Add a transaction context function to get the raw transaction hash

[junkil-park]

Description

This commit adds a transaction context function to get the raw transaction hash.

This resolves #14774.

Type of Change

• New feature
• Bug fix
• Breaking change
• Performance improvement
• Refactoring
• Dependency update
• Documentation update
• Tests

Which Components or Systems Does This Change Impact?

• Validator Node
• Full Node (API, Indexer, etc.)
• Move/Aptos Virtual Machine
• Aptos Framework
• Aptos CLI/SDK
• Developer Infrastructure
• Other (specify)

How Has This Been Tested?

unit test and e2e test

Key Areas to Review

Checklist

• I have read and followed the CONTRIBUTING doc
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I identified and added all stakeholders and component owners affected by this change as reviewers
• I tested both happy and unhappy path of the functionality
• I have made corresponding changes to the documentation

[trunk-io]

⏱️ 9m total CI duration on this PR

Job	Cumulative Duration	Recent Runs
rust-move-tests	9m	🟩

_{settings ⋅ feedback ⋅ docs ⋅ learn more about trunk.io}

[codecov]

Codecov Report

Attention: Patch coverage is 19.35484% with 50 lines in your changes missing coverage. Please review.

Project coverage is 60.0%. Comparing base (cbb422d) to head (4f7ef2b).

Files with missing lines	Patch %	Lines
aptos-move/aptos-vm/src/transaction_metadata.rs	0.0%	25 Missing ⚠️
...-move/framework/src/natives/transaction_context.rs	42.8%	16 Missing ⚠️
types/src/transaction/user_transaction_context.rs	0.0%	5 Missing ⚠️
aptos-move/aptos-vm/src/move_vm_ext/session/mod.rs	0.0%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##             main   #13659     +/-   ##
=========================================
- Coverage    60.1%    60.0%   -0.1%     
=========================================
  Files         856      856             
  Lines      210640   210692     +52     
=========================================
- Hits       126615   126578     -37     
- Misses      84025    84114     +89     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[movekevin]

Can we add documentation to explain the difference between this one and the other ones. May be say the other ones shouldn't be used?

[github-actions]

This issue is stale because it has been open 45 days with no activity. Remove the stale label, comment or push a commit - otherwise this will be closed in 15 days.

[github-actions]

This issue is stale because it has been open 45 days with no activity. Remove the stale label, comment or push a commit - otherwise this will be closed in 15 days.

[lightmark]

any updates?

[junkil-park]

any updates?

I will add tests and more documentation this week.

[lightmark]

Let's ship it

[lightmark]

Let's make this ZERO instead...
We don't want to have two possible valid hash here.
cc @davidiw

[junkil-park]

We could make the function return a vector of hash values to return both: [hash_for_0x0_fee_payer, hash_for_actual_fee_payer].

[lightmark]

what if it is not a fee payer txn? which two hashes would you return?
Also, I think users will be super confused.

[junkil-park]

what if it is not a fee payer txn? which two hashes would you return?
Also, I think users will be super confused.

If it's not a fee-payer transaction, we could return a singleton vector with the hash of the raw transaction [hash_value].

[lightmark]

So it can be either 1 or 2?
Don't you think it is too confusing?

[junkil-park]

So it can be either 1 or 2?

Yes, 2 return values for fee-payer transactions and 1 return value for other types of transactions.

Don't you think it is too confusing?

I think the more important question is whether it's necessary. The current authentication process utilizes both hash values with the actual fee payer and without it. Would there be any scenario where an AA user needs both hash values?

[lightmark]

Each txn must be either case but not both. Do you have any data on this, like how many people are using the each signing pre-image? We will note in the function that the hash is only for all zero if necessary.

I don't think there is a case that they need both. Do you have a use case in mind?

[junkil-park]

The fee payer must sign the transaction with their own address included. The primary and secondary signers have two options: (1) Signing the transaction with the fee payer's address included, or (2) Signing the transaction with 0x0 as the fee payer address. I believe that option (2) is commonly used when the specific fee-payer account is determined later in the process. However, I don't have specific data to confirm this. Perhaps @davidiw, @gregnazario, or @movekevin may have more context on this.

[gregnazario]

The second path is important.

The sender initially signs with 0x0, and then the fee payer signs with their address in that slot.

There are then 2 hashes, it would be the fee payer's responsibility to tell the user what the new hash is.

