Const integer bounds approach to bounds checking about rbpf HOT 6 CLOSED

@Lichtso
Here is how to do dynamic memory mapping:

Maintain the following metadata in EbpfElf and JitProgram:

// fields should always be positive
struct SectionInfo {
    bp_host_addr: i64,
    len: i64,
}

struct EbpfElf {
  ..
  // sections as indexed from 1 to 4
  section_infos: [SectionInfo; 4],
}

// memory remapping ops
SUBTRACT_HOST_ADDR: u8 = 0;
ADD_HOST_ADDR: u8 = 1;
SUBTRACT_LEN: u8 = 2;
ADD_LEN: u8 = 3;

struct OffsetEntry {
  offset: isize,
  op: u8,
}

struct JitProgram {
  ..
  // sections as indexed from 1 to 4
  section_infos: [SectionInfo; 4],
  remap_offsets: [Vec<OffsetEntry>; 4],
}

impl JitProgram {
  fn remap_memory(&mut self, new_section_infos: [SectionInfo; 4]) {
    let text_ptr_i64_loc = jit_program._sections.text_section as *mut i64;
    for ((info, new_info), offsets) self.section_infos.iter().zip(&new_section_infos).zip(&self.remap_offsets) {
      for entry in &offsets {
        let modifier = match entry.op {
          0 => info.bp_host_addr - new_info.bp_host_addr,
          1 => new_info.bp_host_addr - info.bp_host_addr,
          2 => info.len - new_info.len,
          3 => new_info.len - info.len,
          _ => Err,
        };
        unsafe { *text_ptr_i64_loc.offset(entry.offset) += modifier; }
      }
    }
    self.section_infos = new_infos;
  }
}

impl JitCompiler {
..
  fn emit_memory_translation(..) {
    // subtract input section's host base ptr addr from x86 i64 immediate.
    jit.add_offset_entry(
      section_index::INPUT, 
      remap_ops::SUBTRACT_HOST_ADDR,
      (jit.offset_in_text_section + opcode_leading_size) as isize, 
    );
    ..
  }
}

from rbpf.

I think this part here won't work:

struct EbpfElf {
  ..
  // sections as indexed from 1 to 4
  section_infos: [SectionInfo; 4],
}

The MemoryMapping must be in the VM, not the Executable, because the same Executable can be instanced and run in different VMs across multiple threads simultaneously (each having a different set of host addresses). Also, this is only intended for the "input" memory region, right?

from rbpf.

@Lichtso

Hmm, I believe this approach requires making a local copy of the executable everytime a VM is created.

That's because each instance should have its own memory mapping. So each instance needs to have a unique remapped executable.

So maybe I ought to first do a local copy into the VM. i.e. the VM should have a local copy of the JitProgram.

from rbpf.

@Lichtso , maybe in order to save on copies, I should make the semantics copy-on-write if shared, else write in place.

Well, one executor could be about 1MB or so, so this can save on copies. 1MB copy will take about 50-120us. This is already somewhat long. It's not clear the remapping operation will be quick either, since it needs to write to many random memory locations.

from rbpf.

Here is a simplified strategy to bounds checking:

1. First, add the offset to the register.
2. Check via the 33rd bit which section it is pointing to. jmp to section's bounds logic.
3. Do the upperbound check. If fail, jmp to OOB error. Add the required constant (host_addr_bp - section_addr_bp) to the vm_addr, and store it in the register. jmp to return.
4. perform operation

from rbpf.

I will close this for now, as #196 was merged.
The next thing to approach is solana-labs/solana#14523 and redesigning the entrypoint / ABI.
We might come back to another redesign of the address translation, but for now I think we have a reasonably good solution while maintaining backwards compatibility.

from rbpf.