[upgrade-compatibility] Disallow adding key ability to types during package upgrades (#11167)

tzakian · web-flow · commit 6f0699d12d54 · 2023-04-21T04:48:01.000Z
Adds a new protocol version (7) and adds a check to make sure that a
`key` ability cannot be added to a type during an upgrade.

This also updates the ability checker so that we can pass it an
`AbilitySet` of abilities that we don't want to allow to be added to
pre-existing types.
diff --git a/move-binary-format/src/compatibility.rs b/move-binary-format/src/compatibility.rs
@@ -31,6 +31,8 @@ pub struct Compatibility {
     pub check_friend_linking: bool,
     /// if false, treat `entry` as `private` when `check_struct_and_pub_function_linking`.
     pub check_private_entry_linking: bool,
+    /// The set of abilities that cannot be added to an already exisiting type.
+    pub disallowed_new_abilities: AbilitySet,
 }
 
 impl Default for Compatibility {
@@ -40,6 +42,7 @@ impl Default for Compatibility {
             check_struct_layout: true,
             check_friend_linking: true,
             check_private_entry_linking: true,
+            disallowed_new_abilities: AbilitySet::EMPTY,
         }
     }
 }
@@ -55,6 +58,7 @@ impl Compatibility {
             check_struct_layout: false,
             check_friend_linking: false,
             check_private_entry_linking: false,
+            disallowed_new_abilities: AbilitySet::EMPTY,
         }
     }
 
@@ -85,12 +89,14 @@ impl Compatibility {
                 break;
             };
 
-            if !struct_abilities_compatibile(old_struct.abilities, new_struct.abilities)
-                || !struct_type_parameters_compatibile(
-                    &old_struct.type_parameters,
-                    &new_struct.type_parameters,
-                )
-            {
+            if !struct_abilities_compatibile(
+                self.disallowed_new_abilities,
+                old_struct.abilities,
+                new_struct.abilities,
+            ) || !struct_type_parameters_compatibile(
+                &old_struct.type_parameters,
+                &new_struct.type_parameters,
+            ) {
                 struct_and_function_linking = false;
             }
             if new_struct.fields != old_struct.fields {
@@ -209,9 +215,18 @@ impl Compatibility {
 }
 
 // When upgrading, the new abilities must be a superset of the old abilities.
-// Adding an ability is fine, but removing an ability could cause existing usages to fail.
-fn struct_abilities_compatibile(old_abilities: AbilitySet, new_abilities: AbilitySet) -> bool {
+// Adding an ability is fine as long as it's not in the disallowed_new_abilities,
+// but removing an ability could cause existing usages to fail.
+fn struct_abilities_compatibile(
+    disallowed_new_abilities: AbilitySet,
+    old_abilities: AbilitySet,
+    new_abilities: AbilitySet,
+) -> bool {
     old_abilities.is_subset(new_abilities)
+        && disallowed_new_abilities.into_iter().all(|ability| {
+            // If the new abilities have the ability the old ones must have it to
+            !new_abilities.has_ability(ability) || old_abilities.has_ability(ability)
+        })
 }
 
