Miniscript support in Output Descriptors (part 1) (wallet)

May 18, 2022

https://github.com/bitcoin/bitcoin/pull/24148

Host: stickies-v  -  PR author: darosior

The PR branch HEAD was ec72f35 at the time of this review club meeting.

Notes

Scope

This is a 2-part Review Club. Since we haven’t covered Miniscript before, we first take some time to get familiar with the general concepts before diving into the actual PR.

• In the first part, we’ll disregard output descriptors and look at Miniscript in general and some of the changes this PR introduces. We’ll focus on the first 6 commits from “miniscript: remove a workaround for a GCC 4.8 bug” to “miniscript: split ValidSatisfactions from IsSane”.

• In the second part, we’ll look at the Miniscript output descriptor implementation. We’ll focus on the last 9 commits from “miniscript: tiny doc fixups” to “qa: functional test Miniscript watchonly support”.

• Some of the questions refer to changes introduced in the PR’s predecessor #24147 which introduced the bulk of the Miniscript logic into Bitcoin Core, so it may be helpful to review that PR too. It also contains a more detailed overview of the various PRs involved in merging Miniscript into the Bitcoin Core codebase.

Introduction

• Miniscript is a language for writing (a subset of) Bitcoin Scripts in a structured way, enabling analysis, composition, generic signing and more. It is not to be confused with the policy language on top of Miniscript which looks similar to Miniscript, but is out of scope for this PR. Andrew Poelstra has a helpful video on “Getting Started with Miniscript”.

• Output script descriptors are strings that contain all the information necessary to allow a wallet or other program to track payments made to or spent from a particular script or set of related scripts (i.e. an address or a set of related addresses such as in an HD wallet).

• Descriptors combine well with Miniscript in allowing a wallet to handle tracking and signing for a larger variety of scripts. Since Bitcoin Core 23.0 descriptor wallets have become the default wallet type.

• This PR #24148 introduces watch-only support for Miniscript descriptors, extending the already existing descriptor language. You’ve probably noticed that both languages have very similar syntax; this is intentional.

Questions

1. Did you review the PR? Concept ACK, approach ACK, tested ACK, or NACK?

2. Which type of analysis enabled by Miniscript would be helpful for which use case or application?

3. What would be a valid Miniscript for a spending policy that unconditionally locks the UTXO for 21 blocks, and then requires a 2-of-3 multisig from Alice, Bob, or Carol? (Note: the Miniscript homepage and https://min.sc/ have easy-to-use tooling available to construct Miniscripts)

4. What does it mean when a node is “sane” or “valid”? Do they mean the same thing?

5. What does it mean for an expression to be non-malleably satisfiable? After SegWit, why do we still need to worry about malleability?

6. Why does Compare now use a non-recursive algorithm, whereas previously the Node::operator== operator was recursive? What is the largest size that queue in Compare can ever grow?

7. How do we keep track of a Node’s type and type properties? Why don’t we just declare them as regular class members? Can we instantiate a Node with multiple type properties at once?

8. In your own words, how does Node::TreeEvalMaybe() work?

9. In Node::CheckTimeLocksMix(), what is the type of "k"_mst? In your own words, what does the << operator do here?

10. Why is Node<Key> templated with Key? What type(s) do we expect Key to take?

11. Why is the Script sizefor a multi or thresh fragment depending on the value of the k threshold?

Meeting Log

1

17:00

<stickies-v> #startmeeting

2

17:00

<svav> Hi

3

17:00

<OliverOffing> Hi

4

17:00

<theStack> hi!

5

17:00

<b10c> hi

6

17:00

<kouloumos> hi

7

17:00

<darosior> hi

8

17:00

<Franko> hi

9

17:00

<michaelfolkson> hi

10

17:00

<__gotcha> hi

11

17:00

<Bayer> Hey everyone

12

17:01

<xyephy> hi

13

17:01

<stickies-v> welcome everyone! This and next week we're looking at #24148 (https://bitcoincore.reviews/24148) which introduces Miniscript support for Output Descriptors. Today we're focusing on general Miniscript concepts, and some of the changes introduced in #24148.

