SIMD-0167: Loader-v4

[Lichtso]

No description provided.

[nickfrosty]

I also noticed there are several typos on the word "throw"

[topointon-jump]

Very nice to see this well-written, well-specified SIMD!

Would be great to get more detail on the migration path from v3 to v4.

[topointon-jump]

How would the gifting work? Do we need to add a new instruction to the v3 loader? Will this upgrade mechanism be specified in a future SIMD?

[Lichtso]

I see three options here:

1. A migrate instruction for loader-v3 which the dApp devs trigger themselves
2. A migrate instruction for loader-v3 which we the protocol engineers trigger
3. A feature gate which scans the accounts DB and migrates all loader-v3 programs

I would prefer the second option as that allows us to keep the gathering of the loader-v3 program list and then slowly working through it off-chain and still makes sure that all loader-v3 programs get migrated.

[Lichtso]

Added a more detailed description of how this would work:
f2d4970

[buffalojoec]

Getting really close on my side. Based on our last discussion we wanted to add the following to SetAuthority:

• If the program is Uninitialized will skip the existing authority check, set the new authority, and set the status to NeverBeenDeployed.
• Programs that are Retracted can be finalized only if the program length is 0

[buffalojoec]

Let's do it!

[jstarry]

Can we define "delay visibility" or "deployment cooldown" in terminology and use the term consistently in this SIMD?

[jstarry]

This instruction does three different actions: initialize, set-authority, or finalize. All of them set the authority field but they are all different enough that they warrant having specific instructions, in my opinion.

Splitting this instruction up would help clarify instruction account requirements:

1. Initialize does not require an instruction account to specify the current authority
2. SetAuthority would always require the new authority to be a signer, no need to specify it as optional
3. Finalize does not require an instruction account to specify a new authority

Additionally, the way SetAuthority is specified to be treated as an "initialization" is an anti-pattern because it's typically assumed that when initializing accounts on solana that the caller allocates the account data before invoking the initialization instruction.

[jstarry]

@Lichtso I don't think this has been addressed yet (https://github.com/solana-foundation/solana-improvement-documents/pull/167/files#r2184891211)

[jstarry]

nit: I don't really understand what "owned" is supposed to indicate here. Can we call this section "Program Account Layout"?

[jstarry]

I don't think this was addressed (https://github.com/solana-foundation/solana-improvement-documents/pull/167/files#r2226342431)

[jstarry]

some typo fixes (u64 -> u32 and Uninitalized -> Uninitialized) and a new naming suggestion for NeverBeenDeployed -> Buffered.

Suggested change

	- Enum variant `0u64`: `Uninitalized`, account was zero-filled externally
	- Enum variant `1u64`: `NeverBeenDeployed`, used as write buffer
	- Enum variant `2u64`: `Retracted`, program is in maintenance
	- Enum variant `3u64`: `Deployed`, program is ready to be executed
	- Enum variant `4u64`: `Finalized`, same as `Deployed`, but can not be
	- Enum variant `0u32`: `Uninitialized`, account was zero-filled externally
	- Enum variant `1u32`: `Buffered`, used as write buffer
	- Enum variant `2u32`: `Retracted`, program is in maintenance
	- Enum variant `3u32`: `Deployed`, program is ready to be executed
	- Enum variant `4u32`: `Finalized`, same as `Deployed`, but can not be

[jstarry]

Suggested change

	Verification the program account checks in the following order that:
	Verification of the program account checks the following in order:

[jstarry]

Suggested change

	- the program account is at least as long enough for the header (48 bytes),
	- the program account is at least long enough for the header (48 bytes),

[jstarry]

In light of the conversation here should we change this to check that the program account is strictly greater than the length of the header? A finalized program with executable length of zero definitely wouldn't be executable. But this is technically a sub-case of the later "executable verification" check anyways.

[jstarry]

Suggested change

	The loader-v4 intructions Deploy and Retract are not authorized in CPI.
	The loader-v4 instructions Deploy and Retract are not authorized in CPI. If
	these instructions are invoked from another program, throw
	`ProgramFailedToComplete`.

[Lichtso]

Was thinking about the CPI restriction some more: Isn't it a problem for multisig and governance? E.g. #167 (comment) would not work, right?

[jstarry]

Ah yeah, you're right. Didn't think about that. Let's try to remove this restriction then. If I remember correctly it's because we don't yet allow changing the executable flag from CPI.

[jstarry]

We should only charge CU's for the increased size (if any)

[Lichtso]

I think we discussed this before. The reason why we charge for the entire length is because the program runtime has to copy over the existing data into the new allocation.

[jstarry]

Ah yeah, you're right never mind.

[jstarry]

This looks different from loader-v3 which serializes the length of the chunk as a u64 before the chunk data. Are you implying that the length isn't serialized here and that chunk_length_in_bytes is inferred from ix.data.len - 4 bytes (enum variant) - 4 bytes (offset)? I think we should match loader-v3 behavior and serialize the chunk length as well. But consider serializing the length as u16 or u32 instead of u64 to save some bytes

[Lichtso]

What is the advantage of doing so? It would introduce additional failure cases of the explicit field and implicit calculation disagreeing.

[jstarry]

Should also add a note saying that instruction data length is limited to 1232 bytes to match loader-v3 behavior

[jstarry]

We should only charge for the executable length rather than the full account data length

Suggested change

	- Charge program_length_in_bytes / cpi_bytes_per_unit CUs
	- Charge executable length / cpi_bytes_per_unit CUs

[jstarry]

Suggested change

	- Change the executable length in the program account header
	- Change the executable length in the program account header to the specified
	value.

[Lichtso]

If we explicitly encode the ELF length anyway, we might as well move the header down to become a footer:

From Header | ELF | Empty Space to e.g. ELF | Footer | Empty Space | ELF Length. This has the advantage that the meta-data becomes extensible, which makes it more future proof, as the footer could grow without changing any layout.