Dynamic storage support

[Dentosal]

Implements dynamic storage instructions as described in FuelLabs/fuel-specs#640

The storage initialization in Create transactions is left as-is, i.e. it only allows 32 byte slots. This feature isn't used much, and I don't think it's worth it to continue supporting.

The only breaking change introduced here is adding an immediate offset operand to SRW instruction. Backwards compatibility is retained as the field as previously required to be zeroed.

Checklist

• Breaking changes are clearly marked as such in the PR description and changelog
• New behavior is reflected in tests
• If performance characteristic of an instruction change, update gas costs as well or make a follow-up PR for that
• The specification matches the implemented behavior (link update PR if changes are needed)

Before requesting review

• I have reviewed the code myself
• I have created follow-up issues caused by this PR and linked them here:
  • New storage bytes cost rework #987

[cursor]

PR Summary

High Risk
High risk because it changes FuelVM instruction encoding/semantics (SRW operand change + new storage opcodes), rewires core storage read/write APIs, and updates gas/consensus parameters that affect transaction execution and metering.

Overview
Adds dynamic/variable-length contract storage support by introducing new VM opcodes (SCLR, SRDD/SRDI, SWRD/SWRI, SUPD/SUPI, SPLD, SPCP) plus a storage-preload memory area used by SPLD/SPCP, and updates the interpreter to enforce a new max_storage_slot_length limit.

Makes a backwards-compatible instruction format change to SRW by adding an immediate offset operand, updates legacy storage paths (SRW, SRWQ, range reads) to operate safely over variable-sized slots (including new StorageOutOfBounds panic reason), and bumps gas costs to GasCostsValuesV7 with default costs for the new opcodes.

Reworks fuel-storage’s StorageRead API from read -> bool to read_exact/read_zerofill returning Result<usize, StorageReadError>, and propagates the new typed errors through fuel-vm storage implementations, call/return flow, and tests.

^{Written by Cursor Bugbot for commit 0fb12cf. This will update automatically on new commits. Configure here.}

[xgreenx]

It would be nice if we used readable names here like in hte opcode definition

[Dentosal]

Done in eec4b1d

[xgreenx]

You can convert the value into owned type (because, under the hood, it is already owned). Overwise you create vector two times(one when we create value, and another here).

[Dentosal]

Sure. f07f99e

[xgreenx]

Maybe it is better to use read_bytes here? In this case we will avoud creation of the vector on the fuel-core side

[Dentosal]

Not sure which read_bytes you're talking about?

[xgreenx]

Sorry, I thought it was the name=D I meant StorageRead::read

[Dentosal]

I don't think that works. We need to charge gas based on the full size of the storage slot, and StorageRead::read doesn't expose that info.

[Dentosal]

Decided on call: lets change the API of StorageRead then

[Dentosal]

That required quite a bit of refactoring due to zero filling that was already going against the documentation. Since we need to handle the returned error properly, the trait had to be reworked quite a bit.

37ef2c6

[cursor]

Stale data in preload area after failed SPLD

Medium Severity

When storage_preload doesn't find the requested key, the ERR register is set and 0 is returned, but the preload area is not cleared. If a previous successful SPLD loaded data, that stale data remains in the preload area. A subsequent SPCP call that doesn't properly check ERR could copy this stale data, potentially leading to unexpected behavior or information leakage between different storage keys within the same call frame.

 

[Dentosal]

The is the intended behavior from the specification.

[Voxelot]

why is this so much more expensive than the original SRWQ?

[Voxelot]

[Dentosal]

The values in default_gas_costs.rs aren't related to reality in any way at all. I'll be getting rid of this file in a follow-up PR, see issue #985

The real value from fuel-core that you could compare with is:

        srwq: DependentCost::HeavyOperation {
            base: 520,
            gas_per_unit: 522,
        },

which is still cheaper than this, but not unreasonably so

[MitchTurner]

I'd like to understand what the "preload" is doing.

I had Codex walk me through all the tests because they are inscrutable for me to read unfortunately. Seems good to me, but I wish the could be a little more human-friendly. Also, we use rstest on a lot of them in a way that obscures logic, i.e. we use the cases to create logical differences in the test, rather than helping get better coverage. I think of rstest as a manual prop test solution, but we are using it as a DRYing tool, at the cost of clarity.

[MitchTurner]

This isn't very intuitive. I'll see how it works later in the code and readdress.

[Dentosal]

We could instead flatten the error variants into an enum, but that would make it way less ergonomic to call. The idea here is that the outer error you'll always want to propagate using ?, as there's no way you can handle it in any meaningful way at the call site. The inner error, however, you'll always handle using a match statement, because there will be logic to handle missing keys, at least.

[MitchTurner]

Why are these test only now?

