In
|
// Regarding use of `minimum_mall` for dissatisfactions: this is correct, because |
|
// dissatisfactions for individual fragments are not required to be unique. (We |
|
// track this property using the `ty.malleability.dissat` field.) |
|
// |
|
// This is because usually dissatisfactions are eventually dropped, e.g. by the |
|
// `j:` wrapper or because at the top-level a dissatisfaction is simply invalid. |
|
// In cases where non-unique dissatisfactions would cause malleability, e.g. in |
|
// the `or_c` or `or_b` fragments which use dissatisfactions as part of their |
|
// satisfactions, we set `ty.malleability.non_malleable` appropriately (and |
|
// potentially reject the whole script at creation time). |
we have this giant blockcomment justifying the use of malleable satisfaction logic when computing dissatisfactions:
// Regarding use of `minimum_mall` for dissatisfactions: this is correct, because
// dissatisfactions for individual fragments are not required to be unique. (We
// track this property using the `ty.malleability.dissat` field.)
//
// This is because usually dissatisfactions are eventually dropped, e.g. by the
// `j:` wrapper or because at the top-level a dissatisfaction is simply invalid.
// In cases where non-unique dissatisfactions would cause malleability, e.g. in
// the `or_c` or `or_b` fragments which use dissatisfactions as part of their
// satisfactions, we set `ty.malleability.non_malleable` appropriately (and
// potentially reject the whole script at creation time).
This is just wrong. There's a lot packed into the claim "we set ty.malleability.non_malleable appropriately".
It is true that if there are multiple non-s dissatisfactions for a fragment, and it's possible that a top-level satisfaction would include a dissatisfaction for that fragment, we mark the total script as malleable.
But this is not true if there is a s dissatisfaction and also a non-s dissatisfaction. In this case the script may still be considered non-malleable. It is the satisfier's responsibility not to choose the s dissatisfaction, even if it's cheaper.
I noticed this trying to fix the existing regression_895 to work with a non-malleable miniscript. After a couple hours of work I finally got one.....and then realized that the satisfier was producing a malleable satisfaction!
I will open a test case for this and a fix.
In
rust-miniscript/src/miniscript/satisfy/sat_dissat.rs
Lines 445 to 454 in bdf50e3
This is just wrong. There's a lot packed into the claim "we set
ty.malleability.non_malleableappropriately".It is true that if there are multiple non-
sdissatisfactions for a fragment, and it's possible that a top-level satisfaction would include a dissatisfaction for that fragment, we mark the total script as malleable.But this is not true if there is a
sdissatisfaction and also a non-sdissatisfaction. In this case the script may still be considered non-malleable. It is the satisfier's responsibility not to choose thesdissatisfaction, even if it's cheaper.I noticed this trying to fix the existing
regression_895to work with a non-malleable miniscript. After a couple hours of work I finally got one.....and then realized that the satisfier was producing a malleable satisfaction!I will open a test case for this and a fix.