contracts: switch to wasmi gas metering (paritytech#14084)

* upgrade to wasmi 0.29

* prepare cleanup

* sync ref_time w engine from the stack frame

* proc_macro: sync gas in host funcs

save: compiles, only gas pushing left to macro

WIP proc macro

proc macro: done

* clean benchmarks & schedule: w_base = w_i64const

* scale gas values btw engine and gas meter

* (re)instrumentation & code_cache removed

* remove gas() host fn, continue clean-up

save

* address review comments

* move from CodeStorage&PrefabWasmModule to PristineCode&WasmBlob

* refactor: no reftime_limit&schedule passes, no CodeStorage

* bugs fixing

* fix tests: expected deposit amount

* fix prepare::tests

* update tests and fix bugs

tests::run_out_of_gas_engine, need 2 more

save: 2 bugs with gas syncs: 1 of 2 tests done

gas_syncs_no_overcharge bug fixed, test passes!

cleaned out debug prints

second bug is not a bug

disabled_chain_extension test fix (err msg)

tests run_out_of_fuel_host, chain_extension pass

all tests pass

* update docs

* bump wasmi 0.30.0

* benchmarks updated, tests pass

* refactoring

* s/OwnerInfo/CodeInfo/g;

* migration: draft, compiles

* migration: draft, runs

* migration: draft, runs (fixing)

* deposits repaid non pro rata

* deposits repaid pro rata

* better try-runtime output

* even better try-runtime output

* benchmark migration

* fix merge leftover

* add forgotten fixtures, fix docs

* address review comments

* ci fixes

* cleanup

* benchmarks::prepare to return DispatchError

* ".git/.scripts/commands/bench/bench.sh" pallet dev pallet_contracts

* store memory limits to CodeInfo

* ci: roll back weights

* ".git/.scripts/commands/bench-vm/bench-vm.sh" pallet dev pallet_contracts

* drive-by: update Readme and pallet rustdoc

* ".git/.scripts/commands/bench/bench.sh" pallet dev pallet_contracts

* ".git/.scripts/commands/bench/bench.sh" pallet dev pallet_contracts

* use wasmi 0.29

* ".git/.scripts/commands/bench/bench.sh" pallet dev pallet_contracts

* use wasmi 0.30 again

* query memory limits from wasmi

* better migration types

* ci: pull weights from master

* refactoring

* ".git/.scripts/commands/bench-vm/bench-vm.sh" pallet dev pallet_contracts

* addressing review comments

* refactor

* address review comments

* optimize migration

* ".git/.scripts/commands/bench/bench.sh" pallet dev pallet_contracts

* another review round comments addressed

* ci fix one

* clippy fix

* ci fix two

---------

Co-authored-by: command-bot <>

frame/contracts/Cargo.toml

@@ -26,7 +26,7 @@ serde = { version = "1", optional = true, features = ["derive"] }
 smallvec = { version = "1", default-features = false, features = [
 	"const_generics",
 ] }
-wasmi = { version = "0.28", default-features = false }
+wasmi = { version = "0.30", default-features = false }
 wasmparser = { package = "wasmparser-nostd", version = "0.100", default-features = false }
 impl-trait-for-tuples = "0.2"
 

frame/contracts/README.md

@@ -13,8 +13,8 @@ This module extends accounts based on the `Currency` trait to have smart-contrac
 be used with other modules that implement accounts based on `Currency`. These "smart-contract accounts"
 have the ability to instantiate smart-contracts and make calls to other contract and non-contract accounts.
 
-The smart-contract code is stored once in a `code_cache`, and later retrievable via its `code_hash`.
-This means that multiple smart-contracts can be instantiated from the same `code_cache`, without replicating
+The smart-contract code is stored once, and later retrievable via its `code_hash`.
+This means that multiple smart-contracts can be instantiated from the same `code`, without replicating
 the code each time.
 
 When a smart-contract is called, its associated code is retrieved via the code hash and gets executed.
@@ -24,48 +24,44 @@ or call other smart-contracts.
 Finally, when an account is reaped, its associated code and storage of the smart-contract account
 will also be deleted.
 
