feat: add a read-only mode to sends

[Stebalien]

Adds a read-only mode for sends.

1. Adds "flags" to the sends syscall. We can extend it in the future to support additional flags.
2. Adds the concept of "read-only" layers to both the event accumulator and the state tree. This means we can track the read-only state at the lowest level.

The general approach here is to reject mutations at the mutation site instead of early. That means we'll charge gas first. The alternative would be to check up-front at the top of the syscall, but that's non-trivial because a send may automatically create an actor in some cases.

[codecov-commenter]

Codecov Report

Merging #1150 (6463bc3) into master (9c35c30) will increase coverage by 1.12%.
The diff coverage is 23.88%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1150      +/-   ##
==========================================
+ Coverage   48.63%   49.75%   +1.12%     
==========================================
  Files         128      128              
  Lines       11610    11385     -225     
==========================================
+ Hits         5646     5665      +19     
+ Misses       5964     5720     -244     

Impacted Files	Coverage Δ
fvm/src/call_manager/default.rs	0.00% <0.00%> (ø)
fvm/src/call_manager/mod.rs	21.42% <ø> (+8.09%)	⬆️
fvm/src/executor/default.rs	0.89% <0.00%> (+0.12%)	⬆️
fvm/src/kernel/default.rs	11.58% <0.00%> (-1.30%)	⬇️
fvm/src/syscalls/send.rs	0.00% <0.00%> (ø)
sdk/src/error.rs	0.00% <0.00%> (ø)
sdk/src/send.rs	0.00% <0.00%> (ø)
sdk/src/sself.rs	0.00% <0.00%> (ø)
sdk/src/vm.rs	0.00% <0.00%> (ø)
shared/src/error/mod.rs	0.00% <0.00%> (ø)
... and 17 more

[Stebalien]

In the future, we may want other flags like:

• Isolated (can't make sub-calls).
• Silent (events are ignored). We could even split READ_ONLY into DENY_MUTATIONS and SILENT, but I don't want to do that now because there are some security concerns.
• "Pure" (can't read contextual information like the epoch, time, randomness, etc.).

[Stebalien]

See #1151. This really doesn't belong in fvm_sdk::message.

[Stebalien]

I considered using an existing error but:

• IllegalOperation is ambiguous on set_root (returned both if the actor has already been deleted, or is in read-only mode).
• Forbidden is ambiguous on self_destruct if the beneficiary is self.

In general, I'm starting to regret having "common" errors and am becoming convinced we want more specific ones. We can still share errors between syscalls, but errors like ActorDeleted is probably better than IllegalOperation.

[vyzo]

Shouldnt events be allowed in readonly mode?

[vyzo]

first pass on the phone, will do another one on the computer.

[vyzo]

What's a reaonly transaction?

Kind of nonsensical, but i guess convenient in not having to change existing code.

[Stebalien]

Yeah, it is kind of subtle... I'm effectively just counting how many times I've entered "read-only" mode so I can exit when I get back to the top.

[vyzo]

So they are allowed, just not emitted.

[Stebalien]

Yes.

[vyzo]

subtle.

[Stebalien]

Shouldnt events be allowed in readonly mode?

They are, they're just dropped.

• This matches EVM behavior.
• This avoids a potential security issue where an attacker might be able to cause another actor to emit an event even if the change won't be committed.

Eventually, I'd like to split "read-only" into multiple limits, but this is a good place to start.

[Stebalien]

@raulk FYI, I kept it as "read-only" because it's now actually read-only (we're rejecting calls to set_root instead of just reverting them). Happy to rename if you can think of a better name.

[vyzo]

ship it!