randtxn custom max gas

[zjma]

Description

• Support attribute #[randomness(max_gas=<x>)] and build it into module info.
• Introduce a new on-chain flag randomness_api_v0_config::AllowCustomMaxGasFlag.
• When AllowCustomMaxGasFlag is on, if max_gas is set in randomness attribute, use it as the required gas amount instead of the default value 10000.

Type of Change

• New feature
• Tests

Which Components or Systems Does This Change Impact?

• Move/Aptos Virtual Machine
• Aptos Framework
• Aptos CLI/SDK

How Has This Been Tested?

New smoke tests in testsuite/smoke-test/src/randomness/entry_func_attrs.rs.

Key Areas to Review

Please start review with the smoke test in testsuite/smoke-test/src/randomness/entry_func_attrs.rs and confirm the assertions made there.

Checklist

• I have read and followed the CONTRIBUTING doc
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I identified and added all stakeholders and component owners affected by this change as reviewers
• I tested both happy and unhappy path of the functionality
• I have made corresponding changes to the documentation

[trunk-io]

⏱️ 26h 35m total CI duration on this PR

Job	Cumulative Duration	Recent Runs
rust-smoke-tests	3h 26m	⬜ ⬜ 🟩 🟩 🟩 (+2 more)
rust-targeted-unit-tests	3h 9m	⬜ ⬜ 🟩 🟩 🟩 (+4 more)
execution-performance / single-node-performance	2h 56m	🟩 🟩 🟩 🟩 🟩 (+2 more)
forge-framework-upgrade-test / forge	2h 28m	🟩 🟥 🟩
rust-move-unit-coverage	2h 1m	🟩 🟩 🟩 🟩 🟩 (+2 more)
rust-move-tests	1h 43m	🟩 🟩 🟩 🟩 🟩 (+5 more)
forge-e2e-test / forge	1h 38m	⬜ ⬜ 🟩 🟩 🟩 (+2 more)
rust-images / rust-all	1h 36m	🟩 🟩 🟩 🟩 🟩 (+2 more)
forge-compat-test / forge	1h 31m	🟩 ⬜ 🟩 🟩 🟩 (+2 more)
windows-build	1h 25m	🟩 🟩
cli-e2e-tests / run-cli-tests	52m	🟩 ⬜ 🟥 🟩 🟩 (+2 more)
rust-lints	41m	🟥 🟩 🟩 🟩 🟩 (+3 more)
run-tests-main-branch	39m	🟩 🟩 🟩 🟩 🟩 (+4 more)
rust-build-cached-packages	27m	🟩 🟩 🟩 🟩 🟩 (+1 more)
check	24m	🟩 🟩 🟩 🟩 🟩 (+1 more)
test-target-determinator	22m	🟩 🟩 🟩 🟩 🟩 (+1 more)
execution-performance / test-target-determinator	21m	🟩 🟩 🟩 🟩 🟩 (+1 more)
general-lints	14m	🟩 🟩 🟩 🟩 🟩 (+3 more)
indexer-grpc-e2e-tests / test-indexer-grpc-docker-compose	12m	🟩 🟩 🟩 🟥 🟩 (+2 more)
check-dynamic-deps	11m	🟩 🟩 🟩 🟩 🟩 (+3 more)
node-api-compatibility-tests / node-api-compatibility-tests	6m	🟩 🟩 🟩 🟩 🟩 (+2 more)
semgrep/ci	4m	🟩 🟩 🟩 🟩 🟩 (+5 more)
file_change_determinator	2m	🟩 🟩 🟩 🟩 🟩 (+5 more)
file_change_determinator	2m	🟩 🟩 🟩 🟩 🟩 (+4 more)
file_change_determinator	1m	🟩 🟩 🟩 🟩 🟩 (+2 more)
permission-check	36s	🟩 🟩 🟩 🟩 🟩 (+5 more)
permission-check	32s	🟩 🟩 🟩 🟩 🟩 (+5 more)
permission-check	29s	🟩 🟩 🟩 🟩 🟩 (+5 more)
permission-check	26s	🟩 🟩 🟩 🟩 🟩 (+5 more)
permission-check	23s	🟩 🟩 🟩 🟩 🟩 (+2 more)
determine-docker-build-metadata	20s	🟩 🟩 🟩 🟩 🟩 (+2 more)

🚨 2 jobs on the last run were significantly faster/slower than expected

Job	Duration	vs 7d avg	Delta
forge-compat-test / forge	18m	14m
windows-build	49m	39m

_{settings ⋅ feedback ⋅ docs ⋅ learn more about trunk.io}

[codecov]

Codecov Report

Attention: Patch coverage is 10.65574% with 109 lines in your changes are missing coverage. Please review.

