-
Notifications
You must be signed in to change notification settings - Fork 286
SIMD-0164: ExtendProgramChecked loader-v3 instruction
#164
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
Closed
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,103 @@ | ||
| --- | ||
| simd: '0164' | ||
| title: ExtendProgramChecked loader-v3 instruction | ||
| authors: | ||
| - Alexander Meißner | ||
| category: Standard | ||
| type: Core | ||
| status: Review | ||
| created: 2025-08-05 | ||
| feature: '2oMRZEDWT2tqtYMofhmmfQ8SsjqUFzT6sYXppQDavxwz' | ||
| --- | ||
|
|
||
| ## Summary | ||
|
|
||
| Adds `ExtendProgramChecked` which is the same as `ExtendProgram`, but checks | ||
| that the authority signed. | ||
|
|
||
| ## Motivation | ||
|
|
||
| Currently anybody can extend (increase the size and funds of) programs, which | ||
| they do not control (have no authority over). This has basically no effect on | ||
| the programs as many choose to deploy with max length anyway, so tailing zeros | ||
| are generally not an issue. Additionally, doing so requires transferring funds, | ||
| which people rarely do for no gain. However, for the sake of consistency all | ||
| program management instructions should require the authority to sign. | ||
|
|
||
| ## Alternatives Considered | ||
|
|
||
| Ignoring it and waiting for loader-v4 as that does not have this issue. | ||
|
|
||
| ## New Terminology | ||
|
|
||
| None | ||
|
|
||
| ## Detailed Design | ||
|
|
||
| Existing instructions should not be changed (so transaction parsers remain | ||
| stable), thus a new instruction needs to be added, similar to `SetAuthority` | ||
| and `SetAuthorityChecked`. | ||
|
|
||
| Adds a new instruction `ExtendProgramChecked` to loader-v3 which: | ||
|
|
||
| - The following instruction accounts: | ||
| - 0. `[writable]` The program data account. | ||
| - 1. `[writable]` The program account. | ||
| - 2. `[signer]` The authority. | ||
| - 3. `[]` System program, optional, used to transfer lamports from the payer | ||
| to the ProgramData account. | ||
| - 4. `[signer]` The payer account, optional, that will pay necessary rent | ||
| exemption costs for the increased storage size. | ||
| - The following instruction data: | ||
| - The enum discriminant `8`. | ||
| - `u32` (little endian): Number of bytes to extend the program with. | ||
|
|
||
| `ExtendProgramChecked` behaves exactly the same as `ExtendProgram`, except | ||
| that: | ||
|
|
||
| - It is initially disabled. The associated feature gate must then enable | ||
| `ExtendProgramChecked` and disable `ExtendProgram`. | ||
| - It is available to be invoked via CPI. | ||
| - It expects the instruction account at index 2 to be the authority and | ||
| the two optional parameters are shifted up by one each. | ||
| - Immediately after the check that the program is not finalized | ||
| (which throws `Immutable`) it additionally must check (in that order) that: | ||
| - the provided authority matches the one stored in the program data account, | ||
| otherwise throwing `IncorrectAuthority` | ||
| - the provided authority is a signer, otherwise throwing | ||
| `MissingRequiredSignature` | ||
|
|
||
| `InvalidInstructionData` must be thrown when a disabled instruction is invoked. | ||
|
|
||
| ## Impact | ||
|
|
||
| A program is usually extended for a subsequent upgrade / redeployment which | ||
| does require an upgrade authority anyway. However, if that upgrade authority | ||
| is only available in CPI then a program can only be extended 10 KiB at a time. | ||
| If the upgrade authority is avaliable to top level instructions, then no such | ||
| limiting factor exists and a program can be extended to full length in one | ||
| (top level) instruction. | ||
|
|
||
| For programs which do self upgrade (have their own upgrade authority) via a CPI | ||
| call, they will have to first upgrade themselves to support the send the | ||
| `ExtendProgramChecked` instruction, before the feature of this SIMD becomes | ||
| active. We recommend to also add support for the loader-v3 `Migrate` (to | ||
| loader-v4) instruction and the new loader-v4 program management instructions | ||
| while at it. | ||
|
|
||
| For programs which are upgraded by an external upgrade authority via the CLI, | ||
| there should be no noticable difference for dApp developers. The CLI will check | ||
| the active feature set and either send `ExtendProgram` or | ||
| `ExtendProgramChecked` accordingly. | ||
|
|
||
| Independently of which upgrade path is used, one can opt to preemptively extend | ||
| the program to maximum size before the feature of this SIMD becomes active, | ||
| provided they are willing to lock the required rent exemption funds. Loader-v3 | ||
| does not support truncation / shrinking of programs, but loader-v4 does. Thus, | ||
| after a program is migrated to loader-v4 it is possible to undo this and | ||
| retrieve the locked funds, sending them to a recipient of your choosing, | ||
| provided the programs authority signs. | ||
|
|
||
| ## Security Considerations | ||
|
|
||
| None. | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.