Stricter jörmungandr binary encoders regarding integer overflow #487
Conversation
Anviking
force-pushed
the
anviking/219/stricter-encoders
branch
2 times, most recently
from
b71a503
to
91da4fb
Compare
Anviking
force-pushed
the
anviking/219/stricter-encoders
branch
from
91da4fb
to
d2f8138
Compare
There was a problem hiding this comment.
The original idea is good, but its implementation needs revisions:
It will be sufficient and give us the same level of guarantees as this PR to use toEnum instead of fromIntegral for unsafe conversions. Conversions is unsafe when the codomain is smaller than the domain.
| unless (length inputs < 256) $ | ||
| fail "number of inputs must be lower than 256" | ||
| unless (length outputs < 256) $ | ||
| fail "number of outputs must be lower than 256" |
There was a problem hiding this comment.
Instead of magic number, it'd be better to use maxBound @Word8 to show where this 256 comes from.
There was a problem hiding this comment.
Done:
unless (length inputs <= fromIntegral (maxBound :: Word8)) $
fail "number of inputs cannot be greater than 255"
maxBound :: Word8is255so I've used255]instead of256)as bound- Preserved the 255 in the message despite the risk of going out of sync
- Avoided to state the entire allowed range, e.g.
number of inputs must be within the range [0,255], since I believe the 0 is a grey-zone.
| putWord8 $ fromIntegral $ length inputs | ||
| putWord8 $ fromIntegral $ length outputs | ||
| putWord8 $ overflowSafeCoerce $ length inputs | ||
| putWord8 $ overflowSafeCoerce $ length outputs |
There was a problem hiding this comment.
We should either check the length with unless or with overflowSafeCoerce. Doing both is overkill.
There was a problem hiding this comment.
Integer type promotions in the deserialisation (Get) shouldn't be too much of a problem. (Unless there are values which cause us to allocate an excessively large amount of memory).
But it's good to add checks in the serialisation (Put) before squeezing values into 8 bits - as you have done.
I am wondering what we should do about the error handling here. Should transactions with >= 255 inputs or outputs be rejected at the API level, or should we wait for serialisation to fail and return that error? I think the latter is OK, as long as it's clear to the user why the error happens.
We will most likely never create a transaction with more than 255 inputs, because of the way our CS work. So it's unlikely that such transaction would make it to being serialized. Having said that, I'd be more inclined to catch the erroneous transaction much earlier and avoid creating it in a first place. Failures in the Binary module should really be our last-resort / safety net; being the sign that something went wrong in the upper layers. |
Anviking
force-pushed
the
anviking/219/stricter-encoders
branch
5 times, most recently
from
c1ecfd0
to
aa8851a
Compare
|
New approach:
|
- Particulary in encoders (putX) - Somewhat for decoders (getX)
and add a test case for unbalanced transactions
Anviking
force-pushed
the
anviking/219/stricter-encoders
branch
from
aa8851a
to
b399323
Compare
KtorZ
modified the milestones:
Jörmungandr Integration Testing,
Jörmungandr High-level integration
Issue Number
#219
Overview
fromIntegralwithtoEnumwhere it might overflow.Comments