Deprecate account meta executable read/update in bpf loaders

[HaoranYi]

Problem

Part of effort for #33970

We are deprecating executable meta flags on account. Instead of relying on executable flag on account to determine whether the account is executable, we are going to check the owner of the account and the loader's meta data in account data to determine whether the account is executable.

Summary of Changes

• use owner + metadata in accounts data to determine whether the account is executable in transaction loading/processing.
• add disable_bpf_loader_instructions feature to disable bpf loader management instructions,
• add deprecate_executable_meta_update_in_bpf_loader feature to deprecate executable meta update in bpf loader

Feature Gate Issues:

• 34424
• 34425

SIMD

• SIMD-0093
• SIMD-0094

Fixes #

[Lichtso]

It just occurred to me that there is one more complicating factor here, the migration of built-in programs to on-chain programs: solana-foundation/solana-improvement-documents#88

So, in the end almost all programs (except for the loaders) will be on-chain and be owned by the loaders. But until then we still have to support built-in programs which also count as "executable" sometimes, but not always. E.g. built-ins don't need to be loaded into the LoadedPrograms cache.

Thus, we might need a boolean parameter to the is_executable() function replacement or two versions:

• One for user programs only: Which returns true if the owner is in PROGRAM_OWNERS
• One for built-ins: Which also returns true if the owner is native_loader::id()

Related code sites:

• solana/programs/bpf_loader/src/lib.rs

  Line 430 in 481c357

  if native_loader::check_id(owner_id) {

• solana/programs/bpf_loader/src/syscalls/cpi.rs

  Line 1037 in 481c357

  if native_loader::check_id(program_id)

• solana/program-runtime/src/invoke_context.rs

  Line 458 in 481c357

  if native_loader::check_id(owner_id) {

[Lichtso]

This seems to be an un-feature-gated change to consensus.

[HaoranYi]

yeah. this needs to be feature-gated.

[Lichtso]

Actually, I would prefer if we would find a way to do this refactoring transparently, without consensus changes.

[HaoranYi]

ok. let me think about it.

Another question:

https://github.com/solana-labs/solana/blob/master/sdk/src/transaction_context.rs#L1082

With the change of is_executable() on BorrowedAccount, this seems not correct any more? upgradable account can_data_be_changed?

@@ -1079,7 +1081,9 @@ impl<'a> BorrowedAccount<'a> {
     #[cfg(not(target_os = "solana"))]
     pub fn can_data_be_changed(&self) -> Result<(), InstructionError> {
         // Only non-executable accounts data can be changed
-        if self.is_executable() {
+        if self.is_executable()
+            && !solana_program::bpf_loader_upgradeable::check_id(self.account.owner())
+        {
             return Err(InstructionError::ExecutableDataModified);
         }

[HaoranYi]

The following are the behavior changes with this PR found in test

1. if program owner changes to non bpf-loader, while its executable flags are
   set. IncorrectProgramId --> AccountNotExecutable

2. if program data is unitialized, while its executable flags are
   set. InvalidAccountData --> AccountNotExecutable

3. for account, whose owner is bpf_loader, while its executable flags are set.
   running LoaderInstruction::write, Ok --> ExecutableDataModified

@Lichtso Can we review them to be sure that these scenarios are not possible practically?

[Lichtso]

1. Such a test should be deleted because transferring the ownership of an executable account is explicitly forbidden:
   

   solana/sdk/src/transaction_context.rs

   Line 752 in 53c723a

   if self.is_executable() {

2. Again, makes no sense. Once an account is marked as executable it becomes immutable (

   solana/sdk/src/transaction_context.rs

   Line 1082 in 53c723a

   if self.is_executable() {

   ), so it could never leave the uninitialized state. Thus, the executable flag is only set after the state is initialized.

3. Uff, this will actually be a problem. The first two loaders did not write any metadata into the program account, so the only way to distinguish the writing-in-progress from the finalized state is the executable flag. Obviously, that can not be emulated without the executable flag so we do need a feature gate here. Also, we will probably have to disable deployments for everything but the upgradeable loader (v3), which was planned anyways.

[HaoranYi]

Makes sense. I will update.

