PLT-3564 PLT-6070 PLT-6071 PLT-6072 PLT-6073 PLT-5817 Safety checks for REST and CLI #622
Conversation
| (ContractId contractId, safetyErrors) <- run MarloweV1 minting' | ||
| liftIO | ||
| $ if null safetyErrors | ||
| then hPutStrLn stderr "Safety analysis found no errors in the contract." | ||
| else do | ||
| hPutStrLn stderr "Safety analysis found the following errors in the contract:" | ||
| BS8.hPutStrLn stderr $ Yaml.encode safetyErrors |
There was a problem hiding this comment.
Safety errors are printed as YAML to stderr. Another approach would have been to have these written to a file.
| @@ -143,7 +143,7 @@ instance Arbitrary Web.PostTransactionsRequest where | |||
| shrink = genericShrink | |||
|
|
|||
| instance Arbitrary (Web.CreateTxEnvelope tx) where | |||
| arbitrary = Web.CreateTxEnvelope <$> arbitrary <*> arbitrary | |||
| arbitrary = Web.CreateTxEnvelope <$> arbitrary <*> arbitrary <*> resize 5 arbitrary | |||
There was a problem hiding this comment.
The property-based tests become slow if we let large contracts/transactions be generated in the Arbitrary instance for safety errors. Five seems a good enough size limit here.
marlowe-runtime/marlowe-tx/Main.hs
Outdated
| @@ -214,6 +219,14 @@ getOptions = execParser $ info (helper <*> parser) infoMod | |||
| , showDefault | |||
| ] | |||
|
|
|||
| analysisTimeoutParser = option (fromInteger <$> auto) $ mconcat | |||
| [ long "analysis-timeout" | |||
| , value 15 | |||
There was a problem hiding this comment.
The slow phase of the safety analysis is limited to 15 seconds by default, at the marlowe-tx level.
| . either | ||
| (pure . TransactionValidationError transaction . show) | ||
| (const $ TransactionWarning transaction <$> V1.txOutWarnings txOutput) |
There was a problem hiding this comment.
Failures in the analysis of safety are server errors, but the results of successful safety analysis are returned as [SafetyError].
| -- Fast analysis of safety: examines bounds for transactions. | ||
| contractSafetyErrors = checkContract networkId roleTokens version contract' continuations |
There was a problem hiding this comment.
There is no time limit on the fast analysis of safety, because that doesn't use z3 to find all paths through the contract and it doesn't execute any Plutus transactions.
| , "detail" .= ("No roles are present in the contract, but a roles currency was specified." :: String) | ||
| , "fatal" .= False |
There was a problem hiding this comment.
Marked as non-fatal because an extraneous roles policy ID doesn't affect execution.
| , "detail" .= ("This role token was specified for minting, but that role is not present in the contract." :: String) | ||
| , "role-name" .= String (T.decodeUtf8 $ fromBuiltin tokenName) | ||
| , "fatal" .= False |
There was a problem hiding this comment.
Marked as non-fatal because minting an extra role token doesn't affect execution.
| , "detail" .= ("At some point in during its executation, the contract may hold more native tokens than permitted by the ledger rules." :: String) | ||
| , "bytes" .= natural | ||
| , "fatal" .= False |
There was a problem hiding this comment.
Marked as non-fatal because this is an estimate, and the slow analysis would identify if this truly occurs in any transaction.
| , "detail" .= ("This transaction's size may exceed the limit permitted by the ledger rules." :: String) | ||
| , "transaction" .= transaction | ||
| , "bytes" .= natural | ||
| , "fatal" .= False |
There was a problem hiding this comment.
Marked as non-fatal because this is an estimate, and the slow analysis would identify if this truly occurs in any transaction.
| , "detail" .= ("This transaction's Plutus execution cost may exceed the limit permitted by the ledger rules." :: String) | ||
| , "transaction" .= transaction | ||
| , "cost" .= exBudget | ||
| , "fatal" .= False |
There was a problem hiding this comment.
Marked as non-fatal because this is an estimate, and the slow analysis would identify if this truly occurs in any transaction.
| , "detail" .= ("A Marlowe semantics warning is reported for this transaction." :: String) | ||
| , "transaction" .= transaction | ||
| , "warning" .= warning | ||
| , "fatal" .= False |
There was a problem hiding this comment.
Marked as non-fatal because semantics warnings don't prevent execution.
| , "detail" .= ("The contract is missing a continuation that is not present in its map of continuations." :: String) | ||
| , "hash" .= toJSON (EncodeBase16 $ fromBuiltin datumHash) | ||
| , "fatal" .= False |
There was a problem hiding this comment.
Should this be fatal or non-fatal? One might choose to not supply the full set of continuations for analysis.
| , "detail" .= ("The safety analysis exceeded the allotted time." :: String) | ||
| , "fatal" .= False |
There was a problem hiding this comment.
Should this be fatal or non-fatal?
bwbush
force-pushed
the
PLT-5817
branch
2 times, most recently
from
aec3a6b
to
346a17b
Compare
| @@ -360,6 +361,7 @@ in | |||
|
|
|||
| marlowe-tx = mkOperableWithProbes { | |||
| package = marlowe-tx; | |||
| runtimeInputs = [ z3 ]; | |||
There was a problem hiding this comment.
@jhbertra, is this the only derivation where the new runtime dependency of marlowe-tx on z3 will need to be added?
There was a problem hiding this comment.
