remove all sanity_check and ext_check methods from the library

apoelstra · apoelstra · commit f7756f5e595b · 2026-05-21T13:05:18.000Z
Well, there are sanity checks in the type system (which are private and
make sense) and a sanity_check method in the PSBT module that I didn't
look at. But the rest are gone now.

These should really never have existed. At this point in this commit
series we are pretty close to a point where they serve no purpose at
all; miniscripts constructed with from_ast, from_str and decode are
all sanity-checked at construction with the same set of checks.

We haven't yet attempted to apply these validation parameters to either
of the policy types, or gone through all the non-miniscript descriptor
types, but we'll get there. The next series of PRs are going to overhaul
all the error types in the library based on this validation framework.

I considered deprecating these but we are also deleting the AnalysisError
error that it returns. We could reintroduce them with a return type like
Result&lt;(), Infallible&gt;, which in a decent language would be non-breaking,
but Rust is indecent and this wouldn't really help callers.

Also deletes AnalysisError, ExtParams, and the Analysis variant of the
top-level Error enum!
diff --git a/embedded/src/main.rs b/embedded/src/main.rs
@@ -44,12 +44,6 @@ fn main() -> ! {
     hprintln!("p2sh address {}", p2sh_addr).unwrap();
     assert_eq!(p2sh_addr, "3CJxbQBfWAe1ZkKiGQNEYrioV73ZwvBWns");
 
-    // Check whether the descriptor is safe
-    // This checks whether all spend paths are accessible in bitcoin network.
-    // It maybe possible that some of the spend require more than 100 elements in Wsh scripts
-    // Or they contain a combination of timelock and heightlock.
-    assert!(desc.sanity_check().is_ok());
-
     // Estimate the satisfaction cost
     assert_eq!(desc.max_weight_to_satisfy().unwrap().to_wu(), 288);
     // end miniscript test
diff --git a/examples/big.rs b/examples/big.rs
@@ -75,7 +75,6 @@ fn use_descriptor<K: MiniscriptKey>(d: Descriptor<K>) {
     println!("{}", d);
     println!("{:?}", d);
     println!("{:?}", d.desc_type());
-    println!("{:?}", d.sanity_check());
 }
 
 struct StrPkTranslator {
diff --git a/examples/htlc.rs b/examples/htlc.rs
@@ -25,10 +25,6 @@ fn main() {
     )
     .expect("Resource limits");
 
-    // Check whether the descriptor is safe. This checks whether all spend paths are accessible in
-    // the Bitcoin network. It may be possible that some of the spend paths require more than 100
-    // elements in Wsh scripts or they contain a combination of timelock and heightlock.
-    assert!(htlc_descriptor.sanity_check().is_ok());
     assert_eq!(
         format!("{}", htlc_descriptor),
         "wsh(andor(pk(022222222222222222222222222222222222222222222222222222222222222222),sha256(1111111111111111111111111111111111111111111111111111111111111111),and_v(v:pkh(020202020202020202020202020202020202020202020202020202020202020202),older(4444))))#lfytrjen"
diff --git a/examples/parse.rs b/examples/parse.rs
@@ -13,11 +13,6 @@ fn main() {
     )
     .unwrap();
 
-    // Check whether the descriptor is safe. This checks whether all spend paths are accessible in
-    // the Bitcoin network. It may be possible that some of the spend paths require more than 100
-    // elements in Wsh scripts or they contain a combination of timelock and heightlock.
-    assert!(desc.sanity_check().is_ok());
-
     // Compute the script pubkey. As mentioned in the documentation, script_pubkey only fails
     // for Tr descriptors that don't have some pre-computed data.
     assert_eq!(
diff --git a/examples/psbt_sign_finalize.rs b/examples/psbt_sign_finalize.rs
@@ -20,7 +20,6 @@ fn main() {
     let s = "wsh(t:or_c(pk(027a3565454fe1b749bccaef22aff72843a9c3efefd7b16ac54537a0c23f0ec0de),v:thresh(1,pkh(032d672a1a91cc39d154d366cd231983661b0785c7f27bc338447565844f4a6813),a:pkh(03417129311ed34c242c012cd0a3e0b9bca0065f742d0dfb63c78083ea6a02d4d9),a:pkh(025a687659658baeabdfc415164528065be7bcaade19342241941e556557f01e28))))#7hut9ukn";
     let bridge_descriptor = Descriptor::from_str(s).unwrap();
     //let bridge_descriptor = Descriptor::<bitcoin::PublicKey>::from_str(&s).expect("parse descriptor string");
-    assert!(bridge_descriptor.sanity_check().is_ok());
     println!("Bridge pubkey script: {}", bridge_descriptor.script_pubkey());
     println!("Bridge address: {}", bridge_descriptor.address(Network::Regtest).unwrap());
     println!(
diff --git a/examples/taproot.rs b/examples/taproot.rs
@@ -52,9 +52,6 @@ fn main() {
             .unwrap();
     assert_eq!(desc, expected_desc);
 
