From 440bae1ba2eb0b74537a3147e9caf48e4d2bae87 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20Mei=C3=9Fner?= Date: Wed, 17 Jul 2024 19:52:39 +0200 Subject: [PATCH 1/2] First draft --- proposals/0163-lift-cpi-caller-restriction.md | 96 +++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 proposals/0163-lift-cpi-caller-restriction.md diff --git a/proposals/0163-lift-cpi-caller-restriction.md b/proposals/0163-lift-cpi-caller-restriction.md new file mode 100644 index 000000000..2fe2eeb3f --- /dev/null +++ b/proposals/0163-lift-cpi-caller-restriction.md @@ -0,0 +1,96 @@ +--- +simd: '0163' +title: Lift the CPI caller restriction +authors: + - Alexander Meißner +category: Standard +type: Core +status: Draft +created: 2024-07-16 +feature: TBD +--- + +## Summary + +Remove the check which forces CPI callers to have the program account of the +callee available to them as an instruction account. + +## Motivation + +The restriction is purely historical and not necessary for the protocol or its +implementations. + +Removing it would improve composability and reduce transaction building +complexity because program accounts would no longer be passed all the way from +transaction level instructions to the inner most CPI instructions. + +Additionally, not passing these program accounts is a significant reduction in +data copied during serialization as program accounts of loader v1, v2 and v4 +contain the entire 10 MB ELF. This massively reduces the CU cost for nested CPI +and disincentivizes programs from accessing program accounts, which could later +allow us to remove program loading from transaction loading. + +### Example transaction + +- Accounts: + - Fee payer + - Caller Program + - Callee Program + - Token +- Transaction-level instruction: + - Program Account: Caller Program + - Instruction Accounts: + - **Callee Program** (this could be removed) + - Token + - CPI: + - Program Account: Callee Program + - Instruction Accounts: + - Token + +Currently, in order to be used as a program account for a nested instruction +the callee program must be passed as an instruction account to all outer +instructions recursively. + +## New Terminology + +None. + +## Detailed Design + +In CPI a feature gate must switch the search for the program id of the callee +from the instruction accounts of the caller to the account list of the +transaction. + +Invoking a program in CPI which was un/re/deployed in the same transaction is +prevented by the "delay visibility" feature and thus unproblematic. + +## Alternatives Considered + +None. + +## Impact + +See motivation. + +Dapp developers who wish to benefit from the lifting of the restriction shall: + +- Hard-code the callee address in the CPI call, in case they want a static +dispatch +- Use the instruction **data**, not instruction **accounts**, to receive the +callee address as a parameter, in case they want a dynamic dispatch + +## Security Considerations + +None. + +## Backwards Compatibility + +Existing programs, which have hard-coded the callee statically and only need it +as any instruction account to satisfy the constraint imposed by the runtime, +can be fed a placeholder like `NativeLoader1111111111111111111111111111111`, in +order not to shift the indices of the other instruction accounts. + +All other existing programs, which dynamically call whatever is passed in a +specific instruction account will have to be updated and redeployed to benefit +from the lifting of the restriction. Otherwise they remain unaffected the way +they are. From 55578fffe4cb17c022c42058ad1a9a66b43370c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20Mei=C3=9Fner?= Date: Thu, 8 Aug 2024 21:59:10 +0200 Subject: [PATCH 2/2] Review feedback. --- proposals/0163-lift-cpi-caller-restriction.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/proposals/0163-lift-cpi-caller-restriction.md b/proposals/0163-lift-cpi-caller-restriction.md index 2fe2eeb3f..f71e9dbe1 100644 --- a/proposals/0163-lift-cpi-caller-restriction.md +++ b/proposals/0163-lift-cpi-caller-restriction.md @@ -79,12 +79,20 @@ dispatch - Use the instruction **data**, not instruction **accounts**, to receive the callee address as a parameter, in case they want a dynamic dispatch +Transaction building should append the required program accounts, which are not +passed as instruction accounts, at the end of the transaction accounts list. +How the dapps describe which callee prorgams they require to be present in the +transaction is explicitly left unspecified. + ## Security Considerations None. ## Backwards Compatibility +Programs remain unaffected the way they are, unless they want to profit from +this change. In that case they can do one of the following: + Existing programs, which have hard-coded the callee statically and only need it as any instruction account to satisfy the constraint imposed by the runtime, can be fed a placeholder like `NativeLoader1111111111111111111111111111111`, in @@ -92,5 +100,4 @@ order not to shift the indices of the other instruction accounts. All other existing programs, which dynamically call whatever is passed in a specific instruction account will have to be updated and redeployed to benefit -from the lifting of the restriction. Otherwise they remain unaffected the way -they are. +from the lifting of the restriction.