Code Review: Smart contract VM 01/30/19

[kantai]

This is the first code review submission for the smart contract VM:

This code implements a basic LISP language, with support for ints, bools, tuples, and lists, for now. Recursion in this language is illegal. There is limited run-time type enforcement -- lists must all be single typed, tuples are strongly typed when used with data-map functions, native functions that expect ints, bools, etc. check their argument types.

At the moment, data-map functions like fetch-entry!, etc., all operate within a global context, set by the eval_all function. You can see test programs in the tests/ directory.

[jcnelson]

Should we consider putting an upper bound on how many bytes an inserted entry can be?

[kantai]

I'd rather enforce it at the type level, as in, we should have a maximum byte limit for types, and the database should allow any entry that is a legal type.

[jcnelson]

Agreed re: making Value have a maximum byte size.

[jcnelson]

What happens if args has length 0 or 1? Also, will args ever have length > 2? Same question for native_sub, native_mul, and native_div.

[kantai]

(+ 1 2 3) evaluates to 6.
(+) returns 0

For native_sub (-) errors, (- 1) returns the negation of it's single argument, (- 1 2 3) return -4.

Multiply and divide behave similarly ((*) returns 1, (/) is an error)

[jcnelson]

Got it 👍

[jcnelson]

Why is the ? operator on its own line? Just curious.

[kantai]

The type inference didn't want to work otherwise -- if I move the ? operator up and eliminate the Result<> wrapper:

 --> src/functions/define.rs:31:46
   |
31 |             arguments: arg_names.iter().map(|x| (*x).clone()).collect(),
   |                                              ^ consider giving this closure parameter a type
   |
   = note: type must be known at this point

[jcnelson]

Is the user allowed to define functions that have reserved names?

[kantai]

Right now, it will allow it, though they'll never get called, because lookup_function tries the reserved names first, but it should be an error on define

[jcnelson]

Is the user allowed to define atoms that collide with reserved names?

[kantai]

Same as above -- we need to enforce name legality at define and let -- #914

[jcnelson]

Is there an upper bound on how long a list can be?

[kantai]

Right now, no, but I think we should let the "maximum value size" enforce this (as in, if we have a maximum value size of 1000 bytes, then you cannot have a list of longer than 1000/16 integers, e.g.)

[jcnelson]

Do we want to support alternative radixes? Like, say, base-16?

[kantai]

Maybe -- I was planning on lexing hexstrings into buffers, rather than ints. We could support both. Will create an issue for it.

[jcnelson]

From this code, it looks like the user will not be able to change the runtime behavior of a reserved function by creating a function with the same name. However, I didn't see any code that prevents the user from doing so?

[kantai]

Right -- reserved functions are used first, before a user defined function would be. However, we would want to generate a runtime error at the point of the (define) (and also, when the static analyzer is implemented, a static error). I started an issue #914.

[jcnelson]

This feels weird to me. I think the caller should always supply a contract DB.

[kantai]

Sure, I'll change that -- I'll move "blank db instantiation" to the execute function, the intent of which is just running a program in a single, transient smart contract context. That's not just for our testing purposes, but as a simple path for a developer wanting to test a script.

[jcnelson]

Do we want to accept non-printable characters with this match arm? Or should we just reject those as parse errors? I feel like our smart contract VM shouldn't accept non-printable characters (and should probably not use unicode) in order to ensure that the source code is unambiguous and doesn't have any homoglyph attacks or nefarious VT100 control codes embedded within it (which could manifest if you cat'ed the smart contract code to stdout in a terminal, for example).

[kantai]

Yeah, definitely should cause parse errors. The next code review will have a lexer that enforces that. It'll be a much more traditional munch-lexer.

[jcnelson]

Shouldn't this be a checked_add? What happens if the dimension overflows?

[kantai]

Yep, good catch, thanks

[jcnelson]

How long can this string get? Asking because if we're going to split it, we might end up doing O(poly(n)) work for n occurrences of -. We might want to first count up the number of - occurrences first, and if it's greater than 4, error out.

[kantai]

Won't split only ever do O(n) work ?

[jcnelson]

Depending on the allocator implementation, it could do O(n) malloc()s, which each could take O(log m) time (for m blocks allocated). Not sure what the actual implementation does, but I'm of the school of thought that we should prepare for the worst -- especially since the attacker controls the input.

[kantai]

Okay, yes, avoiding non-constant object instantions is a good idea. Will just switch to using splitn here.

[jcnelson]

This looks really cool! This looks good to me to merge to develop, with one small change: could you put the code and tests under src/core/vm/, instead of blockstack-vm? This way it will be compiled into the blockstack-core binary. Then, I can add a CLI option to blockstack-core to load and run a script using state in an on-disk database (so we can get comfortable testing things out).

[kantai]

Yep, sounds good to me @jcnelson

[codecov-io]

Codecov Report

❗ No coverage uploaded for pull request base (develop@85500cc). Click here to learn what that means.
The diff coverage is 61.51%.

@@            Coverage Diff             @@
##             develop     #908   +/-   ##
==========================================
  Coverage           ?   64.78%           
==========================================
  Files              ?       44           
  Lines              ?     5637           
  Branches           ?        0           
==========================================
  Hits               ?     3652           
  Misses             ?     1985           
  Partials           ?        0

Impacted Files	Coverage Δ
src/util/macros.rs	67% <ø> (ø)
src/chainstate/burn/mod.rs	0% <0%> (ø)
src/burnchains/bitcoin/network.rs	0% <0%> (ø)
src/burnchains/bitcoin/indexer.rs	0% <0%> (ø)
src/core/mod.rs	0% <0%> (ø)
src/burnchains/bitcoin/spv.rs	0% <0%> (ø)
src/util/mod.rs	0% <0%> (ø)
src/main.rs	2.63% <0%> (ø)
src/burnchains/bitcoin/rpc.rs	0% <0%> (ø)
src/chainstate/burn/operations/mod.rs	0% <0%> (ø)
... and 33 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 85500cc...f5a019c. Read the comment docs.

[kantai]

Going forward, can we commit to staying on the stable rust compilers? It's hard for me to keep up with nightly, and I don't think it's a good idea to rely on unstable features in general.

I ripped checked_pow's implementation over from rust's code (https://github.com/milesand/rust/blob/master/src/libcore/num/mod.rs#L857), so we won't need to use nightly anymore. That's actually prepared for 1.34 (not 1.33), which means it's two releases away, which seems like too long for us to be using nightly/beta. Will mark an issue for us to remember to remove the code once 1.34 releases.

[kantai]

Cool -- I'm going to merge this. I think this is also going to merge PR #910.

[blockstack-devops]

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.