This is important to allow decoupling of knowing who the second signer is, because you don't really care as long as they pay

Though, this definitely points out a use case for a wait on sequence number function

[junkil-park]

@lightmark, per request, I've updated the function to generate the hash value using 0x0 as the fee-payer address. If we need to generate hash values based on actual fee-payer addresses, we will need to introduce a separate API, as you suggested.

[igor-aptos]

what will this be for non-user transactions? will it abort or returning something?
is there any uniqueness guarantees?

(irrespectively, function should be raw_txn_hash() -> get_raw_txn_hash() to follow the naming of other functions)

[junkil-park]

what will this be for non-user transactions? will it abort or returning something?

It will abort when it's a non-user transaction and a user transaction context is unavailable.

aptos-core/aptos-move/framework/aptos-framework/sources/transaction_context.move

Line 273 in 71ec744

// expected to fail with the error code of `invalid_state(E_TRANSACTION_CONTEXT_NOT_AVAILABLE)`

is there any uniqueness guarantees?

The returned hash values should differ if the raw transactions are different. However, it will remain the same across sessions (prologue, execution, and epilogue). In that sense, it's different from the get_transaction_hash function.

(irrespectively, function should be raw_txn_hash() -> get_raw_txn_hash() to follow the naming of other functions)

The convention seems to avoid using the get_ prefix, except for get_transaction_hash and get_script_hash.
https://github.com/aptos-labs/aptos-core/blob/main/aptos-move/framework/aptos-framework/sources/transaction_context.move#L71-L183

[lightmark]

what's the hash from get_transaction_hash?

[junkil-park]

It's the hash of the SessionId, which is an internal data structure within the Aptos VM.

[lightmark]

could we add a feature flag and reuse this function?

[igor-aptos]

get_transaction_hash is used extensively with the assumption it is a globally unique identifier to the session (across all transaction types)

new one isn't

so it will break anything that depends on it.

Naming here is very poor. Maybe we should deprecate this one (with #[deprecated]), and add two new functions with clearer names, then compiler will warn people - and we can update in framework accordingly.

we can name them transaction_hash and unique_session_hash

[junkil-park]

Naming here is very poor. Maybe we should deprecate this one (with #[deprecated]), and add two new functions with clearer names, then compiler will warn people - and we can update in framework accordingly.

I've refactored the code by introducingunique_session_hash and marking the original get_transaction_hash function with the #[deprecated] attribute. Even though the behavior of the original function remains unchanged, do we still need to feature-gate its deprecation?

[junkil-park]

we can name them transaction_hash and unique_session_hash

How about raw_transaction_hash? It's a bit more descriptive and less likely to cause confusion with other types of transaction hashes in the future.

[igor-aptos]

either you need a feature flag, or more simply - you can separate all usages of unique_session_hash() into separate PR that lands one release after that native function is introduced.

[junkil-park]

@igor-aptos , since get_transaction_hash is still available, should get_transaction_hash still be used in this release instead of unique_session_hash?

[igor-aptos]

you need to leave this for 1 release

[junkil-park]

Got it. I added it back.

[igor-aptos]

just add both with same:

("get_txn_hash", native_unique_session_hash_internal),
("unique_session_hash_internal", native_unique_session_hash_internal),

[junkil-park]

I added it back. Now, we have both.

[lightmark]

@junkil-park can you resolve @igor-aptos 's comments? We need this for blind signing.

[junkil-park]

@junkil-park can you resolve @igor-aptos 's comments? We need this for blind signing.

A bit delayed due to a discussion about this issue on Slack. I will update shortly.

[junkil-park]

@igor-aptos , this is an entirely new native function (unlike get_txn_hash()). Does this pattern seem right to you, having a public function wrapper and being protected by a feature gate?

[igor-aptos]

yes this is correct.

you can register raw_transaction_hash as native as well, so in next release you can remove raw_transaction_hash_internal completely

[igor-aptos]

yes this is correct.

you can register raw_transaction_hash as native as well, so in next release you can remove raw_transaction_hash_internal completely

[igor-aptos]

you need to add now:

("unique_session_hash", native_get_txn_hash),

so that second stage can be done

and you can rename native_get_txn_hash to native_unique_session_hash in rust for cleanliness, as this is just rust code

[junkil-park]

Done renaming native_get_txn_hash to native_unique_session_hash,
and adding ("unique_session_hash", native_unique_session_hash), and
("raw_transaction_hash", native_raw_transaction_hash_internal,),

@igor-aptos , by the way, we already have some existing native functions such as gas_payer_internal that has its public wrapper gas_payer.
Following the same pattern, we can register gas_payer as native in this release, right? So, adding,

("gas_payer", native_gas_payer_internal),

[igor-aptos]

yup, if you want to clean things up and optimize out - we can do that.

if there is any chance we are going to need to revert a flag, we shouldn't remove the internal variant :)

[igor-aptos]

great! :)

[vusirikala]

Just curious about the reason behind using ZERO for fee-payer address. Is it because we want the execution of the transaction to be the same independent of which fee payer is paying for the transaction?

