[storage_gas] implement customizable storage gas config

[lightmark]

Description

We implement a customizable curve for storage-based gas base unit and map x <-[0, 10000] to y<-[0, 10000].
storage gas = min_gas + (max_gas - min_gas) * (current_usage / target_utilization)

The curve is a vector of point(x, y), both are basis points.

1. curve's points' y value must be monotonically non-decreasing, and x values must be monotonically increasing.
2. curve's points must start with a point of x = 0 and end with a point of x = 10000.

Test Plan

ut

---

This change is 

[davidiw]

Cool stuff.

However, this is a breaking change.

We can't just delete GasParameter but we can stop using it.

We'll also need to figure out how to upgrade long lived testnet.

[wrwg]

This is not a compatible change. I have not seen a clean indicating on slack that we are ok with breaking changes now.

Frankly, I also think this is a lot of new code in the last minute. There are little tests with this code, or do I miss them?

[wrwg]

You can't remove this without reset of the chain.

[lightmark]

That's something we'll discuss with @davidiw ... Yeah, I guess I have to keep and put it to the end of the file for now tho.

[vgao1996]

Overall LGTM! Thanks for the hard work!

[vgao1996]

This could only happen when i == 0, right?

[lightmark]

yes. it is a corner case.

[vgao1996]

Then I wonder if it's clearer to replace the is with 0s?

[vgao1996]

Since you already checked the points at the two ends, you can just loop from i = 0 to (len - 2) inclusive and get rid of the special checks.

[lightmark]

I checked the points at the ends. but if doesn't tells me points[len - 1].x < end_point.x and points[len - 1].y <= end_point.y. So tho I have len points, actually we have len + 2 in total and have to compare len + 1 pairs that's why we loop i in [0, len], which has len + 1 iterations.

[vgao1996]

@msmouse when we discussed previously, you said something like "we want the the cost to be 1.15x of the base cost at 50% utilization". However here it's base + 0.15x the max price hike. Just to double check: which one is correct?

[msmouse]

0.15x the max price hike
^ is what I meant, sorry

[msmouse]

beautiful

[movekevin]

Why do we need this extra function? Can't we just call storage_gas::set_config directly?

[lightmark]

we can. But I think @vgao1996 insists we control gas-related params from a single module.

[vgao1996]

Can't we just call storage_gas::set_config directly?

I'm totally fine with calling storage_gas::set_config directly.

@vgao1996 insists we control gas-related params from a single module.

Well I did prefer us having a single entity to manage all gas-related stuff, but my definition for this single entity is pretty broad -- the combined group of "gas_schedule" & "storage" gas is conceptually still a single entity to me ;)

[vgao1996]

With that being said I remember there were some technical issues preventing us from having everything in the same module in the first place, that is, modules cannot have cyclic dependencies and I have a feeling that the same issue also applies here.

Correct me if I'm wrong:

When we update the gas schedule, we want to call reconfigure(), so the module this entry point is in needs to depend on reconfiguration. However, storage_gas has an on_reconfig event so the reconfiguration module needs to depend on it. Therefore we cannot really call reconfigure() in storage_gas, but have to do it in a different module...

[lightmark]

@vgao1996 is correct about the reconfig. Yes, we want reconfig after set_storage_gas_config but we cannot do it inside storage_gas. we can only set_config inside.

[movekevin]

This is not compatible with LLT as we'd not redo genesis. @areshand @wrwg Do you know if a module's initialize function would be called on a package republish if the module is brand new?

[lightmark]

uhhhh, we definitely need a way to initialize the module. But what do you mean by republish?

[lightmark]

alright. It seems I have to rename it as "init_module"

[wrwg]

What you should be able to do is add an init_module which calls this function here. This should cover the case when the module is loaded the first time during upgrade, whereas this function covers genesis.

[movekevin]

Why add these checks now? If this fails, it crashes the entire network

[lightmark]

if the check doesn't fail, the next line will also fail, right?

[movekevin]

You can delete friend-only functions now I think. cc @wrwg

[lightmark]

let me try.

[movekevin]

Can we just remove this then?

[lightmark]

it breaks the module_upgrade_test

[movekevin]

Weird cc @wrwg. I'm not aware of friend statements being checked in compatibility validation

[wrwg]

The friend_a_private feature is merged, but the feature isn't on by default. And it can't be turned on before rolled out, strictly spoken (because of replay).

For now any changes to friend function or module declarations will cause the upgrade to fail. But we can clean this once we upgraded testnet. So keep everything for now, remove later.

[lightmark]

I think it changes visibility. It took me a while to figure it out.

[wrwg]

The friend M decls need to be a superset of the old module. With the new feature this check is not longer happening, but you can't use that yet.

[movekevin]

These are not visible to end users, but can we still add comments here explaining what these error codes are for?

[lightmark]

to me it is quite self-explanatory. But I can add some.

[movekevin]

Did you verify that this works in the context of a package upgrade?

[lightmark]

Is there an easy way to do that?
is that something fn init_module() tries to do?

[movekevin]

Can this fail? If this fails, it crashes the network

[lightmark]

all the code triggered by reconfig will crash the network if fails. I think we avoid all the possible overflow issues. But if you can anything risky, I am glad to discuss.

