Implement transaction invariant checks (RIPD-1425):

Add new functionality to enforce one or more sanity checks (invariants)
on transactions. Add tests for each new invariant check. Allow
for easily adding additional invariant checks in the future.

Also Resolves
-------------

  - RIPD-1426
  - RIPD-1427
  - RIPD-1428
  - RIPD-1429
  - RIPD-1430
  - RIPD-1431
  - RIPD-1432

Release Notes
-------------

Creates a new ammendment named "EnforceInvariants" which must be
enabled in order for these new checks to run on each transaction.

Builds/VisualStudio2015/RippleD.vcxproj

@@ -1311,6 +1311,12 @@
     </ClCompile>
     <ClInclude Include="..\..\src\ripple\app\tx\impl\Escrow.h">
     </ClInclude>
+    <ClCompile Include="..\..\src\ripple\app\tx\impl\InvariantCheck.cpp">
+      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='debug|x64'">True</ExcludedFromBuild>
+      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='release|x64'">True</ExcludedFromBuild>
+    </ClCompile>
+    <ClInclude Include="..\..\src\ripple\app\tx\impl\InvariantCheck.h">
+    </ClInclude>
     <ClInclude Include="..\..\src\ripple\app\tx\impl\Offer.h">
     </ClInclude>
     <ClCompile Include="..\..\src\ripple\app\tx\impl\OfferStream.cpp">
@@ -4699,6 +4705,10 @@
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='debug|x64'">True</ExcludedFromBuild>
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='release|x64'">True</ExcludedFromBuild>
     </ClCompile>
+    <ClCompile Include="..\..\src\test\ledger\Invariants_test.cpp">
+      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='debug|x64'">True</ExcludedFromBuild>
+      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='release|x64'">True</ExcludedFromBuild>
+    </ClCompile>
     <ClCompile Include="..\..\src\test\ledger\PaymentSandbox_test.cpp">
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='debug|x64'">True</ExcludedFromBuild>
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='release|x64'">True</ExcludedFromBuild>

Builds/VisualStudio2015/RippleD.vcxproj.filters

@@ -1833,6 +1833,12 @@
     <ClInclude Include="..\..\src\ripple\app\tx\impl\Escrow.h">
       <Filter>ripple\app\tx\impl</Filter>
     </ClInclude>
+    <ClCompile Include="..\..\src\ripple\app\tx\impl\InvariantCheck.cpp">
+      <Filter>ripple\app\tx\impl</Filter>
+    </ClCompile>
+    <ClInclude Include="..\..\src\ripple\app\tx\impl\InvariantCheck.h">
+      <Filter>ripple\app\tx\impl</Filter>
+    </ClInclude>
     <ClInclude Include="..\..\src\ripple\app\tx\impl\Offer.h">
       <Filter>ripple\app\tx\impl</Filter>
     </ClInclude>
@@ -5448,6 +5454,9 @@
     <ClCompile Include="..\..\src\test\ledger\Directory_test.cpp">
       <Filter>test\ledger</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\src\test\ledger\Invariants_test.cpp">
+      <Filter>test\ledger</Filter>
+    </ClCompile>
     <ClCompile Include="..\..\src\test\ledger\PaymentSandbox_test.cpp">
       <Filter>test\ledger</Filter>
     </ClCompile>

docs/source.dox

@@ -117,6 +117,7 @@ INPUT                  = \
     ../src/ripple/app/consensus/RCLCxLedger.h \
     ../src/ripple/app/consensus/RCLConsensus.h \
     ../src/ripple/app/consensus/RCLCxPeerPos.h \
+    ../src/ripple/app/tx/impl/InvariantCheck.h \
 
 INPUT_ENCODING         = UTF-8
 FILE_PATTERNS          =

src/ripple/app/main/Amendments.cpp

@@ -52,7 +52,8 @@ supportedAmendments ()
         { "E2E6F2866106419B88C50045ACE96368558C345566AC8F2BDF5A5B5587F0E6FA fix1368" },
         { "07D43DCE529B15A10827E5E04943B496762F9A88E3268269D69C44BE49E21104 Escrow" },
         { "86E83A7D2ECE3AD5FA87AB2195AE015C950469ABF0B72EAACED318F74886AE90 CryptoConditionsSuite" },
-        { "48C4451D6C6A138453F056EB6793AFF4B5C57457A37BA63EF3541FF8CE873DC2 ToStrandV2"}
+        { "48C4451D6C6A138453F056EB6793AFF4B5C57457A37BA63EF3541FF8CE873DC2 ToStrandV2"},
+        { "DC9CA96AEA1DCF83E527D1AFC916EFAF5D27388ECA4060A88817C1238CAEE0BF EnforceInvariants" }
     };
 }
 

