| blob | 1d969fc7c1163f2d6aebbd418ae503bffebcd5d1 |
1 #!/usr/bin/env python3
2 # Copyright (c) 2015-2016 The Bitcoin Core developers
3 # Distributed under the MIT software license, see the accompanying
4 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
5 """Test block processing.
7 This reimplements tests from the bitcoinj/FullBlockTestGenerator used
8 by the pull-tester.
10 We use the testing framework in which we expect a particular answer from
11 each test.
12 """
18 import time
21 import struct
28 # Use this class for tests that require behavior other than normal "mininode" behavior.
29 # For now, it is used to serialize a bloated varint (b64).
44 return r
49 return r
52 # Can either run this test as 1 node with expected answers, or two and compare them.
53 # Change the "outcome" variable from each TestInstance object to only do the comparison.
78 # this is a little handier to use than the version in blocktools.py
81 return tx
83 # sign a transaction, using the key we know about
84 # this signs input 0 in tx, which is assumed to be spending output n in spend_tx
89 return
91 tx.vin[0].scriptSig = CScript([self.coinbase_key.sign(sighash) + bytes(bytearray([SIGHASH_ALL]))])
97 return tx
99 def next_block(self, number, spend=None, additional_coinbase_value=0, script=CScript([OP_TRUE]), solve=True):
106 # First create the coinbase
127 return block
132 spendable_outputs = []
134 # save the current tip so it can be spent by a later block
138 # get an output that we previously marked as spendable
142 # returns a test case that asserts that the current tip was accepted
146 # returns a test case that asserts that the current tip was rejected
153 # move the tip back to a previous block
157 # adds transactions to the block and updates state
164 # Update the internal state just like in next_block
170 return block
172 # shorthand for functions
177 # these must be updated if consensus changes
181 # Create a new block
187 # Now we need that block to mature so we can spend the coinbase.
193 yield test
195 # collect spendable outputs now to avoid cluttering the code later on
196 out = []
200 # Start by building a couple of blocks on top (which output is spent is
201 # in parentheses):
202 # genesis -> b1 (0) -> b2 (1)
211 # so fork like this:
212 #
213 # genesis -> b1 (0) -> b2 (1)
214 # \-> b3 (1)
215 #
216 # Nothing should happen at this point. We saw b2 first so it takes priority.
223 # Now we add another block to make the alternative chain longer.
224 #
225 # genesis -> b1 (0) -> b2 (1)
226 # \-> b3 (1) -> b4 (2)
231 # ... and back to the first chain.
232 # genesis -> b1 (0) -> b2 (1) -> b5 (2) -> b6 (3)
233 # \-> b3 (1) -> b4 (2)
242 # Try to create a fork that double-spends
243 # genesis -> b1 (0) -> b2 (1) -> b5 (2) -> b6 (3)
244 # \-> b7 (2) -> b8 (4)
245 # \-> b3 (1) -> b4 (2)
253 # Try to create a block that has too much fee
254 # genesis -> b1 (0) -> b2 (1) -> b5 (2) -> b6 (3)
255 # \-> b9 (4)
256 # \-> b3 (1) -> b4 (2)
261 # Create a fork that ends in a block with too much fee (the one that causes the reorg)
262 # genesis -> b1 (0) -> b2 (1) -> b5 (2) -> b6 (3)
263 # \-> b10 (3) -> b11 (4)
264 # \-> b3 (1) -> b4 (2)
273 # Try again, but with a valid fork first
274 # genesis -> b1 (0) -> b2 (1) -> b5 (2) -> b6 (3)
275 # \-> b12 (3) -> b13 (4) -> b14 (5)
276 # (b12 added last)
277 # \-> b3 (1) -> b4 (2)
282 # Deliver the block header for b12, and the block b13.
283 # b13 should be accepted but the tip won't advance until b12 is delivered.
