-
Notifications
You must be signed in to change notification settings - Fork 4.5k
Feature: Early verification of account modifications in BorrowedAccount
#25899
Feature: Early verification of account modifications in BorrowedAccount
#25899
Conversation
cb0f075
to
a263e52
Compare
I'm not too worried about rent_epoch anymore since accounts must be rent-exempt. We will either have to continue setting it for ABIv1, or maybe feature gate a deprecation of it which sets it to some acceptable value that is least likely to break existing programs. |
a263e52
to
c6c391b
Compare
BorrowedAccount
BorrowedAccount
Codecov Report
@@ Coverage Diff @@
## master #25899 +/- ##
=========================================
Coverage 81.9% 81.9%
=========================================
Files 631 633 +2
Lines 174252 175374 +1122
=========================================
+ Hits 142728 143798 +1070
- Misses 31524 31576 +52 |
2dda9ab
to
2e9d321
Compare
b6ed6c6
to
29a7ffb
Compare
29a7ffb
to
213376f
Compare
f9e4d01
to
5307666
Compare
…erialization, CPI syscall and program-test.
…in InstructionContext
…verification_of_account_modifications is enabled.
…ons into TransactionContext::new().
5307666
to
61a171d
Compare
I think I addressed all review comments, CI is passing, no merge conflicts ... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The accounts resize delta changes look good to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm. master piece pr. :)
…unt` (solana-labs#25899) * Adjusts test cases for stricter requirements. * Removes account reset in deserialization test. * Removes verify related test cases. * Replicates account modification verification logic of PreAccount in BorrowedAccount. * Adds TransactionContext::account_touched_flags. * Adds account modification verification to the BPF ABIv0 and ABIv1 deserialization, CPI syscall and program-test. * Replicates the total sum of all lamports verification of PreAccounts in InstructionContext * Check that the callers instruction balance is maintained during a call / push. * Replicates PreAccount statistics in TransactionContext. * Disable verify() and verify_and_update() if the feature enable_early_verification_of_account_modifications is enabled. * Moves Option<Rent> of enable_early_verification_of_account_modifications into TransactionContext::new(). * Relaxes AccountDataMeter related test cases. * Don't touch the account if nothing changes. * Adds two tests to trigger InstructionError::UnbalancedInstruction. Co-authored-by: Justin Starry <justin@solana.com>
Problem
This is a continuation of #25380.
Currently, for BPF programs the verification cost is:
AccountSharedData
to create or update thePreAccount
AccountSharedData
so we can compare it againstPreAccount
PreAccount
(this is skipped if the data is allowed to be modified)Assuming that copies and comparison incur a similar cost (as they both need to access two different pointers, polluting the data cache), we could reduce this cost by 50% up to 66% for every account in every ABIv0 and ABIv1 BPF program executed. Built-in programs would also profit, reducing their verification cost by almost 100%. In ABIv2 BPF programs will be like built-in programs in this regard.
Summary of Changes
This PR introduces the feature
enable_early_verification_of_account_modifications
which controls the switch from the current behavior to the following:Account modification errors are thrown earlier (hence the name of the feature). Specifically, they occur the moment they are attempted, not at the begin / end of instructions and CPI. The primary motivation is to get rid of
PreAccount
and all the redundant data copies and data comparisons that come with it. As a side effect, this should make debugging easier because we can get the call stack where the error occurs.Similarly to the deprecation of
PreAccount
,AccountsDataMeter
will also be deprecated and its functionality replicated insideTransactionContext
. This was necessary as theAccountsDataMeter
is currently updated and verified from withing thePreAccount
s.As a consequence, first corrupting (meta)data and then later correcting it into a valid state again won't fly anymore. Every change will have to be valid on its own. This however, does only apply to the runtime and built-in programs, not to BPF programs of ABIv0 and ABIv1 (all currently deployed programs) as they will continue to have their checks at the deserialization edge.
Failed attempted account modifications used to be counted as modifications, now they are not recorded as "touched" anymore. For BPF programs, all accounts which are modifiable however, will be counted as "touched" even if their data did not change.
All the explicit / dedicated account modification tests inside
InvokeContext
,PreAccount
andAccountsDataMeter
are disabled / become unreachable.The loader and built-in tests on the other hand, become stricter as they now have to adhere to all account modification rules.
Two tests to trigger
InstructionError::UnbalancedInstruction
(which was not covered before) were added.Feature Gate Issue: #26589