pallet-revive: Raise contract size limit to one megabyte and raise call depth to 25 (#9267)

This PR changes the contract code limit from roughly 100KiB to exactly
1MiB. It also raises the call stack depth from 5 to 25.

Those limits were in place because of memory constraints within the
runtime. We work around them in those ways:
1) Removing the 4x safety margin for allocations which is no longer
needed due to the new allocator.
2) Limiting the size of the compilation cache to a fixed size.
3) Resetting the compilation cache and flat map every time we call into
a new contract.
4) Limiting the size of calldata and return data to 128KiB (only capped
by tx size and RAM before). While this is a breaking change nobody will
be affected since Geth effectively limits the call data to 128KiB.

## 1MiB contracts

This is large enough so that all known contracts won't fail for size
issues anymore.

The new limit is also much simpler to understand since it does not
depend on the number of instructions. Just those two constraints:
```
PVM_BLOB.len() < 1 MiB
PVM_BLOB.len() + (rw/ro/stack) < 1MiB + 512KiB
```

This means:
1) A contract is guaranteed to have at least 512KiB of memory available.
2) A contract that is smaller in code can use more memory.
3) Limit is exactly 1MiB unless a user manually increase the memory
usage of a contract to be larger than 512KiB.

## Call stack depth `5 -> 25`

The limit of `5` was problematic because there are use cases which
require deeper stacks. With the raise to `25` there should be no benign
use cases anymore that won't work.

Please note that even with the low limit of `25` contracts are not
vulnerable to stack depth exhaustion attacks: We do trap the caller's
context when the depth limit is reached. This is different from Eth
where this error can be handled and failure to do so leaves the contract
vulnerable.

---------

Co-authored-by: cmd[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: athei

Cargo.lock

@@ -0,0 +1,38 @@
+title: 'pallet-revive: Raise contract size limit to one megabyte and raise call depth
+  to 25'
+doc:
+- audience: Runtime Dev
+  description: |-
+    This PR changes the contract code limit from roughly 100KiB to exactly 1MiB. It also raises the call stack depth from 5 to 25.
+
+    Those limits were in place because of memory constraints within the runtime. We work around them in those ways:
+    1) Removing the 4x safety margin for allocations which is no longer needed due to the new allocator.
+    2) Limiting the size of the compilation cache to a fixed size.
+    3) Resetting the compilation cache and flat map every time we call into a new contract.
+    4) Limiting the size of calldata and return data to 128KiB (only capped by tx size and RAM before). While this is a breaking change nobody will be affected since Geth effectively limits the call data to 128KiB.
+
+    ## 1MiB contracts
+
+    This is large enough so that all known contracts won't fail for size issues anymore.
+
+    The new limit is also much simpler to understand since it does not depend on the number of instructions. Just those two constraints:
+    ```
+    PVM_BLOB.len() < 1 MiB
+    PVM_BLOB.len() + (rw/ro/stack) < 1MiB + 512KiB
+    ```
+
+    This means:
+    1) A contract is guaranteed to have at least 512KiB of memory available.
+    2) A contract that is smaller in code can use more memory.
+    3) Limit is exactly 1MiB unless a user manually increase the memory usage of a contract to be larger than 512KiB.
+
+    ## Call stack depth `5 -> 25`
+
+    The limit of `5` was problematic because there are use cases which require deeper stacks. With the raise to `25` there should be no benign use cases anymore that won't work.
+
+    Please note that even with the low limit of `25` contracts are not vulnerable to stack depth exhaustion attacks: We do trap the caller's context when the depth limit is reached. This is different from Eth where this error can be handled and failure to do so leaves the contract vulnerable.
+crates:
+- name: pallet-revive-fixtures
+  bump: patch
+- name: pallet-revive
+  bump: patch

prdoc/pr_9267.prdoc

@@ -31,8 +31,8 @@ num-bigint = { workspace = true }
 num-integer = { workspace = true }
 num-traits = { workspace = true }
 paste = { workspace = true }
-polkavm = { version = "0.26.0", default-features = false }
-polkavm-common = { version = "0.26.0", default-features = false, optional = true }
+polkavm = { version = "0.27.0", default-features = false }
+polkavm-common = { version = "0.27.0", default-features = false, features = ["alloc"] }
 rand = { workspace = true, optional = true }
 rand_pcg = { workspace = true, optional = true }
 rlp = { workspace = true }
@@ -62,7 +62,6 @@ subxt-signer = { workspace = true, optional = true, features = ["unstable-eth"]
 [dev-dependencies]
 array-bytes = { workspace = true, default-features = true }
 assert_matches = { workspace = true }
-polkavm-common = { version = "0.26.0" }
 pretty_assertions = { workspace = true }
 secp256k1 = { workspace = true, features = ["recovery"] }
 serde_json = { workspace = true }
@@ -96,7 +95,7 @@ std = [
 	"pallet-timestamp/std",
 	"pallet-transaction-payment/std",
 	"pallet-utility/std",
-	"polkavm-common?/std",
+	"polkavm-common/std",
 	"polkavm/std",
 	"rand?/std",
 	"ripemd/std",
@@ -126,7 +125,6 @@ runtime-benchmarks = [
 	"pallet-timestamp/runtime-benchmarks",
 	"pallet-transaction-payment/runtime-benchmarks",
 	"pallet-utility/runtime-benchmarks",
-	"polkavm-common/alloc",
 	"rand",
 	"rand_pcg",
 	"sp-consensus-aura",

