[RFC][libra-framework] Refactored prologue out of LibraAccount

[runtian-zhou]

Motivation

Moved all transaction related logic outside of LibraAccount and refactored prologue and epilogue logic into a single module.

For the LibraAccount module there will be two public apis: check_sender and charge_transaction, which is the LibraAccount related logic that is extracted out from the old prologue and epilogue.

Justification:

1. All transaction prologue and epilogues will now be grouped into one module. Now Block Prologue is the only function that LibraVM invokes that is outside of this module.
2. Cleaned up the bump_sequence_number ugliness in the writeset epilogue.
3. Move all Libra transaction related logic outside of LibraAccount module.
4. Maximize the code shared across different prologues and epilogues.

I haven't fixed the code in libra_vm invokation so tests are guarenteed to fail. Just want to know how people feel like about this rework. Will fixup tests if people are happy about this.

Have you read the Contributing Guidelines on pull requests?

Yes

Test Plan

Haven't tested yet.

[runtian-zhou]

This is the newly created module for transaction prologues and epilogues (what used to be LibraWriteSetManager).

[sblackshear]

I wonder if we can come up with a name conveying that this has transaction processing business logic rather than defining the structure of transactions (e.g., there's no struct Transaction here). Maybe TransactionManager, TransactionLifecycle, TransactionProcessing?

[runtian-zhou]

Note that although this function is public, it is not invokable from regular user scripts as it will cause the sequence number to be incremented and thus fail the assertion at line 885.

[sblackshear]

I don't understand--can't the caller choose any value they want for txn_sequence_number? E.g.

fun my_evil_function(signer: &signer) {
  let any_num_i_want = 7;
  LibraAccount::epilogue(signer, signer, 0, any_num_i_want);
}

[MIRAI-bot]

[move-prover] Move Prover test (language/move-prover/cargo test) on commit 2028e60 did fail. See details.

[jolestar]

It is possible to support a new type of visibility in Move, similar to java's protected or rust's pub(crate), where the methods that use this visibility can only be called by the modules at the same address.

[runtian-zhou]

It is possible to support a new type of visibility in Move, similar to java's protected or rust's pub(crate), where the methods that use this visibility can only be called by the modules at the same address.

I'd really love for support like that. But IMHO we don't have a clear path towards it anytime soon as supporting such feature will actually need to change the bytecode format + bytecode verifier, which seems to be a bit heavy right now.

[bob-wilson]

I really like this change, but I have reservations about doing this kind of refactoring so long after our feature-complete date. What about if we put all the prologue/epilogue code into LibraAccount (where most of it is already) instead of creating a new module? It wouldn't be as nicely factored but it seems like it would achieve most of the benefits with far less churn in the code.

[runtian-zhou]

I really like this change, but I have reservations about doing this kind of refactoring so long after our feature-complete date. What about if we put all the prologue/epilogue code into LibraAccount (where most of it is already) instead of creating a new module? It wouldn't be as nicely factored but it seems like it would achieve most of the benefits with far less churn in the code.

I think the major concern is that we need to expose charge_transaction even if we keep the current structure of code. The only gain that buys us is that the LibraVM will remain unchanged.

[bob-wilson]

I think the major concern is that we need to expose charge_transaction even if we keep the current structure of code. The only gain that buys us is that the LibraVM will remain unchanged.

Why? Wouldn't all the callers be in the LibraAccount module so that charge_transaction could be private?

[sblackshear]

unused? Did you mean to assert Signer::address_of(vm_signer) == VM_RESERVED_ADDRESS?

[sblackshear]

I don't understand--can't the caller choose any value they want for txn_sequence_number? E.g.

fun my_evil_function(signer: &signer) {
  let any_num_i_want = 7;
  LibraAccount::epilogue(signer, signer, 0, any_num_i_want);
}

[sblackshear]

Did we decide to use Errors here as well? @tnowacki @tzakian

[tnowacki]

#5876

I have a PR up to use Errors everywhere. We should probably get that in first

[sblackshear]

Add a comment about chain_id?

[sblackshear]

Suggested change

	/// - That the sequence number matches the transaction's sequence key
	/// - That the account's sequence number matches the transaction's sequence number

[sblackshear]

Should we call prologue_common here instead of this to resolve the TODO below?

[sblackshear]

This + the 0 gas price feels a bit icky and is making me wonder whether we want separate LibraAccount::gas_prologue and LibraAccount::replay_prevention_prologues (or similar...)

[sblackshear]

Maybe do assert(txn_gas_price <= MAX_U64 / gas_used) to avoid the u128 conversions?

[sblackshear]

I find this comment confusing given that the actual charging happens in LibraAccount. This part is just sanity-checking the gas price and gas unit values.

[sblackshear]

Agreed with you that these are now the same and we can kill one of them.

[tnowacki]

Also very worried about making a change like this so late.

Why? Wouldn't all the callers be in the LibraAccount module so that charge_transaction could be private?

Do we have an answer on this? I think that if we don't need to expose new public APIs, we shouldn't do it. Even if it means more code duplication.
In short, I don't really yet buy many of the motivations outlined in the summary, but could be convinced otherwise

Additionally, we should really re-evaluate this after #5876. There would only need to be a single epilogue in LibraAccount and might help us look at things differently