Line data Source code
1 : #ifndef HEADER_fd_src_flamenco_vm_fd_vm_private_h
2 : #define HEADER_fd_src_flamenco_vm_fd_vm_private_h
3 :
4 : #include "fd_vm.h"
5 :
6 : #include "../runtime/fd_runtime_const.h"
7 : #include "../runtime/fd_runtime.h"
8 : #include "fd_vm_base.h"
9 :
10 : /* FD_VM_ALIGN_RUST_{} define the alignments for relevant rust types.
11 : Alignments are derived with std::mem::align_of::<T>() and are enforced
12 : by the VM (with the exception of v1 loader).
13 :
14 : In our implementation, when calling FD_VM_MEM_HADDR_ST / FD_VM_MEM_HADDR_LD,
15 : we need to make sure we're passing the correct alignment based on the Rust
16 : type in the corresponding mapping in Agave.
17 :
18 : FD_VM_ALIGN_RUST_{} has been generated with this Rust code:
19 : ```rust
20 : pub type Epoch = u64;
21 : pub struct Pubkey(pub [u8; 32]);
22 : pub struct AccountMeta {
23 : pub lamports: u64,
24 : pub rent_epoch: Epoch,
25 : pub owner: Pubkey,
26 : pub executable: bool,
27 : }
28 :
29 : pub struct PodScalar(pub [u8; 32]);
30 :
31 : fn main() {
32 : println!("u8: {}", std::mem::align_of::<u8>());
33 : println!("u32: {}", std::mem::align_of::<u32>());
34 : println!("u64: {}", std::mem::align_of::<u64>());
35 : println!("u128: {}", std::mem::align_of::<u128>());
36 : println!("&[u8]: {}", std::mem::align_of::<&[u8]>());
37 : println!("AccountMeta: {}", std::mem::align_of::<AccountMeta>());
38 : println!("PodScalar: {}", std::mem::align_of::<PodScalar>());
39 : println!("Pubkey: {}", std::mem::align_of::<Pubkey>());
40 : }
41 : ``` */
42 :
43 141 : #define FD_VM_ALIGN_RUST_U8 (1UL)
44 : #define FD_VM_ALIGN_RUST_U32 (4UL)
45 15 : #define FD_VM_ALIGN_RUST_I32 (4UL)
46 : #define FD_VM_ALIGN_RUST_U64 (8UL)
47 : #define FD_VM_ALIGN_RUST_SLICE_U8_REF (8UL)
48 33 : #define FD_VM_ALIGN_RUST_POD_U8_ARRAY (1UL)
49 0 : #define FD_VM_ALIGN_RUST_PUBKEY (1UL)
50 0 : #define FD_VM_ALIGN_RUST_SYSVAR_CLOCK (8UL)
51 0 : #define FD_VM_ALIGN_RUST_SYSVAR_EPOCH_SCHEDULE (8UL)
52 0 : #define FD_VM_ALIGN_RUST_SYSVAR_RENT (8UL)
53 0 : #define FD_VM_ALIGN_RUST_SYSVAR_LAST_RESTART_SLOT (8UL)
54 : #define FD_VM_ALIGN_RUST_SYSVAR_EPOCH_REWARDS (16UL)
55 :
56 : /* fd_vm_vec_t is the in-memory representation of a vector descriptor.
57 : Equal in layout to the Rust slice header &[_] and various vector
58 : types in the C version of the syscall API. */
59 : /* FIXME: WHEN IS VADDR NULL AND/OR SZ 0 OKAY? */
60 : /* FIXME: MOVE FD_VM_RUST_VEC_T FROM SYSCALL/FD_VM_CPI.H HERE TOO? */
61 :
62 : #define FD_VM_VEC_ALIGN FD_VM_ALIGN_RUST_SLICE_U8_REF
63 693 : #define FD_VM_VEC_SIZE (16UL)
64 :
65 : struct __attribute__((packed)) fd_vm_vec {
66 : ulong addr; /* FIXME: NAME -> VADDR */
67 : ulong len; /* FIXME: NAME -> SZ */
68 : };
69 :
70 : typedef struct fd_vm_vec fd_vm_vec_t;
71 :
72 : FD_STATIC_ASSERT( sizeof(fd_vm_vec_t)==FD_VM_VEC_SIZE, fd_vm_vec size mismatch );
73 :
74 : /* SBPF version and features
75 : https://github.com/anza-xyz/sbpf/blob/v0.12.2/src/program.rs#L28
76 : Note: SIMDs enable or disable features, e.g. BPF instructions.
