Add compile time verification of assumptions we're currently making implicitly/tacitly

[practicalswift]

Add compile time verification of assumptions we're currently making implicitly/tacitly.

As suggested by @sipa in #14239 (comment) and @MarcoFalke in #14479 (comment).

[gmaxwell]

It would be useful for it to get compiled, at least AFAICT adding a false assumption here won't make it fail. :) Concept ACK. Maybe also the #if defined(NDEBUG)? check? Probably every other primitive type we depend on the size of, including the unsigned ones.

[maflcko]

You are only adding a header. Does this need to be included in a cpp file to get compiled?

[practicalswift]

@gmaxwell @MarcoFalke Yes, obviously it needs to be included :-) The inclusion somehow got lost during my latest git commit --amend fixup. Fixing!

[practicalswift]

Now including from src/util/system.h which also is the most included file FWIW :-)

$ git grep -E "^#include " -- "*.cpp" | cut -f2 -d'<' | cut -f1 -d'>' | sort | uniq -c | \
      sort -n | tail -1
     99 util/system.h

Let me know if you can think of a more appropriate file for the include.

[practicalswift]

Added a couple of assumptions and listed important "non-assumptions".

Please help me identify further assumptions and corresponding examples of where we are relying on said assumptions :-)

[jb55]

utACK 8add86e

[practicalswift]

@jb55 Thanks for the review! Can you think of any further assumptions and examples of where we rely on them being true? :-)

[practicalswift]

Moved to src/compat/ and added an explicit non-assumption regarding size_t :-)

[jb55]

re-utACK 7548e6e

[laanwj]

utACK 7548e6e
I'm not 100% sure we make the int=32 bit assumption (more like "int is at least 32 bit" I think? otherwise we use explicitly sized types like int32_t), but I doubt anyone ever tested the code on an architecture with a different integer size so I'm fine with making the assumption.

[practicalswift]

@laanwj If I'm reading GetSizeOfCompactSize, WriteCompactSize and ReadCompactSize correctly we're assuming that int has a width of exactly 32 bits, no?

Example:

/**
 * Compact Size
 * size <  253        -- 1 byte
 * size <= USHRT_MAX  -- 3 bytes  (253 + 2 bytes)
 * size <= UINT_MAX   -- 5 bytes  (254 + 4 bytes)
 * size >  UINT_MAX   -- 9 bytes  (255 + 8 bytes)
 */
inline unsigned int GetSizeOfCompactSize(uint64_t nSize)
{
    if (nSize < 253)             return sizeof(unsigned char);
    else if (nSize <= std::numeric_limits<unsigned short>::max()) return sizeof(unsigned char) + sizeof(unsigned short);
    else if (nSize <= std::numeric_limits<unsigned int>::max())  return sizeof(unsigned char) + sizeof(unsigned int);
    else                         return sizeof(unsigned char) + sizeof(uint64_t);
}

[practicalswift]

@jb55 @laanwj Please re-review after s/BITCOIN_ASSUMPTIONS_H/BITCOIN_COMPAT_ASSUMPTIONS_H/g

[laanwj]

@laanwj If I'm reading GetSizeOfCompactSize, WriteCompactSize and ReadCompactSize correctly we're assuming that int has a width of exactly 32 bits?

You're right, thanks for giving an example.

[maflcko]

Would it make sense to refer to an example for each assumption. That way, we know of at least one example. An alternative would be to just inline the assumptions where they are needed.

[practicalswift]

@MarcoFalke I'm not sure I follow: the examples have been there since this PR first was submitted? :-)

In this specific case the following has been in there all along:

// Assumption: We assume integer widths.
// Example(s): GetSizeOfCompactSize and WriteCompactSize in the serialization
//             code.
static_assert(sizeof(short) == 2, "16-bit short assumed");
static_assert(sizeof(int) == 4, "32-bit int assumed");

:-)

[maflcko]

Ok, my bad. I must have missed them when I last looked at it a few days ago.

[maflcko]

ACK 7cee858

[DrahtBot]

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #15146 (Solve SmartOS FD_ZERO build issue by Empact)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

[sipa]

utACK 7cee858