…

On Wed, Nov 22, 2023, 15:06 Alexander Meißner ***@***.***> wrote: 1. Such a test should be deleted because transferring the ownership of an executable account is explicitly forbidden: https://github.com/solana-labs/solana/blob/53c723ae3f6b3013b9bfe275ea683ef2088737b3/sdk/src/transaction_context.rs#L752 2. Again, makes no sense. Once an account is marked as executable it becomes immutable ( https://github.com/solana-labs/solana/blob/53c723ae3f6b3013b9bfe275ea683ef2088737b3/sdk/src/transaction_context.rs#L1082), so it could never leave the uninitialized state. Thus, the executable flag is only set after the state is initialized. 3. Uff, this will actually be a problem. The first two loaders did not write any metadata into the program account, so the only way to distinguish the writing-in-progress from the finalized state is the executable flag. Obviously, that can not be emulated without the executable flag so we do need a feature gate here. Also, we will probably have to disable deployments for everything but the upgradeable loader (v3), which was planned anyways. — Reply to this email directly, view it on GitHub <#34194 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABVSJCHCDJEAEVIBLUIZYDYFZSMFAVCNFSM6AAAAAA7UYRPOOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRTGUYDEMBQGY> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[HaoranYi]

I have tried to add a feature gate for executable flag. But it turns out that
leads to quite a few API changesfor Account and BorrowedAccount, which is
not very clean. I think we may want to avoid adding a feature flag. Instead,
can we partially disable usage of executable flag for the loaders? i.e. for bpf_loader_upgradeable
and loader_v4, we disable the usage of executable flag, while for
'bpf_loader' and 'bpf_loader_deprecated', we still use executable flags. When
we disable deployments for these two loaders, we can remove the code that use
executable flags for them? Wdyt? @Lichtso

[codecov]

Codecov Report

Attention: 43 lines in your changes are missing coverage. Please review.

Comparison is base (d6146af) 81.8% compared to head (d59193c) 81.8%.
Report is 10 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff            @@
##           master   #34194    +/-   ##
========================================
  Coverage    81.8%    81.8%            
========================================
  Files         824      824            
  Lines      222262   222393   +131     
========================================
+ Hits       181860   182065   +205     
+ Misses      40402    40328    -74     

[HaoranYi]

https://explorer.solana.com/tx/4UzC7fuDiB5spFJmb1tBd6b44zvMYNsbHNBzFnawW5PM1z9ZzmfMpAagvbjuMxSPUHuhHqbKzWzgxrtYDezL18mA

Fails because BPFUpgradableLoader was hijacked by fn account_shared_data_from_program, which creates a dummy account with empty data. That's why it fails with this PR.

aaf2748 fixed it.

I have deploy this PR again on my node again to run against mnt overnight.

[HaoranYi]

FYI. A node with this change has been running for the past 5 days against mainnet! So far, it looks good!

[HaoranYi]

I added two featuregates in this PR:
a) disable bpfloader v1 deployment instructions
b) skip updating executable during bpf program deployment.

Aso, I created two SIMDs for these two features.

@Lichtso @pgarg66 @brooksprumo Please take a look. Let me know if you have any more comments. Thanks!

[Lichtso]

It seems that deprecate_executable_meta_update_in_bpf_loader only gates one call site of set_executable(), not all of them. Also, the switch from using the account executable flag to the inferred one in is_executable() needs to be feature gated (can be done inside is_executable() with deprecate_executable_meta_update_in_bpf_loader) because the deprecated loader can not be emulated (thus we need to disable its deployment with disable_bpf_loader_instructions beforehand).

[Lichtso]

return true;
That will be safe once deployments on loader-v2 are disabled. And we don't switch to this emulation here before that feature is activated.

[Lichtso]

@HaoranYi Can you split off the changes where you wire in feature_set in all the methods of BorrowedAccount into a separate PR? Otherwise I would say this looks good, can you run it on a validator against MNB?

[HaoranYi]

@HaoranYi Can you split off the changes where you wire in feature_set in all the methods of BorrowedAccount into a separate PR? Otherwise I would say this looks good, can you run it on a validator against MNB?

Yeah. #34542 is the refactor PR that pass feature_set into BorrowedAccount.
I just started a validator on my node, will keep it running.

[HaoranYi]

@HaoranYi Can you split off the changes where you wire in feature_set in all the methods of BorrowedAccount into a separate PR? Otherwise I would say this looks good, can you run it on a validator against MNB?

Yeah. #34542 is the refactor PR that pass feature_set into BorrowedAccount. I just started a validator on my node, will keep it running.

My node has been running fine with the PR over the holidays.

[Lichtso]

For all the tests of loader-v2 it would be preferable to just force deactivate the feature instead of altering the tests.

[HaoranYi]

yeah. restored.

[Lichtso]

After loader-v2 is disabled its management instructions will be removed. Thus, we need to rework the tests in programs/sbf/tests/programs.rs to use loader-v3 instead. However, that can happen in a separate PR.

[t-nelson]

please DO NOT introduce multiple feature gates in the same pull request!