77 : If we have macros with names ENABLE vs DISABLE, we have the advantage that
78 : the condition is always pretty clear: sbpf_version <= activation_version,
79 : but the disadvantage of inconsistent names.
80 : Viceversa, calling everything ENABLE has the risk to invert a <= with a >=
81 : and create a huge mess.
82 : We define both, so hopefully it's foolproof. */
83 :
84 : /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L28-L93 */
85 : /* SIMD-0166 */
86 805941633 : #define FD_VM_SBPF_MANUAL_STACK_FRAME_BUMP(v) ( v == FD_SBPF_V1 || v == FD_SBPF_V2 ) /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L32-L34 */
87 : #define FD_VM_SBPF_STACK_FRAME_GAPS(v) ( v == FD_SBPF_V0 ) /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L36-L38 */
88 : /* SIMD-0174 */
89 2256258 : #define FD_VM_SBPF_ENABLE_PQR(v) ( v == FD_SBPF_V2 ) /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L41-L43 */
90 181056 : #define FD_VM_SBPF_EXPLICIT_SIGN_EXTENSION_OF_RESULTS(v) ( v == FD_SBPF_V2 ) /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L45-L47 */
91 90528 : #define FD_VM_SBPF_SWAP_SUB_REG_IMM_OPERANDS(v) ( v == FD_SBPF_V2 ) /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L49-L51 */
92 56742 : #define FD_VM_SBPF_DISABLE_NEG(v) ( v == FD_SBPF_V2 ) /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L53-L55 */
93 : /* SIMD-0173 */
94 11478 : #define FD_VM_SBPF_CALLX_USES_SRC_REG(v) ( v == FD_SBPF_V2 ) /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L58-L60 */
95 113484 : #define FD_VM_SBPF_DISABLE_LDDW(v) ( v == FD_SBPF_V2 ) /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L62-L64 */
96 56742 : #define FD_VM_SBPF_DISABLE_LE(v) ( v == FD_SBPF_V2 ) /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L66-L68 */
97 1361808 : #define FD_VM_SBPF_MOVE_MEMORY_IX_CLASSES(v) ( v == FD_SBPF_V2 ) /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L70-L72 */
98 : /* SIMD-0178 */
99 45264 : #define FD_VM_SBPF_STATIC_SYSCALLS(v) ( v >= FD_SBPF_V3 ) /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L75-L77 */
100 : /* SIMD-0189 */
101 : #define FD_VM_SBPF_ENABLE_STRICTER_ELF_HEADERS(v) ( v >= FD_SBPF_V3 ) /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L79-L81 */
102 34851 : #define FD_VM_SBPF_ENABLE_LOWER_RODATA_VADDR(v) ( v >= FD_SBPF_V3 ) /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L83-L85 */
103 : /* SIMD-0377 */
104 1007286 : #define FD_VM_SBPF_ENABLE_JMP32(v) ( v >= FD_SBPF_V3 ) /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L87-L89 */
105 7143 : #define FD_VM_SBPF_CALLX_USES_DST_REG(v) ( v >= FD_SBPF_V3 ) /* https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/program.rs#L91-L93 */
106 :
107 48912 : #define FD_VM_OFFSET_MASK (0xffffffffUL)
108 :
109 : /* https://github.com/anza-xyz/agave/blob/v3.0.1/transaction-context/src/lib.rs#L32 */
110 24 : #define FD_MAX_ACCOUNT_DATA_GROWTH_PER_TRANSACTION ((long)(FD_RUNTIME_ACC_SZ_MAX * 2UL))
111 :
112 : /* Kept equal to the canonical constant in fd_runtime_const.h, which the
113 : bpf loader serialization buffer bound relies on. */
114 : FD_STATIC_ASSERT( FD_MAX_ACCOUNT_DATA_GROWTH_PER_TRANSACTION==(long)FD_RUNTIME_ACC_DATA_GROWTH_MAX_PER_TXN, account_data_growth_cap );
115 :
116 : FD_PROTOTYPES_BEGIN
117 :
118 : /* Error logging handholding assertions */
119 :
120 : #ifdef FD_RUNTIME_ERR_HANDHOLDING
121 : /* Asserts that the error and error kind are populated (non-zero) */
122 : #define FD_VM_TEST_ERR_EXISTS( vm ) \
123 : FD_TEST( vm->instr_ctx->txn_out->err.exec_err ); \
124 : FD_TEST( vm->instr_ctx->txn_out->err.exec_err_kind )
125 :
126 : /* Used prior to a FD_VM_ERR_FOR_LOG_INSTR call to deliberately
127 : bypass overwrite handholding checks.