Project coverage is 57.5%. Comparing base (e54d82f) to head (5d1c6f1).
Report is 8 commits behind head on main.

Files	Patch %	Lines
aptos-move/framework/src/extended_checks.rs	23.6%	42 Missing ⚠️
aptos-move/framework/src/module_metadata.rs	0.0%	16 Missing ⚠️
aptos-move/aptos-vm/src/aptos_vm.rs	0.0%	14 Missing ⚠️
aptos-move/aptos-vm/src/randomness_config.rs	0.0%	12 Missing ⚠️
aptos-move/aptos-vm/src/verifier/randomness.rs	0.0%	12 Missing ⚠️
...es/src/on_chain_config/randomness_api_v0_config.rs	0.0%	10 Missing ⚠️
types/src/move_utils/as_move_value.rs	0.0%	3 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main   #13269       +/-   ##
===========================================
- Coverage    71.9%    57.5%    -14.4%     
===========================================
  Files        2315      833     -1482     
  Lines      454561   198666   -255895     
===========================================
- Hits       326875   114281   -212594     
+ Misses     127686    84385    -43301     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[georgemitenkov]

Why do we use structs for configs and not Features? What is the difference?

[zjma]

Im just leaning to putting related configs close to each other.

[georgemitenkov]

I think features are cleaner. Imagine we have more and more features and everyone adds a new struct for those... this can quickly become a mess. Either you have a config stored as vector<u8>, e.g. gas schedule, which has multiple fields which evolve, or a feature flag. Otherwise this stays forever...

cc @vgao1996 @msmouse who are feature-pros

[msmouse]

I prefer a normal feature flag in this case as well.

[zjma]

if the flag was controlling an entire standalone feature, it makes more sense for the flag to live in the feature flag vec.

But in this case, technically it is part of another config which has been separated out.

[zjma]

I also found the features flag vec is very limited: it only support boolean flags, but more and more features need configs like this:

enum FeatureXConfig {
    Off,
    OnMode1 { limit_a0: u64 },
    OnMode2 { limit_a1: u64, threshold_b: u64 },
}

[zjma]

It's true that we could have foreseen this situation and merged RequiredGasDeposit and this new flag into a single struct. Unfortunately we didn't...

Anyway, nothing stops new config structs to be added for other features, so having an extra one here is fine?

Would like to continue with the current implementation, if you don't mind :)

[georgemitenkov]

Feature flags are only for booleans, yes. If you need the config like you want above, with options and fields, there are two ways:

1. Define a rust struct which is initialised based on boolean flags. Please check how VMConfig or VerifierConfig are created. They have built-in values which we can upgrade per release, and also use feature flags to make stricter.
2. Have a config stored on chain as a serialized vector blob. Our gas schedule is exactly that, it is just an enum of BTreeMaps. This way new versions can be added, and new gas params. Another example:

   aptos-core/aptos-move/aptos-vm-types/src/storage/io_pricing.rs

   Line 234 in c729bc3

   pub enum IoPricing {

   initialized based on gas feature version. Another example:

   aptos-core/types/src/block_executor/config.rs

   Line 21 in c729bc3

   #[derive(Clone, Debug, Deserialize, Serialize)]

   , but seems like it is not initialized from on-chain yet. But this is a good one:

   aptos-core/types/src/on_chain_config/execution_config.rs

   Line 12 in c729bc3

   pub enum OnChainExecutionConfig {

   .

[georgemitenkov]

Use ?, not unwrap? This function fails on module loading so we should return an error

[zjma]

i don't know if changing it now breaks compatibility... current code has been shipped with 1.12.

[zjma]

anyway, why is it not fine to have this function focus on required deposit calculation?
if module loading failed, other existing steps should catch it anyway?