14

17:01

<stickies-v> but first, do we have any first timers joining us today?

15

17:01

<__gotcha> Yup

16

17:01

<paul_c> hey guys, first timer here!

17

17:02

<svav> Where did the newcomers find out about this meeting please?

18

17:02

<stickies-v> hey __gotcha , paul_c , so glad you can join us today!

19

17:02

<paul_c> I was at BTC 2022 and attended an Open Source Stage session Gloria was a part of. I learned a lot from that panel and just wanted to reach out to say hi.

20

17:02

<stickies-v> feel free to just ask when you have questions, no need to ask for permission or anything

21

17:02

<__gotcha> @josibake_ mentioned review club during chaincode seminar

22

17:02

<larryruane> Hi

23

17:03

<stickies-v> a big thank you to the expert & PR author darosior for being here, I appreciate your help in guiding this conversation, because:

24

17:03

<svav> Ok thanks newcomers and welcome!

25

17:03

<stickies-v> disclaimer: I picked tis PR just because I'm excited about the potential Miniscript brings, but I'm still relatively new to this codebase - so please keep me honest and I welcome all of your input/corrections :-)

26

17:03

<stickies-v> that said, who got the chance to review the PR or read the notes?

27

17:04

<svav> I read the notes

28

17:04

<__gotcha> read part of the notes

29

17:04

<paul_c> Skimmed the notes and just finished watching the linked Andrew Poelstra video

30

17:04

<OliverOffing> I read the notes and reviewed ~4 of the commits

31

17:04

<theStack> read the notes, didn't review code changes in detail

32

17:04

<__gotcha> and part of the linked documentation

33

17:04

<brunoerg_> hi

34

17:05

<brunoerg_> read the notes

35

17:05

<kouloumos> read the notes, didn't review code

36

17:05

<svav> An intro to Output Descriptors https://github.com/bitcoin/bitcoin/blob/master/doc/descriptors.md

37

17:06

<__gotcha> read that one

38

17:06

<stickies-v> alright not too much code review so good to start with a few general concept questions first then, it's important to understand what miniscript is about

39

17:06

<stickies-v> (svav great to have read up on that already - next week we'll dive into output descriptors)

40

17:06

<Azor> Hi

41

17:07

<stickies-v> starting off with the first question to get creatie about use cases: which type of analysis enabled by Miniscript would be helpful for which use case or application?

42

17:08

<OliverOffing> Finding smaller scripts that are equivalent in behavior

43

17:08

<stickies-v> (or more general, if you just have a cool use case for Miniscript but don't know which type of analysis it relates to - shoot!)

44

17:08

<darosior> For instance, the analysis of the maximum witness size is helpful for "second layer" protocols to assign fee bumping reserves, since they can then estimate the worst case size of the transaction (if not signed with exotic sighash types).

45

17:09

<theStack> OliverOffing: +1, also thought about that (i think smaller is pretty much always better, in order to save fees, independently of the conrete usecase)

46

17:09

<stickies-v> OliverOffing: yeah absolutely, one of the (hand-crafted) transaction templates used on LN (I believe it's the commitment tx?) was found to be slightly suboptimal thanks to Miniscript analysis

47

17:10

<darosior> OliverOffing: in general, since Miniscript is only a subset of Script some policies tend to be more optimizable "by hand". But then you lose all the guarantees given by Miniscript for just a few witness units. :)

48

17:11

<__gotcha> dariosor: which guarantees are you referring to ?

49

17:11

<darosior> But it did happen that the policy compiler found more optimal Script (for instance IIRC in the anchor output proposal for Lightning one of the Scripts was found using the policy compiler)

50

17:11

<stickies-v> personally I think composition is really interesting, where multiple parties (e.g. in an advanced kind of multi-sig) can provide complex subexpressions without everyone having to understand the other party's spending conditions

51

17:11

<darosior> __gotcha: soundness and correctness mainly, but also malleability prevention

52

17:12

<__gotcha> darosior: what is soundness in this context ?