128 : Only use this if you know what you're doing. */
129 : #define FD_VM_PREPARE_ERR_OVERWRITE( vm ) \
130 : vm->instr_ctx->txn_out->err.exec_err = 0; \
131 : vm->instr_ctx->txn_out->err.exec_err_kind = 0
132 :
133 : /* Asserts that the error and error kind are not populated (zero) */
134 : #define FD_VM_TEST_ERR_OVERWRITE( vm ) \
135 : FD_TEST( !vm->instr_ctx->txn_out->err.exec_err ); \
136 : FD_TEST( !vm->instr_ctx->txn_out->err.exec_err_kind )
137 : #else
138 0 : #define FD_VM_TEST_ERR_EXISTS( vm ) ( ( void )0 )
139 81 : #define FD_VM_PREPARE_ERR_OVERWRITE( vm ) ( ( void )0 )
140 687 : #define FD_VM_TEST_ERR_OVERWRITE( vm ) ( ( void )0 )
141 : #endif
142 :
143 : /* Log error within the instr_ctx to match Agave/Rust error. */
144 :
145 99 : #define FD_VM_ERR_FOR_LOG_EBPF( vm, err_ ) (__extension__({ \
146 99 : FD_VM_TEST_ERR_OVERWRITE( vm ); \
147 99 : vm->instr_ctx->txn_out->err.exec_err = err_; \
148 99 : vm->instr_ctx->txn_out->err.exec_err_kind = FD_EXECUTOR_ERR_KIND_EBPF; \
149 99 : }))
150 :
151 288 : #define FD_VM_ERR_FOR_LOG_SYSCALL( vm, err_ ) (__extension__({ \
152 288 : FD_VM_TEST_ERR_OVERWRITE( vm ); \
153 288 : vm->instr_ctx->txn_out->err.exec_err = err_; \
154 288 : vm->instr_ctx->txn_out->err.exec_err_kind = FD_EXECUTOR_ERR_KIND_SYSCALL; \
155 288 : }))
156 :
157 300 : #define FD_VM_ERR_FOR_LOG_INSTR( vm, err_ ) (__extension__({ \
158 300 : FD_VM_TEST_ERR_OVERWRITE( vm ); \
159 300 : vm->instr_ctx->txn_out->err.exec_err = err_; \
160 300 : vm->instr_ctx->txn_out->err.exec_err_kind = FD_EXECUTOR_ERR_KIND_INSTR; \
161 300 : }))
162 :
163 48867 : #define FD_VADDR_TO_REGION( _vaddr ) fd_ulong_min( (_vaddr) >> FD_VM_MEM_MAP_REGION_VIRT_ADDR_BITS, FD_VM_HIGH_REGION )
164 :
165 : /* fd_vm_instr APIs ***************************************************/
166 :
167 : /* FIXME: MIGRATE FD_SBPF_INSTR_T STUFF TO THIS API */
168 :
169 : /* fd_vm_instr returns the SBPF instruction word corresponding to the
170 : given fields. */
171 :
172 : FD_FN_CONST static inline ulong
173 : fd_vm_instr( ulong opcode, /* Assumed valid */
174 : ulong dst, /* Assumed in [0,FD_VM_REG_CNT) */
175 : ulong src, /* Assumed in [0,FD_VM_REG_CNT) */
176 : short offset,
177 238758 : uint imm ) {
178 238758 : return opcode | (dst<<8) | (src<<12) | (((ulong)(ushort)offset)<<16) | (((ulong)imm)<<32);
179 238758 : }
180 :
181 : /* fd_vm_instr_* return the SBPF instruction field for the given word.
