Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SIMD-0182: Consume requested CUs for sBPF failures #182

Merged
108 changes: 108 additions & 0 deletions proposals/simd-0182-conditional-cu-metering.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
---
simd: '0182'
title: Consume requested CUs for sBPF failures
authors:
- Tao Zhu (Anza)
category: Standard
type: Core
status: Review
created: 2024-10-03
feature:
supersedes:
superseded-by:
extends:
---

## Summary

Adjusting how CU consumption is measured based on the conditions of transaction
execution: successful completion will consume actual CUs, but certain irregular
failures in the sBPF VM will result in the transaction automatically consuming
all requested CUs.

## Motivation

In the Solana protocol, tracking transaction Compute Unit (CU) consumption is a
critical aspect of maintaining consensus. Block costs are part of this
consensus, meaning that all clients must agree on the execution cost of each
transaction, including those that error out during execution. Ensuring
consistency in CU tracking across clients is essential for maintaining protocol
integrity.

To improve performance, Solana programs are often compiled with a JIT that works
at the level of Basic Blocks — linear sequences of sBPF instructions with a
single entry and exit point, and no loops or branches. Basic Blocks allow for
efficient execution by reducing the overhead associated with tracking CU
consumption for each individual sBPF instruction.

Other than in less common situations discussed below, the total CU
consumption for a Basic Block is deterministic and CU accounting can be
done once per basic block instead of at each instruction. A transaction
completing successfully or with most errors implies that execution exited each
basic block at its single exit point, and thus that the total CU consumption of
the execution is equal to the sum of the CU cost of each Basic Block executed.

However, when an exception is thrown during the execution of a Basic Block
(e.g., a null memory dereference or other faults), determining the exact number
of CUs consumed up to the point of failure requires additional effort. For
instance, the Agave client implements a mechanism that tracks the Instruction
Pointer (IP) or Program Counter (PC) to backtrack and estimate the CUs consumed
when an exception occurs. More details on this mechanism can be found
[here](https://github.com/solana-labs/rbpf/blob/57139e9e1fca4f01155f7d99bc55cdcc25b0bc04/src/jit.rs#L267).

While this approach is effective, it introduces additional work and complexity.
These mechanisms are often implementation-specific, and requiring all clients to
track the exact number of executed sBPF instructions for consensus is costly and
unnecessary. Such precision is not essential for protocol-level consensus,
especially since these cases are infrequent.

Instead of mandating implementation-specific work to handle exceptions, we
propose the following clarification in the protocol:

- For successful execution of a Basic Block (i.e., the block exits at the last
sBPF instruction), the deterministic CU cost of the block will be charged to
the transaction’s CU meter. This ensures that CU consumption for successful
transactions is accurately accounted for.
- In the event of irregular failure, where execution aborts from the middle of
basic block, the requested CUs for the transaction will be charged to the CU
meter. This allows for a simple and efficient fallback mechanism that avoids the
need for tracking the exact number of executed instructions up to the point of
failure.
tao-stones marked this conversation as resolved.
Show resolved Hide resolved

By adopting this approach, the protocol avoids the overhead of requiring precise
instruction-level CU tracking for transactions that fail. Instead, the requested
CU limit of the transaction will be used, simplifying the handling of
irregularly failed transactions while still maintaining consensus.

## Alternatives Considered

None

## New Terminology

- [Basic Block](https://en.wikipedia.org/wiki/Basic_block): In the context of
JIT execution and BPF processing, a Basic Block is a sequence of BPF
instructions that forms a single, linear flow of control with no loops or
conditional branches except for the entry and exit points. It represents a
segment of code where execution starts at the first instruction and proceeds
sequentially through to the last instruction without deviation. The Basic Block
is characterized by its predictable execution path, allowing for efficient
budget checks and optimizations, as its Compute Unit (CU) cost can be determined
before execution and verified at the end of the block.

- Irregular transaction failure: A rare case that a Transaction execution aborts
in the middle of executing basic block, results in consuming all requested CUs.

## Detailed Design

If VM execution returns any error except `SyscallError`, transaction's CU meter
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that with direct mapping enabled, we convert EbpfError::AccessViolation into the SyscallError variant here: https://github.com/anza-xyz/agave/blob/af0ed22174999cb62579a0621f6b274c85ebf267/programs/bpf_loader/src/lib.rs#L1501

I am assuming that this access violation should also deplete compute units and should not be considered as an exception right?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, same reasoning as: #182 (comment)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should consume all cu's or not?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, we should. This is not caused by a syscall so the exact instruction counter would have to be calculated otherwise.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just want to call out that this type of access violation is probably going to be fairly common when direct mapping is enabled. So it's not exactly true to say that these types of errors are "rare, exceptional situations" or "A rare case" as we say in the SIMD. We should update the SIMD to say that these types of failures are "less common" rather than rare at least.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that with direct mapping enabled, we convert EbpfError::AccessViolation into the SyscallError variant here: https://github.com/anza-xyz/agave/blob/af0ed22174999cb62579a0621f6b274c85ebf267/programs/bpf_loader/src/lib.rs#L1501

I am assuming that this access violation should also deplete compute units and should not be considered as an exception right?

@tao-stones this should probably be made explicit in the SIMD. Maybe we can say that all EBPF errors from the vm are treated as irregular.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mmm, imo, SIMD's text If VM execution returns any error except SyscallError, .... is clearer.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that a spec should be based on "arbitrary" rust types.
We should clarify what's the expected behavior, for example if there's a memory issue inside a syscall, is that a Syscall or Epbf error?

I agree that if we enter a syscall and that fails, we know the exact number of CUs consumed, and so there's no need to deplete them all. I'm not sure if checking the SyscallError type is the correct implementation though. (In the example above, imo a memory issue inside a syscall should NOT deplete, however I don't know if the error thrown is SyscallError or EbpfError)

should be fully depleted, in another words, all requested CUs are consumed;
otherwise consumes the actual executed CUs.
Comment on lines +98 to +100
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just out of curiosity, why make syscall errors exempt?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My understanding is syscall not happen in VM realm. @Lichtso @ptaffet-jump please correct me if I'm wrong.

Copy link

@topointon-jump topointon-jump Nov 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Syscall errors are never thrown in the middle of basic blocks, so we can easily know exactly how many CUs were consumed when the error was thrown. This is why we can safely make them exempt.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the usual definition of basic blocks, call instructions can occur anywhere in a basic block (apart from the last instruction). So I would say this is unclear.

Also, it does not explain the need for the exemption. I would expect all CUs to be all consumed if a program failed, including if that failure was in a syscall.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would expect all CUs to be all consumed if a program failed, including if that failure was in a syscall.

Why would you expect that? If a program makes a CPI and that invoked program returns an error, we immediately stop executing the transaction and therefore have more time to execute other transactions in a block. If we consume all remaining CUs for that failure, we are wasting that capacity for execution.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@seanyoung: This is mostly about how easy / hard it is to pinpoint the precise fault location. During syscalls the VM has stopped anyway and the return address is known on the stack. Otherwise it can be any location since the last metering (which happens at controlflow instructions). Also syscall errors are far more common and expected to happen regularly, whereas other faults such as access violation only happen in broken programs.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Lichtso that makes sense 👍


## Impact

None

## Security Considerations

None
Loading