sui_adapter_latest/static_programmable_transactions/typing/verify/
drop_safety.rs

1// Copyright (c) Mysten Labs, Inc.
2// SPDX-License-Identifier: Apache-2.0
3
4use crate::{
5    execution_mode::ExecutionMode,
6    static_programmable_transactions::{env::Env, typing::ast as T},
7};
8
9/// Refines usage of values so that the last `Copy` of a value is a `Move` if it is not borrowed
10/// After, it verifies the following
11/// - No results without `drop` are unused (all unused non-input values have `drop`)
12pub fn refine_and_verify<Mode: ExecutionMode>(
13    env: &Env<Mode>,
14    ast: &mut T::Transaction,
15) -> Result<(), Mode::Error> {
16    refine::transaction(env, ast)?;
17    verify::transaction::<Mode>(env, ast)?;
18    Ok(())
19}
20
21mod refine {
22    use crate::execution_mode::ExecutionMode;
23    use sui_types::coin::{COIN_MODULE_NAME, SEND_FUNDS_FUNC_NAME};
24
25    use crate::{
26        sp,
27        static_programmable_transactions::{
28            env::Env,
29            spanned::sp,
30            typing::{
31                ast::{self as T, Type},
32                translate::coin_inner_type,
33            },
34        },
35    };
36    use std::collections::BTreeSet;
37
38    struct Context {
39        // All locations that were used
40        used: BTreeSet<T::Location>,
41        // All locations that were used via a Move. This is a subset of `used`, but `used` does
42        // not track how each value was used in each instance. For simplicity, this is kept as a
43        // separate set.
44        moved: BTreeSet<T::Location>,
45    }
46
47    impl Context {
48        fn new() -> Self {
49            Self {
50                used: BTreeSet::new(),
51                moved: BTreeSet::new(),
52            }
53        }
54    }
55
56    /// After memory safety, we can switch the last usage of a `Copy` to a `Move` if it is not
57    /// borrowed at the time of the last usage.
58    pub fn transaction<Mode: ExecutionMode>(
59        env: &Env<Mode>,
60        ast: &mut T::Transaction,
61    ) -> Result<(), Mode::Error> {
62        let mut context = Context::new();
63        for c in ast.commands.iter_mut().rev() {
64            command(&mut context, c);
65        }
66        return_unused_withdrawal_conversions(env, ast, &context.moved)
67    }
68
69    fn command(context: &mut Context, sp!(_, c): &mut T::Command) {
70        match &mut c.command {
71            T::Command__::MoveCall(mc) => arguments(context, &mut mc.arguments),
72            T::Command__::TransferObjects(objects, recipient) => {
73                argument(context, recipient);
74                arguments(context, objects);
75            }
76            T::Command__::SplitCoins(_, coin, amounts) => {
77                arguments(context, amounts);
78                argument(context, coin);
79            }
80            T::Command__::MergeCoins(_, target, coins) => {
81                arguments(context, coins);
82                argument(context, target);
83            }
84            T::Command__::MakeMoveVec(_, xs) => arguments(context, xs),
85            T::Command__::Publish(_, _, _) => (),
86            T::Command__::Upgrade(_, _, _, x, _) => argument(context, x),
87        }
88    }
89
90    fn arguments(context: &mut Context, args: &mut [T::Argument]) {
91        for arg in args.iter_mut().rev() {
92            argument(context, arg)
93        }
94    }
95
96    fn argument(context: &mut Context, arg: &mut T::Argument) {
97        let usage = match &mut arg.value.0 {
98            T::Argument__::Use(u) | T::Argument__::Read(u) | T::Argument__::Freeze(u) => u,
99            T::Argument__::Borrow(_, loc) => {
100                // mark location as used
101                context.used.insert(*loc);
102                return;
103            }
104        };
105        match &usage {
106            T::Usage::Move(loc) => {
107                // mark location as used
108                context.used.insert(*loc);
109                context.moved.insert(*loc);
110            }
111            T::Usage::Copy { location, borrowed } => {
112                // we are at the last usage of a reference result if it was not yet added to the set
113                let location = *location;
114                let last_usage = context.used.insert(location);
115                if last_usage && !borrowed.get().unwrap() {
116                    // if it was the last usage, we need to change the Copy to a Move
117                    *usage = T::Usage::Move(location);
118                    context.moved.insert(location);
119                }
120            }
121        }
122    }
123
124    /// For any withdrawal conversion where the value was not moved, send it back to the original
125    /// owner
126    fn return_unused_withdrawal_conversions<Mode: ExecutionMode>(
127        env: &Env<Mode>,
128        ast: &mut T::Transaction,
129        moved_locations: &BTreeSet<T::Location>,
130    ) -> Result<(), Mode::Error> {
131        // withdrawal conversions not empty ==> accumulators enabled
132        assert_invariant!(
133            ast.withdrawal_compatibility_conversions.is_empty()
134                || env.protocol_config.enable_accumulators(),
135            "Withdrawal conversions should be empty if accumulators are not enabled"
136        );
137        for conversion_info in
138            ast.withdrawal_compatibility_conversions
139                .values()
140                .filter(|conversion| {
141                    // The conversion result is always a single return value, as such we can specify
142                    // a secondary index of `0` without worrying about other results.
143                    let conversion_location = T::Location::Result(conversion.conversion_result, 0);
144                    !moved_locations.contains(&conversion_location)
145                })
146        {
147            let Some(cur_command) = ast.commands.len().checked_sub(1) else {
148                invariant_violation!("cannot be zero commands with a conversion")
149            };
150            let cur_command = checked_as!(cur_command, u16)?;
151            let T::WithdrawalCompatibilityConversion {
152                owner,
153                conversion_result,
154            } = *conversion_info;
155            let Some(conversion_command) = ast.commands.get(conversion_result as usize) else {
156                invariant_violation!("conversion result should be a valid command index")
157            };
158            assert_invariant!(
159                conversion_command.value.result_type.len() == 1,
160                "conversion should have one result"
161            );
162            let T::Location::PureInput(owner_pure_idx) = owner else {
163                invariant_violation!("owner should be a pure input")
164            };
165            assert_invariant!(
166                ast.pure.len() > owner_pure_idx as usize,
167                "owner pure input index out of bounds"
168            );
169            assert_invariant!(
170                ast.pure.get(owner_pure_idx as usize).unwrap().ty == T::Type::Address,
171                "owner pure input should be an address"
172            );
173            let Some(conversion_ty) = conversion_command.value.result_type.first() else {
174                invariant_violation!("conversion should have a result type")
175            };
176            let Some(inner_ty) = coin_inner_type(conversion_ty) else {
177                invariant_violation!("conversion result should be a coin type")
178            };
179            let move_result_ = T::Argument__::new_move(T::Location::Result(conversion_result, 0));
180            let move_result = sp(cur_command, (move_result_, conversion_ty.clone()));
181            let owner_ty = Type::Address;
182            let owner_arg_ = T::Argument__::new_move(owner);
183            let owner_arg = sp(cur_command, (owner_arg_, owner_ty));
184            let return_command__ = T::Command__::MoveCall(Box::new(T::MoveCall {
185                function: env.load_framework_function(
186                    COIN_MODULE_NAME,
187                    SEND_FUNDS_FUNC_NAME,
188                    vec![inner_ty.clone()],
189                )?,
190                arguments: vec![move_result, owner_arg],
191            }));
192            let return_command = sp(
193                cur_command,
194                T::Command_ {
195                    command: return_command__,
196                    result_type: vec![],
197                    drop_values: vec![],
198                    consumed_shared_objects: vec![],
199                },
200            );
201            ast.commands.push(return_command);
202        }
203        Ok(())
204    }
205}
206
207mod verify {
208    use crate::{
209        execution_mode::ExecutionMode,
210        sp,
211        static_programmable_transactions::{
212            env::Env,
213            typing::ast::{self as T, Type},
214        },
215    };
216    use mysten_common::ZipDebugEqIteratorExt;
217    use sui_types::error::{ExecutionErrorTrait, SafeIndex};
218    use sui_types::execution_status::ExecutionErrorKind;
219
220    #[must_use]
221    struct Value;
222
223    struct Context {
224        tx_context: Option<Value>,
225        gas_coin: Option<Value>,
226        objects: Vec<Option<Value>>,
227        withdrawals: Vec<Option<Value>>,
228        pure: Vec<Option<Value>>,
229        receiving: Vec<Option<Value>>,
230        results: Vec<Vec<Option<Value>>>,
231    }
232
233    impl Context {
234        fn new<Mode: ExecutionMode>(_env: &Env<Mode>, ast: &T::Transaction) -> Self {
235            let objects = ast.objects.iter().map(|_| Some(Value)).collect::<Vec<_>>();
236            let withdrawals = ast
237                .withdrawals
238                .iter()
239                .map(|_| Some(Value))
240                .collect::<Vec<_>>();
241            let pure = ast.pure.iter().map(|_| Some(Value)).collect::<Vec<_>>();
242            let receiving = ast
243                .receiving
244                .iter()
245                .map(|_| Some(Value))
246                .collect::<Vec<_>>();
247            let gas_coin = if ast.gas_payment.is_none() {
248                None
249            } else {
250                Some(Value)
251            };
252            Self {
253                tx_context: Some(Value),
254                gas_coin,
255                objects,
256                withdrawals,
257                pure,
258                receiving,
259                results: Vec::with_capacity(ast.commands.len()),
260            }
261        }
262
263        fn location<E: ExecutionErrorTrait>(
264            &mut self,
265            l: T::Location,
266        ) -> Result<&mut Option<Value>, E> {
267            Ok(match l {
268                T::Location::TxContext => &mut self.tx_context,
269                T::Location::GasCoin => &mut self.gas_coin,
270                T::Location::ObjectInput(i) => self.objects.safe_get_mut(i as usize)?,
271                T::Location::WithdrawalInput(i) => self.withdrawals.safe_get_mut(i as usize)?,
272                T::Location::PureInput(i) => self.pure.safe_get_mut(i as usize)?,
273                T::Location::ReceivingInput(i) => self.receiving.safe_get_mut(i as usize)?,
274                T::Location::Result(i, j) => self
275                    .results
276                    .safe_get_mut(i as usize)?
277                    .safe_get_mut(j as usize)?,
278            })
279        }
280    }
281
282    /// Checks the following
283    /// - All unused result values have `drop`
284    pub fn transaction<Mode: ExecutionMode>(
285        env: &Env<Mode>,
286        ast: &T::Transaction,
287    ) -> Result<(), Mode::Error> {
288        let mut context = Context::new(env, ast);
289        let commands = &ast.commands;
290        for c in commands {
291            let result = command::<Mode::Error>(&mut context, c)
292                .map_err(|e| e.with_command_index(c.idx as usize))?;
293            assert_invariant!(
294                result.len() == c.value.result_type.len(),
295                "result length mismatch"
296            );
297            // drop unused result values
298            assert_invariant!(
299                result.len() == c.value.drop_values.len(),
300                "drop values length mismatch"
301            );
302            let result_values = result
303                .into_iter()
304                .zip_debug_eq(c.value.drop_values.iter().copied())
305                .map(|(v, drop)| {
306                    if !drop {
307                        Some(v)
308                    } else {
309                        consume_value(v);
310                        None
311                    }
312                })
313                .collect();
314            context.results.push(result_values);
315        }
316
317        let Context {
318            tx_context,
319            gas_coin,
320            objects,
321            withdrawals,
322            pure,
323            receiving,
324            results,
325        } = context;
326        consume_value_opt(gas_coin);
327        // TODO do we want to check inputs in the dev inspect case?
328        consume_value_opts(objects);
329        consume_value_opts(withdrawals);
330        consume_value_opts(pure);
331        consume_value_opts(receiving);
332        assert_invariant!(results.len() == commands.len(), "result length mismatch");
333        for (i, (result, c)) in results.into_iter().zip_debug_eq(&ast.commands).enumerate() {
334            let tys = &c.value.result_type;
335            assert_invariant!(result.len() == tys.len(), "result length mismatch");
336            for (j, (vopt, ty)) in result.into_iter().zip_debug_eq(tys).enumerate() {
337                drop_value_opt::<Mode>((i, j), vopt, ty)?;
338            }
339        }
340        assert_invariant!(tx_context.is_some(), "tx_context should never be moved");
341        Ok(())
342    }
343
344    fn command<E: ExecutionErrorTrait>(
345        context: &mut Context,
346        sp!(_, c): &T::Command,
347    ) -> Result<Vec<Value>, E> {
348        let result_tys = &c.result_type;
349        Ok(match &c.command {
350            T::Command__::MoveCall(mc) => {
351                let T::MoveCall {
352                    function,
353                    arguments: args,
354                } = &**mc;
355                let return_ = &function.signature.return_;
356                let arg_values = arguments(context, args)?;
357                consume_values(arg_values);
358                (0..return_.len()).map(|_| Value).collect()
359            }
360            T::Command__::TransferObjects(objects, recipient) => {
361                let object_values = arguments(context, objects)?;
362                let recipient_value = argument(context, recipient)?;
363                consume_values(object_values);
364                consume_value(recipient_value);
365                vec![]
366            }
367            T::Command__::SplitCoins(_, coin, amounts) => {
368                let coin_value = argument(context, coin)?;
369                let amount_values = arguments(context, amounts)?;
370                consume_values(amount_values);
371                consume_value(coin_value);
372                (0..amounts.len()).map(|_| Value).collect()
373            }
374            T::Command__::MergeCoins(_, target, coins) => {
375                let target_value = argument(context, target)?;
376                let coin_values = arguments(context, coins)?;
377                consume_values(coin_values);
378                consume_value(target_value);
379                vec![]
380            }
381            T::Command__::MakeMoveVec(_, xs) => {
382                let vs = arguments(context, xs)?;
383                consume_values(vs);
384                vec![Value]
385            }
386            T::Command__::Publish(_, _, _) => result_tys.iter().map(|_| Value).collect(),
387            T::Command__::Upgrade(_, _, _, x, _) => {
388                let v = argument(context, x)?;
389                consume_value(v);
390                vec![Value]
391            }
392        })
393    }
394
395    fn consume_values(_: Vec<Value>) {}
396
397    fn consume_value(_: Value) {}
398
399    fn consume_value_opts(_: Vec<Option<Value>>) {}
400
401    fn consume_value_opt(_: Option<Value>) {}
402
403    fn drop_value_opt<Mode: ExecutionMode>(
404        idx: (usize, usize),
405        value: Option<Value>,
406        ty: &Type,
407    ) -> Result<(), Mode::Error> {
408        match value {
409            Some(v) => drop_value::<Mode>(idx, v, ty),
410            None => Ok(()),
411        }
412    }
413
414    fn drop_value<Mode: ExecutionMode>(
415        (i, j): (usize, usize),
416        value: Value,
417        ty: &Type,
418    ) -> Result<(), Mode::Error> {
419        let abilities = ty.abilities();
420        if !abilities.has_drop() && !Mode::allow_arbitrary_values() {
421            let msg = if abilities.has_copy() {
422                "The value has copy, but not drop. \
423                Its last usage must be by-value so it can be taken."
424            } else {
425                "Unused value without drop"
426            };
427            return Err(Mode::Error::new_with_source(
428                ExecutionErrorKind::UnusedValueWithoutDrop {
429                    result_idx: checked_as!(i, u16)?,
430                    secondary_idx: checked_as!(j, u16)?,
431                },
432                msg,
433            ));
434        }
435        consume_value(value);
436        Ok(())
437    }
438
439    fn arguments<E: ExecutionErrorTrait>(
440        context: &mut Context,
441        xs: &[T::Argument],
442    ) -> Result<Vec<Value>, E> {
443        xs.iter().map(|x| argument(context, x)).collect()
444    }
445
446    fn argument<E: ExecutionErrorTrait>(
447        context: &mut Context,
448        sp!(_, x): &T::Argument,
449    ) -> Result<Value, E> {
450        match &x.0 {
451            T::Argument__::Use(T::Usage::Move(location)) => move_value(context, *location),
452            T::Argument__::Use(T::Usage::Copy { location, .. }) => copy_value(context, *location),
453            T::Argument__::Borrow(_, location) => borrow_location(context, *location),
454            T::Argument__::Read(usage) => read_ref(context, usage),
455            T::Argument__::Freeze(usage) => freeze_ref(context, usage),
456        }
457    }
458
459    fn move_value<E: ExecutionErrorTrait>(
460        context: &mut Context,
461        l: T::Location,
462    ) -> Result<Value, E> {
463        let Some(value) = context.location::<E>(l)?.take() else {
464            invariant_violation!("memory safety should have failed")
465        };
466        Ok(value)
467    }
468
469    fn copy_value<E: ExecutionErrorTrait>(
470        context: &mut Context,
471        l: T::Location,
472    ) -> Result<Value, E> {
473        assert_invariant!(
474            context.location::<E>(l)?.is_some(),
475            "memory safety should have failed"
476        );
477        Ok(Value)
478    }
479
480    fn borrow_location<E: ExecutionErrorTrait>(
481        context: &mut Context,
482        l: T::Location,
483    ) -> Result<Value, E> {
484        assert_invariant!(
485            context.location::<E>(l)?.is_some(),
486            "memory safety should have failed"
487        );
488        Ok(Value)
489    }
490
491    fn read_ref<E: ExecutionErrorTrait>(context: &mut Context, u: &T::Usage) -> Result<Value, E> {
492        let value = match u {
493            T::Usage::Move(l) => move_value::<E>(context, *l)?,
494            T::Usage::Copy { location, .. } => copy_value::<E>(context, *location)?,
495        };
496        consume_value(value);
497        Ok(Value)
498    }
499
500    fn freeze_ref<E: ExecutionErrorTrait>(context: &mut Context, u: &T::Usage) -> Result<Value, E> {
501        let value = match u {
502            T::Usage::Move(l) => move_value::<E>(context, *l)?,
503            T::Usage::Copy { location, .. } => copy_value::<E>(context, *location)?,
504        };
505        consume_value(value);
506        Ok(Value)
507    }
508}