[Dentosal]

Since the new operation with_max_storage_slot_length will panic if used with V1 variant. I don't want to have that kind of thing happen outside tests, and since these are not used anywhere else, it seems prudent to make it test only. The pre-existing functions are marked as test-only for consistency.

[MitchTurner]

Why even keep the Result?

[Dentosal]

Because some cases return an error. It's just that the storage error type nested inside RuntimeError is now infallible, but there are other error types there too, including RuntimeError::Recoverable which is used here.

[MitchTurner]

Wait. How can we expect a RuntimeError if it's Infallible?

[Dentosal]

The Infallible is a generic parameter for StorageError, see the definition of RuntimeError:

pub enum RuntimeError<StorageError> {
    /// Specified error with well-formed fallback strategy, i.e. vm panics.
    Recoverable(PanicReason),
    /// Invalid interpreter state reached unexpectedly, this is a bug
    Bug(Bug),
    /// Storage io error
    Storage(StorageError),
}

[MitchTurner]

This just isn't used anymore?

[MitchTurner]

This test is breaking my brain. I can't keep track of what thing are slots keys and what things are values while reading it.

[Dentosal]

Rewritten for clarity in 6d9e197

[Dentosal]

I'd like to understand what the "preload" is doing.

The spec says:

The storage preload instruction SPLD loads contents of a storage slot into a staging area. This is a special memory region only readable with SPCP instruction. The staging area is cleared every time a call or return occurs.

This is useful because reading length of a slot requires internally reading the whole slot contents. The primary function of the preload area is to avoid having to load the same slot twice when fetching variable length data. It also allows reading parts of a slot into memory without placing it all continously, which is sometimes useful when i.e. traversing tree structures.

I had Codex walk me through all the tests because they are inscrutable for me to read unfortunately. Seems good to me, but I wish the could be a little more human-friendly.

I attempted abstracting some of the setup code into reusable and well-named functions, but the result was even less readable.

Also, we use rstest on a lot of them in a way that obscures logic, i.e. we use the cases to create logical differences in the test, rather than helping get better coverage. I think of rstest as a manual prop test solution, but we are using it as a DRYing tool, at the cost of clarity.

I'm indeed using it as a DRY tool. I think duplicating the functions would hurt clarity quite a bit more than the rstest does, as now it becomes very hard to see what's the difference between the variants. The code it still by itself rather hard to read, making more of it means you'll have to read twice as much hard-to-understand code. Here rstest-duplication never affects control flow of the fuel-vm instructions.

We could of course do the same thing without rstest and instead move entire test to a separate function, passing in a closure that performs the actual operation-under-test. That would feel rather pointless, and we would lose the nice DX rstest gives us on test failure.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

SUPD/SUPI gas undercharged for writes to large slots

High Severity

storage_update_from_memory returns len_after (offset + write_len) instead of value.len() (the full slot size). When a small range is updated in a large existing slot, the gas charge is based on the write endpoint, not the total I/O. For example, writing 5 bytes at offset 10 of a 1000-byte slot charges gas for 15 bytes while the storage backend reads and rewrites all 1000 bytes. The return value for gas metering needs to reflect the actual slot size, i.e., value.len(), which equals max(original_len, offset + write_len).

Additional Locations (1)

• fuel-vm/src/interpreter/executors/opcodes_impl.rs#L2886-L2896

 

[Dentosal]

0fb12cf

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Undocumented u64::MAX sentinel enables silent append behavior

Medium Severity

In storage_update_from_memory, offset == u64::MAX is treated as a sentinel meaning "append to end of slot." This implicit behavior is not documented in the SUPD/SUPI opcode descriptions and can be triggered by any contract that sets its offset register to u64::MAX. Instead of getting a StorageOutOfBounds panic (which would naturally occur for such a large offset), the contract silently gets append semantics.

 

[Dentosal]

It's documented in the specification

[cursor]

SRDI charges gas using wrong cost accessor name

Low Severity

SRDI charges gas using gas_costs().srdd() and SWRI charges gas using gas_costs().swrd(). While sharing costs between immediate/register variants may be intentional, there are no corresponding srdi or swri fields in GasCostsValuesV7, so these opcodes can never be independently costed. If future gas benchmarking reveals the immediate variants deserve different costs, a new gas cost version will be needed.

Additional Locations (1)

• fuel-vm/src/interpreter/executors/opcodes_impl.rs#L2853-L2856

 

[Dentosal]

This is intentional and not a real concern

[Dentosal]

Gas cost comparison from the latest benchmark run versus existing cost of non-dynamic operations. I'm only comparing read operations here, because the database read cost completely dominates the costs; writing is almost free except that we need to read the value anyway to charge for new bytes written. Read costs:

Using srwq: 520 gas per 32 byte slot.

Using srdd: 2593 gas per op, plus 38 bytes for each gas.

Meaning that if you're able to combine at least six slots, dynamic ops are cheaper for reading.