-
Notifications
You must be signed in to change notification settings - Fork 4.5k
Deprecate account meta executable read/update in bpf loaders #34194
Conversation
0985839
to
e4c0c13
Compare
It just occurred to me that there is one more complicating factor here, the migration of built-in programs to on-chain programs: solana-foundation/solana-improvement-documents#88 So, in the end almost all programs (except for the loaders) will be on-chain and be owned by the loaders. But until then we still have to support built-in programs which also count as "executable" sometimes, but not always. E.g. built-ins don't need to be loaded into the Thus, we might need a boolean parameter to the
Related code sites:
|
1194285
to
462fb24
Compare
87a5450
to
bbfa8c5
Compare
runtime/src/accounts/mod.rs
Outdated
loaded_accounts[0], | ||
(Err(TransactionError::InvalidProgramForExecution), None,) | ||
); | ||
assert!(loaded_accounts[0].0.is_ok()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems to be an un-feature-gated change to consensus.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah. this needs to be feature-gated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, I would prefer if we would find a way to do this refactoring transparently, without consensus changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok. let me think about it.
Another question:
https://github.com/solana-labs/solana/blob/master/sdk/src/transaction_context.rs#L1082
With the change of is_executable() on BorrowedAccount, this seems not correct any more? upgradable account can_data_be_changed?
@@ -1079,7 +1081,9 @@ impl<'a> BorrowedAccount<'a> {
#[cfg(not(target_os = "solana"))]
pub fn can_data_be_changed(&self) -> Result<(), InstructionError> {
// Only non-executable accounts data can be changed
- if self.is_executable() {
+ if self.is_executable()
+ && !solana_program::bpf_loader_upgradeable::check_id(self.account.owner())
+ {
return Err(InstructionError::ExecutableDataModified);
}
The following are the behavior changes with this PR found in test
@Lichtso Can we review them to be sure that these scenarios are not possible practically? |
|
Makes sense. I will update.
…On Wed, Nov 22, 2023, 15:06 Alexander Meißner ***@***.***> wrote:
1.
Such a test should be deleted because transferring the ownership of an
executable account is explicitly forbidden:
https://github.com/solana-labs/solana/blob/53c723ae3f6b3013b9bfe275ea683ef2088737b3/sdk/src/transaction_context.rs#L752
2.
Again, makes no sense. Once an account is marked as executable it
becomes immutable (
https://github.com/solana-labs/solana/blob/53c723ae3f6b3013b9bfe275ea683ef2088737b3/sdk/src/transaction_context.rs#L1082),
so it could never leave the uninitialized state. Thus, the executable flag
is only set after the state is initialized.
3.
Uff, this will actually be a problem. The first two loaders did not
write any metadata into the program account, so the only way to distinguish
the writing-in-progress from the finalized state is the executable flag.
Obviously, that can not be emulated without the executable flag so we do
need a feature gate here. Also, we will probably have to disable
deployments for everything but the upgradeable loader (v3), which was
planned anyways.
—
Reply to this email directly, view it on GitHub
<#34194 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABVSJCHCDJEAEVIBLUIZYDYFZSMFAVCNFSM6AAAAAA7UYRPOOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRTGUYDEMBQGY>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
I have tried to add a feature gate for executable flag. But it turns out that |
3b58901
to
2c1f47a
Compare
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #34194 +/- ##
========================================
Coverage 81.8% 81.8%
========================================
Files 824 824
Lines 222262 222393 +131
========================================
+ Hits 181860 182065 +205
+ Misses 40402 40328 -74 |
Fails because BPFUpgradableLoader was hijacked by aaf2748 fixed it. I have deploy this PR again on my node again to run against mnt overnight. |
df9d94c
to
954848a
Compare
FYI. A node with this change has been running for the past 5 days against mainnet! So far, it looks good! |
84e2791
to
aedde94
Compare
I added two featuregates in this PR: Aso, I created two SIMDs for these two features. @Lichtso @pgarg66 @brooksprumo Please take a look. Let me know if you have any more comments. Thanks! |
It seems that |
sdk/src/account.rs
Outdated
// the account. Once we disable the deployment of these two loaders, we can | ||
// remove the following dependency on `executable`. | ||
if bpf_loader::check_id(account.owner()) || bpf_loader_deprecated::check_id(account.owner()) { | ||
return account.executable(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return true;
That will be safe once deployments on loader-v2 are disabled. And we don't switch to this emulation here before that feature is activated.
8872bf2
to
8272151
Compare
@HaoranYi Can you split off the changes where you wire in |
3d1ec85
to
a84f34b
Compare
Yeah. #34542 is the refactor PR that pass feature_set into BorrowedAccount. |
a84f34b
to
3bdb51d
Compare
My node has been running fine with the PR over the holidays. |
programs/bpf_loader/src/lib.rs
Outdated
@@ -1818,7 +1848,7 @@ mod tests { | |||
Err(InstructionError::NotEnoughAccountKeys), | |||
); | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For all the tests of loader-v2 it would be preferable to just force deactivate the feature instead of altering the tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah. restored.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After loader-v2 is disabled its management instructions will be removed. Thus, we need to rework the tests in programs/sbf/tests/programs.rs to use loader-v3 instead. However, that can happen in a separate PR.
mock account data with executable_meta in precompiled program and update test_bank_hash_consistency test pr: return const slice and add comments pr: use ReadableAccount use const to get rid of magic number add featuregate disable_bpf_loader_instructions to disable bpf loader management instructions, and deprecate_executable_meta_update_in_bpf_loader to deprecate executable flag update in bpf loader deprecate usage of executable in Account fix a test fix sbp bench fix sbf program tests add feature gate to account and borrowed account apis fix tests more test fixes
68cd6b9
to
d59193c
Compare
please DO NOT introduce multiple feature gates in the same pull request! |
Problem
Part of effort for #33970
We are deprecating executable meta flags on account. Instead of relying on executable flag on account to determine whether the account is executable, we are going to check the owner of the account and the loader's meta data in account data to determine whether the account is executable.
Summary of Changes
Feature Gate Issues:
SIMD
Fixes #