* allow pedantic invalid cast lint
* allow lint with false-positive triggered by `test-case` crate
* nightly `fmt` correction
* adapt to rust layout changes
* remove dubious test
* Use transmute instead of pointer cast and de/ref when check_aligned is false.
* Renames clippy::integer_arithmetic to clippy::arithmetic_side_effects.
* bump rust nightly to 2023-08-25
* Upgrades Rust to 1.72.0
---------
Co-authored-by: Trent Nelson <trent@solana.com>
* Moves initialization and growth of program accounts
from "write" to "truncate" instruction in loader-v4.
* Removes the parameter payer account from the truncate instruction.
Computing Poseidon[0] hashes is too expensive to be done in a Solana
program in one transaction. Poseidon is a zero-knowlege proof friendly
hash function, used by the majority of ZK-based projects, including the
ones built on top of Solana.
This change introduces the `sol_poseidon` syscall which takes 2D byte
slice as an input and then calculates a Poseidon hash using a BN254
curve and the following Poseidon parameters:
* x^5 S-boxes
* width - 2 ≤ t ≤ 13
* inputs - 1 ≤ n ≤ 12
* 8 full rounds and partial rounds depending on t: [56, 57, 56, 60, 60,
63, 64, 63, 60, 66, 60, 65]
Computation of Poseidon hashes is done with the light-poseidon[1]
crate, which is audited[2] and compatible with Circom[3] (BN254 curve,
the same parameters and constants).
Proposed compute costs depend on number of inputs and are based on
light-poseidon benchmarks[4].
[0] https://www.poseidon-hash.info/
[1] https://crates.io/crates/light-poseidon
[2] https://github.com/Lightprotocol/light-poseidon/blob/main/assets/audit.pdf
[3] https://docs.circom.io/
[4] https://github.com/Lightprotocol/light-poseidon/tree/main#performance
* transaction_context: update make_data_mut comment
* bpf_loader: cpi: pass SerializeAccountMetadata to CallerAccount::from*
We now have a way to provide CallerAccount with trusted values coming
from our internal serialization code and not from untrusted vm space
* bpf_loader: direct_mapping: enforce account info pointers to be immutable
When direct mapping is enabled, we might need to update account data
memory regions across CPI calls. Since the only way we have to retrieve
the regions is based on their vm addresses, we enforce vm addresses to
be stable. Accounts can still be mutated and resized of course, but it
must be done in place.
This also locks all other AccountInfo pointers, since there's no legitimate
reason to make them point to anything else.
* bpf_loader: cpi: access ref_to_len_in_vm through VmValue
Direct mapping needs to translate vm values at each access since
permissions of the underlying memory might have changed.
* direct mapping: improve memory permission tracking across CPI calls
Ensure that the data and realloc regions of an account always track the
account's permissions. In order to do this, we also need to split
realloc regions in their own self contained regions, where before we
had:
[account fields][account data][account realloc + more account fields + next account fields][next account data][...]
we now have:
[account fields][account data][account realloc][more account fields + next account fields][next account data][...]
Tested in TEST_[FORBID|ALLOW]_WRITE_AFTER_OWNERSHIP_CHANGE*
Additionally when direct mapping is on, we must update all perms at once before
doing account data updates. Otherwise, updating an account might write into
another account whose perms we haven't updated yet. Tested in
TEST_FORBID_LEN_UPDATE_AFTER_OWNERSHIP_CHANGE.
* bpf_loader: serialization: address review comment don't return vm_addr from push_account_region
* bpf_loader: rename push_account_region to push_account_data_region
* cpi: fix slow edge case zeroing extra account capacity after shrinking an account
When returning from CPI we need to zero all the account memory up to the
original length only if we know we're potentially dealing with uninitialized
memory.
When we know that the spare capacity has deterministic content, we only need to
zero new_len..prev_len.
This fixes a slow edge case that was triggerable by the following scenario:
- load a large account (say 10MB) into the vm
- shrink to 10 bytes - would memset 10..10MB
- shrink to 9 bytes - would memset 9..10MB
- shrink to 8 bytes - would memset 8..10MB
- ...
Now instead in the scenario above the following will happen:
- load a large account (say 10MB) into the vm
- shrink to 10 bytes - memsets 10..10MB
- shrink to 9 bytes - memsets 9..10
- shrink to 8 bytes - memset 8..9
- ...
* bpf_loader: add account_data_region_memory_state helper
Shared between serialization and CPI to figure out the MemoryState of an
account.
* cpi: direct_mapping: error out if ref_to_len_in_vm points to account memory
If ref_to_len_in_vm is allowed to be in account memory, calles could mutate it,
essentially letting callees directly mutate callers memory.
