PLT-1034 Fixed SealedBidAuction failing quickcheck test case.

* Fixed the SealedBidAuction failing quickcheck test case

* Documented the issue concerning validity intervals and outlined the
  issue with cardano-ledger.

* Added a global limit of 100 for number of generated test cases for
  quickcheck. This can be override on individual property tests using
  'withMaxSuccess'.

* Added a test case for Crowdfunding to verify that we can't make a
  contribution if the deadline is elapsed.

Author: koslambrou

plutus-use-cases/src/Plutus/Contracts.hs

@@ -43,12 +43,31 @@ inputs.
 
 {- Note [Validity Interval's upper bound]
 
-During the transition from plutus validation rules to cardano-ledger validation rules
-we have found that the cardan-ledger has a problem with validity interval's upper bound.
+During the transition from `plutus-apps` ledger validation rules to
+`cardano-ledger` validation rules we have found that the `cardano-ledger` has a
+problem with the translation from the transaction's upper bound slot to the
+'TxInfo' validity range upper bound time. By definition, as given by the ledger
+specification, the upper bound should be open (exclusive) but they convert it
+as a closed bound.
 
-They don't convert it properly. By definition the top should be open but they convert it as
-a closed bound. Because of that we have to do double 'pred' or '-2' operation to make
+We encountered this issue by getting a Phase 2 validation error when doing:
+
+@
+  txValidityTimeRange `contains` txInfoValidRange scriptContextTxInfo
+@
+
+in a Plutus validation script if 'txValidityTimeRange' does not define a lower
+bound (using 'NegInf').
+
+Because of that, we have to do 'pred . pred'  or '-2' operation to make the
 'to' function behaviour as expected.
+For more info on the bug, see https://github.com/input-output-hk/cardano-ledger/issues/3043.
+Note that this bug will be fixed in a future HF (next HF after Vasil -> PlutusV3 or later).
 
-https://github.com/input-output-hk/cardano-ledger/issues/3043
+IMPORTANT OUTLINE: This bug is ONLY triggered in the following conditions:
+* you submit a transaction which tries to spend a script output or mints a value
+* the transaction does not define a lower bound (uses 'NegInf')
+* the transaction's Plutus script does a comparison between a provided time
+  range with the 'TxInfo' valid range. Something like:
+  'txValidityTimeRange `contains` txInfoValidRange scriptContextTxInfo'
 -}

plutus-use-cases/src/Plutus/Contracts/Crowdfunding.hs

@@ -59,6 +59,7 @@ import Ledger (PaymentPubKeyHash (unPaymentPubKeyHash), getCardanoTxId)
 import Ledger qualified
 import Ledger.Ada qualified as Ada
 import Ledger.Constraints qualified as Constraints
+import Ledger.Interval (Extended (NegInf), Interval (Interval), LowerBound (LowerBound))
 import Ledger.Interval qualified as Interval
 import Ledger.TimeSlot qualified as TimeSlot
 import Ledger.Typed.Scripts qualified as Scripts hiding (validatorHash)
@@ -123,8 +124,9 @@ mkCampaign ddl collectionDdl ownerWallet =
 {-# INLINABLE collectionRange #-}
 collectionRange :: Campaign -> PV1.POSIXTimeRange
 collectionRange cmp =
-    -- We have to subtract '2', see Note [Validity Interval's upper bound]
-    Interval.interval (campaignDeadline cmp) (campaignCollectionDeadline cmp - 2)
+    Interval
+        (Interval.lowerBound $ campaignDeadline cmp)
+        (Interval.strictUpperBound $ campaignCollectionDeadline cmp)
 
 -- | The 'POSIXTimeRange' during which a refund may be claimed
 {-# INLINABLE refundRange #-}
@@ -206,9 +208,11 @@ contribute cmp = endpoint @"contribute" $ \Contribution{contribValue} -> do
     logInfo @Text $ "Contributing " <> Text.pack (Haskell.show contribValue)
     contributor <- ownFirstPaymentPubKeyHash
     let inst = typedValidator cmp
+        validityTimeRange =
+            Interval (LowerBound NegInf True)
+                     (Interval.strictUpperBound $ campaignDeadline cmp)
         tx = Constraints.mustPayToTheScriptWithDatumInTx contributor contribValue
-                -- We have to subtract '2', see Note [Validity Interval's upper bound]
-                <> Constraints.mustValidateIn (Interval.to (campaignDeadline cmp))
+                <> Constraints.mustValidateIn validityTimeRange
     txid <- fmap getCardanoTxId $ mkTxConstraints (Constraints.typedValidatorLookups inst) tx
         >>= adjustUnbalancedTx >>= submitUnbalancedTx
 

