2022-12-22 00:58:06 -08:00
|
|
|
//! Data shared between program runtime and built-in programs as well as SBF programs.
|
2022-09-05 07:29:02 -07:00
|
|
|
#![deny(clippy::indexing_slicing)]
|
2021-12-27 09:49:32 -08:00
|
|
|
|
2023-01-09 15:54:26 -08:00
|
|
|
#[cfg(all(not(target_os = "solana"), debug_assertions))]
|
|
|
|
|
use crate::signature::Signature;
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
use {
|
|
|
|
|
crate::{
|
|
|
|
|
account::WritableAccount,
|
|
|
|
|
rent::Rent,
|
|
|
|
|
system_instruction::{
|
|
|
|
|
MAX_PERMITTED_ACCOUNTS_DATA_ALLOCATIONS_PER_TRANSACTION, MAX_PERMITTED_DATA_LENGTH,
|
|
|
|
|
},
|
2022-08-31 08:47:47 -07:00
|
|
|
},
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
solana_program::entrypoint::MAX_PERMITTED_DATA_INCREASE,
|
|
|
|
|
std::mem::MaybeUninit,
|
2022-08-31 08:47:47 -07:00
|
|
|
};
|
2022-02-18 21:32:29 -08:00
|
|
|
use {
|
|
|
|
|
crate::{
|
2022-08-31 08:47:47 -07:00
|
|
|
account::{AccountSharedData, ReadableAccount},
|
2022-02-18 21:32:29 -08:00
|
|
|
instruction::InstructionError,
|
|
|
|
|
pubkey::Pubkey,
|
|
|
|
|
},
|
|
|
|
|
std::{
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
cell::{Ref, RefCell, RefMut},
|
2022-02-18 21:32:29 -08:00
|
|
|
collections::HashSet,
|
|
|
|
|
pin::Pin,
|
2023-08-24 15:54:06 -07:00
|
|
|
rc::Rc,
|
2022-02-18 21:32:29 -08:00
|
|
|
},
|
2022-01-03 14:30:56 -08:00
|
|
|
};
|
2021-12-27 09:49:32 -08:00
|
|
|
|
2022-09-06 02:31:40 -07:00
|
|
|
/// Index of an account inside of the TransactionContext or an InstructionContext.
|
|
|
|
|
pub type IndexOfAccount = u16;
|
|
|
|
|
|
2022-05-24 15:04:46 -07:00
|
|
|
/// Contains account meta data which varies between instruction.
|
|
|
|
|
///
|
|
|
|
|
/// It also contains indices to other structures for faster lookup.
|
2022-10-11 12:59:58 -07:00
|
|
|
#[derive(Clone, Debug, Eq, PartialEq)]
|
2021-12-27 09:49:32 -08:00
|
|
|
pub struct InstructionAccount {
|
2022-05-24 15:04:46 -07:00
|
|
|
/// Points to the account and its key in the `TransactionContext`
|
2022-09-06 02:31:40 -07:00
|
|
|
pub index_in_transaction: IndexOfAccount,
|
2022-05-24 15:04:46 -07:00
|
|
|
/// Points to the first occurrence in the parent `InstructionContext`
|
|
|
|
|
///
|
2022-05-25 04:43:20 -07:00
|
|
|
/// This excludes the program accounts.
|
2022-09-06 02:31:40 -07:00
|
|
|
pub index_in_caller: IndexOfAccount,
|
2022-05-24 15:04:46 -07:00
|
|
|
/// Points to the first occurrence in the current `InstructionContext`
|
|
|
|
|
///
|
|
|
|
|
/// This excludes the program accounts.
|
2022-09-06 02:31:40 -07:00
|
|
|
pub index_in_callee: IndexOfAccount,
|
2022-05-24 15:04:46 -07:00
|
|
|
/// Is this account supposed to sign
|
2021-12-27 09:49:32 -08:00
|
|
|
pub is_signer: bool,
|
2022-05-24 15:04:46 -07:00
|
|
|
/// Is this account allowed to become writable
|
2021-12-27 09:49:32 -08:00
|
|
|
pub is_writable: bool,
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-05 07:29:02 -07:00
|
|
|
/// An account key and the matching account
|
|
|
|
|
pub type TransactionAccount = (Pubkey, AccountSharedData);
|
|
|
|
|
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
#[derive(Clone, Debug, PartialEq)]
|
|
|
|
|
pub struct TransactionAccounts {
|
|
|
|
|
accounts: Vec<RefCell<AccountSharedData>>,
|
|
|
|
|
touched_flags: RefCell<Box<[bool]>>,
|
|
|
|
|
is_early_verification_of_account_modifications_enabled: bool,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl TransactionAccounts {
|
|
|
|
|
#[cfg(not(target_os = "solana"))]
|
|
|
|
|
fn new(
|
|
|
|
|
accounts: Vec<RefCell<AccountSharedData>>,
|
|
|
|
|
is_early_verification_of_account_modifications_enabled: bool,
|
|
|
|
|
) -> TransactionAccounts {
|
|
|
|
|
TransactionAccounts {
|
|
|
|
|
touched_flags: RefCell::new(vec![false; accounts.len()].into_boxed_slice()),
|
|
|
|
|
accounts,
|
|
|
|
|
is_early_verification_of_account_modifications_enabled,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn len(&self) -> usize {
|
|
|
|
|
self.accounts.len()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn get(&self, index: IndexOfAccount) -> Option<&RefCell<AccountSharedData>> {
|
|
|
|
|
self.accounts.get(index as usize)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[cfg(not(target_os = "solana"))]
|
|
|
|
|
pub fn touch(&self, index: IndexOfAccount) -> Result<(), InstructionError> {
|
|
|
|
|
if self.is_early_verification_of_account_modifications_enabled {
|
|
|
|
|
*self
|
|
|
|
|
.touched_flags
|
|
|
|
|
.borrow_mut()
|
|
|
|
|
.get_mut(index as usize)
|
|
|
|
|
.ok_or(InstructionError::NotEnoughAccountKeys)? = true;
|
|
|
|
|
}
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[cfg(not(target_os = "solana"))]
|
|
|
|
|
pub fn touched_count(&self) -> usize {
|
|
|
|
|
self.touched_flags
|
|
|
|
|
.borrow()
|
|
|
|
|
.iter()
|
|
|
|
|
.fold(0usize, |accumulator, was_touched| {
|
|
|
|
|
accumulator.saturating_add(*was_touched as usize)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn try_borrow(
|
|
|
|
|
&self,
|
|
|
|
|
index: IndexOfAccount,
|
|
|
|
|
) -> Result<Ref<'_, AccountSharedData>, InstructionError> {
|
|
|
|
|
self.accounts
|
|
|
|
|
.get(index as usize)
|
|
|
|
|
.ok_or(InstructionError::MissingAccount)?
|
|
|
|
|
.try_borrow()
|
|
|
|
|
.map_err(|_| InstructionError::AccountBorrowFailed)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn try_borrow_mut(
|
|
|
|
|
&self,
|
|
|
|
|
index: IndexOfAccount,
|
|
|
|
|
) -> Result<RefMut<'_, AccountSharedData>, InstructionError> {
|
|
|
|
|
self.accounts
|
|
|
|
|
.get(index as usize)
|
|
|
|
|
.ok_or(InstructionError::MissingAccount)?
|
|
|
|
|
.try_borrow_mut()
|
|
|
|
|
.map_err(|_| InstructionError::AccountBorrowFailed)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn into_accounts(self) -> Vec<AccountSharedData> {
|
|
|
|
|
self.accounts
|
|
|
|
|
.into_iter()
|
|
|
|
|
.map(|account| account.into_inner())
|
|
|
|
|
.collect()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-27 09:49:32 -08:00
|
|
|
/// Loaded transaction shared between runtime and programs.
|
|
|
|
|
///
|
|
|
|
|
/// This context is valid for the entire duration of a transaction being processed.
