OrderBookIsNotCrossed invariant

[robertDurst]

Description

This PR introduces a new invariant, named OrderBookIsNotCrossed.

Background:

Pre-protocol 10 was allowing in some cases the order book to be in a crossed state. The example from CAP-0004 reads:

“In transaction 1, account A creates an offer selling 100 X at a price of 10 Y / 1 X.
In transaction 2, account B creates an offer selling 1 stroop Y at a price of 1 X / 10 Y.
As of protocol version 9, nothing is exchanged and the book remains crossed.”

Put very simply, a crossed state is one such that the top of the book contains a highest bid higher than the lowest ask.

Implementation Overview

This invariant, unlike the previous five, requires some state to determine the highest bid and the lowest ask. For this, I utilize a nested map data structure to simulate an order book, which is updated upon each call of checkOnOperationApply based on the offer entries in LedgerTxnDelta. Since this invariant will be used by the fuzzing code in #2182, which requires a reset of state between execution cycles, I have introduced a resetForFuzzer method to the base invariant class.

Open Questions

• Naming -- IsNot does not flow off the tongue
• Method of determining best order -- for now I just iterate through all orders for a given asset pair and take the highest/lowest (O(N)). This should be fine for small order books in fuzzing, but is not production ready.
• Initial in-memory order book state -- for now there is no way to initialize an order book. For fuzzing I believe this is fine, however it may be something we want (however, this in-memory structure in general is certainly not a production approach).

Checklist

• Reviewed the contributing document
• Rebased on top of master (no merge commits)
• Ran clang-format v5.0.0 (via make format or the Visual Studio extension)
• Compiles
• Ran all tests

[jonjove]

The ordering of the commits doesn't make that much sense to me and should probably be revisited (for example, the first commit registers an invariant that isn't even defined yet).

[jonjove]

For both AssetOrders and OrderBook, serializing the key to string is not a C++ idiom. Write a template specialization of std::hash instead. See ledger/LedgerHashUtils.h for inspiration.

[jonjove]

The change you made is not what I meant, let's discuss further offline.

[jonjove]

Not needed (along with getAssetID) in accordance with the comment about specializing std::hash. As a general remark: if you are writing a comment to describe the specific structure that a string must have, then you would probably be better off using a struct instead.

[jonjove]

Why not just copy offer1 and modify it directly?

[jonjove]

You want auto const& here and many other places in this file.

[jonjove]

Why not use genApplyCheckCreateOffer here? (This question applies in multiple places in this file)

[jonjove]

Passing around the operations is kind of clunky. The invariant only depends on the assets in the operation, so you should be able to prepare them in these functions.

[jonjove]

Why put a section directly inside another section? (This applies in multiple places in this file)

[marta-lokhova]

I don't think you need this include

[robertDurst]

I think I do. Invariant.h only includes:

#include <memory>
#include <string>

[marta-lokhova]

I don't think you need this.

[robertDurst]

As far as I can tell I do, won't compile without and it is also in most of the other invariant tests.

[robertDurst]

@marta-lokhova and @jonjove I have refactored per your feedback. Thanks -- I think this is quite a bit cleaner now!

Since some of the refactors were more involved, the diffs may make review a bit harder. To address this I tried to sensibly organize my changes into a few commits labeled [pr fix], however if a) this organization does not make sense or b) it would be easier if I just re-org'd everything together, let me know and I can fix up ASAP.

[robertDurst]

Updated for proper template specialization for std::hash for Asset instead of getAssetId--> std::string approach.

[robertDurst]

Changed header to WIP -- realize this does not properly account for PathPayment. It makes the assumption only a single asset pair will be modified and thus only checks if a single asset pair's orders are crossed. Will change header back when fixed.

