Merge branch 'develop' of https://github.com/dashpay/dash into develop

.cirrus.yml

@@ -128,7 +128,10 @@ task:
   << : *GLOBAL_TASK_TEMPLATE
   container:
     image: ubuntu:focal
+    cpu: 4  # Increase CPU and memory to avoid timeout
+    memory: 16G
   env:
+    MAKEJOBS: "-j8"
     FILE_ENV: "./ci/test/00_setup_env_native_fuzz.sh"
 
 task:

.github/ISSUE_TEMPLATE/good_first_issue.md

@@ -15,7 +15,7 @@ assignees: ''
 
 #### Useful skills:
 
-<!-- (For example, “C++11 std::thread”, “Qt5 GUI and async GUI design” or “basic understanding of Bitcoin mining and the Bitcoin Core RPC interface”.) -->
+<!-- (For example, “std::thread”, “Qt5 GUI and async GUI design” or “basic understanding of Bitcoin mining and the Bitcoin Core RPC interface”.) -->
 
 #### Want to work on this issue?
 

.github/workflows/guix-build.yml

@@ -1,15 +1,18 @@
 name: Guix Build
 
+permissions:
+  packages: write
+
 on:
-  pull_request:
-    types: [ labeled ]
-  workflow_dispatch:
+  pull_request_target:
+  push:
 
 jobs:
-  build:
-    runs-on: [ "self-hosted", "linux", "x64", "ubuntu-core" ]
-    if: contains(github.event.pull_request.labels.*.name, 'guix-build')
-    timeout-minutes: 480
+  build-image:
+    runs-on: ubuntu-latest
+    outputs:
+      image-tag: ${{ steps.prepare.outputs.image-tag }}
+      repo-name: ${{ steps.prepare.outputs.repo-name }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -22,37 +25,72 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Commit variables
-        id: dockerfile
+        id: prepare
         run: |
           echo "hash=$(sha256sum ./dash/contrib/containers/guix/Dockerfile | cut -d ' ' -f1)" >> $GITHUB_OUTPUT
           echo "host_user_id=$(id -u)" >> $GITHUB_OUTPUT
           echo "host_group_id=$(id -g)" >> $GITHUB_OUTPUT
+          BRANCH_NAME=$(echo "${GITHUB_REF##*/}" | tr '[:upper:]' '[:lower:]')
+          REPO_NAME=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
+          echo "::set-output name=image-tag::${BRANCH_NAME}"
+          echo "::set-output name=repo-name::${REPO_NAME}"
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: ${{ github.workspace }}/dash
           build-args: |
-            USER_ID=${{ steps.dockerfile.outputs.host_user_id }}
-            GROUP_ID=${{ steps.dockerfile.outputs.host_group_id }}
+            USER_ID=${{ steps.prepare.outputs.host_user_id }}
+            GROUP_ID=${{ steps.prepare.outputs.host_group_id }}
           build-contexts: |
             docker_root=${{ github.workspace }}/dash/contrib/containers/guix
           file: ./dash/contrib/containers/guix/Dockerfile
-          load: true
-          tags: guix_ubuntu:latest
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          push: true
+          tags: |
+            ghcr.io/${{ steps.prepare.outputs.repo-name }}/dashcore-guix-builder:${{ steps.prepare.outputs.image-tag }}
+            ghcr.io/${{ steps.prepare.outputs.repo-name }}/dashcore-guix-builder:latest
+          cache-from: type=registry,ref=ghcr.io/${{ steps.prepare.outputs.repo-name }}/dashcore-guix-builder:latest
+          cache-to: type=inline,mode=max
+
+  build:
+    needs: build-image
+    # runs-on: [ "self-hosted", "linux", "x64", "ubuntu-core" ]
+    runs-on: ubuntu-latest
+#    if: ${{ contains(github.event.pull_request.labels.*.name, 'guix-build') }}
+    strategy:
+      matrix:
+        build_target: [x86_64-linux-gnu, arm-linux-gnueabihf, aarch64-linux-gnu, riscv64-linux-gnu, x86_64-w64-mingw32, x86_64-apple-darwin, arm64-apple-darwin]
 
