additional wireguard bounds for autobahn #3609
…c (CON-298 follow-up)

Annotates all repeated fields in autobahn.proto with (wireguard.max_count), then generalises the wiring so no per-channel or per-call plumbing is needed:

- Plugin now emits WireguardScan([]byte) error on each schema-bearing type instead of init()/registry calls.
- protoutils.Unmarshal[T] asserts wireScanner and scans before proto.Unmarshal automatically.
- transport.go asserts wireScanner on the channel MessageType, replacing the explicit PreDecode field on ChannelDescriptorT.
- Removes PreDecode from ChannelDescriptorT and all four reactor call-sites (blocksync, consensus, evidence, statesync); protection is now derived from the proto type, not the channel config.
- Fixes plugin bug: proto3 optional fields were incorrectly treated as oneof variants, generating non-existent wrapper type names.
- Wiring tests rewritten to call WireguardScan directly; no-op tests added for channels whose message variants don't reach a capped field.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
api.wireguard.go was generated alongside autobahn.wireguard.go but missed from the initial commit — the giga LaneReq/LaneResp/etc types transitively reach the annotated Autobahn fields and get WireguardScan automatically. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The (wireguard.max_count) options added to autobahn.proto change the embedded raw descriptor in autobahn.pb.go. Regenerated via sei-tendermint/internal/buf.gen.yaml. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sigs, votes, lane_ranges, lane_qcs, and block headers in QC messages are bounded by the validator set size, which is far below 10000. Use 100 as a tighter, more accurate ceiling. Payload.txs stays at 2000. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add TestPlugin_Proto3OptionalDoesNotEmitWrapperType: a message with a proto3 optional field (synthetic oneof in the descriptor, no Go wrapper struct) alongside a capped repeated field. Asserts the plugin does not emit a nonexistent Foo_Bar wrapper type and correctly caps items. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…o gprusak-wireguard
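The scan-before-decode wiring described in the commit messages above, as an added Go sketch that is not the plugin's generated code. `Votes`, its single `sigs` field, the error values and the `decode` callback are hypothetical, and only top-level fields with wire types 0 and 2 are handled.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// wireScanner and Votes are hypothetical stand-ins, not the plugin's generated code.
type wireScanner interface{ WireguardScan([]byte) error }
type Votes struct{} // constructed message: `repeated bytes sigs = 1`, max_count 100
var errTooMany, errMalformed = errors.New("sigs exceeds max_count"), errors.New("malformed wire data")

// WireguardScan walks the top-level fields without allocating and counts field 1.
func (Votes) WireguardScan(b []byte) error {
	for count := 0; len(b) > 0; {
		tag, n := binary.Uvarint(b)
		if n <= 0 {
			return errMalformed
		}
		b = b[n:]
		size, m := binary.Uvarint(b) // varint value, or length prefix for wire type 2
		switch wt := tag & 7; {
		case m > 0 && wt == 0: // varint field: the value is already consumed
			b = b[m:]
		case m > 0 && wt == 2 && size <= uint64(len(b)-m): // length-delimited: skip payload
			b = b[m+int(size):]
			if tag>>3 == 1 {
				if count++; count > 100 {
					return errTooMany
				}
			}
		default: // truncated data, or a wire type this constructed message never uses
			return errMalformed
		}
	}
	return nil
}

// Unmarshal scans before decoding, so an over-cap message never reaches the decoder.
func Unmarshal(m any, b []byte, decode func([]byte) error) error {
	if s, ok := m.(wireScanner); ok {
		if err := s.WireguardScan(b); err != nil {
			return err
		}
	}
	return decode(b)
}

func main() { fmt.Println(Votes{}.WireguardScan([]byte{0x0a, 0x05, 'x'})) }
```

Because the cap check hangs off the message type through the interface assertion, a type without `WireguardScan` goes straight to the decoder, which is why the PR adds no-op tests for channels that never reach a capped field.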
PR Summary
Medium Risk
Overview
Wireguard behavior:
Call sites: Consensus block reassembly, P2P transport, and channel wiring tests switch to
Reviewed by Cursor Bugbot for commit d211dc6.
Codecov Report
❌ Patch coverage is
@@ Coverage Diff @@
## main #3609 +/- ##
==========================================
- Coverage 59.02% 58.18% -0.85%
==========================================
Files 2215 2153 -62
Lines 182521 174413 -8108
==========================================
- Hits 107731 101477 -6254
+ Misses 65094 63932 -1162
+ Partials 9696 9004 -692
| @@ -1274,783 +1274,786 @@ func (this *Pool) Description() (desc *github_com_gogo_protobuf_protoc_gen_gogo_ | |||
| func StakingDescription() (desc *github_com_gogo_protobuf_protoc_gen_gogo_descriptor.FileDescriptorSet) { | |||
| d := &github_com_gogo_protobuf_protoc_gen_gogo_descriptor.FileDescriptorSet{} | |||
| var gzipped = []byte{ | |||
| // 12410 bytes of a gzipped FileDescriptorSet | |||
| 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0xbd, 0x7b, 0x94, 0x1b, 0xe7, | |||
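Review bot: The regenerated gzipped FileDescriptorSet in StakingDescription() (the `var gzipped = []byte{` literal, 12410 bytes) cannot be checked by reading the diff, so a hand edit to the embedded descriptor would pass review unnoticed. Consider a CI step that reruns code generation and fails on any difference from the committed file, and state in the PR description which proto change caused this file to regenerate.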
Why did this file change?
Because gogoproto code embeds transitive proto file descriptors, wireguard.proto in this case.
| genesisTimestamp time.Time | ||
| } | ||
|
|
||
| const MaxValidators = 100 |
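Review bot: `const MaxValidators = 100` has no doc comment, and nothing in the visible lines ties it to the repeated-field caps that a commit message in this PR also sets to 100 on the grounds that those fields are bounded by the validator set size. If the two values drift apart, either a committee within MaxValidators produces messages the decoder rejects, or the caps end up looser than the committee bound. Suggest a comment naming the dependent caps and a test that fails when they disagree.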
Do we have a common place for all these constraints?
MaxValidators is a committee property; payload constraints are with the payload type.
| // See `google.protobuf.Timestamp` for more detailed specification. | ||
| message Timestamp { | ||
| option (hashable.hashable) = true; | ||
| option (wireguard.sized) = true; |
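Review bot: `option (wireguard.sized) = true;` on Timestamp only guards against a later unbounded field if the plugin's structural check fails generation when one is added. Worth a plugin test with a sized message that gains a repeated or bytes field without a cap, asserting that generation fails, so the guarantee does not rest on authors remembering to annotate.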
What happens if someday someone adds a new field and forgets to add this field?
This annotation is enforcing boundedness of the message size. Adding it later is backward compatible, removing it is not.
| } | ||
|
|
||
| message TestonlySizedLeaf { | ||
| repeated bytes items = 1 [(wireguard.max_total_size) = 3]; |
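Review bot: `repeated bytes items = 1 [(wireguard.max_total_size) = 3];` carries no max_count, and the fixture does not show whether the total counts only payload bytes or also the per-element tag and length bytes. A zero-length element still costs two bytes on the wire for field 1, so if only payload bytes are counted the number of elements is unbounded. Add a test case made of many empty items to pin the behaviour down.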
nit: add max_size case?
| extend google.protobuf.MessageOptions { | ||
| // sized marks messages that are required to have a bounded maximal wire | ||
| // size according to the wireguard plugin's structural checks. | ||
| bool sized = 414126221; |
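Review bot: `bool sized = 414126221;` is picked by hand, and the visible lines carry no record of which extension numbers on google.protobuf.MessageOptions are already taken. Two extensions of the same message cannot share a number, so a short comment listing the numbers the wireguard options use, or a lint that checks uniqueness across the repo's proto files, would make the next addition safer.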
feel free to grab 414126218 and change max_count
I mean, do we care? It is not like we have a central registry of extension numbers in our repo, so adding a new number requires inspecting all the proto files in the repo. I would feel more comfortable assigning a random number.
In the next PR, I'll implement computation of the max message size, which then can be validated against the buffer.