* bpf_loader: direct_mapping: map AccessViolation -> InstructionError
Return the proper ReadonlyDataModified / ExecutableDataModified /
ExternalAccountDataModified depending on where the violation occurs
* bpf_loader: cpi: remove unnecessary infallible slice::get call
* dereplicode address alignment check
* Uses `checked_div` and `checked_rem` in built-in loaders.
* Uses `checked_div` and `checked_rem`.
* sdk: replace sub() with saturating_sub()
* eliminate `String` "arithmetic"
* allow arithmetic side-effects in tests and benches and on types we don't control
---------
Co-authored-by: Trent Nelson <trent@solana.com>
Bank::get_leader_schedule_epoch returns: 1 + EpochSchedule::get_epoch.
As a result, at the epoch boundaries when the propagated shred is from
the next epoch, we are looking for epoch stakes for 2 epochs ahead of
the root or working bank's epoch.
However, the bank structure only contains epoch stakes for one epoch
ahead. This results in shreds propagated at epoch boundary having
unknown epoch stakes.
* sdk: Add concurrent support for rand 0.7 and 0.8
* Update rand, rand_chacha, and getrandom versions
* Run command to replace `gen_range`
Run `git grep -l gen_range | xargs sed -i'' -e 's/gen_range(\(\S*\), /gen_range(\1../'
* sdk: Fix users of older `gen_range`
* Replace `hash::new_rand` with `hash::new_with_thread_rng`
Run:
```
git grep -l hash::new_rand | xargs sed -i'' -e 's/hash::new_rand([^)]*/hash::new_with_thread_rng(/'
```
* perf: Use `Keypair::new()` instead of `generate`
* Use older rand version in zk-token-sdk
* program-runtime: Inline random key generation
* bloom: Fix clippy warnings in tests
* streamer: Scope rng usage correctly
* perf: Fix clippy warning
* accounts-db: Map to char to generate a random string
* Remove `from_secret_key_bytes`, it's just `keypair_from_seed`
* ledger: Generate keypairs by hand
* ed25519-tests: Use new rand
* runtime: Use new rand in all tests
* gossip: Clean up clippy and inline keypair generators
* core: Inline keypair generation for tests
* Push sbf lockfile change
* sdk: Sort dependencies correctly
* Remove `hash::new_with_thread_rng`, use `Hash::new_unique()`
* Use Keypair::new where chacha isn't used
* sdk: Fix build by marking rand 0.7 optional
* Hardcode secret key length, add static assertion
* Unify `getrandom` crate usage to fix linking errors
* bloom: Fix tests that require a random hash
* Remove some dependencies, try to unify others
* Remove unnecessary uses of rand and rand_core
* Update lockfiles
* Add back some dependencies to reduce rebuilds
* Increase max rebuilds from 14 to 15
* frozen-abi: Remove `getrandom`
* Bump rebuilds to 17
* Remove getrandom from zk-token-proof
* stake: pub use config constants for api backwards compatibility
* Add deprecate
Co-authored-by: Trent Nelson <trent.a.b.nelson@gmail.com>
---------
Co-authored-by: Trent Nelson <trent.a.b.nelson@gmail.com>
* stake: deprecate on chain warmup/cooldown rate and config
* Pr feedback: Deprecate since 1.16.7
Co-authored-by: Jon Cinque <me@jonc.dev>
---------
Co-authored-by: Jon Cinque <me@jonc.dev>
This extra argument serves as an extra guardrail to ensure that the
feature key holder is activating the feature on the intended cluster,
and not solely using a default or config-file stored RPC url to
determine which cluster the feature will be activated on.
* Add epoch rewards sysvar test to program test
* Add a test to check epoch rewards sysvar inside/outisde reward interval
---------
Co-authored-by: HaoranYi <haoran.yi@solana.com>
* Restrict access to Bank's HardForks
Callers could previously obtain a a lock to read/write HardForks from
any Bank. This would allow any caller to modify, and creates the
opportunity for inconsistent handling of what is considered a valid hard
fork (ie too old).
This PR adds a function to Bank so consistent sanity checks can be
applied; the caller will already have a Bank as that is where they would
have obtained the HardForks from in the first place. Additionally,
change the getter to return a copy of HardForks (simple Vec).
