* programs/sbf: add TEST_[FORBID|ALLOW]_WRITE_AFTER_OWNERSHIP_CHANGE*
* programs/sbf: add tests for the AccessViolation -> InstructionError mapping
* cpi: add more tests
* programs/sbf: add tests for immutable AccountInfo pointers
* programs/sbf: add tests for verification of SolAccountInfo pointers too
* programs/sbf: add tests for ref_to_len_in_vm handling in CPI
Add TEST_FORBID_LEN_UPDATE_AFTER_OWNERSHIP_CHANGE_MOVING_DATA_POINTER
and TEST_FORBID_LEN_UPDATE_AFTER_OWNERSHIP_CHANGE that exercise the new
logic.
* cpi: tweak tests
Remove some copy pasta and rename two tests to better describe what they're doing
* cpi: add tests that check that CPI updates all accounts at once
* direct mapping: test that writes to executable accounts trigger ExecutableDataModified
* programs/sbf: add explicit tests for when an account's data allocation changes
* allow pedantic invalid cast lint
* allow lint with false-positive triggered by `test-case` crate
* nightly `fmt` correction
* adapt to rust layout changes
* remove dubious test
* Use transmute instead of pointer cast and de/ref when check_aligned is false.
* Renames clippy::integer_arithmetic to clippy::arithmetic_side_effects.
* bump rust nightly to 2023-08-25
* Upgrades Rust to 1.72.0
---------
Co-authored-by: Trent Nelson <trent@solana.com>
Computing Poseidon[0] hashes is too expensive to be done in a Solana
program in one transaction. Poseidon is a zero-knowlege proof friendly
hash function, used by the majority of ZK-based projects, including the
ones built on top of Solana.
This change introduces the `sol_poseidon` syscall which takes 2D byte
slice as an input and then calculates a Poseidon hash using a BN254
curve and the following Poseidon parameters:
* x^5 S-boxes
* width - 2 ≤ t ≤ 13
* inputs - 1 ≤ n ≤ 12
* 8 full rounds and partial rounds depending on t: [56, 57, 56, 60, 60,
63, 64, 63, 60, 66, 60, 65]
Computation of Poseidon hashes is done with the light-poseidon[1]
crate, which is audited[2] and compatible with Circom[3] (BN254 curve,
the same parameters and constants).
Proposed compute costs depend on number of inputs and are based on
light-poseidon benchmarks[4].
[0] https://www.poseidon-hash.info/
[1] https://crates.io/crates/light-poseidon
[2] https://github.com/Lightprotocol/light-poseidon/blob/main/assets/audit.pdf
[3] https://docs.circom.io/
[4] https://github.com/Lightprotocol/light-poseidon/tree/main#performance
* remove unnecessary hashes around raw string literals
* remove unncessary literal `unwrap()`s
* remove panicking `unwrap()`
* remove unnecessary `unwrap()`
* use `[]` instead of `vec![]` where applicable
* remove (more) unnecessary explicit `into_iter()` calls
* remove redundant pattern matching
* don't cast to same type and constness
* do not `cfg(any(...` a single item
* remove needless pass by `&mut`
* prefer `or_default()` to `or_insert_with(T::default())`
* `filter_map()` better written as `filter()`
* incorrect `PartialOrd` impl on `Ord` type
* replace "slow zero-filled `Vec` initializations"
* remove redundant local bindings
* add required lifetime to associated constant
* dereplicode address alignment check
* Uses `checked_div` and `checked_rem` in built-in loaders.
* Uses `checked_div` and `checked_rem`.
