EOF: less restricted stack validation

[gumb0]

https://notes.ethereum.org/Fk1TksgjTxOotvQNL07mEQ#Less-restricted-validation-algorithm

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (534d4e4) 97.88% compared to head (9a8e160) 97.98%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #676      +/-   ##
==========================================
+ Coverage   97.88%   97.98%   +0.09%     
==========================================
  Files         113      113              
  Lines       10631    11155     +524     
==========================================
+ Hits        10406    10930     +524     
  Misses        225      225              

Flag	Coverage Δ
blockchaintests	59.70% <0.00%> (-0.18%)	⬇️
statetests	62.18% <96.87%> (+0.01%)	⬆️
statetests-silkpre	24.48% <0.00%> (-1.14%)	⬇️
unittests	96.07% <100.00%> (+0.20%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
lib/evmone/eof.cpp	83.56% <100.00%> (-0.08%)	⬇️
test/unittests/eof_stack_validation_test.cpp	100.00% <100.00%> (ø)
test/unittests/eof_validation_test.cpp	100.00% <100.00%> (ø)
test/unittests/evm_eof_rjump_test.cpp	100.00% <100.00%> (ø)

... and 1 file with indirect coverage changes

[gumb0]

The spec could have been relaxed to

Suggested change

	return expected_stack_height.min == successor_stack_height.min &&
	expected_stack_height.max == successor_stack_height.max;
	return expected_stack_height.min >= successor_stack_height.min &&
	expected_stack_height.max <= successor_stack_height.max;

but it was decided to have strict equality for simlicity.

[chfast]

Leave this comment in the code.

Also, I'd swap the arguments: successor_stack_height.min <= required_stack_height.

[pdobacz]

I thought for a while what other test cases we could have. Some ideas, choose which make sense in your opinion:

1. RJUMP(IV) sequence of maximum possible length, doing hops from one to the other
2. RJUMPI(V) sequence of maximum possible length, all targeting same instruction
3. stack_height.min/max range maximally broad
4. maximum number of code sections
5. CALLF sequence of maximum possible length
6. [RJUMPI, RETF] sequence of maximum ...
7. [RJUMPI, JUMPF] sequence ...

For each of these situations test if stack validation behaves - one valid code, one invalid.

[pdobacz]

this comment should be moved above

[chfast]

Maybe use Go convention test_name/index but too late now.

[chfast]

Suggested change

	const auto varstack = push0() + rjumpi(2, 0) + OP_PUSH0 + OP_PUSH0;
	const auto varstack = push0() + rjumpi(2, 0) + push0() + push0();

[chfast]

In this case the error may be confusing. Any ideas?

[gumb0]

I think we wouldn't be able to distinguish really unreachable instructions from those reachable only via backwards jump (because we validate in a linear forwards pass)

So we could only make this error message more general, something like instruction_not_reachabe_via_forward_control_flow or even more general invalid_instruction_order. I don't have better ideas yet.

[chfast]

Let's leave it for later.

[chfast]

Suggested change

	std::vector<StackHeightRange> stack_heights(code.size(), {LOC_UNVISITED, LOC_UNVISITED});
	std::vector<StackHeightRange> stack_heights(code.size());

[chfast]

Leave this comment in the code.

Also, I'd swap the arguments: successor_stack_height.min <= required_stack_height.

[chfast]

Handling the successor_offset == current_offset case here is slightly confusing. Maybe just separate this case and handle it as no-op? Or at least a comment would be nice.

[gumb0]

It's not a no-op (good that tests detected this), I've added a comment why.

[chfast]

By no-op I mean that the validity condition is always true because in this case successor_stack_height is required_stack_height. Or I'm missing something.

We could handle this separately for clarity and test coverage visibility. As follows:

if (successor_offset == current_offset) // self-referencing jump
    return true;

But I'm insisting on this. I'm mostly verifying my understanding.

[gumb0]

Yes, you're missing something as I tried to explain in the comment. The stack height still needs to be checked in this case.

Here's the code that would be broken: PUSH0 RJUMPI(-3) STOP - RJUMPI(-3) generates equality case, and without the check it would be valid, but it is invalid because stack after RJUMPI is not equal to stack before RJUMPI (requires 1 item)

[chfast]

Ok, cool.

[chfast]

Suggested change

	const auto validate_successor = [&stack_heights](size_t current_offset,
	const auto visit_successor = [&stack_heights](size_t current_offset,

The name "validate" suggests this a "constant" function - no update.

[chfast]

By no-op I mean that the validity condition is always true because in this case successor_stack_height is required_stack_height. Or I'm missing something.

We could handle this separately for clarity and test coverage visibility. As follows:

if (successor_offset == current_offset) // self-referencing jump
    return true;

But I'm insisting on this. I'm mostly verifying my understanding.

[chfast]

Let's leave it for later.

[chfast]

Ok, cool.

[pdobacz]

👍