182 : fd_vm_instr_{normal,mem}_* only apply to {normal,mem} opclass
183 : instructions. */
184 :
185 490188 : FD_FN_CONST static inline ulong fd_vm_instr_opcode( ulong instr ) { return instr & 255UL; } /* In [0,256) */
186 490188 : FD_FN_CONST static inline ulong fd_vm_instr_dst ( ulong instr ) { return ((instr>> 8) & 15UL); } /* In [0,16) */
187 490188 : FD_FN_CONST static inline ulong fd_vm_instr_src ( ulong instr ) { return ((instr>>12) & 15UL); } /* In [0,16) */
188 490188 : FD_FN_CONST static inline ulong fd_vm_instr_offset( ulong instr ) { return (ulong)(long)(short)(ushort)(instr>>16); }
189 514332 : FD_FN_CONST static inline uint fd_vm_instr_imm ( ulong instr ) { return (uint)(instr>>32); }
190 :
191 0 : FD_FN_CONST static inline ulong fd_vm_instr_opclass ( ulong instr ) { return instr & 7UL; } /* In [0,8) */
192 0 : FD_FN_CONST static inline ulong fd_vm_instr_normal_opsrc ( ulong instr ) { return (instr>>3) & 1UL; } /* In [0,2) */
193 0 : FD_FN_CONST static inline ulong fd_vm_instr_normal_opmode ( ulong instr ) { return (instr>>4) & 15UL; } /* In [0,16) */
194 0 : FD_FN_CONST static inline ulong fd_vm_instr_mem_opsize ( ulong instr ) { return (instr>>3) & 3UL; } /* In [0,4) */
195 0 : FD_FN_CONST static inline ulong fd_vm_instr_mem_opaddrmode( ulong instr ) { return (instr>>5) & 7UL; } /* In [0,16) */
196 :
197 : /* fd_vm_mem API ******************************************************/
198 :
199 : /* fd_vm_mem APIs support the fast mapping of virtual address ranges to
200 : host address ranges. The SBPF virtual address space consists of
201 : 5 consecutive 4 GiB regions (see fd_vm_base.h for layout). The
202 : mapable size of each region is less than 4 GiB (as implied by
203 : FD_VM_MEM_MAP_REGION_SZ==2^32-1 and that Solana protocol limits are
204 : much smaller still), so a valid virtual address range cannot span
205 : multiple regions. */
206 :
207 : /* fd_vm_mem_cfg configures the vm's tlb arrays. Assumes vm is valid
208 : and vm already has configured the rodata, stack, heap and input
209 : regions. Returns vm. */
210 :
211 : static inline fd_vm_t *
212 17655 : fd_vm_mem_cfg( fd_vm_t * vm ) {
213 17655 : if( FD_VM_SBPF_ENABLE_LOWER_RODATA_VADDR( vm->sbpf_version ) ) {
214 : /* In SBPF V3, rodata is at vaddr 0:
215 : [rodata@0, empty@0x100000000, stack@0x200000000, heap@0x300000000, input@0x400000000]
216 :
217 : This is so that we don't need to do any relocations - all rodata
218 : accesses are direct offsets from 0.
219 :
220 : https://github.com/anza-xyz/sbpf/blob/v0.14.4/src/elf.rs#L358-L362
221 : https://github.com/anza-xyz/agave/blob/v4.0.0-beta.4/syscalls/src/lib.rs#L346 */
222 897 : vm->region_haddr[0] = (ulong)vm->rodata; vm->region_ld_sz[0] = (uint)vm->rodata_sz; vm->region_st_sz[0] = (uint)0UL;
223 897 : vm->region_haddr[FD_VM_PROG_REGION] = 0UL; vm->region_ld_sz[FD_VM_PROG_REGION] = (uint)0UL; vm->region_st_sz[FD_VM_PROG_REGION] = (uint)0UL;
224 16758 : } else {
225 : /* V0-V2: region 0 unused, rodata at region 1 (vaddr 0x100000000) */
226 16758 : vm->region_haddr[0] = 0UL; vm->region_ld_sz[0] = (uint)0UL; vm->region_st_sz[0] = (uint)0UL;
227 16758 : vm->region_haddr[FD_VM_PROG_REGION] = (ulong)vm->rodata; vm->region_ld_sz[FD_VM_PROG_REGION] = (uint)vm->rodata_sz; vm->region_st_sz[FD_VM_PROG_REGION] = (uint)0UL;
228 16758 : }
229 17655 : vm->region_haddr[FD_VM_STACK_REGION] = (ulong)vm->stack; vm->region_ld_sz[FD_VM_STACK_REGION] = (uint)FD_VM_STACK_MAX; vm->region_st_sz[FD_VM_STACK_REGION] = (uint)FD_VM_STACK_MAX;
230 17655 : vm->region_haddr[FD_VM_HEAP_REGION] = (ulong)vm->heap; vm->region_ld_sz[FD_VM_HEAP_REGION] = (uint)vm->heap_max; vm->region_st_sz[FD_VM_HEAP_REGION] = (uint)vm->heap_max;
