Reduce gas/storage limits in nested calls

[rockbmb]

Closes #6846 .

[xermicus]

The basic idea of the 63/64 rule looks correct to me but there are many failing tests. I left some nits.

[xermicus]

This should be a doc-comment

[xermicus]

This could go into the doc-comment (which is no no-longer correct I think)

[rockbmb]

@xermicus the meters in frame::contracts::{gas, storage::meter} also need to reflect this, correct?

[athei]

Sorry if this wasn't clear: Only pallet_revive and its supporting crates should be changed. pallet_contracts should remain untouched. It does't receive any updates beyond critical bug fixes anymore. Can you roll back the changes there? Will have a deeper look then.

[rockbmb]

@athei frame/contracts changes have been reverted, thanks for explaining this.

Most of the previously failing tests were caused by the contract code of those tests using the now-removed '0 means "use all available gas"' semantic.

After fixing this, cargo test --package pallet-revive:0.1.0 --lib --all-features yields:

failures:
    benchmarking::benchmarks::bench_seal_instantiate
    tests::call_diverging_out_len_works
    tests::create1_with_value_works
    tests::delegate_call
    tests::deploy_and_call_other_contract
    tests::deposit_limit_in_nested_calls
    tests::deposit_limit_in_nested_instantiate
    tests::destroy_contract_and_transfer_funds
    tests::failed_deposit_charge_should_roll_back_call
    tests::gas_estimation_call_runtime
    tests::gas_estimation_for_subcalls
    tests::return_data_api_works
    tests::skip_transfer_works
    tests::storage_deposit_callee_works
    tests::test_debug::debugging_works

The contracts the above tests rely on have removed usages of 0 as "use all", so their failures are somewhere else.

[rockbmb]

/bot fmt

[athei]

Due to the changes here you can get rid of the fn enforce_subcall_limit() and enum Nested. They are no longer needed because we now always enforce the limit at the sub call boundry (calling fn enforce_limit unconditionally).

Apart from a few other comments it looks pretty much like what I expect. Thanks.

[rockbmb]

Due to the changes here you can get rid of the fn enforce_subcall_limit() and enum Nested. They are no longer needed because we now always enforce the limit at the sub call boundry (calling fn enforce_limit unconditionally).

If I raze enum Nested, does it make sense to

1. Remove RawMeter's 3rd type parameter S, so it becomes pub struct RawMeter<T: Config, E>
2. move all methods in impl<T: Config, E: Ext<T>> RawMeter<T, E, Nested> into impl<T, E> RawMeter<T, E, Root>

?

[athei]

The type stating is still useful for other functions than enforce_subcall_limit that are exist on the nested meter. I wasn't aware the enum I told you to delete was also for used that. So no, keep the third type parameter.

Just remove the variants of Nested (or convert to unit structure like Root) and removed the nested field from RawMeter. Just add S to the _phantom.

[rockbmb]

14 unit tests are still failing, among them

1. tests::deposit_limit_in_nested_calls, and
2. tests::deposit_limit_in_nested_instantiate

these 2 tests fail because of a ContractReverted error where StorageDepositLimitExhausted was expected.

The remaining tests fail with ContractTrapped when assert_oking the result of CallBuilder::build.
E.g. for tests::delegate_call:

assert_ok!(builder::call(caller_addr) <-- assert fails!
	.value(1337)
	.data((callee_addr, 0u64, 0u64).encode())
	.build());

⬆️ is context in case you have any insights to share - the tests all failing for the same reason must be a clue to the underlying problem.

I'll move fast so paritytech/revive#117 can continue.

[athei]

Looks good. Just some nits.

Regarding the failing tests: Your code looks correct to me. However, it is a breaking change as it prevents sub calls from using all the remaining gas which was possible before. So I assume the tests rely in one way or another on this behavior and need to be changed.

[athei]

Doc comment needs updating to reflect the new much simpler behavior: This has to be called every time a sub call returns. No special casing anymore for a 'dedicated limit'. We just removed this special casing.

[rockbmb]

This comment has been changed on my tree, and no longer contains any reference to enforce_subcall_limit.

[athei]

The rest of the comment is still stale:

/// We normally need to call this **once** for every call stack and not for every cross contract
/// call. However, if a dedicated limit is specified for a sub-call, this needs to be called

There is no special limit anymore. Also, we never call it once per call stack as stated here. We call it for every sub call now.

[rockbmb]

😵

I was wrong, thanks for clarifying.

[athei]

these 2 tests fail because of a ContractReverted error where StorageDepositLimitExhausted was expected.

