SIMD-0167: Loader-v4 #167
SIMD-0167: Loader-v4 #167
Conversation
Lichtso
force-pushed
the
loader-v4
branch
12 times, most recently
from
fc20b4e to
bd5ab89
Compare
proposals/0167-loader-v4.md
Outdated
|
|
||
| - loader-v3 clears the program proxy account (setting its size to zero) | ||
| - loader-v3 transfers all funds from the programdata to the proxy account | ||
| - loader-v3 gifts the program proxy account to loader-v4 |
There was a problem hiding this comment.
How would the gifting work? Do we need to add a new instruction to the v3 loader? Will this upgrade mechanism be specified in a future SIMD?
There was a problem hiding this comment.
I see three options here:
- A migrate instruction for loader-v3 which the dApp devs trigger themselves
- A migrate instruction for loader-v3 which we the protocol engineers trigger
- A feature gate which scans the accounts DB and migrates all loader-v3 programs
I would prefer the second option as that allows us to keep the gathering of the loader-v3 program list and then slowly working through it off-chain and still makes sure that all loader-v3 programs get migrated.
There was a problem hiding this comment.
Added a more detailed description of how this would work:
f2d4970
Lichtso
force-pushed
the
loader-v4
branch
2 times, most recently
from
1f95ac3 to
a788388
Compare
Lichtso
force-pushed
the
loader-v4
branch
3 times, most recently
from
05f0b13 to
f2d4970
Compare
There was a problem hiding this comment.
This is looking great! I dropped a bunch of nits but overall I'm pretty happy with the architecture. Thanks for all of the back and forth!
The last piece I'm stuck on is the overloading of the withdraw instruction. I think we should bikeshed a bit about what something like an Erase instruction might look like.
| - Copy the chunk into the program account at the offset shifted by the | ||
| header size |
There was a problem hiding this comment.
Do we want to have any limit on chunk size that's explicit in the program?
There was a problem hiding this comment.
I think we still need to come up with CU costs for all instructions. And that would then implicitly limit the amount you can copy.
There was a problem hiding this comment.
I think we still need to come up with CU costs for all instructions
If we go that way, I would like to have JMP32 and more registers in SBF so that we could improve codegen a bit.
There was a problem hiding this comment.
This is about the loaders instructions, not SBPF instructions.
| - Check there are at least three instruction accounts, | ||
| otherwise throw `NotEnoughAccountKeys` | ||
| - Check that program account and source account do not alias, | ||
| otherwise throw `AccountBorrowFailed` |
There was a problem hiding this comment.
IMO, this error sounds like a bug. I think it's better to let the user know their inputs were bad.
| otherwise throw `AccountBorrowFailed` | |
| otherwise throw `InvalidArgument` |
There was a problem hiding this comment.
This is what is generally emitted by the program runtime whenever borrows do alias. Thus it is consistent.
There was a problem hiding this comment.
I still think it's misleading in this context. It's not a runtime violation, it's a program instruction specification violation, and the violation is literally within the arguments to the program. Furthermore, most devs are familiar with AccountBorrowFailed whenever they obtain a reference to input region data that may have been invalidated.
Lichtso
force-pushed
the
loader-v4
branch
4 times, most recently
from
8450981 to
39d9a44
Compare
allows uninitialized program accounts to be closed and rekeys the feature.
…retract in the "Motivation" section.
Lichtso
force-pushed
the
loader-v4
branch
4 times, most recently
from
1e1d81e to
a41ad2b
Compare
proposals/0167-loader-v4.md
Outdated
| - Check that the status stored in the program account is `NeverBeenDeployed` | ||
| or `Retracted` | ||
| otherwise throw `InvalidArgument` | ||
| - Charge program_length_in_bytes CUs |
There was a problem hiding this comment.
Accounts can be 10MB, but the max CUs for a transaction is 1.4M CUs. So all costs that use the program length will need to be reduced
There was a problem hiding this comment.
Good point, should probably divide by cpi_bytes_per_unit
| otherwise throw `InvalidArgument` | ||
| - Check that there are enough funds in the program account for rent | ||
| exemption of the new length, otherwise throw `InsufficientFunds` | ||
| - Set the length of the program account to the requested new size plus |
There was a problem hiding this comment.
Is it worth specifying special behavior in CPI to limit the new size to size_at_start_of_top_level_instruction + 10kb?
There was a problem hiding this comment.
Getting really close on my side. Based on our last discussion we wanted to add the following to SetAuthority:
- If the program is
Uninitializedwill skip the existing authority check, set the new authority, and set the status toNeverBeenDeployed. - Programs that are
Retractedcan be finalized only if the program length is 0
| - Enum variant `2u32` | ||
| - `u32` The new size after the operation. | ||
| - Behavior: | ||
| - Charge 32 + new_size_in_bytes / cpi_bytes_per_unit CUs |
There was a problem hiding this comment.
Does this mean "new size of the ELF"? So, if I grow a 1,000 byte ELF to 1,005, I have to pay CUs on 1,005 bytes? Why not just charge the delta?
There was a problem hiding this comment.
It is on purpose. The runtime has to memcpy all the existing data when reallocating a vector.
| - Transfer lamports which are not needed for rent exemption from the | ||
| program account to the recipient account | ||
|
|
||
| #### WithdrawAllLamports |
There was a problem hiding this comment.
I really think this instruction should have a crystal-clear name that describes what it's going to do to your program. WithdrawAllLamports is super easy to conflate with WithdrawExcessLamports, and someone could end up destroying their program.
| #### WithdrawAllLamports | |
| #### Erase |
Or, more explicit:
| #### WithdrawAllLamports | |
| #### EraseAndWithdrawAllLamports |
| - Instruction data: | ||
| - Enum variant `5u32` | ||
| - Behavior: | ||
| - Charge 32 CUs |
There was a problem hiding this comment.
Very generous for ELF verification! Any thoughts on beefing this up a bit?
There was a problem hiding this comment.
Another CU charge happens later, a few lines down
No description provided.