Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate proof types on decode #71

Open
Stebalien opened this issue Mar 9, 2022 · 4 comments
Open

Validate proof types on decode #71

Stebalien opened this issue Mar 9, 2022 · 4 comments
Labels
cleanup good first issue Good for newcomers needs-discussion
Milestone
Network v16

Comments

@Stebalien
Copy link
Member

Currently, we validate proof types manually inside our actors to match go's behavior. It would be safer to simply reject invalid proof types when we attempt to decode state/messages.

Doing this for NV16 (M1) is pretty easy: we'd just remove the Invalid cases from our enums. E.g.:

https://github.com/filecoin-project/ref-fvm/blob/0692d5bbb4d7ca588278a3544a48504a7f5ed0ee/shared/src/sector/registered_proof.rs#L30

Doing this after Nv16 is possible, but slightly tricker as these types tend to be "shared" between versions. Although it shouldn't be too bad as we won't re-compile nv16 actors in nv17.
@raulk
Copy link
Member

raulk commented Mar 9, 2022

@Stebalien mind pasting a link to the code that validates manually, to illustrate the case here? 🙏

@Stebalien
Copy link
Member Author

Hm. That's actually interesting. Usually, when we "check" the proof types, we check if the proof type is within some set of "allowed" proof types, not if the proof type is "valid".

For example:

builtin-actors/actors/miner/src/lib.rs

Lines 4069 to 4079 in 1a4287f

fn check_valid_post_proof_type(proof_type: RegisteredPoStProof) -> Result<(), ActorError> {
match proof_type {
RegisteredPoStProof::StackedDRGWindow32GiBV1
| RegisteredPoStProof::StackedDRGWindow64GiBV1 => Ok(()),
_ => Err(actor_error!(
ErrIllegalArgument,
"proof type {:?} not allowed for new miner actors",
proof_type
)),
}
}

The invalid checks are things like:

I guess the primary benefit of checking earlier is taht we'd be able to get rid of all the "results" like https://github.com/filecoin-project/ref-fvm/blob/0692d5bbb4d7ca588278a3544a48504a7f5ed0ee/shared/src/sector/registered_proof.rs#L145, because those methods would be infallible.

@raulk raulk added this to the Network v16 milestone Mar 9, 2022
@anorth
Copy link
Member

anorth commented Aug 11, 2022

@Stebalien is this still relevant?

@Stebalien
Copy link
Member Author

Yes. Basically, it involves getting rid of statements things like https://github.com/filecoin-project/ref-fvm/blob/b30538700be419b42719ecf75350ef6836be770e/shared/src/sector/registered_proof.rs#L30.

That would mean we simply wouldn't decode messages that reference invalid proof types.

@anorth anorth added good first issue Good for newcomers cleanup labels Aug 11, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
cleanup good first issue Good for newcomers needs-discussion
Projects
No open projects
Network v16 (Skyr) - FVM M1 Upgrade
Status: No status
Milestone
Network v16
Development

No branches or pull requests
3 participants
@Stebalien @anorth @raulk