I too lean towards !assert_eq but not by experience but by the docs as pointed out by @sanket1729 .
can we conclude?

[tcharding]

it seems there is a disagreement at the panic statement

FWIW, from my reading of this thread there is consensus on assert_eq!.

[Kixunil]

ACK 5afb0ea

[tcharding]

ACK 5afb0ea

[sanket1729]

ACK 5afb0ea. Thanks for being patient with this.

[DanGould]

This interface does not return complete information about the funding utxo. it only returns psbt v0 input map info: TxOut which has script_pubkey and value. Unfortunately, txid, vout, sequence number, and locktime are still only the global map's unsigned_tx. So if for example you want to check some psbt set of input utxos against those in your wallet, as is a standard receiver payjoin check, you need data beyond what this function returns.

It would be nice in the PSBTv2 implementation to return an Input map element with that complete set of data rather than just a TxOut { script_pubkey, locktime}