[aptos-framework] Dispatchable Token Standard

[runtian-zhou]

Description

This PR provides a reference implementation for AIP-73. See discussion thread: #12490.

The PR mainly have the following four parts:

• MoveVM related change to:
  • support native functions to return control flow change directive.
  • Add runtime check for cyclic call graph that could be introduced by the dispatch logic
• A function_info.move that mocks the function pointer
• A overloadable_fungible_asset.move that utilizes the function info and dispatch native to allow for a custom withdraw operation
• An example of how a overloadable withdraw function could be implemented as a test.
• WIP: Compiler directive to check the dispatch target function has expected type so the users can get early warnings on type mismatch?

Type of Change

• New feature
• Bug fix
• Breaking change
• Performance improvement
• Refactoring
• Dependency update
• Documentation update

Which Components or Systems Does This Change Impact?

• Validator Node
• Full Node (API, Indexer, etc.)
• Move/Aptos Virtual Machine
• Aptos Framework
• Aptos CLI/SDK
• Developer Infrastructure
• Other (specify)

How Has This Been Tested?

Added tests for all logics added.

Key Areas to Review

A few areas we should focus on:

1. The runtime check implemented in MoveVM is indeed safe.
2. Make sure we charge gas for dispatch properly.
3. Work with ecosystem folks on the public interfaces of dispatchable token module.

Checklist

• I have read and followed the CONTRIBUTING doc
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I identified and added all stakeholders and component owners affected by this change as reviewers
• I tested both happy and unhappy path of the functionality
• I have made corresponding changes to the documentation

[trunk-io]

⏱️ 2h 47m total CI duration on this PR

Job	Cumulative Duration	Recent Runs
execution-performance / single-node-performance	36m	🟥
run-tests-main-branch	36m	🟥 🟥 🟥 🟥 🟥 (+1 more)
rust-unit-tests	26m	🟥
windows-build	23m	🟩
rust-move-unit-coverage	18m	🟩
rust-targeted-unit-tests	6m	⬜
rust-lints	5m	🟥 ⬜
rust-move-tests	4m	🟥
check	4m	🟩
general-lints	2m	🟩
check-dynamic-deps	2m	🟩
file_change_determinator	1m	🟩 🟩 🟩 🟩 🟩 (+1 more)
semgrep/ci	51s	🟩 🟩
permission-check	24s	🟩 🟩 🟩 🟩 🟩 (+1 more)
permission-check	19s	🟩 🟩 🟩 🟩 🟩 (+1 more)
permission-check	18s	🟩 🟩 🟩 🟩 🟩 (+1 more)
file_change_determinator	16s	🟩
permission-check	14s	🟩 🟩 🟩 🟩 🟩 (+1 more)

🚨 1 job on the last run was significantly faster/slower than expected

Job	Duration	vs 7d avg	Delta
run-tests-main-branch	6m	4m

_{settings ⋅ feedback ⋅ docs ⋅ learn more about trunk.io}

[runtian-zhou]

I tried to separate out the components into each individual commits. So reviewing by commit might be better.

[codecov]

Codecov Report

Attention: Patch coverage is 69.62233% with 185 lines in your changes are missing coverage. Please review.

Project coverage is 62.4%. Comparing base (3b3edf1) to head (984aa7e).
Report is 2 commits behind head on main.

Files	Patch %	Lines
aptos-move/aptos-vm/src/aptos_vm.rs	0.0%	94 Missing ⚠️
aptos-move/aptos-vm/src/transaction_validation.rs	0.0%	34 Missing ⚠️
...hird_party/move/move-vm/runtime/src/interpreter.rs	89.9%	20 Missing ⚠️
...ptos-vm/src/verifier/transaction_arg_validation.rs	0.0%	8 Missing ⚠️
aptos-move/framework/src/natives/function_info.rs	93.2%	8 Missing ⚠️
...s-gas-schedule/src/gas_schedule/aptos_framework.rs	0.0%	7 Missing ⚠️
aptos-move/aptos-vm/src/testing.rs	0.0%	4 Missing ⚠️
aptos-move/aptos-vm/src/validator_txns/dkg.rs	0.0%	2 Missing ⚠️
aptos-move/aptos-vm/src/validator_txns/jwk.rs	0.0%	2 Missing ⚠️
...party/move/move-vm/runtime/src/native_functions.rs	92.3%	2 Missing ⚠️
... and 3 more

Additional details and impacted files

@@            Coverage Diff            @@
##             main   #12635     +/-   ##
=========================================
+ Coverage    62.3%    62.4%   +0.1%     
=========================================
  Files         828      830      +2     
  Lines      185844   186363    +519     
=========================================
+ Hits       115858   116390    +532     
+ Misses      69986    69973     -13     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[alnoki]

Is there any way that this support can be extended for primary fungible stores?

Asking since those will be the primary use case for FA transfers

[alnoki]

Nice!

So in this case the deposit function is the one that might implement a tax?

Asking because I don't see an assert for EAMOUNT_MISMATCH

[runtian-zhou]

So the assumption here is we use withdraw_with_ref to get the exact amount from the sender side. So we don't need EAMOUNT_MISMATCH

[alnoki]

So here, the assumption is that once a hot potato FA has been withdrawn, the exact amount will necessarily end up in the receiver store

Correct?

[runtian-zhou]

Yes because we use deposit_with_ref so it has no custom behavior.

[alnoki]

What happens for the two-sided transfer functions in the case that

a. withdraw assesses a tax
b. deposit assesses a tax
c. both assess a tax

?

