The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage

For detailed information about the code coverage, see the test coverage report.

Reviews

See the guideline for information on the review process.

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #31061 (refactor: Check translatable format strings at compile-time by maflcko)
• #31042 (build: Rename PACKAGE_* variables to CLIENT_* by hebasto)
• #30997 (build: Switch to Qt 6 by hebasto)
• #30930 (netinfo: add peer services column and outbound-only option by jonatack)
• #30221 (wallet: Ensure best block matches wallet scan state by achow101)
• #29936 (fuzz: wallet: add target for CreateTransaction by brunoerg)
• #29418 (rpc: provide per message stats for global traffic via new RPC 'getnetmsgstats' by vasild)
• #28710 (Remove the legacy wallet and BDB dependency by achow101)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

🚧 At least one of the CI tasks failed.
_{Debug: https://github.com/bitcoin/bitcoin/runs/30382700932}

🚧 At least one of the CI tasks failed.
_{Debug: https://github.com/bitcoin/bitcoin/runs/30701048188}

Latest force-push increases the scope of this PR, see updated PR description for an overview. In a nutshell:

• all non-bilingual_str format/strprintf usage is now compile-time checked. Format errors are returned as strings instead of thrown as error, but throwing behaviour can be maintained through tfm::format_raw.
• the const std::string& format overload is removed because it's unnecessary

Thanks a lot @maflcko and @l0rinc for your review!

Force-pushed to address @maflcko's comment about generally not letting tinyformat throw format errors, instead of just for the util::ConstevalFormatString overloads. Most notably, this changes behaviour for the bilingual_str format overload to also not throw.

Force-pushed to rebase addressing a merge conflict, preserve tfm::format_error throwing behaviour for DEBUG builds to improve visibility into programming errors before they manifest, and improve an error string.

Thank you for your thoughtful review @ryanofsky. tl;dr I share your concerns, but I think I have a different opinion on the trade-offs made.

I think everyone here is in agreement that compile-time checks (ideally with std::format) are the proper way forward, and everything else is a temporary patch. I think there are differing views on what we do in the meanwhile. It appears, especially without std::format and having to deal with unverified translated strings, that implementing bulletproof compile-time checking on format strings is not really feasible or the best use of our time.

I don't think putting "error while formatting log message" in a std::string and then returning that std::string is a good way for a C API to return errors, especially errors that are almost certainly bugs in the code.

I agree that returning error strings is not a good way to handle errors in general, but I don't think throwing a std::runtime_error is a good way to deal with programming errors either. Typically, these would be handled with assert statements (which is also tinyformat's default), but crashing the node for malformed (usually) informational strings seems perhaps unnecessarily strict, in similar vein to our usage of CHECK_NONFATAL instead of assert?

Can you agree that the concept of not exposing tfm::format_error to callsites makes sense in our codebase, at least philosophically? Fomat errors should never occur at run-time, even if they still can at present. If you agree with that, then I think it all comes down to what we do before we have full compile-time checking? It appears you prefer keeping the increased visibility when errors occur, whereas in this PR I prioritize not crashing the software in case we do miss it or if it's part of an erroneously translated format string.

I've force-pushed to preserve tfm::format_error throwing behaviour in DEBUG builds to keep more of the visibility without reducing stability. If you still feel like that new behaviour is still not an improvement over master (which is a view I can absolutely understand), I will drop the last commit and rework the first ones a bit. Even though the intent of the original version of this PR was to fix a regression, I'd be happy to change course and keep just the first commits that force more compile-time checks, without changing run-time behaviour, which I think everyone here agrees is an improvement.

EDIT: I also think the new uses of .c_str() are gross, though I didn't look into why those are necessary and that is not my main objection to this PR.

The const std::string& overload was dropped so that the util::ConstevalFormatString overload could be forced for all string literals. Although I don't like the additional .c_str() usage this introduced, it is mostly limited to fuzz and bitcoin-cli, and I think is worth the trade-off?