This can be a bit finicky and requires some knowledge of how the error handling works in contracts to debug. The error you are asserting on here is what is returned from the root contract that is called from the transaction.

However, when this contract calls into another contract and the callee encounters an error like StorageDepositLimitExhausted it will just be returned as an error code to the caller. This is so that the caller can decide how to handle errors in sub calls rather than just reverting.

The change you made by removing enforce_subcall_limit can leadd to the situation that we fail in the sub calls context when running out of storage deposit. At least when we were passing 0. Before we delayed the check to the last frame returning and failed in the callers context. The caller probably just reverts on non-zero return codes from the sub calls. This is why you get the generic ContractReverted instead of the more detailed StorageDepositLimitExhausted.

This is actually expected and nice that it is covered by test cases. You should change the tests to adapt to the new behavior. You can see that the caller contract also returns the sub calls return code in addition to reverting. So you can check this return code in your test and are not at the mercy of the generic ContractReverted error.

[rockbmb]

You should change the tests to adapt to the new behavior. You can see that the caller contract also returns the sub calls return code in addition to reverting. So you can check this return code in your test and are not at the mercy of the generic ContractReverted error.

Thanks for clarifying this - in acfcf66 and e0c0845, both tests that threw ContractReverted are corrected.

The remaining ones throw ContractTrapped - as you said, these tests may need to be changed.

[athei]

Suggested change

	// If a special limit was set for the sub-call, we enforce it here.
	// The sub-call will be rolled back in case the limit is exhausted.
	// We are only charging the storage deposit at the end of every call stack.
	// To make sure that no sub call uses more than it is allowed we need to
	// manually enforce the limit here.

[athei]

You can remove the nested field.

Suggested change

	_phantom: PhantomData<E>,
	_phantom: PhantomData<(E, S)>,

[rockbmb]

Apologies for the force-push - I made a mistake in a commit prior to the master merge.

[rockbmb]

/cmd fmt

[github-actions]

Command "fmt" has started 🚀 See logs here

[github-actions]

Command "fmt" has finished ✅ See logs here

[rockbmb]

The only tests that still need to be addressed:

failures:
    tests::gas_estimation_for_subcalls
    tests::skip_transfer_works

[athei]

Suggested change

	let deposit_limit = if deposit_ptr == SENTINEL {
	U256::from(u64::MAX)
	} else {
	memory.read_u256(deposit_ptr)?
	};
	memory.read_u256(deposit_ptr)?

[athei]

We don't want any special handling here anymore.

[athei]

Suggested change

	let deposit_limit: U256 = if deposit_ptr == SENTINEL {
	U256::from(u64::MAX)
	} else {
	memory.read_u256(deposit_ptr)?
	};
	memory.read_u256(deposit_ptr)?

[rockbmb]

This raises OutOfBounds errors in many tests (it replaced the last 2 tests' failure ContractTrapped failure, which is progress).

Do you have an idea of what might be causing this?

[athei]

The test fixtures need to be adapted to always pass a valid pointer. SENTINEL is used to indicate a None so to say.

[rockbmb]

For example, in substrate/frame/revive/fixtures/contracts/call.rs, the deposit limit is None - this is was we want, right

[athei]

Yes. You need to change the wrapper in pallet-fixtures-uapi. It no longer takes an Option since the value is no longer optional. You then pass in U256::MAX where None was passes before.

[rockbmb]

Where there is U256::MAX, do you mean &[u8::MAX; 32], since in trait HostFn one has deposit_limit: &[u8; 32],?

Furthermore, instead of &[u8::MAX; 32], won't we want something like &[u8::MAX; 8].concat([0u8; 24]? Equivalent to U256::from(u64::MAX).
Using &[u8::MAX; 32] will raise Error::BalanceConversionFailed when the value is read from memory and converted into a Balance<T>.

[rockbmb]

I opted for (something similar to) &[0xFF; 8].concat([0u8; 24] to solve this issue.

[paritytech-workflow-stopper]

All GitHub workflows were cancelled due to failure one of the required jobs.
Failed workflow url: https://github.com/paritytech/polkadot-sdk/actions/runs/12653577226
Failed job name: fmt

[rockbmb]

@athei One question:

What is the meaning of value: 0u32.into()?
I.e. after the semantic change in the meaning of 0 introduced by this PR, should its default still be 0?

This is causing tests::gas_estimation_for_subcalls to fail when creating the storage meter for Pallet::bare_call by creating a meter with 0 limit, eventually leading to ContractTrapped.