To be clear, there are a lot of changed lines across 64 files. But that is rather the point of this pull request - any side chain that changes the type for representing money from int64_t to something else has to change all these lines, thereby making it more difficult to share patches or rebase to keep the side chain up to date.

One of the few user visible changes that result from this is the use of strings instead of integers or doubles in the JSON-RPC.

Couldn't you accomplish mostly the same (but easier to review that behaviour is unchanged) with typedef uint64_t CMoney ?

Sure, for other chains the definition of CMoney may be more complex, but that's not our problem.

@laanwj, no all the code which assumes CMoney is an integer would have to change (and there's quite a bit of that). This pull request only allows a specific subset of arithmetic functionality, and requires explicit casts (with rounding modes) to treat the money value as anything else. Explicit is better than implicit, especially when the point is to maintain code compatibility across implementations with different underlying types.

I'm fine with a type to encapsulate the representation and arithmetic of monetary amounts, but does it really need to deal with conversion from/to human readable format too?

Especially since it's depended on by core, that feels like functionality that belongs on a higher level. Leaving that in util makes the impact of the patch smaller too.

NACK from me. I don't think this passes the cost-to-review-for-correctness versus potential-benefit-for-Bitcoin test.

@sipa util.h is loaded by core.cpp. I have no problem reverting that change, if that is the consensus decision. I just thought it was cleaner this way.

@gavinandresen is there anything I could do along the lines of additional tests to make it easier to be confident that it's correct?

How far do we want to go to facilitate altcoins? Well, I'm fine if it is a matter of renaming types, but not if it gives us more maintenance or testing overhead.

Hence I'd suggest splitting this up.

• I like the idea of using a "money" type. Changing this throughout the source code will result in a lot of line changes, but is easy to review. Defining a typedef for uint64_t would be the straightforward way. This will already do most of the work of making code easier to port over without adding code.
• Changing around the edge-cases where CMoney is treated as int: we don't need to change these in Bitcoin. If it's a small change in the GUI code, I'm fine with it if it makes it easier to use the GUI for altcoins. But in the core/ consensus code: keep the code as-is. Altcoins most likely don't want to literally take changes there over anyway.

I also agree with @sipa. Don't put formatting on the number type. I'm in favor of separating data and operations on it.

@laanwj I think you are underestimating the importance of semantic explicitness and type safety here. A simple typedef int64_t CMoney would leave a half-dozen lines of code scattered around the project which have in-built assumptions about the integer properties of the money type, and worse leave open the possibility of new hidden dependencies being introduced undetected. That's the key aspect of this pull request, and really the only thing which makes it interesting: adding a semantically explicit, generic, and type checked API as an interface to the underlying money type. I could split it into separate commits if you it is deemed necessary for review.

Regarding formatting, I'm not sure I understand. Aren't FormatMoney and ParseMoney the exceptions in the code base? Most other types have a ToString method and use serialization methods for reading data structures out of streams -- ParseMoney isn't the same thing exactly, but the analogy is close. Having toString() and static fromString() methods is generally good C++ conventions, and a common pattern in frameworks like Qt.

Maybe it does belong in util.cpp. I just want to understand the reasoning better.

A ToString() method is useful for debugging, but I don't think it should be used for interaction with humans. Even for conversion of data types like CKey or CKeyId there is a separate module (base58) for conversion to the human form.

We're not quite there yet, but I like to see the code evolve to a point where we can split off a "core data structures" library, which only contains definitions for structures used by the protocol and their serializations. That includes serialize, core, protocol, just the data types from script (not verification/signing), and if committed UTXOs become normative, also part of coins. No logging, no fee policy constants, and preferably no dependencies at all.

@maaku I'll only accept this if the introduced money type has exactly the same behavior as int64_t. Defining division to be different, for example, or rounding, is not acceptable. If you insist on using a class that's possible (and can also be straightforward), but it's somewhat harder to verify than a simple typedef.

Having a few lines scattered around the code that assume that the money type is integer is fine. For bitcoin this will never change. I'm sorry to say, but making it easier for altcoins to merge our code changes is not high on my priority list. I'm okay with renaming types but not anything that has more risk or stresses our already very limited testing and review capacity.

