Extract the STF execution logic to a separate crate 'stf-executor'

[murerfel]

A further refactoring step towards #301 . This time I extracted code from the enclave-runtime that is related to executing logic on the STF. This includes:

• Trusted calls
• Trusted getters
• General state updates
• Block updates

The main motivation for separating this code to a separate crate, is that the sidechain components use it, and it's the reason why we still have quite a bit of sidechain implementation in the enclave-runtime instead of the sidechain crate.

The extracted code has not been much beautified or re-designed, it's mostly moved in its original state. I mention this, because there are certainly quite a few improvements that could be done on those parts of the code (that now reside in stf-executor). But in order to move along and get to the end-goal (#301), I leave it as-is for now.

[murerfel]

new crate in core-primitives: stf-executor

[murerfel]

Moved this from the top-pool-rpc-author crate to the ita-stf crate, so it can be re-used in our new crate stf-executor.

[murerfel]

Moved the result and error type definition out of the sgx-only module, in order to have more parts of the code available in both std and sgx feature.

[murerfel]

Generalize this method signature, making it consistent with some of the other methods that already used this type of signature.

[murerfel]

Seems like there was a change in the formatter after some update that happened on master? Now we have some formatting changes in this PR as a result. Either that, or this crate was never properly formatted to begin with (although shouldn't the formatter have complained?)

[murerfel]

Here I'm not sure: We have 3 ways to bring some of the alloc or std types into our sgx feature:

• extern crate alloc + use alloc::vec::Vec
• use std::vec::Vec
• use sp_std::prelude::Vec (re-export in sp_std)

What do you guys think? Which option do you prefer and why?

[clangenb]

I think it does not matter. extern crate alloc + use alloc::vec::Vec is the only one that would be available always. But as it is more verbose, I prefer this the least.

For crates that are close to supporting plain no_std, I would choose alloc still because:

• sp_std: pulls in sp-io, which assumes wasm in no_std, implying that is does not support plain no_std. The library can be used no_std only in wasm (e.g. substrate-node-runtime`), or in sgx (where we patch sp-io, with sgx-sp-io)
• sgx: can be used no_std only in an sgx-environment.

[haerdib]

I'm against option three, because I don't think we should import substrate deps just to use vec::Vec.

Option 1 & 2.. I don't really care. You said that sgx ports Vec to alloc anyway, so it's only about style. Since we've been using std::vec::Vec quite often, maybe lets stick to that.

[murerfel]

This file now contains all the relevant implementation for executing calls, getters and operations in general on the STF. It's all moved from the enclave-runtime. It's probably a bit large and does not have any unit-tests 😞 . There are a couple of indirect tests of these parts, in the enclave-runtime.
Unfortunately this module is only available in sgx feature, because we heavily use Stf and all related structures.

[haerdib]

So we should introduce unit tests for this part.. I guess? Maybe create an issue for this if its too much work for this PR?

[murerfel]

Having unit tests would certainly be a great improvement. And we're lacking them everywhere. So I'm not sure an issue 'create unit tests for this' will do much good. In my experience those kind of issues never get prioritized in a sprint 😝 Next time we touch this code and we extend or change the behavior, we need to introduce unit tests. So writing the tests should be part of the next feature that happens in this part.

[haerdib]

You got me there.. can't reason against that :(

[murerfel]

Well you could argue to still do them now 😄 I'm a bit on the fence about it myself, because I like to write unit tests. And on the other hand, I should make some progress on the actual feature (#301) I'm trying to achieve

[haerdib]

I also agree. Maybe add a //FIXME comment. Not an issue but atleast something that someone will stumble upon when this code part is touched?

[murerfel]

A re-usable method to execute a single trusted call on the STF (not part of a trait)

[murerfel]

I quite dislike the fact that the result of this method is both in the returned value, and in the &mut Vec<OpaqueCall> parameter. In some parts, I replaced this out parameter by just a return value. But not here yet.

[clangenb]

Yes, this has been bugging me for ages too.

[murerfel]

Execute shield funds logic on the Stf

[murerfel]

Execute a batch of trusted calls with a given time budget and return an ExecutionResult which includes the previous state hash, the execution status, and more information.

[murerfel]

Utility structure for returning information about the execution of a collection of operations.

[clangenb]

I really like the abstractions here. 👍

[haerdib]

Very cool. I really like this approach. However, is the ExecutionResult naming correct? Until now, for me an execution was the execution of one extrsinic. Maybe I'm in the wrong here, but how about BatchExecutionResult?

