@@ -7,7 +7,9 @@ category: Standard
77type : Core
88status : Review
99created : 2024-08-15
10- feature : TBD
10+ feature :
11+ - 8Cb77yHjPWe9wuWUfXeh6iszFGCDGNCoFk3tprViYHNm
12+ - EmhbpdVtZ2hWRGFWBDjn2i3SJD8Z36z4mpMcZJEnebnP
1113---
1214
1315## Summary
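Review bot: the two ids added under `feature :` carry no label, so the header alone does not tell a reader which gate enables loader-v4 and which one disables loader-v3 deployments. Suggest listing them in the order the Detailed Design introduces them and adding a short trailing comment per entry, if the front-matter format allows it.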
@@ -45,13 +47,15 @@ None.
4547
4648## Detailed Design
4749
48- The associated feature gate must:
50+ The feature gate ` 8Cb77yHjPWe9wuWUfXeh6iszFGCDGNCoFk3tprViYHNm ` must:
4951
50- - add loader-v4 to the write lock demotion exceptions
5152- enable loader-v4 ` LoaderV411111111111111111111111111111111111 ` program
52- management and execution
53- - simultaneously disable new deployments on loader-v3
54- (` BPFLoaderUpgradeab1e11111111111111111111111 ` ),
53+ management and execution.
54+ - enable the loader-v3 ` BPFLoaderUpgradeab1e11111111111111111111111 `
55+ instruction ` UpgradeableLoaderInstruction::Migrate ` .
56+
57+ An additional feature gate ` EmhbpdVtZ2hWRGFWBDjn2i3SJD8Z36z4mpMcZJEnebnP `
58+ must disable new deployments on loader-v3,
5559throwing ` InvalidIstructionData ` if ` DeployWithMaxDataLen ` is called.
5660
5761### Owned Program Accounts
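Review bot: the new paragraph splits the behavior across two feature gates but does not say how they relate in time. With only `8Cb77yHjPWe9wuWUfXeh6iszFGCDGNCoFk3tprViYHNm` active, loader-v3 still accepts `DeployWithMaxDataLen` while `Migrate` is already enabled, and nothing states whether `EmhbpdVtZ2hWRGFWBDjn2i3SJD8Z36z4mpMcZJEnebnP` may activate first or must follow. Suggest one sentence on the intended activation order. The unchanged line the new paragraph flows into still spells the error `InvalidIstructionData`; it should read `InvalidInstructionData`. The removed bullet about adding loader-v4 to the write lock demotion exceptions has no replacement in this hunk, so please confirm it is dropped on purpose.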
@@ -111,7 +115,7 @@ All program management instructions must cost 2000 CUs.
111115 - ` [signer] ` The authority of the program.
112116- Instruction data:
113117 - Enum variant ` 0u32 `
114- - ` u32 ` Offset at which to write the given bytes
118+ - ` u32 ` Byte offset at which to write the given bytes
115119 - ` [u8] ` Chunk of the programs executable file
116120- Behavior:
117121 - Check there are at least two instruction accounts,
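Review bot: "Byte offset" fixes the unit but not the origin: the line does not say whether the offset counts from the start of the program account or from the start of the executable file stored in it. Suggest naming the origin explicitly in the same line. The following context line also needs an apostrophe: "program's executable file".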
@@ -221,7 +225,8 @@ All program management instructions must cost 2000 CUs.
221225 (deployment cooldown), otherwise throw ` InvalidArgument `
222226 - Check that the status stored in the program account is retracted
223227 otherwise throw ` InvalidArgument `
224- - In case a source program was provided (instruction account at index 2):
228+ - In case a source program was provided (instruction account at index 2)
229+ which is not the program account:
225230 - Verify the source program account
226231 - Check that the status stored in the source program account is retracted,
227232 otherwise throw ` InvalidArgument `
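Review bot: in the added condition, the clause "which is not the program account" sits on its own line and can be read as qualifying "index 2" rather than the source program. Suggest "In case a source program was provided (instruction account at index 2) and it is not the program account itself:", and state whether the comparison is by account address.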
@@ -235,7 +240,7 @@ All program management instructions must cost 2000 CUs.
235240 - Set the length of the source program account to zero
236241 - Transfer all funds of the source program account to the program
237242 account
238- - In case no source program was provided:
243+ - otherwise, if no source program was provided:
239244 - Check that the executable file stored in the program account passes
240245 executable verification
241246 - Change the slot in the program account to the current slot
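Review bot: the reworded branch "otherwise, if no source program was provided" still requires that no source was given, while the preceding branch now excludes a source that is the program account, so a source equal to the program account is covered by neither branch. If that case is meant to take the executable verification path, drop the condition and write "Otherwise:". The lowercase "otherwise" also differs from the capitalization of the sibling bullet.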
@@ -372,35 +377,29 @@ exception when shortening the length of program accounts or closing them.
372377instruction, instead of having to build and redeploy an empty program.
373378- properly alignes the executable file relative to the beginning of the
374379account. In loader-v3 it is misaligned.
375- - once all loader-v3 programs are migrated:
376- - allows transaction account loading to be simplifed, because every program
377- would load exactly one account, no need to load the proxy account to get to
378- the actual program data (which is not listed in the transaction accounts).
379- - allows the removal of the write lock demotion exception if loader-v3 is
380- present in a transaction.
381- - corrects the miscounting of the proxy account size towards the total
382- transaction account loading limit.
380+
381+ Once new programs can not be deployed on loader-v3 anymore, the list of all
382+ loader-v3 programs becomes fixed and can be extracted from a snapshot. Using
383+ the added loader-v3 migration instruction and the global migration authority,
384+ the core protocol developers will then migrate all loader-v3 programs to
385+ loader-v4 programs, which once completed:
386+
387+ - allows transaction account loading to be simplifed, because every program
388+ would load exactly one account, no need to load the proxy account to get to
389+ the actual program data (which is not listed in the transaction accounts).
390+ - allows the removal of the write lock demotion exception if loader-v3 is
391+ present in a transaction.
392+ - corrects the miscounting of the program data account size towards the total
393+ transaction account loading limit.
394+ - allows dApp devs to resuscitate closed loader-v3 programs if they still
395+ control the program authority. This allows redeployment at the same address
396+ or completely closing the program account in order to retrieve the locked
397+ funds.
383398
384399## Security Considerations
385400
386401None.
387402
388403## Backwards Compatibility
389404
390- This proposal does not break any existing programs. However, dapp developers
391- might want to profit from the new program mangement instructions without
392- influencing their users work flows. To do so they would need a way to turn the
393- program accounts of loader-v3 to program accounts of loader-v4, changing the
394- account owner but keeping the program address. A potential issue is that the
395- programdata header of loader-v3 is only 45 bytes long while loader-v4 takes 48
396- bytes. An automatic mechanism in the program runtime (triggered by feature
397- activation) could then perform the following steps per program:
398-
399- - loader-v3 clears the program proxy account (setting its size to zero)
400- - loader-v3 transfers all funds from the programdata to the proxy account
401- - loader-v3 gifts the program proxy account to loader-v4
402- - loader-v4 initializes it via ` Truncate `
403- - loader-v4 copies the data from the programdata account via ` Write `
404- - loader-v4 deploys it via ` Deploy `
405- - Optinally, loader-v4 finalizes it without a next version forwarding
406- - loader-v3 closes the programdata account (setting its size to zero)
405+ None.
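Review bot: the added paragraph introduces a "global migration authority" that the core protocol developers use to migrate all loader-v3 programs, and a new bullet lets closed loader-v3 programs be resuscitated, yet "Security Considerations" stays "None." and nothing in this hunk defines who holds that authority or what limits it. Suggest describing the authority, its scope and how it is retired under Security Considerations. "Backwards Compatibility" is likewise reduced to "None." although the added text states that new programs can no longer be deployed on loader-v3, which changes existing deploy workflows. Typos in the added lines: "simplifed" and "can not".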