|
| 1 | +--- |
| 2 | +simd: '0418' |
| 3 | +title: Enable Loader v2 to v3 Program Migrations |
| 4 | +authors: |
| 5 | + - febo (Anza) |
| 6 | +category: Standard |
| 7 | +type: Core |
| 8 | +status: Review |
| 9 | +created: 2025-11-27 |
| 10 | +feature: N/A |
| 11 | +--- |
| 12 | + |
| 13 | +## Summary |
| 14 | + |
| 15 | +This proposal introduces a feature-gated mechanism for runtime-level migration |
| 16 | +of Loader v2 programs to Loader v3. |
| 17 | + |
| 18 | +## Motivation |
| 19 | + |
| 20 | +Loader v2 programs are immutable by design, as the loader does not support |
| 21 | +program upgrades. However, several essential Loader v2 programs would benefit |
| 22 | +from a feature-gated, consensus-driven mechanism that allows the community to |
| 23 | +approve targeted upgrades to specific programs (e.g., SPL Token). |
| 24 | + |
| 25 | +## Alternatives Considered |
| 26 | + |
| 27 | +Previously, the runtime could "upgrade" Loader v2 programs by directly modifying |
| 28 | +their account data. This approach is no longer recommended due to the introduction |
| 29 | +of the global program cache, since it can cause inconsistencies if account data is |
| 30 | +modified in-place. The global program cache does not support upgrades of Loader v2 |
| 31 | +programs because in Loader v2 there is no upgrade path and thus also no last |
| 32 | +upgrade slot metainfo. Without this metainfo, the global program cache cannot |
| 33 | +distinguish the old and new version across forks. When migrating to Loader v3 |
| 34 | +this would not be a problem because the owner is a distinguishing feature and |
| 35 | +Loader v3 does have the last upgrade slot metainfo for further future changes. |
| 36 | + |
| 37 | +## New Terminology |
| 38 | + |
| 39 | +N/A |
| 40 | + |
| 41 | +## Detailed Design |
| 42 | + |
| 43 | +The migration from Loader v2 program to Loader v3 is only performed by the |
| 44 | +runtime and activated via a feature gate. This SIMD describes the procedure |
| 45 | +to follow to execute the migration. Each individual program upgrade will |
| 46 | +reference the procedure described in this SIMD when proposing a migration |
| 47 | +and specify its corresponding feature gate. |
| 48 | + |
| 49 | +Migrating a Loader v2 program to Loader v3 involves creating a buffer |
| 50 | +account owned by the Loader v3 (BPF Upgradable Loader) that contains |
| 51 | +the ELF bytes of the program's implementation to be migrated. This |
| 52 | +buffer is deployed before initiating the migration, and a portion |
| 53 | +of its lamports is later used to fund the new program and program data |
| 54 | +accounts. Any remaining lamports in the buffer are burned as part of |
| 55 | +the migration process. |
| 56 | + |
| 57 | +The migration proceeds in the following steps: |
| 58 | + |
| 59 | +* **Create the program data account**: |
| 60 | + A program data account is derived from the program ID. This account must |
| 61 | + not already exist, with one exception: if an account with the derived address |
| 62 | + exists, holds lamports, and is owned by the System Program, it may be reused. |
| 63 | + In that case, any excess lamports are burned. The ELF bytes from the buffer |
| 64 | + account are then copied into this program data account. |
| 65 | + |
| 66 | +* **Rewrite the program account**: |
| 67 | + The existing Loader v2 program account is replaced with a Loader v3 program |
| 68 | + account that references the newly created program data account. Because |
| 69 | + Loader v2 programs are not upgradable, they do not have an upgrade authority, |
| 70 | + and `None` is assigned during migration. |
| 71 | + |
| 72 | +* **Close the buffer account**: |
| 73 | + Once both program and program data accounts have been created and populated, |
| 74 | + the buffer account is closed and any remaining lamports are burned. |
| 75 | + |
| 76 | +In the slot immediately following the feature activation, the program will not be |
| 77 | +invocable. This status will last one slot, then the program will be fully operational. |
| 78 | +The program ID does not change by this migration process. |
| 79 | + |
| 80 | +Each individual program migration should be controlled by its own feature gate, |
| 81 | +which triggers the migration process when activated. |
| 82 | + |
| 83 | +## Impact |
| 84 | + |
| 85 | +This change introduces a feature-gated, consensus-driven mechanism that allows |
| 86 | +the community to approve targeted upgrades for specific programs that would |
| 87 | +otherwise be non-upgradeable. |
| 88 | + |
| 89 | +## Security Considerations |
| 90 | + |
| 91 | +Migrating Loader v2 programs have serious security implications surrounding |
| 92 | +the replacement of essential programs with the contents of another account. |
| 93 | +This is an extremely sensitive process that must be handled with maximum |
| 94 | +caution. |
| 95 | + |
| 96 | +## Backwards Compatibility |
| 97 | + |
| 98 | +This proposal itself does not directly introduce any breaking changes. The code |
| 99 | +introduced to migrate Loader v2 programs to Loader v3 programs will exist off of |
| 100 | +the runtime's "hot path" until it's actually used for a migration. |
| 101 | + |
| 102 | +When a migration is conducted, the Loader v3 version of a program is expected to |
| 103 | +be backwards compatible *functionally* — its Loader v3 version must provide |
| 104 | +the exact same results as the Loader v2 program it aims to replace. |
0 commit comments