* sdk: replace sub() with saturating_sub()
* eliminate `String` "arithmetic"
* allow arithmetic side-effects in tests and benches and on types we don't control
---------
Co-authored-by: Trent Nelson <trent@solana.com>
* sdk: Add concurrent support for rand 0.7 and 0.8
* Update rand, rand_chacha, and getrandom versions
* Run command to replace `gen_range`
Run `git grep -l gen_range | xargs sed -i'' -e 's/gen_range(\(\S*\), /gen_range(\1../'
* sdk: Fix users of older `gen_range`
* Replace `hash::new_rand` with `hash::new_with_thread_rng`
Run:
```
git grep -l hash::new_rand | xargs sed -i'' -e 's/hash::new_rand([^)]*/hash::new_with_thread_rng(/'
```
* perf: Use `Keypair::new()` instead of `generate`
* Use older rand version in zk-token-sdk
* program-runtime: Inline random key generation
* bloom: Fix clippy warnings in tests
* streamer: Scope rng usage correctly
* perf: Fix clippy warning
* accounts-db: Map to char to generate a random string
* Remove `from_secret_key_bytes`, it's just `keypair_from_seed`
* ledger: Generate keypairs by hand
* ed25519-tests: Use new rand
* runtime: Use new rand in all tests
* gossip: Clean up clippy and inline keypair generators
* core: Inline keypair generation for tests
* Push sbf lockfile change
* sdk: Sort dependencies correctly
* Remove `hash::new_with_thread_rng`, use `Hash::new_unique()`
* Use Keypair::new where chacha isn't used
* sdk: Fix build by marking rand 0.7 optional
* Hardcode secret key length, add static assertion
* Unify `getrandom` crate usage to fix linking errors
* bloom: Fix tests that require a random hash
* Remove some dependencies, try to unify others
* Remove unnecessary uses of rand and rand_core
* Update lockfiles
* Add back some dependencies to reduce rebuilds
* Increase max rebuilds from 14 to 15
* frozen-abi: Remove `getrandom`
* Bump rebuilds to 17
* Remove getrandom from zk-token-proof
* Fix C headers (the name of the syscall was incorrect).
* Add C SBF tests using the alt_bn128 syscall.
* Fix the Rust SBF program:
* Do not use serde and array-bytes, provide test cases as byte arrays
directly.
* Use the `custom_heap_default` macro.
* Replace `bpf` with `sbf` in the crate name.
* Execute both previously existing Rust tests and new C tests in
`programs/sbf/tests`, so they are actually tested on CI.
* AccountSharedData: make data_mut() private
This ensures that the inner Vec is never handed out. This is in
preparation of enforcing that the capacity of the inner vec never
shrinks, which is required for direct mapping.
* Adds the feature bpf_account_data_direct_mapping.
* Remaps EbpfError::AccessViolation into InstructionError::ReadonlyDataModified.
* WIP: Memory regions for each instruction account in create_vm().
* Fix serialization benches, run both copy and !copy variants
* rbpf-cli: fix build
* BorrowedAccount: ensure that account capacity is never reduced
Accounts can be directly mapped in address space. Their capacity can't
be reduced mid transaction as that would create holes in vm address
space that point to invalid host memory.
* bpf_load: run serialization tests for both copy and !copy account data
* bpf_loader: add Serializer::write_account
* fix lints
* BorrowedAccount: make_data_mut is host only
* Fix unused import warning
* Fix lints
* cpi: add explicit direct_mapping arg to update_(callee|caller)_account
* cpi: rename account_data_or_only_realloc_padding to serialized_data
* cpi: add CallerAccount::original_data_len comment
* cpi: add update_callee_account direct_mapping test
* cpi: add test_update_caller_account_data_direct_mapping and fix bug
We used to have a bug in zeroing data when shrinking account, where we zeroed
the spare account capacity but not the realloc padding.
* cpi: add tests for mutated readonly accounts
* cpi: update_caller_account doesn't need to change .serialized_data when direct_mapping is on
* cpi: update_caller_account: ensure that account capacity is always enough
Introduce a better way to ensure that account capacity never goes below what
might be mapped in memory regions.
