funk, flamenco: reverify program cache after epoch boundary

Author: mjain-jump

src/discof/replay/fd_replay_tile.c

@@ -1683,6 +1683,12 @@ exec_slice( fd_replay_tile_ctx_t * ctx,
       if( FD_UNLIKELY( !pay_sz || !txn_sz || txn_sz > FD_TXN_MTU ) ) {
         FD_LOG_ERR(( "failed to parse transaction in replay" ));
       }
+
+      /* Reverify invoked programs for this epoch, if needed
+         FIXME: this should be done during txn parsing so that we don't have to loop
+         over all accounts a second time. */
+      fd_runtime_reverify_cached_programs( ctx->slot_ctx, &txn_p, ctx->runtime_spad );
+
       fd_memcpy( txn_p.payload, ctx->mbatch + ctx->slice_exec_ctx.wmark, pay_sz );
       txn_p.payload_sz           = pay_sz;
       ctx->slice_exec_ctx.wmark += pay_sz;

src/flamenco/runtime/fd_acc_mgr.c

@@ -67,7 +67,7 @@ fd_funk_get_acc_meta_mutable( fd_funk_t *             funk,
   /* the record does not exist in the current funk transaction */
   if( !rec ) {
     /* clones a record from an ancestor transaction */
-    rec = fd_funk_rec_clone( funk, txn, &id, out_prepare, &funk_err );
+    rec = fd_funk_rec_clone( funk, txn, &id, out_prepare, NULL, &funk_err );
 
     if( rec == NULL ) {
       /* the record does not exist at all */

src/flamenco/runtime/fd_executor.c

@@ -110,6 +110,14 @@ fd_executor_lookup_native_precompile_program( fd_txn_account_t const * prog_acc
   return fd_native_precompile_program_fn_lookup_tbl_query( pubkey, &null_function )->fn;
 }
 
+uchar
+fd_executor_pubkey_is_bpf_loader( fd_pubkey_t const * pubkey ) {
+  return !memcmp( pubkey, fd_solana_bpf_loader_deprecated_program_id.key, sizeof(fd_pubkey_t) ) ||
+         !memcmp( pubkey, fd_solana_bpf_loader_program_id.key, sizeof(fd_pubkey_t) ) ||
+         !memcmp( pubkey, fd_solana_bpf_loader_upgradeable_program_id.key, sizeof(fd_pubkey_t) ) ||
+         !memcmp( pubkey, fd_solana_bpf_loader_v4_program_id.key, sizeof(fd_pubkey_t) );
+}
+
 /* fd_executor_lookup_native_program returns the appropriate instruction processor for the given
    native program ID. Returns NULL if given ID is not a recognized native program.
    https://github.com/anza-xyz/agave/blob/v2.2.6/program-runtime/src/invoke_context.rs#L520-L544 */
@@ -134,10 +142,7 @@ fd_executor_lookup_native_program( fd_txn_account_t const * prog_acc,
   int is_native_program = !memcmp( owner, fd_solana_native_loader_id.key, sizeof(fd_pubkey_t) );
 
   if( !is_native_program && FD_FEATURE_ACTIVE( txn_ctx->slot, txn_ctx->features, remove_accounts_executable_flag_checks ) ) {
-    if ( FD_UNLIKELY( memcmp( owner, fd_solana_bpf_loader_deprecated_program_id.key, sizeof(fd_pubkey_t) ) &&
-                      memcmp( owner, fd_solana_bpf_loader_program_id.key, sizeof(fd_pubkey_t) ) &&
-                      memcmp( owner, fd_solana_bpf_loader_upgradeable_program_id.key, sizeof(fd_pubkey_t) ) &&
-                      memcmp( owner, fd_solana_bpf_loader_v4_program_id.key, sizeof(fd_pubkey_t) ) ) ) {
+    if( FD_UNLIKELY( !fd_executor_pubkey_is_bpf_loader( owner ) ) ) {
       return FD_EXECUTOR_INSTR_ERR_UNSUPPORTED_PROGRAM_ID;
     }
   }

src/flamenco/runtime/fd_executor.h

@@ -44,6 +44,9 @@ typedef int (* fd_exec_instr_fn_t)( fd_exec_instr_ctx_t * ctx );
 fd_exec_instr_fn_t
 fd_executor_lookup_native_precompile_program( fd_txn_account_t const * prog_acc );
 
