Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: Document snippet reviewing process #143

Merged
merged 4 commits into from
Dec 9, 2024
Merged

docs: Document snippet reviewing process #143

merged 4 commits into from
Dec 9, 2024

Conversation

jan-ferdinand
Copy link
Member

No description provided.

@jan-ferdinand jan-ferdinand linked an issue Dec 4, 2024 that may be closed by this pull request
Formal review of consensus-critical snippets #141
Closed
@Sword-Smith
Copy link
Contributor

Sword-Smith commented Dec 4, 2024
edited
Loading

Very cool. Two remarks:

  1. I think it's worth stating that extra checks (security in-depth or redundant checks) are OK and should not necessarily be removed even though they are not part of the contract. An example could be that the contract states that the inputs are valid u32s but the snippet has a check that some of the values actually are u32s. You could argue that that's a redundant check since is part of the contract, but once in a while I think extra checks of that kind make sense, since it reduces the mental overhead of what has and has not been verified already.
  2. The requirements that each a field of each object instance is only ever accessed once is quite strict. I think there could be a few snippets where ensuring that requirement would be a challenge. As long as the field values are range-checked and the other points of the contract are upheld, we might want to be a bit more lax with this requirement. But this is not something, we have to change now. If I'm right, it'll be revealed during the review process.

@jan-ferdinand
Copy link
Member Author

jan-ferdinand commented Dec 5, 2024
edited
Loading

Regarding (2), what would wording be that captures your suggestion? Maybe something like: “Each field accessor is used at most once per struct instance, or range-checked before each use.”

You say that “the field values are range-checked”; is it actually the values of a field that should be range-checked? My current understanding is that the range check is required for dynamic size indicators (or is it length indicators?).

@jan-ferdinand jan-ferdinand force-pushed the 141_snippet_review branch 3 times, most recently from e7ebddf to 871426a Compare December 6, 2024 12:30
@jan-ferdinand jan-ferdinand marked this pull request as ready for review December 6, 2024 12:37
jan-ferdinand
jan-ferdinand commented Dec 6, 2024
View reviewed changes
tasm-lib/src/test_helpers.rs
Comment on lines +418 to +422
shadowed_snippet
.inner()
.borrow()
.assert_all_sign_offs_are_up_to_date();

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm unsure about this addition because it lives in a publicly exposed function. Should downstream callers also be exposed to the potential panics generated here?

@jan-ferdinand jan-ferdinand force-pushed the 141_snippet_review branch 2 times, most recently from c2e5e4d to 5b10564 Compare December 8, 2024 18:37
@jan-ferdinand jan-ferdinand mentioned this pull request Dec 9, 2024
Merged
@jan-ferdinand jan-ferdinand force-pushed the 141_snippet_review branch 3 times, most recently from 38c7aa8 to 11d6760 Compare December 9, 2024 14:02
@jan-ferdinand jan-ferdinand merged commit 3bd722a into master Dec 9, 2024
3 checks passed
@jan-ferdinand jan-ferdinand deleted the 141_snippet_review branch December 9, 2024 14:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Sword-Smith Sword-Smith Awaiting requested review from Sword-Smith

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Formal review of consensus-critical snippets
2 participants
@jan-ferdinand @Sword-Smith