Protect against passing i128::MIN to abs() which causes overflow
#2241
Conversation
rafal-ch
requested review from
xgreenx,
Dentosal and
MitchTurner
as code owners
There was a problem hiding this comment.
Looks like what you want is i32::saturating_abs()
https://doc.rust-lang.org/std/primitive.i32.html#method.saturating_abs
Tiny correction, we want https://doc.rust-lang.org/std/primitive.i128.html#method.saturating_abs |
Nice one, TIL 👍 I've been playing with Updated in: 056ba1e |
| @@ -331,7 +331,7 @@ impl AlgorithmUpdaterV1 { | |||
| .saturating_mul(upcast_percent) | |||
| .saturating_div(100) | |||
| .into(); | |||
| let clamped_change = pd_change.abs().min(max_change); | |||
| let clamped_change = pd_change.saturating_abs().min(max_change); | |||
| unrecorded_blocks: vec![], | ||
| }; | ||
|
|
||
| updater.da_change(i128::MIN / 2, i128::MIN / 2); |
There was a problem hiding this comment.
Let's not test private functions. We should be able to test this with update_l2_block_data. And we can add a SUT and given/when/then.
There was a problem hiding this comment.
Updated in 3047c7e, however, I'm not fully convinced this fits better here.
Rationale:
we need to carefully select the values in order to trigger the "what used to be" an overflow inside da_change(). Now, if we, for example, change how the total_da_rewards_excess is updated here or how we calculate P and D here we may cause the da_change() to be invoked with values that do not cause overflow and the test will pass with both abs() and saturating_abs().
I'm open to suggestions on how we can do this better.
There was a problem hiding this comment.
I'd be okay with removing the test since there are many places in the code that "could" panic if programmed poorly.
It might be worth adding some more aggressive prop testing for those cases, but that could be a separate issue.
There was a problem hiding this comment.
I think this boils down to the fact that people (me, at least) do not associate an "innocent" abs() call with a possible panic. Think unwraps or expects - these are usually caught during the review process and removed from the production code + after removing them, we do not add a test.
So yes, I agree that this test is kinda redundant - I removed it in 7359bd7
What we could do is:
- Spawn a tech-debt issue to review the codebase against unwraps, expects, abs and similar and update relevant places
- Rely on a clippy lint to detect those, but as far as I know there is no such lint. Maybe we can contribute to clippy and add "potential_panic_in_std"? :)
Wdyt?
There was a problem hiding this comment.
Currently we have
#![deny(clippy::arithmetic_side_effects)]
#![deny(clippy::cast_possible_truncation)]
#![deny(warnings)]But I'd be open to adding more for sure.
## Version v0.37.0 ### Added - [1609](#1609): Add DA compression support. Compressed blocks are stored in the offchain database when blocks are produced, and can be fetched using the GraphQL API. - [2290](#2290): Added a new CLI argument `--graphql-max-directives`. The default value is `10`. - [2195](#2195): Added enforcement of the limit on the size of the L2 transactions per block according to the `block_transaction_size_limit` parameter. - [2131](#2131): Add flow in TxPool in order to ask to newly connected peers to share their transaction pool - [2182](#2151): Limit number of transactions that can be fetched via TxSource::next - [2189](#2151): Select next DA height to never include more than u16::MAX -1 transactions from L1. - [2162](#2162): Pool structure with dependencies, etc.. for the next transaction pool module. Also adds insertion/verification process in PoolV2 and tests refactoring - [2265](#2265): Integrate Block Committer API for DA Block Costs. - [2280](#2280): Allow comma separated relayer addresses in cli - [2299](#2299): Support blobs in the predicates. - [2300](#2300): Added new function to `fuel-core-client` for checking whether a blob exists. ### Changed #### Breaking - [2299](#2299): Anyone who wants to participate in the transaction broadcasting via p2p must upgrade to support new predicates on the TxPool level. - [2299](#2299): Upgraded `fuel-vm` to `0.58.0`. More information in the [release](https://github.com/FuelLabs/fuel-vm/releases/tag/v0.58.0). - [2276](#2276): Changed how complexity for blocks is calculated. The default complexity now is 80_000. All queries that somehow touch the block header now are more expensive. - [2290](#2290): Added a new GraphQL limit on number of `directives`. The default value is `10`. - [2206](#2206): Use timestamp of last block when dry running transactions. - [2153](#2153): Updated default gas costs for the local testnet configuration to match `fuel-core 0.35.0`. ## What's Changed * fix: use core-test.fuellabs.net for dnsaddr resolution by @rymnc in #2214 * Removed state transition bytecode from the local testnet by @xgreenx in #2215 * Send whole transaction pool upon subscription to gossip by @AurelienFT in #2131 * Update default gas costs based on 0.35.0 benchmarks by @xgreenx in #2153 * feat: Use timestamp of last block when dry running transactions by @netrome in #2206 * fix(dnsaddr_resolution): use fqdn separator to prevent suffixing by dns resolvers by @rymnc in #2222 * TransactionSource: specify maximum number of transactions to be fetched by @acerone85 in #2182 * Implement worst case scenario for price algorithm v1 by @rafal-ch in #2219 * chore(gas_price_service): define port for L2 data by @rymnc in #2224 * Block producer selects da height to never exceed u64::MAX - 1 transactions from L1 by @acerone85 in #2189 * Weekly `cargo update` by @github-actions in #2236 * Use fees to calculate DA reward and avoid issues with Gwei/Wei conversions by @MitchTurner in #2229 * Protect against passing `i128::MIN` to `abs()` which causes overflow by @rafal-ch in #2241 * Acquire `da_finalization_period` from the command line by @rafal-ch in #2240 * Executor: test Tx_count limit with incorrect tx source by @acerone85 in #2242 * Minor updates to docs + a few typos fixed by @rafal-ch in #2250 * chore(gas_price_service): move algorithm_updater to fuel-core-gas-price-service by @rymnc in #2246 * Use single heavy input in the `transaction_throughput.rs` benchmarks by @xgreenx in #2205 * Enforce the block size limit by @rafal-ch in #2195 * feat: build ARM and AMD in parallel by @mchristopher in #2130 * Weekly `cargo update` by @github-actions in #2268 * chore(gas_price_service): split into v0 and v1 and squash FuelGasPriceUpdater type into GasPriceService by @rymnc in #2256 * feat(gas_price_service): update block committer da source with established contract by @rymnc in #2265 * Use bytes from `unrecorded_blocks` rather from the block from DA by @MitchTurner in #2252 * TxPool v2 General architecture by @AurelienFT in #2162 * Add value delimiter and tests args by @AurelienFT in #2280 * fix(da_block_costs): remove Arc<Mutex<>> on shared_state and expose channel by @rymnc in #2278 * fix(combined_database): syncing auxiliary databases on startup with custom behaviour by @rymnc in #2272 * fix: Manually encode Authorization header for eventsource_client by @Br1ght0ne in #2284 * Address `async-graphql` vulnerability by @MitchTurner in #2290 * Update the WASM compatibility tests for `0.36` release by @rafal-ch in #2271 * DA compression by @Dentosal in #1609 * Use different port for every version compatibility test by @rafal-ch in #2301 * Fix block query complexity by @xgreenx in #2297 * Support blobs in predicates by @Voxelot in #2299 **Full Changelog**: v0.36.0...v0.37.0
Linked Issues
Closes #2210
Description
This PR uses
saturating_abs()instead of "raw"abs()inside theda_change()to prevent overflow oni128::MIN.Before requesting review