[Clarity-4] Implement contract post-conditions

CHANGELOG.md

@@ -20,6 +20,14 @@ and this project adheres to the versioning scheme outlined in the [README.md](RE
   - `current-contract`
   - `block-time`
   - `to-ascii?`
+  - `restrict-assets?`
+  - `as-contract?`
+  - Special allowance expressions:
+    - `with-stx`
+    - `with-ft`
+    - `with-nft`
+    - `with-stacking`
+    - `with-all-assets-unsafe`
 - Added `contract_cost_limit_percentage` to the miner config file — sets the percentage of a block’s execution cost at which, if a large non-boot contract call would cause a BlockTooBigError, the miner will stop adding further non-boot contract calls and only include STX transfers and boot contract calls for the remainder of the block.
 
 ### Changed

clarity-types/src/errors/analysis.rs

@@ -307,6 +307,16 @@ pub enum CheckErrors {
 
     // time checker errors
     ExecutionTimeExpired,
+
+    // contract post-conditions
+    ExpectedListOfAllowances(String, i32),
+    AllowanceExprNotAllowed,
+    ExpectedAllowanceExpr(String),
+    WithAllAllowanceNotAllowed,
+    WithAllAllowanceNotAlone,
+    WithNftExpectedListOfIdentifiers,
+    MaxIdentifierLengthExceeded(u32, u32),
+    TooManyAllowances(usize, usize),
 }
 
 #[derive(Debug, PartialEq)]
@@ -605,6 +615,14 @@ impl DiagnosableError for CheckErrors {
             CheckErrors::CostComputationFailed(s) => format!("contract cost computation failed: {s}"),
             CheckErrors::CouldNotDetermineSerializationType => "could not determine the input type for the serialization function".into(),
             CheckErrors::ExecutionTimeExpired => "execution time expired".into(),
+            CheckErrors::ExpectedListOfAllowances(fn_name, arg_num) => format!("{fn_name} expects a list of asset allowances as argument {arg_num}"),
+            CheckErrors::AllowanceExprNotAllowed => "allowance expressions are only allowed in the context of a `restrict-assets?` or `as-contract?`".into(),
+            CheckErrors::ExpectedAllowanceExpr(got_name) => format!("expected an allowance expression, got: {got_name}"),
+            CheckErrors::WithAllAllowanceNotAllowed => "with-all-assets-unsafe is not allowed here, only in the allowance list for `as-contract?`".into(),
+            CheckErrors::WithAllAllowanceNotAlone => "with-all-assets-unsafe must not be used along with other allowances".into(),
+            CheckErrors::WithNftExpectedListOfIdentifiers => "with-nft allowance must include a list of asset identifiers".into(),
+            CheckErrors::MaxIdentifierLengthExceeded(max_len, len) => format!("with-nft allowance identifiers list must not exceed {max_len} elements, got {len}"),
+            CheckErrors::TooManyAllowances(max_allowed, found) => format!("too many allowances specified, the maximum is {max_allowed}, found {found}"),
         }
     }
 

clarity-types/src/errors/mod.rs

@@ -101,6 +101,7 @@ pub enum RuntimeErrorType {
     PoxAlreadyLocked,
 
     BlockTimeNotAvailable,
+    Unreachable,
 }
 
 #[derive(Debug, PartialEq)]

clarity-types/src/types/mod.rs

@@ -1235,6 +1235,16 @@ impl Value {
             Err(InterpreterError::Expect("Expected response".into()).into())
         }
     }
+
+    pub fn expect_string_ascii(self) -> Result<String> {
+        if let Value::Sequence(SequenceData::String(CharType::ASCII(ASCIIData { data }))) = self {
+            Ok(String::from_utf8(data)
+                .map_err(|_| InterpreterError::Expect("Non UTF-8 data in string".into()))?)
+        } else {
+            error!("Value '{self:?}' is not an ASCII string");
+            Err(InterpreterError::Expect("Expected ASCII string".into()).into())
+        }
+    }
 }
 
 impl BuffData {

clarity-types/src/types/signatures.rs

@@ -855,6 +855,8 @@ impl TypeSignature {
     pub const STRING_ASCII_MAX: TypeSignature = Self::type_ascii_const(MAX_VALUE_SIZE);
     /// String ASCII type with length 40.
     pub const STRING_ASCII_40: TypeSignature = Self::type_ascii_const(40);
+    /// String ASCII type with length 128.
+    pub const STRING_ASCII_128: TypeSignature = Self::type_ascii_const(128);
 