I think tinyformat's original decision to throw exceptions when invalid format strings were specified was flexible and sound

Note: tinyformat natively asserts that there are no formatting errors, the tfm::format_error is Bitcoin Core-specific.

or an inconsistently enforced check that behaves differently based on build flags.

I don't think this is correct:

(Also nit: the wording of that message doesn't make sense because tinyformat is used to format things other than log messages, and is also useful for low level string manipulation and things like formatting numbers or constructing urls)

Oops, good catch, thanks. This string was lifted from logging.h and I didn't properly update it - done now.

how would you feel about adding an Assume() statement that could fail Debug-builds when formatting fails?

Adding util/check.h to tinyformat.h introduced a couple of circular dependencies so instead I'm using #ifdef DEBUG, but the effect should be the same! (We could expand on this adding a TFM_THROW_FORMAT_ERROR flag (that defaults to set in DEBUG) so it can be added to more CI jobs without overhead if people would like that).

EDIT: I also think the new uses of .c_str() are gross, though I didn't look into why those are necessary and that is not my main objection to this PR.

I removed tfm::format_raw(fmt.original.c_str(), ... in #31061, where it remains just tfm::format(fmt.original, .... Obviously the two pulls conflict a bit, but the conflicts are trivial to solve either way.

Worth bringing back the try/catch in src/test/fuzz/strprintf.cpp for Debug builds?

₿ cmake --preset=libfuzzer -DCMAKE_BUILD_TYPE=Debug
...
₿ cmake --build build_fuzz -j<X>
...
₿ FUZZ=str_printf build_fuzz/src/test/fuzz/fuzz ../qa-assets/fuzz_seed_corpus/str_printf/
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 734467281
INFO: Loaded 1 modules   (1292656 inline 8-bit counters): 1292656 [0x5d5503ee60a0, 0x5d5504021a10), 
INFO: Loaded 1 PC tables (1292656 PCs): 1292656 [0x5d5504021a10,0x5d55053db110), 
INFO:     1133 files found in ../qa-assets/fuzz_seed_corpus/str_printf/
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 16446 bytes
terminate called after throwing an instance of 'tinyformat::format_error'
  what():  tinyformat: Not enough conversion specifiers in format string
==59713== ERROR: libFuzzer: deadly signal
    #0 0x5d54f8395fea  (/home/hodlinator/bitcoin/build_fuzz/src/test/fuzz/fuzz 0x5bd1fea)
...
    #30 0x5d54f8245174  (/home/hodlinator/bitcoin/build_fuzz/src/test/fuzz/fuzz 0x5a81174)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000


artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64: 

I'm not in love with the DEBUG separation, but I'm fine with it if others are.

ACK 49f7307

git range-diff 4f33e9a85c3a8f546deddc2f78cf74bceff30315~4..4f33e9a85c3a8f546deddc2f78cf74bceff30315 aba9ce0eb6e67945f2209a17676f356fe9748 7e6..928538e3782ccbb22f54f4a3b1152b1faba95471

1:  1f2d0ffd56 < -:  ---------- move-only: ConstevalFormatString tfm::format to tinyformat.h
2:  c937ebf1ce = 1:  efa6f3f372 tinyformat: remove std::string overload
3:  be7de807c8 = 2:  9329e334eb tinyformat: force compile-time checks for format string literals
4:  4f33e9a85c ! 3:  928538e378 tinyformat: don't throw format string errors
    @@ Commit message
         behaviour, so suppress run-time format errors by returning the error as
         a string instead of throwing a tinyformat::format_error.
     
         In DEBUG builds, tinyformat::format_error throwing behaviour is
         preserved.
     