|
2022-10-11 12:59:58 -07:00
|
|
|
#[derive(Debug, Clone, PartialEq)]
|
2021-12-27 09:49:32 -08:00
|
|
|
pub struct TransactionContext {
|
2022-01-03 14:30:56 -08:00
|
|
|
account_keys: Pin<Box<[Pubkey]>>,
|
2023-08-24 15:54:06 -07:00
|
|
|
accounts: Rc<TransactionAccounts>,
|
2022-09-26 01:47:16 -07:00
|
|
|
instruction_stack_capacity: usize,
|
|
|
|
|
instruction_trace_capacity: usize,
|
2022-02-09 11:04:49 -08:00
|
|
|
instruction_stack: Vec<usize>,
|
2022-08-20 02:20:47 -07:00
|
|
|
instruction_trace: Vec<InstructionContext>,
|
2022-03-22 15:17:05 -07:00
|
|
|
return_data: TransactionReturnData,
|
2022-07-15 00:31:34 -07:00
|
|
|
accounts_resize_delta: RefCell<i64>,
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-07-15 00:31:34 -07:00
|
|
|
rent: Option<Rent>,
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-08-29 11:30:48 -07:00
|
|
|
is_cap_accounts_data_allocations_per_transaction_enabled: bool,
|
2023-01-09 15:54:26 -08:00
|
|
|
/// Useful for debugging to filter by or to look it up on the explorer
|
|
|
|
|
#[cfg(all(not(target_os = "solana"), debug_assertions))]
|
|
|
|
|
signature: Signature,
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl TransactionContext {
|
|
|
|
|
/// Constructs a new TransactionContext
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2021-12-27 09:49:32 -08:00
|
|
|
pub fn new(
|
|
|
|
|
transaction_accounts: Vec<TransactionAccount>,
|
2022-07-15 00:31:34 -07:00
|
|
|
rent: Option<Rent>,
|
2022-09-26 01:47:16 -07:00
|
|
|
instruction_stack_capacity: usize,
|
|
|
|
|
instruction_trace_capacity: usize,
|
2021-12-27 09:49:32 -08:00
|
|
|
) -> Self {
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
let (account_keys, accounts): (Vec<_>, Vec<_>) = transaction_accounts
|
|
|
|
|
.into_iter()
|
|
|
|
|
.map(|(key, account)| (key, RefCell::new(account)))
|
|
|
|
|
.unzip();
|
2021-12-27 09:49:32 -08:00
|
|
|
Self {
|
2022-01-03 14:30:56 -08:00
|
|
|
account_keys: Pin::new(account_keys.into_boxed_slice()),
|
2023-08-24 15:54:06 -07:00
|
|
|
accounts: Rc::new(TransactionAccounts::new(accounts, rent.is_some())),
|
2022-09-26 01:47:16 -07:00
|
|
|
instruction_stack_capacity,
|
|
|
|
|
instruction_trace_capacity,
|
|
|
|
|
instruction_stack: Vec::with_capacity(instruction_stack_capacity),
|
2022-09-03 01:34:57 -07:00
|
|
|
instruction_trace: vec![InstructionContext::default()],
|
2022-03-22 15:17:05 -07:00
|
|
|
return_data: TransactionReturnData::default(),
|
2022-07-15 00:31:34 -07:00
|
|
|
accounts_resize_delta: RefCell::new(0),
|
|
|
|
|
rent,
|
2022-08-29 11:30:48 -07:00
|
|
|
is_cap_accounts_data_allocations_per_transaction_enabled: false,
|
2023-01-09 15:54:26 -08:00
|
|
|
#[cfg(all(not(target_os = "solana"), debug_assertions))]
|
|
|
|
|
signature: Signature::default(),
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Used in mock_process_instruction
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2021-12-27 09:49:32 -08:00
|
|
|
pub fn deconstruct_without_keys(self) -> Result<Vec<AccountSharedData>, InstructionError> {
|
2022-02-09 11:04:49 -08:00
|
|
|
if !self.instruction_stack.is_empty() {
|
2021-12-27 09:49:32 -08:00
|
|
|
return Err(InstructionError::CallDepth);
|
|
|
|
|
}
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
|
2023-08-24 15:54:06 -07:00
|
|
|
Ok(Rc::try_unwrap(self.accounts)
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
.expect("transaction_context.accounts has unexpected outstanding refs")
|
|
|
|
|
.into_accounts())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[cfg(not(target_os = "solana"))]
|
2023-08-24 15:54:06 -07:00
|
|
|
pub fn accounts(&self) -> &Rc<TransactionAccounts> {
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
&self.accounts
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
2022-07-15 00:31:34 -07:00
|
|
|
/// Returns true if `enable_early_verification_of_account_modifications` is active
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-07-15 00:31:34 -07:00
|
|
|
pub fn is_early_verification_of_account_modifications_enabled(&self) -> bool {
|
|
|
|
|
self.rent.is_some()
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-09 15:54:26 -08:00
|
|
|
/// Stores the signature of the current transaction
|
|
|
|
|
#[cfg(all(not(target_os = "solana"), debug_assertions))]
|
|
|
|
|
pub fn set_signature(&mut self, signature: &Signature) {
|
|
|
|
|
self.signature = *signature;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns the signature of the current transaction
|
|
|
|
|
#[cfg(all(not(target_os = "solana"), debug_assertions))]
|
|
|
|
|
pub fn get_signature(&self) -> &Signature {
|
|
|
|
|
&self.signature
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-27 09:49:32 -08:00
|
|
|
/// Returns the total number of accounts loaded in this Transaction
|
2022-09-06 02:31:40 -07:00
|
|
|
pub fn get_number_of_accounts(&self) -> IndexOfAccount {
|
|
|
|
|
self.accounts.len() as IndexOfAccount
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Searches for an account by its key
|
2022-02-03 02:34:51 -08:00
|
|
|
pub fn get_key_of_account_at_index(
|
|
|
|
|
&self,
|
2022-09-06 02:31:40 -07:00
|
|
|
index_in_transaction: IndexOfAccount,
|
2022-02-03 02:34:51 -08:00
|
|
|
) -> Result<&Pubkey, InstructionError> {
|
|
|
|
|
self.account_keys
|
2022-09-06 02:31:40 -07:00
|
|
|
.get(index_in_transaction as usize)
|
2022-02-03 02:34:51 -08:00
|
|
|
.ok_or(InstructionError::NotEnoughAccountKeys)
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Searches for an account by its key
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-02-03 02:34:51 -08:00
|
|
|
pub fn get_account_at_index(
|
|
|
|
|
&self,
|
2022-09-06 02:31:40 -07:00
|
|
|
index_in_transaction: IndexOfAccount,
|
2022-02-03 02:34:51 -08:00
|
|
|
) -> Result<&RefCell<AccountSharedData>, InstructionError> {
|
|
|
|
|
self.accounts
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
.get(index_in_transaction)
|
2022-02-03 02:34:51 -08:00
|
|
|
.ok_or(InstructionError::NotEnoughAccountKeys)
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Searches for an account by its key
|
2022-09-06 02:31:40 -07:00
|
|
|
pub fn find_index_of_account(&self, pubkey: &Pubkey) -> Option<IndexOfAccount> {
|
|
|
|
|
self.account_keys
|
|
|
|
|
.iter()
|
|
|
|
|
.position(|key| key == pubkey)
|
|
|
|
|
.map(|index| index as IndexOfAccount)
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Searches for a program account by its key
|
2022-09-06 02:31:40 -07:00
|
|
|
pub fn find_index_of_program_account(&self, pubkey: &Pubkey) -> Option<IndexOfAccount> {
|
|
|
|
|
self.account_keys
|
|
|
|
|
.iter()
|
|
|
|
|
.rposition(|key| key == pubkey)
|
|
|
|
|
.map(|index| index as IndexOfAccount)
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
2022-09-26 01:47:16 -07:00
|
|
|
/// Gets the max length of the InstructionContext trace
|
|
|
|
|
pub fn get_instruction_trace_capacity(&self) -> usize {
|
|
|
|
|
self.instruction_trace_capacity
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-03 01:34:57 -07:00
|
|
|
/// Returns the instruction trace length.
|
|
|
|
|
///
|
|
|
|
|
/// Not counting the last empty InstructionContext which is always pre-reserved for the next instruction.
|
|
|
|
|
/// See also `get_next_instruction_context()`.
|
2022-08-20 02:20:47 -07:00
|
|
|
pub fn get_instruction_trace_length(&self) -> usize {
|
2022-09-03 01:34:57 -07:00
|
|
|
self.instruction_trace.len().saturating_sub(1)
|
2022-08-20 02:20:47 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Gets an InstructionContext by its index in the trace
|
|
|
|
|
pub fn get_instruction_context_at_index_in_trace(
|
|
|
|
|
&self,
|
|
|
|
|
index_in_trace: usize,
|
|
|
|
|
) -> Result<&InstructionContext, InstructionError> {
|
|
|
|
|
self.instruction_trace
|
|
|
|
|
.get(index_in_trace)
|
|
|
|
|
.ok_or(InstructionError::CallDepth)
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-12 17:52:47 -07:00
|
|
|
/// Gets an InstructionContext by its nesting level in the stack
|
2022-08-20 02:20:47 -07:00
|
|
|
pub fn get_instruction_context_at_nesting_level(
|
2021-12-27 09:49:32 -08:00
|
|
|
&self,
|
2022-08-20 02:20:47 -07:00
|
|
|
nesting_level: usize,
|
2022-04-12 17:52:47 -07:00
|
|
|
) -> Result<&InstructionContext, InstructionError> {
|
2022-08-20 02:20:47 -07:00
|
|
|
let index_in_trace = *self
|
2022-02-09 11:04:49 -08:00
|
|
|
.instruction_stack
|
2022-08-20 02:20:47 -07:00
|
|
|
.get(nesting_level)
|
2022-02-09 11:04:49 -08:00
|
|
|
.ok_or(InstructionError::CallDepth)?;
|
2022-08-20 02:20:47 -07:00
|
|
|
let instruction_context = self.get_instruction_context_at_index_in_trace(index_in_trace)?;
|
|
|
|
|
debug_assert_eq!(instruction_context.nesting_level, nesting_level);
|
2022-02-09 11:04:49 -08:00
|
|
|
Ok(instruction_context)
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Gets the max height of the InstructionContext stack
|
2022-09-26 01:47:16 -07:00
|
|
|
pub fn get_instruction_stack_capacity(&self) -> usize {
|
|
|
|
|
self.instruction_stack_capacity
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
2022-02-02 16:45:57 -08:00
|
|
|
/// Gets instruction stack height, top-level instructions are height
|
|
|
|
|
/// `solana_sdk::instruction::TRANSACTION_LEVEL_STACK_HEIGHT`
|
2021-12-30 06:46:36 -08:00
|
|
|
pub fn get_instruction_context_stack_height(&self) -> usize {
|
2022-02-09 11:04:49 -08:00
|
|
|
self.instruction_stack.len()
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns the current InstructionContext
|
|
|
|
|
pub fn get_current_instruction_context(&self) -> Result<&InstructionContext, InstructionError> {
|
2021-12-30 06:46:36 -08:00
|
|
|
let level = self
|
2022-02-09 11:04:49 -08:00
|
|
|
.get_instruction_context_stack_height()
|
2021-12-30 06:46:36 -08:00
|
|
|
.checked_sub(1)
|
|
|
|
|
.ok_or(InstructionError::CallDepth)?;
|
2022-08-20 02:20:47 -07:00
|
|
|
self.get_instruction_context_at_nesting_level(level)
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
2022-09-03 01:34:57 -07:00
|
|
|
/// Returns the InstructionContext to configure for the next invocation.
|
|
|
|
|
///
|
|
|
|
|
/// The last InstructionContext is always empty and pre-reserved for the next instruction.