53

17:13

<darosior> __gotcha: to expand, Script may sometimes have surprising behaviour and a Script that look to do something might actually not behave this way in all cases

54

17:13

<darosior> __gotcha: soundness in this context means basically "you can't bypass the conditions"

55

17:13

<michaelfolkson> I like the "make sure it can only be spent with me signing" (on all possible paths)

56

17:14

<michaelfolkson> CEO always has to sign for example

57

17:14

<__gotcha> iow proper combination of "and" and "or".

58

17:14

<darosior> __gotcha: from the website, "consensus sound: It is not possible to construct a witness that is consensus valid for a Script unless the spending conditions are met. Since standardness rules permit only a subset of consensus-valid satisfactions (by definition), this property also implies standardness soundness. "

59

17:15

<darosior> __gotcha: then to not lock yourself out of your funds you also want completeness "consensus and standardness complete: Assuming the resource limits listed in the previous section are not violated and there is no timelock mixing, for every set of met conditions that are permitted by the semantics, a witness can be constructed that passes Bitcoin's

60

17:15

<darosior> consensus rules and common standardness rules."

61

17:16

<__gotcha> darosior: thx

62

17:16

<stickies-v> lots of ideas here, nice! let's move on

63

17:16

<stickies-v> what would be a valid Miniscript for a spending policy that unconditionally locks the UTXO for 21 blocks, and then requires a 2-of-3 multisig from Alice, Bob, or Carol? (See https://bitcoin.sipa.be/miniscript or https://min.sc/)

64

17:17

<theStack> playing around with the min.sc tool resulted in this (i've replaced the hex-strings of the keys replaced by "key_{a,b,c}"):

65

17:17

<theStack> wsh(and_v(v:multi(2, key_a, key_b, key_c), older(21)))

66

17:17

<michaelfolkson> I got and(thresh(3,pk(alice),pk(bob),pk(carol)),older(21))

67

17:17

<michaelfolkson> Oops policy

68

17:17

<michaelfolkson> and_v(and_v(v:pk(alice),and_v(v:pk(bob),v:pk(carol))),older(21))

69

17:18

<__gotcha> I was closer to theStack proposal

70

17:19

<stickies-v> michaelfolkson: it was (intentionally) a bit of a trick question, but that's *policy* you posted instead of Miniscript. We use both in the discussion here, but just wanted to highlight that there is a difference. Does everyone understand the difference?

71

17:19

<OliverOffing> I don't sorry

72

17:20

<__gotcha> policy compiles to miniscript which compiles to Script ?

73

17:20

<darosior> michaelfolkson: the Miniscript you posted is a 3-of-3 or i'm missing something?

74

17:20

<stickies-v> theStack: that seems correct, except I believe the `wsh()` wrapper is specifically for Output Descriptors, and not part of Miniscript

75

17:20

<sipa> Well, the distinction is fuzzy.

76

17:21

<michaelfolkson> Oops again

77

17:21

<sipa> I think of Miniscript's "language" mostly a project to extend the descriptor language.

78

17:21

<michaelfolkson> and_v(v:multi(2,alice,bob,carol),older(21))

79

17:21

<sipa> When all of this is done, nobody should care about the distinction anymore.

80

17:21

<michaelfolkson> Yeah theStack was right unsurprisingly :)

81

17:22

<stickies-v> sipa: that would certainly help avoid confusion! (and thank you for joining us)

82

17:22

<__gotcha> sipa: not sure I understand your last statement

83

17:22

<darosior> __gotcha: just to be clear Miniscript doesn't "compile" to Script (maybe the word works but it can lead to confusion), each Miniscript fragment maps to a specific Script

84

17:22

<ls55> Is Policy the Miniscript's language ?