 // When upgrading, the new type parameters must be the same length, and the new type parameter
diff --git a/move-binary-format/src/unit_tests/compatibility_tests.rs b/move-binary-format/src/unit_tests/compatibility_tests.rs
@@ -518,6 +518,7 @@ fn private_entry_signature_change_allowed() {
         check_struct_layout: true,
         check_friend_linking: true,
         check_private_entry_linking: false,
+        disallowed_new_abilities: AbilitySet::EMPTY,
     }
     .check(&module, &updated_module)
     .is_ok());
@@ -528,6 +529,7 @@ fn private_entry_signature_change_allowed() {
         check_struct_layout: true,
         check_friend_linking: true,
         check_private_entry_linking: false,
+        disallowed_new_abilities: AbilitySet::EMPTY,
     }
     .check(&updated_module, &module)
     .is_ok());
@@ -614,6 +616,7 @@ fn entry_fun_compat_tests() {
             check_struct_layout: true,
             check_friend_linking: true,
             check_private_entry_linking: false,
+            disallowed_new_abilities: AbilitySet::EMPTY,
         }
         .check(prev, new)
         .is_ok());
@@ -631,6 +634,7 @@ fn entry_fun_compat_tests() {
             check_struct_layout: true,
             check_friend_linking: false,
             check_private_entry_linking: false,
+            disallowed_new_abilities: AbilitySet::EMPTY,
         }
         .check(prev, new)
         .is_ok());
@@ -640,6 +644,7 @@ fn entry_fun_compat_tests() {
             check_struct_layout: true,
             check_friend_linking: true,
             check_private_entry_linking: false,
+            disallowed_new_abilities: AbilitySet::EMPTY,
         }
         .check(prev, new)
         .is_err());
@@ -651,6 +656,7 @@ fn entry_fun_compat_tests() {
             check_struct_layout: true,
             check_friend_linking: true,
             check_private_entry_linking: false,
+            disallowed_new_abilities: AbilitySet::EMPTY,
         }
         .check(prev, new)
         .is_err());
@@ -673,7 +679,8 @@ fn public_entry_signature_change_disallowed() {
         check_struct_and_pub_function_linking: true,
         check_struct_layout: true,
         check_friend_linking: true,
-        check_private_entry_linking: false
+        check_private_entry_linking: false,
+        disallowed_new_abilities: AbilitySet::EMPTY,
     }
     .check(&module, &updated_module)
     .is_err());
@@ -682,7 +689,8 @@ fn public_entry_signature_change_disallowed() {
         check_struct_and_pub_function_linking: true,
         check_struct_layout: true,
         check_friend_linking: true,
-        check_private_entry_linking: false
+        check_private_entry_linking: false,
+        disallowed_new_abilities: AbilitySet::EMPTY,
     }
     .check(&updated_module, &module)
     .is_err());
@@ -691,7 +699,8 @@ fn public_entry_signature_change_disallowed() {
         check_struct_and_pub_function_linking: true,
         check_struct_layout: true,
         check_friend_linking: true,
-        check_private_entry_linking: true
+        check_private_entry_linking: true,
+        disallowed_new_abilities: AbilitySet::EMPTY,
     }
     .check(&module, &updated_module)
     .is_err());
@@ -712,7 +721,8 @@ fn friend_entry_signature_change_allowed() {
         check_struct_and_pub_function_linking: true,
         check_struct_layout: true,
         check_friend_linking: false,
-        check_private_entry_linking: false
+        check_private_entry_linking: false,
+        disallowed_new_abilities: AbilitySet::EMPTY,
     }
     .check(&module, &updated_module)
     .is_ok());
@@ -721,7 +731,8 @@ fn friend_entry_signature_change_allowed() {
         check_struct_and_pub_function_linking: true,
         check_struct_layout: true,
         check_friend_linking: true,
-        check_private_entry_linking: false
+        check_private_entry_linking: false,
+        disallowed_new_abilities: AbilitySet::EMPTY,
     }
     .check(&module, &updated_module)
     .is_err());
@@ -730,7 +741,8 @@ fn friend_entry_signature_change_allowed() {
         check_struct_and_pub_function_linking: true,
         check_struct_layout: true,
         check_friend_linking: false,
-        check_private_entry_linking: true
+        check_private_entry_linking: true,
+        disallowed_new_abilities: AbilitySet::EMPTY,
     }
     .check(&module, &updated_module)
     .is_err());
@@ -739,7 +751,8 @@ fn friend_entry_signature_change_allowed() {
         check_struct_and_pub_function_linking: true,
         check_struct_layout: true,
         check_friend_linking: true,
-        check_private_entry_linking: true
+        check_private_entry_linking: true,
+        disallowed_new_abilities: AbilitySet::EMPTY,
     }
     .check(&module, &updated_module)
     .is_err());
diff --git a/tools/move-cli/src/sandbox/utils/mod.rs b/tools/move-cli/src/sandbox/utils/mod.rs
@@ -350,6 +350,7 @@ pub(crate) fn explain_publish_error(
                 check_struct_layout: true,
                 check_friend_linking: false,
                 check_private_entry_linking: true,
+                disallowed_new_abilities: AbilitySet::EMPTY,
             })
             .check(&old_api, &new_api)
             .is_err()
@@ -362,6 +363,7 @@ pub(crate) fn explain_publish_error(
                 check_struct_layout: false,
                 check_friend_linking: false,
                 check_private_entry_linking: true,
+                disallowed_new_abilities: AbilitySet::EMPTY,
             })
             .check(&old_api, &new_api)
             .is_err()
