BREAKING: Add payable modifier

[axic]

Partially implements #500 and #563. Comments welcome.

Fixes #602.

todo:

• library function should not be payable
• contract is payable should create payable fallback function (and error if there already is one)
• calling a non-payable function with value set should report an error
• accessor functions should not be able to receive ether (-> callvalue check should probably move to dispatcher)
• internal functions should not allow payable modifier
• overwriting a base contract function should not change payable
• force constant and payable to be mutually exclusive

[chriseth]

This severely breaks backwards compatibility and has to be discussed thoroughly.

I think it would be better to not have this as a bulit-in compiler feature. If we want to use something like that for analysis and error reporting purposes, the modifier could be added to a standard library. Having said that, I'm not so keen on keeping the hardcoded standard libraries.

[redsquirrel]

@chriseth Any specific plans for the standard libraries?

[axic]

@chriseth I think the reason it should be built in is to support it in the interface JSON. Unless you want to introduce a feature whereby flags can be added to the interface JSON via modifiers or other language features.

[axic]

Alternative approach to not break backwards compatibility to have a rejectValue flag in the interface JSON. The language could have either ways, but in that case probably it is preferable to mirror the interface JSON, i.e. have a rejectValue modifier.

I do think that the idea of making backwards incompatible changes at this stage, in a coordinated effort, should not be withdrawn.

[chriseth]

Ok, I agree that it might be handy to know whether a function accepts ether especially with auto-generated contract interfaces in mind.

I don't especially like the name of the modifier - value is a bit too generic, although I know that we have msg.value. Also I would prefer the active form acceptsValue.

For the sake of usability, a default of rejecting ether transfer should of course be preferred. It gets more complicated at the point where we have public functions which are helper functions and are called from functions that accept value transfer - then these would throw.

[axic]

@chriseth the code currently has valueAccepted as a keyword and acceptvalue in the ABI JSON.

Would you rather go for acceptsValue and acceptsvalue?

Also this PR doesn't implement the actual code to reject such transactions, so I do not see any backward compatibility break. Rejection should be implemented of course and I would prefer to reject if it value as given to a non-acceptsValue method.

[chriseth]

I think I would prefer acceptsEther but I'm open for suggestions; and please implement the full thing in one PR.

[axic]

@chriseth I would probably go with acceptsValue or acceptsEther.

Regarding the latter I'm not sure how the system will look like once Ether becomes a token contract:

1. Will value passing be removed from normal transactions and it has to be assigned as usual via the token interface?
2. Or will the transaction have the token type (i.e. token contract address) passed along the value?

In case 2), acceptsEther is misleading.

[chriseth]

I don't think we will go with 2. If we do, we can still add a new modifier acceptsToken(Token _token)

[axic]

Agreed with @chriseth that we're going for the keyword payable.

[chriseth]

Please check (as in write a test) that this also applies to accessor functions!

[axic]

Question is, should it be in visit(FunctionDefiniton) or appendFunctionSelector?

[chriseth]

visit(FunctionDefinition) is also used for internal functions, so it should be in the selector or the calldata unpacker.

[axic]

@chriseth This works now, but a lot tests need to be fixed to include the keyword.

[axic]

It may be a good time to review some of those EndToEnd tests whether they actually require a value to be sent at them. Some looked like they may only have it as an oversight.

[chriseth]

Do you actually handle the constructor?

[axic]

Yes. I've only added the keyword to the tests where it was failing without the keyword and I've reviewed that the code actually needs it.

[chriseth]

I think you added payable to a lot of end to end tests where this is not needed.

[chriseth]

We could add another feature: contract a is payable { ... } results in contract a receiving an empty fallback function and errors if it already has a fallback function.

[ethernomad]

Will this mean that getters generated for public variables will throw if they are called with a value transfer?

[chriseth]

@ethernomad yes

[axic]

@chriseth I think constant and payable modifiers should be mutually exclusive.

constant means that the state cannot be modified, while receiving value is modifying the balance of the state. (Albeit it is not done by the code running on EVM.)

[chriseth]

@axic ok, that makes sense.

[chriseth]

Removed the contract A is payable feature again as it is probably of limited use. We can still add it without breaking backwards-compatibility.

[pirapira]

Now a semicolon after _ is necessary after #1005.

[axic]

This can be merged into the above if.

[axic]

Two tests needed:

• ABI test for payable fallback
• payable private method should be disallow (similar to how payable internal is)

[chriseth]

@axic please review again

[axic]

@chriseth looks good