transaction vstorage

[turadg]

refs: #10598

Description

The dashboard will requires data for each transaction. In the course of designing that we explored how to design the storage node paths without creating too much cost in IAVL. (The data in HEAD carry a burden of magnitude O(k+v) for all network nodes (including non-validators) into perpetuity.)

Examining the trade-offs we arrived at:

• store one node per transaction
  • push all changes through it
  • rely on indexer to demux
• delete on demand
  • when we have an API for block-safe deletion it can delete in the operation
  • until then keep track of what to delete
  • a core-eval can be run to cull data whenever necessary

Security Considerations

none

Scaling Considerations

One storage path per transaction, which persists until the deletion job is called.

One entry in a set to keep track of transactions to delete.

Documentation Considerations

Not developer facing

Testing Considerations

CI

Upgrade Considerations

not yet deployed

[cloudflare-workers-and-pages]

Deploying agoric-sdk with    Cloudflare Pages

Latest commit:	ccb9e28
Status:	✅  Deploy successful!
Preview URL:	https://3d3a51d6.agoric-sdk.pages.dev
Branch Preview URL:	https://10578-transaction-vstorage.agoric-sdk.pages.dev

View logs

[dckc]

neat: string & { length: 40 }

[gibson042]

I don't like that this approach is vulnerable to collisions and "upgrades" any all-decimal-digits string to a bigint, even if it was user input that should remain a string. What's the reason for not using smallcaps?

const rejectOCap = cap => Fail`${cap} is not pure data`;
const { toCapData, fromCapData } =
  makeMarshal(rejectOCap, rejectOCap, { serializeBodyFormat: "smallcaps" });
// Constraining to pure data guarantees empty slots and allows for direct use of
// `body`.
const serialize = value => {
  const { body, slots } = toCapData(value);
  slots.length === 0 || Fail`slots ${slots} unexpected for pure data`;
  return body;
}
const unserialize = text => fromCapData({ body: text, slots: [] });

const value = harden({ number: 42, bigint: 42n, strings: ["42", "+42"] });
const serialized = serialize(value);
const restored = unserialize(serialized);
console.log({ value, serialized, restored });
/* =>
{
  value: { number: 42, bigint: 42n, strings: [ '42', '+42' ] },
  serialized: '#{"bigint":"+42","number":42,"strings":["42","!+42"]}',
  restored: { bigint: 42n, number: 42, strings: [ '42', '+42' ] }
}
*/

[turadg]

I think it's a good idea worth exploring more. There are lots of trade-offs to consider so I'm opting to take it out of the critical path for FU by using the more verbose but well trodden "JSON-stringified CapData".

[dckc]

For ref, I track this possible optimization in/around..

• wallet action, inter protocol data is wrapped in 2 JSON.stringify layers #7999

[samsiegart]

Optional: Could we just name this fastUsdc? Is it intentionally different than the real node? Seeing "fun" in the test file was confusing at first.

[turadg]

Is it intentionally different than the real node

It is intentional, to show that the contract root is configured by the core-eval and not the contract itself.

I do think that's worth keeping. I chose a three letter one to keep the paths short and wrap lines less.

[samsiegart]

Optional: It might help to document this a bit. I gather it can't have any remotables or bigints.

[turadg]

good point, it should have a jsdoc.

remotables aren't pure data but bigints are. (bigint is the main motivation; otherwise JSON is a good encoding of pure data)

[samsiegart]

Question: I'm a bit confused. Below we have:

  t.deepEqual(
    storage.getPureData(`fun.txns.${mockEvidence.txHash}`),
    [mockEvidence, { status: PendingTxStatus.Advancing }],
    'tx is Advancing',
  );

I see the { status: PendingTxStatus.Advancing } part here, but not the mockEvidence. Wouldn't that be expected here?

[turadg]

I think this one is truncating the array to show the HEAD value. Do you want it to have the whole sequence? That's only per block and in practice the state changes would happen in different blocks but the fake vstorage treats everything as block height zero

[samsiegart]

It appears from looking at status-manager.js that the evidence is written in the same block as the status

agoric-sdk/packages/fast-usdc/src/exos/status-manager.js

Lines 161 to 162 in 33173f9

	publishEvidence(txHash, evidence);
	publishStatus(txHash, status);

. I think the sequence: true when creating the node ensures they're both included.

I guess this test is just looking at the last cell, but if it's important behavior that the evidence is included in the first cell, I think we should capture that in the test somehow. Why not include it in all cells like { evidence: {}, status: "" }? Are we assuming the indexer will just pick up the evidence in the first cell and save it?

[turadg]

Why not include it in all cells like { evidence: {}, status: "" }?

Great idea. I'll do that.

Are we assuming the indexer will just pick up the evidence in the first cell and save it?

The indexer will accumulate events to update the db row, yeah.

[samsiegart]

I was thinking of including it in all cells so we wouldn't have to track anything but the latest, it's kind of moot if we only include the evidence in the first cell, even though it's one less cell to track it's still more than one. However, it looks like documentStorageSchema doesn't support multiple cells. That probably doesn't have to be in scope, but a regular assert for the original cell with the evidence would suffice. I think it's important to verify that the evidence is published since the indexer relies on it.