287 # b14 is invalid, but the node won't know that until it tries to connect
288 # Tip still can't advance because b12 is missing
294 # Add a block with MAX_BLOCK_SIGOPS and one with one more sigop
295 # genesis -> b1 (0) -> b2 (1) -> b5 (2) -> b6 (3)
296 # \-> b12 (3) -> b13 (4) -> b15 (5) -> b16 (6)
297 # \-> b3 (1) -> b4 (2)
299 # Test that a block with a lot of checksigs is okay
307 # Test that a block with too many checksigs is rejected
313 # Attempt to spend a transaction created on a different fork
314 # genesis -> b1 (0) -> b2 (1) -> b5 (2) -> b6 (3)
315 # \-> b12 (3) -> b13 (4) -> b15 (5) -> b17 (b3.vtx[1])
316 # \-> b3 (1) -> b4 (2)
321 # Attempt to spend a transaction created on a different fork (on a fork this time)
322 # genesis -> b1 (0) -> b2 (1) -> b5 (2) -> b6 (3)
323 # \-> b12 (3) -> b13 (4) -> b15 (5)
324 # \-> b18 (b3.vtx[1]) -> b19 (6)
325 # \-> b3 (1) -> b4 (2)
333 # Attempt to spend a coinbase at depth too low
334 # genesis -> b1 (0) -> b2 (1) -> b5 (2) -> b6 (3)
335 # \-> b12 (3) -> b13 (4) -> b15 (5) -> b20 (7)
336 # \-> b3 (1) -> b4 (2)
341 # Attempt to spend a coinbase at depth too low (on a fork this time)
342 # genesis -> b1 (0) -> b2 (1) -> b5 (2) -> b6 (3)
343 # \-> b12 (3) -> b13 (4) -> b15 (5)
344 # \-> b21 (6) -> b22 (5)
345 # \-> b3 (1) -> b4 (2)
353 # Create a block on either side of MAX_BLOCK_BASE_SIZE and make sure its accepted/rejected
354 # genesis -> b1 (0) -> b2 (1) -> b5 (2) -> b6 (3)
355 # \-> b12 (3) -> b13 (4) -> b15 (5) -> b23 (6)
356 # \-> b24 (6) -> b25 (7)
357 # \-> b3 (1) -> b4 (2)
366 # Make sure the math above worked out to produce a max-sized block
371 # Make the next block one byte bigger and check that it fails
384 # Create blocks with a coinbase input script size out of range
385 # genesis -> b1 (0) -> b2 (1) -> b5 (2) -> b6 (3)
386 # \-> b12 (3) -> b13 (4) -> b15 (5) -> b23 (6) -> b30 (7)
387 # \-> ... (6) -> ... (7)
388 # \-> b3 (1) -> b4 (2)
393 # update_block causes the merkle root to get updated, even with no new
394 # transactions, and updates the required state.
398 # Extend the b26 chain to make sure bitcoind isn't accepting b26
402 # Now try a too-large-coinbase script
410 # Extend the b28 chain to make sure bitcoind isn't accepting b28
414 # b30 has a max-sized coinbase scriptSig.
423 # b31 - b35 - check sigops of OP_CHECKMULTISIG / OP_CHECKMULTISIGVERIFY / OP_CHECKSIGVERIFY
424 #
425 # genesis -> ... -> b30 (7) -> b31 (8) -> b33 (9) -> b35 (10)
426 # \-> b36 (11)
427 # \-> b34 (10)
428 # \-> b32 (9)
429 #
431 # MULTISIG: each op code counts as 20 sigops. To create the edge case, pack another 19 sigops at the end.
