PLT-7583 Validator optimizations #12
Conversation
Script hashes all match.
There was a problem hiding this comment.
Thank you. The diffs where very useful too.
@paluh and I reviewed them, and we have some comments. One he will post himself.
We are not sure whether it is possible to keep makeIsDataIndexed with the asData, but if it is possible it would be desirable. So that is why I am asking for changes.
In addition to that, I've noticed that ScriptTypes.hs corresponds to Script/Types.hs, not sure if it would be better to have the same naming in both to make it easier to compare.
In the same line, we could order things in marlowe-cardano in the same way than in marlowe-plutus. But that would be a different PR, ofc.
| | Assert Observation Contract | ||
| deriving stock (Generic, Data) | ||
| deriving newtype (ToData, FromData, UnsafeFromData, Haskell.Eq, Haskell.Ord, Haskell.Show) | ||
| |] |
There was a problem hiding this comment.
I cannot find a makeIsDataIndexed for Contract type. Should there be?
There was a problem hiding this comment.
Using asData makes makeIsDataIndexed redundant because the patterns include that information. I'll double-check the TH source code for makeIsDataIndexed, just to be 100% sure.
There was a problem hiding this comment.
In the same line, we could order things in marlowe-cardano in the same way than in marlowe-plutus.
If you're referring to the ordering in the semantics files, we'd have to change those in marlowe-cardano because the order in marlowe-plutus is (unfortunately) constrained by the way GHC handles TH: i.e., identifiers don't resolve during compilation of the module unless the ordering declares them in a particular sequence.
I think we should reorder and clean up the marlowe module in marlowe-cardano, maybe when we upgrade to Conway near the start of PI5. Typeclass instances etc. are scattered about the file in a not very logical order. @jhbertra has some ideas for improvements.
There was a problem hiding this comment.
Ah, if it is not possible to be explicit in marlowe-plutus then it makes sense
There was a problem hiding this comment.
@bwbush isn't makeIsDataIndexed replaced in the TH block by deriving stock (Data,...) which is "constructor order dependent" derivation of the encoding instance:
There was a problem hiding this comment.
Actually, makeIsDataIndexed is replaced by asData, whose splice expands to explicitly numbering the constructors in their order of appearance. The deriving stock Data refers to the type Data.Data (Data) in the base library and doesn't particularly relate to Plutus.
There was a problem hiding this comment.
Ah, if it is not possible to be explicit in marlowe-plutus then it makes sense
I've added a comment documenting this in 392246d.
There was a problem hiding this comment.
@bwbush, we had an interesting discussion with @palas that seems pretty important and is related to the semantic changes after migration to asData. I'm not sure if we understand asData so please correct me if I'm wrong below.
Our understanding of asData semantics:
-
asDatamakes the decoding of theContractlazy (without memoization) - we decodeBuiltinDataon demand when we pattern match on a value. -
If we consider a decoding failure, it will happen lazily as well.
-
If the above is true then we can probably say that every value of type
Awhich was previously represented as strict data type (so the set of values did not contain⊥, right?) in the context ofasDatais turned intoA ∪ { ⊥ }. -
If the above is true then this is probably a problem from formalization point of view because we have to change the spec (semantics would work over
Contract ∪ { ⊥ }instead ofContract). -
What is also important is that we can show using a specific example that lazy validation which triggers exceptions can change semantics of the Marlowe program (example follows).
Change of the Marlowe Semantics - example:
-
Let's analyze specific example which causes violation of existing termination guarantees.
-
Let's compare evaluation of our specific example to the evaluation of the same but merkleized contract with strict data representation. Merkleization encodes laziness in a bit different manner but can probably be approximated as
Case (Contract ∪ { ⊥ })meaning if the hash is invalid (or lost) then decoding of a specific branch can "stale forever". -
The difference with merkleization is that the timeout branch of
Whenis always revealed in a merkleized contract. The timeout branch itself can contain a contract which may include aWhencontract with a timeout which has to be revealed as well, and so on. Therefore, the timeout branch must contain a fully decoded "timeout based" path to aClose. -
In the case of
asDataused overContract, there's a possibility that a malicious actor forges a datum on the chain and puts an invalid piece of data in the timeout branch which actually has to containContractvalue. Decoding of this timeout continuation will trigger runtime exception. -
The difference really boils down to
Contract ∪ { ⊥ }vsCase (Contract ∪ { ⊥ })in this case. -
Let's consider a hypothetical contract decoded lazily using
asData:When [ Case (Deposit ...) (When [] timeout INVALID_DATA)] timeout Close- If the user performs the
Depositthe semantics won't enforce decoding of theINVALID_DATAin the same step (we don't have to pattern match on this case when timeout is not reached). - If that is true then we end up in a continuation which locks the funds.