[murerfel]

I re-named it to BatchExecutionResult 👍

[murerfel]

In the enclave-runtime the StfExecutor now replaces the StateHandler in a lot of places (not everywhere) and thus hides the state handler details.

[murerfel]

The logic for setting block number, timestamp etc is now packed into a state 'pre-processing' lambda.

[clangenb]

I think, this looks very nice.

[haerdib]

Complicated stuff.. left some comments.

[haerdib]

I'm against option three, because I don't think we should import substrate deps just to use vec::Vec.

Option 1 & 2.. I don't really care. You said that sgx ports Vec to alloc anyway, so it's only about style. Since we've been using std::vec::Vec quite often, maybe lets stick to that.

[haerdib]

Not for this PR, but as a general Info in case you're introducing a new error type: Clippy will warn about using an Error ending in the future rust version: https://rust-lang.github.io/rust-clippy/master/index.html#enum_variant_names

So don't name them xxxxError

[murerfel]

I think you have a point here, the error enum element should not contain 'error' itself, I will fix that 👍

[haerdib]

So we should introduce unit tests for this part.. I guess? Maybe create an issue for this if its too much work for this PR?

[haerdib]

Is it really necessary to have so many traits? Is there no other way to abstract the stf?

[murerfel]

This is the design question of how many methods should a trait have. In other languages, recommendations for interfaces are in the range of 2-5 or 2-7. With traits, where we have trait mix-in (with +) that makes trait aggregation very easy, we can achieve very fine granularity by having one method per trait.
In our case here, most consumers don't ever need more than 2 of these methods. So grouping them together in a trait, will cause unnecessary exposure of methods. That was my reasoning behind this design. However, I think this can be open for debate, I'd be happy to hear your arguments 😄

[clangenb]

I second Felix. However, the real merit of this will not be obvious before we start having generic functions only requiring one of these 'subtraits'.

[clangenb]

However, by better core design, we'd might want to some of these traits, but I think this is a different construction site.

[murerfel]

We'd might want to do __ what with these traits? I think you lost the verb there in the sentence 😅

[clangenb]

haha, thought faster than I typed. 😄 I meant 'remove'. However, not in terms of combining traits, but with a better core design. :P

[murerfel]

Ah okay, now it makes sense 😝. Yes I totally agree, I think these stf executor traits can be reduced in number, because they are somewhat redundant and can be combined into more generalized trait methods. However, I also believe refactoring that requires a bit of effort, it's not that straight forward (and will require writing some tests in advance, to make sure we don't break stuff in the process).

[haerdib]

My reasoning is just to keep it simple. The stf is made to be adaptable by clients such that they can easily integrate their stuff into the sgx-runtime. As long as we keep in mind the users who want to remove unshielding & shielding, or whatever, I'm fine with it. And it's not like I have a better solution here myself ;)

[murerfel]

We can certainly make it more simple. What I have here in this PR is just extracting code as-is into a crate. It is by no means the end-result as we would want to have it. There are still many improvements that can be done on this part, this was just a first step.

[haerdib]

Very cool. I really like this approach. However, is the ExecutionResult naming correct? Until now, for me an execution was the execution of one extrsinic. Maybe I'm in the wrong here, but how about BatchExecutionResult?

[haerdib]

Renaming suggestion: get_executed_operation_hashes

[murerfel]

I can do that 👍

[haerdib]

Very nice!

[haerdib]

For me this naming was a little confusing. ExecutionHashes could also be the State hashes after execution. We could simply name it ExtrinsicHash to follow substrates example. Or OperationHash. ( I guess it should be singular, as it only contains one hash each? Also, why are both, call hashes and operation hashes needed?

[murerfel]

Yes the naming is not ideal here. It's probably a combination of me not understanding exactly what it represents, and the thing having a confusing name before the refactoring.
I don't know why we have both a OperationHash and a CallHash - this is just ported over as it was before. I also don't exactly understand what the difference should be. ExecutionHashes should probably be replaced by a better name. Provided we still need OperationHash AND CallHash, what could the aggregation of those two be called?

[clangenb]

I think @haerdib introduced these (not sure), so she might correct my statements.

I have taken a look at the code. Deriving from the current usage of handle_trusted_worker_call, which is only at two places. The first time, we only care about the potential error, the second time, we are only interested in the trusted_operation_hash, which is put into a call_hash vector (!!!), I sense some code smell here. :)

I am confident, we can get rid of one. I actually think we should not use the trusted operations hash. Reasoning: this is an internal helper struct of the worker. The client sends either TrustedCalls or TrustedGetters AFAIK. If we want to give a block inclusion proof to a client in the future, it will be more straightforward if we hash the exact object the client has sent to the worker. The hash is not needed for anything else.

