LCOV - code coverage report
Current view: top level - ballet/sbpf - fd_sbpf_loader.h (source / functions) Hit Total Coverage
Test: cov.lcov Lines: 27 64 42.2 %
Date: 2025-11-08 04:42:58 Functions: 9 1666 0.5 % 

          Line data    Source code
       1             : #ifndef HEADER_fd_src_ballet_sbpf_fd_sbpf_loader_h
       2             : #define HEADER_fd_src_ballet_sbpf_fd_sbpf_loader_h
       3             : 
       4             : /* fd_sbpf_loader prepares an sBPF program for execution.  This involves
       5             :    parsing and dynamic relocation.
       6             : 
       7             :    Due to historical reasons, this loader is neither a pure static
       8             :    linker nor a real dynamic loader.  For instance, it will ignore the
       9             :    program header table and instead load specific sections at predefined
      10             :    addresses.  However, it will perform dynamic relocation. */
      11             : 
      12             : #include "../../util/fd_util_base.h"
      13             : #include "../elf/fd_elf64.h"
      14             : 
      15             : /* Error types ********************************************************/
      16             : 
      17             : /* FIXME make error types more specific */
      18             : #define FD_SBPF_ERR_INVALID_ELF (1)
      19           6 : #define FD_SBPF_PROG_RODATA_ALIGN 8UL
      20             : 
      21             : /* https://github.com/anza-xyz/sbpf/blob/v0.12.2/src/elf_parser/mod.rs#L17 */
      22             : #define FD_SBPF_ELF_PARSER_SUCCESS                           ( 0)
      23           0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_FILE_HEADER           (-1)
      24           0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_PROGRAM_HEADER        (-2)
      25           0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_SECTION_HEADER        (-3)
      26             : #define FD_SBPF_ELF_PARSER_ERR_INVALID_STRING                (-4)
      27           3 : #define FD_SBPF_ELF_PARSER_ERR_STRING_TOO_LONG               (-5)
      28           0 : #define FD_SBPF_ELF_PARSER_ERR_OUT_OF_BOUNDS                 (-6)
      29           0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_SIZE                  (-7)
      30           0 : #define FD_SBPF_ELF_PARSER_ERR_OVERLAP                       (-8)
      31           0 : #define FD_SBPF_ELF_PARSER_ERR_SECTION_NOT_IN_ORDER          (-9)
      32           0 : #define FD_SBPF_ELF_PARSER_ERR_NO_SECTION_NAME_STRING_TABLE  (-10)
      33           0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_DYNAMIC_SECTION_TABLE (-11)
      34             : #define FD_SBPF_ELF_PARSER_ERR_INVALID_RELOCATION_TABLE      (-12)
      35           0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_ALIGNMENT             (-13)
      36             : #define FD_SBPF_ELF_PARSER_ERR_NO_STRING_TABLE               (-14)
      37             : #define FD_SBPF_ELF_PARSER_ERR_NO_DYNAMIC_STRING_TABLE       (-15)
      38             : 
      39             : /* Map Rust ElfError (elf.rs v0.12.2) to C error codes */
      40             : /* https://github.com/anza-xyz/sbpf/blob/v0.12.2/src/elf.rs#L40-L66 */
      41       21957 : #define FD_SBPF_ELF_SUCCESS                                  (  0)
      42           3 : #define FD_SBPF_ELF_ERR_FAILED_TO_PARSE                      ( -1)
      43           0 : #define FD_SBPF_ELF_ERR_ENTRYPOINT_OUT_OF_BOUNDS             ( -2)
      44           0 : #define FD_SBPF_ELF_ERR_INVALID_ENTRYPOINT                   ( -3)