[runtian-zhou]

That's an interesting case. To avoid double assess maybe we should just use the transfer api so at most one side pays the tax?

[davidiw]

What is the issue? I already pay two taxes in the US ... income and sales 😭

[alnoki]

@davidiw my main concern here is ensuring that a transfer can have either a known amount sent or received

else the accounting for DeFi breaks, since you don't have a known amount deposited into a pool (known receive amount) or withdrawn from a pool (known send amount)

[junkil-park]

Unfortunately, we cannot specify this function because, at the static time, function is unknown, and we do not know the exact behavior of this native function dispatchable_withdraw.

It would be useful to observe some instances of overloaded functions and see what properties we can specify for them.

[davidiw]

maybe these should be optional and we need balance and something else, @movekevin

[davidiw]

This should be a wrapper around withdraw, the happy path is that the FA isn't frozen and that this isn't used. We'll also need to see performance of the global freeze.

[davidiw]

What is the issue? I already pay two taxes in the US ... income and sales 😭

[davidiw]

something seems off here where is the ownership check?

[igor-aptos]

freeze has a different meaning.

Let's call this differently / more descriptively, and not share error codes.

maybe DelegatedToOverloaded? ActionsOverloaded?
also, can only one of the withdraw/deposit be overloaded, or do both need to be simultanously? or if either is, we just ask them to go through the other api anyways?

[zekun000]

overall looks reasonable to me

[zekun000]

i guess it's impossible to re-enter a script?

[runtian-zhou]

Yea script has to be always on the top most frame only.

[zekun000]

this seems pretty hacky

[vgao1996]

This is indeed a hack, but it's due to a limitation of our current implementation -- native functions lack access to the real gas meter, so to do the metering properly, we exit from the native function and then instruct the Move VM to do the actual work.

We have considered various alternatives and non of them is trivial.

[zekun000]

do we ensure the function is public? otherwise it can be upgraded and even change the function signature

[igor-aptos]

do we want to be even stricter, and require it to be un-upgradeable?

[davidiw]

I think it needs to be a public function -- otherwise this check needs to be performed each transfer.

I think it ought to be upgradeable -- not sure why we'd restrict it that way.

[igor-aptos]

do we want to be even stricter, and require it to be un-upgradeable?

[sherry-x]

we don't add features in the default release yaml file anymore, they will be enabled separately. if you want you can create a dispatchable.yaml file in the same folder

[github-actions]

✅ Forge suite realistic_env_max_load success on 984aa7efffb7fe269d458888ba4b9d1843c03e7c

two traffics test: inner traffic : committed: 7732 txn/s, latency: 5070 ms, (p50: 4800 ms, p90: 6000 ms, p99: 11100 ms), latency samples: 3340340
two traffics test : committed: 100 txn/s, latency: 2041 ms, (p50: 1800 ms, p90: 2200 ms, p99: 8200 ms), latency samples: 1760
Latency breakdown for phase 0: ["QsBatchToPos: max: 0.205, avg: 0.201", "QsPosToProposal: max: 0.281, avg: 0.248", "ConsensusProposalToOrdered: max: 0.472, avg: 0.436", "ConsensusOrderedToCommit: max: 0.406, avg: 0.383", "ConsensusProposalToCommit: max: 0.858, avg: 0.819"]
Max round gap was 1 [limit 4] at version 1467624. Max no progress secs was 6.476503 [limit 15] at version 1467624.
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Validator CPU Profile
• Fullnode CPU Profile
• Test runner output
• Test run is land-blocking

[github-actions]

✅ Forge suite compat success on aptos-node-v1.10.1 ==> 984aa7efffb7fe269d458888ba4b9d1843c03e7c

Compatibility test results for aptos-node-v1.10.1 ==> 984aa7efffb7fe269d458888ba4b9d1843c03e7c (PR)
1. Check liveness of validators at old version: aptos-node-v1.10.1
compatibility::simple-validator-upgrade::liveness-check : committed: 5327 txn/s, latency: 5682 ms, (p50: 5000 ms, p90: 9900 ms, p99: 11700 ms), latency samples: 229100
2. Upgrading first Validator to new version: 984aa7efffb7fe269d458888ba4b9d1843c03e7c
compatibility::simple-validator-upgrade::single-validator-upgrade : committed: 1836 txn/s, latency: 15675 ms, (p50: 18300 ms, p90: 22300 ms, p99: 22600 ms), latency samples: 91840
3. Upgrading rest of first batch to new version: 984aa7efffb7fe269d458888ba4b9d1843c03e7c
compatibility::simple-validator-upgrade::half-validator-upgrade : committed: 1846 txn/s, latency: 15672 ms, (p50: 19000 ms, p90: 22600 ms, p99: 23100 ms), latency samples: 90460
4. upgrading second batch to new version: 984aa7efffb7fe269d458888ba4b9d1843c03e7c
compatibility::simple-validator-upgrade::rest-validator-upgrade : committed: 3481 txn/s, latency: 9219 ms, (p50: 9600 ms, p90: 12700 ms, p99: 13000 ms), latency samples: 146240
5. check swarm health
Compatibility test for aptos-node-v1.10.1 ==> 984aa7efffb7fe269d458888ba4b9d1843c03e7c passed
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Validator CPU Profile
• Fullnode CPU Profile
• Test runner output
• Test run is land-blocking

[runtian-zhou]

cc @brianrmurphy