         Note: most format string literals are partially validated at compile-time
         through util::ConstevalFormatString. Notably, bilingual_str format strings
         do not have this compile-time validation.
    @@ src/logging.h: template <typename... Args>
     -        try {
     -            log_msg = tfm::format(fmt, args...);
     -        } catch (tinyformat::format_error& fmterr) {
    --            /* Original format string will have newline so don't add one here */
     -            log_msg = "Error \""   std::string{fmterr.what()}   "\" while formatting log message: "   fmt.fmt;
     -        }
              const auto log_msg{tfm::format(fmt, args...)};
    @@ src/test/util_string_tests.cpp
      #include <util/string.h>
      
      #include <boost/test/unit_test.hpp>
      #include <test/util/setup_common.h>
      
      #include <sstream>
      
    @@ src/test/util_string_tests.cpp: BOOST_AUTO_TEST_CASE(ConstevalFormatString_NumSp
      
      BOOST_AUTO_TEST_CASE(tinyformat_ConstevalFormatString)
      {
    -     // Ensure invalid format strings don't throw at run-time.
    -     BOOST_CHECK_EQUAL(tfm::format("%*c", "dummy"), R"(Error "tinyformat: Cannot convert from argument type to integer for use as variable width or precision" while formatting log message: %*c)");
    -     BOOST_CHECK_EQUAL(tfm::format("%2$*3$d", "dummy", "value"), R"(Error "tinyformat: Positional argument out of range" while formatting log message: %2$*3$d)");
          // Ensure invalid format strings don't throw at run-time, when not in DEBUG
      #ifndef DEBUG
          BOOST_CHECK_EQUAL(tfm::format("%*c", "dummy"), R"(Error "tinyformat: Cannot convert from argument type to integer for use as variable width or precision" while formatting: %*c)");
          BOOST_CHECK_EQUAL(tfm::format("%2$*3$d", "dummy", "value"), R"(Error "tinyformat: Positional argument out of range" while formatting: %2$*3$d)");
          std::ostringstream oss;
          tfm::format(oss, "%.*f", 5);
    -     BOOST_CHECK_EQUAL(oss.str(), R"(Error "tinyformat: Too many conversion specifiers in format string" while formatting log message: %.*f)");
          BOOST_CHECK_EQUAL(oss.str(), R"(Error "tinyformat: Too many conversion specifiers in format string" while formatting: %.*f)");
      #endif
      }
      
      
    @@ src/tinyformat.h: TINYFORMAT_FOREACH_ARGNUM(TINYFORMAT_MAKE_MAKEFORMATLIST)
          try {
              detail::formatImpl(out, fmt, list.m_args, list.m_N);
          } catch (tinyformat::format_error& fmterr) {
    -         out << "Error \""   std::string{fmterr.what()}   "\" while formatting log message: "   fmt;
              out << "Error \""   std::string{fmterr.what()}   "\" while formatting: "   fmt;
      #ifdef DEBUG
              throw;
      #endif
          }
      }

Worth bringing back the try/catch in src/test/fuzz/strprintf.cpp for Debug builds?

We should definitely be able to see easily what the invalid values were (and add unit tests for those cases)

I've carved out the first 3 commits into #31149, since other PRs (e.g. #31061 and #31072) somewhat rely on this, and everyone seems in agreement that adding compile-time checks is good. Existing ACKs should be trivially transferable.

Converting this PR to draft until #31149 is merged to keep the controversial error suppression discussion until later.

Worth bringing back the try/catch in src/test/fuzz/strprintf.cpp for Debug builds?

We should definitely be able to see easily what the invalid values were (and add unit tests for those cases)

(Not sure that would add much value, we know the fuzzing will produce mostly garbage format strings that will trigger errors).

🐙 This pull request conflicts with the target branch and needs rebase.

⌛ There hasn't been much activity lately and the patch still needs rebase. What is the status here?

• Is it still relevant? ➡️ Please solve the conflicts to make it ready for review and to ensure the CI passes.
• Is it no longer relevant? ➡️ Please close.
• Did the author lose interest or time to work on this? ➡️ Please close it and mark it 'Up for grabs' with the label, so that it can be picked up in the future.