231 17655 : vm->region_haddr[5] = 0UL; vm->region_ld_sz[5] = (uint)0UL; vm->region_st_sz[5] = (uint)0UL;
232 17655 : if( vm->direct_mapping || !vm->input_mem_regions_cnt ) {
233 : /* When direct mapping is enabled, we don't use these fields because
234 : the load and stores are fragmented. */
235 7320 : vm->region_haddr[FD_VM_INPUT_REGION] = 0UL;
236 7320 : vm->region_ld_sz[FD_VM_INPUT_REGION] = 0U;
237 7320 : vm->region_st_sz[FD_VM_INPUT_REGION] = 0U;
238 10335 : } else {
239 10335 : vm->region_haddr[FD_VM_INPUT_REGION] = vm->input_mem_regions[0].haddr;
240 10335 : vm->region_ld_sz[FD_VM_INPUT_REGION] = vm->input_mem_regions[0].region_sz;
241 10335 : vm->region_st_sz[FD_VM_INPUT_REGION] = vm->input_mem_regions[0].region_sz;
242 10335 : }
243 17655 : return vm;
244 17655 : }
245 :
246 : /* Simplified version of Agave's `generate_access_violation()` function
247 : that simply returns either FD_VM_ERR_EBPF_ACCESS_VIOLATION or
248 : FD_VM_ERR_EBPF_STACK_ACCESS_VIOLATION. This has no consensus
249 : effects and is purely for logging purposes for fuzzing. Returns
250 : FD_VM_ERR_EBPF_STACK_ACCESS_VIOLATION if the provided vaddr is in the
251 : stack (0x200000000) and FD_VM_ERR_EBPF_ACCESS_VIOLATION otherwise.
252 :
253 : https://github.com/anza-xyz/sbpf/blob/v0.11.1/src/memory_region.rs#L834-L869 */
254 : static FD_FN_PURE inline int
255 315 : fd_vm_generate_access_violation( ulong vaddr, ulong sbpf_version ) {
256 : /* rel_offset can be negative because there is an edge case where the
257 : first "frame" right before the stack region should also throw a
258 : stack access violation. */
259 315 : long rel_offset = fd_long_sat_sub( (long)vaddr, (long)FD_VM_MEM_MAP_STACK_REGION_START );
260 315 : long stack_frame = rel_offset / (long)FD_VM_STACK_FRAME_SZ;
261 315 : if( !fd_sbpf_manual_stack_frame_bump_enabled( sbpf_version ) &&
262 315 : stack_frame>=-1L && stack_frame<=(long)FD_VM_MAX_CALL_DEPTH ) {
263 0 : return FD_VM_ERR_EBPF_STACK_ACCESS_VIOLATION;
264 0 : }
265 315 : return FD_VM_ERR_EBPF_ACCESS_VIOLATION;
266 315 : }
267 :
268 : /* fd_vm_mem_haddr translates the vaddr range [vaddr,vaddr+sz) (in
269 : infinite precision math) into the non-wrapping haddr range
270 : [haddr,haddr+sz). On success, returns haddr and every byte in the
271 : haddr range is a valid address. On failure, returns sentinel and
272 : there was at least one byte in the virtual address range that did not
273 : have a corresponding byte in the host address range.
274 :
275 : IMPORTANT SAFETY TIP! When sz==0, the return value currently is
276 : arbitrary. This is often fine as there should be no
277 : actual accesses to a sz==0 region. However, this also means that
278 : testing return for sentinel is insufficient to tell if mapping
279 : failed. That is, assuming sentinel is a location that could never
280 : happen on success:
281 :
282 : sz!=0 and ret!=sentinel -> success
283 : sz!=0 and ret==sentinel -> failure
284 : sz==0 -> ignore ret, application specific handling
285 :
286 : With ~O(2) extra fast branchless instructions, the below could be
287 : tweaked in the sz==0 case to return NULL or return a non-NULL
288 : sentinel value. What is most optimal practically depends on how
289 : empty ranges and NULL vaddr handling is defined in the application.
290 :
291 : Requires ~O(10) fast branchless assembly instructions with 2 L1 cache
292 : hit loads and pretty good ILP.
293 :
294 : fd_vm_mem_haddr_fast is when the vaddr is for use when it is already
295 : known that the vaddr region has a valid mapping.