-### Gas
+### Weight
 
-Senders must specify a gas limit with every call, as all instructions invoked by the smart-contract require gas.
-Unused gas is refunded after the call, regardless of the execution outcome.
+Senders must specify a [`Weight`](https://paritytech.github.io/substrate/master/sp_weights/struct.Weight.html) limit with every call, as all instructions invoked by the smart-contract require weight.
+Unused weight is refunded after the call, regardless of the execution outcome.
 
-If the gas limit is reached, then all calls and state changes (including balance transfers) are only
-reverted at the current call's contract level. For example, if contract A calls B and B runs out of gas mid-call,
+If the weight limit is reached, then all calls and state changes (including balance transfers) are only
+reverted at the current call's contract level. For example, if contract A calls B and B runs out of weight mid-call,
 then all of B's calls are reverted. Assuming correct error handling by contract A, A's other calls and state
 changes still persist.
 
-One gas is equivalent to one [weight](https://docs.substrate.io/v3/runtime/weights-and-fees)
-which is defined as one picosecond of execution time on the runtime's reference machine.
+One `ref_time` `Weight` is defined as one picosecond of execution time on the runtime's reference machine.
 
 ### Revert Behaviour
 
 Contract call failures are not cascading. When failures occur in a sub-call, they do not "bubble up",
 and the call will only revert at the specific contract level. For example, if contract A calls contract B, and B
 fails, A can decide how to handle that failure, either proceeding or reverting A's changes.
 
-### Offchain Execution
+### Off-chain Execution
 
 In general, a contract execution needs to be deterministic so that all nodes come to the same
 conclusion when executing it. To that end we disallow any instructions that could cause
 indeterminism. Most notable are any floating point arithmetic. That said, sometimes contracts
 are executed off-chain and hence are not subject to consensus. If code is only executed by a
 single node and implicitly trusted by other actors is such a case. Trusted execution environments
-come to mind. To that end we allow the execution of indeterminstic code for offchain usages
+come to mind. To that end we allow the execution of indeterminstic code for off-chain usages
 with the following constraints:
 
 1. No contract can ever be instantiated from an indeterministic code. The only way to execute
 the code is to use a delegate call from a deterministic contract.
-2. The code that wants to use this feature needs to depend on `pallet-contracts` and use `bare_call`
+2. The code that wants to use this feature needs to depend on `pallet-contracts` and use [`bare_call()`](https://paritytech.github.io/substrate/master/pallet_contracts/pallet/struct.Pallet.html#method.bare_call)
 directly. This makes sure that by default `pallet-contracts` does not expose any indeterminism.
 
-## How to use
-
-When setting up the `Schedule` for your runtime make sure to set `InstructionWeights::fallback`
-to a non zero value. The default is `0` and prevents the upload of any non deterministic code.
+#### How to use
 
 An indeterministic code can be deployed on-chain by passing `Determinism::Relaxed`
-to `upload_code`. A deterministic contract can then delegate call into it if and only if it
-is ran by using `bare_call` and passing `Determinism::Relaxed` to it. **Never use
+to [`upload_code()`](https://paritytech.github.io/substrate/master/pallet_contracts/pallet/struct.Pallet.html#method.upload_code). A deterministic contract can then delegate call into it if and only if it
+is ran by using [`bare_call()`](https://paritytech.github.io/substrate/master/pallet_contracts/pallet/struct.Pallet.html#method.bare_call) and passing [`Determinism::Relaxed`](https://paritytech.github.io/substrate/master/pallet_contracts/enum.Determinism.html#variant.Relaxed) to it. **Never use
 this argument when the contract is called from an on-chain transaction.**
 
