Add class hash check for declarev2

[SantiagoPittella]

Description

When compiling the casm class in the DeclareV2 we now check if the received casm_class_hash was correct.

Made on top of #814 (DO NOT MERGE UNTIL GET THAT MERGED)
closes #791

Checklist

• Linked to Github Issue
• Unit tests added
• Integration tests added.
• This change requires new documentation.
  • Documentation has been added/updated.

[codecov-commenter]

Codecov Report

Merging #819 (a0cbb66) into main (71e98dc) will increase coverage by 0.01%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main     #819      +/-   ##
==========================================
+ Coverage   91.72%   91.74%   +0.01%     
==========================================
  Files          54       54              
  Lines       12503    12530      +27     
==========================================
+ Hits        11469    11496      +27     
  Misses       1034     1034              

Impacted Files	Coverage Δ
src/testing/mod.rs	100.00% <ø> (ø)
src/transaction/error.rs	100.00% <ø> (ø)
src/lib.rs	98.71% <100.00%> (+0.01%)	⬆️
src/transaction/declare_v2.rs	78.36% <100.00%> (+0.75%)	⬆️

[MegaRedHand]

Does it make sense to always have this check? Maybe we could have it as an optional feature, or add it only for debugging.

[SantiagoPittella]

No, it's not necessary to always check this. We want to check this whenever a casm contract class and casm class hash is sent from the outside, because otherwise we couldn't guarantee that the compiled contract is really the corresponded to that sierra contract class. It wouldn't be a problem if the contract was already compiled on our side. I'll work on that next, but preferred to have this implemented first.

[Oppen]

I'm in favor of making it a debug assertion. Either we computed it and they are the same by construction, or it was passed via one of the unchecked functions and the responsibility lies in the caller. The point of that was not having to compute the hash in the first place.
Unless I'm misunderstanding it, of course.

[SantiagoPittella]

Another option may be to don't compile and check at all, and take the casm contract class and class hash as valid. But sound pretty insecure. We should think a better way of guarantee that.

[Oppen]

It is insecure, but that's the compromise made for performance and that's why we have to be extra explicit and opt-in. If you hold it wrong, it breaks.
The only way to guarantee correctness is to compute stuff ourselves, but then we only moved the costs and increased complexity for no gain for the user. If we're gonna check, just compute it on construction and never again.

[Oppen]

Think of it like using unsafe in Rust. The keyword doesn't mean you can do whatever you like, but that you go to battle without the shield, it's your job to dodge the blows now. When the programmer opts for passing the hash themselves, it's their job to make sure it's the correct one, and if they get hurt they'll deal with it.

[MegaRedHand]

Aside from the check, LGTM, but we can leave the decision for later.

[xqft]

I agree with the leave-it-to-the-user side of the discussion and to leave it for another issue for now.