-    // Check whether the descriptors are safe.
-    assert!(desc.sanity_check().is_ok());
-
     // Descriptor type and version should match respectively for taproot
     let desc_type = desc.desc_type();
     assert_eq!(desc_type, DescriptorType::Tr);
diff --git a/fuzz/fuzz_targets/parse_descriptor_priv.rs b/fuzz/fuzz_targets/parse_descriptor_priv.rs
@@ -10,7 +10,6 @@ fn do_test(data: &[u8]) {
 
     if let Ok((desc, _)) = Descriptor::parse_descriptor(secp, &data_str) {
         let _output = desc.to_string();
-        let _sanity_check = desc.sanity_check();
     }
 }
 
diff --git a/src/descriptor/bare.rs b/src/descriptor/bare.rs
@@ -47,12 +47,6 @@ impl<Pk: MiniscriptKey> Bare<Pk> {
     /// get the inner
     pub fn as_inner(&self) -> &Miniscript<Pk, BareCtx> { &self.ms }
 
-    /// Checks whether the descriptor is safe.
-    pub fn sanity_check(&self) -> Result<(), Error> {
-        self.ms.sanity_check()?;
-        Ok(())
-    }
-
     /// Computes an upper bound on the difference between a non-satisfied
     /// `TxIn`'s `segwit_weight` and a satisfied `TxIn`'s `segwit_weight`
     ///
diff --git a/src/descriptor/mod.rs b/src/descriptor/mod.rs
@@ -24,7 +24,7 @@ use sync::Arc;
 use crate::expression::FromTree as _;
 use crate::miniscript::decode::Terminal;
 use crate::miniscript::limits::MAX_PUBKEYS_PER_MULTISIG;
-use crate::miniscript::{satisfy, Legacy, Miniscript, Segwitv0};
+use crate::miniscript::{satisfy, Legacy, Miniscript, ScriptContext as _, Segwitv0, Tap};
 use crate::plan::{AssetProvider, Plan};
 use crate::prelude::*;
 use crate::{
@@ -305,26 +305,6 @@ impl<Pk: MiniscriptKey> Descriptor<Pk> {
         }
     }
 
-    /// Checks whether the descriptor is safe.
-    ///
-    /// Checks whether all the spend paths in the descriptor are possible on the
-    /// bitcoin network under the current standardness and consensus rules. Also
-    /// checks whether the descriptor requires signatures on all spend paths and
-    /// whether the script is malleable.
-    ///
-    /// In general, all the guarantees of miniscript hold only for safe scripts.
-    /// The signer may not be able to find satisfactions even if one exists.
-    pub fn sanity_check(&self) -> Result<(), Error> {
-        match *self {
-            Descriptor::Bare(ref bare) => bare.sanity_check(),
-            Descriptor::Pkh(_) => Ok(()),
-            Descriptor::Wpkh(ref wpkh) => wpkh.sanity_check(),
-            Descriptor::Wsh(ref wsh) => wsh.sanity_check(),
-            Descriptor::Sh(ref sh) => sh.sanity_check(),
-            Descriptor::Tr(ref tr) => tr.sanity_check(),
-        }
-    }
-
     /// Computes an upper bound on the difference between a non-satisfied
     /// `TxIn`'s `segwit_weight` and a satisfied `TxIn`'s `segwit_weight`
     ///
@@ -1139,12 +1119,10 @@ impl<Pk: FromStrKey> FromStr for Descriptor<Pk> {
         let top = expression::Tree::from_str(s)?;
         let ret = Self::from_tree(top.root())?;
         if let Descriptor::Tr(ref inner) = ret {
-            // FIXME preserve weird/broken behavior from 12.x.
-            // See https://github.com/rust-bitcoin/rust-miniscript/issues/734
-            ret.sanity_check()?;
             for item in inner.leaves() {
                 item.miniscript()
-                    .ext_check(&crate::miniscript::analyzable::ExtParams::sane())?;
+                    .validate(&Tap::SANE)
+                    .map_err(Error::Validation)?;
             }
         }
         Ok(ret)
diff --git a/src/descriptor/segwitv0.rs b/src/descriptor/segwitv0.rs
@@ -53,12 +53,6 @@ impl<Pk: MiniscriptKey> Wsh<Pk> {
     #[deprecated(since = "8.0.0", note = "use format!(\"{:#}\") instead")]
     pub fn to_string_no_checksum(&self) -> String { format!("{:#}", self) }
 
