Frontier: Support for EVM Weight V2

crystalin · March 30, 2023, 7:35pm

Challenges

Currently, the gas used in the EVM matches (more or less) the cpu time
being used by the OPCODEs executed. However, with the limitation of the PoV size
required by the relaychain, it is not enough to just rely on the cpu time.

How do we account for the Proof Size when executing an EVM transaction ?
How do we restrict the Proof Size of an EVM Transaction ?

1. Accounting for the Proof Size

The solution we are proposing is to change the EVM Gasometer to add another dimension to the execution, counting every read to the storage and comparing to a given limit (see 2.).

In the case the limit of the Proof Size is reached, a revert message with “out-of-proof-size” (probably converted to “out-of-gas” for compatibility) will be triggered.

Subcall accounting

At the difference of the gasLimit, which can be provided in a subcall, the Proof Size limit will be independant and will always be to the remaining proof size when executing the subcall.

Once the PR for using a dedicated storage for the Smart Contract code size is merged, it will be possible to check and charge directly the amount of Proof Size needed to perform a sub-call

Example:

Smart Contract A calls Smart contract B (5kB)
- Gasometer: checks proof size > 5kB, reduces proof size remaining by 5kB
Smart Contract B accesses 10 storages of 32 bytes
- Gasometer: checks proof size > 32 bytes (for each access), reduces total proof size remaining by 320B
Smart Contract B calls Smart Contract C (9kB) with 10_000 gasLimit
- Gasometer: checks proof size > 9k (doesn’t matter the gasLimit value), reduces proof size remaining by 9kB

In order to succeed, the proof size limit should be at least 5kB + 320B + 9kB=> ~15kB

2. Computing the Proof Size limit

In order to avoid Ethereum Transactions from abusing the Proof Size,
each transaction needs to have an associated limit for the proof size.

When being executed from XCM, this will be taken directly from the BuyExecution.
However, when coming from an Ethereum Transaction, we need a way to convert the gas limit into a proof size limit.

Currently, blocks are limited to 5Mb PoV (This limit applied to the compressed Pov, but for simplicity I’ll consider only the uncompressed Proof Size), so a simple solution is to use a ratio of Maximum amount of Proof Size (5M) by the Maximum amount of Gas (15M currently in Moonbeam) allowed for a block.

We could then apply this ratio to the gasLimit that is provided with the Ethereum Transaction to obtain a Proof Size limit to use with the gasometer.

Ex:
Transfer(Alith, Bob, 2 ETH), GasLimit: 21000: would allow 21000 * 5M / 15M => 7000 bytes of Proof Size.

xlc · March 30, 2023, 10:16pm

I think one of the next step is to check the PoV size usage of existing transactions and determine how much incompatibility the proposed limit will introduce. If for example, say it breaks 50% of the historical calls, then we will need to tweak the algorithm.

crystalin · March 31, 2023, 6:49am

Yes, I’ve looked at our transactions and contracts overall, and didn’t find cases that would be limited by this PoV limit, mostly because the EVM is not allowing large storages. This is also the reason we never experienced a block with over the limit proof size, most of EVM will use a lot more CPU than storage read.

rphmeier · April 1, 2023, 12:33am

Leaving this here: [2208.07919] Dynamic Pricing for Non-fungible Resources: Designing Multidimensional Blockchain Fee Markets

It’s a convex optimization approach to multidimensional gas metering for resources such as compute/PoV size.

lach · April 4, 2023, 12:14pm

What about instead of adding proof metering to SputnikVM, we instead make SputnikVM generic over gas type?

Context

Current evm gas meter looks rougly like this:

struct Gasometer {
  gas_limit: u64,
  used_gas: u64,
}

Solution proposed by @crystalin:

struct Gasometer {
  gas_limit: u64,
  used_gas: u64,
  // Added fields
  proof_limit: u64,
  used_proof: u64,
}

I propose going

struct Gasometer<Gas> {
  gas_limit: Gas,
  used_gas: Gas,
}

instead.

