Merge pull request #399 from jl2012/patch-22

BIP141 script failure clarifications

bip-0141.mediawiki

@@ -98,9 +98,9 @@ If the version byte is 0, and the witness program is 32 bytes:
 * The <code>witnessScript</code> is deserialized, and executed after normal script evaluation with the remaining witness stack (≤ 520 bytes for each stack item).
 * The script must not fail, and result in exactly a single TRUE on the stack.
 
-If the version byte is 0, but the witness program is neither 20 nor 32 bytes, the script must fail.
+If the version byte is 0, but the witness program is neither 20 nor 32 bytes, the script must fail.<ref>For example, a scriptPubKey with OP_0 followed by a 40-byte non-zero data push will fail due to incorrect program size. However, a scriptPubKey with OP_0 followed by a 41-byte non-zero data push will pass, since it is not considered to be a witness program</ref>
 
-If the version byte is 1 to 16, no further interpretation of the witness program or witness happens, and there is no size restriction for the witness. These versions are reserved for future extensions.
+If the version byte is 1 to 16, no further interpretation of the witness program or witness stack happens, and there is no size restriction for the witness stack. These versions are reserved for future extensions.<ref>For backward compatibility, for any version byte from 0 to 16, the script must fail if the witness program has a <code>CastToBool</code> value of zero. However, having a hash like this is a successful preimage attack against the hash function, and the risk is negligible.</ref>
 
 === Other consensus critical limits ===