-    /// Checks whether the descriptor is safe.
-    pub fn sanity_check(&self) -> Result<(), Error> {
-        self.ms.sanity_check()?;
-        Ok(())
-    }
-
     /// Computes an upper bound on the difference between a non-satisfied
     /// `TxIn`'s `segwit_weight` and a satisfied `TxIn`'s `segwit_weight`
     ///
@@ -249,15 +243,6 @@ impl<Pk: MiniscriptKey> Wpkh<Pk> {
     #[deprecated(since = "8.0.0", note = "use format!(\"{:#}\") instead")]
     pub fn to_string_no_checksum(&self) -> String { format!("{:#}", self) }
 
-    /// Checks whether the descriptor is safe.
-    pub fn sanity_check(&self) -> Result<(), Error> {
-        if self.pk.is_uncompressed() {
-            Err(Error::ContextError(ScriptContextError::CompressedOnly(self.pk.to_string())))
-        } else {
-            Ok(())
-        }
-    }
-
     /// Computes an upper bound on the difference between a non-satisfied
     /// `TxIn`'s `segwit_weight` and a satisfied `TxIn`'s `segwit_weight`
     ///
diff --git a/src/descriptor/sh.rs b/src/descriptor/sh.rs
@@ -132,16 +132,6 @@ impl<Pk: MiniscriptKey> Sh<Pk> {
     /// Create a new p2sh wrapper for the given wsh descriptor
     pub fn new_with_wsh(wsh: Wsh<Pk>) -> Self { Self { inner: ShInner::Wsh(wsh) } }
 
-    /// Checks whether the descriptor is safe.
-    pub fn sanity_check(&self) -> Result<(), Error> {
-        match self.inner {
-            ShInner::Wsh(ref wsh) => wsh.sanity_check()?,
-            ShInner::Wpkh(ref wpkh) => wpkh.sanity_check()?,
-            ShInner::Ms(ref ms) => ms.sanity_check()?,
-        }
-        Ok(())
-    }
-
     /// Create a new p2sh wrapped wsh sortedmulti descriptor from threshold
     /// `k` and Vec of `pks`
     pub fn new_wsh_sortedmulti(
diff --git a/src/descriptor/tr/mod.rs b/src/descriptor/tr/mod.rs
@@ -139,14 +139,6 @@ impl<Pk: MiniscriptKey> Tr<Pk> {
         }
     }
 
