Cleanup

d0cd · d0cd · commit 7125156a715d · 2025-03-19T16:24:11.000-07:00
diff --git a/ledger/block/src/transaction/merkle.rs b/ledger/block/src/transaction/merkle.rs
@@ -119,7 +119,7 @@ impl<N: Network> Transaction<N> {
         // Prepare the header for the hash.
         let header = match deployment.program_checksum() {
             None => deployment.program().id().to_bits_le(),
-            // Note that the checksum must be recomputed since the one stored in the deployment may have been modified.
+            // Note that the checksum is verified in `VM::check_transaction`.
             Some(program_checksum) => program_checksum.to_bits_le(),
         };
         // Prepare the leaves.
diff --git a/ledger/block/src/transactions/confirmed/mod.rs b/ledger/block/src/transactions/confirmed/mod.rs
@@ -51,11 +51,13 @@ impl<N: Network> ConfirmedTransaction<N> {
             }
         };
 
-        // Count the number of `InitializeMapping` and `UpdateKeyValue` finalize operations.
-        let (num_initialize_mappings, num_update_key_values) =
-            finalize_operations.iter().try_fold((0, 0), |(init, update), operation| match operation {
-                FinalizeOperation::InitializeMapping(..) => Ok((init + 1, update)),
-                FinalizeOperation::UpdateKeyValue(..) => Ok((init, update + 1)),
+        // Count the number of `InitializeMapping` and `*KeyValue` finalize operations.
+        let (num_initialize_mappings, num_key_values) =
+            finalize_operations.iter().try_fold((0, 0), |(init, key_value), operation| match operation {
+                FinalizeOperation::InitializeMapping(..) => Ok((init + 1, key_value)),
+                FinalizeOperation::InsertKeyValue(..) // At the time of writing, `InsertKeyValue` is only used in tests. However, it is added for completeness, as it is a valid operation.
+                | FinalizeOperation::RemoveKeyValue(..)
+                | FinalizeOperation::UpdateKeyValue(..) => Ok((init, key_value + 1)),
                 op => {
                     bail!("Transaction '{}' (deploy) contains an invalid finalize operation ({op})", transaction.id())
                 }
@@ -64,30 +66,29 @@ impl<N: Network> ConfirmedTransaction<N> {
         // Perform safety checks on the finalize operations.
         {
             // Ensure the number of finalize operations matches the number of 'InitializeMapping' and 'UpdateKeyValue' finalize operations.
-            if num_initialize_mappings + num_update_key_values != finalize_operations.len() {
+            if num_initialize_mappings + num_key_values != finalize_operations.len() {
                 bail!(
                     "Transaction '{}' (deploy) must contain '{}' operations",
                     transaction.id(),
                     finalize_operations.len()
                 );
             }
             // Ensure the number of program mappings upper bounds the number of 'InitializeMapping' finalize operations.
-            if num_initialize_mappings > program.mappings().len() {
-                bail!(
-                    "Transaction '{}' (deploy) must contain at most '{}' 'InitializeMapping' operations (found '{num_initialize_mappings}')",
-                    transaction.id(),
-                    program.mappings().len(),
-                )
-            }
-            // Ensure the number of fee finalize operations lower bounds the number of 'UpdateKeyValue' finalize operations.
-            // The lower bound is due to the fact that constructors can issue 'UpdateKeyValue' operations as part of the deployment.
-            if num_update_key_values < fee.num_finalize_operations() {
-                bail!(
-                    "Transaction '{}' (deploy) must contain at least {} 'UpdateKeyValue' operations (found '{num_update_key_values}')",
-                    transaction.id(),
-                    fee.num_finalize_operations()
-                );
-            }
+            // The upper bound is due to the fact that some mappings may have been initialized in earlier deployments or updates.
+            ensure!(
+                num_initialize_mappings <= program.mappings().len(),
+                "Transaction '{}' (deploy) must contain at most '{}' 'InitializeMapping' operations (found '{num_initialize_mappings}')",
+                transaction.id(),
+                program.mappings().len(),
+            );
+            // Ensure the number of fee finalize operations lower bounds the number of '*KeyValue' finalize operations.
+            // The lower bound is due to the fact that constructors can issue '*KeyValue' operations as part of the deployment.
+            ensure!(
+                fee.num_finalize_operations() <= num_key_values,
+                "Transaction '{}' (deploy) must contain at least {} 'UpdateKeyValue' operations (found '{num_key_values}')",
+                transaction.id(),
+                fee.num_finalize_operations()
+            );
         }
 