src/ripple/app/tx/impl/ApplyContext.cpp

@@ -19,10 +19,12 @@
 
 #include <BeastConfig.h>
 #include <ripple/app/tx/impl/ApplyContext.h>
+#include <ripple/app/tx/impl/InvariantCheck.h>
 #include <ripple/app/tx/impl/Transactor.h>
 #include <ripple/basics/Log.h>
 #include <ripple/json/to_string.h>
 #include <ripple/protocol/Indexes.h>
+#include <ripple/protocol/Feature.h>
 #include <cassert>
 
 namespace ripple {
@@ -69,4 +71,56 @@ ApplyContext::visit (std::function <void (
     view_->visit(base_, func);
 }
 
+template<std::size_t... Is>
+TER
+ApplyContext::checkInvariantsHelper(TER terResult, std::index_sequence<Is...>)
+{
+    if (view_->rules().enabled(featureEnforceInvariants))
+    {
+        auto checkers = getInvariantChecks();
+
+        // call each check's per-entry method
+        visit (
+            [&checkers](
+                uint256 const& index,
+                bool isDelete,
+                std::shared_ptr <SLE const> const& before,
+                std::shared_ptr <SLE const> const& after)
+            {
+                // Sean Parent for_each_argument trick
+                (void)std::array<int, sizeof...(Is)>{
+                    {((std::get<Is>(checkers).
+                            visitEntry(index, isDelete, before, after)), 0)...}
+                };
+            });
+
+        // Sean Parent for_each_argument trick
+        // (a fold expression with `&&` would be really nice here when we move
+        // to C++-17)
+        std::array<bool, sizeof...(Is)> finalizers {{
+            std::get<Is>(checkers).finalize(tx, terResult, journal)...}};
+
+        // call each check's finalizer to see that it passes
+        if (! std::all_of( finalizers.cbegin(), finalizers.cend(),
+                [](auto const& b) { return b; }))
+        {
+            terResult = (terResult == tecINVARIANT_FAILED) ?
+                tefINVARIANT_FAILED :
+                tecINVARIANT_FAILED ;
+            JLOG(journal.error()) <<
+                "Transaction has failed one or more invariants: " <<
+                to_string(tx.getJson (0));
+        }
+    }
+
+    return terResult;
+}
+
+TER
+ApplyContext::checkInvariants(TER terResult)
+{
+    return checkInvariantsHelper(
+        terResult, std::make_index_sequence<std::tuple_size<InvariantChecks>::value>{});
+}
+
 } // ripple

src/ripple/app/tx/impl/ApplyContext.h

@@ -101,7 +101,13 @@ class ApplyContext
         view_->rawDestroyXRP(fee);
     }
 
+    TER
+    checkInvariants(TER);
+
 private:
+    template<std::size_t... Is>
+    TER checkInvariantsHelper(TER terResult, std::index_sequence<Is...>);
+
     OpenView& base_;
     ApplyFlags flags_;
     boost::optional<ApplyViewImpl> view_;

