Reject wasm code exceeding limit

[alpe]

• Resolves Return error if wasm to big #287
• Resolves Make Wasm maxSize a configuration option #289

Summary of changes:

• Returns ErrLimit when wasm code exceeds max size
• New default wasm code max size: 600 * 1024 bytes
• Max size configurable via parameters
• Limit also applied to uncompressed wasm code

[codecov]

Codecov Report

Merging #302 (2efd962) into master (41cf73d) will increase coverage by 0.16%.
The diff coverage is 47.82%.

@@            Coverage Diff             @@
##           master     #302      +/-   ##
==========================================
+ Coverage   17.23%   17.40%   +0.16%     
==========================================
  Files          35       35              
  Lines       10463    10471       +8     
==========================================
+ Hits         1803     1822      +19     
+ Misses       8563     8551      -12     
- Partials       97       98       +1     

Impacted Files	Coverage Δ
x/wasm/internal/types/types.pb.go	0.76% <0.00%> (+<0.01%)	⬆️
x/wasm/internal/types/params.go	60.97% <70.00%> (+2.64%)	⬆️
x/wasm/internal/keeper/ioutil.go	100.00% <100.00%> (ø)
x/wasm/internal/keeper/keeper.go	89.69% <100.00%> (+0.09%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 41cf73d...2efd962. Read the comment docs.

[ethanfrey]

Looks good. I am scratching my head how it is sure that limit passes and limit+1 fails. But tests pass for those cases and your understanding of the go stdlib is better than mine.

You can merge as is or attempt to add some more defensive code there if you think my worry is justified.

[ethanfrey]

ReadAll keeps reading until one read returns (0, nil) or any return (x, err) correct?

Update: checked ioutil and bytes.Buffer. They only stop when it hits an error. If the error is EOF, then it stops and return data with no error, otherwise, it returns the error.

Seems fine, just note this returns an error if the input is the exact size of n.

[ethanfrey]

Or maybe, so the read, then check if it overflowed? Or maybe I don't fully understand how LimitedReader works.

[ethanfrey]

This means if the total size >= limit we will get the types.ErrLimit error. However, we want total_size > limit.
I would use int64(limit + 1) here, so if there is one byte more than the requested limit, it returns an error

[ethanfrey]

Huh, this passes? That means it can return (n, EOF) where n > 0?

The test cases (both limit and limit+1 gzips) pass. So I can approve it. Just seems there is some possible way something can slip through.

[ethanfrey]

Okay, nice to add the parameter here - this is set in genesis, right?

[ethanfrey]

Yup. Nice addition here.

Reading the config option (1k gas) on upload (> 1 million gas) is virtually 0 overhead. Happy for a param here.

[ethanfrey]

Very nice updates here.
You have thought more angles than I did.

💯

[alpe]

The underlying (gzip) reader returns n, io.EOF for the last read with a size <=limit. n, EOF are handled in ioutil.ReadAll
The limit reader comes into play only for read > limit where the last call before returned n, nil.
I have added a missing test case for uncompressed bytes.

[webmaster128]

This check also rejects compressed data > limit, which is smaller than limit when uncompressed. Is this intended?

[alpe]

good edge case!
This can only happen when gzip does not compress the data but adds it header on top. I guess that is very unlikely to happen and the workaround would be to send uncompressed data.

[webmaster128]

Right. If found the code a bit confusing to review, because it is not very clear which parts deals with compressed and which with uncompressed data. Some checks operate on both.