      45             : #define FD_SBPF_ELF_ERR_FAILED_TO_GET_SECTION                ( -4)
      46           0 : #define FD_SBPF_ELF_ERR_UNRESOLVED_SYMBOL                    ( -5)
      47             : #define FD_SBPF_ELF_ERR_SECTION_NOT_FOUND                    ( -6)
      48           0 : #define FD_SBPF_ELF_ERR_RELATIVE_JUMP_OUT_OF_BOUNDS          ( -7)
      49           0 : #define FD_SBPF_ELF_ERR_SYMBOL_HASH_COLLISION                ( -8)
      50           0 : #define FD_SBPF_ELF_ERR_WRONG_ENDIANNESS                     ( -9)
      51           0 : #define FD_SBPF_ELF_ERR_WRONG_ABI                            (-10)
      52           0 : #define FD_SBPF_ELF_ERR_WRONG_MACHINE                        (-11)
      53           0 : #define FD_SBPF_ELF_ERR_WRONG_CLASS                          (-12)
      54           0 : #define FD_SBPF_ELF_ERR_NOT_ONE_TEXT_SECTION                 (-13)
      55           3 : #define FD_SBPF_ELF_ERR_WRITABLE_SECTION_NOT_SUPPORTED       (-14)
      56             : #define FD_SBPF_ELF_ERR_ADDRESS_OUTSIDE_LOADABLE_SECTION     (-15)
      57           0 : #define FD_SBPF_ELF_ERR_INVALID_VIRTUAL_ADDRESS              (-16)
      58           0 : #define FD_SBPF_ELF_ERR_UNKNOWN_RELOCATION                   (-17)
      59             : #define FD_SBPF_ELF_ERR_FAILED_TO_READ_RELOCATION_INFO       (-18)
      60           0 : #define FD_SBPF_ELF_ERR_WRONG_TYPE                           (-19)
      61           0 : #define FD_SBPF_ELF_ERR_UNKNOWN_SYMBOL                       (-20)
      62           0 : #define FD_SBPF_ELF_ERR_VALUE_OUT_OF_BOUNDS                  (-21)
      63          42 : #define FD_SBPF_ELF_ERR_UNSUPPORTED_SBPF_VERSION             (-22)
      64           0 : #define FD_SBPF_ELF_ERR_INVALID_PROGRAM_HEADER               (-23)
      65             : 
      66             : /* https://github.com/anza-xyz/sbpf/blob/v0.12.2/src/program.rs */
      67         180 : #define FD_SBPF_VERSION_COUNT (5U)
      68         276 : #define FD_SBPF_V0            (0U)
      69       21177 : #define FD_SBPF_V1            (1U)
      70     2339625 : #define FD_SBPF_V2            (2U)
      71   805652562 : #define FD_SBPF_V3            (3U)
      72             : #define FD_SBPF_V4            (4U)
      73         180 : #define FD_SBPF_RESERVED      (FD_SBPF_VERSION_COUNT)
      74             : 
      75             : /* Hardcoded constant for the murmur3_32 hash of the entrypoint. */
      76       12492 : #define FD_SBPF_ENTRYPOINT_PC   (0xb00c380U)
      77          90 : #define FD_SBPF_ENTRYPOINT_HASH (0x71e3cf81U) /* fd_pchash( FD_SBPF_ENTRYPOINT_PC ) */
      78             : 
      79          12 : #define E_FLAGS_SBPF_V2         (0x20U)
      80             : 
      81             : /* Program struct *****************************************************/
      82             : 
      83             : /* fd_sbpf_calldests is a bit vector of valid call destinations.
      84             :    Should be configured to fit any possible program counter.  The max
      85             :    program counter is <size of ELF binary> divided by 8. */
      86             : 
      87             : #define SET_NAME fd_sbpf_calldests
      88             : #include "../../util/tmpl/fd_set_dynamic.c"
      89             : 
      90             : /* The sbpf program footprint is large when stricter elf headers are
      91             :    not enabled due to the calldests bitmap being included.  So, the
      92             :    total footprint of the sbpf_program is the size of the sbpf_program
      93             :    struct plus the calldests bitmap.