[clangenb]

I would simply use the following structure:

ExecutionResult {
     // hash of the executed trusted call.
    call_hash: H256
}

[murerfel]

I'd be happy to get rid of one of those hashes. And yes, we mix the names in the process, that adds to the confusion. We now use the operation_hash and use it in a call_hashes vector. And you suggest to only use the call_hash and get rid of the operation_hash? Won't that break something, because we're now returning a different hash value?

[haerdib]

I think that's fine if everything is still working. But we might want to create an issue to discuss the use case of TrustedOperation itself @clangenb ?

[clangenb]

Yes, I think @mullefel change is fine.

I also agree to discuess the usage of trusted op.

[haerdib]

#489

[murerfel]

fyi: I had to revert back to using the operation hash (not the call hash), since we have tests that check for that. So to be on the safe side, I'll use the operation hash for now to not alter any behavior in the code.

[clangenb]

Ok, even better. 👍

[haerdib]

I know this was here before, but I think we should not panic in case we can not remove a top. Should we?

[murerfel]

We probably shouldn't. I'll change that to properly handle the result 👍

[murerfel]

Unfortunately I cannot answer to your suggestion: #485 (comment) , so I'll do it here.
BatchExecutionResult might already be an improvement, I'll re-name it. Maybe at some point we can come up with better names for these structures (provided they are still around after more refactoring).

[clangenb]

In general, very impressive. I think you made a good compromise between simple modularization and refactoring.

Only some small questions.

[clangenb]

I think it does not matter. extern crate alloc + use alloc::vec::Vec is the only one that would be available always. But as it is more verbose, I prefer this the least.

For crates that are close to supporting plain no_std, I would choose alloc still because:

• sp_std: pulls in sp-io, which assumes wasm in no_std, implying that is does not support plain no_std. The library can be used no_std only in wasm (e.g. substrate-node-runtime`), or in sgx (where we patch sp-io, with sgx-sp-io)
• sgx: can be used no_std only in an sgx-environment.

[clangenb]

Yes, this has been bugging me for ages too.

[clangenb]

I really like the abstractions here. 👍

[clangenb]

I think this can be even more useful, if we add Externalities to the generic arguments and require the SgxExternalities trait bound here; what do you think?

This would require the that the externalities are part of the StfExecutor as a PhantomData field, but this is totally fine.

[murerfel]

Yes I can do that, it would further decouple us from the concrete SgxExternalities 👍

[murerfel]

I made that change now. It required a bit of refactoring in the state handler as well, to make that trait generic over the externalities. And I also had to further generalize some of the method signature in the Stf struct. The explains the rather large change set that I had to commit on top of this PR 😅

[clangenb]

Haha, yes, but I think it was worth the effort. Thanks! Looks good.

[clangenb]

However, by better core design, we'd might want to some of these traits, but I think this is a different construction site.

[clangenb]

I think @haerdib introduced these (not sure), so she might correct my statements.

I have taken a look at the code. Deriving from the current usage of handle_trusted_worker_call, which is only at two places. The first time, we only care about the potential error, the second time, we are only interested in the trusted_operation_hash, which is put into a call_hash vector (!!!), I sense some code smell here. :)

I am confident, we can get rid of one. I actually think we should not use the trusted operations hash. Reasoning: this is an internal helper struct of the worker. The client sends either TrustedCalls or TrustedGetters AFAIK. If we want to give a block inclusion proof to a client in the future, it will be more straightforward if we hash the exact object the client has sent to the worker. The hash is not needed for anything else.

[clangenb]

I would simply use the following structure:

ExecutionResult {
     // hash of the executed trusted call.
    call_hash: H256
}

[clangenb]

I think, this looks very nice.

[clangenb]

This sucks big time, but I think we will have to live with this until we abstract TrustedCalls, TrustedOp, TrustedGetter into core-primitives.

[murerfel]

We have the ita-stf dependency everywhere because of it, yes. I've looked at it a couple of times, and I'm not sure there is a 'simple' solution, provided we don't break with @brenzi 's intention to keep all the domain specific stuff in that crate (and TrustedCall, TrustedGetter etc. contain exactly the domain specific logic)

[clangenb]

Looks very good!

[haerdib]

Very cool, thanks !