|
|
|
|
|
pub fn get_next_instruction_context(
|
2021-12-27 09:49:32 -08:00
|
|
|
&mut self,
|
2022-09-03 01:34:57 -07:00
|
|
|
) -> Result<&mut InstructionContext, InstructionError> {
|
|
|
|
|
self.instruction_trace
|
|
|
|
|
.last_mut()
|
|
|
|
|
.ok_or(InstructionError::CallDepth)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Pushes the next InstructionContext
|
|
|
|
|
#[cfg(not(target_os = "solana"))]
|
|
|
|
|
pub fn push(&mut self) -> Result<(), InstructionError> {
|
|
|
|
|
let nesting_level = self.get_instruction_context_stack_height();
|
|
|
|
|
let caller_instruction_context = self
|
|
|
|
|
.instruction_trace
|
|
|
|
|
.last()
|
|
|
|
|
.ok_or(InstructionError::CallDepth)?;
|
2022-09-05 07:29:02 -07:00
|
|
|
let callee_instruction_accounts_lamport_sum =
|
|
|
|
|
self.instruction_accounts_lamport_sum(caller_instruction_context)?;
|
2022-08-20 02:20:47 -07:00
|
|
|
if !self.instruction_stack.is_empty()
|
|
|
|
|
&& self.is_early_verification_of_account_modifications_enabled()
|
|
|
|
|
{
|
|
|
|
|
let caller_instruction_context = self.get_current_instruction_context()?;
|
|
|
|
|
let original_caller_instruction_accounts_lamport_sum =
|
|
|
|
|
caller_instruction_context.instruction_accounts_lamport_sum;
|
2022-09-05 07:29:02 -07:00
|
|
|
let current_caller_instruction_accounts_lamport_sum =
|
|
|
|
|
self.instruction_accounts_lamport_sum(caller_instruction_context)?;
|
2022-08-20 02:20:47 -07:00
|
|
|
if original_caller_instruction_accounts_lamport_sum
|
|
|
|
|
!= current_caller_instruction_accounts_lamport_sum
|
|
|
|
|
{
|
|
|
|
|
return Err(InstructionError::UnbalancedInstruction);
|
2022-07-15 00:31:34 -07:00
|
|
|
}
|
2022-08-20 02:20:47 -07:00
|
|
|
}
|
2022-09-03 01:34:57 -07:00
|
|
|
{
|
2023-07-13 10:14:33 -07:00
|
|
|
let instruction_context = self.get_next_instruction_context()?;
|
2022-09-03 01:34:57 -07:00
|
|
|
instruction_context.nesting_level = nesting_level;
|
|
|
|
|
instruction_context.instruction_accounts_lamport_sum =
|
|
|
|
|
callee_instruction_accounts_lamport_sum;
|
|
|
|
|
}
|
2022-09-05 07:29:02 -07:00
|
|
|
let index_in_trace = self.get_instruction_trace_length();
|
2022-09-26 01:47:16 -07:00
|
|
|
if index_in_trace >= self.instruction_trace_capacity {
|
|
|
|
|
return Err(InstructionError::MaxInstructionTraceLengthExceeded);
|
|
|
|
|
}
|
2022-09-03 01:34:57 -07:00
|
|
|
self.instruction_trace.push(InstructionContext::default());
|
2022-09-26 01:47:16 -07:00
|
|
|
if nesting_level >= self.instruction_stack_capacity {
|
2022-02-09 11:04:49 -08:00
|
|
|
return Err(InstructionError::CallDepth);
|
2022-01-19 13:40:09 -08:00
|
|
|
}
|
2022-02-09 11:04:49 -08:00
|
|
|
self.instruction_stack.push(index_in_trace);
|
2021-12-27 09:49:32 -08:00
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Pops the current InstructionContext
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2021-12-27 09:49:32 -08:00
|
|
|
pub fn pop(&mut self) -> Result<(), InstructionError> {
|
2022-02-09 11:04:49 -08:00
|
|
|
if self.instruction_stack.is_empty() {
|
2021-12-27 09:49:32 -08:00
|
|
|
return Err(InstructionError::CallDepth);
|
|
|
|
|
}
|
2022-07-15 00:31:34 -07:00
|
|
|
// Verify (before we pop) that the total sum of all lamports in this instruction did not change
|
2022-08-20 02:20:47 -07:00
|
|
|
let detected_an_unbalanced_instruction =
|
|
|
|
|
if self.is_early_verification_of_account_modifications_enabled() {
|
|
|
|
|
self.get_current_instruction_context()
|
|
|
|
|
.and_then(|instruction_context| {
|
|
|
|
|
// Verify all executable accounts have no outstanding refs
|
|
|
|
|
for account_index in instruction_context.program_accounts.iter() {
|
|
|
|
|
self.get_account_at_index(*account_index)?
|
|
|
|
|
.try_borrow_mut()
|
|
|
|
|
.map_err(|_| InstructionError::AccountBorrowOutstanding)?;
|
|
|
|
|
}
|
2022-09-05 07:29:02 -07:00
|
|
|
self.instruction_accounts_lamport_sum(instruction_context)
|
|
|
|
|
.map(|instruction_accounts_lamport_sum| {
|
|
|
|
|
instruction_context.instruction_accounts_lamport_sum
|
|
|
|
|
!= instruction_accounts_lamport_sum
|
|
|
|
|
})
|
2022-08-20 02:20:47 -07:00
|
|
|
})
|
|
|
|
|
} else {
|
|
|
|
|
Ok(false)
|
|
|
|
|
};
|
2022-07-15 00:31:34 -07:00
|
|
|
// Always pop, even if we `detected_an_unbalanced_instruction`
|
2022-02-09 11:04:49 -08:00
|
|
|
self.instruction_stack.pop();
|
2022-07-15 00:31:34 -07:00
|
|
|
if detected_an_unbalanced_instruction? {
|
|
|
|
|
Err(InstructionError::UnbalancedInstruction)
|
|
|
|
|
} else {
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Gets the return data of the current InstructionContext or any above
|
|
|
|
|
pub fn get_return_data(&self) -> (&Pubkey, &[u8]) {
|
2022-03-22 15:17:05 -07:00
|
|
|
(&self.return_data.program_id, &self.return_data.data)
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Set the return data of the current InstructionContext
|
2022-01-10 09:26:51 -08:00
|
|
|
pub fn set_return_data(
|
|
|
|
|
&mut self,
|
|
|
|
|
program_id: Pubkey,
|
|
|
|
|
data: Vec<u8>,
|
|
|
|
|
) -> Result<(), InstructionError> {
|
2022-03-22 15:17:05 -07:00
|
|
|
self.return_data = TransactionReturnData { program_id, data };
|
2021-12-27 09:49:32 -08:00
|
|
|
Ok(())
|
|
|
|
|
}
|
2022-01-19 13:40:09 -08:00
|
|
|
|
2022-07-15 00:31:34 -07:00
|
|
|
/// Calculates the sum of all lamports within an instruction
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-09-05 07:29:02 -07:00
|
|
|
fn instruction_accounts_lamport_sum(
|
|
|
|
|
&self,
|
|
|
|
|
instruction_context: &InstructionContext,
|
|
|
|
|
) -> Result<u128, InstructionError> {
|
2022-07-15 00:31:34 -07:00
|
|
|
if !self.is_early_verification_of_account_modifications_enabled() {
|
|
|
|
|
return Ok(0);
|
|
|
|
|
}
|
|
|
|
|
let mut instruction_accounts_lamport_sum: u128 = 0;
|
2022-09-05 07:29:02 -07:00
|
|
|
for instruction_account_index in 0..instruction_context.get_number_of_instruction_accounts()
|
|
|
|
|
{
|
|
|
|
|
if instruction_context
|
|
|
|
|
.is_instruction_account_duplicate(instruction_account_index)?
|
|
|
|
|
.is_some()
|
|
|
|
|
{
|
2022-07-15 00:31:34 -07:00
|
|
|
continue; // Skip duplicate account
|
|
|
|
|
}
|
2022-09-05 07:29:02 -07:00
|
|
|
let index_in_transaction = instruction_context
|
|
|
|
|
.get_index_of_instruction_account_in_transaction(instruction_account_index)?;
|
2022-07-15 00:31:34 -07:00
|
|
|
instruction_accounts_lamport_sum = (self
|
2022-09-05 07:29:02 -07:00
|
|
|
.get_account_at_index(index_in_transaction)?
|
2022-07-15 00:31:34 -07:00
|
|
|
.try_borrow()
|
|
|
|
|
.map_err(|_| InstructionError::AccountBorrowOutstanding)?
|
|
|
|
|
.lamports() as u128)
|
|
|
|
|
.checked_add(instruction_accounts_lamport_sum)
|
|
|
|
|
.ok_or(InstructionError::ArithmeticOverflow)?;
|
|
|
|
|
}
|
|
|
|
|
Ok(instruction_accounts_lamport_sum)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns the accounts resize delta
|
|
|
|
|
pub fn accounts_resize_delta(&self) -> Result<i64, InstructionError> {
|
|
|
|
|
self.accounts_resize_delta
|
|
|
|
|
.try_borrow()
|
|
|
|
|
.map_err(|_| InstructionError::GenericError)
|
|
|
|
|
.map(|value_ref| *value_ref)
|
|
|
|
|
}
|
2022-08-29 11:30:48 -07:00
|
|
|
|
|
|
|
|
/// Enables enforcing a maximum accounts data allocation size per transaction
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-08-29 11:30:48 -07:00
|
|
|
pub fn enable_cap_accounts_data_allocations_per_transaction(&mut self) {
|
|
|
|
|
self.is_cap_accounts_data_allocations_per_transaction_enabled = true;
|
|
|
|
|
}
|
2022-02-02 16:45:57 -08:00
|
|
|
}
|
|
|
|
|
|
2022-03-22 15:17:05 -07:00
|
|
|
/// Return data at the end of a transaction
|
2022-05-22 18:00:42 -07:00
|
|
|
#[derive(Clone, Debug, Default, Deserialize, PartialEq, Eq, Serialize)]
|
2022-03-22 15:17:05 -07:00
|
|
|
pub struct TransactionReturnData {
|
|
|
|
|
pub program_id: Pubkey,
|
|
|
|
|
pub data: Vec<u8>,
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-27 09:49:32 -08:00
|
|
|
/// Loaded instruction shared between runtime and programs.
|
|
|
|
|
///
|
|
|
|
|
/// This context is valid for the entire duration of a (possibly cross program) instruction being processed.