[georgemitenkov]

I don't like relying on "other existing steps"... we do not have clear semantics of what are the next steps, and this can bite us in the future. It is ok here, I guess...

[georgemitenkov]

nit:

self.allow_...gas.then(annotation.max_gas).flatten().unwrap_or(default_gas_amount)

[georgemitenkov]

Isn't a feature flag cleaner? Why have a single struct like that?

[zjma]

i thought about it, but putting related configs close to each other also has its benefit...

[georgemitenkov]

What is the benefit? We have more and more different configs we have to load from storage. I think it is better to have everything in one place, so no errors can be made. We have features, and it is clear what is enabled what is disabled.

[zekun000]

seems people prefer feature flag more than the bool value resource?

[zekun000]

nit: it's allow rand contract not the txn to custom max gas?

[zekun000]

it probably should be less than the maximum gas we allowed, as least in the error message

[zjma]

but that limit is an on-chain config that's hard to know at compile time?

[zekun000]

yes, that's why I only suggested changing error message lol

[zjma]

what's the exact error msg in your mind?

[zekun000]

less than maximum_number_of_gas_units allowed?

[zjma]

how would dev figure out maximum_number_of_gas_units?

[zekun000]

I don't know, we can also just put aptos_global_constants::MAX_GAS_AMOUNT here, but anyway it's weird since it only errors out when it exceeds u64::max

[zjma]

if dev specifies u64::max + 1, it's surely won't work because we use u64 to represent gas amount throughout the codebase.

If dev specifies u64::max - 1, one will not be sure if it will work at compile time, depending on on-chain gas params. So it should be a runtime error?

[zekun000]

this may not be very clear to user, how about "gas_deposit"?

[zjma]

no way the keyword itself will be self-explanatory. we should rely on the documentation?

[zekun000]

we should have both, but isn't "gas_deposit" better? maybe it's just me

[zjma]

gas_deposit sounds more like implementation details of undergasing prevention, which dev doesn't need to know?

[zekun000]

this is the amount that user needs to deposit? but I don't feel very strongly

[zjma]

yeah, let's just explain more in the doc.

[georgemitenkov]

I would like to have more thoughts on how randomness configs are organised. Do we plan to add more things? Do we plan to update them often?

I think designs similar to execution configs, or gas schedule are the best because they will allow you to have a single rust struct and also a single on-chain resource, as well as version and mutate it. Having multiple configs scattered around the code makes reasoning harder. I do not think we should do it.

[georgemitenkov]

This should go into separate file, it's ok for now but please add a TODO. For example, you can put it in types where you define randomness OnChainConfig

[zjma]

fixed, but something still has to stay inside crate aptos-vm because fetch requires a resolver: &impl AptosMoveResolver which is only available in this crate.

[georgemitenkov]

Btw, you can use &impl ConfigStorage trait and move it out (not too important I guess). The only reason why resolver is used is because we have one config which is inside resource group

[georgemitenkov]

This can also be factored out to that helper config file, VM only needs to know how to create a randomness config, but not the exact resources it has to fetch. Gas schedule is a good example for that.

[zjma]

fixed

[georgemitenkov]

I don't like relying on "other existing steps"... we do not have clear semantics of what are the next steps, and this can bite us in the future. It is ok here, I guess...

[github-actions]

✅ Forge suite realistic_env_max_load success on 5d1c6f1851335094559a52ab7d8751ef2b283fb9

two traffics test: inner traffic : committed: 7969.524154277345 txn/s, latency: 4912.97104486183 ms, (p50: 4800 ms, p90: 5700 ms, p99: 10200 ms), latency samples: 3447920
two traffics test : committed: 99.96330077772917 txn/s, latency: 1999.912365591398 ms, (p50: 1900 ms, p90: 2200 ms, p99: 5400 ms), latency samples: 1860
Latency breakdown for phase 0: ["QsBatchToPos: max: 0.213, avg: 0.207", "QsPosToProposal: max: 0.254, avg: 0.217", "ConsensusProposalToOrdered: max: 0.463, avg: 0.423", "ConsensusOrderedToCommit: max: 0.406, avg: 0.392", "ConsensusProposalToCommit: max: 0.824, avg: 0.815"]
Max round gap was 1 [limit 4] at version 1715076. Max no progress secs was 5.012167 [limit 15] at version 1715076.
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Validator CPU Profile
• Fullnode CPU Profile
• Test runner output
• Test run is land-blocking