plutus-use-cases/src/Plutus/Contracts/Escrow.hs

@@ -292,24 +292,28 @@ redeem ::
     -> Contract w s e RedeemSuccess
 redeem inst escrow = mapError (review _EscrowError) $ do
     let addr = Scripts.validatorAddress inst
-    current <- currentTime
     unspentOutputs <- utxosAt addr
-    let
-        -- We have to do 'pred' twice, see Note [Validity Interval's upper bound]
-        valRange = Interval.to (Haskell.pred $ Haskell.pred $ escrowDeadline escrow)
-        tx = Constraints.collectFromTheScript unspentOutputs Redeem
-                <> foldMap mkTx (escrowTargets escrow)
-                <> Constraints.mustValidateIn valRange
+    current <- currentTime
     if current >= escrowDeadline escrow
     then throwing _RedeemFailed DeadlinePassed
     else if foldMap (view Tx.ciTxOutValue) unspentOutputs `lt` targetTotal escrow
-         then throwing _RedeemFailed NotEnoughFundsAtAddress
-         else do
-           utx <- mkTxConstraints ( Constraints.typedValidatorLookups inst
-                                 <> Constraints.unspentOutputs unspentOutputs
-                                  ) tx
-           adjusted <- adjustUnbalancedTx utx
-           RedeemSuccess . getCardanoTxId <$> submitUnbalancedTx adjusted
+    then throwing _RedeemFailed NotEnoughFundsAtAddress
+    else do
+      let
+          -- Correct validity interval should be:
+          -- @
+          --   Interval (LowerBound NegInf True) (Interval.scriptUpperBound $ escrowDeadline escrow)
+          -- @
+          -- See Note [Validity Interval's upper bound]
+          validityTimeRange = Interval.to (Haskell.pred $ Haskell.pred $ escrowDeadline escrow)
+          tx = Constraints.collectFromTheScript unspentOutputs Redeem
+                  <> foldMap mkTx (escrowTargets escrow)
+                  <> Constraints.mustValidateIn validityTimeRange
+      utx <- mkTxConstraints ( Constraints.typedValidatorLookups inst
+                            <> Constraints.unspentOutputs unspentOutputs
+                             ) tx
+      adjusted <- adjustUnbalancedTx utx
+      RedeemSuccess . getCardanoTxId <$> submitUnbalancedTx adjusted
 
 newtype RefundSuccess = RefundSuccess TxId
     deriving newtype (Haskell.Eq, Haskell.Show, Generic)

plutus-use-cases/src/Plutus/Contracts/Governance.hs

@@ -181,9 +181,14 @@ transition Params{..} State{ stateData = s, stateValue} i = case (s, i) of
 
     (GovState law mph (Just (Voting p oldMap)), AddVote tokenName vote) ->
         let newMap = AssocMap.insert tokenName vote oldMap
+            -- Correct validity interval should be:
+            -- @
+            --   Interval (LowerBound NegInf True) (Interval.scriptUpperBound $ votingDeadline p)
+            -- @
+            -- See Note [Validity Interval's upper bound]
+            validityTimeRange = Interval.to (votingDeadline p - 2)
             constraints = ownsVotingToken mph tokenName
-                        -- We have to subtract '2', see Note [Validity Interval's upper bound]
-                        <> Constraints.mustValidateIn (Interval.to (votingDeadline p - 2))
+                        <> Constraints.mustValidateIn validityTimeRange
         in Just (constraints, State (GovState law mph (Just (Voting p newMap))) stateValue)
 
     (GovState oldLaw mph (Just (Voting p votes)), FinishVoting) ->

plutus-use-cases/src/Plutus/Contracts/MultiSigStateMachine.hs

@@ -221,9 +221,14 @@ transition params State{ stateData =s, stateValue=currentValue} i = case (s, i)
     (CollectingSignatures payment pkh, Pay)
         | proposalAccepted params pkh ->
             let Payment{paymentAmount, paymentRecipient, paymentDeadline} = payment
+                -- Correct validity interval should be:
+                -- @
+                --   Interval (LowerBound NegInf True) (Interval.scriptUpperBound $ paymentDeadline p)
+                -- @
+                -- See Note [Validity Interval's upper bound]
+                validityTimeRange = Interval.to $ paymentDeadline - 2
                 constraints =
-                    -- We have to subtract '2', see Note [Validity Interval's upper bound]
-                    Constraints.mustValidateIn (Interval.to $ paymentDeadline - 2)
+                    Constraints.mustValidateIn validityTimeRange
                     <> Constraints.mustPayToPubKey paymentRecipient paymentAmount
                 newValue = currentValue - paymentAmount
             in Just ( constraints