I think this needs to be added to compose.nix as well. You could add this to run-local-service:
export PATH="$PATH:${lib.makeBinPath [ z3 ]}"
| , NonPositiveBalance <$> arbitrary <*> arbitrary | ||
| , DuplicateAccount <$> arbitrary <*> arbitrary | ||
| , DuplicateChoice <$> arbitrary | ||
| , DuplicateBoundValue <$> arbitrary |
There was a problem hiding this comment.
FYI @bwbush :
I don't know if DuplicateChoice, DuplicateBoundValue are the same things but next handles cases where some inputs are shadowed by the previous ones ... next doesn't propose invalid applies...
For Deposit, next also handle Identical Evaluated Deposits... something we can't really check at "compile" time, but is 2 identical deposits in a when regardless their value could be considered as a warning ?
There was a problem hiding this comment.
These Duplicate... warnings apply to the state of the contract, not to actions like deposits.
| instance ToJSON SafetyError where | ||
| toJSON MissingRolesCurrency = | ||
| object | ||
| [ "error" .= ("MissingRolesCurrency" :: String) |
There was a problem hiding this comment.
It's surprising that you need to help the type inference to serialize here (xxxx:: String)
There was a problem hiding this comment.
Not at all, with OverloadedStrings the type of a string literal is polymorphic, because it is desugarred as
fromString ("MissingRolesCurrency" :: String)And in this context, we have
(.= "error") :: forall a. ToJSON a => a ->PairSo the type a is polymorphic in both its introduction (the output of fromString) and elimination (the input of (.= "error")), thus ambiguous.
| @@ -1,3 +1,5 @@ | |||
| -- editorconfig-checker-disable-file | |||
There was a problem hiding this comment.
Should we remove this ? now that we disabled the feature ?
| , containers | ||
| , eventuo11y >=0.9 && <0.11 | ||
| , eventuo11y >=0.9 && <0.11 |
There was a problem hiding this comment.
@bwbush you have confilcts with the cabals you have modified and the main because of the formatter .... maybe you should do a cabal-fmt --inplace --no-tabular **/*.cabal in your commits before rebasing...
There was a problem hiding this comment.
If you rebase and run pre-commit run --all this should be reverted now.
There was a problem hiding this comment.
although hlint will fail until #626 is merged.
| @@ -1,3 +1,5 @@ | |||
| -- editorconfig-checker-disable-file | |||
There was a problem hiding this comment.
You can get rid of this now
| @@ -1,3 +1,5 @@ | |||
| -- editorconfig-checker-disable-file | |||
|
|
|||
| Added | ||
| ----- | ||
|
|
||
| - Create command outputs results of contract safety analysis. |
There was a problem hiding this comment.
This shouldn't have its own changelog.d folder - this is part of the marlowe-runtime component, not a separate one
There was a problem hiding this comment.
Thanks. We should probably document which folders should not have change logs.
| Added | ||
| ----- | ||
|
|
||
| - Fifteen-second timeout for contract safety analysis. |
There was a problem hiding this comment.
We are not doing changelog tracking in this folder
marlowe-runtime/marlowe-tx/Main.hs
Outdated
| @@ -1,7 +1,8 @@ | |||
| -- editorconfig-checker-disable-file | |||
|
|
|||
| @@ -1,3 +1,5 @@ | |||
| -- editorconfig-checker-disable-file | |||
|
|
|||
| @@ -1,3 +1,5 @@ | |||
| -- editorconfig-checker-disable-file | |||
|
|
|||
| @@ -1,3 +1,5 @@ | |||
| -- editorconfig-checker-disable-file | |||
|
|
|||
| @@ -1,3 +1,5 @@ | |||
| -- editorconfig-checker-disable-file | |||
|
|
|||
| @@ -1,3 +1,5 @@ | |||
| -- editorconfig-checker-disable-file | |||
|
|
|||
| @@ -1,3 +1,5 @@ | |||
| -- editorconfig-checker-disable-file | |||
|
|
|||
| txInput <- semiArbitrary context | ||
| txOutput <- arbitrary | ||
| pure Transaction{..} | ||
| shrink _ = mempty |
There was a problem hiding this comment.
Shouldn't we shrink this?
There was a problem hiding this comment.
I was undecided, but it is harmless to shrink this. Fixed in 34f1d7e.
| (changeAddress addresses) | ||
| (toInteger minAda) | ||
| contract' | ||
| continuations |
There was a problem hiding this comment.
Does this actually work? Aren't the safety errors lazily computed in checkTransactions? Z3 will run in IO, so that's fine, that will run in the eval thread, but at the end we have
either throwE (pure . mconcat)
. forM transactions
$ checkTransaction solveConstraints version marloweContext rolesCurrency changeAddressWhich is a bit complex to reason about regarding laziness. Ultimately, the final IO action depends on pattern matching the Either returned by forM, and transitively from each call to checkTransaction, so that will force the evaluation of the fake solveConstraints calls. The only unevaluated expressions here would be pure . TransactionValidationError transaction . show and const $ TransactionWarning <$> V1.txOutWarnings txOutput. How slow is txOutWarnings?
There was a problem hiding this comment.
The txOutWarnings is fast because it is computed from the semantics, not from executing Plutus. However, I think we should demonstrate this as a test case, so I've created the separate ticket PLT-6362.
Added safety analysis report to creation of contracts into
marlowe-runtime-webandmarlowe-runtime-cli.Pre-submit checklist: