Effective Gno
Welcome to the guide for writing effective Gno code. This document is designed to help you understand the nuances of Gno and how to use it effectively.
Before we dive in, it's important to note that Gno shares several similarities with Go. Therefore, if you haven't already, we highly recommend reading "Effective Go" as a primer.
Disclaimer
Gno is a young language. The practices we've identified are based on its current state. As Gno evolves, new practices will emerge and some current ones may become obsolete. We welcome your contributions and feedback. Stay updated and help shape Gno's future!
Counter-intuitive good practices
This section highlights some Gno good practices that might seem counter-intuitive, especially if you're coming from a Go background.
Embrace global variables in realms
In Gno, using global variables is not only acceptable, but also encouraged, specifically when working with realms. This is due to the unique persistence feature of realms.
In Go, you would typically write your logic and maintain some state in memory. However, to persist the state and ensure it survives a restart, you would need to use a store (like a plain file, custom file structure, a database, a key-value store, an API, etc.).
In contrast, Gno simplifies this process. When you declare global variables in Gno realms, the GnoVM automatically persists and restores them as needed between each run. This means that the state of these variables is maintained across different executions of the realm, providing a simple and efficient way to manage state persistence.
However, it's important to note that this practice is not a blanket recommendation for all Gno code. It's specifically beneficial in the context of realms due to their persistent characteristics. In other Gno code, such as packages, the use of global variables is actually discouraged and may even be completely disabled in the future. Instead, packages should use global constants, which provide a safe and reliable way to define values that don't change.
Also, be mindful not to export your global variables. Doing so would make them accessible for everyone to read and write, potentially leading to unintended side effects. Instead, consider using getters and setters to control access to these variables, as shown in the following pattern:
// private global variable.
var counter int
// public getter endpoint.
func GetCounter() int {
return counter
}
// public setter endpoint.
func IncCounter() {
counter++
}
In this example, GetCounter
and IncCounter
are used to read and increment
the counter
variable, respectively. This allows you to control how the
counter
variable is accessed and modified, ensuring that it's used correctly
and securely.
Embrace panic
In Gno, we have a slightly different approach to handling errors compared to Go.
While the famous quote by Rob
Pike advises
Go developers "Don't panic.", in Gno, we actually embrace panic
.
Panic in Gno is not just for critical errors or programming mistakes as it is in Go. Instead, it's used as a control flow mechanism to stop the execution of a realm when something goes wrong. This could be due to an invalid input, a failed precondition, or any other situation where it's not possible or desirable to continue executing the contract.
So, while in Go, you should avoid panic
and handle error
s gracefully, in Gno,
don't be afraid to use panic
to enforce contract rules and protect the integrity
of your contract's state. Remember, a well-placed panic can save your contract
from a lot of trouble.
When you return an error
in Gno, it's like giving back any other piece of data.
It tells you something went wrong, but it doesn't stop your code or undo any
changes you made.
But, when you use panic
in Gno, it stops your code right away, says it failed,
and doesn't save any changes you made. This is safer when you want to stop
everything and not save wrong changes.
In Gno, the use of panic()
and error
should be context-dependent to ensure
clarity and proper error handling:
- Use
panic()
to immediately halt execution and roll back the transaction when encountering critical issues or invalid inputs that cannot be recovered from. - Return an
error
when the situation allows for the possibility of recovery or when the caller should decide how to handle the error.
Consequently, reusable packages should avoid panic()
except in assert-like
functions, such as Must*
or Assert*
, which are explicit about their
behavior. Packages should be designed to be flexible and not impose restrictions
that could lead to user frustration or the need to fork the code.
import "std"
func Foobar() {
caller := std.PrevRealm().Addr()
if caller != "g1xxxxx" {
panic("permission denied")
}
// ...
}
- TODO: suggest MustXXX and AssertXXX flows in p/.
Understand the importance of init()
In Gno, the init()
function isn't just a function, it's a cornerstone. It's
automatically triggered when a new realm is added onchain, making it a one-time
setup tool for the lifetime of a realm. In essence, init()
acts as a
constructor for your realm.
Unlike Go, where init()
is used for tasks like setting up database
connections, configuring logging, or initializing global variables every time
you start a program, in Gno, init()
is executed once in a realm's lifetime.
In Gno, init()
primarily serves two purposes:
- It establishes the initial state, specifically, setting up global variables.