plutus-use-cases/src/Plutus/Contracts/SealedBidAuction.hs

@@ -37,6 +37,7 @@ import Ledger (POSIXTime, PaymentPubKeyHash, Value)
 import Ledger.Ada qualified as Ada
 import Ledger.Constraints qualified as Constraints
 import Ledger.Constraints.TxConstraints (TxConstraints)
+import Ledger.Interval (Interval (Interval))
 import Ledger.Interval qualified as Interval
 import Ledger.Typed.Scripts qualified as Scripts
 import Ledger.Value qualified as Value
@@ -175,8 +176,13 @@ auctionTransition AuctionParams{apOwner, apAsset, apEndTime, apPayoutTime} State
     -- A new bid is placed, a bidder is only allowed to bid once
     (Ongoing bids, PlaceBid bid)
       | sealedBidBidder bid `notElem` map sealedBidBidder bids ->
-        -- We have to subtract '2', see Note [Validity Interval's upper bound]
-        let constraints = Constraints.mustValidateIn (Interval.to $ apEndTime - 2)
+        -- Correct validity interval should be:
+        -- @
+        --   Interval (LowerBound NegInf True) (Interval.scriptUpperBound apEndTime)
+        -- @
+        -- See Note [Validity Interval's upper bound]
+        let validityTimeRange = Interval.to $ apEndTime - 2
+            constraints = Constraints.mustValidateIn validityTimeRange
             newState =
               State
                   { stateData  = Ongoing (bid:bids)
@@ -187,8 +193,11 @@ auctionTransition AuctionParams{apOwner, apAsset, apEndTime, apPayoutTime} State
     -- The first bid is revealed
     (Ongoing bids, RevealBid bid)
       | sealBid bid `elem` bids ->
-        -- We have to subtract '2', see Note [Validity Interval's upper bound]
-        let constraints = Constraints.mustValidateIn (Interval.interval apEndTime (apPayoutTime - 2))
+        let validityTimeRange =
+                Interval
+                    (Interval.lowerBound apEndTime)
+                    (Interval.strictUpperBound apPayoutTime)
+            constraints = Constraints.mustValidateIn validityTimeRange
             newState =
               State
                   { stateData  = AwaitingPayout bid (filter (/= sealBid bid) bids)
@@ -212,8 +221,13 @@ auctionTransition AuctionParams{apOwner, apAsset, apEndTime, apPayoutTime} State
     (AwaitingPayout highestBid sealedBids, RevealBid bid)
       | revealedBid bid > revealedBid highestBid
         && sealBid bid `elem` sealedBids ->
-        -- We have to subtract '2', see Note [Validity Interval's upper bound]
-        let constraints = Constraints.mustValidateIn (Interval.to $ apPayoutTime - 2)
+        -- Correct validity interval should be:
+        -- @
+        --   Interval (LowerBound NegInf True) (Interval.scriptUpperBound apPayoutTime)
+        -- @
+        -- See Note [Validity Interval's upper bound]
+        let validityTimeRange = Interval.to $ apPayoutTime - 2
+            constraints = Constraints.mustValidateIn validityTimeRange
                         <> Constraints.mustPayToPubKey (revealedBidBidder highestBid) (valueOfBid highestBid)
             newState =
               State

plutus-use-cases/src/Plutus/Contracts/SimpleEscrow.hs

@@ -125,7 +125,11 @@ validate params action ScriptContext{scriptContextTxInfo=txInfo} =
 -- requirement that the transaction validates before the 'deadline'.
 lockEp :: Promise () EscrowSchema EscrowError ()
 lockEp = endpoint @"lock" $ \params -> do
-  -- We have to do 'pred' twice, see Note [Validity Interval's upper bound]
+  -- Correct validity interval should be:
+  -- @
+  --   Interval (LowerBound NegInf True) (Interval.scriptUpperBound $ deadline params)
+  -- @
+  -- See Note [Validity Interval's upper bound]
   let valRange = Interval.to (Haskell.pred $ Haskell.pred $ deadline params)
       tx = Constraints.mustPayToTheScriptWithDatumInTx params (paying params)
             <> Constraints.mustValidateIn valRange
@@ -143,9 +147,14 @@ redeemEp = endpoint @"redeem" redeem
       unspentOutputs <- utxosAt escrowAddress
 
