Commit 90f0d1e4 authored by Jakob Botsch Nielsen's avatar Jakob Botsch Nielsen

Remove incoming_txs and outgoing_txs from contract view of chains

This is much more realistic, as allowing contracts to efficiently access
transaction histories for all addresses is extremely expensive. To do
this, we
* Add an account_balance operation in Chain instead
* Change incoming_txs and outgoing_txs to compute transactions from
  traces
* Require implementations to give a proof-relevant trace, and rework
  proofs to use these, as necessary
parent a8554728
Pipeline #12664 failed with stage
in 5 minutes and 58 seconds
This diff is collapsed.
......@@ -11,6 +11,7 @@ Section Circulation.
Context {ChainBase : ChainBase}.
Context `{Finite Address}.
Local Open Scope Z.
Definition circulation (chain : Chain) :=
sumZ (account_balance chain) (elements Address).
......@@ -101,7 +102,7 @@ Proof.
Qed.
Lemma circulation_add_new_block header baker env :
circulation (add_new_block_header header baker env) =
circulation (add_new_block header baker env) =
(circulation env + compute_block_reward (block_height header))%Z.
Proof.
assert (Hperm: exists suf, Permutation ([baker] ++ suf) (elements Address)).
......@@ -112,17 +113,14 @@ Proof.
unfold circulation.
rewrite perm.
cbn.
unfold constructor, set, account_balance.
cbn.
destruct (address_eqb_spec baker baker); try congruence.
cbn.
unfold add_balance.
rewrite address_eq_refl.
match goal with
| [|- ((?a - ?b + (?c + ?d)) + ?e = (?a - ?b + ?d + ?f + ?c))%Z] =>
enough (e = f) by lia
| [|- ?a + ?b + ?c = ?b + ?d + ?a] => enough (c = d) by lia
end.
pose proof (in_NoDup_app baker [baker] suf ltac:(intuition) perm_set) as not_in_suf.
clear perm perm_set e.
clear perm perm_set.
induction suf as [| x xs IH]; auto.
cbn in *.
apply Decidable.not_or in not_in_suf.
......@@ -165,9 +163,12 @@ Proof.
induction (elements Address); auto.
- rewrite (event_circulation x).
destruct x.
+ match goal with
| [H: EnvironmentEquiv _ _, H': IsValidNextBlock _ _ |- _] =>
now rewrite H in *; cbn; rewrite (proj1 H'), sumZ_seq_S, IH
+ rewrite_environment_equiv.
cbn.
unfold constructor.
match goal with
| [H: IsValidNextBlock _ _ |- _] =>
rewrite (proj1 H), IH, sumZ_seq_S; auto
end.
+ erewrite block_header_post_step; eauto.
+ intuition.
......
This diff is collapsed.
......@@ -433,17 +433,17 @@ Section Theories.
Import LocalBlockchain.
Open Scope nat.
Definition num_acts_created_in_proposals chain address :=
let count tx :=
match tx_body tx with
| tx_call msg =>
match deserialize msg : option Msg with
| Some (create_proposal acts) => length acts
| _ => 0
end
Definition num_acts_created_in_proposals (txs : list Tx) :=
let count tx :=
match tx_body tx with
| tx_call (Some msg) =>
match deserialize msg with
| Some (create_proposal acts) => length acts
| _ => 0
end in
sumnat count (incoming_txs chain address).
end
| _ => 0
end in
sumnat count txs.
Definition exploit_example : option (Address * LocalChainBuilderDepthFirst) :=
let chain := builder_initial in
......@@ -461,9 +461,9 @@ Section Theories.
do chain <-
builder_add_block
chain baker (map (build_act baker) [dep_congress; dep_exploit]) (next_num chain) 0;
let baker_to_addrs := map tx_to (outgoing_txs chain baker) in
let exploit := nth 0 baker_to_addrs baker in
let congress := nth 1 baker_to_addrs baker in
let contracts := map fst (FMap.elements (lc_contracts (lcb_lc chain))) in
let exploit := nth 0 contracts baker in
let congress := nth 1 contracts baker in
(* Add baker to congress, create a proposal to transfer *)
(* some money to exploit contract, vote for the proposal, and execute the proposal *)
let add_baker := add_member baker in
......@@ -483,16 +483,15 @@ Section Theories.
property we proved for the other version of the Congress. We filter out transactions
from the congress to the congress as we have those now (due to self calls). *)
Theorem congress_is_buggy :
exists state addr,
reachable state /\
exists state addr (trace : ChainTrace empty_state state),
env_contracts state addr = Some (contract : WeakContract) /\
length (filter (fun tx => negb (tx_to tx =? addr)%address) (outgoing_txs state addr)) >
num_acts_created_in_proposals state addr.
length (filter (fun tx => negb (tx_to tx =? addr)%address) (outgoing_txs trace addr)) >
num_acts_created_in_proposals (incoming_txs trace addr).