This way, we not only can make no substrate-specific changes in EVM implementation but also implement a metering system, which is more suitable for substrate-based chains, and also allow said generic gas implementation to support future Ethereum own multi-dimensional weight system, which was already proposed several times.

Problem

The problem with the current system is that we have one Gas2Weight mapping, which can’t be both correct and fair.
In Ethereum, write costs 20000 gas, and the read of cold storage is 2100 gas, ≈ 10 times difference.
But in substrate, write costs 100μs, and read costs 25μs in case of RocksDb, 4 times difference.
And 50μs/8μs in the case of ParityDb, 6 times difference.

Let’s estimate what substrate is capable of, based on RocksDb weights:

ReadsPerSecond = 1s / 25μs = 40000
WritesPerSecond = 1s / 100μs = 10000

If we base our Gas2Weight mapping on write prices (Which is bad, because changing non-zero storage value to non-zero is much cheaper than cold storage write)

GasPerSecond = WritesPerSecond * 20000Gas = 200MGas

We can perform

EthereumReadsPerSecond = GasPerSecond / 2100Gas ≈ 95000

And 95000 > ReadsPerSecond, so we’ve got a vulnerability. Not correct.

And if we base our Gas2Weight mapping on read prices

GasPerSecond = ReadsPerSecond * 2100 = 84MGas

We can perform

EthereumWritesPerSecond = GasPerSecond / 20000 Gas = 4200

And this is ok, as 4200 < WritesPerSecond… Until we account for warm storage (= specified in the EIP-1559 transaction), to which access is cheaper. Not fair.

In both cases, we have a considerable difference between consumed gas and ref_time, which should be consumed.

The situation is even worse in the case of

Optimized accesses, for which EVM provides subsided costs, i.e., this is not possible to optimize access_list from EIP-1559 (G_warmaccess, G_accesslistaddress, G_accessliststorage), thus in substrate access_list should not affect the weight calculation.
Changing a storage key from non-zero to non-zero (G_sreset) should not be cheaper too, as in substrate this will result in pov consumed for read and write, and this should not be cheaper than cold storage write
Bidirectional conversions: in the case of substrate user calling substrate, we have a conversion from gas to weight for price calculation, and in the case of precompile benchmarking, we have a conversion from weight to gas, in the end resulting in inadequate conversions with no means to track proof size reliably

Solution

With that said, I propose the following Gas implementation for the generic gas type proposed, which also allows measuring ref_time part of a 2-dimensional weight system and makes it possible to use benchmarking with precompiles correctly.

struct Gas {
  traditional_gas: u64,
  ref_time: u64,
  proof_size: u64,
}

traditional_gas - is a legacy gas value used for backward compatibility (until no solution is proposed on the Ethereum implementation side).
ref_time - consumed time, used to return correct weight in post_info.
proof_size - for post_info.

How it will work

Each instruction should have its benchmark, according to substrate specifics, and not based on Ethereum specs (Because they are written for Ethereum, not for substrate).

For compatibility with existing Ethereum RPCs, specified gas should also provide some ref_time/proof_size, I.e

let gas_limit = Gas {
  traditional_gas: tx.gas_limit,
  ref_time: tx.gas_limit * RefTimePerGas,
  proof_size: tx.gas_limit * ProofSizePerGas,
}

This way, existing contracts will work the same, subcall gas limit will only limit traditional_gas consumption; as there is currently no way to specify other limits provided by EVM spec, we will be able to limit contract proof_size consumption, and even more, it allows to return correct PostInfo, which may enable increasing Ethereum transaction throughput on substrate chains.