substrate/frame/revive/Cargo.toml

@@ -24,7 +24,7 @@ sp-io = { workspace = true, default-features = true, optional = true }
 anyhow = { workspace = true, default-features = true }
 cargo_metadata = { workspace = true }
 pallet-revive-uapi = { workspace = true }
-polkavm-linker = { version = "0.26.0" }
+polkavm-linker = { version = "0.27.0" }
 toml = { workspace = true }
 
 [features]

substrate/frame/revive/fixtures/Cargo.toml

@@ -14,7 +14,7 @@ edition = "2021"
 [dependencies]
 uapi = { package = 'pallet-revive-uapi', features = ["unstable-hostfn"], default-features = false }
 hex-literal = { version = "0.4.1", default-features = false }
-polkavm-derive = { version = "0.25.0" }
+polkavm-derive = { version = "0.27.0" }
 
 [profile.release]
 opt-level = 3

substrate/frame/revive/fixtures/build/_Cargo.toml

@@ -21,6 +21,8 @@
 #![no_main]
 include!("../panic_handler.rs");
 
+polkavm_derive::min_stack_size!(256 * 1024);
+
 use uapi::{input, u256_bytes, HostFn, HostFnImpl as api};
 
 #[no_mangle]
@@ -38,7 +40,7 @@ pub extern "C" fn call() {
 	);
 
 	// the first 4 bytes are reserved for the return code
-	let mut output = [0u8; 512];
+	let mut output = [0u8; 128 * 1024];
 	let output_ptr = &mut &mut output[4..];
 
 	let code = match api::call(

substrate/frame/revive/fixtures/contracts/call_and_returncode.rs

@@ -0,0 +1,51 @@
+// This file is part of Substrate.
+
+// Copyright (C) Parity Technologies (UK) Ltd.
+// SPDX-License-Identifier: Apache-2.0
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// 	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#![no_std]
+#![no_main]
+include!("../panic_handler.rs");
+
+polkavm_derive::min_stack_size!(512 * 1024);
+
+use uapi::{input, HostFn, HostFnImpl as api};
+
+#[no_mangle]
+#[polkavm_derive::polkavm_export]
+pub extern "C" fn deploy() {}
+
+#[no_mangle]
+#[polkavm_derive::polkavm_export]
+pub extern "C" fn call() {
+	input!(
+		input_size: u32,
+	);
+
+	let input_buf = [0u8; 256 * 1024];
+	let address = [1u8; 20];
+
+	// Call the callee
+	api::call(
+		uapi::CallFlags::empty(),
+		&address,
+		u64::MAX,       // How much ref_time to devote for the execution. u64::MAX = use all.
+		u64::MAX,       // How much proof_size to devote for the execution. u64::MAX = use all.
+		&[u8::MAX; 32], // No deposit limit.
+		&[0; 32],          // Value transferred to the contract.
+		&input_buf[..input_size as usize],
+		None,
+	).unwrap();
+}

substrate/frame/revive/fixtures/contracts/call_with_input_size.rs

@@ -25,7 +25,7 @@ include!("../panic_handler.rs");
 
 use uapi::{HostFn, HostFnImpl as api, ReturnFlags};
 
-static BUFFER: [u8; 1025 * 1024] = [0; 1025 * 1024];
+static BUFFER: [u8; 1024 * 1024] = [0; 1024 * 1024];
 
 #[no_mangle]
 #[polkavm_derive::polkavm_export]

substrate/frame/revive/fixtures/contracts/oom_ro.rs

@@ -25,9 +25,9 @@ include!("../panic_handler.rs");
 
 use uapi::{HostFn, HostFnImpl as api, ReturnFlags};
 
-static mut BUFFER: [u8; 513 * 1024] = [42; 513 * 1024];
+static mut BUFFER: [u8; 1024 * 1024] = [42; 1024 * 1024];
 
-unsafe fn buffer() -> &'static [u8; 513 * 1024] {
+unsafe fn buffer() -> &'static [u8; 1024 * 1024] {
 	let ptr = core::ptr::addr_of!(BUFFER);
 	&*ptr
 }