      94             : 
      95             :    The calldests bitmap is variable with the text_cnt.  A loose bound on
      96             :    the textcnt is the max size of an account / 8.  So, the max possible
      97             :    text_cnt is 1310720.  So the footprint of the sbpf_calldests is as
      98             :    follows:
      99             :    sizeof(SET_(private_t))-sizeof(SET_(t)) + sizeof(SET_(t))*SET_(private_word_cnt)( max )
     100             :    private_word_cnt(1310720) = 20480
     101             :    sizeof(SET_(t)) = 8 (ulong)
     102             :    sizeof(SET_(private_t)) = 32
     103             :    */
     104             : #define FD_SBPF_TEXT_CNT_MAX (FD_RUNTIME_ACC_SZ_MAX / 8UL)
     105             : #define FD_SBPF_CALLDESTS_PRIVATE_WORD_CNT ( (FD_SBPF_TEXT_CNT_MAX +63UL)>>6 )
     106             : #define FD_SBPF_PROGRAM_FOOTPRINT (sizeof(fd_sbpf_calldests_private_t)-sizeof(ulong) + sizeof(ulong)*FD_SBPF_CALLDESTS_PRIVATE_WORD_CNT )
     107             : 
     108             : /* fd_sbpf_syscall_func_t is a callback implementing an sBPF syscall.
     109             :    vm is a handle to the running VM.  Returns 0 on suceess or an integer
     110             :    error code on failure.
     111             : 
     112             :    IMPORTANT SAFETY TIP!  See notes in
     113             :    flamenco/vm/syscall/fd_vm_syscall.h on what a syscall should expect
     114             :    to see and expect to return. */
     115             : 
     116             : /* FIXME: THIS BELONGS IN FLAMENCO/VM */
     117             : 
     118             : typedef int
     119             : (*fd_sbpf_syscall_func_t)( void *  vm,
     120             :                            ulong   arg0,
     121             :                            ulong   arg1,
     122             :                            ulong   arg2,
     123             :                            ulong   arg3,
     124             :                            ulong   arg4,
     125             :                            ulong * _ret );
     126             : 
     127             : /* fd_sbpf_syscalls_t maps syscall IDs => a name and a VM specific
     128             :    context.  FIXME: THIS ALSO PROBABLY BELONGS IN FLAMENCO/VM */
     129             : 
     130     1029234 : #define FD_SBPF_SYSCALLS_LG_SLOT_CNT (7)
     131             : #define FD_SBPF_SYSCALLS_SLOT_CNT    (1UL<<FD_SBPF_SYSCALLS_LG_SLOT_CNT)
     132             : 
     133             : /* The syscalls map keys should technically be of type uint since they are
     134             :    just murmur32 hashes. However, Agave's BTree allows the full range to be
     135             :    used as a key [0, UINT_MAX]. So we need to define a wider key type to
     136             :    allow for a NULL value that is outside this range. We use ulong here. */
     137             : 
     138             : struct fd_sbpf_syscalls {
     139             :   ulong                  key;  /* Murmur3-32 hash of function name */
     140             :   fd_sbpf_syscall_func_t func; /* Function pointer */
     141             :   char const *           name; /* Infinite lifetime pointer to function name */
     142             : };
     143             : 
     144             : typedef struct fd_sbpf_syscalls fd_sbpf_syscalls_t;
     145             : 
     146             : #define MAP_NAME              fd_sbpf_syscalls
     147       16965 : #define MAP_T                 fd_sbpf_syscalls_t
     148        9225 : #define MAP_HASH_T            ulong
     149      996873 : #define MAP_KEY_NULL          ULONG_MAX         /* Any number greater than UINT_MAX works */
     150       14730 : #define MAP_KEY_INVAL(k)      ( k > UINT_MAX )  /* Force keys to uint size */
     151       11871 : #define MAP_KEY_EQUAL(k0,k1)  (k0)==(k1)
     152             : #define MAP_KEY_EQUAL_IS_SLOW 0
     153        9225 : #define MAP_KEY_HASH(k)       (k)
     154             : #define MAP_MEMOIZE           0
     155     1028847 : #define MAP_LG_SLOT_CNT       FD_SBPF_SYSCALLS_LG_SLOT_CNT