-    /// Checks whether the descriptor is safe.
-    pub fn sanity_check(&self) -> Result<(), Error> {
-        for leaf in self.leaves() {
-            leaf.miniscript().sanity_check()?;
-        }
-        Ok(())
-    }
-
     /// Computes an upper bound on the difference between a non-satisfied
     /// `TxIn`'s `segwit_weight` and a satisfied `TxIn`'s `segwit_weight`
     ///
diff --git a/src/lib.rs b/src/lib.rs
@@ -56,11 +56,6 @@
 //!     "3CJxbQBfWAe1ZkKiGQNEYrioV73ZwvBWns"
 //! );
 //!
-//! // Check whether the descriptor is safe. This checks whether all spend paths are accessible in
-//! // the Bitcoin network. It may be possible that some of the spend paths require more than 100
-//! // elements in Wsh scripts or they contain a combination of timelock and heightlock.
-//! assert!(desc.sanity_check().is_ok());
-//!
 //! // Estimate the satisfaction cost.
 //! // scriptSig: OP_PUSH34 <OP_0 OP_32 <32-byte-hash>>
 //! // = (1 + 1 + 1 + 32) * 4 = 140 WU
@@ -139,7 +134,6 @@ pub use crate::descriptor::{DefiniteDescriptorKey, Descriptor, DescriptorPublicK
 pub use crate::error::ParseError;
 pub use crate::expression::{ParseNumError, ParseThresholdError, ParseTreeError};
 pub use crate::interpreter::Interpreter;
-pub use crate::miniscript::analyzable::{AnalysisError, ExtParams};
 pub use crate::miniscript::context::{BareCtx, Legacy, ScriptContext, Segwitv0, SigType, Tap};
 pub use crate::miniscript::decode::Terminal;
 pub use crate::miniscript::satisfy::{Preimage32, Satisfier};
@@ -469,8 +463,6 @@ pub enum Error {
     /// Anything but c:pk(key) (P2PK), c:pk_h(key) (P2PKH), and thresh_m(k,...)
     /// up to n=3 is invalid by standardness (bare)
     NonStandardBareScript,
-    /// Analysis Error
-    AnalysisError(miniscript::analyzable::AnalysisError),
     /// Miniscript is equivalent to false. No possible satisfaction
     ImpossibleSatisfaction,
     /// Bare descriptors don't have any addresses
@@ -535,7 +527,6 @@ impl fmt::Display for Error {
                 up to n=3 is invalid by standardness (bare).
                 "
             ),
-            Error::AnalysisError(ref e) => e.fmt(f),
             Error::ImpossibleSatisfaction => write!(f, "Impossible to satisfy Miniscript"),
             Error::BareDescriptorAddr => write!(f, "Bare descriptors don't have address"),
             Error::PubKeyCtxError(ref pk, ref ctx) => {
@@ -582,7 +573,6 @@ impl std::error::Error for Error {
             LiftError(e) => Some(e),
             ContextError(e) => Some(e),
             TapTreeDepthError(e) => Some(e),
-            AnalysisError(e) => Some(e),
             PubKeyCtxError(e, _) => Some(e),
             AbsoluteLockTime(e) => Some(e),
             RelativeLockTime(e) => Some(e),
@@ -619,11 +609,6 @@ impl From<miniscript::context::ScriptContextError> for Error {
     fn from(e: miniscript::context::ScriptContextError) -> Error { Error::ContextError(e) }
 }
 
-#[doc(hidden)]
-impl From<miniscript::analyzable::AnalysisError> for Error {
-    fn from(e: miniscript::analyzable::AnalysisError) -> Error { Error::AnalysisError(e) }
-}
-
 #[doc(hidden)]
 impl From<bitcoin::secp256k1::Error> for Error {
     fn from(e: bitcoin::secp256k1::Error) -> Error { Error::Secp(e) }
diff --git a/src/miniscript/analyzable.rs b/src/miniscript/analyzable.rs
diff --git a/src/miniscript/mod.rs b/src/miniscript/mod.rs
diff --git a/src/miniscript/types/correctness.rs b/src/miniscript/types/correctness.rs
diff --git a/src/miniscript/types/extra_props.rs b/src/miniscript/types/extra_props.rs
diff --git a/src/miniscript/types/mod.rs b/src/miniscript/types/mod.rs
diff --git a/src/policy/concrete.rs b/src/policy/concrete.rs

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,6 @@ fn use_descriptor<K: MiniscriptKey>(d: Descriptor<K>) {`
`75`	`75`	`println!("{}", d);`
`76`	`76`	`println!("{:?}", d);`
`77`	`77`	`println!("{:?}", d.desc_type());`
`78`		`- println!("{:?}", d.sanity_check());`
`79`	`78`	`}`
`80`	`79`
`81`	`80`	`struct StrPkTranslator {`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,6 @@ fn do_test(data: &[u8]) {`
`10`	`10`
`11`	`11`	`if let Ok((desc, _)) = Descriptor::parse_descriptor(secp, &data_str) {`
`12`	`12`	`let _output = desc.to_string();`
`13`		`- let _sanity_check = desc.sanity_check();`
`14`	`13`	`}`
`15`	`14`	`}`
`16`	`15`