Feature gate builtin consumes static units during processing instruction

[tao-stones]

Problem

For below mentioned feature gated issue, PR #30680 presented one possible solution to charge default units if (and only if) builtins don't manually deduct units after process_instruction(). @Lichtso pointed out two issues with it:

1. the prerequisite add default_cost as mandatory field for Builtin #30639 conflicts with the undergoing refactoring works; (detail here)
2. the preferred practice is to deduct units before processing, not after.

@Lichtso and I huddled offline, proposed to update all builtins to consume statically defined units at beginning of process_instruction. The pros: above mentioned 2 concerns are addressed; the cons: it is not easy to abandon builtin costs (re)defined in runtime/src/block_cost_limits.rs, which adds cost of maintenance. (with previous approach, i was planning to remove that HashMap from block_cost_limit, instead fetch builtin cost from bank.builtins.default_compute_unit_cost)

Summary of Changes

• add feature gate
• implement second proposal.

Feature Gate Issue: #30620

[joncinque]

The change looks good to me! To prevent this in the future, do you want to add something in the native instruction processor which errors if no compute units are used? This can be addressed in a followup with a separate feature gate if you prefer.

[tao-stones]

To prevent this in the future, do you want to add something in the native instruction processor which errors if no compute units are used? This can be addressed in a followup with a separate feature gate if you prefer.

Like this idea, makes sense to include this change in same feature gate. But can you say more about it? Not super clear what "native instruction processor" refer to, and how that would prevent future native program to consume units.

As for error, would a new InstructionError::InstructionNotConsumeUnits suffice?

[tao-stones]

Also I wish to refactor the hardcoded number into named constants. so
this
invoke_context.consume_checked(150)?;
would becomes:
invoke_context.consume_checked(solana_sdk::system_program::DEFAULT_COMPUTE_UNIT_COST)?;
and their tests as well.
I'm thinking to add const right next to each program id declarion, so

crate::declare_id!(...);
pub const DEFAUL_COMPUT_UNIT_COST: u64 = ....;

Would this break any convention? @joncinque @Lichtso

[joncinque]

Like this idea, makes sense to include this change in same feature gate. But can you say more about it? Not super clear what "native instruction processor" refer to, and how that would prevent future native program to consume units.

In your other PR, you checked to see if consumed compute units was 0 before deducting the default amount at https://github.com/solana-labs/solana/pull/30680/files#diff-9ac236825ce9b87946d6820e3ec3096bc841818c66037b38b6d98142318f4b0aR783-R791

How about returning an error if consumed compute units is 0?

[joncinque]

Also I wish to refactor the hardcoded number into named constants

If it's only used in one place, I think it's fine to keep the hardcoded amounts, but it's a matter of taste

[tao-stones]

In your other PR, you checked to see if consumed compute units was 0 before ...

Aaah, gotcha! The word "native" threw me off, thought it's something else 😜 Thanks for explaining,

Also I wish to refactor the hardcoded number into named constants

If it's only used in one place, I think it's fine to keep the hardcoded amounts, but it's a matter of taste

Yeah ok, let's leave this one out for now. It can be done as separately without needing another feature gate.

[tao-stones]

you checked to see if consumed compute units was 0 ...

Aaah, gotcha. Sorry "native" threw me off early, thought referring to something else 😜 . comment 254da8b does it.

[tao-stones]

Adding this to enforce future native programs to consume units.

[tao-stones]

Existing mock/test programs do not consume units, the enforcement added above not only breaks all tests under program-test/tests and some zk-token-proof tests, it also breaks downstream tests (such as spl). I deactivated this feature for ProgramTest here to continue support existing tests.

[joncinque]

No problem, that makes sense for these, especially in "native" mode. We could eventually change program-test to consume some default amount in "native" mode.

[tao-stones]

abi change due to adding InstructionError

[codecov]

Codecov Report

Merging #30702 (d661745) into master (5a05e9b) will decrease coverage by 0.1%.
The diff coverage is 59.5%.

@@            Coverage Diff            @@
##           master   #30702     +/-   ##
=========================================
- Coverage    81.5%    81.5%   -0.1%     
=========================================
  Files         726      726             
  Lines      204809   204914    +105     
=========================================
+ Hits       167027   167080     +53     
- Misses      37782    37834     +52     

[tao-stones]

@joncinque @Lichtso adding check to enforce builtin to consume units broke a ton tests all over place :) Took time to use the opportunity to learn some details about runtime and program_test. This PR is cleaned up, ready for another review.

[joncinque]

Thanks for fixing up all those tests, this is looking really close!

[joncinque]

No problem, that makes sense for these, especially in "native" mode. We could eventually change program-test to consume some default amount in "native" mode.

[joncinque]

Now that I think about it more -- consuming 0 units is a programmer error and not a user error, so we could be even more aggressive and assert.

On the flipside, since the runtime is used by other developers, like in all of the program tests, they should probably get a nice error rather than an assert. I'm leaning toward keeping this as an error, but I wanted to bring up the discussion to see how you thought.

[tao-stones]

Great observation! I agree it'd be a programmer error. Also agree runtime is library other developers use; so it'd be great, as good SDK, to return meaningful errors for unsupported user invokes. I'd vote for keep error too.

[joncinque]

Looks good to me, but be sure to get feedback from @Lichtso too, to make sure that it interacts properly with any runtime changes