- Note: global variables can often be set up just by assigning their initial value when you're declaring them. See below for an example! \
Deciding when to initialise the variable directly, and when to set it up in
init
can be non-straightforward. As a rule of thumb, though,init
visually marks the code as executing only when the realm is started, while assigning the variables can be less straightforward.
- Note: global variables can often be set up just by assigning their initial value when you're declaring them. See below for an example! \
Deciding when to initialise the variable directly, and when to set it up in
- It communicates with another realm, for example, to register itself in a registry.
import "gno.land/r/some/registry"
func init() {
registry.Register("myID", myCallback)
}
func myCallback(a, b string) { /* ... */ }
A common use case could be to set the "admin" as the caller uploading the package.
import (
"std"
"time"
)
var (
created time.Time
admin std.Address
list = []string{"foo", "bar", time.Now().Format("15:04:05")}
)
func init() {
created = time.Now()
// std.GetOrigCaller in the context of realm initialisation is,
// of course, the publisher of the realm :)
// This can be better than hardcoding an admin address as a constant.
admin = std.GetOrigCaller()
// list is already initialized, so it will already contain "foo", "bar" and
// the current time as existing items.
list = append(list, admin.String())
}
In essence, init()
in Gno is your go-to function for setting up and
registering realms. It's a powerful tool that helps keep your realms organized
and properly configured from the get-go. Acting as a constructor, it sets the
stage for the rest of your realm's lifetime.
A little dependency is better than a little copying
In Go, there's a well-known saying by Rob Pike: "A little copying is better than a little dependency". This philosophy encourages developers to minimize their dependencies and instead copy small amounts of code where necessary. While this approach often makes sense in Go, it's not always the best strategy in Gno.
In Gno, especially for p/
packages, another philosophy prevails, one that is
more akin to the Node/NPM ecosystem. This philosophy encourages creating small
modules and leveraging multiple dependencies. The main reason for this shift is
code readability and trust.
A Gno contract is not just its lines of code, but also the imports it uses. More importantly, Gno contracts are not just for developers. For the first time, it makes sense for users to see what functionality they are executing too. Code simplicity, transparency, explicitness, and trustability are paramount.
Another good reason for creating simple, focused libraries is the composability
of Go and Gno. Essentially, you can think of each p/
package as a Lego brick
in an ever-growing collection, giving more power to users. p/
in Gno is
basically a way to extend the standard libraries in a community-driven manner.
Unlike other compiled languages where dependencies are not always well-known and clear metrics are lacking, Gno allows for a reputation system not only for the called contracts, but also for the dependencies.
For example, you might choose to use well-crafted p/
packages that have been
reviewed, audited, and have billions of transactions under their belt, boasting
super high stability. This approach can make your code footprint smaller and more
reliable.
In other platforms, an audit usually involves auditing everything, including the dependencies. However, in Gno, we can expect that over time, contracts will become smaller, more powerful, and partially audited by default, thanks to this enforced open-source system.
One key difference between the Go and Gno ecosystem is the trust assumption when adding a new dependency. Dependency code always needs to be vetted, regardless of what programming language or ecosystem you're using. However, in Gno, you can have the certainty that the author of a package cannot overwrite an existing, published contract; as that is simply disallowed by the blockchain. In other words, using existing and widely-used packages reinforces your security rather than harming it.
So, while you can still adhere to the original philosophy of minimizing
dependencies, ultimately, try to use and write super stable, simple, tested,
and focused p/
small libraries. This approach can lead to more reliable,
efficient, and trustworthy Gno contracts.
import (
"gno.land/p/finance/tokens"
"gno.land/p/finance/exchange"
"gno.land/p/finance/wallet"
"gno.land/p/utils/permissions"
)
var (
myWallet wallet.Wallet
myToken tokens.Token
myExchange exchange.Exchange
)
func init() {
myWallet = wallet.NewWallet()
myToken = tokens.NewToken("MyToken", "MTK")
myExchange = exchange.NewExchange(myToken)
}
func BuyTokens(amount int) {
caller := permissions.GetCaller()
permissions.CheckPermission(caller, "buy")
myWallet.Debit(caller, amount)
myExchange.Buy(caller, amount)
}
func SellTokens(amount int) {
caller := permissions.GetCaller()
permissions.CheckPermission(caller, "sell")
myWallet.Credit(caller, amount)
myExchange.Sell(caller, amount)
}
When Gno takes Go practices to the next level
Documentation is for users
One of the well-known proverbs in Go is: "Documentation is for users", as stated by Rob Pike. In Go, documentation is for users, but users are often developers. In Gno, documentation is for users, and users can be other developers but also the end users.
