-
Notifications
You must be signed in to change notification settings - Fork 4.5k
Rent timing is not consistant for writable/read-only access #10426
Comments
|
@jackcmay No, it does not persist and cannot be read. Ideally, we want to save
*: Assume all existing accounts are NOT yet rent-collected for this epoch. Also, Also, I think we can realize this consistent behavior if we enforce to apply rent collection for every loaded accounts. |
The 1 SOL to 1 lamport case above is only valid if Why not allow a read of an account with 1 lamport? Is that because it's considered already delinquent? |
Yeah, that's true. That's implied.
Yeah, that's correct as well. Because it's delinquent, it should behave so consistently for easier reasoning for development and hiding our implementation details. Otherwise, our developers can't be sure when/how exactly their expiring accounts actually go disappear. Eventually, the account will be corrected by the eager-rent collection cycle for the current epoch. But, it could go away anytime when someone sends a no-op transaction on it. Morever, while the account can be viewed safely by cli/explorer/transactions, the account cannot be modified and that action itself causes irrecoverable deletion of the accout itself. However, currently there is a workaround to prevent it from being purged: send some rent-enough lamports to the account. Then, the account can be recovered to be readable/writable. I think we could simplify these inconsistencies across various actions on the account for more consistent behavior: Once an account goes delinquent, it's gone in every way. Also note that, if we leave the current behavior as-is, we must document this in detail. Our docs (even after updated by #10348) assumes we provide the ideal consistent behavior. @jstarry Any thoughts from app development side? Btw, I've prepared a fancy table for rent-related edge cases. |
This sounds great! And accounts then go delinquent immediately when the new epoch starts?
Very helpful!
Yeah, it would also be caught by the transaction simulation check! Questions:
Maybe my expectation comes from thinking that App Development NotesIt seems that if any instruction in a transaction creates an account which cannot cover rent, the whole transaction will fail. This will require some documentation for program developers but shouldn't be a problem. I think we could add a convenience method to the Other than that, nothing to add. This change would be a big improvement to the app development experience IMO. |
Yeah, that near-end-of-epoch case is unfortunate.. Pro-rate might makes things complicated... Instead, we could use slot index in an epoch as the different timings for each accounts? In that case, I think this change is significant yet relatively easy if we clean-up now rather deprecated
Yeah, your reasoning makes sense for me. Just updated. Maybe just my typo..
I like this name! Updated! |
Good catch! Hmm, I think we need more than this. Othwerwise, every transaction must be guarded against rent checks when they're dealing with arbitrary account pubkeys? This might turn out to be a footgun too easily... Here basically we're considering the design choice of
Thanks!! |
True, are you referring to the determinism of rent fees here or something else?
Yeah this sounds better. I'm not sure if the best way is to use a slot index yet. Couldn't epoch slot length change in the future? |
I'm not so sure about this case now:
I don't think it should preserve data because data preservation implies that the account was readable despite being rent delinquent. Thoughts? |
Well, the determinism can be assured. I'm mainly concerned with the complication in implementation-wise. @jstarry In my opinion, extra rent fee for an epoch should be pretty cheap. I guess pro-rate isn't desired so much? Or is there some clever use case with micro-payment and short-lived accounts?
Hmm, I'm not sure but epoch slot length can change from the current 2 days to longer or shorter? Then, this idea might be difficult... This also complicates pro-rate rent fee. (if implemented)
Oh, good call! I've deliberately made the case to preserve because this allows last-minute restoration of account data this way. Otherwise, it'll be impossible rent-delinquent account to be restored after the new epoch begins. Come to think of it, users should act early. Well, maybe I was caring too much in the edge cases. I've aligned the behavior as you suggested like you suggested for the other case! Prefer overall logical consistency. :) |
Yeah, seems complicated and I don't think this was the right place to bring up the conversation. Sorry for detracting the conversation!
Sounds good! So now the only way that |
No problem! Thanks for helping discussions to go in deep! :)
Yeah, I agree. :) @jackcmay FYI, I've changed some cases. How does it look now for you? If there is no remaining topics to discuss, I'll leave this issue open as-is to be implemented in mid-term (I hope..). Thanks for inputs! |
todo: #10468 (comment) |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
This stale issue has been automatically closed. Thank you for your contributions. |
This issue has been automatically locked since there has not been any activity in past 7 days after it was closed. Please open a new issue for related bugs. |
Problem
Maybe to avoid write lock to accounts, rent collection is currently only done at post transaction. This causes some confusion and odd behavior, specifically #7413 (comment) and #7413 (comment).
Proposed Solution
Always, apply rent collection on load from
AccountsDB
toBank
. There is no exception. This solves varying view of program execution and cli/rpc, as well.So, rent is collected at both at pre-transaction and post-transaction.
Come to think of it, I think there is no problem for mutating read-only accounts by maintaining the list of the actually rent collected read-only accounts and writable accounts touched by failed transaction in a bank and flush those account updates immeditely before at
Bank::freeze()
like with the eager rent collection account updates and by consistently applying rent collection on every access accounts before passing them into programs because rent collection is deterministic and idempotent.Also, after post-transaction rent collection, if the balance goes below 0, abort the transaction itself with new TransactionError like
InsufficientFundsForRent
(renamed fromNotWritableByRent
) or similar, instead of silently writingAccount::default()
into theAccountDB
.related #7413, #10088.
found via #10348
The text was updated successfully, but these errors were encountered: