CAP-0023 implementation

[sisuresh]

Description

Implements https://github.com/stellar/stellar-protocol/blob/master/core/cap-0023.md

Checklist

• Reviewed the contributing document
• Rebased on top of master (no merge commits)
• Ran clang-format v5.0.0 (via make format or the Visual Studio extension)
• Compiles
• Ran all tests
• If change impacts performance, include supporting evidence per the performance document

[jonjove]

Completed a preliminary review of everything after the LedgerTxn changes, excluding the tests. Looks pretty good, but a few important comments in here.

[MonsieurNicolas]

I did a full review of this PR - see comments.

Overall this is pretty close to mergeable (good job!):

• I added a couple questions that happen to be CAP issues/suggestions that we missed
• I think you have a few missing test cases that would have uncovered a couple bugs

[MonsieurNicolas]

you need to run clang-format manually on the .x files (make sure to comment the %#include before doing so)

[sisuresh]

done

[MonsieurNicolas]

CAP question - should we remove the AFTER (or BEFORE) predicates and just add a NOT operator?

[MonsieurNicolas]

@jonjove

[jonjove]

I thought about this (it was actually my original approach) but I had some concerns that it could be a future foot-gun. For example, suppose we added a predicate like CLAIM_PREDICATE_HASH_PREIMAGE where you have to reveal a SHA256-preimage in order to claim. NOT doesn't behave particularly well with this predicate because it would be satisfied by default. Maybe this concern is overblown, because you could always configure the predicates incorrectly anyway. What do you think? I'm pretty flexible on this.

[MonsieurNicolas]

warning: signed vs unsigned comparison

[sisuresh]

Should be fixed.

[MonsieurNicolas]

warning: signed/unsigned comparison

[sisuresh]

Should be fixed.

[MonsieurNicolas]

warning ok shadows line 156

[sisuresh]

fixed

[MonsieurNicolas]

per my other comment elsewhere, size_t is overkill for this as we later have to downcast it. Better to just downcast it once (here). Not sure why it was size_t before in TransactionFrame::makeOperation.

[sisuresh]

fixed

[osman-20068]

os

[MonsieurNicolas]

I've resolved all issues that I consider resolved; added a couple new ones.
Next step is to rebase on top of master and squash commits so that you can address the SQL related issues.

[MonsieurNicolas]

I'm dumb for not having noticed this earlier: why do we need to expose all those internal fields?
I think the minimal set is
balanceid(HEX) | claimablebalanceentry (XDR) | lastmodified (BIGINT)

[MonsieurNicolas]

so we end up with a lot less code

[sisuresh]

This makes sense to me, but I noticed that this wasn't done for the other ledger entries. I want to make sure there wasn't a specific reason for listing the fields individually before I change this. @jonjove?

[jonjove]

The reason other ledger entries aren't like this is historical. It's possible we will move this direction in the long run. We already moved slightly in this direction with #2593.

[sisuresh]

Makes sense. Thanks

[sisuresh]

I made the change to use a claimablebalanceentry column. I also updated db-schema.md.

[MonsieurNicolas]

you still need to do this

[MonsieurNicolas]

maybe open an issue: this invariant should also check that we don't modify immutable fields. For claimable balance, all fields are immutable.

[sisuresh]

Added an issue - #2620

[MonsieurNicolas]

this is written as if reserve and amount are mutable, maybe OK in this context (albeit a bit confusing as the code doesn't work at all if asset gets modified) but see my comment in the other invariant on validity

[jonjove]

This will be simplified when we rebase CAP-33 on top, because the reserve is not stored in that case. But I the code should work correctly in the case that asset changed. This would obviously be a bug if it were to happen, but for clarity and safety the code should account for it (after all, invariants are all about catching bugs).