|
2022-10-11 12:59:58 -07:00
|
|
|
#[derive(Debug, Clone, Default, Eq, PartialEq)]
|
2021-12-27 09:49:32 -08:00
|
|
|
pub struct InstructionContext {
|
2022-02-09 11:04:49 -08:00
|
|
|
nesting_level: usize,
|
2022-07-15 00:31:34 -07:00
|
|
|
instruction_accounts_lamport_sum: u128,
|
2022-09-06 02:31:40 -07:00
|
|
|
program_accounts: Vec<IndexOfAccount>,
|
2021-12-30 06:46:36 -08:00
|
|
|
instruction_accounts: Vec<InstructionAccount>,
|
2021-12-27 09:49:32 -08:00
|
|
|
instruction_data: Vec<u8>,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl InstructionContext {
|
2022-09-03 01:34:57 -07:00
|
|
|
/// Used together with TransactionContext::get_next_instruction_context()
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-09-03 01:34:57 -07:00
|
|
|
pub fn configure(
|
|
|
|
|
&mut self,
|
2022-09-06 02:31:40 -07:00
|
|
|
program_accounts: &[IndexOfAccount],
|
2022-09-03 01:34:57 -07:00
|
|
|
instruction_accounts: &[InstructionAccount],
|
|
|
|
|
instruction_data: &[u8],
|
|
|
|
|
) {
|
|
|
|
|
self.program_accounts = program_accounts.to_vec();
|
|
|
|
|
self.instruction_accounts = instruction_accounts.to_vec();
|
|
|
|
|
self.instruction_data = instruction_data.to_vec();
|
2022-02-02 16:45:57 -08:00
|
|
|
}
|
|
|
|
|
|
2022-02-09 11:04:49 -08:00
|
|
|
/// How many Instructions were on the stack after this one was pushed
|
|
|
|
|
///
|
|
|
|
|
/// That is the number of nested parent Instructions plus one (itself).
|
|
|
|
|
pub fn get_stack_height(&self) -> usize {
|
|
|
|
|
self.nesting_level.saturating_add(1)
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-27 09:49:32 -08:00
|
|
|
/// Number of program accounts
|
2022-09-06 02:31:40 -07:00
|
|
|
pub fn get_number_of_program_accounts(&self) -> IndexOfAccount {
|
|
|
|
|
self.program_accounts.len() as IndexOfAccount
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Number of accounts in this Instruction (without program accounts)
|
2022-09-06 02:31:40 -07:00
|
|
|
pub fn get_number_of_instruction_accounts(&self) -> IndexOfAccount {
|
|
|
|
|
self.instruction_accounts.len() as IndexOfAccount
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
2022-02-18 17:06:33 -08:00
|
|
|
/// Assert that enough account were supplied to this Instruction
|
|
|
|
|
pub fn check_number_of_instruction_accounts(
|
|
|
|
|
&self,
|
2022-09-06 02:31:40 -07:00
|
|
|
expected_at_least: IndexOfAccount,
|
2022-02-18 17:06:33 -08:00
|
|
|
) -> Result<(), InstructionError> {
|
|
|
|
|
if self.get_number_of_instruction_accounts() < expected_at_least {
|
|
|
|
|
Err(InstructionError::NotEnoughAccountKeys)
|
|
|
|
|
} else {
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-27 09:49:32 -08:00
|
|
|
/// Data parameter for the programs `process_instruction` handler
|
|
|
|
|
pub fn get_instruction_data(&self) -> &[u8] {
|
|
|
|
|
&self.instruction_data
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-30 06:46:36 -08:00
|
|
|
/// Searches for a program account by its key
|
|
|
|
|
pub fn find_index_of_program_account(
|
|
|
|
|
&self,
|
|
|
|
|
transaction_context: &TransactionContext,
|
|
|
|
|
pubkey: &Pubkey,
|
2022-09-06 02:31:40 -07:00
|
|
|
) -> Option<IndexOfAccount> {
|
2021-12-30 06:46:36 -08:00
|
|
|
self.program_accounts
|
|
|
|
|
.iter()
|
|
|
|
|
.position(|index_in_transaction| {
|
2022-09-06 02:31:40 -07:00
|
|
|
transaction_context
|
|
|
|
|
.account_keys
|
|
|
|
|
.get(*index_in_transaction as usize)
|
|
|
|
|
== Some(pubkey)
|
2021-12-30 06:46:36 -08:00
|
|
|
})
|
2022-09-06 02:31:40 -07:00
|
|
|
.map(|index| index as IndexOfAccount)
|
2021-12-30 06:46:36 -08:00
|
|
|
}
|
|
|
|
|
|
2022-06-16 09:46:17 -07:00
|
|
|
/// Searches for an instruction account by its key
|
|
|
|
|
pub fn find_index_of_instruction_account(
|
2021-12-30 06:46:36 -08:00
|
|
|
&self,
|
|
|
|
|
transaction_context: &TransactionContext,
|
|
|
|
|
pubkey: &Pubkey,
|
2022-09-06 02:31:40 -07:00
|
|
|
) -> Option<IndexOfAccount> {
|
2021-12-30 06:46:36 -08:00
|
|
|
self.instruction_accounts
|
|
|
|
|
.iter()
|
|
|
|
|
.position(|instruction_account| {
|
2022-09-05 07:29:02 -07:00
|
|
|
transaction_context
|
|
|
|
|
.account_keys
|
2022-09-06 02:31:40 -07:00
|
|
|
.get(instruction_account.index_in_transaction as usize)
|
2022-09-05 07:29:02 -07:00
|
|
|
== Some(pubkey)
|
2021-12-30 06:46:36 -08:00
|
|
|
})
|
2022-09-06 02:31:40 -07:00
|
|
|
.map(|index| index as IndexOfAccount)
|
2021-12-30 06:46:36 -08:00
|
|
|
}
|
|
|
|
|
|
2022-06-16 09:46:17 -07:00
|
|
|
/// Translates the given instruction wide program_account_index into a transaction wide index
|
|
|
|
|
pub fn get_index_of_program_account_in_transaction(
|
2022-01-03 14:30:56 -08:00
|
|
|
&self,
|
2022-09-06 02:31:40 -07:00
|
|
|
program_account_index: IndexOfAccount,
|
|
|
|
|
) -> Result<IndexOfAccount, InstructionError> {
|
2022-06-16 09:46:17 -07:00
|
|
|
Ok(*self
|
|
|
|
|
.program_accounts
|
2022-09-06 02:31:40 -07:00
|
|
|
.get(program_account_index as usize)
|
2022-06-16 09:46:17 -07:00
|
|
|
.ok_or(InstructionError::NotEnoughAccountKeys)?)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Translates the given instruction wide instruction_account_index into a transaction wide index
|
|
|
|
|
pub fn get_index_of_instruction_account_in_transaction(
|
|
|
|
|
&self,
|
2022-09-06 02:31:40 -07:00
|
|
|
instruction_account_index: IndexOfAccount,
|
|
|
|
|
) -> Result<IndexOfAccount, InstructionError> {
|
2022-06-16 09:46:17 -07:00
|
|
|
Ok(self
|
|
|
|
|
.instruction_accounts
|
2022-09-06 02:31:40 -07:00
|
|
|
.get(instruction_account_index as usize)
|
2022-06-16 09:46:17 -07:00
|
|
|
.ok_or(InstructionError::NotEnoughAccountKeys)?
|
2022-09-06 02:31:40 -07:00
|
|
|
.index_in_transaction as IndexOfAccount)
|
2022-01-03 14:30:56 -08:00
|
|
|
}
|
|
|
|
|
|
2022-06-16 09:46:17 -07:00
|
|
|
/// Returns `Some(instruction_account_index)` if this is a duplicate
|
2022-05-24 15:04:46 -07:00
|
|
|
/// and `None` if it is the first account with this key
|
2022-06-16 09:46:17 -07:00
|
|
|
pub fn is_instruction_account_duplicate(
|
2022-05-24 15:04:46 -07:00
|
|
|
&self,
|
2022-09-06 02:31:40 -07:00
|
|
|
instruction_account_index: IndexOfAccount,
|
|
|
|
|
) -> Result<Option<IndexOfAccount>, InstructionError> {
|
2022-06-16 09:46:17 -07:00
|
|
|
let index_in_callee = self
|
|
|
|
|
.instruction_accounts
|
2022-09-06 02:31:40 -07:00
|
|
|
.get(instruction_account_index as usize)
|
2022-06-16 09:46:17 -07:00
|
|
|
.ok_or(InstructionError::NotEnoughAccountKeys)?
|
|
|
|
|
.index_in_callee;
|
|
|
|
|
Ok(if index_in_callee == instruction_account_index {
|
|
|
|
|
None
|
2022-05-24 15:04:46 -07:00
|
|
|
} else {
|
2022-06-16 09:46:17 -07:00
|
|
|
Some(index_in_callee)
|
|
|
|
|
})
|
2022-05-24 15:04:46 -07:00
|
|
|
}
|
|
|
|
|
|
2022-02-18 17:06:33 -08:00
|
|
|
/// Gets the key of the last program account of this Instruction
|
2022-06-16 09:46:17 -07:00
|
|
|
pub fn get_last_program_key<'a, 'b: 'a>(
|
2022-02-18 17:06:33 -08:00
|
|
|
&'a self,
|
|
|
|
|
transaction_context: &'b TransactionContext,
|
|
|
|
|
) -> Result<&'b Pubkey, InstructionError> {
|
2022-09-03 01:34:57 -07:00
|
|
|
self.get_index_of_program_account_in_transaction(
|
2022-09-05 07:29:02 -07:00
|
|
|
self.get_number_of_program_accounts().saturating_sub(1),
|
2022-09-03 01:34:57 -07:00
|
|
|
)
|
|
|
|
|
.and_then(|index_in_transaction| {
|
|
|
|
|
transaction_context.get_key_of_account_at_index(index_in_transaction)
|
|
|
|
|
})
|
2022-02-18 17:06:33 -08:00
|
|
|
}
|
|
|
|
|
|
2022-06-16 09:46:17 -07:00
|
|
|
fn try_borrow_account<'a, 'b: 'a>(
|
2021-12-27 09:49:32 -08:00
|
|
|
&'a self,
|
|
|
|
|
transaction_context: &'b TransactionContext,
|
2022-09-06 02:31:40 -07:00
|
|
|
index_in_transaction: IndexOfAccount,
|
|
|
|
|
index_in_instruction: IndexOfAccount,
|
2021-12-27 09:49:32 -08:00
|
|
|
) -> Result<BorrowedAccount<'a>, InstructionError> {
|
2022-06-16 09:46:17 -07:00
|
|
|
let account = transaction_context
|
|
|
|
|
.accounts
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
.get(index_in_transaction)
|
2022-06-16 09:46:17 -07:00
|
|
|
.ok_or(InstructionError::MissingAccount)?