[github-actions]

✅ Forge suite compat success on 01b24e7e3548382dd25440b39a0438a993387f12 ==> 5d1c6f1851335094559a52ab7d8751ef2b283fb9

Compatibility test results for 01b24e7e3548382dd25440b39a0438a993387f12 ==> 5d1c6f1851335094559a52ab7d8751ef2b283fb9 (PR)
1. Check liveness of validators at old version: 01b24e7e3548382dd25440b39a0438a993387f12
compatibility::simple-validator-upgrade::liveness-check : committed: 6646.602789699171 txn/s, latency: 4954.94980418866 ms, (p50: 5100 ms, p90: 7800 ms, p99: 9000 ms), latency samples: 234920
2. Upgrading first Validator to new version: 5d1c6f1851335094559a52ab7d8751ef2b283fb9
compatibility::simple-validator-upgrade::single-validator-upgrade : committed: 1657.3940383598494 txn/s, latency: 17733.89791989378 ms, (p50: 19000 ms, p90: 24400 ms, p99: 24700 ms), latency samples: 90380
3. Upgrading rest of first batch to new version: 5d1c6f1851335094559a52ab7d8751ef2b283fb9
compatibility::simple-validator-upgrade::half-validator-upgrade : committed: 1696.0474130898344 txn/s, latency: 17086.771582976806 ms, (p50: 19000 ms, p90: 22300 ms, p99: 22500 ms), latency samples: 88820
4. upgrading second batch to new version: 5d1c6f1851335094559a52ab7d8751ef2b283fb9
compatibility::simple-validator-upgrade::rest-validator-upgrade : committed: 3529.2810866912328 txn/s, latency: 8912.651139014684 ms, (p50: 9600 ms, p90: 12700 ms, p99: 12900 ms), latency samples: 145740
5. check swarm health
Compatibility test for 01b24e7e3548382dd25440b39a0438a993387f12 ==> 5d1c6f1851335094559a52ab7d8751ef2b283fb9 passed
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Validator CPU Profile
• Fullnode CPU Profile
• Test runner output
• Test run is land-blocking

[github-actions]

✅ Forge suite framework_upgrade success on 01b24e7e3548382dd25440b39a0438a993387f12 ==> 5d1c6f1851335094559a52ab7d8751ef2b283fb9

Compatibility test results for 01b24e7e3548382dd25440b39a0438a993387f12 ==> 5d1c6f1851335094559a52ab7d8751ef2b283fb9 (PR)
Upgrade the nodes to version: 5d1c6f1851335094559a52ab7d8751ef2b283fb9
framework_upgrade::framework-upgrade::full-framework-upgrade : committed: 1263.5784164932188 txn/s, submitted: 1266.2948158120864 txn/s, failed submission: 2.716399318867543 txn/s, expired: 2.716399318867543 txn/s, latency: 2402.156753851666 ms, (p50: 2000 ms, p90: 3900 ms, p99: 6000 ms), latency samples: 111640
framework_upgrade::framework-upgrade::full-framework-upgrade : committed: 1188.9797859181158 txn/s, submitted: 1190.1393136984145 txn/s, failed submission: 1.159527780298533 txn/s, expired: 1.159527780298533 txn/s, latency: 2671.8583089526037 ms, (p50: 2300 ms, p90: 4800 ms, p99: 6900 ms), latency samples: 102540
5. check swarm health
Compatibility test for 01b24e7e3548382dd25440b39a0438a993387f12 ==> 5d1c6f1851335094559a52ab7d8751ef2b283fb9 passed
Upgrade the remaining nodes to version: 5d1c6f1851335094559a52ab7d8751ef2b283fb9
framework_upgrade::framework-upgrade::full-framework-upgrade : committed: 1230.8146073017967 txn/s, submitted: 1232.0024229814935 txn/s, failed submission: 1.1878156796967736 txn/s, expired: 1.1878156796967736 txn/s, latency: 2803.8592646207294 ms, (p50: 2300 ms, p90: 4800 ms, p99: 7800 ms), latency samples: 103620
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Validator CPU Profile
• Fullnode CPU Profile
• Test runner output
• Test run is land-blocking