[junkil-park]

For example, the sender and secondary signers can sign without specifying a particular fee-payer address, allowing the gas station to select an appropriate fee-payer account as needed.

[vusirikala]

secondary signers can sign without specifying a particular fee-payer address,

Oh, I see. In practice, do secondary signers actually set the fee-payer address to ZERO? In the below sign_fee_payer function, both the secondary signers and fee payer seem to be signing the same message. But then, in the verify function, the fee payer address is replaced with ZERO. I'm not sure why.

https://github.com/aptos-labs/aptos-core/blob/main/types/src/transaction/mod.rs#L298
https://github.com/aptos-labs/aptos-core/blob/main/types/src/transaction/authenticator.rs#L172

[junkil-park]

The sender and secondary signers can sign with or without specifying a fee-payer address; both options are currently supported. However, the fee-payer is required to sign with its address included.

[vusirikala]

SignedTransaction actually already has the field committed_hash that is computed during the previous stages of the execution pipeline. If we are okay with using hash(signed transaction) here instead of hash(raw transaction), then we might save CPU cycles?

[junkil-park]

We need the hash of the "raw transaction" that is used in the authentication process for signers.

[vusirikala]

If we are okay with using hash(signed transaction), then I guess we may not need to construct RawTransactionWithData as above (as TransactionAuthenticator will already have the info)?

[junkil-park]

If we are okay with using hash(signed transaction)

In the current setting, I think it's not ok to use hash(signed transaction) because TransactionAuthenticator also contains signatures which should be excluded.

[vusirikala]

The function seems pretty innocent :-)
Curious why it is supposed to fail.

[junkil-park]

The unit test runs in an environment without any user transaction context. In that case, the design decision has been to abort instead of returning some default value.

[vusirikala]

I'm actually not super familiar with why we do this. In general, why do we separate the native function into two functions with _internal tag?

[junkil-park]

For safety in release. It would've been ideal to just add public native fun raw_transaction_hash(). However, it's turns out to be unsafe during the release process due to the timing not being perfectly aligned between the binary upgrade and the framework upgrade.

[github-actions]

✅ Forge suite realistic_env_max_load success on 6b724bfda40f0e4488a00f7eeadf8acfd8856f79

two traffics test: inner traffic : committed: 14101.46 txn/s, latency: 2813.17 ms, (p50: 2700 ms, p70: 2700, p90: 3000 ms, p99: 3300 ms), latency samples: 5361660
two traffics test : committed: 99.92 txn/s, latency: 1517.62 ms, (p50: 1400 ms, p70: 1500, p90: 1600 ms, p99: 7300 ms), latency samples: 1760
Latency breakdown for phase 0: ["MempoolToBlockCreation: max: 2.009, avg: 1.559", "ConsensusProposalToOrdered: max: 0.326, avg: 0.298", "ConsensusOrderedToCommit: max: 0.395, avg: 0.377", "ConsensusProposalToCommit: max: 0.688, avg: 0.675"]
Max non-epoch-change gap was: 0 rounds at version 0 (avg 0.00) [limit 4], 0.99s no progress at version 2802849 (avg 0.21s) [limit 15].
Max epoch-change gap was: 0 rounds at version 0 (avg 0.00) [limit 4], 8.55s no progress at version 2802847 (avg 8.55s) [limit 15].
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Validator CPU Profile
• Fullnode CPU Profile
• Test runner output
• Test run is land-blocking

[github-actions]

✅ Forge suite framework_upgrade success on f38ec72e975a4dff4e9919e7a1d8118a75858bab ==> 6b724bfda40f0e4488a00f7eeadf8acfd8856f79

