Asset backed offers

[jonjove]

Implements cap-0003, which has been discussed in stellar/stellar-protocol#36. Note that this is a preliminary implementation and does not yet contain all necessary tests, so it should not be merged.

[MonsieurNicolas]

I think you should split this commit:

• one for adding ledger version support when loading ledger entries
• the other for adding liabilities support to account (including SQL schema upgrade)

[jonjove]

The version support no longer exists after these fixes.

[MonsieurNicolas]

I think this is logically wrong: mLedgerManager.getCurrentLedgerVersion() has nothing to do with the buckets being applied ; in fact this is only set after buckets are applied (look for ProgressState::APPLIED_BUCKETS)

[jonjove]

Removed version-based loading.

[MonsieurNicolas]

similar to catchup: currentLedgerVersion doesn't seem to be a version that has any good meaning

[jonjove]

Removed version-based loading.

[MonsieurNicolas]

I think that we should just be doing this:

    assert(buyingLiabilitiesInd == sellingLiabilitiesInd);
    if (buyingLiabilitiesInd == soci::i_ok)
    {
        account.ext.v(1);
        account.ext.v1().liabilities = liabilities;
    }

the check as you wrote it doesn't actually enforce anything useful.
The liabilities being set transparently to 0 like this is just error prone as we throw away the information (by calling account.ext.v(1)).
The conversion from no liabilities -> with liabilities should be done 100% in the upgrade code - modifying entries on load is strange as, in theory, we're supposed to enforce that entries get written back if we do it like this (or risk having SQL and buckets get out of sync).

[MonsieurNicolas]

I think this also gets rid of the need to pass around the version number (previous commit)

[jonjove]

Agreed, modifying on load is strange. Liabilities are now only enabled via addBuyingLiabilities and addSellingLiabilities.

[MonsieurNicolas]

instead of using ledgerVersion, you can simply use account.ext.v() == 1

[jonjove]

This is incorrect with the new changes that liabilities should be managed only by AccountFrame and TrustFrame functions get*Liabilities and add*Liabilities. In tests, accounts and trust lines created during the set-up phase (which occurs in the current protocol version) may have liabilities. These would then be incorrectly checked here regardless of the version if this change was made.

[MonsieurNicolas]

same here, better to use trust.ext.v()

[jonjove]

Same response as above.

[MonsieurNicolas]

new/deleted files -> need to update visual studio project file

[jonjove]

Done.

[MonsieurNicolas]

forgot to update the example config (documentation for invariants)

[jonjove]

Done.

[vogel]

To think about: is it better to pass just the objects that we need or just give up and pass whole Application everywhere (as it seems that over time more and more objects are required in multiple places)?

[jonjove]

In general, I think it is better to pass just the objects that are needed. However, the Invariant subsystem was designed so that all invariants appear the same externally (registering and enabling every invariant should look exactly the same). That is why we pass Application into the Invariant-level registerInvariant which then forwards only the relevant subsystems to the InvariantManager-level registerInvariant.

[vogel]

Note: false here is cryptic, should be replaced with enum when that makes sense.

[jonjove]

I agree that this is cryptic and should be fixed, but I think it is outside the scope of this PR as it doesn't really have anything specific to do with cap-0003.

[vogel]

I'm not sure that is valid. getBalanceAboveReserve already uses current value of getSellingLiabilities.

Lets assume current sellingliabilities = 20, balance = 60, minbalance = 20.
If we want to increase sellingliabilities by 20 to 40 (which should be possible), we call this method.

getBalanceAboveReserve then returns balance - minbalance - sellingliabiliies, which is 20. This is passes as maxBalance to the addBalance method, so we are not able to increase sellingliabilities.

[jonjove]

Excellent catch, fixed.

[vogel]

or even better - extract this part to method called deletAllLinkedOffers

[vogel]

this part looks very similar to change in account

is there any chance of some function extraction and code de-duplication here or is that not possible?

[jonjove]

This segment has been refactored into a pair of functions releaseLiabilities and acquireLiabilities which facilitate liability management and is used in a few places such as ManageOfferOpFrame, AllowTrustOpFrame, and OfferExchange.

[vogel]

this makes no sense here, should be moved line up

[jonjove]

Good catch. Previous line is actually deleted after these fixes, so done.

[vogel]

we are probably executing make_unique too many times here, but as it is code that will be executed only once, it should no affect performance

[jonjove]

I agree that it is used many times, but I think trying to use it less might make determining the correctness much more difficult.

[vogel]

could probable be split into two commits - one for storeUpgradeHistory and friends, other for prepareLiabilities

[jonjove]

Good idea, done.

[vogel]

I'm not sure if I understand this method correctly, please let me know if this is correct:

For each account, remove all offers that are using assets, for which the liabilities are too big. So it does not keep any offers from that set, even if keeping only some of them would make all the liabilities proper?