I would be very happy if multiple altcoins would do things like changing the money type :D

The debugging/user-string distinction makes sense.

I reverted FormatMoney() and ParseMoney() back into util.cpp, squashed the followon commits, and broke the original commit in two: the first commit does the int64_t -> CMoney change, the second adds type safety by making CMoney a separate class.

I have added documentation about EncodeDouble, and moved the CompressAmount / DecompressAmount code to money.cpp, where it is used by a new CCompressedMoney type, as per comments from sipa. I have also added some basic tests of the EncodeDouble / DecodeDouble routines.

I still don't like invoking rounding code (which, imho, is human-machine conversion stuff, not consensus code, even if it's some special mode for that purpose) from within core data structures. Can't you add an IMPLEMENT_SERIALIZE to CMoney itself, which in Bitcoin's implementation just serializes as int64_t, and READWRITE(nAmount) as before in CTxOut?

There is no rounding code. I stripped all that out; for Bitcoin, conversion to either int64_t or double is lossless and round-trip (although the consensus risk for double is higher due to poor FPU or compiler optimization, and should not be used in consensus code). The ROUND_X modes are present for future-proofing purposes, to ensure that if/when CMoney is changed from integer to some other numeric type, the then lossy conversions to int64_t or double are performed correctly. ROUND_SIGNAL, which is what is used in the consensus code, is a non-rounding mode with the semantics: "do not round under any circumstances, if the value is not lovelessly and round-trip serializable into the target type, throw an exception." Actual rounding modes are only specified for human-machine interface code (e.g. GUI, RPC api) and non-consensus code (e.g. transaction priority).

About serialization, the issue is that how it gets serialized could depend on context. In particular, serialization to int64_t will always be done in some cases, such as bitcoin-compatible nVersion=1 transactions for pegging. So when serializing an output you will need to know nVersion and sometimes inclusion height of the transaction in order to make a decision about serialization format.

So anyway, that's why CTxOut needs to be the way it is, but maybe there is use for native serialization in some contexts.. I haven't thought too much about that. It wouldn't be difficult to add an IMPLEMENT_SERIALIZE to CMoney. The reason it is not there is so that if someone tries such a READWRITE(nValue), they'll get an error and realize they have to think about these things ;)

On Fri, May 23, 2014 at 7:00 PM, Mark Friedenbach
[email protected]:

There is no rounding code. I stripped all that out; for Bitcoin,
conversion to either int64_t or double is lossless and round-trip. The
ROUND_X modes are present for future-proofing purposes, to ensure that
if/when CMoney is changed from integer to some other numeric type, the then
lossy conversions to int64_t or double are performed correctly.
ROUND_SIGNAL, which is what is used in the consensus code, is a
non-rounding mode with the semantics: "do not round under any
circumstances, if the value is not lovelessly and round-trip serializable
into the target type, throw an exception." Actual rounding modes are only
specified for human-machine interface code (e.g. GUI, RPC api) and
non-consensus code (e.g. transaction priority).

Yes, that's my problem. We're mixing code that should utility stuff into
consensus core headers. It's just engineering, but IMHO the one purpose of
CMoney should be to encapsulate the arithmetic semantics and serialization.
But in the actual one place where serialization of values is done, you
bypass the serialization that could be encapsulated there.

Saying that serializing a CTxOut requires invoking some utility to
forcefully cast the encapsulated money type to an int64 and then
serializing that is for me pretty much undoing the single nicest advantage
CMoney could have.

About serialization, the issue is that how it gets serialized could depend
on context. In particular, serialization to int64_t will always be done in
some cases, such as bitcoin-compatible nVersion=1 transactions for pegging.
So when serializing an output you will need to know nVersion and sometimes
inclusion height of the transaction in order to make a decision about
serialization format.

So pass the CTxOut's or CTransactions nVersion to the serialization code
(it has an nVersion argument in all its arguments!), and have CMoney use
that to decide how to serialize.

So anyway, that's why CTxOut needs to be the way it is, but maybe there is
use for native serialization in some contexts.. I haven't thought too much
about that. It wouldn't be difficult to add an IMPLEMENT_SERIALIZE to
CMoney. The reason it is not there is so that if someone tries such a
READWRITE(nValue), they'll get an error and realize they have to think
about these things ;)

Ok then use a separate wrapper like CMoneyCompressor for that, which
perhaps takes the CTransaction's nVersion as an argument.