|
2021-12-27 09:49:32 -08:00
|
|
|
.try_borrow_mut()
|
|
|
|
|
.map_err(|_| InstructionError::AccountBorrowFailed)?;
|
|
|
|
|
Ok(BorrowedAccount {
|
|
|
|
|
transaction_context,
|
|
|
|
|
instruction_context: self,
|
|
|
|
|
index_in_transaction,
|
|
|
|
|
index_in_instruction,
|
|
|
|
|
account,
|
|
|
|
|
})
|
|
|
|
|
}
|
2021-12-30 06:46:36 -08:00
|
|
|
|
2022-01-05 00:39:37 -08:00
|
|
|
/// Gets the last program account of this Instruction
|
2022-06-16 09:46:17 -07:00
|
|
|
pub fn try_borrow_last_program_account<'a, 'b: 'a>(
|
|
|
|
|
&'a self,
|
|
|
|
|
transaction_context: &'b TransactionContext,
|
|
|
|
|
) -> Result<BorrowedAccount<'a>, InstructionError> {
|
|
|
|
|
let result = self.try_borrow_program_account(
|
|
|
|
|
transaction_context,
|
2022-09-05 07:29:02 -07:00
|
|
|
self.get_number_of_program_accounts().saturating_sub(1),
|
2022-06-16 09:46:17 -07:00
|
|
|
);
|
|
|
|
|
debug_assert!(result.is_ok());
|
|
|
|
|
result
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Tries to borrow a program account from this Instruction
|
2021-12-30 06:46:36 -08:00
|
|
|
pub fn try_borrow_program_account<'a, 'b: 'a>(
|
|
|
|
|
&'a self,
|
|
|
|
|
transaction_context: &'b TransactionContext,
|
2022-09-06 02:31:40 -07:00
|
|
|
program_account_index: IndexOfAccount,
|
2021-12-30 06:46:36 -08:00
|
|
|
) -> Result<BorrowedAccount<'a>, InstructionError> {
|
2022-06-16 09:46:17 -07:00
|
|
|
let index_in_transaction =
|
|
|
|
|
self.get_index_of_program_account_in_transaction(program_account_index)?;
|
2021-12-30 06:46:36 -08:00
|
|
|
self.try_borrow_account(
|
|
|
|
|
transaction_context,
|
2022-06-16 09:46:17 -07:00
|
|
|
index_in_transaction,
|
|
|
|
|
program_account_index,
|
2021-12-30 06:46:36 -08:00
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-05 00:39:37 -08:00
|
|
|
/// Gets an instruction account of this Instruction
|
2021-12-30 06:46:36 -08:00
|
|
|
pub fn try_borrow_instruction_account<'a, 'b: 'a>(
|
|
|
|
|
&'a self,
|
|
|
|
|
transaction_context: &'b TransactionContext,
|
2022-09-06 02:31:40 -07:00
|
|
|
instruction_account_index: IndexOfAccount,
|
2021-12-30 06:46:36 -08:00
|
|
|
) -> Result<BorrowedAccount<'a>, InstructionError> {
|
2022-06-16 09:46:17 -07:00
|
|
|
let index_in_transaction =
|
|
|
|
|
self.get_index_of_instruction_account_in_transaction(instruction_account_index)?;
|
2021-12-30 06:46:36 -08:00
|
|
|
self.try_borrow_account(
|
|
|
|
|
transaction_context,
|
2022-06-16 09:46:17 -07:00
|
|
|
index_in_transaction,
|
2022-09-05 07:29:02 -07:00
|
|
|
self.get_number_of_program_accounts()
|
2022-02-18 17:06:33 -08:00
|
|
|
.saturating_add(instruction_account_index),
|
2021-12-30 06:46:36 -08:00
|
|
|
)
|
|
|
|
|
}
|
2022-01-05 00:39:37 -08:00
|
|
|
|
2022-06-16 09:46:17 -07:00
|
|
|
/// Returns whether an instruction account is a signer
|
|
|
|
|
pub fn is_instruction_account_signer(
|
|
|
|
|
&self,
|
2022-09-06 02:31:40 -07:00
|
|
|
instruction_account_index: IndexOfAccount,
|
2022-06-16 09:46:17 -07:00
|
|
|
) -> Result<bool, InstructionError> {
|
|
|
|
|
Ok(self
|
|
|
|
|
.instruction_accounts
|
2022-09-06 02:31:40 -07:00
|
|
|
.get(instruction_account_index as usize)
|
2022-06-16 09:46:17 -07:00
|
|
|
.ok_or(InstructionError::MissingAccount)?
|
|
|
|
|
.is_signer)
|
2022-02-02 16:45:57 -08:00
|
|
|
}
|
|
|
|
|
|
2022-06-16 09:46:17 -07:00
|
|
|
/// Returns whether an instruction account is writable
|
|
|
|
|
pub fn is_instruction_account_writable(
|
|
|
|
|
&self,
|
2022-09-06 02:31:40 -07:00
|
|
|
instruction_account_index: IndexOfAccount,
|
2022-06-16 09:46:17 -07:00
|
|
|
) -> Result<bool, InstructionError> {
|
|
|
|
|
Ok(self
|
|
|
|
|
.instruction_accounts
|
2022-09-06 02:31:40 -07:00
|
|
|
.get(instruction_account_index as usize)
|
2022-06-16 09:46:17 -07:00
|
|
|
.ok_or(InstructionError::MissingAccount)?
|
|
|
|
|
.is_writable)
|
2022-02-03 08:19:42 -08:00
|
|
|
}
|
|
|
|
|
|
2022-06-16 09:46:17 -07:00
|
|
|
/// Calculates the set of all keys of signer instruction accounts in this Instruction
|
2022-09-05 07:29:02 -07:00
|
|
|
pub fn get_signers(
|
|
|
|
|
&self,
|
|
|
|
|
transaction_context: &TransactionContext,
|
|
|
|
|
) -> Result<HashSet<Pubkey>, InstructionError> {
|
2022-02-03 08:19:42 -08:00
|
|
|
let mut result = HashSet::new();
|
|
|
|
|
for instruction_account in self.instruction_accounts.iter() {
|
|
|
|
|
if instruction_account.is_signer {
|
|
|
|
|
result.insert(
|
2022-09-05 07:29:02 -07:00
|
|
|
*transaction_context
|
|
|
|
|
.get_key_of_account_at_index(instruction_account.index_in_transaction)?,
|
2022-02-03 08:19:42 -08:00
|
|
|
);
|
|
|
|
|
}
|
2022-02-02 16:45:57 -08:00
|
|
|
}
|
2022-09-05 07:29:02 -07:00
|
|
|
Ok(result)
|
2022-02-02 16:45:57 -08:00
|
|
|
}
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Shared account borrowed from the TransactionContext and an InstructionContext.