 ## Interface
@@ -99,24 +95,22 @@ Each contract is one WebAssembly module that looks like this:
 ```
 
 The documentation of all importable functions can be found
-[here](https://github.com/paritytech/substrate/blob/master/frame/contracts/src/wasm/runtime.rs).
-Look for the `define_env!` macro invocation.
+[here](https://paritytech.github.io/substrate/master/pallet_contracts/api_doc/trait.Current.html).
 
 ## Usage
 
 This module executes WebAssembly smart contracts. These can potentially be written in any language
-that compiles to web assembly. However, using a language that specifically targets this module
-will make things a lot easier. One such language is [`ink!`](https://use.ink)
-which is an [`eDSL`](https://wiki.haskell.org/Embedded_domain_specific_language) that enables
-writing WebAssembly based smart contracts in the Rust programming language.
+that compiles to Wasm. However, using a language that specifically targets this module
+will make things a lot easier. One such language is [`ink!`](https://use.ink). It enables
+writing WebAssembly-based smart-contracts in the Rust programming language.
 
 ## Debugging
 
-Contracts can emit messages to the client when called as RPC through the `seal_debug_message`
+Contracts can emit messages to the client when called as RPC through the [`debug_message`](https://paritytech.github.io/substrate/master/pallet_contracts/api_doc/trait.Current.html#tymethod.debug_message)
 API. This is exposed in [ink!](https://use.ink) via
 [`ink_env::debug_message()`](https://paritytech.github.io/ink/ink_env/fn.debug_message.html).
 
-Those messages are gathered into an internal buffer and send to the RPC client.
+Those messages are gathered into an internal buffer and sent to the RPC client.
 It is up the the individual client if and how those messages are presented to the user.
 
 This buffer is also printed as a debug message. In order to see these messages on the node
@@ -154,11 +148,11 @@ this pallet contains the concept of an unstable interface. Akin to the rust nigh
 it allows us to add new interfaces but mark them as unstable so that contract languages can
 experiment with them and give feedback before we stabilize those.
 
-In order to access interfaces marked as `#[unstable]` in `runtime.rs` one need to set
-`pallet_contracts::Config::UnsafeUnstableInterface` to `ConstU32<true>`. It should be obvious
+In order to access interfaces marked as `#[unstable]` in [`runtime.rs`](src/wasm/runtime.rs) one need to set
+`pallet_contracts::Config::UnsafeUnstableInterface` to `ConstU32<true>`. **It should be obvious
 that any production runtime should never be compiled with this feature: In addition to be
 subject to change or removal those interfaces might not have proper weights associated with
-them and are therefore considered unsafe.
+them and are therefore considered unsafe**.
 
 New interfaces are generally added as unstable and might go through several iterations
 before they are promoted to a stable interface.

frame/contracts/fixtures/seal_input_noop.wat

@@ -0,0 +1,14 @@
+;; Everything prepared for the host function call, but no call is performed.
+(module
+	(import "seal0" "seal_input" (func $seal_input (param i32 i32)))
+	(import "env" "memory" (memory 1 1))
+
+	;; [0, 8) buffer to write input
+
+	;; [8, 12) size of the input buffer
+	(data (i32.const 8) "\04")
+
+	(func (export "call"))
+
+	(func (export "deploy"))
+)

frame/contracts/fixtures/seal_input_once.wat

@@ -0,0 +1,22 @@
+;; Stores a value of the passed size. The host function is called once.
+(module
+	(import "seal0" "seal_input" (func $seal_input (param i32 i32)))
+	(import "env" "memory" (memory 1 1))
+
+	;; [0, 8) buffer to write input
+
+	;; [8, 12) size of the input buffer
+	(data (i32.const 8) "\04")
+
+	(func (export "call")
+		;; instructions to consume engine fuel
+		(drop
+			(i32.const 42)
+		 )
+
+ 	    (call $seal_input (i32.const 0) (i32.const 8))
+
+	 )
+
+	(func (export "deploy"))
