Add async contract invocation interface

[kostko]

See #120
See #121

Rendered async contract interface docs.

This PR will introduce the following BREAKING CHANGES:

• The RPC client and backend structures will be renamed from ContractClient* to RpcClient* (the ContractClient* prefix will now be used for the async contract interface).
• RPC calls will become stateless (no access to storage), only contract calls will be stateful.

TODO

• Define ECALLs.
• Define RPCs.
• Define how contract APIs will be defined (these will replace current RPC API definitions in contracts, so we may borrow from that).
• Replace Serializable with Encodable (see Consider using RLP for serialization/deserialization #20).
• Contract invocation dispatcher (borrow from RPC dispatcher).
• Compute node support. Currently assume that the contacted node is a leader.
  • Pass through all RPC calls without batching, client will submit calls via RPC.
  • Compute node will check if there is a new batch available and will ask the enclave to provide the batch.
  • Compute node will execute (and later replicate, see Leader forwards batches to workers in a compute replica group #122) batches.
  • Batch execution will provide encrypted outputs. Client may later contact the contract via RPC and provide the proof of publication to get the decryption key.
• Client support. Generate client based on API (borrow from RPC client).

[willscott]

Can missed_calls grow arbitrarily? should we be keeping track of timing to expire these results / be able to eventually garbage collect?

[kostko]

No, if you check above you will notice that the hashmap uses a LRU eviction policy with a fixed size of items (currently arbitrarily set at 2 * max_batch_size).

[willscott]

doc comment examples of using and calling from the client would be great.

[kostko]

You usually use this from a generated client interface (see macros.rs) and not via this method directly. But sure, I can add some more docs. There are examples for RPC under docs/rpc.md, but I haven't ported those over to docs/contract.md - which is a good point and I'll port those over.

[kostko]

I've added documentation into the contract docs.

[pro-wh]

publishing this partial review, so that we don't have to wait forever to see it. some comments are marked as "(me)", which you don't have to respond to.

requesting changes because:

• sgx error and source information is swallowed

[pro-wh]

why is this excluded?

[kostko]

The same reason as the above untrusted crates, it doesn't compile and there is not much we can test there so I didn't bother to look into it yet.

[willscott]

file an issue?

[pro-wh]

what remains to be done directly with the rpc client?

[kostko]

As explained in the updated documentation and in #120, the RPC interface is used for interactive stateless calls to a single contract instance while the contract interface is used for stateful async calls which may be delayed longer and may be executed by multiple nodes.

And the contract client uses the RPC client underneath to initiate the contract calls.

[pro-wh]

how did we used to get away without a , at the end here?

[kostko]

The issue is that rustfmt does not seem to touch macros (only the line length rule is checked).

[pro-wh]

remove completely or revert to etcommon-rlp = "0.xxx"?

[pro-wh]

they want your CLA

[pro-wh]

if the only other field is unused, could we just use the Box directly instead?

[kostko]

The reason for the descriptor is if we need to add some method attributes in the future. We will likely have those and I don't want to remove it now just to add it back later.

[pro-wh]

this causes the key to be duplicated in the value. do we need that? or would Box<ContractMethodHandlerDispatch> be sufficient?

[kostko]

Good point, I think it can be removed.

[pro-wh]

does this result in parsing the arguments an additional time before the dispatch? or does serde_cbor::Value do something magical to save the extra work?

actually how robust is it to parse with SignedContractCall<Generic>? will it work if the actual arguments type has multiple fields? this has to do with how CBOR and the derived procedures deal with multi-field objects. are they stored as the fields packed next to each other with no grouping information? or is there an envelope around them?

[kostko]

does this result in parsing the arguments an additional time before the dispatch?

Yes it does parse it twice.

actually how robust is it to parse with SignedContractCall? will it work if the actual arguments type has multiple fields?

Yes, it will work with arbitrary payloads. I've updated the test case (in call.rs) which previously only tested a simple argument to instead test a more complex structure.

[pro-wh]

it looks like this was later changed to be a "dummy" method rather than an empty method

[pro-wh]

(me) bookmark

[pro-wh]

ok

…

On Sat, Apr 28, 2018, 11:00 AM Jernej Kos ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In .circleci/config.yml <#128 (comment)>: > @@ -18,6 +18,7 @@ jobs: --exclude ekiden-enclave-untrusted \ --exclude ekiden-rpc-untrusted \ --exclude ekiden-db-untrusted \ + --exclude ekiden-contract-untrusted \ The same reason as the above untrusted crates, it doesn't compile and there is not much we can test there so I didn't bother to look into it yet. — You are receiving this because your review was requested. Reply to this email directly, view it on GitHub <#128 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AkdULjWSkNG-3byNllhzCg94aScphC0Mks5ttK5QgaJpZM4TbVae> .

[kostko]

@pro-wh I've addressed most of your review comments, please check.

[willscott]

file an issue?

[willscott]

This seems like the core of this code. why is it a todo?

[kostko]

It is not the core. The core is making contract calls async, adding encryption/decryption is easy once we decide how to do that as this part is not defined in any RFC or the master plan.

And anyway it doesn't make sense to do this until we decide how to produce a "proof of publication" that will be used to reveal the keys. I've defined the RPCs that will be used for that, but we need to define how we will be encrypting stuff before we actually go and implement something.

[kostko]

Added a note about that to our overall tracking issue (#94 (comment)).

[willscott]

why do we hide the docs here?

[kostko]

Because these are internal modules not meant for public use. The only reason why they need to be public is because they export C symbols.

[willscott]

is there another method that should be here?
(OK to defer to a followup PR)

[kostko]

Yes, the contract_reveal_outputs mentioned in contract.md and protocol.rs. The reason why it is not implemented is the same as I mentioned above - we first need to define what the proof of publication is.

[kostko]

Added a note about that to our overall tracking issue (#94 (comment)).

[willscott]

Is this really an Ok decryption, and not an Err?

[kostko]

Yes, this basically means "no state".

[willscott]

also to cbor?

[kostko]

Yup, missed that, thanks!

[willscott]

Does Rs really need to be static?

[kostko]

Yes, note that this is not the lifetime of the value but the lifetime of the type. This basically means that Rs should not store any non-'static references. Also see this Rust RFC.

[willscott]

is this a TODO? should we file a tracking issue?

[kostko]

There is already an issue filed for this, I think it is called cross-contract calls and this needs a lot of design before it can be implemented (see #65).

Comments addressed.