|
2021-12-30 06:46:36 -08:00
|
|
|
#[derive(Debug)]
|
2021-12-27 09:49:32 -08:00
|
|
|
pub struct BorrowedAccount<'a> {
|
|
|
|
|
transaction_context: &'a TransactionContext,
|
|
|
|
|
instruction_context: &'a InstructionContext,
|
2022-09-06 02:31:40 -07:00
|
|
|
index_in_transaction: IndexOfAccount,
|
|
|
|
|
index_in_instruction: IndexOfAccount,
|
2021-12-27 09:49:32 -08:00
|
|
|
account: RefMut<'a, AccountSharedData>,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl<'a> BorrowedAccount<'a> {
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
/// Returns the transaction context
|
|
|
|
|
pub fn transaction_context(&self) -> &TransactionContext {
|
|
|
|
|
self.transaction_context
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-30 06:46:36 -08:00
|
|
|
/// Returns the index of this account (transaction wide)
|
2022-10-06 23:45:05 -07:00
|
|
|
#[inline]
|
2022-09-06 02:31:40 -07:00
|
|
|
pub fn get_index_in_transaction(&self) -> IndexOfAccount {
|
2021-12-30 06:46:36 -08:00
|
|
|
self.index_in_transaction
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-27 09:49:32 -08:00
|
|
|
/// Returns the public key of this account (transaction wide)
|
2022-10-06 23:45:05 -07:00
|
|
|
#[inline]
|
2021-12-27 09:49:32 -08:00
|
|
|
pub fn get_key(&self) -> &Pubkey {
|
2022-09-05 07:29:02 -07:00
|
|
|
self.transaction_context
|
|
|
|
|
.get_key_of_account_at_index(self.index_in_transaction)
|
|
|
|
|
.unwrap()
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns the owner of this account (transaction wide)
|
2022-10-06 23:45:05 -07:00
|
|
|
#[inline]
|
2021-12-27 09:49:32 -08:00
|
|
|
pub fn get_owner(&self) -> &Pubkey {
|
|
|
|
|
self.account.owner()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Assignes the owner of this account (transaction wide)
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-05-21 08:47:09 -07:00
|
|
|
pub fn set_owner(&mut self, pubkey: &[u8]) -> Result<(), InstructionError> {
|
2022-07-15 00:31:34 -07:00
|
|
|
if self
|
|
|
|
|
.transaction_context
|
|
|
|
|
.is_early_verification_of_account_modifications_enabled()
|
|
|
|
|
{
|
|
|
|
|
// Only the owner can assign a new owner
|
|
|
|
|
if !self.is_owned_by_current_program() {
|
|
|
|
|
return Err(InstructionError::ModifiedProgramId);
|
|
|
|
|
}
|
|
|
|
|
// and only if the account is writable
|
|
|
|
|
if !self.is_writable() {
|
|
|
|
|
return Err(InstructionError::ModifiedProgramId);
|
|
|
|
|
}
|
|
|
|
|
// and only if the account is not executable
|
|
|
|
|
if self.is_executable() {
|
|
|
|
|
return Err(InstructionError::ModifiedProgramId);
|
|
|
|
|
}
|
|
|
|
|
// and only if the data is zero-initialized or empty
|
|
|
|
|
if !is_zeroed(self.get_data()) {
|
|
|
|
|
return Err(InstructionError::ModifiedProgramId);
|
|
|
|
|
}
|
|
|
|
|
// don't touch the account if the owner does not change
|
|
|
|
|
if self.get_owner().to_bytes() == pubkey {
|
|
|
|
|
return Ok(());
|
|
|
|
|
}
|
|
|
|
|
self.touch()?;
|
|
|
|
|
}
|
2022-01-03 14:30:56 -08:00
|
|
|
self.account.copy_into_owner_from_slice(pubkey);
|
2022-05-21 08:47:09 -07:00
|
|
|
Ok(())
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns the number of lamports of this account (transaction wide)
|
2022-10-06 23:45:05 -07:00
|
|
|
#[inline]
|
2021-12-27 09:49:32 -08:00
|
|
|
pub fn get_lamports(&self) -> u64 {
|
|
|
|
|
self.account.lamports()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Overwrites the number of lamports of this account (transaction wide)
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-05-21 08:47:09 -07:00
|
|
|
pub fn set_lamports(&mut self, lamports: u64) -> Result<(), InstructionError> {
|
2022-07-15 00:31:34 -07:00
|
|
|
if self
|
|
|
|
|
.transaction_context
|
|
|
|
|
.is_early_verification_of_account_modifications_enabled()
|
|
|
|
|
{
|
|
|
|
|
// An account not owned by the program cannot have its balance decrease
|
|
|
|
|
if !self.is_owned_by_current_program() && lamports < self.get_lamports() {
|
|
|
|
|
return Err(InstructionError::ExternalAccountLamportSpend);
|
|
|
|
|
}
|
|
|
|
|
// The balance of read-only may not change
|
|
|
|
|
if !self.is_writable() {
|
|
|
|
|
return Err(InstructionError::ReadonlyLamportChange);
|
|
|
|
|
}
|
|
|
|
|
// The balance of executable accounts may not change
|
|
|
|
|
if self.is_executable() {
|
|
|
|
|
return Err(InstructionError::ExecutableLamportChange);
|
|
|
|
|
}
|
|
|
|
|
// don't touch the account if the lamports do not change
|
|
|
|
|
if self.get_lamports() == lamports {
|
|
|
|
|
return Ok(());
|
|
|
|
|
}
|
|
|
|
|
self.touch()?;
|
|
|
|
|
}
|
2021-12-27 09:49:32 -08:00
|
|
|
self.account.set_lamports(lamports);
|
2022-05-21 08:47:09 -07:00
|
|
|
Ok(())
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
2021-12-30 06:46:36 -08:00
|
|
|
/// Adds lamports to this account (transaction wide)
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2021-12-30 06:46:36 -08:00
|
|
|
pub fn checked_add_lamports(&mut self, lamports: u64) -> Result<(), InstructionError> {
|
|
|
|
|
self.set_lamports(
|
|
|
|
|
self.get_lamports()
|
|
|
|
|
.checked_add(lamports)
|
2022-06-28 01:04:54 -07:00
|
|
|
.ok_or(InstructionError::ArithmeticOverflow)?,
|
2022-05-21 08:47:09 -07:00
|
|
|
)
|
2021-12-30 06:46:36 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Subtracts lamports from this account (transaction wide)
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2021-12-30 06:46:36 -08:00
|
|
|
pub fn checked_sub_lamports(&mut self, lamports: u64) -> Result<(), InstructionError> {
|
|
|
|
|
self.set_lamports(
|
|
|
|
|
self.get_lamports()
|
|
|
|
|
.checked_sub(lamports)
|
2022-06-28 01:04:54 -07:00
|
|
|
.ok_or(InstructionError::ArithmeticOverflow)?,
|
2022-05-21 08:47:09 -07:00
|
|
|
)
|
2022-01-05 00:39:37 -08:00
|
|
|
}
|
|
|
|
|
|
2021-12-27 09:49:32 -08:00
|
|
|
/// Returns a read-only slice of the account data (transaction wide)
|
2022-10-06 23:45:05 -07:00
|
|
|
#[inline]
|
2021-12-27 09:49:32 -08:00
|
|
|
pub fn get_data(&self) -> &[u8] {
|
|
|
|
|
self.account.data()
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-03 08:19:42 -08:00
|
|
|
/// Returns a writable slice of the account data (transaction wide)
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-05-21 08:47:09 -07:00
|
|
|
pub fn get_data_mut(&mut self) -> Result<&mut [u8], InstructionError> {
|
2022-07-15 00:31:34 -07:00
|
|
|
self.can_data_be_changed()?;
|
|
|
|
|
self.touch()?;
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
self.make_data_mut();
|
2022-05-21 08:47:09 -07:00
|
|
|
Ok(self.account.data_as_mut_slice())
|
2022-02-03 08:19:42 -08:00
|
|
|
}
|
|
|
|
|
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
/// Returns the spare capacity of the vector backing the account data.
|
|
|
|
|
///
|
|
|
|
|
/// This method should only ever be used during CPI, where after a shrinking
|
|
|
|
|
/// realloc we want to zero the spare capacity.
|
|
|
|
|
#[cfg(not(target_os = "solana"))]
|
|
|
|
|
pub fn spare_data_capacity_mut(&mut self) -> Result<&mut [MaybeUninit<u8>], InstructionError> {
|
|
|
|
|
debug_assert!(!self.account.is_shared());
|
|
|
|
|
Ok(self.account.spare_data_capacity_mut())
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-23 17:37:02 -07:00
|
|
|
/// Overwrites the account data and size (transaction wide).
|
|
|
|
|
///
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
/// You should always prefer set_data_from_slice(). Calling this method is
|
|
|
|
|
/// currently safe but requires some special casing during CPI when direct
|
|
|
|
|
/// account mapping is enabled.
|
2023-07-13 06:44:08 -07:00
|
|
|
#[cfg(all(
|
|
|
|
|
not(target_os = "solana"),
|
|
|
|
|
any(test, feature = "dev-context-only-utils")
|
|
|
|
|
))]
|
2022-09-23 17:37:02 -07:00
|
|
|
pub fn set_data(&mut self, data: Vec<u8>) -> Result<(), InstructionError> {
|
2022-07-15 00:31:34 -07:00
|
|
|
self.can_data_be_resized(data.len())?;
|
|
|
|
|
self.can_data_be_changed()?;
|
|
|
|
|
self.touch()?;
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
|
2022-09-23 17:37:02 -07:00
|
|
|
self.update_accounts_resize_delta(data.len())?;
|
|
|
|
|
self.account.set_data(data);
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Overwrites the account data and size (transaction wide).
|
|
|
|
|
///
|
|
|
|
|
/// Call this when you have a slice of data you do not own and want to
|
|
|
|
|
/// replace the account data with it.
|
|
|
|
|
#[cfg(not(target_os = "solana"))]
|
|
|
|
|
pub fn set_data_from_slice(&mut self, data: &[u8]) -> Result<(), InstructionError> {
|
|
|
|
|
self.can_data_be_resized(data.len())?;
|
|
|
|
|
self.can_data_be_changed()?;
|
|
|
|
|
self.touch()?;
|
|
|
|
|
self.update_accounts_resize_delta(data.len())?;
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
// Calling make_data_mut() here guarantees that set_data_from_slice()
|
|
|
|
|
// copies in places, extending the account capacity if necessary but
|
|
|
|
|
// never reducing it. This is required as the account migh be directly
|
|
|
|
|
// mapped into a MemoryRegion, and therefore reducing capacity would
|
|
|
|
|
// leave a hole in the vm address space. After CPI or upon program
|
|
|
|
|
// termination, the runtime will zero the extra capacity.
|
|
|
|
|
self.make_data_mut();
|
2022-09-23 17:37:02 -07:00
|
|
|
self.account.set_data_from_slice(data);
|
|
|
|
|
|
2022-05-21 08:47:09 -07:00
|
|
|
Ok(())
|
2021-12-30 06:46:36 -08:00
|
|
|
}
|
|
|
|
|
|
2022-02-03 08:19:42 -08:00
|
|
|
/// Resizes the account data (transaction wide)
|
|
|
|
|
///
|
|
|
|
|
/// Fills it with zeros at the end if is extended or truncates at the end otherwise.
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-07-06 10:27:42 -07:00
|
|
|
pub fn set_data_length(&mut self, new_length: usize) -> Result<(), InstructionError> {
|
2022-07-15 00:31:34 -07:00
|
|
|
self.can_data_be_resized(new_length)?;
|
|
|
|
|
self.can_data_be_changed()?;
|
|
|
|
|
// don't touch the account if the length does not change
|
|
|
|
|
if self.get_data().len() == new_length {
|
|
|
|
|
return Ok(());
|
|
|
|
|
}
|
|
|
|
|
self.touch()?;
|
2022-09-23 17:37:02 -07:00
|
|
|
self.update_accounts_resize_delta(new_length)?;
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
self.account.resize(new_length, 0);
|
2022-05-21 08:47:09 -07:00
|
|
|
Ok(())
|
2022-02-03 08:19:42 -08:00
|
|
|
}
|
2022-01-03 14:30:56 -08:00
|
|
|
|
2022-09-23 17:37:02 -07:00
|
|
|
/// Appends all elements in a slice to the account
|
|
|
|
|
#[cfg(not(target_os = "solana"))]
|
|
|
|
|
pub fn extend_from_slice(&mut self, data: &[u8]) -> Result<(), InstructionError> {
|
|
|
|
|
let new_len = self.get_data().len().saturating_add(data.len());
|
|
|
|
|
self.can_data_be_resized(new_len)?;
|
|
|
|
|
self.can_data_be_changed()?;
|
|
|
|
|
|
|
|
|
|
if data.is_empty() {
|
|
|
|
|
return Ok(());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
self.touch()?;
|
|
|
|
|
self.update_accounts_resize_delta(new_len)?;
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
// Even if extend_from_slice never reduces capacity, still realloc using
|
|
|
|
|
// make_data_mut() if necessary so that we grow the account of the full
|
|
|
|
|
// max realloc length in one go, avoiding smaller reallocations.
|
|
|
|
|
self.make_data_mut();
|
|
|
|
|
self.account.extend_from_slice(data);
|
2022-09-23 17:37:02 -07:00
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
/// Reserves capacity for at least additional more elements to be inserted
|
|
|
|
|
/// in the given account. Does nothing if capacity is already sufficient.
|
|
|
|
|
#[cfg(not(target_os = "solana"))]
|
|
|
|
|
pub fn reserve(&mut self, additional: usize) -> Result<(), InstructionError> {
|
2023-07-28 00:10:43 -07:00
|
|
|
// Note that we don't need to call can_data_be_changed() here nor
|
|
|
|
|
// touch() the account. reserve() only changes the capacity of the
|
|
|
|
|
// memory that holds the account but it doesn't actually change content
|
|
|
|
|
// nor length of the account.