[turadg]

I was thinking of including it in all cells so we wouldn't have to track anything but the latest,

Oh, the evidence isn't stored in a way that it can be looked up for each update.

I think it's important to verify that the evidence is published since the indexer relies on it.

I think that's covered by the unit tests but I've added the assertion to the boot test too. Do you think the A3P tests also need it?

[samsiegart]

Oh, the evidence isn't stored in a way that it can be looked up for each update.

Ah I see, yea not worth changing that part.

I think that's covered by the unit tests

I guess that makes sense. Unit tests for exhaustiveness, and a boot test just to make sure the vstorage write works for any path. It was confusing seeing the different results between the two though so thanks for updating.

Do you think the A3P tests also need it?

I'm not sure the scope of the a3p tests, seems like they're not super important for fast-usdc because they're on a single chain, but the multichain-testing tests might want to have test cases for the status updates. There weren't any such existing test cases there before this PR though so I don't think it's in scope.

[dckc]

I'm struggling to get a high level view.

I'd like to see a typed pattern for what a client might see at one of these vstorage keys.

[dckc]

Suggested change

	> Under "published", the "fastUsdc.txns" node is delegated to the Ethereum transactions upon which Fast USDC is acting.
	> Under "published", the "fastUsdc.txns" node is delegated to the Ethereum transactions upon which Fast USDC is acting.

I suppose txns is an abbreviation for transactions. Why not spell it out?

[turadg]

1. concision
2. the evidence uses txn
3. to make clear this is an Ethereum-identified transaction

[dckc]

ok, so txns isn't an abbreviation of transactions; it's a plural of the evidence property name.

Re txn distinguing between ethereum and others such as cosmos-sdk... I seem to have a gap in my education. If you have a moment to point me at what I missed, I'd appreciate it.

[turadg]

Re txn distinguing between ethereum and others such as cosmos-sdk

I retract #3. I didn't think it through carefully.

txs is the common Ethereum abbreviation for "transactions" and it's also used in Cosmos.

So I don't have a good reason to use txns. I do prefer txs to transactions but could go either way if you have a principle for the latter.

[dckc]

using conventional dictionary words for identifiers that have scopes larger than a few lines pays off, IME.

"txn" is a sufficiently established term-of-art that I find it acceptable.

[dckc]

harden(...) doesn't hurt (much) here, but if it's already a CopyRecord, it's already hardened.

[turadg]

harden(...) doesn't hurt (much) here

The marshaller threw without it.

if it's already a CopyRecord, it's already hardened

Not according to the structural type of CopyRecord,

export type CopyRecord<T extends Passable = any> = Record<string, T>;

[dckc]

The marshaller threw without it.

That's a a bug in the caller that claimed something was a CopyRecord without harden-ing it.

This is actually the cost of adding the harden(...) here: it masks such bugs.

[dckc]

I wonder what "monotonic" is intended to communicate. Monotonic is a relationship between 2 variables. Is the dependent variable here time? A constant function is non-decreasing and hence monotonic.

Suggested change

	* Note that these are stored in IAVL and grow monotonically. At some point in the future we may want to prune them.
	* Note that like all durable stores, this SetStore is stored in IAVL. It grows without bound (though the amount of growth per incoming message to the contract is bounded). At some point in the future we may want to prune it.

[turadg]

the dependent variable here time?

Yes, or blockheight, what have you.

A constant function is non-decreasing and hence monotonic.

Sure, it could stay constant if it's never used.

The suggestion is more clear, I'll take it.

[dckc]

these vstorage snapshots are nice for looking at an example or two, but I wonder about how to make it easier to figure out all possible values.

How about including the name of a TypedPattern and the Type in the doc?

Maybe documentStorageSchema should support the pattern?

[turadg]

maybe sometime but out of scope rn, imo

[dckc]

ctx is part of the durable storage of the relevant vow, right? So this property name change would be a breaking change if this code were deployed, right?

[turadg]

yes if it were deployed

[dckc]

When we get to upgrade testing, I hope we manage to test upgrading with pending vows.

[dckc]

odd that we spell it out internally but not externally.

[turadg]

txs is embedded in a string that's already very long and distinct so the motivation was there.

I agree it's probably better to make them match. I'd rather make this txsNode than have published.fastUsdc.transactions.0x19330d10D9Cc8751218eaf51E8885D058642E08A

[dckc]

Did you use tooling to add all these resolutions?

[turadg]

agoric-sdk/multichain-testing/README.md

Line 24 in 1af5f1d

(Note that the '@agoric/*' deps will come from the parent directory due to `yarn link --relative ../../.. --all`)

[samsiegart]

LGTM hoping CI passes

[samsiegart]

Oh, the evidence isn't stored in a way that it can be looked up for each update.

Ah I see, yea not worth changing that part.

I think that's covered by the unit tests

I guess that makes sense. Unit tests for exhaustiveness, and a boot test just to make sure the vstorage write works for any path. It was confusing seeing the different results between the two though so thanks for updating.

Do you think the A3P tests also need it?

I'm not sure the scope of the a3p tests, seems like they're not super important for fast-usdc because they're on a single chain, but the multichain-testing tests might want to have test cases for the status updates. There weren't any such existing test cases there before this PR though so I don't think it's in scope.