Add test for integrity of static and stack regions in memory

Author: Bargsteen

concordium-std/CHANGELOG.md

@@ -1,12 +1,12 @@
 # Changelog
 
 ## Unreleased changes
+- Remove the feature `wee_alloc` and replace it with `bump_alloc`, which enables a small and simple global allocator that can only be used in Wasm.
 
 ## concordium-std 9.0.2 (2024-02-07)
 
 - Make the `concordium_dbg!` and related macros also usable with the full syntax
   that `println!` supports.
-- Remove the feature `wee_alloc` and replace it with `bump_alloc`, which enables a small and simple global allocator that can only be used in Wasm.
 
 ## concordium-std 9.0.1 (2024-01-26)
 

concordium-std/src/bump_alloc.rs

@@ -102,6 +102,7 @@ impl BumpAllocator {
             heap_start:  UnsafeCell::new(0),
             // Initialized to the dummy value `0`, which is checked during first initialization.
             heap_end:    UnsafeCell::new(0),
+            // Keeps track of the number of active allocations.
             allocations: UnsafeCell::new(0),
             // Initialized to the dummy value `0`.
             // Must be set to the same initial address as `next`.
@@ -113,7 +114,7 @@ impl BumpAllocator {
     ///
     /// If successful, it returns the previous number of memory pages.
     /// Otherwise, it returns [`ERROR_PAGE_COUNT`] to indicate out of memory.
-    fn grow_memory(&self, delta: PageCount) -> PageCount {
+    fn memory_grow(&self, delta: PageCount) -> PageCount {
         // The first argument refers to the index of memory to return the size of.
         // Currently, Wasm only supports a single slot of memory, so `0` must always be
         // used. Source: https://doc.rust-lang.org/beta/core/arch/wasm32/fn.memory_grow.html
@@ -129,7 +130,7 @@ impl BumpAllocator {
     ///  - The heap.
     ///
     /// To get the start location of the heap, use `__heap_base`.
-    fn size(&self) -> PageCount {
+    fn memory_size(&self) -> PageCount {
         // The argument refers to the index of memory to return the size of.
         // Currently, Wasm only supports a single slot of memory, so `0` must always be
         // used. Source: https://doc.rust-lang.org/beta/core/arch/wasm32/fn.memory_size.html
@@ -154,7 +155,7 @@ unsafe impl GlobalAlloc for BumpAllocator {
             let heap_base = unsafe { &__heap_base as *const _ as usize };
             // Get the actual size of the memory, which is also the end of the heap, as the
             // heap is the last section in the memory.
-            let actual_size = self.size().size_in_bytes();
+            let actual_size = self.memory_size().size_in_bytes();
             // Replace all the dummy values.
             *next = heap_base;
             *self.heap_start.get() = heap_base;
@@ -175,7 +176,7 @@ unsafe impl GlobalAlloc for BumpAllocator {
         if alloc_end > *heap_end {
             let space_needed = alloc_end - *heap_end;
             let pages_to_request = pages_to_request(space_needed);
-            let previous_page_count = self.grow_memory(pages_to_request);
+            let previous_page_count = self.memory_grow(pages_to_request);
             // Check if we are out of memory.
             if previous_page_count == ERROR_PAGE_COUNT {
                 return ptr::null_mut();
@@ -225,7 +226,8 @@ fn align_up(addr: usize, align: usize) -> usize { (addr + align - 1) & !(align -
 /// Calculates the number of memory pages needed to allocate an additional
 /// `space_needed` bytes.
 ///
-/// This function simply performs an integer division and rounds up the result.
+/// This function simply performs an integer division with `PAGE_SIZE` and
+/// rounds up the result.
 ///
 /// ```
 /// assert_eq!(pages_to_request(0), PageCount(0));

concordium-std/src/lib.rs

@@ -131,11 +131,10 @@
 //! i.e, the resulting smart contracts are going to be smaller by about 6-10kB,
 //! which means they are cheaper to deploy and run. `bump_alloc` is designed to
 //! be simple and fast, but it does not use the memory very efficiently. For
-//! short-lived programs, such as smart contracts, this is usually a perfectly
-//! acceptable tradeoff.
-//! For an allocator with different tradeoffs, see [dlmalloc](https://docs.rs/dlmalloc/).
-//!
-//! See the Rust [allocator](https://doc.rust-lang.org/std/alloc/index.html#the-global_allocator-attribute)
+//! short-lived programs, such as smart contracts, this is usually the right
+//! tradeoff. Especially for contracts such as those dealing with tokens.
+//! For very complex contracts it may be beneficial to run benchmarks to see
+//! whether `bump_alloc` is the best option. See the Rust [allocator](https://doc.rust-lang.org/std/alloc/index.html#the-global_allocator-attribute)
 //! documentation for more context and details on using custom allocators.
 //!
 //! Emit debug information

examples/bump-alloc-tests/src/lib.rs

@@ -78,7 +78,7 @@ fn allocate_one_mib(_ctx: &ReceiveContext, _host: &Host<State>) -> ReceiveResult
 #[receive(contract = "bump_alloc_tests", name = "dealloc_last_optimization")]
 fn dealloc_last_optimization(ctx: &ReceiveContext, _host: &Host<State>) -> ReceiveResult<()> {
     let n: u64 = ctx.parameter_cursor().get()?;
-    let mut long_lasting = black_box(Box::new(0u64));
+    let mut long_lived = black_box(Box::new(0u64));
     for i in 0..n {
         let addr_a = {
             let a = black_box(vec![i]);
@@ -89,11 +89,76 @@ fn dealloc_last_optimization(ctx: &ReceiveContext, _host: &Host<State>) -> Recei
             b.as_ptr() as usize
         };
         if addr_a != addr_b {
-            *long_lasting += 1;
+            *long_lived += 1;
         }
     }
-    if *long_lasting != 0 {
+    if *long_lived != 0 {
         return Err(Reject::default());
     }
     Ok(())
 }
+
+/// Tests that the allocator does not overwrite the static and stack regions of
+/// the memory.
+///
+/// The general idea is to create static and local variables, perform some
+/// recursive calls and subsequently check the integrity of all the data.
+/// The details are in written in the internal comments and in the documentation
+/// for the recursive helper function `appender`.
+#[receive(contract = "bump_alloc_tests", name = "stack_and_static")]
+fn stack_and_static(ctx: &ReceiveContext, _host: &Host<State>) -> ReceiveResult<()> {
+    // Create a static variable and some local variables.
+    static ON_ODD: &str = "ODD";
+    let (mut text, n, on_even): (String, u32, String) = ctx.parameter_cursor().get()?;
+    let original_n = n;
+    let original_text_len = text.len();
+    // Allocate a long lived box on the heap.
+    let long_lived: Box<Vec<u32>> = black_box(Box::new((0..n).collect()));
+    // Run the appender function. Wrapped in a [`black_box`] to ensure that the
+    // compiler won't try to optimize the internals away.
+    black_box(appender(&mut text, n, &on_even, ON_ODD));
+    // Use some of the local variables defined before the recursive call.
+    // Abort if `n` should have been altered.
+    if original_n != n {
+        return Err(Reject::default());
+    }
+    // Abort if the text length hasn't increased when `n` is positive.
+    if n != 0 && original_text_len == text.len() {
+        return Err(Reject::default());
+    }
+    let n_usize = n as usize;
+    // Use the box to ensure that it is long lived.
+    if long_lived[n_usize - 100] != n - 100 {
+        return Err(Reject::default());
+    }
+    // Calculate the expected length of the `text` and check it.
+    let expected_len = original_text_len
+        + (ON_ODD.len() * (n_usize / 2)) // Append `ON_ODD` half the times.
+        + (on_even.len() * (n_usize / 2)) // Append `on_even` half the times.
+        + (ON_ODD.len() * (n_usize % 2)); // Append an extra `ON_ODD` if `n` is odd.
+    if expected_len != text.len() {
+        return Err(Reject::default());
+    }
+    Ok(())
+}
+
+/// Recursively alternates between appending `on_even` and `on_odd` to the
+/// `text` `n` times.
+///
+/// For example with ("ORIGINAL", 3, "EVEN", "ODD"), the final `text` becomes:
+///
+///         |  |   |
+/// ORIGINALODDEVENODD
+///         |  |   |
+fn appender(text: &mut String, n: u32, on_even: &str, on_odd: &str) {
+    if n == 0 {
+        return;
+    }
+    let is_even = n % 2 == 0;
+    if is_even {
+        text.push_str(on_even);
+    } else {
+        text.push_str(on_odd);
+    }
+    appender(text, n - 1, on_even, on_odd);
+}

examples/bump-alloc-tests/tests/tests.rs

@@ -113,6 +113,30 @@ fn test_dealloc_last_optimization() {
         .expect("Update should succeed");
 }
 
+/// Tests that stack and static data isn't overwritten in the allocator.
+#[test]
+fn test_stack_and_static() {
+    let (chain, contract_address) = initialize_chain_and_contract();
+
+    chain
+        .contract_invoke(
+            ACC_0,
+            Address::Account(ACC_0),
+            Energy::from(100_000_000),
+            UpdateContractPayload {
+                amount:       Amount::zero(),
+                address:      contract_address,
+                receive_name: OwnedReceiveName::new_unchecked(
+                    "bump_alloc_tests.stack_and_static".to_string(),
+                ),
+                message:      OwnedParameter::from_serial(&("ORIGINAL", 123456, "EVEN"))
+                    .expect("Parameter size is below limit."),
+            },
+        )
+        .print_emitted_events()
+        .expect("Update should succeed");
+}
+
 /// A helper method for initializing the chain and contract.
 fn initialize_chain_and_contract() -> (Chain, ContractAddress) {
     // Create the test chain.