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
self.make_data_mut();
|
|
|
|
|
self.account.reserve(additional);
|
|
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns the number of bytes the account can hold without reallocating.
|
|
|
|
|
#[cfg(not(target_os = "solana"))]
|
|
|
|
|
pub fn capacity(&self) -> usize {
|
|
|
|
|
self.account.capacity()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns whether the underlying AccountSharedData is shared.
|
|
|
|
|
///
|
|
|
|
|
/// The data is shared if the account has been loaded from the accounts database and has never
|
|
|
|
|
/// been written to. Writing to an account unshares it.
|
|
|
|
|
///
|
|
|
|
|
/// During account serialization, if an account is shared it'll get mapped as CoW, else it'll
|
|
|
|
|
/// get mapped directly as writable.
|
|
|
|
|
#[cfg(not(target_os = "solana"))]
|
|
|
|
|
pub fn is_shared(&self) -> bool {
|
|
|
|
|
self.account.is_shared()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[cfg(not(target_os = "solana"))]
|
|
|
|
|
fn make_data_mut(&mut self) {
|
|
|
|
|
// if the account is still shared, it means this is the first time we're
|
|
|
|
|
// about to write into it. Make the account mutable by copying it in a
|
|
|
|
|
// buffer with MAX_PERMITTED_DATA_INCREASE capacity so that if the
|
|
|
|
|
// transaction reallocs, we don't have to copy the whole account data a
|
|
|
|
|
// second time to fullfill the realloc.
|
|
|
|
|
//
|
direct mapping: misc fixes (#32649)
* transaction_context: update make_data_mut comment
* bpf_loader: cpi: pass SerializeAccountMetadata to CallerAccount::from*
We now have a way to provide CallerAccount with trusted values coming
from our internal serialization code and not from untrusted vm space
* bpf_loader: direct_mapping: enforce account info pointers to be immutable
When direct mapping is enabled, we might need to update account data
memory regions across CPI calls. Since the only way we have to retrieve
the regions is based on their vm addresses, we enforce vm addresses to
be stable. Accounts can still be mutated and resized of course, but it
must be done in place.
This also locks all other AccountInfo pointers, since there's no legitimate
reason to make them point to anything else.
* bpf_loader: cpi: access ref_to_len_in_vm through VmValue
Direct mapping needs to translate vm values at each access since
permissions of the underlying memory might have changed.
* direct mapping: improve memory permission tracking across CPI calls
Ensure that the data and realloc regions of an account always track the
account's permissions. In order to do this, we also need to split
realloc regions in their own self contained regions, where before we
had:
[account fields][account data][account realloc + more account fields + next account fields][next account data][...]
we now have:
[account fields][account data][account realloc][more account fields + next account fields][next account data][...]
Tested in TEST_[FORBID|ALLOW]_WRITE_AFTER_OWNERSHIP_CHANGE*
Additionally when direct mapping is on, we must update all perms at once before
doing account data updates. Otherwise, updating an account might write into
another account whose perms we haven't updated yet. Tested in
TEST_FORBID_LEN_UPDATE_AFTER_OWNERSHIP_CHANGE.
* bpf_loader: serialization: address review comment don't return vm_addr from push_account_region
* bpf_loader: rename push_account_region to push_account_data_region
* cpi: fix slow edge case zeroing extra account capacity after shrinking an account
When returning from CPI we need to zero all the account memory up to the
original length only if we know we're potentially dealing with uninitialized
memory.
When we know that the spare capacity has deterministic content, we only need to
zero new_len..prev_len.
This fixes a slow edge case that was triggerable by the following scenario:
- load a large account (say 10MB) into the vm
- shrink to 10 bytes - would memset 10..10MB
- shrink to 9 bytes - would memset 9..10MB
- shrink to 8 bytes - would memset 8..10MB
- ...
Now instead in the scenario above the following will happen:
- load a large account (say 10MB) into the vm
- shrink to 10 bytes - memsets 10..10MB
- shrink to 9 bytes - memsets 9..10
- shrink to 8 bytes - memset 8..9
- ...
* bpf_loader: add account_data_region_memory_state helper
Shared between serialization and CPI to figure out the MemoryState of an
account.
* cpi: direct_mapping: error out if ref_to_len_in_vm points to account memory
If ref_to_len_in_vm is allowed to be in account memory, calles could mutate it,
essentially letting callees directly mutate callers memory.
* bpf_loader: direct_mapping: map AccessViolation -> InstructionError
Return the proper ReadonlyDataModified / ExecutableDataModified /
ExternalAccountDataModified depending on where the violation occurs
* bpf_loader: cpi: remove unnecessary infallible slice::get call
2023-08-30 02:57:24 -07:00
|
|
|
// NOTE: The account memory region CoW code in bpf_loader::create_vm() implements the same
|
|
|
|
|
// logic and must be kept in sync.
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
if self.account.is_shared() {
|
|
|
|
|
self.account.reserve(MAX_PERMITTED_DATA_INCREASE);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-30 06:46:36 -08:00
|
|
|
/// Deserializes the account data into a state
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2021-12-30 06:46:36 -08:00
|
|
|
pub fn get_state<T: serde::de::DeserializeOwned>(&self) -> Result<T, InstructionError> {
|
|
|
|
|
self.account
|
|
|
|
|
.deserialize_data()
|
|
|
|
|
.map_err(|_| InstructionError::InvalidAccountData)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Serializes a state into the account data
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2021-12-30 06:46:36 -08:00
|
|
|
pub fn set_state<T: serde::Serialize>(&mut self, state: &T) -> Result<(), InstructionError> {
|
2022-07-15 00:31:34 -07:00
|
|
|
let data = self.get_data_mut()?;
|
2021-12-30 06:46:36 -08:00
|
|
|
let serialized_size =
|
|
|
|
|
bincode::serialized_size(state).map_err(|_| InstructionError::GenericError)?;
|
|
|
|
|
if serialized_size > data.len() as u64 {
|
|
|
|
|
return Err(InstructionError::AccountDataTooSmall);
|
|
|
|
|
}
|
2022-01-03 14:30:56 -08:00
|
|
|
bincode::serialize_into(&mut *data, state).map_err(|_| InstructionError::GenericError)?;
|
2022-02-03 08:19:42 -08:00
|
|
|
Ok(())
|
2021-12-30 06:46:36 -08:00
|
|
|
}
|
|
|
|
|
|
2023-04-18 20:27:38 -07:00
|
|
|
// Returns whether or the lamports currently in the account is sufficient for rent exemption should the
|
|
|
|
|
// data be resized to the given size
|
|
|
|
|
#[cfg(not(target_os = "solana"))]
|
|
|
|
|
pub fn is_rent_exempt_at_data_length(&self, data_length: usize) -> bool {
|
|
|
|
|
self.transaction_context
|
|
|
|
|
.rent
|
|
|
|
|
.unwrap_or_default()
|
|
|
|
|
.is_exempt(self.get_lamports(), data_length)
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-27 09:49:32 -08:00
|
|
|
/// Returns whether this account is executable (transaction wide)
|
2022-10-06 23:45:05 -07:00
|
|
|
#[inline]
|
2021-12-27 09:49:32 -08:00
|
|
|
pub fn is_executable(&self) -> bool {
|
|
|
|
|
self.account.executable()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Configures whether this account is executable (transaction wide)
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-05-21 08:47:09 -07:00
|
|
|
pub fn set_executable(&mut self, is_executable: bool) -> Result<(), InstructionError> {
|
2022-07-15 00:31:34 -07:00
|
|
|
if let Some(rent) = self.transaction_context.rent {
|
|
|
|
|
// To become executable an account must be rent exempt
|
|
|
|
|
if !rent.is_exempt(self.get_lamports(), self.get_data().len()) {
|
|
|
|
|
return Err(InstructionError::ExecutableAccountNotRentExempt);
|
|
|
|
|
}
|
|
|
|
|
// Only the owner can set the executable flag
|
|
|
|
|
if !self.is_owned_by_current_program() {
|
|
|
|
|
return Err(InstructionError::ExecutableModified);
|
|
|
|
|
}
|
|
|
|
|
// and only if the account is writable
|
|
|
|
|
if !self.is_writable() {
|
|
|
|
|
return Err(InstructionError::ExecutableModified);
|
|
|
|
|
}
|
|
|
|
|
// one can not clear the executable flag
|
|
|
|
|
if self.is_executable() && !is_executable {
|
|
|
|
|
return Err(InstructionError::ExecutableModified);
|
|
|
|
|
}
|
|
|
|
|
// don't touch the account if the executable flag does not change