     /// String UTF8 type with minimum length (`1`).
     pub const STRING_UTF8_MIN: TypeSignature = Self::type_string_utf8(1);
@@ -908,7 +910,7 @@ impl TypeSignature {
 
     /// Creates a string ASCII type with the specified length.
     /// It may panic if the provided length is invalid.
-    #[cfg(test)]
+    #[cfg(any(test, feature = "testing"))]
     pub const fn new_ascii_type_checked(len: u32) -> Self {
         Self::type_ascii_const(len)
     }

clarity/src/vm/analysis/arithmetic_checker/mod.rs

@@ -173,9 +173,31 @@ impl ArithmeticOnlyChecker<'_> {
             | ContractCall | StxTransfer | StxTransferMemo | StxBurn | AtBlock | GetStxBalance
             | GetTokenSupply | BurnToken | FromConsensusBuff | ToConsensusBuff | BurnAsset
             | StxGetAccount => Err(Error::FunctionNotPermitted(function)),
-            Append | Concat | AsMaxLen | ContractOf | PrincipalOf | ListCons | Print
-            | AsContract | ElementAt | ElementAtAlias | IndexOf | IndexOfAlias | Map | Filter
-            | Fold | Slice | ReplaceAt | ContractHash => Err(Error::FunctionNotPermitted(function)),
+            Append
+            | Concat
+            | AsMaxLen
+            | ContractOf
+            | PrincipalOf
+            | ListCons
+            | Print
+            | AsContract
+            | ElementAt
+            | ElementAtAlias
+            | IndexOf
+            | IndexOfAlias
+            | Map
+            | Filter
+            | Fold
+            | Slice
+            | ReplaceAt
+            | ContractHash
+            | RestrictAssets
+            | AsContractSafe
+            | AllowanceWithStx
+            | AllowanceWithFt
+            | AllowanceWithNft
+            | AllowanceWithStacking
+            | AllowanceAll => Err(Error::FunctionNotPermitted(function)),
             BuffToIntLe | BuffToUIntLe | BuffToIntBe | BuffToUIntBe => {
                 Err(Error::FunctionNotPermitted(function))
             }

clarity/src/vm/analysis/read_only_checker/mod.rs

@@ -282,20 +282,101 @@ impl<'a, 'b> ReadOnlyChecker<'a, 'b> {
         use crate::vm::functions::NativeFunctions::*;
 