         // Return the accepted deploy transaction.
diff --git a/synthesizer/process/src/stack/deploy.rs b/synthesizer/process/src/stack/deploy.rs
@@ -51,6 +51,7 @@ impl<N: Network> Stack<N> {
         finish!(timer);
 
         // Return the deployment.
+        // Note that the checksum is **intentionally** left as `None`. It should be added in `VM::deploy`.
         Deployment::new(*self.program_edition, self.program.clone(), verifying_keys, None)
     }
 
@@ -74,6 +75,13 @@ impl<N: Network> Stack<N> {
             *self.program_edition == deployment.edition(),
             "The stack edition does not match the deployment edition"
         );
+        // If the deployment contains a checksum, ensure it matches the one computed by the stack.
+        if let Some(program_checksum) = deployment.program_checksum() {
+            ensure!(
+                *program_checksum == self.program_checksum,
+                "The deployment checksum does not match the stack checksum"
+            );
+        }
 
         // Check Verifying Keys //
 
diff --git a/synthesizer/process/src/stack/helpers/check_update.rs b/synthesizer/process/src/stack/helpers/check_update.rs
@@ -18,9 +18,9 @@ use super::*;
 impl<N: Network> Stack<N> {
     /// Checks that the new program definition is a valid update.
     #[inline]
-    pub(crate) fn check_update_is_valid(process: &Process<N>, program: &Program<N>) -> Result<()> {
+    pub(crate) fn check_update_is_valid(process: &Process<N>, new_program: &Program<N>) -> Result<()> {
         // Get the new program ID.
-        let program_id = program.id();
+        let program_id = new_program.id();
         // Get the old program.
         let stack = process.get_stack(program_id)?;
         let old_program = stack.program();
@@ -30,79 +30,76 @@ impl<N: Network> Stack<N> {
             "Cannot update '{program_id}' because it does not have a constructor"
         );
         // Ensure the program ID matches.
-        ensure!(old_program.id() == program.id(), "Cannot update '{program_id}' with different program ID");
+        ensure!(old_program.id() == new_program.id(), "Cannot update '{program_id}' with different program ID");
         // Ensure that all of the structs in the old program exist in the new program.
-        for (struct_id, struct_type) in old_program.structs() {
-            let new_struct_type = program.get_struct(struct_id)?;
+        for (old_struct_id, old_struct_type) in old_program.structs() {
+            let new_struct_type = new_program.get_struct(old_struct_id)?;
             ensure!(
-                struct_type == new_struct_type,
-                "Cannot update '{program_id}' because the struct '{struct_id}' does not match"
+                old_struct_type == new_struct_type,
+                "Cannot update '{program_id}' because the struct '{old_struct_id}' does not match"
             );
         }
         // Ensure that all of the records in the old program exist in the new program.
-        for (record_id, record_type) in old_program.records() {
-            let new_record_type = program.get_record(record_id)?;
+        for (old_record_id, old_record_type) in old_program.records() {
+            let new_record_type = new_program.get_record(old_record_id)?;
             ensure!(
-                record_type == new_record_type,
-                "Cannot update '{program_id}' because the record '{record_id}' does not match"
+                old_record_type == new_record_type,
+                "Cannot update '{program_id}' because the record '{old_record_id}' does not match"
             );
         }
         // Ensure that all of the mappings in the old program exist in the new program.
-        for (mapping_id, mapping_type) in old_program.mappings() {
-            let new_mapping_type = program.get_mapping(mapping_id)?;
+        for (old_mapping_id, old_mapping_type) in old_program.mappings() {
+            let new_mapping_type = new_program.get_mapping(old_mapping_id)?;
             ensure!(
-                *mapping_type == new_mapping_type,
-                "Cannot update '{program_id}' because the mapping '{mapping_id}' does not match"
+                *old_mapping_type == new_mapping_type,
+                "Cannot update '{program_id}' because the mapping '{old_mapping_id}' does not match"
             );
         }
         // Ensure that all of the imports in the old program exist in the new program.
-        for import in old_program.imports().keys() {
-            if !program.contains_import(import) {
-                bail!("Cannot update '{program_id}' because it is missing the original import '{import}'");
+        for old_import in old_program.imports().keys() {
+            if !new_program.contains_import(old_import) {
+                bail!("Cannot update '{program_id}' because it is missing the original import '{old_import}'");
             }
         }
         // Ensure that the constructors in both programs are exactly the same.
         ensure!(
-            old_program.constructor() == program.constructor(),
+            old_program.constructor() == new_program.constructor(),