In Go, we usually have well-written documentation for other developers to maintain and use our code as a library. Then, we often have another layer of documentation on our API, sometimes with OpenAPI Specs, Protobuf, or even user documentation.
In Gno, the focus shifts towards writing documentation for the end user. You can even consider that the main reader is an end user, who is not so interested in technical details, but mostly interested in how and why they should use a particular endpoint. Comments will be used to aid code source reading, but also to generate documentation and even for smart wallets that need to understand what to do.
Inline comments have the same goal: to guide users (developers or end users) through the code. While comments are still important for maintainability, their main purpose in Gno is for discoverability. This shift towards user-centric documentation reflects the broader shift in Gno towards making code more accessible and understandable for all users, not just developers.
TODO: func ExampleXXX
.
Reflection is never clear
In Go, there's a well-known saying by Rob Pike: "Reflection is never clear." This statement emphasizes the complexity and potential pitfalls of using reflection in Go.
In Gno, reflection does not exist (yet). There are technical reasons for this, but also a desire to create a Go alternative that is explicitly safer to use than Go, with a smaller cognitive difficulty to read, discover, and understand.
The absence of reflection in Gno is not just about simplicity, but also about safety. Reflection can be powerful, but it can also lead to code that is hard to understand, hard to debug, and prone to runtime errors. By not supporting reflection, Gno encourages you to write code that is explicit, clear, and easy to understand.
We're currently in the process of considering whether to add reflection support or not, or perhaps add it in a privileged mode for very few libraries. But for now, when you're writing Gno code, remember: explicit is better than implicit, and clear code is better than clever code.
Gno good practices
Package naming and organization
Your package name should match the folder name. This helps to prevent having named imports, which can make your code more difficult to understand and maintain. By matching the package name with the folder name, you can ensure that your imports are clear and intuitive.
Ideally, package names should be short and human-readable. This makes it easier for other developers to understand what your package does at a glance. Avoid using abbreviations or acronyms unless they are widely understood.
Packages and realms can be organized into subdirectories. However, consider that the
best place for your main project will likely be r/NAMESPACE/DAPP
, similar
to how repositories are organized on GitHub.
If you have multiple sublevels of realms, remember that they are actually independent realms and won't share data. A good usage could be to have an ecosystem of realms, where one realm is about storing the state, another one about configuration, etc. But in general, a single realm makes sense.
You can also create small realms to create your ecosystem. For example, you
could centralize all the authentication for your whole company/organization in
r/NAMESPACE/auth
, and then import it in all your contracts.
The p/
prefix is different. In general, you should use top-level p/
like
p/NAMESPACE/DAPP
only for things you expect people to use. If your goal is
just to have internal libraries that you created to centralize your helpers and
don't expect that other people will use your helpers, then you should probably
use subdirectories like p/NAMESPACE/DAPP/foo/bar/baz
.
Define types and interfaces in pure packages (p/)
In Gno, it's common to create p/NAMESPACE/DAPP
for defining types and
interfaces, and r/NAMESPACE/DAPP
for the runtime, especially when the goal
for the realm is to become a standard that could be imported by p/
.
The reason for this is that p/
can only import p/
, while r/
can import
anything. This separation allows you to define standards in p/
that can be
used across multiple realms and packages.
In general, you can just write your r/
to be an app. But if for some reason
you introduce a concept that can be reused, it makes sense to have a
dedicated p/
so that people can re-use your logic without depending on
your realm's data.
For instance, if you want to create a token type in a realm, you can use it, and
other realms can import the realm and compose it. But if you want to create a
p/
helper that will create a pattern, then you need to have your interface and
types defined in p/
so anything can import it.
By separating your types and interfaces into p/
and your runtime into r/
,
you can create more modular, reusable, and standardized code in Gno. This
approach allows you to leverage the composability of Gno to build more powerful
and flexible applications.
Design your realm as a public API
In Go, all your packages, including your dependencies, are typically treated as part of your safe zone, similar to a secure perimeter. The boundary is drawn between your program and the rest of the world, which means you secure the API itself, potentially with authentication middlewares.
However, in Gno, your realm is the public API. It's exposed to the outside world and can be accessed by other realms. Therefore, it's crucial to design your realm with the same level of care and security considerations as you would a public API.
