Unsafe error handling about mir HOT 2 CLOSED

Good point Denis. I did think about this and error handling is implemented at Node level through the WorkErrorNotifier (adapted from the original implementation). In a nutshell, if the Protocol module panics, the code that is performing the actual execution catches the panic and returns an error saying "Protocol implementation panicked (because XYZ)". Note that this is unavoidable in any case, since the protocol implementation is, in some cases, supposed to be provided by the user (of Mir) and we thus need to count on it panicking any time. But a panic in the protocol can only ever occur due to a bug in the implementation, never due to malicious input. The protocol must ensure that. The lines you linked cannot be reached unless there is a bug in the implementation.

That being said, the current implementation of ISS is still ongoing and not all inputs are properly sanitized yet. I can imagine that at this stage the protocol could be made to panic by sending it a maliciously crafted message. This should not be the case for a final implementation.

Defining such a policy, however, still makes very good sense and it could be part of a sort of "Protocol Implementation Guide" that describes how a new Protocol module should be implemented. I created an issue (#40) for that.

from mir.

Picking this up again. Let us just remove explicit panics from module implementations (can be found by grep -iE 'panic' pkg/*/*.go) for now, replace them by returned errors whenever appropriate, and close this issue. And later go on and address #40 .

from mir.