Add READ_ONLY flag to contract call function

[smiasojed]

This PR implements the READ_ONLY flag to be used as a Callflag in the call function.
The flag indicates that the callee is restricted from modifying the state during call execution.
It is equivalent to Ethereum's STATICCALL.

[smiasojed]

bot bench substrate-pallet --pallet=pallet_contracts

[command-bot]

@smiasojed https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/6163849 was started for your command "$PIPELINE_SCRIPTS_DIR/commands/bench/bench.sh" --subcommand=pallet --runtime=dev --target_dir=substrate --pallet=pallet_contracts. Check out https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/pipelines?page=1&scope=all&username=group_605_bot to know what else is being executed currently.

Comment bot cancel 4-e1cd379c-2ad8-4462-ad01-76ff89dbf800 to cancel this command or bot cancel to cancel all commands in this pull request.

[command-bot]

@smiasojed Command "$PIPELINE_SCRIPTS_DIR/commands/bench/bench.sh" --subcommand=pallet --runtime=dev --target_dir=substrate --pallet=pallet_contracts has finished. Result: https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/6163849 has finished. If any artifacts were generated, you can download them from https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/6163849/artifacts/download.

[smiasojed]

bot bench substrate-pallet --pallet=pallet_contracts

[command-bot]

@smiasojed "$PIPELINE_SCRIPTS_DIR/commands/bench/bench.sh" --subcommand=pallet --runtime=dev --target_dir=substrate --pallet=pallet_contracts (https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/6165184) was cancelled in #4418 (comment)

[smiasojed]

bot cancel 5-a1be7227-1f82-4a82-9891-dfc753222de3

[command-bot]

@smiasojed Command "$PIPELINE_SCRIPTS_DIR/commands/bench/bench.sh" --subcommand=pallet --runtime=dev --target_dir=substrate --pallet=pallet_contracts has finished. Result: https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/6165184 has finished. If any artifacts were generated, you can download them from https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/6165184/artifacts/download.

[smiasojed]

@athei I assumed that chain_extension calls the API over the Ext trait, so read-only protection in the Ext implementation is good enough, please comment
Another option is to extend Ext trait with fn is_read_only(&self) -> bool so the chain_extension is aware of the read_only context.

[smiasojed]

bot bench substrate-pallet --pallet=pallet_contracts

[command-bot]

@smiasojed https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/6168456 was started for your command "$PIPELINE_SCRIPTS_DIR/commands/bench/bench.sh" --subcommand=pallet --runtime=dev --target_dir=substrate --pallet=pallet_contracts. Check out https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/pipelines?page=1&scope=all&username=group_605_bot to know what else is being executed currently.

Comment bot cancel 1-461002b6-0e9a-417d-86f9-dad7ecaae79a to cancel this command or bot cancel to cancel all commands in this pull request.

[command-bot]

@smiasojed Command "$PIPELINE_SCRIPTS_DIR/commands/bench/bench.sh" --subcommand=pallet --runtime=dev --target_dir=substrate --pallet=pallet_contracts has finished. Result: https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/6168456 has finished. If any artifacts were generated, you can download them from https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/6168456/artifacts/download.

[athei]

Some further ideas:

1. Maybe move the checks from Ext to Runtime. I think it is easier to understand because the checks are per host function and that way we error out as early as possible. You could even implement this as attribute on the macro making it declarative. Having checks sprinkled around Ext seems not the best approach.

2. I think there is no difference in how reentrancy and read_only is inherited. Can you unify them in one bit field? You may need to invert allow_reentrancy to make this happen.

[athei]

@athei I assumed that chain_extension calls the API over the Ext trait, so read-only protection in the Ext implementation is good enough, please comment Another option is to extend Ext trait with fn is_read_only(&self) -> bool so the chain_extension is aware of the read_only context.

Yes it needs to be exposed on the Ext and chain extensions need to check it. With my comment above you need to expose it anyways if we move checks to the Runtime.

[xermicus]

Another detail if we want to mimic EVM STATICCALL semantics in full: STATICCALLs to accounts without code (e.g. call with the static flag set and no value) should succeed.

Note that an account with no code will return success as true (1).