Links:

EIP-1559 access_list: EIP-1559: Fee market change for ETH 1.0 chain
Ethereum fee schedule: https://ethereum.github.io/yellowpaper/paper.pdf (Appendix G)

tgmichel · July 18, 2023, 8:38am

Sharing here the solution that was finally merged in the EVM + Frontier and currently live in Moonbeam networks:

github.com/paritytech/frontier

EVM + Weight v2 support

paritytech:master ← moonbeam-foundation:tgm-record-external-costs

opened 09:16AM - 13 Apr 23 UTC

tgmichel

+1682 -191

Depends on https://github.com/paritytech/frontier/pull/893 (cherry picking some …of the changes here to make it work) Drafting EVM changes in https://github.com/PureStake/evm/tree/tgm-record-external-cost (pinning this branch here temporarily to make the CI pass) ### The problem we are trying to solve Current parachain block validation design is resource restrictive, and one of this restrictions is proof size: the amount of parachain state data a relay validator needs to proof the state transition for a block is valid. The evm gasometer only records and has capacity for one metric - gas -, so we need the ability of recording additional metrics - in our case `proof_size` - so we can exit the evm when the proof size capacity limit has been reached for the _current_ block. ### What we should avoid Modifying the evm gasometer. The changes we are introducing are not part of the evm design - and will never be. There is plans in Ethereum to adapt the gasometer architecture to support witness data recording, so a solution for a similar problem will eventually be part of the standard specification. Changing the gasometer logic - or abstracting away the Gas for example - will only lead to complex foreign code in the evm that really gives nothing in return. In our case we have a Substrate-only problem, and the solution should happen completely (or almost) in Substrate. ### StackState external cost recorder This PR proposes adding two methods to the StackState trait: - `record_external_opcode_cost`: which is called from `pre_validate` in the executor (that is per each evm runtime step). - `record_external_cost`: meant to be called from precompiles, and more specifically, substrate-implemented precompiles, where there is the need of recording a foreign (not opcode based) Weight v2 cost. This method is behing a `with-substrate` feature gate. Every time the evm steps into an opcode, if it has a `proof_size` associated to it - reads or writes from storage - this proof size will be, if the storage is _cold_, cheaply calculated on the fly and recorded. The recorder will OutOfGas if the metric capacity is reached. **Note**: the reasons to not abstract away `record_external_cost` and use a feature flag are two: - The concept of _dispatching_ - and the need of an external cost - from precompiles is purely a substrate one. At least afaik. - Adding generics to the `PrecompileHandle` will cascade into changes across the evm, and thus goes against the main motivation of this proposal: keep changes outside the evm whenevr possible. ### Differences between Gas and External cost Gas is part of the evm design, and has its own _target_ capacity per subcall. This is not the case for external costs: they have one transaction-wide usage and capacity because, again, they are a foreign metric, not part of evm design. ### Ref time support https://forum.polkadot.network/t/frontier-support-for-evm-weight-v2/2470/5 does a great job describing why ref_time recording should also be supported. The solution proposed in this PR supports it (once we benchmark Opcodes in substrate) and also supports a preliminary version without it, where we still use gas to weight conversion and rely on the native gasometer. --- cc @sorpaas @librelois @nanocryk @crystalin

We introduced a set of new StackState trait methods that are called before executing an opcode. StackState is implemented in the Substrate backend, where we define some constant costs associated to virtually any amount of metrics we want the EVM transaction to be bounded to - in the case of WeightV2 support, a metric would be pov_size, but we plan to also have pure support for ref_time instead doing a loose conversion between GasLimit and ref_time.

This has the benefit of being almost completely managed at Substrate level - with the exception of some EVM helpers -, leaving the original Gasometer design untouched.

The main idea is to OutOfGas an EVM transaction when any of the metric pools are exhausted, please refer to the original PR for details.

Topic		Replies	Views
Boundaries of smart contract platforms	0	354	March 20, 2023
eBPF contracts hackathon Tech Talk wasm , smart-contracts	12	2666	June 8, 2023
zkCasper: A SNARK based protocol for verifying Casper FFG Consensus Tech Talk	0	379	May 11, 2023
Post-quantum signatures Tech Talk kusama	0	398	July 19, 2023
Trustless wasm compilation with SNARKS? Tech Talk wasm , smart-contracts	10	1354	February 19, 2024