[Dijkstra] UTXOS Rule with batch-level validity checking #1021
Pull request overview
This PR implements batch-level validity checking for the UTXOS rule in the Dijkstra specification, addressing issues #1006 and #1007. It introduces a two-branch UTXOS relation that handles both successful script execution (applying all batch effects) and failed execution (collecting only collateral).
Key changes include:
- Introduction of batch-level script validation with `batchScriptsOk` and preservation of value checking via `batchPOV`
- Two-branch UTXOS rule with success/failure paths based on script execution results
- Refactoring of the `Fees` module to be parameterized by protocol parameters
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| src/Ledger/Dijkstra/Specification/Utxo.lagda.md | Implements batch-level UTXOS rule with success/failure branches, batch operations, and UTxO state transitions |
| src/Ledger/Dijkstra/Specification/Transaction.lagda.md | Adds level-dependent and level-independent type classes for transaction components, adds txSize field to Tx |
| src/Ledger/Dijkstra/Specification/Script/Validation.lagda.md | Updates references from ValueOf to MintedValueOf for consistency |
| src/Ledger/Conway/Specification/Fees.lagda.md | Refactors module to take protocol parameters as module parameter; changes scriptsCost signature from PParams → ℕ → Coin to ℕ → Coin |
| src/Ledger/Conway/Specification/Utxo.lagda.md | Updates import statement for scriptsCost (but not all call sites) |
| src/Ledger/Conway/Conformance/Utxo.agda | Updates import statement for scriptsCost (but not all call sites) |
| depositsSuccess = foldr (λ sub deps → updateDeposits (PParamsOf Γ) sub deps) | ||
| (updateDeposits (PParamsOf Γ) txTop (DepositsOf s)) | ||
| (SubTransactionsOf txTop) |
Copilot (AI), Jan 8, 2026
depositsSuccess applies updateDeposits to each sub-transaction, but the batch preservation-of-value check batchPOV only uses depositsChange for the top-level transaction (Δdeposits) and completely ignores deposit/gov-proposal effects of sub-transactions. This lets a batch include sub-transactions with deposit-creating or deposit-refunding certificates/proposals that change DepositsOf in successState without any balancing term in batchConsumed/batchProduced, so total Ada in the UTxOState can increase or decrease even when batchPOV holds. To prevent this, the deposit component of preservation-of-value must also account for sub-transaction certificates/proposals (e.g. by incorporating their depositsChange into consumedSub/producedSub or by computing a single batch-level deposits delta and using that consistently for both batchPOV and depositsSuccess).
| depositsSuccess = foldr (λ sub deps → updateDeposits (PParamsOf Γ) sub deps) | |
| (updateDeposits (PParamsOf Γ) txTop (DepositsOf s)) | |
| (SubTransactionsOf txTop) | |
| depositsSuccess = updateDeposits (PParamsOf Γ) txTop (DepositsOf s) |
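Review bot: the suggested replacement drops the `foldr` over `SubTransactionsOf txTop`, so `depositsSuccess` is computed from `txTop` alone; that is only sound if sub-transactions can carry no deposit-affecting certificates or proposals, and nothing in the visible lines checks that. Either keep the fold and extend the preservation-of-value deposits term to the whole batch, or add an explicit batch-level check that sub-transactions have no deposit effects, so that `depositsSuccess` and `batchPOV` cannot diverge.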
Subtransactions have no deposits, so they cannot introduce or refund deposits, but we might want to include an additional check/invariant for this.
@williamdemeo I've opened a new pull request, #1023, to work on those changes. Once the pull request is ready, I'll request review from you.
+ Remove contradiction between "ref inputs may refer to earlier tx outputs in the batch" vs "all inputs must exist before applying any tx in the batch." The new text punts the exact constraint to the UTxO rules (where it belongs).
+ Fix Plutus bullet (old "nor earlier versions" reads like "no Plutus at all").
+ Align fees with current Agda (`txFee : InTopLevel …`), but leave room for later CIP-driven updates.

1. Introduce subTx info type (using an alias for `TxInfo` for now).
2. Extend `TxInfo` with field `txInfoSubTxs : Maybe (List SubTxInfo)`.
3. Define a purpose-built builder:
   + Top-level Guard scripts ⇒ `txInfoSubTxs = just (...)`
   + Everything else ⇒ `txInfoSubTxs = nothing`
   + SubTx scripts ⇒ always `nothing` (even for `Guard` at sub level)

* improvements
* Initial plan
* Add batchMintedCoin constraint to prevent Ada forgery
  Co-authored-by: williamdemeo <[email protected]>
* Add documentation for batchMintedCoin security constraint
  Co-authored-by: williamdemeo <[email protected]>
* Use consistent aggregation syntax for batchMintedCoin
  Co-authored-by: williamdemeo <[email protected]>
---------
Co-authored-by: William DeMeo <[email protected]>
Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: williamdemeo <[email protected]>
Description
Stacked PR (This PR targets #1015.)

Plan (tentative)

This PR will close issue #1007 by
- introducing batch helpers in `Ledger/Dijkstra/Specification/Utxo.lagda.md` (`getSubTxScripts`, `batchP2Inputs`, `batchScriptsOk`)
- introduce level-parameterized versions of `produced` and `consumed`
- making `UTXOS` a 2-branch relation: success vs failure

What we want `UTXOS` to decide:
- `ok = batchScriptsOk txTop`
- `flag = Tx.isValid txTop` (top-level only)

Then:
- require `flag ≡ ok` (so the transaction's claimed validity matches the ledger's batch execution result)
- branch on `ok`

Success branch (commit)

In the success constructor:
- `produced`/`consumed` (sums across `txTop` and all subTxs)

Failure branch (collateral + nothing else)

In the failure constructor:
- `CollateralInputsOf txTop`
- `fees` by collateral amount (Q: how does ledger collect collateral? Does it go to fees? treasury?)

Notes

I needed the 2-UTxO parameterization (`utxoSpend₀` vs `utxoRefView`) in some places, but `utxoRefView` is still just a placeholder until we start tracking sub-level change of utxo state. TODO: address this once #1005 is finalized.

Checklist
- CHANGELOG.md
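A constructed Python model of the two-branch `UTXOS` decision sketched in the plan above (`flag ≡ ok`, success applies every batch effect, failure collects only collateral) and of the deposits gap raised in the Copilot review; this is added illustration, not the Agda specification or any code from the project. The transaction and state fields, Ada-only values, and routing collateral to fees (a question the plan leaves open) are assumptions of the model.

```python
from dataclasses import dataclass, field
@dataclass
class Tx:
    inputs: dict            # txin -> lovelace spent from the UTxO
    outputs: dict           # txout -> lovelace created
    fee: int
    deposit_delta: int      # net deposits created (+) or refunded (-) by certs/proposals
    scripts_ok: bool        # constructed outcome of running this tx's scripts
    subs: list = field(default_factory=list)        # sub-transactions (top level only)
    collateral: dict = field(default_factory=dict)  # collateral inputs (top level only)
    is_valid: bool = True   # validity claimed by the submitter (Tx.isValid)

@dataclass
class UTxOState:
    utxo: dict
    fees: int = 0
    deposits: int = 0
    def total_ada(self):
        return sum(self.utxo.values()) + self.fees + self.deposits

def batch_scripts_ok(tx):
    return tx.scripts_ok and all(s.scripts_ok for s in tx.subs)  # ok = batchScriptsOk txTop

def batch_pov(tx, subs_deposits=True):
    # consumed/produced summed over the whole batch; the deposits term is batch-wide,
    # or top-level only (the gap raised in review) when subs_deposits is False
    batch = [tx] + tx.subs
    consumed = sum(sum(t.inputs.values()) for t in batch)
    produced = sum(sum(t.outputs.values()) + t.fee for t in batch)
    delta = sum(t.deposit_delta for t in (batch if subs_deposits else [tx]))
    return consumed == produced + delta

def utxos_step(state, tx, subs_deposits=True):
    ok = batch_scripts_ok(tx)                   # two-branch UTXOS: success or failure
    if tx.is_valid != ok:                       # require flag ≡ ok
        raise ValueError("claimed validity does not match batch execution result")
    if ok:                                      # success branch: apply all batch effects
        if not batch_pov(tx, subs_deposits):
            raise ValueError("batch preservation of value fails")
        utxo, fees, deposits = dict(state.utxo), state.fees, state.deposits
        for t in [tx] + tx.subs:
            for i in t.inputs: utxo.pop(i)      # KeyError if an input does not exist
            utxo.update(t.outputs)
            fees += t.fee
            deposits += t.deposit_delta         # depositsSuccess folds over every sub-tx
        return UTxOState(utxo, fees, deposits)
    # failure branch: only collateral is collected; assumed here to go to fees
    utxo = {k: v for k, v in state.utxo.items() if k not in tx.collateral}
    return UTxOState(utxo, state.fees + sum(tx.collateral.values()), state.deposits)
```

With `subs_deposits=False` a sub-transaction carrying a deposit-creating certificate passes the check while total Ada in the resulting state grows, which is the divergence between `batchPOV` and `depositsSuccess` described in the review; the batch-wide deposits term rejects the same batch.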