(To clarify, EVM does balance transfers via calls to EOA. So in general, calls to EOA don't fail)

[athei]

This is a general difference we have to Ethereum that is independent of STATICCCAL. We don't allow balance transfers to plain account via seal_call. We need to add this behaviour in order to support revive. But not on this PR and probably only after the fork since it is not needed for ink!.

[pgherveou]

@smiasojed sorry for the new merge conflicts 😅
Let me know when this is ready for a final review

[smiasojed]

@smiasojed sorry for the new merge conflicts 😅 Let me know when this is ready for a final review

@pgherveou conflicts resolved

[pgherveou]

lgtm

[pgherveou]

all these diffs added every time we add a parameter are a bit annoying,
when we get a chance, we should add builder, like we did in test_utils/builder.rs,

[smiasojed]

bot bench substrate-pallet --pallet=pallet_contracts

[command-bot]

@smiasojed https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/6328539 was started for your command "$PIPELINE_SCRIPTS_DIR/commands/bench/bench.sh" --subcommand=pallet --runtime=dev --target_dir=substrate --pallet=pallet_contracts. Check out https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/pipelines?page=1&scope=all&username=group_605_bot to know what else is being executed currently.

Comment bot cancel 2-edb30dc9-0c17-49be-bbbc-50a7061cbb08 to cancel this command or bot cancel to cancel all commands in this pull request.

[command-bot]

@smiasojed Command "$PIPELINE_SCRIPTS_DIR/commands/bench/bench.sh" --subcommand=pallet --runtime=dev --target_dir=substrate --pallet=pallet_contracts has finished. Result: https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/6328539 has finished. If any artifacts were generated, you can download them from https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/6328539/artifacts/download.

[athei]

As stated before: We can't return that early here. This codes runs before we charge the gas for the host function call invocation itself. This has to be charged even if no work has been performed. You have to move down this statement after:

polkadot-sdk/substrate/frame/contracts/proc-macro/src/lib.rs

Lines 708 to 711 in 89604da

	// Charge gas for host function execution.
	__caller__.data_mut().charge_gas(crate::wasm::RuntimeCosts::HostFn)
	.map_err(TrapReason::from)
	.map_err(#into_host)?;

[smiasojed]

I agree, but my understanding is that the gas charge charge_gas(crate::wasm::RuntimeCosts::HostFn) is added before function body (mutating check is added to the function body)
Expanded:

                                    __caller__
                                        .data_mut()
                                        .charge_gas(crate::wasm::RuntimeCosts::HostFn)
                                        .map_err(TrapReason::from)
                                        .map_err(|reason| { ::wasmi::core::Trap::from(reason) })?;
                                    let mut func = || -> Result<(), TrapReason> {
                                        let (memory, ctx) = __caller__
                                            .data()
                                            .memory()
                                            .expect("Memory must be set when setting up host data; qed")
                                            .data_and_store_mut(&mut __caller__);
                                        let result = {
                                            if ctx.ext().is_read_only() {
                                                return Err(Error::<E::T>::StateChangeDenied.into());
                                            }
                                            ctx.set_storage(
                                                    memory,
                                                    KeyType::Fix,
                                                    key_ptr,
                                                    value_ptr,
                                                    value_len,
                                                )
                                                .map(|_| ())
                                        };

[athei]

Ahh yes. Can you add a test that makes sure this weight is charged when erroring out early?

[smiasojed]

I tried to test it using fixture:

pub extern "C" fn call() {
	input!(n: u32, );

	match n {
		0 => unsafe {core::ptr::read_volatile(core::ptr::null())},
		_ => api::set_storage(&[1u8; 32], &[1u8; 1]),
	}
}

The fixture is called with n equal to 0 and 1. Both calls result in a trap, but the difference is more significant than just the host function call cost because (I assume) the WASMI execution time differs for both cases. The difference is the host function call cost plus 15%.
HostFn ref_time is 72994

[athei]

You can call the tokens function on the gas meter to check which tokens were charged.

[smiasojed]

As discussed in priv, we do not have access to gas_meter in our tests. We could add such functionality to our tests to trace gas metering more deeply during testing. This will be implemented as a separate PR.

[athei]

You have to bump the ApiVersion and then we are good to go.