Silent overflow in release mode in size and weight functions

[tcharding]

#2076 introduced silent overflows ("normal" arithmetic) in size and weight calculations - they all need to be fixed / thought about to close this issue.

During work on weight, size, base_size, total_size etc. (on Transaction and Block) it was realized that overflowing ops could potentially be an attack vector. However doing checked_ ops and returning Option is unergonomic considering that overflow should never happen under normal conditions.

Two possible solutions discussed were:

• saturating add/mul
• explicit panic on overflow

Also need to consider if doing bounds checks introducesa any additional/unwanted overhead.

References:

• Re-write the weight/size API #2076 (comment)
• Feature: Count sigops for Transaction #2073 (comment)

[apoelstra]

I'm glad that @Kixunil has arrived again as we look into this, because it has the feel of an unwise idea. But I am in favor of it because:

• In practice transaction weights are typically in the low hundreds or thousands. A standard tx cannot exceed 400k weight and a tx in the blockchain cannot exceed 4M weight. So normal users are never within 1000x of overflowing u32, let alone u64.
• But internally we do need to do arithmetic and in theory a user can try to consruct a transaction with a gazillion inputs, or multi-terabyte scripts, or whatever. So it's difficult to avoid the possibility overflow. (We should put a max size invariant on Script I think, but it's less obvious that we can/should put a max number of inputs or outputs on Transaction. Though I observe that Bitcoin itself starts to break down if you somehow have more than 2^32 outputs.)
• So...the three ways to deal with overflow are to return a Result, panic, or saturate.
  • Returning a Result for a case that most users will never come close to hitting sucks. And it infects basically every Weight related method in the library.
  • Panicking in such a case is a DoS vector, since it is possible to hit if you really try, even if it's impossible if you don't.
  • Saturating will result in silently wrong values in the case that you provide a wildly invalid transaction, but have a clean API and no DoSes.

[Kixunil]

I'm not sure what is meant by "ops". If the traits then I really don't like going against Rust convention of panicking as that would be surprising. However I'm totally for having .saturating_*() methods.

[junderw]

I agree saturating all around and making it prominent in the docs is fine.

[tcharding]

By ops I meant ops traits Add, Mul for example. Just having methods may be better and not implementing the ops at all so that usage is exlicit?

[tcharding]

On further investigation this issue can probably be expanded to be "use saturating arithmetic for all types where over flow may lead to users writing software that allows attackers to steal money and where MAX should never really be anywhere close to being reached for all sane usage", tentatively I would include:

• Amount (currently panics for overflow in release mode), (need to think about SignedAmount)
• Weight
• FeeRate

We probably need types VBytes, Bytes, VSize, and Size (obviously we cannot use the names Bytes and Size) to support the same saturating behaviour.

[yancyribbens]

I'm not against adding .saturating_*() although I don't think it should be a replacement for .checked_*(). To me there are different use cases depending on the situation.

[apoelstra]

It is easy to actually overflow Amount. We should follow Rust conventions there. You can add 4000 copies of MAX_MONEY and you've done it.

FeeRate I assumed was a floating point value. How can it overflow? Is it actually some sort of rational?

It is only Weight where people expect to follow the "C rules" where they can just blindly add and multiply and never expect overflow to actually happen. But having said this, I am warming up to @Kixunil's feeling that we should just panic, even for Weight, since this is the Rust convention, and if it's suprising to people then they're going to get similarly surprised by all the primitive int types.

But yes, we should implement SaturatingAdd and CheckedAdd and so on, in addition to our normal addition functions. (Not WrappingAdd since I don't think that makes sense for any of these types.)

[yancyribbens]

I think it makes sense to panic in cases where an overflow might happen instead of return a result or saturate. Since an overflow is something we do not expect to happen, it should be handled differently then an error that is something we do expect.

cite: https://doc.rust-lang.org/book/ch09-03-to-panic-or-not-to-panic.html

Also, using panic helps simplify the code a lot since infallible iterators don't exist for most.

[apoelstra]

I think that if "panic in debug mode, overflow in release" is good enough for stdlib it should be good enough for us.

[yancyribbens]

I think that if "panic in debug mode, overflow in release" is good enough for stdlib it should be good enough for us.

Seems reasonable to me and would simplify things. Maybe something in the README for downstream consumers to beware since the responsibility of bounds checking will be theirs.