432 lots_of_multisigs = CScript([OP_CHECKMULTISIG] * ((MAX_BLOCK_SIGOPS-1) // 20) + [OP_CHECKSIG] * 19)
438 # this goes over the limit because the coinbase has one sigop
445 # CHECKMULTISIGVERIFY
447 lots_of_multisigs = CScript([OP_CHECKMULTISIGVERIFY] * ((MAX_BLOCK_SIGOPS-1) // 20) + [OP_CHECKSIG] * 19)
457 # CHECKSIGVERIFY
469 # Check spending of a transaction in a block which failed to connect
470 #
471 # b6 (3)
472 # b12 (3) -> b13 (4) -> b15 (5) -> b23 (6) -> b30 (7) -> b31 (8) -> b33 (9) -> b35 (10)
473 # \-> b37 (11)
474 # \-> b38 (11/37)
475 #
477 # save 37's spendable output, but then double-spend out11 to invalidate the block
485 # attempt to spend b37's first non-coinbase tx, at which point b37 was still considered valid
490 # Check P2SH SigOp counting
491 #
492 #
493 # 13 (4) -> b15 (5) -> b23 (6) -> b30 (7) -> b31 (8) -> b33 (9) -> b35 (10) -> b39 (11) -> b41 (12)
494 # \-> b40 (12)
495 #
496 # b39 - create some P2SH outputs that will require 6 sigops to spend:
497 #
498 # redeem_script = COINBASE_PUBKEY, (OP_2DUP+OP_CHECKSIGVERIFY) * 5, OP_CHECKSIG
499 # p2sh_script = OP_HASH160, ripemd160(sha256(script)), OP_EQUAL
500 #
506 # Build the redeem script, hash it, use hash to create the p2sh script
507 redeem_script = CScript([self.coinbase_pubkey] + [OP_2DUP, OP_CHECKSIGVERIFY]*5 + [OP_CHECKSIG])
511 # Create a transaction that spends one satoshi to the p2sh_script, the rest to OP_TRUE
512 # This must be signed because it is spending a coinbase
521 # Until block is full, add tx's with 1 satoshi to p2sh_script, the rest to OP_TRUE
523 tx_last = tx
531 break
533 tx_last = tx_new
541 # Test sigops in P2SH redeem scripts
542 #
543 # b40 creates 3333 tx's spending the 6-sigop P2SH outputs from b39 for a total of 19998 sigops.
544 # The first tx has one sigop and then at the end we add 2 more to put us just over the max.
545 #
546 # b41 does the same, less one, so it has the maximum sigops permitted.
547 #
555 new_txs = []
560 # second input is corresponding P2SH output from b39
562 # Note: must pass the redeem_script (not p2sh_script) to the signature hash function
581 # same as b40, but one less sigop
593 # Fork off of b39 to create a constant base again
594 #
595 # b23 (6) -> b30 (7) -> b31 (8) -> b33 (9) -> b35 (10) -> b39 (11) -> b42 (12) -> b43 (13)
596 # \-> b41 (12)
597 #
608 # Test a number of really invalid scenarios
609 #
610 # -> b31 (8) -> b33 (9) -> b35 (10) -> b39 (11) -> b42 (12) -> b43 (13) -> b44 (14)
611 # \-> ??? (15)
613 # The next few blocks are going to be created "by hand" since they'll do funky things, such as having
614 # the first transaction be non-coinbase, etc. The purpose of b44 is to make sure this works.
629 # A block with a non-coinbase as the first tx
644 # A block with no txns
660 # A block with invalid work
669 # A block with timestamp > 2 hrs in the future
676 # A block with an invalid merkle hash
683 # A block with an incorrect POW limit
690 # A block with two coinbase txns
697 # A block w/ duplicate txns
698 # Note: txns have to be in the right position in the merkle tree to trigger this error
705 # Test block timestamps
706 # -> b31 (8) -> b33 (9) -> b35 (10) -> b39 (11) -> b42 (12) -> b43 (13) -> b53 (14) -> b55 (15)
707 # \-> b54 (15)
708 #
714 # invalid timestamp (b35 is 5 blocks back, so its time is MedianTimePast)
720 # valid timestamp
729 # Test CVE-2012-2459
730 #
731 # -> b42 (12) -> b43 (13) -> b53 (14) -> b55 (15) -> b57p2 (16)
732 # \-> b57 (16)
733 # \-> b56p2 (16)
734 # \-> b56 (16)
735 #
736 # Merkle tree malleability (CVE-2012-2459): repeating sequences of transactions in a block without
737 # affecting the merkle root of a block, while still invalidating it.
738 # See: src/consensus/merkle.h
739 #
740 # b57 has three txns: coinbase, tx, tx1. The merkle root computation will duplicate tx.
741 # Result: OK
742 #
743 # b56 copies b57 but duplicates tx1 and does not recalculate the block hash. So it has a valid merkle
744 # root but duplicate transactions.
745 # Result: Fails
746 #
747 # b57p2 has six transactions in its merkle tree:
748 # - coinbase, tx, tx1, tx2, tx3, tx4
749 # Merkle root calculation will duplicate as necessary.
750 # Result: OK.
751 #
752 # b56p2 copies b57p2 but adds both tx3 and tx4. The purpose of the test is to make sure the code catches
753 # duplicate txns that are not next to one another with the "bad-txns-duplicate" error (which indicates
754 # that the error was caught early, avoiding a DOS vulnerability.)