85

17:22

<sipa> There will just be "the descriptor language".

86

17:22

<sipa> And "the policy language".

87

17:22

<__gotcha> darosior: better wording thanks

88

17:23

<__gotcha> ok so policy and descriptor(miniscript) will remain separated

89

17:23

<sipa> Miniscript is a project to deal with vaguely generic, composable, script.

90

17:23

<OliverOffing> is thresh(2,pk(a),pk(b),pk(c)) == multi(2,pk(a),pk(b))?

91

17:23

<sipa> Rather than just a few simple templates we have now in descriptors (pkh, multi, ...)

92

17:24

<darosior> OliverOffing: well no since in the latter there is no 'c'

93

17:24

<OliverOffing> *forgot to add  pk(c) on the right-hand side

94

17:24

<darosior> Ah

95

17:24

<darosior> OliverOffing: then yes

96

17:24

<__gotcha> ls55: afaik, no

97

17:24

<darosior> But using multi() in this case is more efficient

98

17:25

<__gotcha> darosior: is "thresh" from miniscript or policy ?

99

17:25

<OliverOffing> darosior: thanks. the compiler should be able to find the most efficient implementation though right?

100

17:25

<darosior> __gotcha: both :)

101

17:25

<sipa> @__gotcha Both

102

17:25

<darosior> OliverOffing: yes

103

17:25

<michaelfolkson> This is the policy you feed into the compiler: and(thresh(2,pk(alice),pk(bob),pk(carol)),older(21))

104

17:25

<michaelfolkson> And the compiler spits out the Miniscript with multi in it

105

17:26

<OliverOffing> yes, verified over there too

106

17:26

<stickies-v> moving on to the next question (but always feel free to continue on previous points)

107

17:26

<stickies-v> what does it mean when a node is "sane" or "valid"? Do they mean the same thing?

108

17:27

<theStack> michaelfolkson: which compiler did you use? i found it interesting that your 3-of-3 multisig condition was transformed into two and_v operations

109

17:27

<darosior> theStack: it was wrong, the correct one is identical to yours

110

17:28

<OliverOffing> what's the definition of node? is it one atom of a miniscript expression?

111

17:28

<michaelfolkson> theStack: Been playing around with both listed in the notes. But that was using https://bitcoin.sipa.be/miniscript/

112

17:28

<michaelfolkson> theStack: They should both give the same result

113

17:28

<darosior> OliverOffing: a fragment, eg 'and_v', 'thresh', 'multi', etc..

114

17:28

<darosior> OliverOffing: too many nodes in Bitcoin land :)

115

17:28

<stickies-v> OliverOffing: a Miniscript expression is essentially a tree (see https://miniscript.fun for a visual). Each fragment in the tree is a node

116

17:28

<theStack> darosior: yes i'm aware. still find it interesting that this optimization happened :)

117

17:29

<darosior> theStack: oh sorry i misread

118

17:30

<OliverOffing> i'd guess that sane means that the arguments passed to the fragment match what the fragment type expects (in terms of number of args and types)

119

17:31

<darosior> theStack: the relevant lines in the Rust compiler https://github.com/rust-bitcoin/rust-miniscript/blob/104eb55f13ce39c4043f24637f83411529a460ea/src/policy/compiler.rs#L993-L1002, i'm less familiar with the C++ one but it does have the same behaviour

120

17:31

<sipa> @OliverOffing No, that's validity.

121

17:32

<stickies-v> so we've established the second part of the question that they are indeed not the same :-D

122

17:33

<OliverOffing> Found this on StackExchange: "We use the term valid for any correctly typed Miniscript. And we use the term safe for any sane Miniscript, ie one whose satisfaction isn't malleable, which requires a key for any spending path, etc."

123

17:33

<__gotcha> where are those definitions to be found ?

124

17:33

<ls55> darosior: Does the Rust version use any bindings to the C++ version or is it an entirely different implementation?

