Do not unnecessarily re-verify unloaded program #32722
Codecov Report
@@ Coverage Diff @@
## master #32722 +/- ##
=========================================
- Coverage 82.1% 82.1% -0.1%
=========================================
Files 785 785
Lines 211205 211381 +176
=========================================
+ Hits 173432 173559 +127
- Misses 37773 37822 +49
LGTM
@@ -228,16 +228,22 @@ impl LoadedProgram {
elf_bytes: &[u8],
account_size: usize,
metrics: &mut LoadProgramMetrics,
reloading: bool,
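Review bot: the new `reloading: bool` parameter makes a security-critical decision (whether the verifier runs over `elf_bytes` at all) a bare flag that every call site must get right, and the hunk adds no doc comment stating when `true` is permitted. At minimum, document the invariant on the parameter (only for bytes that already passed verification under an unchanged runtime environment); better, keep the verifying constructor as the only safe path and give the reload path its own explicitly `unsafe fn` with a `# Safety` section, so a wrong argument cannot silently skip verification.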
I'm not very familiar with this code, but this PR lgtm.
That said, the API now exposes a potential footgun: you get the
reloading argument wrong and we end up executing untrusted code, which
potentially has catastrophic consequences.
We don't do what I'm about to suggest a lot (sadly), so I'm fine if you want to
merge this as is. However I think we should get into the habit of not having
footguns at the type system level. In this case, I think a safer and rustier API
could be:
fn new(
...leave it as is, no reloading argument
)
/// Reloads a user program, *without* running the verifier.
///
/// This method is unsafe since it assumes that the program has already been verified. Should
/// only be called when ...
unsafe fn reloaded(
...
)
The methods could call a new private new_internal constructor which does what new() does now in this PR.
With this API, all but one call site wouldn't have to worry about potentially
executing unverified code. The (future) call site that will reload will have a
safety comment like:
// Safety: this is safe because ...
unsafe { LoadedProgram::reload(...) };
I realize that in this context this might seem like somewhat of a pedantic/paranoid
remark! But I do wish we did this everywhere in the validator, and we gotta
start somewhere :P
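As an added illustration of the split proposed in the comment above (not code from this PR or from Solana), a minimal `LoadedProgram` whose safe `new` always verifies and whose `unsafe fn reloaded` skips the verifier, both routed through a private `new_internal`; `LoadError`, `verify` and the magic-bytes check are assumed stand-ins for the real ELF verification.

```rust
// Added illustration of the review's suggested API split, not Solana code; `LoadError`,
// `verify` and the magic-bytes check are assumed stand-ins for real ELF verification.
#[derive(Debug, PartialEq)]
pub enum LoadError {
    VerificationFailed(String),
}

/// Stand-in verifier: accepts only non-trivial programs that carry the ELF magic.
fn verify(elf_bytes: &[u8]) -> Result<(), LoadError> {
    if elf_bytes.len() > 4 && elf_bytes.starts_with(b"\x7fELF") {
        Ok(())
    } else {
        Err(LoadError::VerificationFailed("bad header".into()))
    }
}

pub struct LoadedProgram {
    pub account_size: usize,
    pub elf_bytes: Vec<u8>,
}

impl LoadedProgram {
    /// Loads and verifies a program; the only safe way to construct one.
    pub fn new(elf_bytes: &[u8], account_size: usize) -> Result<Self, LoadError> {
        verify(elf_bytes)?;
        Ok(Self::new_internal(elf_bytes, account_size))
    }

    /// Reloads a previously verified program *without* running the verifier.
    /// # Safety
    /// `elf_bytes` must already have passed `verify` under the same runtime
    /// environment; otherwise unverified code could be executed.
    pub unsafe fn reloaded(elf_bytes: &[u8], account_size: usize) -> Self {
        Self::new_internal(elf_bytes, account_size)
    }

    /// Shared construction step; private, so callers outside this module can
    /// only reach it through `new` (verified) or `reloaded` (explicitly unsafe).
    fn new_internal(elf_bytes: &[u8], account_size: usize) -> Self {
        LoadedProgram { account_size, elf_bytes: elf_bytes.to_vec() }
    }
}

fn main() {
    assert!(LoadedProgram::new(b"junk", 0).is_err()); // rejected: never reaches new_internal
    // Safety: constructed bytes that `verify` accepts; a real caller must prove prior verification.
    let p = unsafe { LoadedProgram::reloaded(b"\x7fELFxx", 6) };
    println!("reloaded {} bytes without re-verifying", p.elf_bytes.len());
}
```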
I like the idea of keeping the reload as a separate API that requires an explicit call to it. I'll update the PR.
Problem
The programs might get unloaded from the cache due to cache overflow. The current code re-verifies these programs when reloaded. This is not needed if the runtime environment hasn't changed.
Summary of Changes
Do not re-verify the unloaded programs if the environment hasn't changed.
Fixes #