pallet-revive: Raise contract size limit to one megabyte and raise call depth to 25

prdoc/pr_9267.prdoc

@@ -0,0 +1,38 @@
+title: 'pallet-revive: Raise contract size limit to one megabyte and raise call depth
+  to 25'
+doc:
+- audience: Runtime Dev
+  description: |-
+    This PR changes the contract code limit from roughly 100KiB to exactly 1MiB. It also raises the call stack depth from 5 to 25.
+
+    Those limits were in place because of memory constraints within the runtime. We work around them in those ways:
+    1) Removing the 4x safety margin for allocations which is no longer needed due to the new allocator.
+    2) Limiting the size of the compilation cache to a fixed size.
+    3) Resetting the compilation cache and flat map every time we call into a new contract.
+    4) Limiting the size of calldata and return data to 128KiB (only capped by tx size and RAM before). While this is a breaking change nobody will be affected since Geth effectively limits the call data to 128KiB.
+
+    ## 1MiB contracts
+
+    This is large enough so that all known contracts won't fail for size issues anymore.
+
+    The new limit is also much simpler to understand since it does not depend on the number of instructions. Just those two constraints:
+    ```
+    PVM_BLOB.len() < 1 MiB
+    PVM_BLOB.len() + (rw/ro/stack) < 1MiB + 512KiB
+    ```
+
+    This means:
+    1) A contract is guaranteed to have at least 512KiB of memory available.
+    2) A contract that is smaller in code can use more memory.
+    3) Limit is exactly 1MiB unless a user manually increase the memory usage of a contract to be larger than 512KiB.
+
+    ## Call stack depth `5 -> 25`
+
+    The limit of `5` was problematic because there are use cases which require deeper stacks. With the raise to `25` there should be no benign use cases anymore that won't work.
+
+    Please note that even with the low limit of `25` contracts are not vulnerable to stack depth exhaustion attacks: We do trap the caller's context when the depth limit is reached. This is different from Eth where this error can be handled and failure to do so leaves the contract vulnerable.
+crates:
+- name: pallet-revive-fixtures
+  bump: patch
+- name: pallet-revive
+  bump: patch

substrate/frame/revive/Cargo.toml

@@ -31,8 +31,8 @@ num-bigint = { workspace = true }
 num-integer = { workspace = true }
 num-traits = { workspace = true }
 paste = { workspace = true }
-polkavm = { version = "0.26.0", default-features = false }
-polkavm-common = { version = "0.26.0", default-features = false, optional = true }
+polkavm = { version = "0.27.0", default-features = false }
+polkavm-common = { version = "0.27.0", default-features = false, features = ["alloc"] }
 rand = { workspace = true, optional = true }
 rand_pcg = { workspace = true, optional = true }
 rlp = { workspace = true }
@@ -62,7 +62,6 @@ subxt-signer = { workspace = true, optional = true, features = ["unstable-eth"]
 [dev-dependencies]
 array-bytes = { workspace = true, default-features = true }
 assert_matches = { workspace = true }
-polkavm-common = { version = "0.26.0" }
 pretty_assertions = { workspace = true }
 secp256k1 = { workspace = true, features = ["recovery"] }
 serde_json = { workspace = true }
@@ -96,7 +95,7 @@ std = [
 	"pallet-timestamp/std",
 	"pallet-transaction-payment/std",
 	"pallet-utility/std",
-	"polkavm-common?/std",
+	"polkavm-common/std",
 	"polkavm/std",
 	"rand?/std",
 	"ripemd/std",
@@ -126,7 +125,6 @@ runtime-benchmarks = [
 	"pallet-timestamp/runtime-benchmarks",
 	"pallet-transaction-payment/runtime-benchmarks",
 	"pallet-utility/runtime-benchmarks",
-	"polkavm-common/alloc",
 	"rand",
 	"rand_pcg",
 	"sp-consensus-aura",

substrate/frame/revive/fixtures/Cargo.toml

@@ -24,7 +24,7 @@ sp-io = { workspace = true, default-features = true, optional = true }
 anyhow = { workspace = true, default-features = true }
 cargo_metadata = { workspace = true }
 pallet-revive-uapi = { workspace = true }
-polkavm-linker = { version = "0.26.0" }
+polkavm-linker = { version = "0.27.0" }
 toml = { workspace = true }
 
