revive: Bump PolkaVM and add static code validation

[athei]

This PR adds static validation that prevents upload of code that:

1. Contains basic blocks larger than the specified limit (currently 200)
2. Contains invalid instructions
3. Uses the sbrk instruction

Doing that statically at upload time (instead of at runtime) allows us to change the basic block limit or add instructions later without worrying about breaking old code. This is well worth the linear scan of the whole blob on deployment in my opinion. Please note that those checks are not applied when existing code is just run (hot path).

Also some drive by fixes:

• Remove superflous publish = true
• Abort fixture build on warning and fix existing warnings
• Re-enable optimizations in fixture builds (should be fixed now in PolkaVM)
• Disable stripping for fixture builds (maybe we can get some line information on trap via RUST_LOG)

[athei]

bot bench substrate-pallet --pallet=pallet_revive

[command-bot]

@athei https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/7517121 was started for your command "$PIPELINE_SCRIPTS_DIR/commands/bench/bench.sh" --subcommand=pallet --runtime=dev --target_dir=substrate --features=riscv --pallet=pallet_revive. Check out https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/pipelines?page=1&scope=all&username=group_605_bot to know what else is being executed currently.

Comment bot cancel 20-fc723e0a-1450-4c19-87d8-351a73728504 to cancel this command or bot cancel to cancel all commands in this pull request.

[command-bot]

@athei Command "$PIPELINE_SCRIPTS_DIR/commands/bench/bench.sh" --subcommand=pallet --runtime=dev --target_dir=substrate --features=riscv --pallet=pallet_revive has finished. Result: https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/7517121 has finished. If any artifacts were generated, you can download them from https://gitlab.parity.io/parity/mirrors/polkadot-sdk/-/jobs/7517121/artifacts/download.

[xermicus]

A malicious program could trigger the compilation of the whole program

Compilation of a whole program should not be a problem regardless of the amount and size of basic blocks it contains. It follows that the compilation is not properly metered, and the charge for compilation of any BB is implied by the maximum BB size and a combination of some other limits. However we can't easily establish a sensible maximum limit, and charging the maximum for each basic block should heavily penalize contracts with many but small BBs.

We can benchmark the compilation of basic blocks and charge the overhead to ref_time then this wouldn't be a problem?

If this is really required, the PolkaVM linker should have a configurable maximum size for basic blocks, such that too large BBs are split up artificially so this is never going to a problem for contracts compiled with some toolchain that is aware. Otherwise we create a bad experience: We fail compilation of Solidity or ink! contracts if we see too large BBs in the final linked blob, and tell people "sorry you need to refactor your code so that it compiles to smaller basic blocks; glhf". This is nothing developers should never need to care about and reminds me of the Solidity StackTooDeep exception.

With tooling support we can at least counter the user experience problems; but the proper solution would be to benchmark and charge for any work done, including lazy compilation overhead, properly?

[athei]

It follows that the compilation is not properly metered

AFAIK the compilation is not metered at all. IMHO the proper solution would be that the PolkaVM interpreter charges gas up front when encountering a new basic block. I consider the limit a stop gap solution.

However we can't easily establish a sensible maximum limit, and charging the maximum for each basic block should heavily penalize contracts with many but small BBs.

Story of my life. This is always the problem with benchmarking. Only solution is to meter the compilation itself.

If this is really required, the PolkaVM linker should have a configurable maximum size for basic blocks, such that too large BBs are split up artificially so this is never going to a problem for contracts compiled with some toolchain that is aware.

Yes. I think it should be easy to add this to the linker.

[xermicus]

Thanks for the clarification. FWIW I'm fine with this change as a stop-gap given we set the limit to something that makes basic code examples work (like at least 1000 instructions per BB).

[athei]

200 is just what made the example fixtures work. I happily increase the number to whatever you think is appropriate. As of right now it is just a basic line of defense against trivial exploits.

[pgherveou]

You may need to update the umbrella crate as well to get ci to pass

[athei]

Why? publish = true is a noop and this is why I removed it.

[pgherveou]

ok nvm then, I thought I thought the umbrella python script was filtering crate based on the publish flag

[xermicus]

Yeah I see. Well the maximum limit should be what we can set without it causing a DOS vuln. But it's hard to understand what that would be. Since the revive integration tests currently pass with a limit of 584, we have some headroom left with 1000. So I suggest 1000 if it is acceptable security wise.

[pgherveou]

Is that better / faster than not doing the max but checking the block size inside the if block, before resetting it to 0?

[athei]

I moved it into the block.