Enhance/cleanup unconfirmed execution

[oxade]

This PR converts this to work with the new refactoring.

Removed the ability to execute transactions without confirmation and instead all executions go through the same function execute_transaction
This allows us consolidate the critical areas where we might have to lock/unlock orders.
Additionally propagated the OrderInfoResponse for executions which was being discarded.
Updated test cases to use pending-orders
Also ported multi-insert and multi-remove over to Mysten infra, so no need to have them here.

How it works:

An order ord's objects can be locked or unlocked by the order if all of ord's input objects are already locked by ord or by no other order.

There are two phases to completing a transaction:
TX Order without confirmation: this locks the objects owned by ord if they are available for locking. However in case of an authority error the objects are unlocked.
If the order is successfully executed, the objects remain locked until confirmation.

Confirmation of TX order:
Here the objects are unlocked if tx is successful or if tx fails with errors having no side effects.
If the objects remain locked after this step, there is a critical error.

Next steps:

1. Clarify which errors from authorities should or should not lead to unlocking orders
2. Make pending_order table test & + test & unlock thread-safe

[oxade]

@lxfind please take a look to make sure this PR fits in the refactor flow.

[oxade]

I feel there are situations where an authority operation fails and we would rather keep the order locked.
How can we for sure determine which errors should unlock orders?

[lxfind]

I have two questions about this:

1. If we keep the order locked, when would we unlock them?
2. Could you also write down a concrete scenario where things could go wrong if we always unlock here?

[oxade]

1. Up to the caller. They can re-submit and order. Or can call try_complete_pending
2. Situations where the true state of the order is not defined. Example quorum logic failure, network/comms failure, set_order_lock failure here https://github.com/MystenLabs/fastnft/blob/main/fastpay_core/src/authority/authority_store.rs#L289

These are just guesses of course. I could be wrong.

[lxfind]

Thanks for putting up the PR.
I did give this flag idea a thought, and I chose to not add this flag to merge the two code paths for the following reasons:

1. We don't know if transfer_to_fastx_unsafe_unconfirmed is actually useful/needed.
2. Even if (1) is necessary, so far, there is only one caller that's calling execute_transaction_without_confirmation_unsafe. I am not aware of any new callers being added.
   So we could say that execute_transaction_without_confirmation_unsafe is an edge case at best. Adding a flag like this makes the code a lot more complex. Such complexity is not worth it for an edge case (this PR vs 2 lines of code in the original impl).
   Of course, if we are convinced that this is not an edge case and we will be adding more callers to execute_transaction_without_confirmation_unsafe, I would totally agree that a unification of the code paths would be a good idea.

Let me what you think.

Also, @gdanezis Could you confirm how transfer_to_fastx_unsafe_unconfirmed would be used? And whether it would be a common need for the client to call into execute_transaction_without_confirmation_unsafe?

[lxfind]

I have two questions about this:

1. If we keep the order locked, when would we unlock them?
2. Could you also write down a concrete scenario where things could go wrong if we always unlock here?

[lxfind]

Duplicates?

[lxfind]

Curious, what happens if we fail to unlock here due to can_lock_or_unlock returns Err? Could the objects be locked forever?

[lxfind]

May want to add a TODO here. I think we need to handle the failure of can_lock_or_unlock eventually.

[oxade]

Thanks for putting up the PR. I did give this flag idea a thought, and I chose to not add this flag to merge the two code paths for the following reasons:

1. We don't know if transfer_to_fastx_unsafe_unconfirmed is actually useful/needed.
2. Even if (1) is necessary, so far, there is only one caller that's calling execute_transaction_without_confirmation_unsafe. I am not aware of any new callers being added.
   So we could say that execute_transaction_without_confirmation_unsafe is an edge case at best. Adding a flag like this makes the code a lot more complex. Such complexity is not worth it for an edge case (this PR vs 2 lines of code in the original impl).
   Of course, if we are convinced that this is not an edge case and we will be adding more callers to execute_transaction_without_confirmation_unsafe, I would totally agree that a unification of the code paths would be a good idea.

Let me what you think.

Also, @gdanezis Could you confirm how transfer_to_fastx_unsafe_unconfirmed would be used? And whether it would be a common need for the client to call into execute_transaction_without_confirmation_unsafe?

Right. I want to get rid of the unconfirmed path too for the reasons you mentioned, and more. But while we have it, I'm striving to reduce ways it can be misused.

[lxfind]

May want to add a TODO here. I think we need to handle the failure of can_lock_or_unlock eventually.

[lxfind]

Curious why do we have to do this here instead of keeping the old logic (match returns the pairs)?

[oxade]

The responses from the old code will always be empty because it's the output of the catch-up confirmation steps, which tx_order does not do anymore. It's a bit misleading.

[lxfind]

Approving but some of the code will go away in latter PRs from @gdanezis (may want to take a look at his PR to make sure we are porting changes from this PR)

[oxade]

Approving but some of the code will go away in latter PRs from @gdanezis (may want to take a look at his PR to make sure we are porting changes from this PR)

Agreed. Many of the concepts here are based on logic that will go away soon, however I'm not sure of the timelines, so I'm hoping these incremental steps can keep us moving at least.