> On 19 Sep 2017, at 11:09 AM, Luke Dashjr via bitcoin-dev wrote: > > On Tuesday 19 September 2017 12:46:30 AM Mark Friedenbach via bitcoin-dev > wrote: >> After the main discussion session it was observed that tail-call semantics >> could still be maintained if the alt stack is used for transferring >> arguments to the policy script. > > Isn't this a bug in the cleanstack rule? > > (Unrelated...) > > Another thing that came up during the discussion was the idea of replacing all > the NOPs and otherwise-unallocated opcodes with a new OP_RETURNTRUE > implementation, in future versions of Script. This would immediately exit the > program (perhaps performing some semantic checks on the remainder of the > Script) with a successful outcome. > > This is similar to CVE-2010-5141 in a sense, but since signatures are no > longer Scripts themselves, it shouldn't be exploitable. > > The benefit of this is that it allows softforking in ANY new opcode, not only > the -VERIFY opcode variants we've been doing. That is, instead of merely > terminating the Script with a failure, the new opcode can also remove or push > stack items. This is because old nodes, upon encountering the undefined > opcode, will always succeed immediately, allowing the new opcode to do > literally anything from that point onward. > > Luke > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev I have implemented OP_RETURNTRUE in an earlier version of MAST (BIP114) but have given up the idea, for 2 reasons: 1. I’ve updated BIP114 to allow inclusion of scripts in witness, and require them to be signed. In this way users could add additional conditions for the validity of a signature. For example, with OP_CHECKBLOCKHASH, it is possible to make the transaction valid only in the specified chain. (More discussion in https://github.com/jl2012/bips/blob/vault/bip-0114.mediawiki#Additional_scripts_in_witness ) 2. OP_RETURNTRUE does not work well with signature aggregation. Signature aggregation will collect (pubkey, message) pairs in a tx, combine them, and verify with one signature. However, consider the following case: OP_RETURNTRUE OP_IF OP_CHECKSIGVERIFY OP_ENDIF OP_TRUE For old nodes, the script terminates at OP_RETURNTRUE, and it will not collect the (pubkey, message) pair. If we use a softfork to transform OP_RETURNTRUE into OP_17 (pushing the number 17 to the stack), new nodes will collect the (pubkey, message) pair and try to aggregate with other pairs. This becomes a hardfork. -------- Technically, we could create ANY op code with an OP_NOP. For example, if we want OP_MUL, we could have OP_MULVERIFY, which verifies if the 3rd stack item is the product of the top 2 stack items. Therefore, OP_MULVERIFY OP_2DROP is functionally same as OP_MUL, which removes the top 2 items and returns the product. The problem is it takes more witness space. If we don’t want this ugliness, we could use a new script version for every new op code we add. In the new BIP114 (see link above), I suggest to move the script version to the witness, which is cheaper.