296 :
297 : These assumptions don't hold if direct mapping is enabled since input
298 : region lookups become O(log(n)). */
299 :
300 :
301 : /* fd_vm_get_input_mem_region_idx returns the index into the input memory
302 : region array with the largest region offset that is <= the offset that
303 : is passed in. This function makes NO guarantees about the input being
304 : a valid input region offset; the caller is responsible for safely handling
305 : it. */
306 : static inline ulong
307 22758 : fd_vm_get_input_mem_region_idx( fd_vm_t const * vm, ulong offset ) {
308 22758 : uint left = 0U;
309 22758 : uint right = vm->input_mem_regions_cnt - 1U;
310 22758 : uint mid = 0U;
311 :
312 104526 : while( left<right ) {
313 81768 : mid = (left+right) / 2U;
314 81768 : if( offset>=vm->input_mem_regions[ mid ].vaddr_offset+vm->input_mem_regions[ mid ].address_space_reserved ) {
315 987 : left = mid + 1U;
316 80781 : } else {
317 80781 : right = mid;
318 80781 : }
319 81768 : }
320 22758 : return left;
321 22758 : }
322 :
323 : /* If the region is an account, handle the resizing logic. This logic
324 : corresponds to
325 : solana_transaction_context::TransactionContext::access_violation_handler
326 :
327 : https://github.com/anza-xyz/agave/blob/v3.0.1/transaction-context/src/lib.rs#L510-L581 */
328 : static inline void
329 : fd_vm_handle_input_mem_region_oob( fd_vm_t const * vm,
330 : ulong offset,
331 : ulong sz,
332 : ulong region_idx,
333 144 : uchar write ) {
334 : /* If virtual_address_space_adjustments is not enabled, we don't need to
335 : do anything */
336 144 : if( FD_UNLIKELY( !vm->virtual_address_space_adjustments ) ) {
337 102 : return;
338 102 : }
339 :
340 : /* If the access is not a write, we don't need to do anything
341 : https://github.com/anza-xyz/agave/blob/v3.0.1/transaction-context/src/lib.rs#L523-L525 */
342 42 : if( FD_UNLIKELY( !write ) ) {
343 0 : return;
344 0 : }
345 :
346 42 : fd_vm_input_region_t * region = &vm->input_mem_regions[ region_idx ];
347 : /* If the region is not writable, we don't need to do anything
348 : https://github.com/anza-xyz/agave/blob/v3.0.1/transaction-context/src/lib.rs#L526-L529 */
349 42 : if( FD_UNLIKELY( !region->is_writable ) ) {
350 0 : return;
351 0 : }
352 :
353 : /* Calculate the requested length
354 : https://github.com/anza-xyz/agave/blob/v3.0.1/transaction-context/src/lib.rs#L532-L535 */
355 42 : ulong requested_len = fd_ulong_sat_sub( fd_ulong_sat_add( offset, sz ), region->vaddr_offset );
356 42 : if( FD_UNLIKELY( requested_len > region->address_space_reserved ) ) {
357 18 : return;
358 18 : }
359 :
360 : /* Calculate the remaining allowed growth
361 : https://github.com/anza-xyz/agave/blob/v3.0.1/transaction-context/src/lib.rs#L549-L551 */
362 24 : long remaining_growth_signed = fd_long_sat_sub(
363 24 : FD_MAX_ACCOUNT_DATA_GROWTH_PER_TRANSACTION,
364 24 : vm->instr_ctx->txn_out->details.accounts_resize_delta );
365 24 : ulong remaining_allowed_growth = (remaining_growth_signed > 0L)
366 24 : ? (ulong)remaining_growth_signed
367 24 : : 0UL;
368 :
369 : /* If the requested length is greater than the size of the region,
370 : resize the region
371 : https://github.com/anza-xyz/agave/blob/v3.0.1/transaction-context/src/lib.rs#L553-L571 */
372 24 : if( FD_UNLIKELY( requested_len > region->region_sz ) ) {
373 : /* Calculate the new region size
374 : https://github.com/anza-xyz/agave/blob/v3.0.1/transaction-context/src/lib.rs#L558-L560 */
375 24 : ulong new_region_sz = fd_ulong_min(
376 24 : fd_ulong_min( region->address_space_reserved, FD_RUNTIME_ACC_SZ_MAX ),
377 24 : fd_ulong_sat_add( region->region_sz, remaining_allowed_growth ) );
378 :
379 : /* Resize the account and the region
380 : https://github.com/anza-xyz/agave/blob/v3.0.1/transaction-context/src/lib.rs#L569-L570 */
381 24 : if( FD_UNLIKELY( new_region_sz > region->region_sz ) ) {
382 : /* Safe because new_region_sz > region->region_sz */
383 24 : long growth = (long)(new_region_sz - region->region_sz);
384 24 : vm->instr_ctx->txn_out->details.accounts_resize_delta = fd_long_sat_add(
385 24 : vm->instr_ctx->txn_out->details.accounts_resize_delta, growth );
