I think something is wrong if such a large value is passed in the first place. But the code change looks correct to me anyhow.

@laanwj I agree it should be rare, but there is at least one real world scenario where such an extreme value can be passed without it being a bug at the call site. In PrioritiseTransaction we call FormatMoney(nFeeDelta) on fee deltas. Fee deltas are allowed to be outside of the normal MoneyRange(…) as pointed out by luke-jr in another PR.

AFAICT we don't put a lower or upper bound on fee deltas (besides being CAmount of course), so I thought it was safest to define FormatMoney and ValueFromAmount for the entire CAmount including the std::numeric_limits<CAmount>::min() corner case :)

Some additional context: #20383 (comment) :)

I wasn't able to find a test that covered the negative COIN value scenarios.
Wouldn't It would make sense to test those scenarios since they show up on a basic truth table?

n % COIN

 n %  COIN -->   1  
 n % -COIN -->   1  
-n %  COIN -->  -1  
-n % -COIN -->  -1  

@RandyMcMillan I'm not sure I can think of a scenario when the constant COIN would be <= 0 but I've added a static_assert to make the assumption of COIN > 0 crystal clear for readers of the code :)

Thanks - I was just thinking thru different scenarios for testing. Negative moduli aren't something that comes up very often. :)

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• wallet: introduce setfeerate (an improved settxfee, in sat/vB) #20391 (wallet: introduce setfeerate (an improved settxfee, in sat/vB) by jonatack)
• rpc: deprecate addresses and reqSigs from rpc outputs #20286 (rpc: deprecate addresses and reqSigs from rpc outputs by mjdietzx)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

Thanks. Code review ACK 8d9979e04afdb081d923f79b581586330968ff56

@luke-jr Do you mean in FormatMoney? Leaving the sign in quotient would change the output compared to how it works today, no? This PR is meant as a pure refactoring (aside from the avoidance of the invalid integer negation): I don't want to introduce any change to the output format in this PR.

Right now, we're checking amount < 0 explicitly and prefixing -. If we simply don't negate quotient, strprintf will do the - for us...

@luke-jr I'll let others chime in, and I'll happily adjust to the consensus opinion regarding the suggested extra refactoring :)

Thanks for reviewing! Nits addressed (+ rebase: sorry!). Please re-review :)

When fuzzing the RPC interface I stumbled upon this case again: decoderawtransaction ff0000000001000000000000008004ff0400fffe001f00 will trigger the problematic code path :)

If anyone wants to test this PR vs master:

$ git checkout master
$ CC=clang CXX=clang++ ./configure --with-sanitizers=address,undefined
$ make
$ src/bitcoind &
$ src/bitcoin-cli decoderawtransaction ff0000000001000000000000008004ff0400fffe001f00
core_write.cpp:21:29: runtime error: negation of -9223372036854775808 cannot be represented in type 'CAmount' (aka 'long'); cast to an unsigned type to negate this value to itself
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior core_write.cpp:21:29 in
error: couldn't parse reply from server

The malformed JSON response can be found here.

This PR has three stale ACKs (@laanwj, @MarcoFalke, @luke-jr) and I believe all feedback has been addressed.

Anything left to do here? :)

Would be nice to have this addressed to be able to fuzz direct and indirect callers of FormatMoney and ValueFromAmount with UBSan enabled without hitting these invalid integer negations over and over from different call sites :)

This PR has three stale ACKs and I believe all feedback has been addressed.

Ready for merge after re-review?

re-ACK 1f05dbd