feat: composite queries

[crusso]

Add new form of composite query that:

• can call other queries and composite queries
• can't be called from updates
• can't do async expressions (no way to queue up a callback since state is lost)
• can't call local async or async* (because those might contain update calls)

From the (informal) doc:

Composite query functions

Although queries can be fast, when called from a frontend, yet trusted though slower, when called from an actor, they are also limited in what they can do. In particular, they cannot themselves issue further messages, including queries.

To address this limitation, the Internet Computer supports another flavour of query function called a composite query. Like plain queries, the state changes made by a composite query are transient, isolated and never committed. Moreover, composite queries cannot call update functions, including those implicit in async expressions (which require update calls under the hood). Unlike plain queries, composite queries can call query functions and composite query functions, on the same and other actors, but only provided those actors reside on the same subnet.

As a contrived example, consider generalising the previous Counter actor to a class of counters. Each instance of the class provides an additional composite query to sum the values of a given array of counters:

actor class Counter () {

  var count = 0;

  // ...

  public shared query func peek() : async Nat {
    count
  };

  public shared composite query func sum(counters : [Counter]) : async Nat {
    var sum = 0;
    for (counter in counters.vals())  {
      sum += await counter.peek();
    };
    sum
  }

}

Declaring sum as a composite query enables it call the peek queries of its argument counters.

While update message can call plain query functions, they cannot call composite query functions. This distinction, which is dictated by the current capabilites of the IC, explains why query functions and composite query functions are regarded as distinct types of shared functions.

Note that the composite query modifier is reflected in the type of a composite query function:

  sum : shared composite query ([Counter]) -> async Nat

Since only a composite query can call another composite query, you may be wondering how any composite query gets called at all? The answer to this chicken-and-egg problem is that composite queries are initiated outside the IC, typically by an application (such as a browser frontend) sending an ingress message invoking a composite query on a backend actor on the IC.

c.f. dfinity/interface-spec#144

• positive tests
• negative tests
• RTS support (subtyping, IDL validation etc)
• doc
• gc (to GC or not at end of each message)? We currently do a (redundant?) GC for composite queries
• imports
• inspect_message support? Since composite queries can't be called as updates, perhaps they don't matter at all?
• I had to modify cycles adding and refund logic to avoid calling ic0.call_cycles_add128/ic0.cycles_refunded128 unless necessary - these aren't supported for composite query callbacks (see spec).
• More accurate Lifetime modelling - we currently reuse state Lifecycle.InUpdate since callbacks are always in this state (and changeing that statically is tricky without introducing new forms of callback for CompositeQueries. Adding a new state would allow us to suppress GC at the end of each message, if desired, and more elegantly rule out forbidden ops like adding non-zero cycles, observing refunds. Of course, we could also just set a global to disable these until all state-changes are aborted at the end. Might be simpler.
• regenerate ok test output once ic-ref available again by merge with master. At the moment, I can manually run the new tests, but can't accept their output. They pass, trust me.
• better error messages, distinguishing capability (send update, send query, send composite query, perhaps) required.
• enable ic-ref tests (once ic-ref supports composite queries)
• add keyword composite to idl, local highlight.js

[github-actions]

Comparing from c09b751 to aaa9cfc:
In terms of gas, 3 tests regressed, 1 tests improved and the mean change is -0.0%.
In terms of size, 4 tests regressed and the mean change is +0.0%.

[crusso]

@rvanasa added you as a reviewer just so you are aware of what needs to change for VSCode, if anything (there's a new keyword composite that can appear in several places (see grammar.txt in PR)

[luc-blaeser]

This means that inspect is not called for composite queries? Or is the message argument for shared composite query simply mapped to shared query?

[crusso]

Inspect is indeed not called for composite queries (in my understanding) so we don't even include them in the variant type.

[crusso]

Just to clarify, even for querie method, inspect is only called if the method is invoked as an (ingress) update call (with consensus). It's not used for the faster query calls (no-concensus). Very confusing.

Since composite query methods can't be called with (ingress) update calls, just (ingress) query calls, there is no need to include them here.

[luc-blaeser]

Including composite as reserved keyword impacts backward compatibility (former identifiers named composite become invalid). This would technically be a breaking change, isn't it?

[crusso]

Yes, it is, but probably won't break many. Maybe we should bump to 0.10?

[crusso]

Another alternative would be to use composite_query (ugly IMO) or query* (confusing, subtle IMO)

[luc-blaeser]

I think composite query is much nicer to read. (Another possibility would be to introduce non-reserved keywords but the complexity is not worth it.) I would keep the current syntax.

[luc-blaeser]

I heard that update calls cannot invoke composite queries. Just for curiosity: Is it a technical reason? Or a conceptual aspect?

[crusso]

When an update calls a query, the query is actually executed in replicated mode for concensus on the result (state change is still discarded).
Similary, inspect message is only called for query functions that are executed in update mode (with concensus), not ordinary fast queries.
I suspect that replicated composite queries are much harder to implement and haven't been tackled yet, and might not be.

[luc-blaeser]

Thanks for the explanation.

[luc-blaeser]

Maybe we should mention that each composite query call rolls back its state on function exit, and also does not pass state changes to sub-query or sub-composite-query calls. Therefore, repeated calls (which includes recursive calls) have different semantics than in classical procedural execution (like with update calls).

[crusso]

Will do, I was shying away from this ;->

[luc-blaeser]

Maybe, we could also just reference the general design description of that feature, because it is not a Motoko-specific aspect?

[crusso]

I've added some clarification, plus an example.

[luc-blaeser]

Great explanation!

[luc-blaeser]

Just to double check: The subsequent state of the lifecycle is Idle and not PostQuery for composite queries?

[crusso]

Yes, this is an unfortunate hack. For queries, you can just generate the atomic body and enter PostQuery. But composite queries are not atomic, so you need to enter some state after every callback. Unfortunately, the code for generating callbacks always enters InUpdate and its hard to make the transition conditional.
I couldn't see any (easy) way to enter a different state without complicated the rest of the code to track whether we are in an ordinary callback or a composite callback. I could may set and test a global but that seemed gross too.

As far as I know, the Lifecycle stuff is just for sanity checking, so I think we are just losing some accuracy here.

[luc-blaeser]

Probably, the error message is not very specific if the call between the modes update/query/composite query is not supported. But this is only cosmetics, one could always polish error messages...

[crusso]

Yes, I was considering revising those (maybe splitting send capability into update query and composite query capability.
Maybe this is the right time to do it.

[luc-blaeser]

This is nothing important, could be also done later. I guess we can do that as part of an error message improvement work (together as a team across the entire compiler).

[luc-blaeser]

I like that Motoko offers composite query calls with static checking.
Nice compiler implementation and documentation of this feature.

[crusso]

@luc-blaeser, if you could take another (quick) look, I've improved the error messages (a bit) and added some more doc about side-effects.

contrecoeur indeed.

[luc-blaeser]

@luc-blaeser, if you could take another (quick) look, I've improved the error messages (a bit) and added some more doc about side-effects.

Very clear explanation. I would say it is ready to merge...

[ggreif]

Maybe add a note that composite queries cannot be run in replicated mode (as opposed to normal queries).
Line 1290 has it.