386 :
387 24 : ulong memset_sz = fd_ulong_sat_sub( new_region_sz, vm->acc_region_metas[ region->acc_region_meta_idx ].acc->data_len );
388 24 : fd_memset( vm->acc_region_metas[ region->acc_region_meta_idx ].acc->data+vm->acc_region_metas[ region->acc_region_meta_idx ].acc->data_len, 0, memset_sz );
389 24 : vm->acc_region_metas[ region->acc_region_meta_idx ].acc->data_len = new_region_sz;
390 24 : region->region_sz = (uint)new_region_sz;
391 24 : }
392 24 : }
393 24 : }
394 :
395 : /* fd_vm_find_input_mem_region returns the translated haddr for a given
396 : offset into the input region. If an offset/sz is invalid or if an
397 : illegal write is performed, the sentinel value is returned. If the offset
398 : provided is too large, it will choose the upper-most region as the
399 : region_idx. However, it will get caught for being too large of an access
400 : in the multi-region checks. */
401 : static inline ulong
402 : fd_vm_find_input_mem_region( fd_vm_t const * vm,
403 : ulong offset,
404 : ulong sz,
405 : uchar write,
406 22758 : ulong sentinel ) {
407 22758 : if( FD_UNLIKELY( vm->input_mem_regions_cnt==0 ) ) {
408 0 : return sentinel; /* Access is too large */
409 0 : }
410 :
411 : /* Binary search to find the correct memory region. If direct mapping is not
412 : enabled, then there is only 1 memory region which spans the input region. */
413 22758 : ulong region_idx = fd_vm_get_input_mem_region_idx( vm, offset );
414 22758 : if( FD_UNLIKELY( region_idx>=vm->input_mem_regions_cnt ) ) {
415 0 : return sentinel; /* Region not found */
416 0 : }
417 :
418 22758 : ulong bytes_in_region = fd_ulong_sat_sub( vm->input_mem_regions[ region_idx ].region_sz,
419 22758 : fd_ulong_sat_sub( offset, vm->input_mem_regions[ region_idx ].vaddr_offset ) );
420 :
421 : /* If the access is out of bounds, invoke the callback to handle the out of bounds access.
422 : This potentially resizes the region if necessary. */
423 22758 : if( FD_UNLIKELY( sz>bytes_in_region ) ) {
424 144 : fd_vm_handle_input_mem_region_oob( vm, offset, sz, region_idx, write );
425 144 : }
426 :
427 : /* After potentially resizing, re-check the bounds */
428 22758 : bytes_in_region = fd_ulong_sat_sub( vm->input_mem_regions[ region_idx ].region_sz,
429 22758 : fd_ulong_sat_sub( offset, vm->input_mem_regions[ region_idx ].vaddr_offset ) );
430 : /* If the access is still out of bounds, return the sentinel */
431 22758 : if( FD_UNLIKELY( sz>bytes_in_region ) ) {
432 120 : return sentinel;
433 120 : }
434 :
435 22638 : if( FD_UNLIKELY( write && vm->input_mem_regions[ region_idx ].is_writable==0U ) ) {
436 24 : return sentinel; /* Illegal write */
437 24 : }
438 :
439 22614 : ulong start_region_idx = region_idx;
440 :
441 22614 : ulong adjusted_haddr = vm->input_mem_regions[ start_region_idx ].haddr + offset - vm->input_mem_regions[ start_region_idx ].vaddr_offset;
442 22614 : return adjusted_haddr;
443 22638 : }
444 :
445 :
446 : static inline ulong
447 : fd_vm_mem_haddr( fd_vm_t const * vm,
448 : ulong vaddr,
449 : ulong sz,
450 : ulong const * vm_region_haddr, /* indexed [0,6) */
451 : uint const * vm_region_sz, /* indexed [0,6) */
452 : uchar write, /* 1 if the access is a write, 0 if it is a read */
453 48867 : ulong sentinel ) {
454 48867 : ulong region = FD_VADDR_TO_REGION( vaddr );
455 48867 : ulong offset = vaddr & FD_VM_OFFSET_MASK;
456 :
457 : /* Some configurations of the vm have unmapped gaps between each
458 : stack frame. If this is the case, we need to check that the access
459 : is not in a gap region. */
460 48867 : int stack_frame_gaps_enabled = vm->stack_push_frame_count > 1;
461 48867 : if( FD_UNLIKELY( region==FD_VM_STACK_REGION && stack_frame_gaps_enabled ) ) {
462 : /* If an access starts in a gap region, that is an access violation */
463 0 : if( FD_UNLIKELY( !!(vaddr & 0x1000) ) ) {
464 0 : return sentinel;
465 0 : }
466 :
467 : /* To account for the fact that we have gaps in the virtual address space but not in the
468 : physical address space, we need to subtract from the offset the size of all the virtual
469 : gap frames underneath it.
