Add vault invariants

[Bronek]

High Level Overview of Change

This adds invariants for SingleAssetVault #5224 XLS-065

Context of Change

Invariants were intentionally skipped from #5224 to keep the PR size manageable. This PR fills the hole.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Refactor (non-breaking change that only restructures code)
• Performance (increase or change in throughput and/or latency)
• Tests (you added tests for code that already exists, or your new feature included in this PR)
• Documentation update
• Chore (no impact to binary, e.g. .gitignore, formatting, dropping support for older tooling)
• Release

[ximinez]

This comment is not true. after should never be null. Deletion is indicated by isDelete.

• If before is empty, then the object is being created
• If isDelete is true, the the object is being deleted
• Otherwise it's a modification of an object.

I think the correct assert is more like

after != nullptr && (before != nullptr || !isDelete)

[ximinez]

This should probably be a "permission"

[Bronek]

Thanks, added mustModifyVault (and a TODO to add mayModifyVault which I think you will do)

[ximinez]

Remember, the whole purpose of the invariants are to catch things that might be wrong in transactors, so something like "Transactor makes this condition impossible" is the wrong way to look at this. All of these failure conditions should be impossible.

Also, this is absolutely testable using the framework in Invariants_test.cpp. Do a test case that manually creates, modifies, or deletes a vault, but have the transaction type be, I dunno, ttPayment.

[Bronek]

Thank you, you are almost right - except I have to use a transaction type which passes the if in the outer scope i.e. one of the Vault transactions.

[ximinez]

Thank you, you are almost right - except I have to use a transaction type which passes the if in the outer scope i.e. one of the Vault transactions.

In that case, you should probably check condition this outside of that scope, which it looks like you've already done. Nice!

[ximinez]

This could probably also be a permission.

[ximinez]

This whole class has a "fatal flaw". (Well, not really fatal, but very significant.)

You're assuming that only one Vault will be affected. What if there are more? You're going to, for example, overwrite befaultVault_ here.

You've got the same problem when you're looking up assets and shares in finalize, where you return the first matching item found. What if there are multiple matches?

It should be impossible, but that is what invariants are here to confirm.

All of these structures and functions should be using collections (vector, set, whatever) instead of single values. You could have a simple check after each one that's like

if (beforeVault_.size() > 1)
{
    XRPL_ASSERT(enforce, ...);
    return !enforce;
}

[Bronek]

Thanks, that's great feedback. Making it work is actually simple (since optional is basically a collection of at-most-one)

[ximinez]

Thanks, that's great feedback. Making it work is actually simple (since optional is basically a collection of at-most-one)

I figured it would be. 😄

[Bronek]

@ximinez I implemented your feedback in last three commits:
9999f3c Review feedback, yet to extend unit tests
3603356 Added mustModifyVault priviledge, code cleanup, more tests
0e58a15 More tests

Incidentally, your observation that the comment (and assert) in ValidVault::visitEntry was wrong helped me to simplify ValidVault::finalize . Thanks !

[ximinez]

This comment is not true anymore. There's no case above that returns success if afterVault_ is empty, and this test does.

[Bronek]

Thank you, I cleaned this up in c73dc5f

[ximinez]

Updates look good. I don't think I've reviewed everything, so I'll skip a full approval.

Requested changes have been made, but I haven't done a full review.