756 # b57 - a good block with 2 txs, don't submit until end
763 # b56 - copy b57, add a duplicate tx
772 # b57p2 - a good block with 6 tx'es, don't submit until end
782 # b56p2 - copy b57p2, duplicate two non-consecutive tx's
798 # Test a few invalid tx types
799 #
800 # -> b35 (10) -> b39 (11) -> b42 (12) -> b43 (13) -> b53 (14) -> b55 (15) -> b57 (16) -> b60 (17)
801 # \-> ??? (17)
802 #
804 # tx with prevout.n out of range
815 # tx with output value > input value out of range
822 # reset to good chain
828 # Test BIP30
829 #
830 # -> b39 (11) -> b42 (12) -> b43 (13) -> b53 (14) -> b55 (15) -> b57 (16) -> b60 (17)
831 # \-> b61 (18)
832 #
833 # Blocks are not allowed to contain a transaction whose id matches that of an earlier,
834 # not-fully-spent transaction in the same chain. To test, make identical coinbases;
835 # the second one should be rejected.
836 #
846 # Test tx.isFinal is properly rejected (not an exhaustive tx.isFinal test, that should be in data-driven transaction tests)
847 #
848 # -> b39 (11) -> b42 (12) -> b43 (13) -> b53 (14) -> b55 (15) -> b57 (16) -> b60 (17)
849 # \-> b62 (18)
850 #
864 # Test a non-final coinbase is also rejected
865 #
866 # -> b39 (11) -> b42 (12) -> b43 (13) -> b53 (14) -> b55 (15) -> b57 (16) -> b60 (17)
867 # \-> b63 (-)
868 #
878 # This checks that a block with a bloated VARINT between the block_header and the array of tx such that
879 # the block is > MAX_BLOCK_BASE_SIZE with the bloated varint, but <= MAX_BLOCK_BASE_SIZE without the bloated varint,
880 # does not cause a subsequent, identical block with canonical encoding to be rejected. The test does not
881 # care whether the bloated block is accepted or rejected; it only cares that the second block is accepted.
882 #
883 # What matters is that the receiving node should not reject the bloated block, and then reject the canonical
884 # block on the basis that it's the same as an already-rejected block (which would be a consensus failure.)
885 #
886 # -> b39 (11) -> b42 (12) -> b43 (13) -> b53 (14) -> b55 (15) -> b57 (16) -> b60 (17) -> b64 (18)
887 # \
888 # b64a (18)
889 # b64a is a bloated block (non-canonical varint)
890 # b64 is a good block (same as b64 but w/ canonical varint)
891 #
895 # make it a "broken_block," with non-canonical serialization
902 # use canonical serialization to calculate size
911 # comptool workaround: to make sure b64 is delivered, manually erase b64a from blockstore
924 # Spend an output created in the block itself
925 #
926 # -> b42 (12) -> b43 (13) -> b53 (14) -> b55 (15) -> b57 (16) -> b60 (17) -> b64 (18) -> b65 (19)
927 #
936 # Attempt to spend an output created later in the same block
937 #
938 # -> b43 (13) -> b53 (14) -> b55 (15) -> b57 (16) -> b60 (17) -> b64 (18) -> b65 (19)
939 # \-> b66 (20)
947 # Attempt to double-spend a transaction created in a block
948 #
949 # -> b43 (13) -> b53 (14) -> b55 (15) -> b57 (16) -> b60 (17) -> b64 (18) -> b65 (19)
950 # \-> b67 (20)
951 #
952 #
961 # More tests of block subsidy
962 #
963 # -> b43 (13) -> b53 (14) -> b55 (15) -> b57 (16) -> b60 (17) -> b64 (18) -> b65 (19) -> b69 (20)
964 # \-> b68 (20)
965 #
966 # b68 - coinbase with an extra 10 satoshis,
967 # creates a tx that has 9 satoshis from out[20] go to fees
968 # this fails because the coinbase is trying to claim 1 satoshi too much in fees
969 #
970 # b69 - coinbase with extra 10 satoshis, and a tx that gives a 10 satoshi fee
971 # this succeeds
972 #
986 # Test spending the outpoint of a non-existent transaction
987 #
988 # -> b53 (14) -> b55 (15) -> b57 (16) -> b60 (17) -> b64 (18) -> b65 (19) -> b69 (20)
989 # \-> b70 (21)
990 #
994 bogus_tx.sha256 = uint256_from_str(b"23c70ed7c0506e9178fc1a987f40a33946d4ad4c962b5ae3a52546da53af0c5c")
1002 # Test accepting an invalid block which has the same hash as a valid one (via merkle tree tricks)
1003 #
1004 # -> b53 (14) -> b55 (15) -> b57 (16) -> b60 (17) -> b64 (18) -> b65 (19) -> b69 (20) -> b72 (21)
1005 # \-> b71 (21)
1006 #
1007 # b72 is a good block.