470 :
471 : https://github.com/solana-labs/rbpf/blob/b503a1867a9cfa13f93b4d99679a17fe219831de/src/memory_region.rs#L147-L149 */
472 0 : ulong gap_mask = 0xFFFFFFFFFFFFF000;
473 0 : offset = ( ( offset & gap_mask ) >> 1 ) | ( offset & ~gap_mask );
474 0 : }
475 :
476 48867 : ulong region_sz = (ulong)vm_region_sz[ region ];
477 48867 : ulong sz_max = region_sz - fd_ulong_min( offset, region_sz );
478 :
479 : /* If the region is an account, handle the resizing logic. This logic corresponds to
480 : solana_transaction_context::TransactionContext::access_violation_handler
481 :
482 : https://github.com/anza-xyz/agave/blob/v3.0.1/transaction-context/src/lib.rs#L510-L581 */
483 48867 : if( region==FD_VM_INPUT_REGION ) {
484 22758 : return fd_vm_find_input_mem_region( vm, offset, sz, write, sentinel );
485 22758 : }
486 :
487 : # ifdef FD_VM_INTERP_MEM_TRACING_ENABLED
488 : if ( FD_LIKELY( sz<=sz_max ) ) {
489 : fd_vm_trace_event_mem( vm->trace, write, vaddr, sz, vm_region_haddr[ region ] + offset );
490 : }
491 : # endif
492 26109 : return fd_ulong_if( sz<=sz_max, vm_region_haddr[ region ] + offset, sentinel );
493 48867 : }
494 :
495 : static inline ulong
496 : fd_vm_mem_haddr_fast( fd_vm_t const * vm,
497 : ulong vaddr,
498 0 : ulong const * vm_region_haddr ) { /* indexed [0,6) */
499 0 : ulong region = FD_VADDR_TO_REGION( vaddr );
500 0 : ulong offset = vaddr & FD_VM_OFFSET_MASK;
501 0 : if( FD_UNLIKELY( region==FD_VM_INPUT_REGION ) ) {
502 0 : return fd_vm_find_input_mem_region( vm, offset, 1UL, 0, 0UL );
503 0 : }
504 0 : return vm_region_haddr[ region ] + offset;
505 0 : }
506 :
507 54 : FD_FN_PURE static inline ulong fd_vm_mem_ld_1( ulong haddr ) {
508 54 : return (ulong)*(uchar const *)haddr;
509 54 : }
510 :
511 60 : FD_FN_PURE static inline ulong fd_vm_mem_ld_2( ulong haddr ) {
512 60 : ushort t;
513 60 : memcpy( &t, (void const *)haddr, sizeof(ushort) );
514 60 : return (ulong)t;
515 60 : }
516 :
517 60 : FD_FN_PURE static inline ulong fd_vm_mem_ld_4( ulong haddr ) {
518 60 : uint t;
519 60 : memcpy( &t, (void const *)haddr, sizeof(uint) );
520 60 : return (ulong)t;
521 60 : }
522 :
523 42 : FD_FN_PURE static inline ulong fd_vm_mem_ld_8( ulong haddr ) {
524 42 : ulong t;
525 42 : memcpy( &t, (void const *)haddr, sizeof(ulong) );
526 42 : return t;
527 42 : }
528 :
529 1842 : static inline void fd_vm_mem_st_1( ulong haddr, uchar val ) {
530 1842 : *(uchar *)haddr = val;
531 1842 : }
532 :
533 : static inline void fd_vm_mem_st_2( ulong haddr,
534 6 : ushort val ) {
535 6 : memcpy( (void *)haddr, &val, sizeof(ushort) );
536 6 : }
537 :
538 : static inline void fd_vm_mem_st_4( ulong haddr,
539 6 : uint val ) {
540 6 : memcpy( (void *)haddr, &val, sizeof(uint) );
541 6 : }
542 :
543 : static inline void fd_vm_mem_st_8( ulong haddr,
544 777 : ulong val ) {
545 777 : memcpy( (void *)haddr, &val, sizeof(ulong) );
546 777 : }
547 :
548 : FD_PROTOTYPES_END
549 :
550 : #endif /* HEADER_fd_src_flamenco_vm_fd_vm_private_h */
|
