Use checked arithmetic in types and state proc #1009
Conversation
|
Still WIP, I've noticed a few things in the diff that need correcting |
michaelsproul
force-pushed
the
checked-arithmetic
branch
from
972de7f
to
3e4dc7a
Compare
|
Ok, ready for review. I'm just going to run some benchmarks of state processing to assess the impact on performance. |
|
Benchmarks have revealed no statistically significant deviation from
Worst-case blocks, i7-8550U, minimal spec for the 32K validators, mainnet spec for the 300K, Weirdly the benchmark is faster for the larger blocks, and the bulk signature verification is a lot slower, I don't know what's going on there but we can investigate that separately. |
| @@ -38,7 +37,7 @@ impl Slot { | |||
| } | |||
|
|
|||
| pub fn epoch(self, slots_per_epoch: u64) -> Epoch { | |||
| Epoch::from(self.0 / slots_per_epoch) | |||
| Epoch::from(self.0) / Epoch::from(slots_per_epoch) | |||
There was a problem hiding this comment.
maybe use checked_div or safe_div
There was a problem hiding this comment.
Hmm yeah, I figured this was quite innocuous here, because slots_per_epoch is unlikely to ever be 0, and it would at least panic rather than wrapping in a strange way. I'll see how much flow-on effect returning a Result would have though.
There was a problem hiding this comment.
Perhaps we do an explicit panic if propagating the Result is too onerous (I suspect this will be the case). That way we get the panic in release too.
There was a problem hiding this comment.
I used Epoch division here because it will explicitly panic:
lighthouse/eth2/types/src/slot_epoch_macros.rs
Lines 108 to 114 in 3e4dc7a
There was a problem hiding this comment.
I'm going to leave this as-is, if that's OK with everyone.. I count 60 uses of .epoch() all throughout different crates, almost always with T::slots_per_epoch() as the argument, so I don't think it's worth it.
There was a problem hiding this comment.
Fine by me. Setting SLOTS_PER_EPOCH is not reasonable and there's plenty of other panics we could cause by setting "constants" to unreasonable values.
There was a problem hiding this comment.
It's also not really "user supplied input". I'd say it's "programmer supplied input".
| @@ -274,22 +274,20 @@ impl MerkleHasher { | |||
| loop { | |||
| if let Some(root) = self.root { | |||
| break Ok(root); | |||
| } else if let Some(node) = self.half_nodes.last() { | |||
| let right_child = node.id * 2 + 1; | |||
There was a problem hiding this comment.
mul and add can be checked here since we return Result
There was a problem hiding this comment.
Oh yeah, we could. This refactor was just leftover from me trying to fix generic clippy lints project-wide (which I ended up disabling for now), and this crate isn't being linted currently. I agree we could expand the usage of checked arithmetic though, so I've made an issue to track that: #1013
eth2/state_processing/src/per_block_processing/block_signature_verifier.rs
Show resolved
Hide resolved
eth2/state_processing/src/per_epoch_processing/process_slashings.rs
Outdated
Show resolved
Hide resolved
| @@ -38,7 +37,7 @@ impl Slot { | |||
| } | |||
|
|
|||
| pub fn epoch(self, slots_per_epoch: u64) -> Epoch { | |||
| Epoch::from(self.0 / slots_per_epoch) | |||
| Epoch::from(self.0) / Epoch::from(slots_per_epoch) | |||
There was a problem hiding this comment.
Perhaps we do an explicit panic if propagating the Result is too onerous (I suspect this will be the case). That way we get the panic in release too.
paulhauner
added
waiting-on-author
michaelsproul
added
ready-for-review
|
Feel free to squerge when the tests pass :) |
michaelsproul
added
ready-to-squerge
and removed
ready-for-review
Proposed Changes
typesandstate_processingcrates, so that we're forced to be explicit about what sort of arithmetic we want, and can catch unwanted overflow and consider it an invalid state transition (as per Clarity onuintoverflow ethereum/consensus-specs#1701)checked_functions from the standard library. To make things more ergonomic, I introduced asafe_arithcrate which returnsResults from the checked operations instead ofOptions.