         match function {
-            Add | Subtract | Divide | Multiply | CmpGeq | CmpLeq | CmpLess | CmpGreater
-            | Modulo | Power | Sqrti | Log2 | BitwiseXor | And | Or | Not | Hash160 | Sha256
-            | Keccak256 | Equals | If | Sha512 | Sha512Trunc256 | Secp256k1Recover
-            | Secp256k1Verify | ConsSome | ConsOkay | ConsError | DefaultTo | UnwrapRet
-            | UnwrapErrRet | IsOkay | IsNone | Asserts | Unwrap | UnwrapErr | Match | IsErr
-            | IsSome | TryRet | ToUInt | ToInt | BuffToIntLe | BuffToUIntLe | BuffToIntBe
-            | BuffToUIntBe | IntToAscii | IntToUtf8 | StringToInt | StringToUInt | IsStandard
-            | ToConsensusBuff | PrincipalDestruct | PrincipalConstruct | Append | Concat
-            | AsMaxLen | ContractOf | PrincipalOf | ListCons | GetBlockInfo | GetBurnBlockInfo
-            | GetStacksBlockInfo | GetTenureInfo | TupleGet | TupleMerge | Len | Print
-            | AsContract | Begin | FetchVar | GetStxBalance | StxGetAccount | GetTokenBalance
-            | GetAssetOwner | GetTokenSupply | ElementAt | IndexOf | Slice | ReplaceAt
-            | BitwiseAnd | BitwiseOr | BitwiseNot | BitwiseLShift | BitwiseRShift | BitwiseXor2
-            | ElementAtAlias | IndexOfAlias | ContractHash | ToAscii => {
+            Add
+            | Subtract
+            | Divide
+            | Multiply
+            | CmpGeq
+            | CmpLeq
+            | CmpLess
+            | CmpGreater
+            | Modulo
+            | Power
+            | Sqrti
+            | Log2
+            | BitwiseXor
+            | And
+            | Or
+            | Not
+            | Hash160
+            | Sha256
+            | Keccak256
+            | Equals
+            | If
+            | Sha512
+            | Sha512Trunc256
+            | Secp256k1Recover
+            | Secp256k1Verify
+            | ConsSome
+            | ConsOkay
+            | ConsError
+            | DefaultTo
+            | UnwrapRet
+            | UnwrapErrRet
+            | IsOkay
+            | IsNone
+            | Asserts
+            | Unwrap
+            | UnwrapErr
+            | Match
+            | IsErr
+            | IsSome
+            | TryRet
+            | ToUInt
+            | ToInt
+            | BuffToIntLe
+            | BuffToUIntLe
+            | BuffToIntBe
+            | BuffToUIntBe
+            | IntToAscii
+            | IntToUtf8
+            | StringToInt
+            | StringToUInt
+            | IsStandard
+            | ToConsensusBuff
+            | PrincipalDestruct
+            | PrincipalConstruct
+            | Append
+            | Concat
+            | AsMaxLen
+            | ContractOf
+            | PrincipalOf
+            | ListCons
+            | GetBlockInfo
+            | GetBurnBlockInfo
+            | GetStacksBlockInfo
+            | GetTenureInfo
+            | TupleGet
+            | TupleMerge
+            | Len
+            | Print
+            | AsContract
+            | Begin
+            | FetchVar
+            | GetStxBalance
+            | StxGetAccount
+            | GetTokenBalance
+            | GetAssetOwner
+            | GetTokenSupply
+            | ElementAt
+            | IndexOf
+            | Slice
+            | ReplaceAt
+            | BitwiseAnd
+            | BitwiseOr
+            | BitwiseNot
+            | BitwiseLShift
+            | BitwiseRShift
+            | BitwiseXor2
+            | ElementAtAlias
+            | IndexOfAlias
+            | ContractHash
+            | ToAscii
+            | AllowanceWithStx
+            | AllowanceWithFt
+            | AllowanceWithNft
+            | AllowanceWithStacking
+            | AllowanceAll => {
                 // Check all arguments.
                 self.check_each_expression_is_read_only(args)
             }
@@ -427,6 +508,45 @@ impl<'a, 'b> ReadOnlyChecker<'a, 'b> {
                 self.check_each_expression_is_read_only(&args[2..])
                     .map(|args_read_only| args_read_only && is_function_read_only)
             }
+            RestrictAssets => {
+                check_arguments_at_least(3, args)?;
+
+                // Check the asset owner argument.
+                let asset_owner_read_only = self.check_read_only(&args[0])?;
+
+                // Check the allowances argument.
+                let allowances =
+                    args[1]
+                        .match_list()
+                        .ok_or(CheckErrors::ExpectedListOfAllowances(
+                            "restrict-assets?".into(),
+                            2,
+                        ))?;
+                let allowances_read_only = self.check_each_expression_is_read_only(allowances)?;
+
+                // Check the body expressions.
+                let body_read_only = self.check_each_expression_is_read_only(&args[2..])?;
+
+                Ok(asset_owner_read_only && allowances_read_only && body_read_only)
+            }
+            AsContractSafe => {
+                check_arguments_at_least(2, args)?;
+
+                // Check the allowances argument.
+                let allowances =
+                    args[0]
+                        .match_list()
+                        .ok_or(CheckErrors::ExpectedListOfAllowances(
+                            "as-contract?".into(),
+                            1,
+                        ))?;
+                let allowances_read_only = self.check_each_expression_is_read_only(allowances)?;
+
+                // Check the body expressions.
+                let body_read_only = self.check_each_expression_is_read_only(&args[1..])?;
+
+                Ok(allowances_read_only && body_read_only)
+            }
         }
     }
 