-      - name: Restore Guix cache and depends
+    timeout-minutes: 480
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: dash
+          fetch-depth: 0
+
+      - name: Cache Guix and depends
         id: guix-cache-restore
-        uses: actions/cache/restore@v3
+        uses: actions/cache@v3
         with:
           path: |
             ${{ github.workspace }}/.cache
             ${{ github.workspace }}/dash/depends/built
             ${{ github.workspace }}/dash/depends/sources
             ${{ github.workspace }}/dash/depends/work
-          key: ${{ runner.os }}-guix
+            /gnu/store
+          key: ${{ runner.os }}-guix-${{ matrix.build_target }}-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-guix-${{ matrix.build_target }}
+            ${{ runner.os }}-guix-
 
       - name: Create .cache folder if missing
         if: steps.guix-cache-restore.outputs.cache-hit != 'true'
@@ -67,8 +105,8 @@ jobs:
             -v ${{ github.workspace }}/dash:/src/dash \
             -v ${{ github.workspace }}/.cache:/home/ubuntu/.cache \
             -w /src/dash \
-            guix_ubuntu:latest && \
-          docker exec guix-daemon bash -c '/usr/local/bin/guix-start'
+            ghcr.io/${{ needs.build-image.outputs.repo-name }}/dashcore-guix-builder:${{ needs.build-image.outputs.image-tag }} && \
+          docker exec guix-daemon bash -c 'HOSTS=${{ matrix.build_target }} /usr/local/bin/guix-start'
 
       - name: Ensure build passes
         run: |
@@ -77,17 +115,15 @@ jobs:
             exit 1
           fi
 
-      - name: Save Guix cache and depends
-        id: guix-cache-save
-        uses: actions/cache/save@v3
+      - name: Compute SHA256 checksums
+        continue-on-error: true # It will complain on depending on only some hosts
+        run: |
+          HOSTS=${{ matrix.build_target }} ./dash/contrib/containers/guix/scripts/guix-check ${{ github.workspace }}/dash
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
         with:
+          name: guix-artifacts-${{ matrix.build_target }}
           path: |
-            ${{ github.workspace }}/.cache
-            ${{ github.workspace }}/dash/depends/built
-            ${{ github.workspace }}/dash/depends/sources
-            ${{ github.workspace }}/dash/depends/work
-          key: ${{ steps.guix-cache-restore.outputs.cache-primary-key }}
+            ${{ github.workspace }}/dash/guix-build*/output/${{ matrix.build_target }}/
 
-      - name: Compute SHA256 checksums
-        run: |
-          ./dash/contrib/containers/guix/scripts/guix-check ${{ github.workspace }}/dash

.github/workflows/merge-check.yml

@@ -1,8 +1,13 @@
 name: Check Merge Fast-Forward Only
 
+permissions:
+  pull-requests: write
+
 on:
   push:
-  pull_request:
+  pull_request_target:
+  pull_request_review:
+    types: [submitted]
 
 jobs:
   check_merge:
@@ -27,3 +32,17 @@ jobs:
           else
             git merge --ff-only ${{ github.sha }}
           fi
+
+      - name: add labels
+        uses: actions-ecosystem/action-add-labels@v1
+        if: failure()
+        with:
+          labels: |
+            needs rebase
+
+      - name: comment
+        uses: mshick/add-pr-comment@v2
+        if: failure()
+        with:
+          message: |
+            This pull request has conflicts, please rebase.