* Allow hard fork at bank slot if bank is not yet frozen
* add sysvar and logic for last restart slot
* cleanup
* add test for getting last restart slot from account
* format code
* add some basic rustdoc
* copy+paste error
* feature flag for last_restart_slot
* add to sysvars.md
* updated wording in sysvars.md
* rename sol_get_last_restart_slot_sysvar > sol_get_last_restart_slot
* create sbf C header for sol_get_last_restart_slot
* cleanup imports
* reverted hardened_unpack workaround
* cleanup imports
* cleanup logs + blank lines
* Implementing ui changes for last restart slot, nit
* Some more nit change and implementing the UI for sysvar
* fixing the CI
* Minor clippy fix
* format changes
* changes suggested by mvines and lichtso
* increase timeout in local_cluster test
* fix code format
* use keypair for feature flag from mvines
* delete test.json file
* Revert "increase timeout in local_cluster test"
This reverts commit a67465ae22.
* last restart slot should be always less than or equal to current slot
* fixing bug
* changes after steviez comments
* format issue fixed
* fixing the comment on premature application of future hardfork
* nit change in test
Co-authored-by: steviez <steven@solana.com>
* reverting sysvar_cache.rs because change was not necessary
---------
Co-authored-by: steve-gg <grooviegermanikus@gmail.com>
Co-authored-by: steviez <steven@solana.com>
The function signature was changed in #31767, but these instances were
not updated due to the PR being created before the instances were added
to the repo.
* Bump borsh to 0.10.3
transaction-status relies on SPL which still requires borsh 0.9, so
until SPL also gets updated that package alone will use an older version of
borsh.
* ci: Temporarily disable spl and openbook-dex builds
* Fix C headers (the name of the syscall was incorrect).
* Add C SBF tests using the alt_bn128 syscall.
* Fix the Rust SBF program:
* Do not use serde and array-bytes, provide test cases as byte arrays
directly.
* Use the `custom_heap_default` macro.
* Replace `bpf` with `sbf` in the crate name.
* Execute both previously existing Rust tests and new C tests in
`programs/sbf/tests`, so they are actually tested on CI.
Changes:
marshallpierce/rust-base64@v0.13.1...v0.21.0
`base64::{encode,decode}` are now deprecated in favor of an API that
explicitly selects an `Engine`. Migrated all calls to the new API.
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
* Add failing test
* Add config struct for vote-account creation
* Add create-vote-account ix builders that use CreateVoteAccountConfig
* Test now passes; add case to demonstrate failure after activation
* Deprecate existing ix builders
* Use new builders in solana-cli
* Query feature status to use correct VoteState size in solana-cli
* Fix tests and clippy warnings
* Improve ugly conditional block
* Enforce used_underscore_binding
* Fix all
* Work around for cfg()-ed code...
* ci....
* Make clipply fixes more pleasant
* Clone exit signal while intentionally shadowing
* Use more verbose code to avoid any #[allow(...)]s
* Moves the registration of bpf_loader built-ins from the ledger into the runtime.
* Removes bpf_loader built-ins registration in tests and benchmarks.
* Removes declare_builtin!() of bpf_loader built-ins.
* Removes built-ins from the SDK.
* Adjusts tests.
Add new vote state version that replaces Lockout with LandedVote to allow vote latency to be tracked in a future change.
Includes a feature to be enabled which will when enabled cause the vote state to be written in the new form.
* generalize `Keypair` to using `EncodableKey` trait in clap-v3-utils
* add associated `Pubkey` type to `EncodableKey`
* remove associated type `Pubkey` from `EncodableKey`
* rename `EncodableKey` associated function names
* remove default overrides for `{read,write}_file`
* resolve dependencies for test
* remove `pubkey_string` from `EncodableKey` trait
* bump ark-works 0.4.0
* removed obsolete commented code
* bumped deps again after rebase
* paring: merged two vectors into one
* added zero serialization test
* reverted formatting change
* updated Cargo.lock after rebase
* fixed Cargo.lock
* Adds the feature gate stop_truncating_strings_in_syscalls.
* Removes the truncation of everything after the first NULL byte in translate_string_and_do().
* relax Sized bound for Signers in Transaction and Client
* also relax Sized bounds in client, runtime, thin-client and tpu-client
* add tests for using non-sized transaction signers
* fix macro for thin_client vs ?Sized
* move tests to transactions, add Sized relaxation to mut macro
* fix clippy warning
* get rid of unnecessary imports
Alessandro Decina
Alexander Meißner
Ryo Onodera
behzad nouri
samkim-crypto
vadorovsky
HaoranYi
Trent Nelson
Jon Cinque
steviez
Lijun Wang
bji
Ashwin Sekar
Yihau Chen
cavemanloverboy
dependabot[bot]
Andrew Fitzgerald
Pankaj Garg
Brooks
Justin Starry
Jon Cinque
Dmitri Makarov
hana
mvines
galactus
Jeff Washington (jwash)
Proph3t
Kevin Ji
Will Hickey
alpharush
Tao Zhu
Illia Bobyr
Tyera
ananas-block
blackghost1987
Brennan