125

17:33

<sipa> It's an entirely separate implementation.

126

17:33

<ls55> sipa: thanks

127

17:34

<sipa> There is a preliminary (but abandoned, I think) Python one too.

128

17:34

<stickies-v> __gotcha: that's a very fair question, the code (especially header files) is always a good place to look for definitions and documentation etc

129

17:34

<stickies-v> https://github.com/darosior/bitcoin/blob/ec72f351134bed229baaefc8ffaa1f72688c5435/src/script/miniscript.h#L852

130

17:34

<theStack> darosior: thanks! obviously min.sc is not using the latest version of rust-miniscript; at least it doesn't transform n-of-n thresholds into and_v operations

131

17:35

<michaelfolkson> https://min.sc/ uses Rust implementation and https://bitcoin.sipa.be/miniscript/ uses C++ implementation. So if they were to give different results that would be worth flagging :)

132

17:35

<darosior> Hint for the question about sanity: what about this miniscript thresh(101,pk(pk_1),pk(pk_2),...pk(pk_101))

133

17:35

<__gotcha> what is the goal of the rust implementation ? as a reference for the C++ ?

134

17:35

<darosior> Is it valid?

135

17:35

<OliverOffing> Yes, valid, is it passes a "type-check"

136

17:35

<sipa> michaelfolkson: There are known differences between the two compilers; they don't attempt to produce identical results.

137

17:35

<stickies-v> The `Node::IsSane()` method has the docstring "Whether the apparent policy of this node matches its script semantics."

138

17:35

<darosior> OliverOffing: exactly! Yet is it easily spendable?

139

17:36

<sipa> __gotcha: The rust implementation was written by people who wanted a rust implementation. The C++ implementation was written by people who wanted a C++ implementation.

140

17:36

<__gotcha> Does that mean that sane is more restricted than valid ?

141

17:36

<OliverOffing> darosior: I guess, if you have the 101 PKs...?

142

17:36

<sipa> Neither is any more a reference than the other.

143

17:36

<stickies-v> __gotcha: yes it does

144

17:36

<michaelfolkson> sipa: Ohh in the cases where they can't be separated? Surely if one Miniscript is superior that is a (minor) flaw of one of the compilers?

145

17:36

<darosior> OliverOffing: there is a catch, see "Resource limitations" at https://bitcoin.sipa.be/miniscript/ :)

146

17:37

<sipa> michaelfolkson: Neither compiler is perfect.

147

17:37

<sipa> (nor do we expect them to be)

148

17:37

<michaelfolkson> So if you really, really cared about most efficient you should run both compilers?

149

17:37

<darosior> __gotcha: yes, also for a place about the definition see the OP of the original Miniscript PR

150

17:37

<sipa> Or write it by hand :D

151

17:38

<OliverOffing> darosior: I understand most resource limitation points there, but what is this one? "Anything but pk(key) (P2PK), pkh(key) (P2PKH), and multi(k,...) up to n=3 is invalid by standardness (bare)."

152

17:39

<darosior> OliverOffing: it's larger than 3600 bytes

153

17:39

<darosior> So it's not standard

154

17:39

<sipa> Note that the C++ miniscript implementation only targets P2WSH (for now).

155

17:39

<OliverOffing> darosior: oh, I missed the "(bare)" :+1: thanks

156

17:40

<theStack> is there any plan to implement the equivalent of an "inline assembler" expression, e.g. something like "bare_script(OP_FOO OP_BAR...)"? (not that i can think of a good use-case, just a random thought :D)

157

17:40

<stickies-v> I guess to summarize sanity, it needs to be valid, consensus and standardness-compliant (e.g. number of operations and script size), have non-malleable solutions, not mix different timelock units (block/time), and not have duplicate keys

158

17:40

<sipa> theStack: That already exists; `pkh(A)` is a valid descriptor, for example. It's a bare P2PKH.

159

17:41

<stickies-v> Di(I hope I got that right?)