I'm just saying: if we're introducing a type for encapsulating money
semantics in a separate module, let's get all responsibilities in there.

Ok a CMoneyCompressor-like class (CTxOutValueSerializer?) seems like a reasonable compromise. A little messy because it'll need the transaction metadata inside the txout serializer, but I'll see if I can make it work in a clean way.

Hmm, yeah agree. Putting responsibility about knowledge of transaction versions in money.* isn't very clean. But the inherent problem is that they can't be cleanly separated if they're dependent on each other. Right now, however, this is not a problem in Bitcoin, and my reason for liking this is modularization - not future compatibility with things that Bitcoin itself are unlikely to do.

To be honest I'm still not enthusiastic to merge this at all. As I've said before, it sounds like a overdesign for something that we don't need in bitcoin.

I agree with @laanwj -- NACK on merging this from me, doesn't pass my cost-to-review versus benefit-to-the-codebase test.

@laanwj @gavinandresen This solves actual ongoing maintenance problems being encountered by people using the bitcoin code base today, and is good software engineering for bitcoin. If your only opinion is it lacking in your own review prioritization criteria, that's fine. But please save the NACK for code that you actively want to prevent from being adopted in bitcoin, lest that word lose all meaning. Or am I misunderstanding your intent?

This patch may not fix any of your own problems or pet issues, but it has significant impact on mine and others. It is solving real-world maintenance headaches that are resulting in unnecessarily divergent and less-frequently updated code bases and provides type safety to help prevent future consensus-risk logic errors.

@maaku So if the codebases were less diverged we might expect to see you working upstream more? :)

@gmaxwell, that's the whole point!
On May 23, 2014 12:25 PM, "Gregory Maxwell" [email protected]
wrote:

@maaku https://github.com/maaku So if the codebases were less diverged
we might expect to see you working upstream more? :)

—
Reply to this email directly or view it on GitHubhttps://github.com//pull/4067#issuecomment-44050739
.

Speaking as a maintainer of a alto implementation, strong NACK. I'd hate to find out we accidentally added a consensus critical difference from standard into semantics that mattered; changing alto implementations to in turn match those semantics would be difficult and convoluted, especially on stuff like python where each level of abstraction has a significant performance cost. Why change what isn't broken for the sake of non-bitcoin projects?

Now making a money_value_t typedef is fine and useful for type safety, but only because that doesn't change behaviour.

(s/alto/alt/, stupid android keyboard)

@petertodd It seems we agree. I've said so too - a typedef is fine with me. Let's pull the first commit only, which does just that.

@laanwj ACK on a typedef.

Its worth remembering with optional changes like this that if we create a fork accidentally miners alone end up losing something like $50k/hour, and the reputation of Bitcoin will take a hit. (particularly given the reasons for making this change) I've already spoken to mining pools that stick with 0.8 because they consider the 0.9 changes to be risky; no sense giving them even more reasons to worry.

There are two very different questions here.

One question is whether this is a net improvement to the codebase - independent of the risk. In my opinion, it is, if it actually encapsulated certain responsibilities out of other code. If it helps forked codebases contribute upstream, that's a nice extra benefit.

However, If there is any doubt at all that this might introduce consensus changes, I don't think anyone would even think about merging. If not enough people consider that proven, it will have to wait. If people consider it not worth the review time, it may not be merged at all ever - that's just cost vs. benefits.

Anyway, ACK on a typedef. Let's see where we go from there.

The typedef doesn't solve the problem of the code making assumptions about the type being an int64 (which is the encapsulation/readability improvement that would directly benefit bitcoin). But merging a typedef would be simpler and it would help a little bit with forked codebases.
Another PR replacing the typedef with a full class should be easier to read once the typedef is merged. So, yes, it probably makes sense to separate this PR in two given the fact that the first part is much easier to accept.

@petertodd or anyone else, please point to a single line of code that introduces consensus risk. This patch in no way changes the user- or network-visible behavior of the client It was very carefully constructed with precisely that goal in mind. CMoney is still int64, just wrapped in a class! You'll see in the PR history that I've removed features such as operator/() which were safe but less obviously so.

