Refactor Script::bytes_to_asm_fmt to use iterator

[Kixunil]

Because of this change being somewhat large I didn't do it together with #658.
I also don't mind if this is merged after Taproot (feel free to put off review).

This refactors `Script::bytes_to_asm_fmt`` function to use an iterator
instead of index. Such change makes it easier to reason about overflows
or out-of-bounds accesses. As a result this also fixes three unlikely
overflows and happens to improve formatting to not output space at the
beginning in some weird cases.

To improve robustness even better it also moves read_uint
implementation to internal function which returns a more specific error
type which can be exhaustively matched on to guarantee correct error
handling. Probably because of lack of this the code was previously
checking the same condition twice, the second time being unreachable and
attempting to behave differently than the first one.

Finally this uses macro to deduplicate code which differs only in single
number, ensuring the code stays in sync across all branches.

I also attempted to get this work with no_panic crate to prove absence of panic but looks
like the compiler can not do that. (Yes, I did change writer to be trivial and a bunch of other things.)
If someone wants to give it a try I can publish that change.

Unresolved question

Since Error seems to be related to script execution maybe UintError should be public?
At least NumericOverflow variant is strange.

[apoelstra]

Wow! This is a huge improvement over the buggy C-style code.

ACK 55c6277

[TheBlueMatt]

Would be really nice to get a fuzz test for this, though.

[apoelstra]

Will let @Kixunil answer Matt's comments before merging.

[Kixunil]

Yeah, I hoped I can get rustc to prove there's no panic which would make fuzz redundant. Sadly I was unable to do it so fuzz it will be.

[sanket1729]

I would like to review this(hopefully by tomorrow). Requesting to hold off merging till then

[dr-orlovsky]

Just a small nit. Do not approve yet since run out of time to complete review and will do it later

[dr-orlovsky]

Nit: I do not see any harm of doing derives here with just a single line. But pls do not discard other reviews just because of this one Nit

[Kixunil]

The type is private (at least for now) and none of the derives is needed, so let's not needlessly blow up compile time. If we decide to make it public (I'm in favor of this) there will be all applicable derives and trait impls.

[dr-orlovsky]

"data types should eagerly implement derives" (from rust guidelines). :)

I am not insisting at all, just trying to understand the logic. Ok, the logic is not to blow the computing time.

However from my experience frequently these private error types become public and ppl forget to add derives to them - at least it cost me a lot of time to update rust-secp256k1, rust-bitcoin and minor crates with derives required to do a proper error handling on my own error types :(

[apoelstra]

I'd rather not add gratuitous derives. I find it confusing to read derives on private types because then I need to understand why they are needed.

If this type ever becomes public we can add derives at that time.

[Kixunil]

@dr-orlovsky I should have realized there's "public" word missing in that line when reviewing. Yeah, forgetting is unfortunate. Maybe have some checklists for various common tasks that could include this when changing a type to public? I'm thinking of something similar LND has.

[dr-orlovsky]

utACK 659468681743458e5467bbb92e47ee3c6f084411 with two nits

[RCasatta]

maybe even be more strict with size > 8 since we haven't arch greater than 64 bits?

[apoelstra]

I agree. This line is clever but we probably don't get any extra generality vs just using 8 as a bound.

[Kixunil]

Was thinking about it but felt wrong to return NumericOverflow for what is actually too large input. Was also thinking of

enum UintSize {
    OneByte = 1,
    TwoBytes = 2,
    FourBytes = 4,
    EightBytes = 8,
}

This enforces sane values but is API-breaking and a bit cumbersome. Maybe worth it considering most uses will use literal anyway?

(Also, maybe "width" is better than "size"?)

[Kixunil]

I have force-pushed all obvious style changes. Will address size checking when replied and fuzz test in a different commit, not sure if I will have time to do it today.

[Kixunil]

CI error: error: failed to run LLVM passes: unknown pass name 'sancov'

[dr-orlovsky]

@Kixunil this is known issue: #667

#664 will fix that and after we will need a rebase for nearly all PRs

[Kixunil]

Rebased on top of master to include #664 and added the fuzz test. Disclaimer: didn't try to compile the fuzz test, (ab)using CI for that.

[Kixunil]

@dr-orlovsky that was not CI related but my mistake. :)

[dr-orlovsky]

utACK 0e1b993, however extended test will be welcome (see my comment)

[dr-orlovsky]

We may need tests with > 1 push opcode to check formatting when multiple mixed instructions are present

[sanket1729]

ACK 0e1b993 as this PR as it for bytes_to_asm_fmt. Though I would like to note the panic in instructions API I mentioned previously is not addressed by this.

#658 (review)

This instructions().next().next() should panic for the last testcase in the first commit on 32 bit machines.

[Kixunil]

@sanket1729 ah, I got confused when reading your comment previously. You're right there's a bunch of similar issues. I hope I can look at them soon. (In a different PR, also changing the slice to iterator) I came here just for quick sync need to go AFK.

[dr-orlovsky]

@TheBlueMatt comment was addressed, so merging now