160

17:41

<sipa> theStack: Also `raw(HEX)` or `addr(ADDR)` are valid descriptors.

161

17:41

<darosior> stickies-v: yep

162

17:41

<sipa> There isn't one that does script assembly... could be added, but I doubt that's very useful. Being able to do fancy things through miniscript is much more usable.

163

17:41

<michaelfolkson> [18:35:05] <darosior> Hint for the question about sanity: what about this miniscript thresh(101,pk(pk_1),pk(pk_2),...pk(pk_101))

164

17:42

<michaelfolkson> I'm not seeing why this is (in)sane

165

17:42

<sipa> michaelfolkson: darosior already answered it above.

166

17:42

<__gotcha> Too big ?

167

17:42

<theStack> sipa: agree that the script assembly one wouldn't be of much use

168

17:42

<sipa> Yeah, it's too big.

169

17:42

<michaelfolkson> sipa: Oh ta

170

17:43

<stickies-v> alright time for the next question, we've already spoken about malleability a bit. What does it mean for an expression to be non-malleably satisfiable? After SegWit, why do we still need to worry about malleability?

171

17:43

<sipa> Good question!

172

17:44

— stickies-v blushes

173

17:44

<theStack> my naive answer to the second questions would be: pre-segwit spending conditions are still valid (and very likely will always be), so we can't just ignore them?

174

17:44

<__gotcha> does malleability introduce fuzziness regarding fees via transaction size ?

175

17:44

<sipa> theStack: In miniscript we definitely have to option to just not support certain things.

176

17:44

<darosior> theStack: it's only defined under wsh() for now

177

17:44

<sipa> Because miniscript is specifically only able to encode a subset of script.

178

17:45

<theStack> sipa, darosior: oh, good to know!

179

17:45

<sipa> And indeed, we're already talking about p2wsh only.

180

17:45

<darosior> __gotcha: hehe great question, yes. It's one of the reason

181

17:45

<stickies-v> from the website: "For now, Miniscript is really only designed for P2WSH and P2SH-P2WSH embedded scripts."

182

17:45

<michaelfolkson> SegWit didn't resolve all forms of malleability. Just signature malleability. If there are different possible witnesses with a complex script malleability is still possible

183

17:46

<sipa> Segwit also didn't remove malleability. It only made it harmless for the purpose of not breaking unbroadcast transactions.

184

17:46

<sipa> But malleability has other effects, which are far less severe, but still existant.

185

17:47

<stickies-v> michaelfolkson: you're right, but what's the problem with having that malleability then? why should we care?

186

17:47

<sipa> Segwit transactions are no less malleable than other ones.

187

17:47

<sipa> __gotcha was close.

188

17:47

<darosior> __gotcha: can you think of other inconveniences of third-party malleability?

189

17:48

<__gotcha> not right now

190

17:48

<michaelfolkson> stickies-v: Why should we care? Hmm if a second layer protocol relied on knowing wtxid? Auditability for how Bitcoin were spent from a complex script?

191

17:49

<stickies-v> oh I missed __gotcha 's answer, yes exactly having a different witness can affect transaction size, and since the absolute fee amount is fixed (that part is not malleable), that would afffect the tx's fee rate - and thus it's ability to get propagated and priority to get mined into a block, which can be problematic

192

17:49

<michaelfolkson> There's a OR(A,B,C). You think it was spent using A but actually it goes on the blockchain with a spend using B

193

17:49

<michaelfolkson> Yeah size and fees is the better one

194

17:50

<__gotcha> stickies-v: thanks for being much more precise :-)

195

17:50

<sipa> That's not malleability. Third parties can't invent a valid signature by B.

196

17:50

<michaelfolkson> sipa: A,B,C are (overlapping) policies :)

197

17:51

<sipa> Ah, sure, in that case.

198

17:51

<darosior> What if a transaction spends a Miniscript which contains a hash using another path? It needs to "dissatisfy" this hash. Once this transaction is broadcast, what can a node on the network do if they want to be a pain?