     156             : #include "../../util/tmpl/fd_map.c"
     157             : 
     158             : #define FD_SBPF_SYSCALLS_FOOTPRINT (sizeof(fd_sbpf_syscalls_t) * (1UL<<FD_SBPF_SYSCALLS_LG_SLOT_CNT))
     159             : #define FD_SBPF_SYSCALLS_ALIGN     alignof(fd_sbpf_syscalls_t)
     160             : 
     161             : /* fd_sbpf_elf_info_t contains basic information extracted from an ELF
     162             :    binary. Indicates how much scratch memory and buffer size is required
     163             :    to fully load the program. */
     164             : 
     165             : struct fd_sbpf_elf_info {
     166             :   ulong bin_sz;   /* size of ELF binary */
     167             : 
     168             :   uint  text_off; /* File offset of .text section (overlaps rodata segment) */
     169             :   uint  text_cnt; /* Instruction count */
     170             :   ulong text_sz;  /* size of text segment. Guaranteed to be <= bin_sz. */
     171             : 
     172             :   /* Known section indices
     173             :      In [-1,USHORT_MAX) where -1 means "not found" */
     174             :   int shndx_text;
     175             :   int shndx_symtab;
     176             :   int shndx_strtab;
     177             :   int shndx_dyn;
     178             :   int shndx_dynstr;
     179             :   int shndx_dynsymtab; /* Section header index of the dynamic symbol table */
     180             : 
     181             :   /* Known program header indices (like shndx_*) */
     182             :   int phndx_dyn;
     183             : 
     184             :   /* Dynamic relocation table entries */
     185             :   uint dt_rel_off; /* File offset of dynamic relocation table */
     186             :   uint dt_rel_sz;  /* Number of dynamic relocation table entries */
     187             : 
     188             :   /* SBPF version, SIMD-0161 */
     189             :   ulong sbpf_version;
     190             : };
     191             : typedef struct fd_sbpf_elf_info fd_sbpf_elf_info_t;
     192             : 
     193             : /* fd_sbpf_program_t describes a loaded program in memory.
     194             : 
     195             :    [rodata,rodata+bin_sz) is an externally allocated buffer holding
     196             :    the read-only segment to be loaded into the VM.  WARNING: The rodata
     197             :    area required doing load (bin_sz) is larger than the area mapped into
     198             :    the VM (rodata_sz).
     199             : 
     200             :    [text,text+8*text_cnt) is a sub-region of the read-only segment
     201             :    containing executable code.
     202             : 
     203             :    We need to maintain a separate value tracking the entrypoint calldest
     204             :    because we lay out our calldests in a set instead of a map (like
     205             :    Agave does), which is more performant but comes with a few footguns.
     206             :    Since we only store the target PC and not a keypair of <hash, target
     207             :    PC>, we need to make sure we unregister the correct target PC from
     208             :    the map. For all other cases besides the b"entrypoint" string, we can
     209             :    simply check for membership within the calldests set because the
     210             :    32-bit murmur3 hash function is bijective, implying key collision iff
     211             :    value collision. However, the b"entrypoint" string is a special case
     212             :    because the key is the hardcoded hash of the b"entrypoint" string,
     213             :    but the value can correspond to any target PC. This means that
     214             :    someone could register several different target PCs with the same
     215             :    entrypoint PC, and we cannot figure out which target PC we must
     216             :    unregister. Additionally, we would not be able to check for
     217             :    collisions for multiple registered b"entrypoint" strings with
     218             :    different target PCs.