1008 # b71 is a copy of 72, but re-adds one of its transactions. However, it has the same hash as b71.
1009 #
1031 # Test some invalid scripts and MAX_BLOCK_SIGOPS
1032 #
1033 # -> b55 (15) -> b57 (16) -> b60 (17) -> b64 (18) -> b65 (19) -> b69 (20) -> b72 (21)
1034 # \-> b** (22)
1035 #
1037 # b73 - tx with excessive sigops that are placed after an excessively large script element.
1038 # The purpose of the test is to make sure those sigops are counted.
1039 #
1040 # script is a bytearray of size 20,526
1041 #
1042 # bytearray[0-19,998] : OP_CHECKSIG
1043 # bytearray[19,999] : OP_PUSHDATA4
1044 # bytearray[20,000-20,003]: 521 (max_script_element_size+1, in little-endian format)
1045 # bytearray[20,004-20,525]: unread data (script_element)
1046 # bytearray[20,526] : OP_CHECKSIG (this puts us over the limit)
1047 #
1065 # b74/75 - if we push an invalid script element, all prevous sigops are counted,
1066 # but sigops after the element are not counted.
1067 #
1068 # The invalid script element is that the push_data indicates that
1069 # there will be a large amount of data (0xffffff bytes), but we only
1070 # provide a much smaller number. These bytes are CHECKSIGS so they would
1071 # cause b75 to fail for excessive sigops, if those bytes were counted.
1072 #
1073 # b74 fails because we put MAX_BLOCK_SIGOPS+1 before the element
1074 # b75 succeeds because we put MAX_BLOCK_SIGOPS before the element
1075 #
1076 #
1104 # Check that if we push an element filled with CHECKSIGs, they are not counted
1115 # Test transaction resurrection
1116 #
1117 # -> b77 (24) -> b78 (25) -> b79 (26)
1118 # \-> b80 (25) -> b81 (26) -> b82 (27)
1119 #
1120 # b78 creates a tx, which is spent in b79. After b82, both should be in mempool
1121 #
1122 # The tx'es must be unsigned and pass the node's mempool policy. It is unsigned for the
1123 # rather obscure reason that the Python signature code does not distinguish between
1124 # Low-S and High-S values (whereas the bitcoin code has custom code which does so);
1125 # as a result of which, the odds are 50% that the python code will use the right
1126 # value and the transaction will be accepted into the mempool. Until we modify the
1127 # test framework to support low-S signing, we are out of luck.
1128 #
1129 # To get around this issue, we construct transactions which are not signed and which
1130 # spend to OP_TRUE. If the standard-ness rules change, this test would need to be
1131 # updated. (Perhaps to spend to a P2SH OP_TRUE script)
1132 #
1150 # mempool should be empty
1166 # now check that tx78 and tx79 have been put back into the peer's mempool
1173 # Test invalid opcodes in dead execution paths.
1174 #
1175 # -> b81 (26) -> b82 (27) -> b83 (28)
1176 #
1191 # Reorg on/off blocks that have OP_RETURN in them (and try to spend them)
1192 #
1193 # -> b81 (26) -> b82 (27) -> b83 (28) -> b84 (29) -> b87 (30) -> b88 (31)
1194 # \-> b85 (29) -> b86 (30) \-> b89a (32)
1195 #
1196 #
1234 # trying to spend the OP_RETURN output is rejected
1241 # Test re-org of a week's worth of blocks (1088 blocks)
1242 # This test takes a minute or two and can be accomplished in memory
1243 #
1262 yield test1
1263 chain1_tip = i
1265 # now create alt chain of same length
1271 yield test2
1273 # extend alt chain to trigger re-org
1277 # ... and re-org back to the first chain