199

17:52

<__gotcha> darosior: what is "containing a hash" ?

200

17:52

<darosior> __gotcha: say for instance a sha256() fragment is part of the Miniscript, but not in the branch used to spend

201

17:53

<darosior> Replacing the hash dissatisfaction by any 32 bytes string will not invalidate the witness

202

17:53

<__gotcha> ok

203

17:53

<darosior> And then for instance the first node i'm broadcasting it to can just take my transaction and send a different version to all nodes on the network

204

17:54

<__gotcha> what would be the goal in that case ?

205

17:54

<OliverOffing> does "non-malleably satisfiable" perhaps mean that there's no way to use a same witness data to construct a dissatisfaction of one of the fragments?

206

17:54

<__gotcha> if the witness is longer, it gets less priority

207

17:54

<stickies-v> to make it specific, I think an example of a policy of which the Miniscript does not have a satisfaction that's guaranteed to be non-malleable is `or(and(older(21), pk(A)), thresh(2, pk(A), pk(B)))`

208

17:55

<darosior> This will increase the bandwidth usage of compact relay for everyone, since the miner will mine a transaction that is not exactly the same as every node has in its mempool

209

17:55

<__gotcha> darosior: but not in the case you just described, right ?

210

17:55

<__gotcha> ok, as an attack against the network as a whole iiuc

211

17:55

<darosior> OliverOffing: See "Malleability" at https://bitcoin.sipa.be/miniscript/ for a definition of a non-malleable satisfaction

212

17:56

<darosior> __gotcha: yeah, as a "nuisance" more than an attack let's say

213

17:56

<stickies-v> okay only a few minutes left, let's do a quick question on the code just so we can say we've covered it!

214

17:56

<stickies-v> in `Node::CheckTimeLocksMix()`, what is the type of `"k"_mst`? In your own words, what does the `<<` operator do here?

215

17:57

<__gotcha> stickies-v: which line ?

216

17:57

<stickies-v> (link: https://github.com/darosior/bitcoin/blob/ec72f351134bed229baaefc8ffaa1f72688c5435/src/script/miniscript.h#L846)

217

17:58

<theStack> the type of `"k"_mst` is `Type`, which seems to be just a uint32_t with some helper methods on top

218

17:59

<stickies-v> theStack: yes correct!

219

17:59

<OliverOffing> `<<` looks like a bitwise mask/operation to me

220

17:59

<sipa> @OliverOffing That's correct, but I'd say that's an implementation detail. What does it *mean* for the types involved?

221

17:59

<stickies-v> `"k"_mst` is converted into a `Type` instance through the user-defined literal (https://en.cppreference.com/w/cpp/language/user_literal) `operator"" _mst` (https://github.com/darosior/bitcoin/blob/ec72f351134bed229baaefc8ffaa1f72688c5435/src/script/miniscript.h#L129)

222

17:59

<OliverOffing> left shift probably

223

17:59

<__gotcha> naive cpp newbie question, is that operator overloading ?

224

18:00

<sipa> @OliverOffing No.

225

18:00

<theStack> (maybe people will hate me but my personal opinion is that overloading shift operators is a terrible practice)

226

18:00

<sipa> @__gotcha Yes.

227

18:00

<__gotcha> theStack: totally agree

228

18:00

<ls55> theStack:+1

229

18:00

<stickies-v> `<<` checks that every type property that the right hand has, the left hand also has

230

18:00

<sipa> @theStack Fair enough... do you have a better suggestion? :)

231

18:01

<stickies-v> or to quote the docstring: "Check whether the left hand's properties are superset of the right's (= left is a subtype of right)."

232

18:02

<stickies-v> thank you all for bringing your A game today. Unfortunately we're out of time for this session, but there's more Miniscript joy next week. Same place, same time! Thank you again to darosior and sipa for guiding us all through this.

233

18:02

<stickies-v> #endmeeting