 [features]

substrate/frame/revive/fixtures/build/_Cargo.toml

@@ -14,7 +14,7 @@ edition = "2021"
 [dependencies]
 uapi = { package = 'pallet-revive-uapi', features = ["unstable-hostfn"], default-features = false }
 hex-literal = { version = "0.4.1", default-features = false }
-polkavm-derive = { version = "0.25.0" }
+polkavm-derive = { version = "0.27.0" }
 
 [profile.release]
 opt-level = 3

substrate/frame/revive/fixtures/contracts/call_and_returncode.rs

@@ -21,6 +21,8 @@
 #![no_main]
 include!("../panic_handler.rs");
 
+polkavm_derive::min_stack_size!(256 * 1024);
+
 use uapi::{input, u256_bytes, HostFn, HostFnImpl as api};
 
 #[no_mangle]
@@ -38,7 +40,7 @@ pub extern "C" fn call() {
 	);
 
 	// the first 4 bytes are reserved for the return code
-	let mut output = [0u8; 512];
+	let mut output = [0u8; 128 * 1024];
 	let output_ptr = &mut &mut output[4..];
 
 	let code = match api::call(

substrate/frame/revive/fixtures/contracts/call_with_input_size.rs

@@ -0,0 +1,51 @@
+// This file is part of Substrate.
+
+// Copyright (C) Parity Technologies (UK) Ltd.
+// SPDX-License-Identifier: Apache-2.0
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// 	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#![no_std]
+#![no_main]
+include!("../panic_handler.rs");
+
+polkavm_derive::min_stack_size!(512 * 1024);
+
+use uapi::{input, HostFn, HostFnImpl as api};
+
+#[no_mangle]
+#[polkavm_derive::polkavm_export]
+pub extern "C" fn deploy() {}
+
+#[no_mangle]
+#[polkavm_derive::polkavm_export]
+pub extern "C" fn call() {
+	input!(
+		input_size: u32,
+	);
+
+	let input_buf = [0u8; 256 * 1024];
+	let address = [1u8; 20];
+
+	// Call the callee
+	api::call(
+		uapi::CallFlags::empty(),
+		&address,
+		u64::MAX,       // How much ref_time to devote for the execution. u64::MAX = use all.
+		u64::MAX,       // How much proof_size to devote for the execution. u64::MAX = use all.
+		&[u8::MAX; 32], // No deposit limit.
+		&[0; 32],          // Value transferred to the contract.
+		&input_buf[..input_size as usize],
+		None,
+	).unwrap();
+}

substrate/frame/revive/fixtures/contracts/oom_ro.rs

@@ -25,7 +25,7 @@ include!("../panic_handler.rs");
 
 use uapi::{HostFn, HostFnImpl as api, ReturnFlags};
 
-static BUFFER: [u8; 1025 * 1024] = [0; 1025 * 1024];
+static BUFFER: [u8; 1024 * 1024] = [0; 1024 * 1024];
 
 #[no_mangle]
 #[polkavm_derive::polkavm_export]

substrate/frame/revive/fixtures/contracts/oom_rw_included.rs

@@ -25,9 +25,9 @@ include!("../panic_handler.rs");
 
 use uapi::{HostFn, HostFnImpl as api, ReturnFlags};
 
-static mut BUFFER: [u8; 513 * 1024] = [42; 513 * 1024];
+static mut BUFFER: [u8; 1024 * 1024] = [42; 1024 * 1024];
 
-unsafe fn buffer() -> &'static [u8; 513 * 1024] {
+unsafe fn buffer() -> &'static [u8; 1024 * 1024] {
 	let ptr = core::ptr::addr_of!(BUFFER);
 	&*ptr
 }