[MonsieurNicolas]

from recent findings, let's be defensive and avoid using to_string -> use fmt::format instead

[sisuresh]

done

[MonsieurNicolas]

• balanceid is a base64 encoded xdr object -> type should be "XDR", also description should say that it's a ClaimableBalanceID ; we use BASE64 as a type when there is no good XDR type.
• claimablebalanceentry is a based64 encoded xdr object -> type should be "XDR" (and description should say that it's a ClaimableBalanceEntry)

[sisuresh]

done

[MonsieurNicolas]

yes you need to call mApp.getLedgerTxnRoot().dropClaimableBalances(); from Database::applySchemaUpgrade when upgrading to schema version 13 otherwise the table won't be created

[MonsieurNicolas]

I don't think you need those 2 "crypto" includes

[sisuresh]

removed

[MonsieurNicolas]

56 is wrong (needs to be updated in the md file as well):
I think it's base64(4+32) = 4 * round_up(36/3) = 4*12 = 48

[MonsieurNicolas]

we should store not just ClaimableBalanceEntry but the full LedgerEntry in this column, this duplicates a small amount of data but avoids adding an extra column for ledgerext (this was added in the latest round of changes to the database)

[jonjove]

I support this approach as well. We can always change it later if the performance is worse-than-desired, but this approach will considerably simplify future development.

[sisuresh]

This would also allow us to remove the lastmodified column right?

[sisuresh]

Nevermind. The lastmodified column is required.

[sisuresh]

I made the change to store the full LedgerEntry.

[jonjove]

Nice work! This looks largely correct to me at this point, and @MonsieurNicolas had already identified most of the remaining issues. Most of my comments are picking out minor details. The main issue here for me is that the tests are pretty confusing: it was hard for me to tell exactly what is being tested in various places, and also hard for me to tell if we achieved the desired coverage. For example, I wasn't able to pick out a test that created a claimable balance entry in a transaction where the operation and transaction have different source accounts (is there such a test?). Is there anything we can do to improve the overall clarity of the tests?

[jonjove]

I support this approach as well. We can always change it later if the performance is worse-than-desired, but this approach will considerably simplify future development.

[jonjove]

This will be simplified when we rebase CAP-33 on top, because the reserve is not stored in that case. But I the code should work correctly in the case that asset changed. This would obviously be a bug if it were to happen, but for clarity and safety the code should account for it (after all, invariants are all about catching bugs).

[jonjove]

Does this all actually work as you intend? The sequential sections with intermittent code is a pretty confusing pattern. It leaves me wondering, what is supposed to happen here and what actually does happen here?

Are these early sections like "no trust" and "not authorized" even required? The code in those sections should have no effect other than paying fees and consuming sequence numbers, so the sections might not really be doing anything.

In summary, I'm confused by this.

[sisuresh]

I cleaned up the tests and squashed with 572598aa0be8290908319e5d1d98e83c09c5520f.

[sisuresh]

@jonjove You make a good point about the test cases. They're confusing to look at, and the pattern where I use sequential sections with intermittent code can be hard to follow. I did this to avoid duplicating code, but the end result isn't great. I'll fix this.

I wasn't able to pick out a test that created a claimable balance entry in a transaction where the operation and transaction have different source accounts

SECTION("validate Tx account is used in hash") tests this, but that's obviously not clear from the name. Being able to identify any tested functionality based on the SECTION name is a good requirement. I'll make a pass through the test cases and try to change -

1. Ambiguous section names.
2. Any Large SECTION that tests multiple code paths without making it clear.

[jonjove]

This looks almost ready to me now. The tests are vastly easier to parse, so thank you for redesigning that! The only test that I don't remember seeing is one in which we create a claimable balance and then claim it in the same transaction. I expect this to work, but I think we should test it because it is an edge case in the sense that if you are doing this then you aren't really taking advantage of the behavior of claimable balance.

[jonjove]

I don't think this name is a good description anymore, given that we are storing the LedgerEntry.

[sisuresh]

Changed to ledgerentry.

[jonjove]

I'm a little confused about this comment. acc1 can't have the same balance in both scenarios because you are executing some transactions only if !isNative. Do I misunderstand?

[sisuresh]

Ah the comment should be updated to say the number of subentries is the same in both scenarios.

[jonjove]

Not sure I understand the purpose of this test? Unless I'm mistaken, it effectively does "create -> claim -> fund -> create -> claim" with each step in its own transaction. Was the intention to do that as a single transaction?

[sisuresh]

The test here was to make sure that the claim doesn't have any unintended side effects that could get in the way of another create/claim later on.

[sisuresh]

@jonjove I made the last round of PR changes and squashed/rebased. I also added a test for creating and claiming in the same tx under the section create and claim in same tx.

[jonjove]

r+ 29c1cab

[MonsieurNicolas]

@latobarita: retry