[github-actions]

Forge is running suite land_blocking on 82e3a4493d70d868862a9b7c4434f7e01e12398b

• Grafana dashboard (auto-refresh)
• Humio Logs
• (Deprecated) OpenSearch Logs
• Test runner output
• Test run is land-blocking

Forge is running suite compat on testnet ==> 82e3a4493d70d868862a9b7c4434f7e01e12398b

• Grafana dashboard (auto-refresh)
• Humio Logs
• (Deprecated) OpenSearch Logs
• Test runner output
• Test run is land-blocking

✅ Forge suite land_blocking success on 82e3a4493d70d868862a9b7c4434f7e01e12398b

performance benchmark with full nodes : 7933 TPS, 4998 ms latency, 8700 ms p99 latency,no expired txns
Test Ok

• Grafana dashboard
• Humio Logs
• (Deprecated) OpenSearch Logs
• Test runner output
• Test run is land-blocking

✅ Forge suite compat success on testnet ==> 82e3a4493d70d868862a9b7c4434f7e01e12398b

Compatibility test results for testnet ==> 82e3a4493d70d868862a9b7c4434f7e01e12398b (PR)
1. Check liveness of validators at old version: testnet
compatibility::simple-validator-upgrade::liveness-check : 8158 TPS, 4646 ms latency, 7300 ms p99 latency,no expired txns
2. Upgrading first Validator to new version: 82e3a4493d70d868862a9b7c4434f7e01e12398b
compatibility::simple-validator-upgrade::single-validator-upgrade : 6044 TPS, 5980 ms latency, 8000 ms p99 latency,no expired txns
3. Upgrading rest of first batch to new version: 82e3a4493d70d868862a9b7c4434f7e01e12398b
compatibility::simple-validator-upgrade::half-validator-upgrade : 5920 TPS, 6279 ms latency, 8500 ms p99 latency,no expired txns
4. upgrading second batch to new version: 82e3a4493d70d868862a9b7c4434f7e01e12398b
compatibility::simple-validator-upgrade::rest-validator-upgrade : 7603 TPS, 4657 ms latency, 7000 ms p99 latency,no expired txns
5. check swarm health
Compatibility test for testnet ==> 82e3a4493d70d868862a9b7c4434f7e01e12398b passed
Test Ok

• Grafana dashboard
• Humio Logs
• (Deprecated) OpenSearch Logs
• Test runner output
• Test run is land-blocking

Forge is running suite compat on testnet ==> dca00b535428b63341fbc4733f2b2c30a1973b00

• Grafana dashboard (auto-refresh)
• Humio Logs
• (Deprecated) OpenSearch Logs
• Test runner output
• Test run is land-blocking

Forge is running suite land_blocking on dca00b535428b63341fbc4733f2b2c30a1973b00

• Grafana dashboard (auto-refresh)
• Humio Logs
• (Deprecated) OpenSearch Logs
• Test runner output
• Test run is land-blocking

✅ Forge suite land_blocking success on dca00b535428b63341fbc4733f2b2c30a1973b00

performance benchmark with full nodes : 7599 TPS, 5221 ms latency, 7500 ms p99 latency,no expired txns
Test Ok

• Grafana dashboard
• Humio Logs
• (Deprecated) OpenSearch Logs
• Test runner output
• Test run is land-blocking

✅ Forge suite compat success on testnet ==> dca00b535428b63341fbc4733f2b2c30a1973b00

Compatibility test results for testnet ==> dca00b535428b63341fbc4733f2b2c30a1973b00 (PR)
1. Check liveness of validators at old version: testnet
compatibility::simple-validator-upgrade::liveness-check : 8270 TPS, 4524 ms latency, 8300 ms p99 latency,no expired txns
2. Upgrading first Validator to new version: dca00b535428b63341fbc4733f2b2c30a1973b00
compatibility::simple-validator-upgrade::single-validator-upgrade : 5807 TPS, 6176 ms latency, 8300 ms p99 latency,no expired txns
3. Upgrading rest of first batch to new version: dca00b535428b63341fbc4733f2b2c30a1973b00
compatibility::simple-validator-upgrade::half-validator-upgrade : 6128 TPS, 6016 ms latency, 7900 ms p99 latency,no expired txns
4. upgrading second batch to new version: dca00b535428b63341fbc4733f2b2c30a1973b00
compatibility::simple-validator-upgrade::rest-validator-upgrade : 7757 TPS, 4660 ms latency, 8800 ms p99 latency,no expired txns
5. check swarm health
Compatibility test for testnet ==> dca00b535428b63341fbc4733f2b2c30a1973b00 passed
Test Ok

• Grafana dashboard
• Humio Logs
• (Deprecated) OpenSearch Logs
• Test runner output
• Test run is land-blocking

[movekevin]

Approved pending the potential risk of storage_gas::on_reconfig() aborting. I double checked and didn't see any potential aborts beyond overflow/underflow. Would be great to have @vgao1996 and @davidiw double check this as well

[lightmark]

@davidiw @vgao1996 Can our SMART smart contract engineers help review the code to reassure us that it will not abort in any cases?

1. line 209 would not overflow because, line 186 checks max_usage * BASIS_POINT_DENOMINATION <= u64::MAX
2. Please review the binary search logic is valid.
3. Please check 239 will not overflow or underflow( such as current_usage_bps - left.x).

Some background:
in validate_curve(), we check 0 <= point.x, point.y <= BASIS_POINT_DENOMINATION, x is strictly monotonically increasing while y is monotonically non-decreasing;
max_gas * BASIS_POINT_DENOMINATION <= u64::MAX.

[vgao1996]

Yeah when I read this part of the code previously I also checked that the code would not overflow/underflow

Unblocking... Haven't reviewed

[msmouse]

@lightmark This is wrong.. the base 8192 curve is for max / min = 100x, the base 1M curve is for 1000x..

But none the less, we need to update these together with @vgao1996 's initial gas parameters. @vgao1996 if I'm reading your pending diff correctly, we should set min_price for read to be 1000, which is the value of load_data.per_byte in the current schedule, right? And according to the discussion yesterday, the max will be 100x that, if we are going with the base 8192 curve.

[vgao1996]

Yes

[vgao1996]

We should set both in the same governance proposal.

[msmouse]

And / or we should send another PR to make init_module set things to the "correct" numbers already?