|
| 1 | +--- |
| 2 | +simd: 'XXXX' |
| 3 | +title: Feature Activation Status Syscall |
| 4 | +authors: |
| 5 | + - Hana Mumei |
| 6 | +category: Standard |
| 7 | +type: Core |
| 8 | +status: Draft |
| 9 | +created: 2024-01-03 |
| 10 | +feature: (fill in with feature tracking issues once accepted) |
| 11 | +--- |
| 12 | + |
| 13 | +## Summary |
| 14 | + |
| 15 | +We propose a new syscall, `is_feature_active`, which can be invoked in a |
| 16 | +BPF program with a feature id to check whether that feature has been activated |
| 17 | +on the cluster. A proof of concept is provided |
| 18 | +[here](https://github.com/solana-labs/solana/pull/34611). |
| 19 | + |
| 20 | +## Motivation |
| 21 | + |
| 22 | +The immediate motivation for this is to enable porting native programs to |
| 23 | +BPF, as part of the work on Firedancer and Runtime v2. The Stake Program is |
| 24 | +regularly updated using feature gates, so some mechanism for it to be aware of |
| 25 | +their status is necessary. |
| 26 | + |
| 27 | +Currently there are four in use by the program, most notably |
| 28 | +`stake_raise_minimum_delegation_to_1_sol`, which will likely not be activated |
| 29 | +until some unknown time in the future. |
| 30 | + |
| 31 | +## Alternatives Considered |
| 32 | + |
| 33 | +The main alternative we considered was to eliminate the use of feature gates in |
| 34 | +what are now native programs, and instead upgrade them via a mechanism to |
| 35 | +swap the bytecode implementation of the program at the appropriate time, |
| 36 | +whether automatically or manually. However, this would be more complex and |
| 37 | +likely more brittle than the proposed solution, and may also make it |
| 38 | +easier to railroad changes without the same level over oversight that |
| 39 | +feature gates provide. |
| 40 | + |
| 41 | +We may also consider a null option, i.e. no longer making consensus-breaking |
| 42 | +changes to the native programs at all. But this is likely not a realistic |
| 43 | +option as the network continues to evolve. |
| 44 | + |
| 45 | +## New Terminology |
| 46 | + |
| 47 | +N/A. |
| 48 | + |
| 49 | +## Detailed Design |
| 50 | + |
| 51 | +Implementation is fairly straightforward. A new syscall is added to |
| 52 | +`programs/bpf_loader` called `SyscallIsFeatureActive`. It accepts two positional |
| 53 | +arguments: |
| 54 | + |
| 55 | +* `var_addr`: pointer to `bool`, a memory location to write feature status |
| 56 | +* `feature_pubkey_addr`: pointer to `Pubkey`, the id of the feature to check |
| 57 | + |
| 58 | +The syscall begins by consuming compute. As an example, we have used |
| 59 | +`sysvar_base_cost` plus `size_of::<bool>()`, but this can be discussed. |
| 60 | +Then the syscall checks `invoke_context.feature_set.is_active()` for the |
| 61 | +feature id, writes the result into `var_addr`, and returns `Ok(SUCCESS)`. |
| 62 | + |
| 63 | +As-written, the syscall successfully returns `false` if the feature id is not |
| 64 | +found. This is identical to the behavior of the `is_active()` function and seems |
| 65 | +more appropriate than signalling failure. |
| 66 | + |
| 67 | +A new function is provided in `sdk/program` called `is_feature_active()`, which |
| 68 | +accepts the feature id as `&Pubkey` and returns `Result<bool, ProgramError>`. |
| 69 | + |
| 70 | +The stub version of the syscall completes normally with an invariant result of |
| 71 | +`false`, though there is no reason it couldn't be `true`. |
| 72 | + |
| 73 | +We also move all feature ids from `sdk` to `sdk/program` so that they can be |
| 74 | +used in a program context. |
| 75 | + |
| 76 | +## Impact |
| 77 | + |
| 78 | +A benefit of this proposal is that dapp developers will be able to query feature |
| 79 | +activation status in any BPF program, which may allow them to make programs that |
| 80 | +are more robust to new features, to preemptively code against new features and |
| 81 | +let the chain state handle "activation," and allow upstream more flexibility in |
| 82 | +designing features, knowing they can signal information downstream this way. |
| 83 | + |
| 84 | +The first obvious impact is that the Firedancer team will need to approve and |
| 85 | +implement this. |
| 86 | + |
| 87 | +Another impact is the way in which this SIMD interacts with the Multi-Client |
| 88 | +Feature Gates SIMDs detailed in |
| 89 | +<https://github.com/solana-foundation/solana-improvement-documents/issues/76>. |
| 90 | +These SIMDs will need to be coordinated with each other, but it does not appear |
| 91 | +at first read that they will interfere. It does mean that feature ids and |
| 92 | +feature state will need to remain available via `InvokeContext` and cannot |
| 93 | +be made resident under the `Feature111111111111111111111111111111111111` |
| 94 | +program, but this would likely be the case anyway since features are used |
| 95 | +pervasively throughout the runtime. Further investigation is needed. |
| 96 | + |
| 97 | +## Security Considerations |
| 98 | + |
| 99 | +Other than possible mistakes in implementation, it does not seem that this has |
| 100 | +a potential security impact. The proof-of-concept implementation is modeled |
| 101 | +after `Clock::get()` and does not differ substantially: it simply surfaces |
| 102 | +data to a BPF program with no ability for the caller to mutate state. |
| 103 | + |
| 104 | +## Backwards Compatibility |
| 105 | + |
| 106 | +Feature ids moved to `sdk/program` are reexported in their original `sdk` module |
| 107 | +to ensure no interface breakage downstream. |
0 commit comments