|
| 1 | +--- |
| 2 | +simd: '0319' |
| 3 | +title: Remove Accounts `is_executable` Flag Entirely |
| 4 | +authors: |
| 5 | + - Alexander Meißner |
| 6 | +category: Standard |
| 7 | +type: Core |
| 8 | +status: Review |
| 9 | +created: 2025-03-18 |
| 10 | +feature: TBD |
| 11 | +extends: 0162 |
| 12 | +--- |
| 13 | + |
| 14 | +## Summary |
| 15 | + |
| 16 | +Remove the accounts `is_executable` flag from the protocol entirely. |
| 17 | + |
| 18 | +## Motivation |
| 19 | + |
| 20 | +See SIMD-0162 for the reasons why the `is_executable` flag is unnecessary |
| 21 | +protocol complexity. That SIMD however only removes all checks of the flag |
| 22 | +which can abort a transaction. There are other influences the flag has on |
| 23 | +consensus which shall be removed as well. |
| 24 | + |
| 25 | +## New Terminology |
| 26 | + |
| 27 | +None. |
| 28 | + |
| 29 | +## Detailed Design |
| 30 | + |
| 31 | +The following changes in consensus relevant behavior must occur with the |
| 32 | +activation of the feature TBD: |
| 33 | + |
| 34 | +### Account append vector in snapshot format |
| 35 | + |
| 36 | +When loading existing snapshots the flag must be ignored. When storing |
| 37 | +snapshots the flag should be treated as being always `false`. |
| 38 | + |
| 39 | +### Snapshot minimization special case |
| 40 | + |
| 41 | +Program data accounts (owned by loader-v3) must not be filtered by their |
| 42 | +`is_executable` flag anymore. |
| 43 | + |
| 44 | +### Account hash |
| 45 | + |
| 46 | +The flag must not be added to the input of the hash function anymore. |
| 47 | +Note that this is different from hashing it as always `false`. |
| 48 | + |
| 49 | +### VM serialization |
| 50 | + |
| 51 | +ABI v2 will simply not have the flag from the start, however ABI v0 and v1 must |
| 52 | +change their serialization of the flag to be `true` if (and only if): |
| 53 | + |
| 54 | +- an account is owned by loader-v1 or loader-v2 |
| 55 | +- an account is owned by loader-v3 and contains the program (proxy) state |
| 56 | +- an account is owned by loader-v4 and has the deployed or finalized status |
| 57 | + |
| 58 | +### CPI special case |
| 59 | + |
| 60 | +Currently CPI ignores changes made by the caller to instruction accounts which |
| 61 | +have the flag set, meaning even requesting write access to a program account |
| 62 | +throws no error. Instead the flag must now be ignored, meaning all changes made |
| 63 | +by the caller to instruction accounts are treated equally. |
| 64 | + |
| 65 | +## Alternatives Considered |
| 66 | + |
| 67 | +None. |
| 68 | + |
| 69 | +## Impact |
| 70 | + |
| 71 | +The changes to the snapshots and account hashes should be irrelevant. The |
| 72 | +changes to the VM serialization should be mostly identical to the existing |
| 73 | +behavior. The changes to the CPI special case will technically allow for a new |
| 74 | +failure mode, when a caller attempts to give write access to a program |
| 75 | +account to a callee, but this case does not seem to occur in currently deployed |
| 76 | +dApps. |
| 77 | + |
| 78 | +## Security Considerations |
| 79 | + |
| 80 | +None. |
0 commit comments