.github/workflows/predict-conflicts.yml

@@ -1,7 +1,9 @@
 name: "Check Potential Conflicts"
+
 on:
-  - pull_request_target
-  - pull_request_review
+  pull_request_target:
+  pull_request_review:
+    types: [submitted]
 
 permissions:
   contents: read

contrib/containers/ci/Dockerfile

@@ -65,8 +65,8 @@ RUN apt-get update && apt-get install $APT_ARGS \
     make \
     tk-dev \
     xz-utils
-ENV PYENV_ROOT "/usr/local/pyenv"
-ENV PATH "${PYENV_ROOT}/shims:${PYENV_ROOT}/bin:${PATH}"
+ENV PYENV_ROOT="/usr/local/pyenv"
+ENV PATH="${PYENV_ROOT}/shims:${PYENV_ROOT}/bin:${PATH}"
 RUN curl https://pyenv.run | bash \
     && pyenv update \
     && pyenv install $PYTHON_VERSION \
@@ -92,8 +92,8 @@ ARG USER_ID=1000
 ARG GROUP_ID=1000
 
 # add user with specified (or default) user/group ids
-ENV USER_ID ${USER_ID}
-ENV GROUP_ID ${GROUP_ID}
+ENV USER_ID="${USER_ID}"
+ENV GROUP_ID="${GROUP_ID}"
 RUN groupadd -g ${GROUP_ID} dash
 RUN useradd -u ${USER_ID} -g dash -s /bin/bash -m -d /home/dash dash
 
@@ -117,12 +117,12 @@ RUN apt-get update && apt-get install $APT_ARGS \
 ARG CPPCHECK_VERSION=2.13.0
 RUN curl -sL "https://github.com/danmar/cppcheck/archive/${CPPCHECK_VERSION}.tar.gz" | tar -xvzf - --directory /tmp/
 RUN cd /tmp/cppcheck-${CPPCHECK_VERSION} && mkdir build && cd build && cmake .. && cmake --build . -j 8
-ENV PATH "/tmp/cppcheck-${CPPCHECK_VERSION}/build/bin:${PATH}"
+ENV PATH="/tmp/cppcheck-${CPPCHECK_VERSION}/build/bin:${PATH}"
 RUN mkdir /usr/local/share/Cppcheck && ln -s /tmp/cppcheck-${CPPCHECK_VERSION}/cfg/ /usr/local/share/Cppcheck/cfg
 
 ARG SHELLCHECK_VERSION=v0.7.1
 RUN curl -sL "https://github.com/koalaman/shellcheck/releases/download/${SHELLCHECK_VERSION}/shellcheck-${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" | tar --xz -xf - --directory /tmp/
-ENV PATH "/tmp/shellcheck-${SHELLCHECK_VERSION}:${PATH}"
+ENV PATH="/tmp/shellcheck-${SHELLCHECK_VERSION}:${PATH}"
 
 # This is a hack. It is needed because gcc-multilib and g++-multilib are conflicting with g++-arm-linux-gnueabihf. This is
 # due to gcc-multilib installing the following symbolic link, which is needed for -m32 support. However, this causes

contrib/containers/deploy/Dockerfile

@@ -5,11 +5,11 @@ LABEL description="Dockerised DashCore, built from CI"
 ARG USER_ID
 ARG GROUP_ID
 
-ENV HOME /home/dash
+ENV HOME="/home/dash"
 
 # add user with specified (or default) user/group ids
-ENV USER_ID ${USER_ID:-1000}
-ENV GROUP_ID ${GROUP_ID:-1000}
+ENV USER_ID="${USER_ID:-1000}"
+ENV GROUP_ID="${GROUP_ID:-1000}"
 RUN groupadd -g ${GROUP_ID} dash && \
     useradd -u ${USER_ID} -g dash -s /bin/bash -m -d /home/dash dash && \
     mkdir /home/dash/.dashcore && \

contrib/containers/deploy/Dockerfile.GitHubActions.Dispatch

@@ -50,11 +50,11 @@ ARG USER_ID
 ARG GROUP_ID
 ARG TAG
 
-ENV HOME /home/dash
+ENV HOME="/home/dash"
 