             "Cannot update '{program_id}' because the constructor does not match"
         );
         // Ensure that the old program closures exist in the new program, with the exact same definition
-        for closure in old_program.closures().values() {
-            let closure_name = closure.name();
-            let new_closure = program.get_closure(closure_name)?;
+        for old_closure in old_program.closures().values() {
+            let old_closure_name = old_closure.name();
+            let new_closure = new_program.get_closure(old_closure_name)?;
             ensure!(
-                closure == &new_closure,
-                "Cannot update '{program_id}' because the closure '{closure_name}' does not exactly match"
+                old_closure == &new_closure,
+                "Cannot update '{program_id}' because the closure '{old_closure_name}' does not match"
             );
         }
         // Ensure that the old program functions exist in the new program, with the same input and output types.
         // If the function has an associated `finalize` block, then ensure that the finalize block exists in the new program.
-        for function in old_program.functions().values() {
-            let function_name = function.name();
-            if !program.contains_function(function.name()) {
-                bail!("Cannot update '{program_id}' because it is missing the function '{function_name}'");
-            }
-            let new_function = program.get_function(function.name())?;
+        for old_function in old_program.functions().values() {
+            let old_function_name = old_function.name();
+            let new_function = new_program.get_function_ref(old_function_name)?;
             ensure!(
-                function.input_types() == new_function.input_types(),
-                "Cannot update '{program_id}' because the inputs to the function '{function_name}' do not match"
+                old_function.input_types() == new_function.input_types(),
+                "Cannot update '{program_id}' because the inputs to the function '{old_function_name}' do not match"
             );
             ensure!(
-                function.output_types() == new_function.output_types(),
-                "Cannot update '{program_id}' because the outputs of the function '{function_name}' do not match"
+                old_function.output_types() == new_function.output_types(),
+                "Cannot update '{program_id}' because the outputs of the function '{old_function_name}' do not match"
             );
-            match (function.finalize_logic(), new_function.finalize_logic()) {
+            match (old_function.finalize_logic(), new_function.finalize_logic()) {
                 (None, None) => {} // Do nothing
                 (None, Some(_)) => bail!(
-                    "Cannot update '{program_id}' because the function '{function_name}' should not have a finalize block"
+                    "Cannot update '{program_id}' because the function '{old_function_name}' should not have a finalize block"
                 ),
                 (Some(_), None) => bail!(
-                    "Cannot update '{program_id}' because the function '{function_name}' should have a finalize block"
+                    "Cannot update '{program_id}' because the function '{old_function_name}' should have a finalize block"
                 ),
-                (Some(finalize), Some(new_finalize)) => {
+                (Some(old_finalize), Some(new_finalize)) => {
                     ensure!(
-                        finalize.input_types() == new_finalize.input_types(),
-                        "Cannot update '{program_id}' because the finalize inputs to the function '{function_name}' do not match"
+                        old_finalize.input_types() == new_finalize.input_types(),
+                        "Cannot update '{program_id}' because the finalize inputs to the function '{old_function_name}' do not match"
                     );
                 }
             }
diff --git a/synthesizer/src/vm/verify.rs b/synthesizer/src/vm/verify.rs
@@ -285,10 +285,11 @@ impl<N: Network, C: ConsensusStorage<N>> VM<N, C> {
                             N::TRANSACTION_SPEND_LIMIT
                         );
                         // Ensure the fee is sufficient to cover the cost.
-                        ensure!(
-                            cost <= *fee.base_amount()?,
-                            "Transaction '{id}' has an insufficient base fee (execution) - requires {cost} microcredits"
-                        );
+                        if *fee.base_amount()? < cost {
+                            bail!(
+                                "Transaction '{id}' has an insufficient base fee (execution) - requires {cost} microcredits"
+                            )
+                        }
                     } else {
                         // Ensure the base fee amount is zero.
                         ensure!(*fee.base_amount()? == 0, "Transaction '{id}' has a non-zero base fee (execution)");