src/ripple/app/tx/impl/InvariantCheck.cpp

@@ -0,0 +1,191 @@
+//------------------------------------------------------------------------------
+/*
+  This file is part of rippled: https://github.com/ripple/rippled
+  Copyright (c) 2012-2016 Ripple Labs Inc.
+
+  Permission to use, copy, modify, and/or distribute this software for any
+  purpose  with  or without fee is hereby granted, provided that the above
+  copyright notice and this permission notice appear in all copies.
+
+  THE  SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+  WITH  REGARD  TO  THIS  SOFTWARE  INCLUDING  ALL  IMPLIED  WARRANTIES  OF
+  MERCHANTABILITY  AND  FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+  ANY  SPECIAL ,  DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+  WHATSOEVER  RESULTING  FROM  LOSS  OF USE, DATA OR PROFITS, WHETHER IN AN
+  ACTION  OF  CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+  OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+//==============================================================================
+
+#include <ripple/app/tx/impl/InvariantCheck.h>
+#include <ripple/basics/Log.h>
+
+namespace ripple {
+
+void
+XRPNotCreated::visitEntry(
+    uint256 const&,
+    bool isDelete,
+    std::shared_ptr <SLE const> const& before,
+    std::shared_ptr <SLE const> const& after)
+{
+    if(before)
+    {
+        switch (before->getType())
+        {
+        case ltACCOUNT_ROOT:
+            drops_ -= (*before)[sfBalance].xrp().drops();
+            break;
+        case ltPAYCHAN:
+            drops_ -= ((*before)[sfAmount] - (*before)[sfBalance]).xrp().drops();
+            break;
+        case ltESCROW:
+            drops_ -= (*before)[sfAmount].xrp().drops();
+            break;
+        default:
+            break;
+        }
+    }
+
+    if(after)
+    {
+        switch (after->getType())
+        {
+        case ltACCOUNT_ROOT:
+            drops_ += (*after)[sfBalance].xrp().drops();
+            break;
+        case ltPAYCHAN:
+            if (! isDelete)
+                drops_ += ((*after)[sfAmount] - (*after)[sfBalance]).xrp().drops();
+            break;
+        case ltESCROW:
+            if (! isDelete)
+                drops_ += (*after)[sfAmount].xrp().drops();
+            break;
+        default:
+            break;
+        }
+    }
+}
+
+bool
+XRPNotCreated::finalize(STTx const& tx, TER /*tec*/, beast::Journal const& j)
+{
+    auto fee = tx.getFieldAmount(sfFee).xrp().drops();
+    if(-1*fee <= drops_ && drops_ <= 0)
+        return true;
+
+    JLOG(j.fatal()) << "Invariant failed: XRP net change was " << drops_ <<
+        " on a fee of " << fee;
+    return false;
+}
+
+//------------------------------------------------------------------------------
+
+void
+AccountRootsNotDeleted::visitEntry(
+    uint256 const&,
+    bool isDelete,
+    std::shared_ptr <SLE const> const& before,
+    std::shared_ptr <SLE const> const&)
+{
+    if (isDelete && before && before->getType() == ltACCOUNT_ROOT)
+        accountDeleted_ = true;
+}
+
+bool
+AccountRootsNotDeleted::finalize(STTx const&, TER, beast::Journal const& j)
+{
+    if (! accountDeleted_)
+        return true;
+
+    JLOG(j.fatal()) << "Invariant failed: an account root was deleted";
+    return false;
+}
+
+//------------------------------------------------------------------------------
+
+void
+LedgerEntryTypesMatch::visitEntry(
+    uint256 const&,
+    bool,
+    std::shared_ptr <SLE const> const& before,
+    std::shared_ptr <SLE const> const& after)
+{
+    if (before && after && before->getType() != after->getType())
+        typeMismatch_ = true;
+
+    if (after)
+    {
+        switch (after->getType())
+        {
+        case ltACCOUNT_ROOT:
+        case ltDIR_NODE:
+        case ltRIPPLE_STATE:
+        case ltTICKET:
+        case ltSIGNER_LIST:
+        case ltOFFER:
+        case ltLEDGER_HASHES:
+        case ltAMENDMENTS:
+        case ltFEE_SETTINGS:
+        case ltESCROW:
+        case ltPAYCHAN:
+            break;
+        default:
+            invalidTypeAdded_ = true;
+            break;
+        }
+    }
+}
+
+bool
+LedgerEntryTypesMatch::finalize(STTx const&, TER, beast::Journal const& j)
+{
+    if ((! typeMismatch_) && (! invalidTypeAdded_))
+        return true;
+
+    if (typeMismatch_)
+    {
+        JLOG(j.fatal()) << "Invariant failed: ledger entry type mismatch";
+    }
+
+    if (invalidTypeAdded_)
+    {
+        JLOG(j.fatal()) << "Invariant failed: invalid ledger entry type added";
+    }
+
+    return false;
+}
+
+//------------------------------------------------------------------------------
+
+void
+NoXRPTrustLines::visitEntry(
+    uint256 const&,
+    bool,
+    std::shared_ptr <SLE const> const&,
+    std::shared_ptr <SLE const> const& after)
+{
+    if (after && after->getType() == ltRIPPLE_STATE)
+    {
+        // checking the issue directly here instead of
+        // relying on .native() just in case native somehow
+        // were systematically incorrect
+        xrpTrustLine_ =
+            after->getFieldAmount (sfLowLimit).issue() == xrpIssue() ||
+            after->getFieldAmount (sfHighLimit).issue() == xrpIssue();
+    }
+}
+
+bool
+NoXRPTrustLines::finalize(STTx const&, TER, beast::Journal const& j)
+{
+    if (! xrpTrustLine_)
+        return true;
+
+    JLOG(j.fatal()) << "Invariant failed: an XRP trust line was created";
+    return false;
+}
+
+}  // ripple
+