Making CMoney a typedef has zero type safety benefits. Sorry, but that's how C++ works. It will be treated exactly the same by the compiler as before. Merging just the first commit is better than nothing, and helps me considerably. But all of the direct type safety benefits to bitcoin are in the 2nd commit, and so I strongly recommend reviewing it.

@maaku In Bitcoin even subtle compiler bugs lead to consensus problems; any change is risky. For me to properly review the CMoney class - specifically the idea that it's "just" int64 wrapped in a class - would require me to get out the C++ standard and actually check that there isn't any obscure gotchas.

Again, this is a change primarily for the benefit of other currencies, not Bitcoin. Why should we take that risk just so much smaller alts - or commercial ventures with non-public business plans in the case of sidechains - can benefit? (note how you've included rounding modes, yet they aren't used in the Bitcoin code) We're the ones with tens of thousands of dollars an hour downtime costs.

Since some altcoins seem to benefit from this change, maybe they can merge this first and incorperate it in their next client version. After some production experience, it might be easier to accept this change here.

By encapsulating functionality this increases the quality, maintainability, readability and future extensibility of bitcoin.
"Improve bitcoin's divisibility would be a trivial hardfork if it's required in the future" I have read and written this sentence many times and this PR would actually make it true.
About "any change is risky therefore any change is bad by default", maybe we shouldn't had refactored anything and just left almost everything on the main "module" where it used to be, maybe we shouldn't have decoupled the initial GUI stuff from the rest of the code, maybe we shouldn't separate the wallet from the core to avoid "consensus risks".
Good software engineering practices? Oh, no, those are risky...
Sorry for the sarcasm. Can we go back to concrete criticisms of the changes instead of arguing with vague "any change is risky" arguments?

@leofidus In the case of Freicoin, the main problem is to rebase the few technical changes it has on top of every new bitcoin release. If Freicoin accepts this change but bitcoin doesn't, the rebase won't get any simpler, probably worse. Maybe if bitcoin accepts the typedef, Freicoin can deploy the class version before bitcoin does, but I'm not sure that will be very useful since Freicoin would actually implement another version of the class, not the one equivalent to int64 that bitcoin would use.

@jtimon @leofidus Actually Freicoin has effectively had this change since the first code was written almost two years ago, although we use the GMP mpq_class directly instead of encapsulating it in CMoney, but the result is the same. Any upstream (bitcoin) change which deals with monetary values -- which is just about everything except network code -- results in a merge conflict and requires manual intervention. Likewise any Freicoin changes we want to move upstream require manual editing and re-testing, which is a barrier to all-volunteer efforts.

@jtimon > "Improve bitcoin's divisibility would be a trivial hardfork if it's required in the future" I have read and written this sentence many times and this PR would actually make it true.

By the time Bitcoin is worth the 6x or so orders of magnitude more required to make a divisibility hardfork necessary, changing CMoney would be the least of our worries with regard to a divisibility upgrade.

As for "good software engineering practices", consensus-critical code has very different good practices than normal code. Separating the wallet code - which shouldn't change consensus behavior - from the consensus critical code was a good idea, albeit one that needed to be very carefully evaluated. Making a CMoney class might be a good idea, but there's no need to rush it; a simple typedef is a conservative change that probably will have no impacts. I understand that you want a much less conservative change for your own reasons - Freicoin - but there's simply no reason why the rest of the Bitcoin community should take on risk for your benefit.

Remember that the fact that Freicoin has done this change a long while ago does not help in testing the actual concern, which is that a CMoney class may have different consensus critical behavior to int64. To test that you'd have to actually test the transition period between having int64 and CMoney; Freicoin never did that.

I agree that defining a money type is somewhat 'better software engineering' when looked at it some ways. But I see the future of Bitcoin Core as just Bitcoin Core, not 'Altcoin Core'.

Eventually I want to enshrine the Bitcoin-specific consensus code in a library that as is as small and independent as possible and completely specific to Bitcoin. Altcoins can create their own consensus libraries. I expect there to be little or no code sharing between these. The consensus code does not need to be general.