One approach is to simulate a secure perimeter within your realm by having private functions for the logic and then writing your API layer by adding some front-facing API with authentication. This way, you can control access to your realm's functionality and ensure that only authorized callers can execute certain operations.
import "std"
func PublicMethod(nb int) {
caller := std.PrevRealm().Addr()
privateMethod(caller, nb)
}
func privateMethod(caller std.Address, nb int) { /* ... */ }
In this example, PublicMethod
is a public function that can be called by other
realms. It retrieves the caller's address using std.PrevRealm().Addr()
, and
then passes it to privateMethod
, which is a private function that performs the
actual logic. This way, privateMethod
can only be called from within the
realm, and it can use the caller's address for authentication or authorization
checks.
Emit Gno events to make life off-chain easier
Gno provides users the ability to log specific occurrences that happened in their
on-chain apps. An event
log is stored in the ABCI results of each block, and
these logs can be indexed, filtered, and searched by external services, allowing
them to monitor the behaviour of on-chain apps.
It is good practice to emit events when any major action in your code is triggered. For example, good times to emit an event is after a balance transfer, ownership change, profile created, etc. Alternatively, you can view event emission as a way to include data for monitoring purposes, given the indexable nature of events.
Events consist of a type and a slice of strings representing key:value
pairs.
They are emitted with the Emit()
function, contained in the std
package in
the Gno standard library:
package events
import (
"std"
)
var owner std.Address
func init() {
owner = std.PrevRealm().Addr()
}
func ChangeOwner(newOwner std.Address) {
caller := std.PrevRealm().Addr()
if caller != owner {
panic("access denied")
}
owner = newOwner
std.Emit("OwnershipChange", "newOwner", newOwner.String())
}
If ChangeOwner()
was called in, for example, block #43, getting the BlockResults
of block #43 will contain the following data:
{
"Events": [
{
"@type": "/tm.gnoEvent",
"type": "OwnershipChange",
"pkg_path": "gno.",
"func": "ChangeOwner",
"attrs": [
{
"key": "newOwner",
"value": "g1zzqd6phlfx0a809vhmykg5c6m44ap9756s7cjj"
}
]
}
// other events
]
}
Read more about events here.
Contract-level access control
In Gno, it's a good practice to design your contract as an application with its own access control. This means that different endpoints of your contract should be accessible to different types of users, such as the public, admins, or moderators.
The goal is usually to store the admin address or a list of addresses
(std.Address
) in a variable, and then create helper functions to update the
owners. These helper functions should check if the caller of a function is
whitelisted or not.
Let's deep dive into the different access control mechanisms we can use:
One strategy is to look at the caller with std.PrevRealm()
, which could be the
EOA (Externally Owned Account), or the preceding realm in the call stack.
Another approach is to look specifically at the EOA. For this, you should call
std.GetOrigCaller()
, which returns the public address of the account that
signed the transaction.
TODO: explain when to use std.GetOrigCaller
.
Internally, this call will look at the frame stack, which is basically the stack of callers including all the functions, anonymous functions, other realms, and take the initial caller. This allows you to identify the original caller and implement access control based on their address.
Here's an example:
import "std"
var admin std.Address = "g1xxxxx"
func AdminOnlyFunction() {
caller := std.PrevRealm().Addr()
if caller != admin {
panic("permission denied")
}
// ...
}
// func UpdateAdminAddress(newAddr std.Address) { /* ... */ }
In this example, AdminOnlyFunction
is a function that can only be called by
the admin. It retrieves the caller's address using std.PrevRealm().Addr()
,
this can be either another realm contract, or the calling user if there is no
other intermediary realm. and then checks if the caller is the admin. If not, it
panics and stops the execution.
The goal of this approach is to allow a contract to own assets (like grc20 or coins), so that you can create contracts that can be called by another contract, reducing the risk of stealing money from the original caller. This is the behavior of the default grc20 implementation.
Here's an example:
import "std"
func TransferTokens(to std.Address, amount int64) {
caller := std.PrevRealm().Addr()
if caller != admin {
panic("permission denied")
}
// ...
}
In this example, TransferTokens
is a function that can only be called by the
admin. It retrieves the caller's address using std.PrevRealm().Addr()
, and
then checks if the caller is the admin. If not, the function panics and execution is stopped.
By using these access control mechanisms, you can ensure that your contract's functionality is accessible only to the intended users, providing a secure and reliable way to manage access to your contract.
Using avl.Tree for efficient data retrieval
In Gno, the avl.Tree
data structure is a powerful tool for optimizing data
retrieval. It works by lazily resolving information, which means it only loads
the data you need when you need it. This allows you to scale your application
and pay less gas for data retrieval.