     219             : 
     220             :    Once entry_pc is set, any future calls to set the entry_pc within the
     221             :    loader will error out with FD_SBPF_ELF_ERR_SYMBOL_HASH_COLLISION. */
     222             : 
     223             : struct __attribute__((aligned(32UL))) fd_sbpf_program {
     224             :   fd_sbpf_elf_info_t info;
     225             : 
     226             :   /* rodata segment to be mapped into VM memory */
     227             :   void * rodata;     /* rodata segment data */
     228             :   ulong  rodata_sz;  /* size of read-only data */
     229             : 
     230             :   /* text section within rodata segment */
     231             :   ulong * text;
     232             :   ulong   entry_pc;  /* entrypoint PC (at text[ entry_pc ]). ULONG_MAX if not set. */
     233             : 
     234             :   /* Bit vector of valid call destinations (bit count is text_cnt). */
     235             :   void * calldests_shmem;
     236             :   /* Local join to bit vector of valid call destinations (target PCs) */
     237             :   fd_sbpf_calldests_t * calldests;
     238             : };
     239             : typedef struct fd_sbpf_program fd_sbpf_program_t;
     240             : 
     241             : struct fd_sbpf_loader_config {
     242             :   union {
     243             :    int elf_deploy_checks;
     244             :    int reject_broken_elfs;
     245             :   };
     246             :   uint sbpf_min_version;
     247             :   uint sbpf_max_version;
     248             : };
     249             : typedef struct fd_sbpf_loader_config fd_sbpf_loader_config_t;
     250             : 
     251             : /* Prototypes *********************************************************/
     252             : 
     253             : FD_PROTOTYPES_BEGIN
     254             : 
     255             : /* fd_sbpf_elf_peek partially parses the given ELF file in memory region
     256             :    [bin,bin+bin_sz)  Populates `info`.  Returns `info` on success.  On
     257             :    failure, returns NULL.
     258             : 
     259             :    elf_deploy_checks: The Agave ELF loader introduced additional checks
     260             :    that would fail on (certain) existing mainnet programs. Since it is
     261             :    impossible to retroactively enforce these checks on already deployed programs,
     262             :    a guard flag is used to enable these checks only when deploying programs.
     263             : 
     264             :    sbpf_min_version, sbpf_max_version: determine the min, max SBPF version
     265             :    allowed, version is retrieved from the ELF header. See SIMD-0161. */
     266             : 
     267             : int
     268             : fd_sbpf_elf_peek( fd_sbpf_elf_info_t *            info,
     269             :                   void const *                    bin,
     270             :                   ulong                           bin_sz,
     271             :                   fd_sbpf_loader_config_t const * config );
     272             : 
     273             : /* fd_sbpf_program_{align,footprint} return the alignment and size
     274             :    requirements of the memory region backing the fd_sbpf_program_t
     275             :    object. */
     276             : 
     277             : FD_FN_CONST ulong
     278             : fd_sbpf_program_align( void );
     279             : 
     280             : FD_FN_PURE ulong
     281             : fd_sbpf_program_footprint( fd_sbpf_elf_info_t const * info );
     282             : 
     283             : /* fd_sbpf_program_new formats prog_mem to hold an fd_sbpf_program_t.
     284             :    prog_mem must match footprint requirements of the given elf_info.
     285             :    elf_info may be deallocated on return.
     286             : 
     287             :    rodata is the read-only segment buffer that the program is configured
     288             :    against and must be valid for the lifetime of the program object. It
     289             :    should also meet the alignment requirements of the program object.
     290             :    */
     291             : 
     292             : fd_sbpf_program_t *
     293             : fd_sbpf_program_new( void *                     prog_mem,
     294             :                      fd_sbpf_elf_info_t const * elf_info,
     295             :                      void *                     rodata );
     296             : 
     297             : /* fd_sbpf_program_load loads an eBPF program for execution.
     298             : 
     299             :    prog is a program object allocated with fd_sbpf_program_new and must
     300             :    match the footprint requirements of this ELF file.
     301             : 
     302             :    Initializes and populates the program struct with information about
     303             :    the program and prepares the read-only segment provided in
     304             :    fd_sbpf_program_new. This includes performing relocations in the
     305             :    ELF file and zeroing gaps between rodata sections.
     306             : 
     307             :    Memory region [bin,bin+bin_sz) contains the ELF file to be loaded.