       let value = foldMap (view Tx.ciTxOutValue) unspentOutputs
+          -- Correct validity interval should be:
+          -- @
+          --   Interval (LowerBound NegInf True) (Interval.scriptUpperBound $ deadline params)
+          -- @
+          -- See Note [Validity Interval's upper bound]
+          validityTimeRange = Interval.to (Haskell.pred $ Haskell.pred $ deadline params)
           tx = Constraints.collectFromTheScript unspentOutputs Redeem
-                      -- We have to do 'pred' twice, see Note [Validity Interval's upper bound]
-                      <> Constraints.mustValidateIn (Interval.to (Haskell.pred $ Haskell.pred $ deadline params))
+                      <> Constraints.mustValidateIn validityTimeRange
                       -- Pay me the output of this script
                       <> Constraints.mustPayToPubKey pk value
                       -- Pay the payee their due

plutus-use-cases/test/Spec.hs

@@ -25,19 +25,22 @@ import Spec.Vesting qualified
 
 import Test.Tasty
 import Test.Tasty.Hedgehog (HedgehogTestLimit (..))
+import Test.Tasty.QuickCheck (QuickCheckTests (QuickCheckTests))
 
 main :: IO ()
 main = defaultMain tests
 
--- | Number of successful tests for each hedgehog property.
---   The default is 100 but we use a smaller number here in order to speed up
---   the test suite.
---
-limit :: HedgehogTestLimit
-limit = HedgehogTestLimit (Just 5)
+-- | Number of successful tests for each property test.
+-- You can override this number for a specific property test by using
+-- 'Test.Tasty.Quickcheck.withMaxSuccess'.
+limit :: Int
+limit = 100
 
 tests :: TestTree
-tests = localOption limit $ testGroup "use cases" [
+tests =
+    localOption (HedgehogTestLimit (Just $ fromIntegral limit))
+  $ localOption (QuickCheckTests limit)
+  $ testGroup "use cases" [
     Spec.Crowdfunding.tests,
     Spec.Vesting.tests,
     Spec.ErrorHandling.tests,

plutus-use-cases/test/Spec/Auction.hs

@@ -363,10 +363,8 @@ tests =
             .&&. walletFundsChange w2 (inv (Ada.toValue trace2WinningBid) <> theToken)
             .&&. walletFundsChange w3 mempty)
             auctionTrace2
-        , testProperty "QuickCheck property FinishAuction" $
-            withMaxSuccess 100 prop_FinishAuction
-        , testProperty "QuickCheck property Auction" $
-            withMaxSuccess 100 prop_Auction
+        , testProperty "QuickCheck property FinishAuction" prop_FinishAuction
+        , testProperty "QuickCheck property Auction" prop_Auction
         , testProperty "NLFP fails" $ expectFailure $ noShrinking prop_NoLockedFunds
         , testProperty "prop_Reactive" $
             withMaxSuccess 1000 (propSanityCheckReactive @AuctionModel)

plutus-use-cases/test/Spec/Crowdfunding.hs

@@ -88,6 +88,18 @@ tests = testGroup "crowdfunding"
         (walletFundsChange w1 (Ada.adaValueOf 22.5))
         successfulCampaign
 
+    , checkPredicate "cannot make contribution after campaign dealine"
+        (walletFundsChange w1 PlutusTx.zero
+        .&&. assertFailedTransaction (\_ err ->
+            case err of
+                Ledger.CardanoLedgerValidationError msg ->
+                    "OutsideValidityIntervalUTxO" `Text.isInfixOf` msg
+                _ -> False
+            ))
+        $ do
+            void $ Trace.waitUntilSlot $ Slot 20
+            makeContribution w1 (Ada.adaValueOf 10)
+
     , checkPredicate "cannot collect money too late"
         (walletFundsChange w1 PlutusTx.zero
         .&&. assertFailedTransaction (\_ err ->
@@ -159,8 +171,7 @@ tests = testGroup "crowdfunding"
 
     -- TODO: Linked to https://github.com/input-output-hk/plutus-apps/issues/754
     -- Re-activate once issue is resolved
-    -- , testProperty "QuickCheck ContractModel" $ withMaxSuccess 100 prop_Crowdfunding
-
+    -- , testProperty "QuickCheck ContractModel" prop_Crowdfunding
     ]
 
     where