 # add user with specified (or default) user/group ids
-ENV USER_ID ${USER_ID:-1000}
-ENV GROUP_ID ${GROUP_ID:-1000}
+ENV USER_ID="${USER_ID:-1000}"
+ENV GROUP_ID="${GROUP_ID:-1000}"
 RUN groupadd -g ${GROUP_ID} dash && \
     useradd -u ${USER_ID} -g dash -s /bin/bash -m -d /home/dash dash  && \
     mkdir /home/dash/.dashcore && \

contrib/containers/guix/Dockerfile

@@ -26,7 +26,7 @@ ARG guix_checksum_aarch64=72d807392889919940b7ec9632c45a259555e6b0942ea7bfd13110
 ARG guix_checksum_x86_64=236ca7c9c5958b1f396c2924fcc5bc9d6fdebcb1b4cf3c7c6d46d4bf660ed9c9
 ARG builder_count=32
 
-ENV PATH /usr/local/bin:/usr/local/guix/current/bin:$PATH
+ENV PATH="/usr/local/bin:/usr/local/guix/current/bin:$PATH"
 
 # Application Setup
 # https://guix.gnu.org/manual/en/html_node/Application-Setup.html

contrib/devtools/security-check.py

@@ -146,6 +146,12 @@ def check_PE_control_flow(binary) -> bool:
         return True
     return False
 
+def check_PE_Canary(binary) -> bool:
+    '''
+    Check for use of stack canary
+    '''
+    return binary.has_symbol('__stack_chk_fail')
+
 def check_MACHO_NOUNDEFS(binary) -> bool:
     '''
     Check for no undefined references.
@@ -203,6 +209,7 @@ def check_MACHO_control_flow(binary) -> bool:
     ('NX', check_NX),
     ('RELOC_SECTION', check_PE_RELOC_SECTION),
     ('CONTROL_FLOW', check_PE_control_flow),
+    ('Canary', check_PE_Canary),
 ]
 
 BASE_MACHO = [

contrib/devtools/test-security-check.py

@@ -94,19 +94,19 @@ def test_PE(self):
         cc = determine_wellknown_cmd('CC', 'x86_64-w64-mingw32-gcc')
         write_testcode(source)
 
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--disable-nxcompat','-Wl,--disable-reloc-section','-Wl,--disable-dynamicbase','-Wl,--disable-high-entropy-va','-no-pie','-fno-PIE']),
-            (1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA NX RELOC_SECTION CONTROL_FLOW'))
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--disable-reloc-section','-Wl,--disable-dynamicbase','-Wl,--disable-high-entropy-va','-no-pie','-fno-PIE']),
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--disable-nxcompat','-Wl,--disable-reloc-section','-Wl,--disable-dynamicbase','-Wl,--disable-high-entropy-va','-no-pie','-fno-PIE','-fno-stack-protector']),
+            (1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA NX RELOC_SECTION CONTROL_FLOW Canary'))
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--disable-reloc-section','-Wl,--disable-dynamicbase','-Wl,--disable-high-entropy-va','-no-pie','-fno-PIE','-fstack-protector-all', '-lssp']),
             (1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA RELOC_SECTION CONTROL_FLOW'))
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--disable-dynamicbase','-Wl,--disable-high-entropy-va','-no-pie','-fno-PIE']),
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--disable-dynamicbase','-Wl,--disable-high-entropy-va','-no-pie','-fno-PIE','-fstack-protector-all', '-lssp']),
             (1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA CONTROL_FLOW'))
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--disable-dynamicbase','-Wl,--disable-high-entropy-va','-pie','-fPIE']),
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--disable-dynamicbase','-Wl,--disable-high-entropy-va','-pie','-fPIE','-fstack-protector-all', '-lssp']),
             (1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA CONTROL_FLOW'))  # -pie -fPIE does nothing unless --dynamicbase is also supplied
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--dynamicbase','-Wl,--disable-high-entropy-va','-pie','-fPIE']),
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--dynamicbase','-Wl,--disable-high-entropy-va','-pie','-fPIE','-fstack-protector-all', '-lssp']),
             (1, executable+': failed HIGH_ENTROPY_VA CONTROL_FLOW'))
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--dynamicbase','-Wl,--high-entropy-va','-pie','-fPIE']),
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--dynamicbase','-Wl,--high-entropy-va','-pie','-fPIE','-fstack-protector-all', '-lssp']),
             (1, executable+': failed CONTROL_FLOW'))
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--dynamicbase','-Wl,--high-entropy-va','-pie','-fPIE', '-fcf-protection=full']),
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--dynamicbase','-Wl,--high-entropy-va','-pie','-fPIE', '-fcf-protection=full','-fstack-protector-all', '-lssp']),
             (0, ''))
 
