cmd, core, params, trie: Add verkle access witness

[gballet]

This is a rewrite of #29234 that uses the simplified approach suggested by @holiman

[gballet]

vmenv actually has an unexported rules field that I would like to be able to access instead of having to pass extra headers. Would that be an option?

[holiman]

Yeah could either make the chainRules accessible, or use a vmenv.ChainConfig().Rules(header.Number, header.Time) new instance

[holiman]

This little thing iterates form VersionLeafKey to CodeSizeLeafKey, it's not apparent to me why this does so.In TouchAndChageMessageCall, we only use those two, not the things in between. Please add some comments

[holiman]

WHy, nonce is not needed here, it's just a balance increase?

[rjl493456442]

Have the same feeling.

As account fields are stored in different position in leafNode. The state access granularity is actually a field. It brings lots of complexity for gas metering.

Nothing to against the implementation, just want to mention that gas metering could be wrong very easy.

[holiman]

All of these implicitly ComputeGas, no? But some have it in the name and some don't, so just drop it imo

[gballet]

indeed some don't, I changed their names and the API to reflect that.

[holiman]

I'd prefer if you make opExtCodeCopyVerkle and put in eips. That way we know that the verkle-things do not interfere with pre-verkle, not even adding an extra if-clause check. Same for other changed ops in this file

[holiman]

Ping

[gballet]

it's not great, because if any operation is changed between the time I copy the code and the time the Osaka fork is activated, there is a regression risk. I would rather try to move it to a dynamic gas function if I can.

[gballet]

and who knows how these functions, especially the introspecting ones, are going to change when/if EOF is added to Prague and the spec finalized.

[gballet]

right, I guess I could just call the previous handler and just add the extra gas costs, to avoid regressions.

[fjl]

Probably needs a new GasChange reason here

[rjl493456442]

Have the same feeling.

As account fields are stored in different position in leafNode. The state access granularity is actually a field. It brings lots of complexity for gas metering.

Nothing to against the implementation, just want to mention that gas metering could be wrong very easy.

[rjl493456442]

Please replace it with github.com/ethereum/go-verkle

[gballet]

not sure what you mean here, this is what is already happening line 35? 🤔

[rjl493456442]

Shouldn't it be IsEIP4762?

[gballet]

nope, access lists are a concept of 2929 that is deactivated with 4762

[holiman]

Is there any particular reason why you are placing all these calls to AccessList within isEIP2929 clauses?
I mean, you could just let the call happen, couldn't you?

[gballet]

I could, but it's not supposed to happen (even if it has no obvious impact afaict)

[rjl493456442]

Shouldn't we only mutate the balance field?

[holiman]

And this could just take the params.Rules, couldn't it?

[holiman]

Why is this needed? We're going to Call into that address, shouldn't that add it later on?

[gballet]

because when it comes to witnesses, these costs are paid for the 21000 gas. All other calls are paid for. If this is moved to the Call, I have to add an if somewhere to distinguish between the top-level call, and any other, nested call.

[holiman]

All of these needs docstrings. What assumptions are used here, regarding the caller? For example, is it "ok" if the caller first invokes BalanceGas(.., false) then BalanceGas(.., true)?
What are the side-effects?

For example. in beacon consensus engine, this method is invoked:

state.AccessEvents().BalanceGas(w.Address[:], true)

It's not clear to me why. What are the side-effects of that invocation? Because clearly we're not concerned about the gas cost.

[gballet]

All of these needs docstrings. What assumptions are used here, regarding the caller? For example, is it "ok" if the caller first invokes BalanceGas(.., false) then BalanceGas(.., true)? What are the side-effects?

The previous version of this PR was more explicit, it defined ReadWriteMode and so this is what things are: if a location is accessed in "read" mode, the price is cheaper than if they are accessed in "write" mode.

[holiman]

Whoa, you just copy the pointcache so the original and the copy now uses the same instance? Is that safe?

[holiman]

Shouldn't this only be set if verkle is active?

[rjl493456442]

Also, inside of evm.Reset, the txContext.AccessEvents will also be initialized. Is it a bit redundant? Or some mistakes here?