     308             : 
     309             :    syscalls should be a pointer to a map of registered syscalls and
     310             :    will be checked against when registering calldests for potential
     311             :    symbol collisions.
     312             : 
     313             :    scratch should be a pointer to a scratch area with size scratch_sz,
     314             :    used to allocate a temporary buffer for the parsed rodata sections
     315             :    before copying it back into the rodata.  recommended size is bin_sz.
     316             : 
     317             :    On success, returns 0.
     318             :    On error, returns FD_SBPF_ERR_*.
     319             : 
     320             :    ### Compliance
     321             : 
     322             :    As of writing, this loader is conformant with Solana SBPF v0.12.2,
     323             :    SBPF versions V0, V1, and V2.
     324             :    */
     325             : 
     326             : int
     327             : fd_sbpf_program_load( fd_sbpf_program_t *             prog,
     328             :                       void const *                    bin,
     329             :                       ulong                           bin_sz,
     330             :                       fd_sbpf_syscalls_t *            syscalls,
     331             :                       fd_sbpf_loader_config_t const * config,
     332             :                       void *                          scratch,
     333             :                       ulong                           scratch_sz );
     334             : 
     335             : /* fd_sbpf_program_delete destroys the program object and unformats the
     336             :    memory regions holding it. */
     337             : 
     338             : void *
     339             : fd_sbpf_program_delete( fd_sbpf_program_t * program );
     340             : 
     341             : /* SBPF versions and features. This should stay in sync with the macro
     342             :    definitions in fd_vm_private.h until they are removed (once Agave
     343             :    cleans up the jump table).
     344             :    https://github.com/anza-xyz/sbpf/blob/v0.12.2/src/program.rs#L28 */
     345             : 
     346          12 : #define FD_VM_SBPF_DYNAMIC_STACK_FRAMES_ALIGN (64U)
     347             : 
     348             : /* SIMD-0166 */
     349         297 : static inline int fd_sbpf_dynamic_stack_frames_enabled       ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V1; }
     350             : 
     351             : /* SIMD-0173 */
     352          42 : static inline int fd_sbpf_callx_uses_src_reg_enabled         ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V2; }
     353           0 : static inline int fd_sbpf_enable_lddw_enabled                ( ulong sbpf_version ) { return sbpf_version<FD_SBPF_V2; }
     354           0 : static inline int fd_sbpf_enable_le_enabled                  ( ulong sbpf_version ) { return sbpf_version<FD_SBPF_V2; }
     355           0 : static inline int fd_sbpf_move_memory_ix_classes_enabled     ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V2; }
     356             : 
     357             : /* SIMD-0174 */
     358           0 : static inline int fd_sbpf_enable_neg_enabled                 ( ulong sbpf_version ) { return sbpf_version<FD_SBPF_V2; }
     359           0 : static inline int fd_sbpf_swap_sub_reg_imm_operands_enabled  ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V2; }
     360           0 : static inline int fd_sbpf_explicit_sign_ext_enabled          ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V2; }
     361           0 : static inline int fd_sbpf_enable_pqr_enabled                 ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V2; }
     362             : 
     363             : /* SIMD-0178 */
     364           0 : static inline int fd_sbpf_static_syscalls_enabled            ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V3; }
     365           0 : static inline int fd_sbpf_enable_elf_vaddr_enabled           ( ulong sbpf_version ) { return sbpf_version!=FD_SBPF_V0; }
     366           0 : static inline int fd_sbpf_reject_rodata_stack_overlap_enabled( ulong sbpf_version ) { return sbpf_version!=FD_SBPF_V0; }
     367             : 
     368             : /* SIMD-0189 */
     369   805496394 : static inline int fd_sbpf_enable_stricter_elf_headers_enabled( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V3; }
     370           0 : static inline int fd_sbpf_enable_lower_bytecode_vaddr_enabled( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V3; }
     371             : 
     372             : FD_PROTOTYPES_END
     373             : 
     374             : #endif /* HEADER_fd_src_ballet_sbpf_fd_sbpf_loader_h */

Generated by: LCOV version 1.14