+uchar
+fd_executor_pubkey_is_bpf_loader( fd_pubkey_t const * pubkey );
+
 int
 fd_executor_check_transactions( fd_exec_txn_ctx_t * txn_ctx );
 

src/flamenco/runtime/fd_runtime.c

@@ -2932,6 +2932,47 @@ fd_runtime_parse_microblock_hdr( void const *          buf FD_PARAM_UNUSED,
   return 0;
 }
 
+void
+fd_runtime_reverify_cached_programs( fd_exec_slot_ctx_t * slot_ctx,
+                                     fd_txn_p_t const *   txn_p,
+                                     fd_spad_t *          runtime_spad ) {
+  fd_txn_t const * txn_descriptor = TXN( txn_p );
+
+  /* Iterate over account keys referenced directly in the transaction first */
+  fd_acct_addr_t const * acc_addrs = fd_txn_get_acct_addrs( txn_descriptor, txn_p );
+  for( ushort acc_idx=0; acc_idx<txn_descriptor->acct_addr_cnt; acc_idx++ ) {
+    fd_pubkey_t const * account = fd_type_pun_const( &acc_addrs[acc_idx] );
+    fd_bpf_program_reverify( slot_ctx, account, runtime_spad );
+  }
+
+  if( txn_descriptor->transaction_version==FD_TXN_V0 ) {
+
+    /* Iterate over account keys referenced in ALUTs */
+    fd_acct_addr_t alut_accounts[256];
+    fd_slot_hashes_global_t const * slot_hashes_global = fd_sysvar_cache_slot_hashes( slot_ctx->sysvar_cache, slot_ctx->runtime_wksp );
+    if( FD_UNLIKELY( !slot_hashes_global ) ) {
+      return;
+    }
+
+    fd_slot_hash_t * slot_hash = deq_fd_slot_hash_t_join( (uchar *)slot_hashes_global + slot_hashes_global->hashes_offset );
+
+    if( FD_UNLIKELY( fd_runtime_load_txn_address_lookup_tables( txn_descriptor,
+                                                                txn_p->payload,
+                                                                slot_ctx->funk,
+                                                                slot_ctx->funk_txn,
+                                                                slot_ctx->slot_bank.slot,
+                                                                slot_hash,
+                                                                alut_accounts ) ) ) {
+      return;
+    }
+
+    for( ushort alut_idx=0; alut_idx<txn_descriptor->addr_table_adtl_cnt; alut_idx++ ) {
+      fd_pubkey_t const * account = fd_type_pun_const( &alut_accounts[alut_idx] );
+      fd_bpf_program_reverify( slot_ctx, account, runtime_spad );
+    }
+  }
+}
+
 /* if we are currently in the middle of a batch, batch_cnt will include the current batch.
    if we are at the start of a batch, batch_cnt will include the current batch. */
 static fd_raw_block_txn_iter_t
@@ -4098,6 +4139,11 @@ fd_runtime_block_execute_tpool( fd_exec_slot_ctx_t *    slot_ctx,
 
       if( !mblock_txn_cnt ) continue;
 
+      /* Reverify programs for this epoch if needed */
+      for( ulong txn_idx=0UL; txn_idx<mblock_txn_cnt; txn_idx++ ) {
+        fd_runtime_reverify_cached_programs( slot_ctx, &mblock_txn_ptrs[txn_idx], runtime_spad );
+      }
+
       res = fd_runtime_process_txns_in_microblock_stream( slot_ctx,
                                                           capture_ctx,
                                                           mblock_txn_ptrs,

src/flamenco/runtime/fd_runtime.h

@@ -615,6 +615,18 @@ fd_runtime_block_pre_execute_process_new_epoch( fd_exec_slot_ctx_t * slot_ctx,
                                                 fd_spad_t *          runtime_spad,
                                                 int *                is_epoch_boundary );
 
+/* When the cluster's feature set changes at an epoch, there is a possibility that existing programs
+   fail new SBPF / ELF header checks. Therefore, after every epoch, we should reverify all programs
+   and replenish our program cache so that users cannot invoke those old programs. Since iterating through
+   all programs every single epoch is expensive, we adopt a lazy approach where we reverify programs as they
+   are referenced in transactions, since only a small subset of all programs are actually referenced at any
+   time. We also make sure each program is only verified once per epoch, so repeated executions of a
+   program within the same epoch will only trigger verification once at the very first invocation. */
+void
+fd_runtime_reverify_cached_programs( fd_exec_slot_ctx_t * slot_ctx,
+                                     fd_txn_p_t const *   txn_p,
+                                     fd_spad_t *          runtime_spad );
+
 /* Debugging Tools ************************************************************/
 
 void