[robertDurst]

Latest commit 86e3826 is a bit substantial (hence WIP in header). The most notable changes from the initial PR include:

• utilizing Operation to derive asset pairs for which to check order book is crossed
• proper accounting for all operations that touch the order book (ManageBuyOffer, ManageSellOffer, CreatePassiveOffer, PathPayment, and AllowTrust)
• utilize set for Orders (std::set<OfferEntry, OfferEntryCmp) instead of std::unordered_map<offerId, OfferEntry> since I do not need to look up individual offers by id, but rather am interested in the least priced, or best offers (thinking ahead a bit here to BestOffersTakenInvariant)
• decoupled genApplyCheck methods in testing to gen and applyCheck allowing for multiple offers to be applyCheck'd and also separated updateOrderBook and check to allow for more complex checking later on... again thinking about BestOffersTakenInvariant

[vogel]

std::make_pair can infer types for arguments, so until C++17 please use that

[YanaSneg23]

S

[robertDurst]

Ok will do. Ah cool I see what you mean: https://www.codingame.com/playgrounds/2205/7-features-of-c17-that-will-simplify-your-code/template-argument-deduction-for-class-templates

[vogel]

is does not make sense for those conditions to be inside loop
you can loop from 1 to pp.path.size() - 1 and have those special cases outside of loop

[robertDurst]

Good point. Fixed, simpler now.

[robertDurst]

While this works great for a persistent order book, the fuzzer does not want the order book to persist between fuzzing executions (not even between operations within a single transaction). So I will need to properly reset this. Have it reset properly on a local branch.

Will push this soon.

[jonjove]

Maybe this should be in ledger/LedgerHashUtils.h?

[robertDurst]

Moved

[jonjove]

Using a lambda here is unnecessary. I would just express it directly, as doing so would be shorter than the lambda. An alternative approach would be to remove the lambda, implement this in the .cpp file (leaving the declaration in the .h file), and use the static price method in that translation unit.

[jonjove]

Why not just check the asset-pair for every offer that appears in ltxd, similar to what you did for ALLOW_TRUST but incorporating created offers as well? I think this would be simpler and more reliable than handling each operation type specifically.

[robertDurst]

This simplification is great, and at this point it may seem like I do not utilize operations at all now, which is true. However, I do not believe I should remove the operation inclusion code from the tests because future order book invariants, specifically the one I have locally, wip, BestOffersTaken, relies on the operation for certain parts of its check.

[jonjove]

Nitpick: invraiants -> invariants

[jonjove]

Use front instead of at(0) and back instead of at(size()-1). Also these should be const references.

[jonjove]

Nitpick: le and offer should be const references. This comment applies many places in this file, so I won't post it everywhere but it would be worthwhile for you to look over the file.

[jonjove]

assets contains duplicates, which will be wasteful when checking crossed later. (I believe this is also possible for PATH_PAYMENT)

[robertDurst]

As part of an above change, I loop through Offers and only grab unique asset pairs.

[jonjove]

As far as I can tell, I don't think you are ever actually using these functions?

[robertDurst]

rebased so now I can add it to the appropriate place in the fuzzing code, before and after:

// attempt to apply transaction
txFramePtr->attemptApplication(*mApp, ltx);

[jonjove]

Technically, you only need to check oppositeAssetPair here. The insert on line 35 will do nothing if assetPair is already included.

[robertDurst]

Good point -- fixed.

[jonjove]

Looking closely at this, I'm not sure that this makes sense as implemented. An important piece of context here: it is possible to modify the buying or selling assets on an offer. In those cases, previous and current won't have the same asset pairs.

But in any case, I'm wondering why we should ever care about the previous state? If an order book wasn't crossed and an order was deleted, then it still isn't crossed. If an order book wasn't crossed and an order was modified such that it has the same asset pair, then it will be gathered from the current state. If an order book wasn't crossed and an order was modified such that it doesn't have the same asset pair, then it still isn't crossed. In any of these cases, the previous asset pair isn't useful. Am I missing something here?

[robertDurst]

Thanks, I did not realize you can change the asset, I thought you could only change the price and amount. Good catch.

Very good point -- if a set A of orders on an order book is not crossed, there is no subset B such that it may become crossed. The spread between the lowest ask and the highest bid for the subset B is >= the spread before the deletion of any order A.

[robertDurst]

TLDR they can only be in a less or equally crossed state so if the state was not crossed before it is not crossed now.

[jonjove]

Nitpick: ... const& assetPairs

[jonjove]

I think you forgot to fill in the rest of the code starting from // ... (I only gave you the first part of it). Should need to make some changes through auto const& bids = ....

[MonsieurNicolas]

will reopen later