SC: Sync call entry point validation for eosvm, eosvm-jit, and eosvmoc

[linh2931]

This PR implements a new method to validate sync call entry point. It is applicable to eosvm, eosvm-jit, and eosvmoc. When an account code is deployed, check whether sync_call entry point exists. If it does, its signature is checked. A flag sync_call_supported is added to code_object. Before a sync call is executed, sync_call_supported is used to determine whether the call be proceeded.

sync_call_supported is not written into snapshots. It is populated from the code when reading from snapshots.

Resolves #1219 and #1392

[linh2931]

I was debating whether I should do the sync_call check here inside validate(), or call is_sync_call_supported() separately so not changing validate()'s signature. I opted to do it in validate() to save reconstruction of vm::backend from the code and an extra call to is_sync_call_supported().

[heifner]

Returning a struct of bools (only sync_call_supported for now) would be better I think.

[linh2931]

Initially I thought about returning a bool, but that does not sound right as the method name is validate. A struct of bools is a better choice. Thanks.

[spoonincode]

I'm a little confused on this new snapshot_code_object_v1 because it's the same as the code_object previously was serialized. Also, when we're converting from different chainbase<->snapshot types usually (always?) we use snapshot_row_traits which I don't see anywhere in here.

I'm suspicious we don't need any of these snapshot changes and can instead add a code_object::reflector_init() which just populates the new sync_call_supported field. (this would mean that we'd not include sync_call_supported as part of the fc_reflect which is a little weird but not unheard of)

I'm not 100% confident on the above but I'd suggest trying it

[linh2931]

The new snapshot_code_object_v1 is for snapshot versions prior to sync call protocol feature. We have similar structs for block_state and chain_config.

Will try using code_object::reflector_init(). Thanks.

[spoonincode]

ah okay yeah I saw maximum_version = 8; but I forgot we were on 9 on this branch

[linh2931]

Thanks!

code_object::reflector_init() works. We don't need to place sync_call_supported into snapshots.

[spoonincode]

Looks really good

[spoonincode]

This line is unnecessary.

[linh2931]

fa7a3c6

[spoonincode]

I know it is academic for Vaulta, but in the case where CONFIGURABLE_WASM_LIMITS2 has not be activated we fall down below and don't populate sync_call_supported. We really should populate it both places.

[linh2931]

I thought about it. Because sync_call depends on all previous protocol features, CONFIGURABLE_WASM_LIMITS2 should have been activated. That's why I did not add to the other validate(). But will add for completeness and for not missing some corner cases.

[linh2931]

13e5f5e

[linh2931]

Looks really good

Thanks for all your suggestions

[heifner]

Since you already look it up here. Seems like it would be cleaner to pass code_object into execute. Then code_hash, vm_type, and vm_version do not have to be passed in.

[linh2931]

apply_context uses the same execute() and it does not dip code_object. Even if we pass in code_object here, we still need to split it and pass in code_hash, vm_type and vm_version before calling wasm_interface_private::execute() to reuse the same code.

[heifner]

I think apply_context might as well look it up and pass it in. In either case it is needed inside wasm_interface_private::execute().

[linh2931]

It only looks code_object when the code is not cached. We will need two execute()s with different signatures to avoid unnecessary lookup for apply_context. Can we do this refactor in a separate PR?

[heifner]

Good point about code_object not always needing to be looked up. Maybe we should cache the sync_call_supported in wasm_cache_entry and code_descriptor. That would mean it would have to validated in execute().

[heifner]

We already have call_offset for oc we can check. Seems a bit fragile to rely on the JIT check, so probably should check it. So add it to the wasm_cache_entry?

[spoonincode]

We already have call_offset for oc we can check

Not really though, since it isn't checking for signature now.

[linh2931]

In current VM JIT implementation, it will crash if sync_call() is not exported. In OC, we have an assert if code.call_offset is 0.

[linh2931]

I plan to do a separate PR for the sync call case to avoid second look up of code_object in wasm_interface_private::get_or_build_instantiated_module().

[linh2931]

#1461

Will maintain the current simplicity

[heifner]

Returning a struct of bools (only sync_call_supported for now) would be better I think.

[spoonincode]

afaict this is good now, but it's something to be mindful of in the future -- if we ever relax WASM validation via some protocol feature in the future, this could cause problems.

[linh2931]

What problems might be? Do you mean previously non-supported becomes supported?

[spoonincode]

When activating CONFIGURABLE_WASM_LIMITS2 validation becomes more strict on setcode to prevent some violations of wasm spec. (contracts that violate these rules would still work after activation but could not be setcode again)

So creating a backend with pre-CONFIGURABLE_WASM_LIMITS2 rules is okay since CONFIGURABLE_WASM_LIMITS2 is more strict.

However let's say we made a protocol feature that relaxed validation for the "read only host functions" we've considered; let's just call that READONLY_HF. This would be a problem because here we'd not allow that relaxation since we're still validating against pre-READONLY_HF (and pre-CONFIGURABLE_WASM_LIMITS2) rules. We'd need access to what protocol features are enabled to know what kind of backend to create, and we don't have access to that information readily in the reflector_init()

[linh2931]

Thanks for the detailed explanation. If that happens, we will have to save sync_call_supported in the snapshot, so that the caller of is_sync_call_supported() can pass in controller to have access to protocol feature set. I will add a comment.