[gballet]

it's not a mistake, one needs to start with an empty access event list when starting a conversion.

[rjl493456442]

Also, inside of evm.Reset, the txContext.AccessEvents will also be initialized. Is it a bit redundant? Or some mistakes here?

[rjl493456442]

I think it's wrong here.

In EIp158, we introduce a rule that at most 63/64 gas could be used in a inner call, therefore the gas for CALL opcode should be fully computed, and then 1/64 remaining gas will be deducted for this rule.

However in this pull request, the verkle specific gas is deducted after this rule. It's a behavioral change.

suggested change:

-       if transfersValue && !evm.chainRules.IsEIP4762 {
+       if transfersValue {
                gas += params.CallValueTransferGas
        }
        memoryGas, err := memoryGasCost(mem, memorySize)
@@ -394,7 +394,14 @@ func gasCall(evm *EVM, contract *Contract, stack *Stack, mem *Memory, memorySize
        if gas, overflow = math.SafeAdd(gas, memoryGas); overflow {
                return 0, ErrGasUintOverflow
        }
-
+       if evm.chainRules.IsEIP4762 && transfersValue {
+               // Deduct the gas cost for value transfers according to the legacy rules.
+               gas -= params.CallValueTransferGas
+               gas, overflow = math.SafeAdd(gas, evm.AccessEvents.ValueTransferGas(contract.Address().Bytes()[:], address.Bytes()[:]))
+               if overflow {
+                       return 0, ErrGasUintOverflow
+               }
+       }
        evm.callGasTemp, err = callGas(evm.chainRules.IsEIP150, contract.Gas, gas, stack.Back(0))
        if err != nil {
                return 0, err
@@ -402,15 +409,6 @@ func gasCall(evm *EVM, contract *Contract, stack *Stack, mem *Memory, memorySize
        if gas, overflow = math.SafeAdd(gas, evm.callGasTemp); overflow {
                return 0, ErrGasUintOverflow
        }
-       if evm.chainRules.IsEIP4762 {
-               if transfersValue {
-                       gas, overflow = math.SafeAdd(gas, evm.AccessEvents.ValueTransferGas(contract.Address().Bytes()[:], address.Bytes()[:]))
-                       if overflow {
-                               return 0, ErrGasUintOverflow
-                       }
-               }
-       }

[gballet]

so for the part where the sent value is concerned, this is the correct behavior:

[gballet]

I had to think about the other part a little, but I am now convinced that you are correct.

[holiman]

One thing that bothers me a bit, with how the access events are designed: you do e.g. BalanceGas, which does two things:

1. Adds it to the access events
2. Returns how much it cost

This means that the evm cannot first check if the cost is covered, and then proceed (or not). As it is, the effective gas cost is the "available gas", not the cost.

This is problematic in the following case.
1.Y: Call contract X with near-zero gas
2. X: load slot 1
3. X: The load operation fails because insufficient gas for adding to witness
4.Y: Call contract X with near-zero gas
5. X: load slot 2
6. X: The load operation fails because insufficient gas for adding to witness
7. repeat

The end result is that we've added N slots to the witness, bloating it, at the cost of ~100 (the cost of a call to a warm address, plus a little more). Whereas the 'true' cost would have been something like N x ( (WitnessBranchReadCost @ 1900) + (WitnessChunkReadCost @ 200))

Now, the same is true for a few other ops, notably the access lists. However, the access lists are journalled, which makes this attack moot. This can be fixed, if the design is changed so that either

1. The methods to "add and return cost" takes a availableGas parameter, and aborts if the cost is higher than that
2. The methods to "add and return cost" is split into two: return cost and add, where the first is pure, the second just executes the change without any checks.

[holiman]

All in all, I'm fairly confident that this does not break existing code. Did you run it on any of the benchmarkers in prod at all? Or somewhere else.. ?

[holiman]

IMO we should rename IsEIP4762 to IsVerkle, to make things easier for a casual reader

[gballet]

I could, but here's the thing: EIP4762 and verkle are two separate things, eip4762 pertains to statelessness while verkle is a specific implementation of statelessness (i.e. if for whatever reason we switch to another state tree later, eip4762 will still apply).