[jonjove]

You do understand this correctly, and I have added a comment to clarify. It works like this for two reasons:

1. I don't think there is any natural method to determine which offers should remain from a given asset
2. This method is independent of the order in which the offers are processed across assets

[vogel]

seems not to be used

[jonjove]

Correct, it was a remnant of an earlier test. Fixed.

[vogel]

probably invalid comment

[jonjove]

Fixed.

[vogel]

invalid comment

[jonjove]

Fixed.

[MonsieurNicolas]

no need to fix this but I think that explicit captures is only useful when doing multi-threaded/async calls.

[MonsieurNicolas]

sad, thanks for catching this

[MonsieurNicolas]

needs to be removed

[jonjove]

This was commented out as I was updating this to use getBalanceAboveReserve. Fixed.

[MonsieurNicolas]

wrong link

[jonjove]

Fixed.

[MonsieurNicolas]

this is not what this test is trying to test:
test ensures that we compute reserve as if creating the offer.
I think that, with liabilities, there should be both a check that verifies that creating an offer with exactly actualPayment works, but trying to sell more (by 1 stroop) fails.

[jonjove]

Done.

[MonsieurNicolas]

same thing here: the way the setup is done is now impossible, probably clearer to not test this anymore like that and instead rely on changeTrust tests

[jonjove]

Agreed.

[MonsieurNicolas]

it's a bit confusing to have an expected state different as it's a failure case

[jonjove]

Agreed, fixed.

[MonsieurNicolas]

I think we should change the amounts to be the ones around the edge case:
so use "10" instead of "9", and use "11" instead of "111"

[jonjove]

Done.

[MonsieurNicolas]

should those edge cases be tested differently?

[jonjove]

These edge cases aren't possible anymore, since it is not possible to have an offer with excess liabilities. Let's not test them starting in version 10.

[marta-lokhova]

would be better to use createTestApplication instead (same for line 1011).

[jonjove]

Good idea. All uses of Application::create in this file changed to createTestApplication.

[marta-lokhova]

You're comparing to version 10 is many places, any reason not to have it as a constant?

[jonjove]

We haven't followed this convention with other version numbers, and I'm not sure it would add much clarity. For example, do you think assert(lm.getCurrentLedgerVersion() >= PROTOCOL_VERSION_10); would be considerably more clear?

[marta-lokhova]

The reasons I suggested it:

1. You can easily change it. Previously you had 11, so instead of changing it to 10 in every place, you could just change one variable.
2. you could name it something like PROTOCOL_VERSION_WITH_LIABILITIES and it would be way less vague than just 10

[MonsieurNicolas]

let's not do that in this PR: v10 is broader than liabilities.

[vogel]

It could even to as far as if (lm.supportsLiabilities()) { ... }

[MonsieurNicolas]

yeah like I said, not for this PR; and this would make the code even more complicated to understand as features depend on each other on a per protocol basis.

[MonsieurNicolas]

nice, I was thinking that we need to cover this in general

[MonsieurNicolas]

txfee: this is redefining/shadowing line 43 (can be removed)

[MonsieurNicolas]

i+1 is of type size_t - yet storeUpgradeHistory takes an int, so this triggers a warning

[MonsieurNicolas]

I think you mean previousHeader here as to only rollbck whatever upgrade did?

[vogel]

Looks like versions of those for AccountEntry and TrustLineEntry could be merged as a template.

[vogel]

missing clang-format?

[jonjove]

This PR is only partially rebased right now, so no clang-format on the newest commits yet.

[vogel]

I do not see need for such asserts here. If we wish to ensure that loadAccount does what it says it does we could either:

• test it with some unit tests
• make that assert a postcondition on loadAccount inside that function

[jonjove]

This assert was actually put here to guarantee that if the parameter account != nullptr then that account matches the account that owns this offer. I agree that it does not need to test the case for AccountFrame::loadAccount. But given that I already wanted to test this condition for one case, I did not see a big disadvantage in checking all cases.

[vogel]

Right, I have missed that case.

[vogel]

This throw was added here as it was impossible for above condition even to get true.

But is it impossible now? Imagine an issuer that creates asset that requires authorization. It sends INT64_MAX of that asset to one account that has enough XLM to be a winner in inflation. Then that account can make an offer to sell this asset 1:1 for XLM, making its buying liabilities so big, that its addBalance returns 0. Then at the next inflation round all nodes will drop this transaction with txINTERNAL_ERROR, making inflation operations no-op for as long as they want.

I think we need another solution for handling that case now.

[MonsieurNicolas]

Good catch @vogel : I think you are correct, toDoleThisWinner should be capped by the amount that the account can receive instead of just being bigDivide(amountToDole, w.mVotes, totalVotes, ROUND_DOWN).