AVL is short for Adelson-Velsky and Landis: under the hood, it is an implementation of a self-balancing binary tree.
The avl.Tree
can be used like a map, where you can store key-value pairs and
retrieve an entry with a simple key. However, unlike a traditional map, the
avl.Tree
doesn't load unnecessary data. This makes it particularly efficient
for large data sets where you only need to access a small subset of the data at
a time.
Here's an example of how you can use avl.Tree
:
import "avl"
var tree avl.Tree
func GetPost(id string) *Post {
return tree.Get(id).(*Post)
}
func AddPost(id string, post *Post) {
tree.Set(id, post)
}
In this example, GetPost
is a function that retrieves a post from the
avl.Tree
using an ID. It only loads the post with the specified ID, without
loading any other posts.
In the future, we plan to add built-in "map" support that will match the
efficienty of an avl.Tree
while offering a more intuitive API. Until then, if
you're dealing with a compact dataset, it's probably best to use slices.
For larger datasets where you need to quickly retrieve elements by keys,
avl.Tree
is the way to go.
You can also create SQL-like indexes by having multiple avl.Tree
instances for
different fields. For example, you can have an avl.Tree
for ID to *post, then
an avl.Tree
for Tags, etc. Then, you can create reader methods that will just
retrieve what you need, similar to SQL indexes.
By using avl.Tree
and other efficient data structures, you can optimize your
Gno code for performance and cost-effectiveness, making your applications more
scalable and efficient.
TODO: multi-indices example
Construct "safe" objects
A safe object in Gno is an object that is designed to be tamper-proof and secure. It's created with the intent of preventing unauthorized access and modifications. This follows the same principle of making a package an API, but for a Gno object that can be directly referenced by other realms.
The goal is to create an object which, once instantiated, can be linked and its pointer can be "stored" by other realms without issue, because it protects its usage completely.
type MySafeStruct {
counter nb
admin std.Address
}
func NewSafeStruct() *MySafeStruct {
caller := std.PrevRealm().Addr()
return &MySafeStruct{
counter: 0,
admin: caller,
}
}
func (s *MySafeStruct) Counter() int { return s.counter }
func (s *MySafeStruct) Inc() {
caller := std.PrevRealm().Addr()
if caller != s.admin {
panic("permission denied")
}
s.counter++
}
Then, you can register this object in another or several other realms so other realms can access the object, but still following your own rules.
import "gno.land/r/otherrealm"
func init() {
mySafeObj := NewSafeStruct()
otherrealm.Register(mySafeObject)
}
// then, other realm can call the public functions but won't be the "owner" of
// the object.
Choosing between Coins and GRC20 tokens
In Gno, you've got two primary options: Coins or GRC20. Each option has its unique advantages and disadvantages, and the ideal choice varies based on individual requirements.
Coins
Coins are managed by the banker module, separate from GnoVM. They're simple, strict, and secure. You can create, transfer, and check balances with an RPC call, no GnoVM needed.
For example, if you're creating a coin for cross-chain transfers, Coins are your best bet. They're IBC-ready and their strict rules offer top-notch security.
Read about how to use the Banker module here.
GRC20 tokens
GRC20 tokens, on the other hand, are like Ethereum's ERC20 or CosmWasm's CW20. They're flexible, composable, and perfect for DeFi protocols and DAOs. They offer more features like token-gating, vaults, and wrapping.
For instance, if you're creating a voting system for a DAO, GRC20 tokens are ideal. They're programmable, can be embedded in safe Gno objects, and offer more control.
Remember, GRC20 tokens are more gas-intensive and aren't IBC-ready yet. They also come with shared ownership, meaning the contract retains some control.
In the end, your choice depends on your needs: simplicity and security with Coins, or flexibility and control with GRC20 tokens. And if you want the best of both worlds, you can wrap a Coins into a GRC20 compatible token.
import "gno.land/p/demo/grc/grc20"
var fooToken grc20.AdminToken = grc20.NewAdminToken("Foo Token", "FOO", 4)
func MyBalance() uint64 {
caller := std.PrevRealm().Addr()
balance, _ := fooToken.BalanceOf(caller)
return balance
}
See also: https://gno.land/r/demo/foo20
Wrapping Coins
Want the best of both worlds? Consider wrapping your Coins. This gives your coins the flexibility of GRC20 while keeping the security of Coins. It's a bit more complex, but it's a powerful option that offers great versatility.
See also: https://github.com/gnolang/gno/tree/master/examples/gno.land/r/demo/wugnot