-
If we consider the same but strictly decoded merkleized contract:
When [ Case (Deposit ...) hashOfTheContinuatation] timeout Close- When we are applying input we have to provide the next part of the contract corresponding to the
hashOfTheContinuationfully decoded. - So in this case we actually have to decode contract
When [] timeout INVALID_DATAtogether withINVALID_DATA. - So if the
INVALID_DATAdoesn't encodeContractand is part of the initial hash then the input application will not happen because we cannot provide a contract which is correctly decoded and is corresponding to the hash value. - So merkleization doesn't cause locking in this particular case because we it is impossible to perform the
Deposit.
Discussion:
-
Is the above understanding of
asDatacorrect? -
If that is true shouldn't migration to
asDatabe considered as a breaking change and enforce changes in formalization of the semantics? -
We can say that the above attack vector is unrealistic because datum decoding and inspection of the contract is a natural step which every user or DApp should perform before applying any input. So is this a really harmful change in the semantics? Should we allow this new semantics on the chain?
-
Should we perhaps apply
asDataonly to theCasedata type so it preserves similar timeout branch semantics to the merkleized contract? -
If we do this (apply to the
Casedata type only), maybe we can just usedata Contract = ... | When [Case BuiltinData] Timeout Contract | ...(which somewhat mimics merkleized case):- It requires full decoding of the timeout branch (all the way down to the
Close) - It explicitly says which parts of the contract decoding can crash in the evaluation loop of the semantics at runtime (with
asDatawe have the same problem but encoded implicitly I think).
- It requires full decoding of the timeout branch (all the way down to the
CC: @jhbertra
The above might not be correct because the Marlowe-Cardano specification requires that that output contract from |
…as used. In response to review comment #12 (comment).
|
I started wondering - maybe |
|
Here is evidence that corrupt data is only detected later in the contracts's lifecycle. |
1. Removed `PlutusTx.asData` for `Contract`. 2. Added `PlutusTx.asData` for `Cases`, with cabal flag default `False`. 3. Added cabal flag for `PlutusTx.asData` for `Action`, with default `True`.
bwbush
requested review from
paluh and
ramsay-t
and removed request for
jhbertra
Fixed in c0b42fc. |
|
@palas, @paluh, @ramsay-t in 69decf6 I removed |
|
Cool. Thanks! |
|
See https://nbviewer.org/gist/bwbush/eb372f077a444021e9ede95699e442b5/PLT-9055.ipynb for test results. |
PlutusTx.asDataforState.PlutusTx.asDataforAction.Value.geq, but with fallback.marlowe-cardanorepository, but tests still rely on that (for consistency).Note to reviewers
Here is an efficient way to compare the validator files where were renamed or relocated:
git clone git@github.com:input-output-hk/marlowe-plutus --single-branch \ --branch PLT-7583 marlowe-plutus.new git clone git@github.com:input-output-hk/marlowe-plutus --single-branch \ --branch main marlowe-plutus.main git clone git@github.com:input-output-hk/marlowe-cardano --single-branch \ --branch PLT-8148-plutus1.15.0.0-feature marlowe-cardano.feature vimdiff marlowe-plutus.new/marlowe-plutus/src/Language/Marlowe/Plutus/Semantics/Types/Address.hs \ marlowe-cardano.feature/marlowe/src/Language/Marlowe/Core/V1/Semantics/Types/Address.hs vimdiff marlowe-plutus.new/marlowe-plutus/src/Language/Marlowe/Plutus/Semantics/Types.hs \ marlowe-cardano.feature/marlowe/src/Language/Marlowe/Core/V1/Semantics/Types.hs vimdiff marlowe-plutus.new/marlowe-plutus/src/Language/Marlowe/Plutus/Semantics.hs \ marlowe-cardano.feature/marlowe/src/Language/Marlowe/Core/V1/Semantics.hs vimdiff marlowe-plutus.new/marlowe-plutus/src/Language/Marlowe/Plutus/ScriptTypes.hs \ marlowe-cardano.feature/marlowe/src/Language/Marlowe/Scripts/Types.hs vimdiff marlowe-plutus.new/marlowe-plutus/src/Language/Marlowe/Plutus/Script.hs \ marlowe-plutus.main/marlowe-plutus/src/Language/Marlowe/Plutus/Semantics.hs