         clean_files(source, executable)

contrib/guix/Dockerfile

@@ -15,12 +15,12 @@ ARG guix_checksum_aarch64=72d807392889919940b7ec9632c45a259555e6b0942ea7bfd13110
 ARG guix_checksum_x86_64=236ca7c9c5958b1f396c2924fcc5bc9d6fdebcb1b4cf3c7c6d46d4bf660ed9c9
 ARG builder_count=32
 
-ENV PATH /root/.config/guix/current/bin:$PATH
+ENV PATH="/root/.config/guix/current/bin:$PATH"
 
 # Application Setup
 # https://guix.gnu.org/manual/en/html_node/Application-Setup.html
-ENV GUIX_LOCPATH /root/.guix-profile/lib/locale
-ENV LC_ALL en_US.UTF-8
+ENV GUIX_LOCPATH="/root/.guix-profile/lib/locale"
+ENV LC_ALL="en_US.UTF-8"
 
 RUN guix_file_name=guix-binary-${guix_version}.$(uname -m)-linux.tar.xz    && \
     eval "guix_checksum=\${guix_checksum_$(uname -m)}"                     && \

contrib/install_db4.sh

@@ -32,16 +32,15 @@ check_exists() {
 sha256_check() {
   # Args: <sha256_hash> <filename>
   #
-  if check_exists sha256sum; then
-    echo "${1}  ${2}" | sha256sum -c
+  if [ "$(uname)" = "FreeBSD" ]; then
+    # sha256sum exists on FreeBSD, but takes different arguments than the GNU version
+    sha256 -c "${1}" "${2}"
+  elif check_exists sha256sum; then
+    echo "${1} ${2}" | sha256sum -c
   elif check_exists sha256; then
-    if [ "$(uname)" = "FreeBSD" ]; then
-      sha256 -c "${1}" "${2}"
-    else
-      echo "${1}  ${2}" | sha256 -c
-    fi
+    echo "${1} ${2}" | sha256 -c
   else
-    echo "${1}  ${2}" | shasum -a 256 -c
+    echo "${1} ${2}" | shasum -a 256 -c
   fi
 }
 

src/Makefile.test.include

@@ -307,6 +307,7 @@ test_fuzz_fuzz_SOURCES = \
  test/fuzz/psbt.cpp \
  test/fuzz/random.cpp \
  test/fuzz/rolling_bloom_filter.cpp \
+ test/fuzz/rpc.cpp \
  test/fuzz/script.cpp \
  test/fuzz/script_bitcoin_consensus.cpp \
  test/fuzz/script_descriptor_cache.cpp \

src/bench/wallet_balance.cpp

@@ -21,8 +21,7 @@ static void WalletBalance(benchmark::Bench& bench, const bool set_dirty, const b
     CWallet wallet{test_setup->m_node.chain.get(), test_setup->m_node.coinjoin_loader.get(), "", CreateMockWalletDatabase()};
     {
         wallet.SetupLegacyScriptPubKeyMan();
-        bool first_run;
-        if (wallet.LoadWallet(first_run) != DBErrors::LOAD_OK) assert(false);
+        if (wallet.LoadWallet() != DBErrors::LOAD_OK) assert(false);
     }
     auto handler = test_setup->m_node.chain->handleNotifications({&wallet, [](CWallet*) {}});