For this goal I think inside the consensus code it is good to have more low-level concreteness, not more abstractions. Recently we already went from the CBigNum type to well-defined, concrete uint256/uint160/CScriptNum types.

However in the rest of the code that interfaces with client applications (RPC), or the user, or provides some other interface, a more abstract interface that isolates from the specific representation of money inside the system is useful.

Since it seems that nobody would oppose to the innocuous typedef change, I think that probably it would be wise to separate that (which is not that interesting IMO but could be easily accepted) from the class approach to encapsulate serialization and arithmetic, which is clearly much more controversial.
I also think that the second commit/PR would be easier to review if it was separated in smaller and more clear commits.

Please tell me if I'm going off-topic or I should move this to the mailing list, I'm trying to understand the reasoning better since I feel it can help me with my own pull requests.
Although I don't understand @laanwj's argument that an abstraction on top of the low-level well-defined int64 type is risky or undesirable in consensus code, I can understand how changes that could potentially accept consensus are risky and therefore we must be more conservative about them, even if I disagree with the "this is completely useless for bitcoin and only useful for altchains" claim.

On the other hand, I don't understand the "review-costs" arguments. If someone doesn't have time to review certain change or doesn't think it's a priority to do so, that's completely understandable. Not reviewing a PR for this reason and leaving it in limbo is one thing. But justifying a NACK to "cut review costs" seems at the very least premature to me.
Maybe I'm missing something, but ideally NACKs should be in the form of: "This should never be merged becase A and B break X, Y and Z", "This would be more acceptable by also implementing tests X, Y and Z" or "this PR doesn't seem complete without also implementing A, B and C". The more concrete the objections are, the less frustrating it is for the developer trying to contribute and the more educational for the contributor or in general to other potential contributors reading the pull requests with the objective of educating themselves on how to properly try to contribute.

Again, my apologies if this is not the place for these later observations.

Am I understanding this correctly that leaving consensus-code unmodified (or typedef'ed) and introducing CMoney in the rest of the codebase would be a compromise which would help everyone (bitcoin has no fork risk but better modularization, freicoin has less work merging changes)? I can at least say that that version would benefit Dogecoin, which would mean that you would also get more help from us testing it.

@jtimon It's not so much about 'review costs', because review will almost certainly not find all bugs/inconsistencies. It is the costs of some unexpected change causing a fork. Years after Satoshi left people are still finding small unexpected cases in the consensus code.

Just that no one can point them out from glancing at the code doesn't mean that no problems exist. Making the code (maybe) a bit more readable and consistent is just not worth that. I hope you understand. If the potential benefits don't outweigh the potential trouble no one wants to take the risk to merge it, and a NACK is in order. That's better than keeping it in limbo forever, IMO.

@leofidus Yes if this could be done only outside the consensus code, it would be acceptable. That'd require an interface layer between the consensus code and the rest, which would be a good thing anyway. It is aligned with the goal of making a consensus library.

Automatic sanity-testing: FAILED MERGE, see http://jenkins.bluematt.me/pull-tester/p4067_fc1cd73d0ff73e26da2548193c630b3b8a4d630b/ for test log.

This pull does not merge cleanly onto current master
This test script verifies pulls every time they are updated. It, however, dies sometimes and fails to test properly. If you are waiting on a test, please check timestamps to verify that the test.log is moving at http://jenkins.bluematt.me/pull-tester/current/
Contact BlueMatt on freenode if something looks broken.

Closing this in favor of #4234.

After #4234 has been merged, a rebased version of this should be much easier to review.

@jtimon You could save yourself the trouble. As I've said multiple times (also above here), I'm willing to go as far as type-defing the money type. That's what we did, so as far as I'm concerned this issue is now closed.

Maybe this goes too far, but wouldn't be nice to have a class and convert the functions in utilmoneystr to methods of that class?
Maybe just moving that to amount.o would be enough?

At least please keep core data structure definition and human interaction separate. So no, don't move any utilmoneystr to amount.o or CAmount - that would imply having everything using any core datastructure at all depend on that conversion code.

I'm for keeping the data type and operations such as formatting on it decoupled. Especially as formatting could be done in different ways, depending on the context, it's not an innate property of the type, and indeed not necessary by all clients.