|
|
|
|
|
if self.is_executable() == is_executable {
|
|
|
|
|
return Ok(());
|
|
|
|
|
}
|
|
|
|
|
self.touch()?;
|
|
|
|
|
}
|
2021-12-27 09:49:32 -08:00
|
|
|
self.account.set_executable(is_executable);
|
2022-05-21 08:47:09 -07:00
|
|
|
Ok(())
|
2022-01-03 14:30:56 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns the rent epoch of this account (transaction wide)
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-10-06 23:45:05 -07:00
|
|
|
#[inline]
|
2022-01-03 14:30:56 -08:00
|
|
|
pub fn get_rent_epoch(&self) -> u64 {
|
|
|
|
|
self.account.rent_epoch()
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns whether this account is a signer (instruction wide)
|
|
|
|
|
pub fn is_signer(&self) -> bool {
|
2022-09-05 07:29:02 -07:00
|
|
|
if self.index_in_instruction < self.instruction_context.get_number_of_program_accounts() {
|
2022-06-16 09:46:17 -07:00
|
|
|
return false;
|
|
|
|
|
}
|
2022-02-03 08:19:42 -08:00
|
|
|
self.instruction_context
|
2022-06-16 09:46:17 -07:00
|
|
|
.is_instruction_account_signer(
|
|
|
|
|
self.index_in_instruction
|
2022-09-05 07:29:02 -07:00
|
|
|
.saturating_sub(self.instruction_context.get_number_of_program_accounts()),
|
2022-06-16 09:46:17 -07:00
|
|
|
)
|
2022-02-03 08:19:42 -08:00
|
|
|
.unwrap_or_default()
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns whether this account is writable (instruction wide)
|
|
|
|
|
pub fn is_writable(&self) -> bool {
|
2022-09-05 07:29:02 -07:00
|
|
|
if self.index_in_instruction < self.instruction_context.get_number_of_program_accounts() {
|
2022-06-16 09:46:17 -07:00
|
|
|
return false;
|
|
|
|
|
}
|
2022-02-03 08:19:42 -08:00
|
|
|
self.instruction_context
|
2022-06-16 09:46:17 -07:00
|
|
|
.is_instruction_account_writable(
|
|
|
|
|
self.index_in_instruction
|
2022-09-05 07:29:02 -07:00
|
|
|
.saturating_sub(self.instruction_context.get_number_of_program_accounts()),
|
2022-06-16 09:46:17 -07:00
|
|
|
)
|
2022-02-03 08:19:42 -08:00
|
|
|
.unwrap_or_default()
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
2022-07-15 00:31:34 -07:00
|
|
|
|
|
|
|
|
/// Returns true if the owner of this account is the current `InstructionContext`s last program (instruction wide)
|
|
|
|
|
pub fn is_owned_by_current_program(&self) -> bool {
|
|
|
|
|
self.instruction_context
|
|
|
|
|
.get_last_program_key(self.transaction_context)
|
|
|
|
|
.map(|key| key == self.get_owner())
|
|
|
|
|
.unwrap_or_default()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns an error if the account data can not be mutated by the current program
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-07-15 00:31:34 -07:00
|
|
|
pub fn can_data_be_changed(&self) -> Result<(), InstructionError> {
|
|
|
|
|
if !self
|
|
|
|
|
.transaction_context
|
|
|
|
|
.is_early_verification_of_account_modifications_enabled()
|
|
|
|
|
{
|
|
|
|
|
return Ok(());
|
|
|
|
|
}
|
|
|
|
|
// Only non-executable accounts data can be changed
|
|
|
|
|
if self.is_executable() {
|
|
|
|
|
return Err(InstructionError::ExecutableDataModified);
|
|
|
|
|
}
|
|
|
|
|
// and only if the account is writable
|
|
|
|
|
if !self.is_writable() {
|
|
|
|
|
return Err(InstructionError::ReadonlyDataModified);
|
|
|
|
|
}
|
|
|
|
|
// and only if we are the owner
|
|
|
|
|
if !self.is_owned_by_current_program() {
|
|
|
|
|
return Err(InstructionError::ExternalAccountDataModified);
|
|
|
|
|
}
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns an error if the account data can not be resized to the given length
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-07-15 00:31:34 -07:00
|
|
|
pub fn can_data_be_resized(&self, new_length: usize) -> Result<(), InstructionError> {
|
|
|
|
|
if !self
|
|
|
|
|
.transaction_context
|
|
|
|
|
.is_early_verification_of_account_modifications_enabled()
|
|
|
|
|
{
|
|
|
|
|
return Ok(());
|
|
|
|
|
}
|
2022-08-29 11:30:48 -07:00
|
|
|
let old_length = self.get_data().len();
|
2022-07-15 00:31:34 -07:00
|
|
|
// Only the owner can change the length of the data
|
2022-08-29 11:30:48 -07:00
|
|
|
if new_length != old_length && !self.is_owned_by_current_program() {
|
2022-07-15 00:31:34 -07:00
|
|
|
return Err(InstructionError::AccountDataSizeChanged);
|
|
|
|
|
}
|
|
|
|
|
// The new length can not exceed the maximum permitted length
|
|
|
|
|
if new_length > MAX_PERMITTED_DATA_LENGTH as usize {
|
|
|
|
|
return Err(InstructionError::InvalidRealloc);
|
|
|
|
|
}
|
2022-08-29 11:30:48 -07:00
|
|
|
if self
|
|
|
|
|
.transaction_context
|
|
|
|
|
.is_cap_accounts_data_allocations_per_transaction_enabled
|
|
|
|
|
{
|
|
|
|
|
// The resize can not exceed the per-transaction maximum
|
|
|
|
|
let length_delta = (new_length as i64).saturating_sub(old_length as i64);
|
|
|
|
|
if self
|
|
|
|
|
.transaction_context
|
|
|
|
|
.accounts_resize_delta()?
|
|
|
|
|
.saturating_add(length_delta)
|
|
|
|
|
> MAX_PERMITTED_ACCOUNTS_DATA_ALLOCATIONS_PER_TRANSACTION
|
|
|
|
|
{
|
|
|
|
|
return Err(InstructionError::MaxAccountsDataAllocationsExceeded);
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-07-15 00:31:34 -07:00
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-07-15 00:31:34 -07:00
|
|
|
fn touch(&self) -> Result<(), InstructionError> {
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
self.transaction_context
|
|
|
|
|
.accounts()
|
|
|
|
|
.touch(self.index_in_transaction)
|
2022-07-15 00:31:34 -07:00
|
|
|
}
|
2022-09-23 17:37:02 -07:00
|
|
|
|
|
|
|
|
#[cfg(not(target_os = "solana"))]
|
|
|
|
|
fn update_accounts_resize_delta(&mut self, new_len: usize) -> Result<(), InstructionError> {
|
|
|
|
|
let mut accounts_resize_delta = self
|
|
|
|
|
.transaction_context
|
|
|
|
|
.accounts_resize_delta
|
|
|
|
|
.try_borrow_mut()
|
|
|
|
|
.map_err(|_| InstructionError::GenericError)?;
|
|
|
|
|
*accounts_resize_delta = accounts_resize_delta
|
|
|
|
|
.saturating_add((new_len as i64).saturating_sub(self.get_data().len() as i64));
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
2021-12-27 09:49:32 -08:00
|
|
|
}
|
2022-03-22 15:17:05 -07:00
|
|
|
|
|
|
|
|
/// Everything that needs to be recorded from a TransactionContext after execution
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-03-22 15:17:05 -07:00
|
|
|
pub struct ExecutionRecord {
|
|
|
|
|
pub accounts: Vec<TransactionAccount>,
|
|
|
|
|
pub return_data: TransactionReturnData,
|
2022-08-23 05:58:32 -07:00
|
|
|
pub touched_account_count: u64,
|
2022-07-15 00:31:34 -07:00
|
|
|
pub accounts_resize_delta: i64,
|
2022-03-22 15:17:05 -07:00
|
|
|
}
|
2022-07-06 10:27:42 -07:00
|
|
|
|
2022-03-22 15:17:05 -07:00
|
|
|
/// Used by the bank in the runtime to write back the processed accounts and recorded instructions
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-03-22 15:17:05 -07:00
|
|
|
impl From<TransactionContext> for ExecutionRecord {
|
|
|
|
|
fn from(context: TransactionContext) -> Self {
|
2023-08-24 15:54:06 -07:00
|
|
|
let accounts = Rc::try_unwrap(context.accounts)
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
.expect("transaction_context.accounts has unexpectd outstanding refs");
|
|
|
|
|
let touched_account_count = accounts.touched_count() as u64;
|
|
|
|
|
let accounts = accounts.into_accounts();
|
2022-03-22 15:17:05 -07:00
|
|
|
Self {
|
|
|
|
|
accounts: Vec::from(Pin::into_inner(context.account_keys))
|
|
|
|
|
.into_iter()
|
Account data direct mapping (#28053)
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
2023-04-28 13:54:39 -07:00
|
|
|
.zip(accounts)
|
2022-03-22 15:17:05 -07:00
|
|
|
.collect(),
|
|
|
|
|
return_data: context.return_data,
|
2022-08-23 05:58:32 -07:00
|
|
|
touched_account_count,
|
2022-07-15 00:31:34 -07:00
|
|
|
accounts_resize_delta: RefCell::into_inner(context.accounts_resize_delta),
|
2022-03-22 15:17:05 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-07-15 00:31:34 -07:00
|
|
|
|
2022-08-31 08:47:47 -07:00
|
|
|
#[cfg(not(target_os = "solana"))]
|
2022-07-15 00:31:34 -07:00
|
|
|
fn is_zeroed(buf: &[u8]) -> bool {
|
|
|
|
|
const ZEROS_LEN: usize = 1024;
|
|
|
|
|
const ZEROS: [u8; ZEROS_LEN] = [0; ZEROS_LEN];
|
|
|
|
|
let mut chunks = buf.chunks_exact(ZEROS_LEN);
|
|
|
|
|
|
|
|
|
|
#[allow(clippy::indexing_slicing)]
|
|
|
|
|
{
|
|
|
|
|
chunks.all(|chunk| chunk == &ZEROS[..])
|
|
|
|
|
&& chunks.remainder() == &ZEROS[..chunks.remainder().len()]
|
|
|
|
|
}
|
|
|
|
|
}
|
