Code Review: Smart Contract VM 02/13/19

[kantai]

This PR adds the following:

1. Contract interface for executing a transaction within the context of a transaction, with an in-memory implementation of that interface.
2. (define-public ...) function for specifying the public functions in a contract.
3. Support for buffer literals via hex strings or ascii string literals.
4. Type definitions that use the structural representation described in SIP-002 (i.e., (list 3 (buffer 5)))
5. Max value size enforcement
6. Max stack and context depth enforcement

This PR also reimplements the lexer from #908 so that it is a much more standard lexer (and the lexer itself handles literals).

This PR addresses:

#911
#913 -- though this will need to be revisited during the course of the implementation
#914
#915
#917
#918

[kantai]

Pushed some more work into this PR:

Adding type parameters to (define-public ...): #922

• Use loose type admission for maximum buffer/tuple size: basically, we want it so that we enforce a maximum buffer size, but will accept smaller buffers (the containing type is just the maximum of its composite types)

Adding initial implementation of a "Principal" type, parsed as described in SIP-002. I got a little carried away on this and implemented C32 address decoding -- see the implementation in src/address/c32.rs

[jcnelson]

Totally fine that this panics, but could you insert an error message here as well?

[jcnelson]

Alternatively, you could make this type of function unrepresentable by removing is_public from DefinedFunction and instead create a type enumeration like this:

pub enum FunctionTypes {
   PublicFunction(DefinedFunction),
   PrivateFunction(DefinedFunction)
}

Then, you'd simply handle this as a match statement.

[kantai]

Yep, I'll create a new type for this

[jcnelson]

Probably a good idea -- goes along with the general Rust-ism of avoiding non-sensical instantiations by making them unrepresentable in the first place.

[kantai]

Yep

[jcnelson]

"MultiplyDefined"? As in, defined multiple times, or something to do with the multiplication operator?

[kantai]

Ah, it's an error when you use the same variable name multiple times in a variable declaration like, the function definition:

(define (foo a a) (+ a a))

I can rename it to VariableDefinedMultipleTimes

[jcnelson]

You can enforce this in the type system by using [u8; 20] instead of Vec<u8>

[jcnelson]

For these unwrap()s, can you add an error message?

[jcnelson]

Also, how certain are we that these unwrap()s never occur?

[kantai]

Sure -- will add an error message.

These panics should never occur, since the composite values of the tuple should be smaller than MAX_VALUE_SIZE (much smaller than i128::max bytes) and combining them until the tuple is too large would require an extraordinarily large program. However, since the max value size check for tuple (and list) types occurs using the size() method, it's theoretically possible. So I'll change these to raise a ValueTooLarge error.

[jcnelson]

I agree, just as long as we can make it clear somehow that (list "abcdefghijk" "abc") costs as much to process as (list "abcdefghijk" "\x00\x00\x00\x00\x00\x00\x00\x00\x00abc"). We'd also want to be careful about how we "expand" shorter buffer items -- do we left-pad them with 0?

[kantai]

yep -- we'd need to make this clear. I think the behavior we want is that for any functions which accepts two buffers, to treat the smaller buffer as left padded with zeros. currently we don't have any buffer functions (except eq?).

[jcnelson]

How do you want to handle eq? for buffers that get implicitly left-padded with zeros? I don't think \x00abc and abc are necessarily equal. Maybe the buffer type should include a length field internally to avoid this problem?

[kantai]

Yeah, I was just going to comment on this. Those shouldn't be equal. Buffers should have a length, which they do currently (via their vec.len()), but the Buffer type has a maximum length, which is a little silly for a buffer's runtime type (because its length is always equal to its maximum length), but for declared types like public function inputs and datamap keys, values, it makes sense, because the maximum length determines whether or not a given runtime value would be admissable.

[kantai]

(this contradicts my previous response up there --- I don't think we should be automatically extending buffers. if we decide to include buffer functions like strncat, they should specify their padding behavior, if they have any)

[jcnelson]

What is :ascii: here? Is it printable ASCII characters? Also, can we have a lexer test below for ensuring that a code snippit with non-printable characters does not parse?

[jcnelson]

Also, the str type is a unicode string slice. We'll want the lexer to reject non-ASCII strings.

[kantai]

Yeah -- that :ascii: class should actually be :print: for printable ascii characters.

But this lexer will reject non-ASCII strings. None of these matchers will match a non-ascii character, which will cause the lexer to fail (if the lexer cannot process a given character, it exhaust all the matches and returns a ParseError)

[kantai]

Okay -- I pushed changes that addressed all of those issues.

1. Use two types for Global vs. Local contexts.
2. Use two types for public vs. private defined functions.
3. Raise a ValueTooLarge error in the event of an i128 overflow in type size.
4. Use printable ascii character class instead of ascii character class (and add unicode rejection test)
5. Use [u8;20] for the principal data
6. Rename MultiplyDefined error
7. Implement value equality check which checks for data equality not type equality. Will create a new issue for speccing out buffer functions.

[jcnelson]

Thanks! As soon as CircleCI finishes, please go ahead and merge to develop. Thanks also for implementing c32.rs 😀

[kantai]

Thanks for the review! The Circle CI tests look like they've finished successfully (https://circleci.com/gh/blockstack/blockstack-core/1716), so I'll go ahead and merge (Circle github notifications/commit check updates appear to currently be broken).