+)

frame/contracts/fixtures/seal_input_twice.wat

@@ -0,0 +1,28 @@
+;; Stores a value of the passed size. The host function is called twice.
+(module
+	(import "seal0" "seal_input" (func $seal_input (param i32 i32)))
+	(import "env" "memory" (memory 1 1))
+
+	;; [0, 8) buffer to write input
+
+	;; [8, 12) size of the input buffer
+	(data (i32.const 8) "\04")
+
+	(func (export "call")
+		;; instructions to consume engine fuel
+		(drop
+			(i32.const 42)
+		 )
+
+ 	    (call $seal_input (i32.const 0) (i32.const 8))
+
+		;; instructions to consume engine fuel
+		(drop
+			(i32.const 42)
+		 )
+
+ 	    (call $seal_input (i32.const 0) (i32.const 8))
+	)
+
+	(func (export "deploy"))
+)

frame/contracts/proc-macro/src/lib.rs

@@ -624,19 +624,15 @@ fn expand_functions(def: &EnvDef, expand_blocks: bool, host_state: TokenStream2)
 			let trace_fmt_str = format!("{}::{}({}) = {{:?}}\n", module, name, params_fmt_str);
 
 			quote! {
+				let result = #body;
 				if ::log::log_enabled!(target: "runtime::contracts::strace", ::log::Level::Trace) {
-					let result = #body;
-					{
 						use sp_std::fmt::Write;
 						let mut w = sp_std::Writer::default();
 						let _ = core::write!(&mut w, #trace_fmt_str, #( #trace_fmt_args, )* result);
 						let msg = core::str::from_utf8(&w.inner()).unwrap_or_default();
 						ctx.ext().append_debug_buffer(msg);
-					}
-					result
-				} else {
-					#body
 				}
+				result
 			}
 		};
 
@@ -661,7 +657,7 @@ fn expand_functions(def: &EnvDef, expand_blocks: bool, host_state: TokenStream2)
 				::core::unreachable!()
 			} }
 		};
-		let map_err = if expand_blocks {
+		let into_host = if expand_blocks {
 			quote! {
 				|reason| {
 					::wasmi::core::Trap::from(reason)
@@ -677,6 +673,43 @@ fn expand_functions(def: &EnvDef, expand_blocks: bool, host_state: TokenStream2)
 		} else {
 			quote! { #[allow(unused_variables)] }
 		};
+		let sync_gas_before = if expand_blocks {
+			quote! {
+				// Gas left in the gas meter right before switching to engine execution.
+				let __gas_before__ = {
+					let engine_consumed_total =
+						__caller__.fuel_consumed().expect("Fuel metering is enabled; qed");
+					let gas_meter = __caller__.data_mut().ext().gas_meter_mut();
+					gas_meter
+						.charge_fuel(engine_consumed_total)
+						.map_err(TrapReason::from)
+						.map_err(#into_host)?
+						.ref_time()
+				};
+			}
+		} else {
+			quote! { }
+		};
+		// Gas left in the gas meter right after returning from engine execution.
+		let sync_gas_after = if expand_blocks {
+			quote! {
+				let mut gas_after = __caller__.data_mut().ext().gas_meter().gas_left().ref_time();
+				let mut host_consumed = __gas_before__.saturating_sub(gas_after);
+				// Possible undercharge of at max 1 fuel here, if host consumed less than `instruction_weights.base`
+				// Not a problem though, as soon as host accounts its spent gas properly.
+				let fuel_consumed = host_consumed
+					.checked_div(__caller__.data_mut().ext().schedule().instruction_weights.base as u64)
+					.ok_or(Error::<E::T>::InvalidSchedule)
+					.map_err(TrapReason::from)
+					.map_err(#into_host)?;
+				 __caller__
+					 .consume_fuel(fuel_consumed)
+					 .map_err(|_| TrapReason::from(Error::<E::T>::OutOfGas))
+					 .map_err(#into_host)?;
+			}
+		} else {
+			quote! { }
+		};
 
 		quote! {
 			// We need to allow all interfaces when runtime benchmarks are performed because
@@ -688,10 +721,11 @@ fn expand_functions(def: &EnvDef, expand_blocks: bool, host_state: TokenStream2)
 			{
 				#allow_unused
 				linker.define(#module, #name, ::wasmi::Func::wrap(&mut*store, |mut __caller__: ::wasmi::Caller<#host_state>, #( #params, )*| -> #wasm_output {
+ 					#sync_gas_before
 					let mut func = #inner;
-					func()
-						.map_err(#map_err)
-						.map(::core::convert::Into::into)
+					let result = func().map_err(#into_host).map(::core::convert::Into::into);
+					#sync_gas_after
+					result
 				}))?;
 			}
 		}