clarity/src/vm/analysis/type_checker/v2_05/natives/mod.rs

@@ -777,12 +777,43 @@ impl TypedNativeFunction {
             IsNone => Special(SpecialNativeFunction(&options::check_special_is_optional)),
             IsSome => Special(SpecialNativeFunction(&options::check_special_is_optional)),
             AtBlock => Special(SpecialNativeFunction(&check_special_at_block)),
-            ElementAtAlias | IndexOfAlias | BuffToIntLe | BuffToUIntLe | BuffToIntBe
-            | BuffToUIntBe | IsStandard | PrincipalDestruct | PrincipalConstruct | StringToInt
-            | StringToUInt | IntToAscii | IntToUtf8 | GetBurnBlockInfo | StxTransferMemo
-            | StxGetAccount | BitwiseAnd | BitwiseOr | BitwiseNot | BitwiseLShift
-            | BitwiseRShift | BitwiseXor2 | Slice | ToConsensusBuff | FromConsensusBuff
-            | ReplaceAt | GetStacksBlockInfo | GetTenureInfo | ContractHash | ToAscii => {
+            ElementAtAlias
+            | IndexOfAlias
+            | BuffToIntLe
+            | BuffToUIntLe
+            | BuffToIntBe
+            | BuffToUIntBe
+            | IsStandard
+            | PrincipalDestruct
+            | PrincipalConstruct
+            | StringToInt
+            | StringToUInt
+            | IntToAscii
+            | IntToUtf8
+            | GetBurnBlockInfo
+            | StxTransferMemo
+            | StxGetAccount
+            | BitwiseAnd
+            | BitwiseOr
+            | BitwiseNot
+            | BitwiseLShift
+            | BitwiseRShift
+            | BitwiseXor2
+            | Slice
+            | ToConsensusBuff
+            | FromConsensusBuff
+            | ReplaceAt
+            | GetStacksBlockInfo
+            | GetTenureInfo
+            | ContractHash
+            | ToAscii
+            | RestrictAssets
+            | AsContractSafe
+            | AllowanceWithStx
+            | AllowanceWithFt
+            | AllowanceWithNft
+            | AllowanceWithStacking
+            | AllowanceAll => {
                 return Err(CheckErrors::Expects(
                     "Clarity 2+ keywords should not show up in 2.05".into(),
                 ));

clarity/src/vm/analysis/type_checker/v2_1/mod.rs

@@ -1135,7 +1135,7 @@ impl<'a, 'b> TypeChecker<'a, 'b> {
         Ok(())
     }
 
-    // Type check an expression, with an expected_type that should _admit_ the expression.
+    /// Type check an expression, with an expected_type that should _admit_ the expression.
     pub fn type_check_expects(
         &mut self,
         expr: &SymbolicExpression,
@@ -1157,7 +1157,7 @@ impl<'a, 'b> TypeChecker<'a, 'b> {
         }
     }
 
-    // Type checks an expression, recursively type checking its subexpressions
+    /// Type checks an expression, recursively type checking its subexpressions
     pub fn type_check(
         &mut self,
         expr: &SymbolicExpression,
@@ -1176,6 +1176,8 @@ impl<'a, 'b> TypeChecker<'a, 'b> {
         result
     }
 
+    /// Type checks a list of statements, ensuring that each statement is valid
+    /// and any responses before the last statement are handled.
     fn type_check_consecutive_statements(
         &mut self,
         args: &[SymbolicExpression],

clarity/src/vm/analysis/type_checker/v2_1/natives/mod.rs

@@ -39,6 +39,7 @@ mod assets;
 mod conversions;
 mod maps;
 mod options;
+pub(crate) mod post_conditions;
 mod sequences;
 
 #[allow(clippy::large_enum_variant)]
@@ -1210,6 +1211,15 @@ impl TypedNativeFunction {
                     CheckErrors::Expects("FATAL: Legal Clarity response type marked invalid".into())
                 })?,
             ))),
+            RestrictAssets => Special(SpecialNativeFunction(
+                &post_conditions::check_restrict_assets,
+            )),
+            AsContractSafe => Special(SpecialNativeFunction(&post_conditions::check_as_contract)),
+            AllowanceWithStx
+            | AllowanceWithFt
+            | AllowanceWithNft
+            | AllowanceWithStacking
+            | AllowanceAll => Special(SpecialNativeFunction(&post_conditions::check_allowance_err)),
         };
 
         Ok(out)