Change SignedAmount MAX and MIN to equal +/- MAX_MONEY

[jamillambert]

To prevent rounding errors converting to and from f64 change SignedAmount MAX and MIN to +/- MAX_MONEY which are within the limit in f64 that has issues.

Add checks to from_str_in, checked_add, checked_sub and checked_mul that the result is within MIN and MAX.

Modify tests to work with new MIN and MAX.

Discussed in #3688 and #3691

[coveralls]

Pull Request Test Coverage Report for Build 12272289434

Details

• 18 of 18 (100.0%) changed or added relevant lines in 2 files are covered.
• 1 unchanged line in 1 file lost coverage.
• Overall coverage increased (+0.01%) to 82.925%

---

Files with Coverage Reduction	New Missed Lines	%
units/src/amount/signed.rs	1	71.51%

Totals
Change from base Build 12269599764:	0.01%
Covered Lines:	20295
Relevant Lines:	24474

---

💛 - Coveralls

[yancyribbens]

I think a more consistent name is from_sats_checked like I added here: #3703

[jamillambert]

I think from_sats_checked is related to addressing #3696. This is just a private function created so the code is not repeated for the min/max check in the various other functions. But if the public function is created it could be used for the check as well I guess.

[yancyribbens]

But if we add a check for MIN to from_sats_checked, then we don't need check_min_max.

[tcharding]

As a private helper function this looks fine to me. Since its private I'd shorten the docs though. Also checking min first seems a bit cleaner to me

    /// Checks the amount is within the allowed range.
    const fn check_min_max(self) -> Option<SignedAmount> {
        if self.0 < Self::MIN.0 || self.0 > Self::MAX.0 {
            None
        } else {
            Some(self)
        }
    }

[yancyribbens]

If we are going to enforce a lower bound that's not i64::MIN , should that be MIN_MONEY? Not sure since core doesn't.

[jamillambert]

I have no strong opinion either way on adding a MIN_MONEY or leaving as it is. But lean towards not adding one since there was already discussion of removing MAX_MONEY.

[tcharding]

-1 to adding MIN_MONEY

[yancyribbens]

Yeah I'm inclined to agree

[yancyribbens]

I don't think this makes sense to check twice. There's a way to do this where we don't need to check self.0.checked_add(rhs.0) as well as .check_min_max(). right? same for the other operations.

[yancyribbens]

In other words, do a checked add, and if the results exceed MAX_MONEY, then NONE else Some(signed_amount)

[jamillambert]

I don't understand what you mean by check twice. The first checked_add() will only fail if it overflows, it has nothing to do with our MAX invariant. There is only one check for MIN and MAX, the .check_min_max() private function. I made it this way so that the check for all the public functions are not repeated and are done by one function which returns the Option.

[yancyribbens]

The first checked_add() will only fail if it overflows

Right. This check doesn't need to happen is what I'm saying. If two numbers are added together and the result is less than MAX_MONEY like what you do in check_min_max then you don't also need to check that the two numbers when added together don't overflow. IE less than MAX_MONEY implies not overflow.

[jamillambert]

But I still need to handle the case where the addition overflows. I can't check if the sum is greater than MAX if adding the numbers overflows, therefore I use i64::checked_add

[yancyribbens]

this could be verified with an assertion added to a test. My point is that checked_add should check that adding two numbers is not greater than MAX_MONEY, then if is not greater than MAX_MONEY you don't need to check that it overflows do you?

[tcharding]

This change looks correct to me.

[yancyribbens]

It's not incorrect to check both that it is not greater than MAX_MONEY and not greater than i64::MAX just unnecessary.

[tcharding]

\me says a little prayer "please lord give me patience"

[yancyribbens]

same here, if checked_sub is greater than MIN, then return Some else None.

[yancyribbens]

ditto

[yancyribbens]

I had already put in a PR for this, if that commits first you'll need to rebase.

[jamillambert]

Rebased to remove conflict. I kept it as MAX.0 and not .to_sats() to be consistent with the other changes

[tcharding]

This change is unnecessary.

[yancyribbens]

This PR conflicts with #3703 and #3697 which I've been waiting to get feedback on. It would be appreciated if you don't agree with those PRs to comment on them with your suggestions. I do agree that MIN should probably be redefined at some point as you have done in this PR.

[jamillambert]

This PR conflicts with #3703 and #3697 which I've been waiting to get feedback on. It would be appreciated if you don't agree with those PRs to comment on them with your suggestions. I do agree that MIN should probably be redefined at some point as you have done in this PR.

I have rebased to remove the conflict with #3697. #3703 deals with the issue #3696 which we decided to deal with separately to changing the MAX value to the lower MAX_MONEY. This PR is just applying what was done in #3693 to SignedAmount.

[yancyribbens]

This PR is just applying what was done in #3693 to SignedAmount.

What issue is this addressing then if not issue 3696? The reason I point out the conflict with 3703 is that I don't think we need both from_sats_checked as introduced in 3703 and check_min_max here.

[tcharding]

-1 to adding MIN_MONEY

[tcharding]

This change is unnecessary.

[tcharding]

Perhaps this better expresses what this match is doing

            (true, sat) if sat > SignedAmount::MIN.to_sat().unsigned_abs() => Err(ParseAmountError(
                ParseAmountErrorInner::OutOfRange(OutOfRangeError::too_small()),
            )),

[jamillambert]

Yes, thanks that is clearer. It did seem odd to check a min against a max even though it's the same thing.

[tcharding]

This change looks correct to me.

[tcharding]

As a private helper function this looks fine to me. Since its private I'd shorten the docs though. Also checking min first seems a bit cleaner to me

    /// Checks the amount is within the allowed range.
    const fn check_min_max(self) -> Option<SignedAmount> {
        if self.0 < Self::MIN.0 || self.0 > Self::MAX.0 {
            None
        } else {
            Some(self)
        }
    }

[jamillambert]

Thanks for the reviews. I have made the suggested changes.

[jamillambert]

Needs #3721

[tcharding]

ACK 4b926e1

[apoelstra]

ACK 4b926e1; successfully ran local tests