[jonjove]

Good catch indeed. Fixed as described above.

[vogel]

I think we could change getBalanceAboveReserver name to getAvailableBalance for symmetry?

[jonjove]

Good idea, done.

[vogel]

Looks like it is possible to execute prepareLiabilities twice during closing one ledger. Maybe applyUpgrade could return bool/enum/set to show that prepareLiabilities needs to be performed, then it would be only called once in closeLedger?

[MonsieurNicolas]

no, this implementation is better as it associates upgrade side effects to the appropriate upgrade.

[vogel]

I think that addOffer API allows you to leave last parameter if it will be the same as second one, as it defaults to OfferState::SAME

[jonjove]

Good point, fixed on many lines.

[vogel]

I think that edge case here is that if you added +1 to that balance, it would pass even for version 1. Maybe it is worth adding such test case for contrast?

[bartekn]

Shouldn't this function also remove offers from accounts with trustline.isAuthorized() == false? AllowTrust operation removes them when revoking trust so it seems that leaving them out is an invalid state.

[jonjove]

prepareLiabilities does remove offers that are not authorized, as demonstrated in https://github.com/stellar/stellar-core/pull/1718/files#diff-64c71f9133aa77f79d1d123bc6a59cf0R1086. The implementation uses the following logic:

1. On lines 426-434, getAvailableBalance returns 0 if not authorized.
2. On lines 453-461, getAvailableLimit returns 0 if not authorized.
3. On line 542, erase == true if offerFrame.getSellingLiabilities() == 0 || offerFrame.getBuyingLiabilities() == 0.
4. On lines 544-550, these checks can only be reached if erase == false after line 542. If so, we check that the liabilities do not exceed the relevant cap (either available balance or available limit, depending on whether it is a buying asset or a selling asset for the offer). If either the buying or selling asset is not authorized, then the cap will be 0. But because erase == false, the liabilities cannot be 0 so we end up with erase == true.

[bartekn]

This function errors when there are orphaned offers:

Exception during upgrade: trustline does not exist

Repro:

1. Run standalone testnet (testnet passphrase).
2. Submit:

AAAAAGL8HQvQkbK2HA3WVjRrKmjX00fG8sLI7m0ERwJW/AX3AAABkAAAAAAAAAABAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAADJNEgW9b6gnIKGtYeSq1SiCyMJLujoFBoDtnljGf65oAAAAXSHboAAAAAAEAAAAADJNEgW9b6gnIKGtYeSq1SiCyMJLujoFBoDtnljGf65oAAAAGAAAAAVVTRAAAAAAAYvwdC9CRsrYcDdZWNGsqaNfTR8bywsjubQRHAlb8BfcAAAAAO5rKAAAAAAEAAAAADJNEgW9b6gnIKGtYeSq1SiCyMJLujoFBoDtnljGf65oAAAADAAAAAAAAAAFVU0QAAAAAAGL8HQvQkbK2HA3WVjRrKmjX00fG8sLI7m0ERwJW/AX3AAAAAACYloAAAAABAAAAAQAAAAAAAAAAAAAAAQAAAAAMk0SBb1vqCcgoa1h5KrVKILIwku6OgUGgO2eWMZ/rmgAAAAYAAAABVVNEAAAAAABi/B0L0JGythwN1lY0aypo19NHxvLCyO5tBEcCVvwF9wAAAAAAAAAAAAAAAAAAAAJW/AX3AAAAQK6ngzT5yLjXBKPibogU0NBm9M+W+ROt2JcPiIe1mf9eGNGaWhj0DYyG3GkTzrN4Tzg+LpXhiEO4cu6gylK6bQkxn+uaAAAAQAADEbTeCGHZ3RQVmUOX2pM8J+lFr5cq1PjOQZtoxSy1jYTnrvoRHoc7z9eSj9tv8aU/9ufEYBUYawc/l6hLMAI=

3. Upgrade to V10.

[jonjove]

This was fixed in d8f0241.

[MonsieurNicolas]

minor nit (that you may decide to ignore). also, you need to rebase and reorder commits in commit order. If you decide to keep some of the commits as is (with fixes from previous commits), try to include the updated test cases with the commit (or have the next commit deal with the test cases).

[MonsieurNicolas]

while this is correct, I find the implicit conversion from true to 1 quite obscure when used like this.

[vogel]

why is currentLedgerVersion checked here?

[jonjove]

Good question, I see now that it doesn't need to be checked. Fixed.

[vogel]

LGTM, I'll merge when acceptance tests are working

[vogel]

r+ 3c9dfc0

[vogel]

@latobarita: retry

[vogel]

@latobarita: retry