* cpi: zero account capacity using the newly introduced BorrowedAccount::spare_data_capacity_mut()
Before we were using BorrowedAccount::get_data_mut() to get the base pointer to
the account data, then we were slicing the spare capacity from it. Calling
get_data_mut() doesn't work if an account has been closed tho, since the
current program doesn't own the account anymore and therefore get_data_mut()
errors out.
* bpf_loader: fix same lint for the umpteenth time
* bpf_loader: map AccessViolation to ReadonlyDataModified only for account region violations
* programs/sbf: realloc: add test for large write after realloc
Add a test that after a realloc does a large write that spans the
original account length and the realloc area. This ensures that memory
mapping works correctly across the boundary.
* programs/sbf: run test_program_sbf_realloc with both direct_mapping on and off
By default test banks test with all features on. This ensures we keep
testing the existing code until the new feature is enabled.
* bpf_loader: tweak memcmp syscall
Split the actual memcmp code in a separate function. Remove check
indexing the slices since the slices are guaranteed to have the correct
length by construction.
* bpf_loader: tweak the memset syscall
Use slice::fill, which is effectively memset.
* bpf_loader: syscalls: update mem syscalls to work with non contiguous memory
With direct mapping enabled, accounts can now span multiple memory
regions.
* fix lint, rebase mem_ops
* Implement CoW for writable accounts
* Fix CI
* Move CoW to the MemoryMapping level
* Update after rbpf API change
* Fix merge screwup
* Add create_vm macro. Fix benches.
* cpi: simplify update_caller_account
Simplify the logic to update a caller's memory region when a callee
causes an account data pointer to change (eg during CoW)
* benches/bpf_loader: move serialization out of create_vm bench
* benches/bpf_loader: don't copy accounts when direct mapping is on
* Fix review nits
* bpf_loader: mem_ops: handle u64 overflow in MemoryChunkIterator::new
When starting at u64::MAX, the chunk iterator would always return the
empty sequence (None on the first next()) call, instead of returning a
memory access violation.
Use checked instead of saturating arithmetic to detect the condition and
error out.
This commit also adds more tests around boundary conditions.
* Fix loader-v3 tests: data_mut => data_as_mut_slice
* Fix CI
* bpf_loader: fix tuner bench: account must be writable
With direct mapping on, invalid writes are caught early meaning the
tuner would fail on the first store and not consume the whole budget
like the benchmark expects.
---------
Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
* introduce workspace.package
* introduce workspace.dependencies
* read version from root cargo.toml
* pass check when version = { workspace = true }
* don't bump version when version = { workspace = true }
* including workspace Cargo.toml when bump version
* programs/sbf use workspace inheritance
* fix increasing cargo version ignore program/sbf/Cargo.toml
* introduce workspace.package
* introduce workspace.dependencies
* read version from root cargo.toml
* pass check when version = { workspace = true }
* don't bump version when version = { workspace = true }
* including workspace Cargo.toml when bump version
* programs/sbf use workspace inheritance
* fix increasing cargo version ignore program/sbf/Cargo.toml
* check android builds
* feature: set rent_epoch to Epoch::MAX
* tweaks
* Update runtime/src/rent_collector.rs
Co-authored-by: Brooks Prumo <brooks@prumo.org>
* simplify changes to tests
* back out some test changes
* calculate_rent_result passes through Exempt
* move calc outside loop
* if rent epoch is already max, use 'NoRentCollectionNow'
Co-authored-by: Brooks Prumo <brooks@prumo.org>
* Bump sbf-tools to v1.32
This version of sbf-tools is based on Rust 1.65.0 and LLVM 15.0.
* Temporary ignore build-sbf tests until issue with buildkite cache resolved
Alessandro Decina
Alexander Meißner
vadorovsky
Trent Nelson
Jon Cinque
HaoranYi
Samuel Moelius
Yihau Chen
Ryo Onodera
Michael Vines
Will Hickey
joeaba
valiksinev
Jeff Washington (jwash)
Dmitri Makarov
ananas-block
Brooks Prumo
Dmitri Makarov