Compatibility test results for f38ec72e975a4dff4e9919e7a1d8118a75858bab ==> 6b724bfda40f0e4488a00f7eeadf8acfd8856f79 (PR)
Upgrade the nodes to version: 6b724bfda40f0e4488a00f7eeadf8acfd8856f79
framework_upgrade::framework-upgrade::full-framework-upgrade : committed: 1188.43 txn/s, submitted: 1191.54 txn/s, failed submission: 3.10 txn/s, expired: 3.10 txn/s, latency: 2611.31 ms, (p50: 2400 ms, p70: 3000, p90: 3800 ms, p99: 5700 ms), latency samples: 107280
framework_upgrade::framework-upgrade::full-framework-upgrade : committed: 1178.13 txn/s, submitted: 1181.20 txn/s, failed submission: 3.08 txn/s, expired: 3.08 txn/s, latency: 2440.51 ms, (p50: 2100 ms, p70: 2700, p90: 3900 ms, p99: 5700 ms), latency samples: 107160
5. check swarm health
Compatibility test for f38ec72e975a4dff4e9919e7a1d8118a75858bab ==> 6b724bfda40f0e4488a00f7eeadf8acfd8856f79 passed
Upgrade the remaining nodes to version: 6b724bfda40f0e4488a00f7eeadf8acfd8856f79
framework_upgrade::framework-upgrade::full-framework-upgrade : committed: 1233.55 txn/s, submitted: 1236.63 txn/s, failed submission: 3.08 txn/s, expired: 3.08 txn/s, latency: 2402.92 ms, (p50: 2400 ms, p70: 2400, p90: 3300 ms, p99: 4800 ms), latency samples: 112000
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Validator CPU Profile
• Fullnode CPU Profile
• Test runner output
• Test run is land-blocking

[github-actions]

✅ Forge suite compat success on f38ec72e975a4dff4e9919e7a1d8118a75858bab ==> 6b724bfda40f0e4488a00f7eeadf8acfd8856f79

Compatibility test results for f38ec72e975a4dff4e9919e7a1d8118a75858bab ==> 6b724bfda40f0e4488a00f7eeadf8acfd8856f79 (PR)
1. Check liveness of validators at old version: f38ec72e975a4dff4e9919e7a1d8118a75858bab
compatibility::simple-validator-upgrade::liveness-check : committed: 17352.52 txn/s, latency: 1976.85 ms, (p50: 2100 ms, p70: 2100, p90: 2200 ms, p99: 2400 ms), latency samples: 553720
2. Upgrading first Validator to new version: 6b724bfda40f0e4488a00f7eeadf8acfd8856f79
compatibility::simple-validator-upgrade::single-validator-upgrading : committed: 7086.67 txn/s, latency: 4032.21 ms, (p50: 4600 ms, p70: 4900, p90: 5000 ms, p99: 5000 ms), latency samples: 131360
compatibility::simple-validator-upgrade::single-validator-upgrade : committed: 6604.28 txn/s, latency: 4870.17 ms, (p50: 5000 ms, p70: 5000, p90: 6800 ms, p99: 7200 ms), latency samples: 218640
3. Upgrading rest of first batch to new version: 6b724bfda40f0e4488a00f7eeadf8acfd8856f79
compatibility::simple-validator-upgrade::half-validator-upgrading : committed: 5588.61 txn/s, latency: 5173.28 ms, (p50: 6000 ms, p70: 6200, p90: 6300 ms, p99: 6400 ms), latency samples: 106860
compatibility::simple-validator-upgrade::half-validator-upgrade : committed: 5214.50 txn/s, latency: 5757.98 ms, (p50: 6200 ms, p70: 6500, p90: 6700 ms, p99: 7000 ms), latency samples: 202080
4. upgrading second batch to new version: 6b724bfda40f0e4488a00f7eeadf8acfd8856f79
compatibility::simple-validator-upgrade::rest-validator-upgrading : committed: 9523.98 txn/s, latency: 2947.66 ms, (p50: 3100 ms, p70: 3500, p90: 3700 ms, p99: 3900 ms), latency samples: 163680
compatibility::simple-validator-upgrade::rest-validator-upgrade : committed: 9375.42 txn/s, latency: 3425.72 ms, (p50: 3600 ms, p70: 3800, p90: 4100 ms, p99: 4300 ms), latency samples: 308160
5. check swarm health
Compatibility test for f38ec72e975a4dff4e9919e7a1d8118a75858bab ==> 6b724bfda40f0e4488a00f7eeadf8acfd8856f79 passed
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Validator CPU Profile
• Fullnode CPU Profile
• Test runner output
• Test run is land-blocking