@vikbez vikbez commented Nov 6, 2025

Fixed incorrect operation order preventing re-upload of edited private packages.
Also added a test case for this scenario.

Collaborator

Gno2D2 commented Nov 6, 2025

🛠 PR Checks Summary

All Automated Checks passed. ✅

Manual Checks (for Reviewers):
  • IGNORE the bot requirements for this PR (force green CI check)
  • The pull request description provides enough details

🤖 This bot helps streamline PR reviews by verifying automated checks and providing guidance for contributors and reviewers.

✅ Automated Checks (for Contributors):

🟢 Maintainers must be able to edit this pull request (more info)
🟢 Pending initial approval by a review team member, or review from tech-staff

☑️ Contributor Actions:
  1. Fix any issues flagged by automated checks.
  2. Follow the Contributor Checklist to ensure your PR is ready for review.
    • Add new tests, or document why they are unnecessary.
    • Provide clear examples/screenshots, if necessary.
    • Update documentation, if required.
    • Ensure no breaking changes, or include BREAKING CHANGE notes.
    • Link related issues/PRs, where applicable.
☑️ Reviewer Actions:
  1. Complete manual checks for the PR, including the guidelines and additional checks if applicable.
📚 Resources:
Debug
Automated Checks
Maintainers must be able to edit this pull request (more info)

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 The pull request was created from a fork (head branch repo: vikbez/gno)

Then

🟢 Requirement satisfied
└── 🟢 Maintainer can modify this pull request

Pending initial approval by a review team member, or review from tech-staff

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 Not (🔴 Pull request author is a member of the team: tech-staff)

Then

🟢 Requirement satisfied
└── 🟢 If
    ├── 🟢 Condition
    │   └── 🟢 Or
    │       ├── 🔴 At least one of these user(s) reviewed the pull request: [jefft0 leohhhn n0izn0iz notJoon omarsy x1unix] (with state "APPROVED")
    │       ├── 🟢 At least 1 user(s) of the team tech-staff reviewed pull request
    │       └── 🔴 This pull request is a draft
    └── 🟢 Then
        └── 🟢 Not (🔴 This label is applied to pull request: review/triage-pending)

Manual Checks
**IGNORE** the bot requirements for this PR (force green CI check)

If

🟢 Condition met
└── 🟢 On every pull request

Can be checked by

  • Any user with comment edit permission
The pull request description provides enough details

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 Not (🔴 Pull request author is a member of the team: core-contributors)
    └── 🟢 Not (🔴 Pull request author is user: dependabot[bot])

Can be checked by

  • team core-contributors

@vikbez marked this pull request as ready for review November 10, 2025 14:13
@Gno2D2 added the review/triage-pending label (PRs opened by external contributors that are waiting for the 1st review) Nov 10, 2025
codecov bot commented Nov 10, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

Comment on lines 451 to 454
// Private packages can be re-uploaded (overwritten).
if !gm.Private {
return ErrPkgAlreadyExists("package already exists: " + pkgPath)
}
Member

Should we remove the object of the previous realm from the store?

Member

Can you also add a .txtar integration test to ensure this behaviour works on-chain?

Try making sure also that we can modify function and method signatures, and that if a method/function is removed it doesn't exist anymore.

Contributor

@mvertes mvertes left a comment

The general idea is ok, but extra care must be taken to not introduce a vulnerability.

if pv := gnostore.GetPackage(pkgPath, false); pv != nil {
return ErrPkgAlreadyExists("package already exists: " + pkgPath)
// Private packages can be re-uploaded (overwritten).
if !gm.Private {
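
Review bot: the `if !gm.Private` guard takes the overwrite decision from `gm`, which per the review below is the incoming package, although the package found in the store is `pv`, bound on the `gnostore.GetPackage(pkgPath, false)` line just above. An upload that declares itself private therefore passes this check whatever is stored at `pkgPath`. Test the stored package's flag instead (the review suggests `pv.Private`), and add a test where a private upload targets an existing non-private path and must get `ErrPkgAlreadyExists`.
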
Contributor

Careful: the Private property must be asserted on the package already present in the store, not the new one, otherwise it's a security breach, where any loaded package could be overwritten (by a private instance)!

Can you try again, this time testing pv.Private?

In this case, no need to compute gm before, as you did. The original order should still be correct.

Contributor

@ltzmaxwell ltzmaxwell Nov 13, 2025

Agree with @mvertes. Aside: should a private package only be overridden/upgraded by another private package? Maybe not, but if so, we need to check both. cc: @moul @thehowl @MikaelVallenet for more insights.

Also, it seems more reasonable and economical to check pkg existence before TypeCheckMemPackage and ParseMemPackage, so maybe the original order is more reasonable. What do you think?

@Gno2D2 removed the review/triage-pending label (PRs opened by external contributors that are waiting for the 1st review) Nov 12, 2025
…eset the original check order, use pv instead of gm for first check
Author

vikbez commented Nov 14, 2025

@thehowl are the tests you mention for function and method signatures already here?

I added the basic tests for private packages by creating addpkg_private_basic.txtar - but maybe it would be better to rename addpkg_private.txtar to addpkg_private_references.txtar and have the basic checks for the feature in addpkg_private.txtar.

I reverted the operations order, and used pv.Private instead of gm.Private.

I also added checks that prevent overwriting a public package with a private one and vice-versa, but let me know if you want me to remove that one, as private > public may be a wanted feature to have.

Also, thanks everyone for the reviews :)
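
The check discussed in this thread, modeled as an added Go example; it is not gno.land code and not part of the pull request. The types `pkg` and `store`, the functions `addFlawed` and `addChecked`, the error value and the package path are all hypothetical stand-ins.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for this example; these are not gno.land types.
type pkg struct {
	Private bool
	Body    string
}
type store map[string]pkg

var errExists = errors.New("package already exists")

// addFlawed reads the Private flag of the incoming package, so any
// upload that declares itself private replaces whatever is stored.
func addFlawed(s store, path string, in pkg) error {
	if _, ok := s[path]; ok && !in.Private {
		return errExists
	}
	s[path] = in
	return nil
}

// addChecked decides from the stored package and also refuses a
// visibility change: only private-over-private is an allowed overwrite.
func addChecked(s store, path string, in pkg) error {
	if prev, ok := s[path]; ok && !(prev.Private && in.Private) {
		return errExists
	}
	s[path] = in
	return nil
}

func main() {
	const path = "r/example/pub" // constructed path, public package stored
	flawed := store{path: {Private: false, Body: "v1"}}
	checked := store{path: {Private: false, Body: "v1"}}
	upload := pkg{Private: true, Body: "replaced"}
	fmt.Println(addFlawed(flawed, path, upload), flawed[path].Body)    // <nil> replaced
	fmt.Println(addChecked(checked, path, upload), checked[path].Body) // package already exists v1
}
```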