Proof.
exists (build_chain_state (snd unpacked_exploit_example) []).
exists (fst unpacked_exploit_example).
split; [|split].
- destruct (snd unpacked_exploit_example); auto.
exists (builder_trace (snd unpacked_exploit_example)).
split.
- reflexivity.
- vm_compute.
lia.
......
This diff is collapsed.
......@@ -75,30 +75,27 @@ Section LocalBlockchainTests.
4 0).
Definition congress_1 : Address :=
match outgoing_txs chain4 person_1 with
match outgoing_txs (builder_trace chain4) person_1 with
| tx :: _ => tx_to tx
| _ => person_1
end.
Compute (contract_deployment chain4 congress_1).
Compute (account_balance chain4 person_1).
Compute (account_balance chain4 baker).
Compute (account_balance chain4 congress_1).
Definition congress_ifc
: ContractInterface Congress.Setup Congress.Msg Congress.State :=
: ContractInterface Congress.Msg Congress.State :=
match get_contract_interface
chain4 congress_1
Congress.Setup Congress.Msg Congress.State with
Congress.Msg Congress.State with
| Some x => x
(* Using unpack_option here is extremely slow *)
| None =>
build_contract_interface
@build_contract_interface
_ _ _
baker
0
setup
(fun c => None)
(fun a => deploy_congress)
(fun a m => deploy_congress)
end.
......@@ -118,7 +115,7 @@ Section LocalBlockchainTests.
(* person_1 adds person_1 and person_2 as members of congress *)
Definition add_person p :=
congress_ifc.(call) 0 (add_member p).
congress_ifc.(send) 0 (Some (add_member p)).
Definition chain5 : ChainBuilder :=
unpack_option
......@@ -133,7 +130,7 @@ Section LocalBlockchainTests.
(* person_1 creates a proposal to send 3 coins to person_3 using funds
of the contract *)
Definition create_proposal_call :=
congress_ifc.(call) 0 (create_proposal [cact_transfer person_3 3]).
congress_ifc.(send) 0 (Some (create_proposal [cact_transfer person_3 3])).
Definition chain6 : ChainBuilder :=
unpack_option (
......@@ -146,7 +143,7 @@ Section LocalBlockchainTests.
(* person_1 and person_2 vote for the proposal *)
Definition vote_proposal :=
congress_ifc.(call) 0 (vote_for_proposal 1).
congress_ifc.(send) 0 (Some (vote_for_proposal 1)).
Definition chain7 : ChainBuilder :=
unpack_option (
......@@ -159,7 +156,7 @@ Section LocalBlockchainTests.
(* Person 3 finishes the proposal (anyone can finish it after voting) *)
Definition finish_proposal :=
congress_ifc.(call) 0 (finish_proposal 1).
congress_ifc.(send) 0 (Some (finish_proposal 1)).
Definition chain8 : ChainBuilder :=
unpack_option (
......@@ -185,7 +182,8 @@ Lemma congress_txs_after_local_chain_block
builder_add_block prev baker acts slot finalization_height = Some new ->
forall addr,
env_contracts new addr = Some (Congress.contract : WeakContract) ->
length (outgoing_txs new addr) <= num_acts_created_in_proposals new addr.
length (outgoing_txs (builder_trace new) addr) <=
num_acts_created_in_proposals (incoming_txs (builder_trace new) addr).
Proof. eauto. Qed.
(* And of course, it is satisfied for the breadth first chain as well. *)
Lemma congress_txs_after_local_chain_bf_block
......@@ -193,5 +191,6 @@ Lemma congress_txs_after_local_chain_bf_block
builder_add_block prev baker acts slot finalization_height = Some new ->
forall addr,
env_contracts new addr = Some (Congress.contract : WeakContract) ->
length (outgoing_txs new addr) <= num_acts_created_in_proposals new addr.
length (outgoing_txs (builder_trace new) addr) <=
num_acts_created_in_proposals (incoming_txs (builder_trace new) addr).
Proof. eauto. Qed.
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment