Close PVM2 interpreter↔recompiler conformance forks (B1/B2/B3/B5)#867
Conversation
Uncaught OutOfGas is currently mapped to a terminal `Faulted` outcome alongside Trap/Panic/PageFault, but unlike those it is not semantically terminal: OOG can only fire at a per-block gas check, i.e. at a bb_start, which is a sound resume point. Records that it should eventually become a resumable (Paused-persistent) pause so a chain can top up gas and resume. Pairs with docs/pvm-isa/discussions/pause-and-bb-start.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…/B3/B5)
The interpreter (consensus oracle) under-enforced what the PVM2 spec
requires and the x86 recompiler already enforced, so the oracle and
executor could fork on blobs both admit. Each fix makes the interpreter
match the recompiler's observable behavior; directed adversarial vectors
are added since bench guests cannot trigger these by construction.
B1 — static jal/branch to a non-block-start. The Jal and six branch arms
resolved targets with bare find_idx_for_pc and lacked the
is_gas_block_start gate the Jalr arm already had, so a mid-block static
target ran a partial block having charged zero gas. Add the gate to all
seven arms; a non-block-start target now Panics at execution, matching the
recompiler's emit_static_branch panic stub and closing the gas hole.
B2 — guest read of its own code. The interpreter based its data buffer at
DATA_BASE, so a code-region load (the auipc+load PIC idiom the spec
blesses) page-faulted, while the recompiler RO-maps code and allows it.
Thread the code bytes into Interpreter::run; loads fall back to a
read-only code-region read. Stores into code still fault.
B3 — store to a pinned/read-only page wrote silently. The interp store
fast path never consulted per-page perms and build_entry laid every
overlay ReadWrite. Gate the store arms on a per-page store_writable check
(guest stores only; trusted kernel writes bypass), and lay pinned-sourced
mappings read-only via the new shared ImageCap::mapping_is_pinned, used by
both interp drivers (Vm::build_entry and nub-arch-local; the latter had
the same bug). Derived from img.pinned at lay time, so RwOverlay's cap
hash is unchanged. Matches the recompiler, whose flat RW buffer is mapped
before the RO direct_maps so RO wins for pinned pages.
B5 — the two engine-side terminator classifiers (predecode::is_terminator
and the gas-LUT RVF_TERM) are hand-coded independently and must agree or
the engines disagree on basic-block starts. Add a generated test sweeping
the full RVC halfword space and a 4-byte opcode×funct matrix.
B4 ("no runtime admission validation") was re-audited and found to be a
PolkaVM-inherited misframing, not a missing check: jar's recompiler never
rejects at load (it lazy-panics bad targets/reserved encodings at
execution), and the interpreter deliberately mirrors that. A load-time
admission gate in the interpreter alone would create a new fork. B1 is the
real fix — both engines now validate target ∈ bb_starts at execution, so
bb_start soundness no longer rests on the linker's producer assumption
even for untrusted Images. No admission gate added. See
docs/pvm-isa/discussions/implementation-bugs.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Genesis ReviewComparison targets:
How to reviewPost a comment with the following format (rank from best to worst): Use the short commit hashes above and To meta-review another reviewer's comment, react with 👍 or 👎. |
…dation docs PVM2 validation splits in two: an Image's *structure* (sizes, bounds, slot indices, path depth) is validated eagerly when the untrusted SSZ Image is converted to an ImageCap (the "deblob"); instruction *semantics* are validated lazily, at execution. Structural validation is O(metadata) and never scans the code, so it doesn't foreclose lazy compilation. - Reject code longer than MAX_CODE_SIZE in image_cap — an oversized code region would alias the data region at CODE_BASE + offset. - Reject MemoryMapping.source_path_len > MAX_SOURCE_DEPTH at SSZ decode, and make MemoryMapping::path() total (clamp) so a malformed length can never index out of bounds and panic the host. - Document the structure-eager / semantics-lazy split on ImageCap and the SSZ Image. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ify register classification Two more interpreter↔recompiler conformance fixes, plus the refactor that removes the duplicated register-classification logic behind them. B6 — endpoint.entry_pc is untrusted Image metadata. The recompiler's prologue dispatches it through the dense table (a non-bb_start offset holds the panic stub), but the interpreter's loop-entry resolve used a bare find_idx_for_pc and would start mid-block with no gas precharge → a divergence. Gate the entry resolve on is_gas_block_start, matching the recompiler and the jalr arm. Lazy: panics at invocation, not admission. B7 — an instruction naming a reserved register is itself a reserved encoding: x3/x4 (PVM2-reserved) and x16-31 (these don't exist in the RV64E 16-register base, so naming one is illegal, standard RV). The interpreter's decoder had no guard — reg_read/reg_write aliased reserved registers to x0 — so it executed them while the recompiler panicked, and inconsistently (reserved source vs reserved dest differed). Now decode maps any reserved-register instruction to Reserved (lazy panic, 4-byte and RVC) via one exhaustive Inst::uses_reserved_reg (no wildcard: a new variant won't compile until classified); the recompiler's compile_rv4 panics via word_uses_reserved_reg, a cheap opcode-mask pinned equal to the Inst predicate for every non-reserved word (a literal decode_32 per instruction regressed cold compile +8-20%). Unify the classification: the valid/zero/reserved split was encoded redundantly in RV_SLOT_LUT, the interpreter's rv_slot_u8, rv_is_reserved (which had drifted stale to x==3||x==4, missing x16-31), and reg_read/reg_write. Collapse them into one source, javm_exec::regs::reg_class, from which the gas slot LUT, the recompiler slot map, and the reserved-register check all derive. Gas stays bit-identical (same slot values), and the two engines' gas maps are now provably one. validate_pvm2 (build-time) extended to x16-31. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Enabling LTO on the microkernel guest fails: it forces -Ccode-model=large (it loads at a low-half GVA, too far above 2 GiB for the default kernel model), but the precompiled core/alloc for x86_64-unknown-none use the target-default kernel model, and LTO (fat and thin) refuses to merge modules with conflicting Code Model flags (i32 4 vs i32 2). Making LTO work would need std rebuilt with the matching model via -Zbuild-std, i.e. a nightly toolchain (or RUSTC_BOOTSTRAP=1) — a departure from this crate's deliberate stable, no-build-std design. Left a NOTE so it isn't rediscovered. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
/review Consensus-fork closure across PVM2's interpreter↔recompiler boundary — four real forks closed (B1 zero-gas mid-block static target, B2 guest read of own code, B3 silent store to pinned/RO page, B5 drifting terminator classifier pair) plus B4 re-audited and reframed as a misframing rather than a missing check. Each fork was a potential validator-level state split: the interpreter under-enforced what the spec requires and the recompiler already enforced, so on a blob both engines admit, they could compute different state — the kind of bug a sandbox cannot catch. The fix framework is "make the interpreter match the recompiler's observable behavior, verified by reading both engines" — the right shape for closing this class of fork because the recompiler is the production executor. Two design signals stand above the rest. First, the B4 reframing: the obvious "add the missing up-front O(n) admission gate" fix would have created a new fork because the recompiler also doesn't reject at load ( 8 directed adversarial vectors (bench guests can't trigger these by construction); 393 tests pass including the interp↔recomp conformance/sub_vm gate; no recompiler regression. All CI green. |
|
JAR Bot: Quorum reached — triggering merge. |
|
JAR Bot: Merged (quorum reached). |
1 participant
What
The PVM2 interpreter (the consensus oracle) under-enforced what the spec requires and the x86 recompiler already enforced. On a blob both engines admit, the oracle and executor could then compute different state — a consensus fork that a sandbox cannot catch. This closes four such forks and pins the classifier pair that could create a fifth. Each fix makes the interpreter match the recompiler's observable behavior, verified by reading both engines (interp
javm-exec+ recompilernub-arch-x86/codegen.rs).Re-audited each finding against current source before fixing (a prior research pass had fabricated an artifact, so nothing was taken on trust).
Fixes
B1 — static
jal/branch to a non-block-start. TheJaland six branch arms resolved targets with barefind_idx_for_pcand lacked theis_gas_block_startgate theJalrarm already had, so a mid-block static target ran a partial block having charged zero gas. Added the gate to all seven arms; a non-block-start target nowPanics at execution, matching the recompiler'semit_static_branchpanic stub and closing the gas hole.B2 — guest read of its own code. The interpreter based its data buffer at
DATA_BASE, so a code-region load (theauipc+load PIC idiom the spec blesses) page-faulted, while the recompiler RO-maps code and allows it. Threaded the code bytes intoInterpreter::run; loads fall back to a read-only code-region read. Stores into code still fault.B3 — store to a pinned/read-only page wrote silently. The interp store fast path never consulted per-page perms and
build_entrylaid every overlayReadWrite. Now the store arms gate on a per-pagestore_writablecheck (guest stores only; trusted kernel writes bypass), and pinned-sourced mappings are laid read-only via the new sharedImageCap::mapping_is_pinned, used by both interp drivers (Vm::build_entryandnub-arch-local— the latter had the same bug). Derived fromimg.pinnedat lay time, soRwOverlay's cap hash is unchanged. Matches the recompiler, whose flat RW buffer is mapped before the ROdirect_maps, so RO wins for pinned pages.B5 — drifting terminator classifiers. The two engine-side classifiers (
predecode::is_terminatorand the gas-LUTRVF_TERM) are hand-coded independently and must agree or the engines disagree on basic-block starts. Added a generated test sweeping the full RVC halfword space and a 4-byte opcode×funct matrix. (The linker's third classifier is deferred — a 3-way test needs a cross-crate harness, and it is low-risk post-B1.)B4 — re-audited and found to be a misframing, not a missing check. The original "PVM2 dropped PolkaVM's up-front O(n) validation" premise is PolkaVM-inherited: jar's recompiler never rejects at load (
compilealways returns aCompileResult; bad targets/reserved → runtime panic stubs), and the interpreter deliberately mirrors that. A load-time admission gate in the interpreter alone would create a new fork. B1 is the real fix — both engines now validatetarget ∈ bb_startsat execution, sobb_startsoundness no longer rests on the linker's producer assumption even for untrusted Images. No admission gate added.Tests
8 directed adversarial vectors added (bench guests can't trigger these by construction):
branch_to_non_block_start_panics,jal_to_non_block_start_panics,branch_to_real_block_start_is_allowedauipc_load_reads_own_code_region,store_into_code_region_faultsstore_writable_respects_per_page_perms,guest_store_to_ro_page_faults,mapping_is_pinned_classifies_by_source_slotpredecode_and_gas_lut_terminator_agreecargo build --workspaceclean,clippy --all-targets -D warningsclean,fmtclean, 393 tests pass (incl.javm-guest-testsinterp↔recompconformance/sub_vm).javm-benchshows no regression (changes are off the recompiler's measured path).🤖 Generated with Claude Code