[v1.60] Cherry pick 23913 (#24198)

## Description 

- Cherry pick #23913
- Let's start logging any issues with the new reference safety verifier 

## Test plan 

- Just a signing check
- ran tests (had to remove some old global storage ones)

---

## Release notes

Check each box that your changes affect. If none of the boxes relate to
your changes, release notes aren't required.

For each box you select, include information after the relevant heading
that describes the impact of your changes that a user might notice and
any actions they must take to implement updates.

- [ ] Protocol: 
- [ ] Nodes (Validators and Full nodes): 
- [ ] gRPC:
- [ ] JSON-RPC: 
- [ ] GraphQL: 
- [ ] CLI: 
- [ ] Rust SDK:

Author: tnowacki

Cargo.lock

@@ -12,6 +12,8 @@ pub const DEFAULT_MAX_PER_PKG_METER_UNITS: usize = 2_200_000;
 pub const DEFAULT_MAX_BACK_EDGES_PER_FUNCTION: usize = 10_000;
 pub const DEFAULT_MAX_BACK_EDGES_PER_MODULE: usize = 10_000;
 
+pub const DEFAULT_SANITY_CHECK_WITH_REGEX_REFERENCE_SAFETY_UNITS: usize = 2_200_000;
+
 /// This holds limits that are only set and used by the verifier during signing _only_. There are
 /// additional limits in the `MeterConfig` and `VerifierConfig` that are used during both signing
 /// and execution, however those limits cannot be set here and must be protocol versioned.
@@ -29,6 +31,9 @@ pub struct VerifierSigningConfig {
     max_back_edges_per_function: Option<usize>,
     #[serde(default)]
     max_back_edges_per_module: Option<usize>,
+
+    #[serde(default)]
+    pub sanity_check_with_regex_reference_safety: Option<usize>,
 }
 
 impl VerifierSigningConfig {
@@ -57,11 +62,17 @@ impl VerifierSigningConfig {
             .unwrap_or(DEFAULT_MAX_BACK_EDGES_PER_MODULE)
     }
 
+    pub fn sanity_check_with_regex_reference_safety(&self) -> usize {
+        self.sanity_check_with_regex_reference_safety
+            .unwrap_or(DEFAULT_SANITY_CHECK_WITH_REGEX_REFERENCE_SAFETY_UNITS)
+    }
+
     /// Return sign-time only limit for back edges for the verifier.
-    pub fn limits_for_signing(&self) -> (usize, usize) {
+    pub fn limits_for_signing(&self) -> (usize, usize, usize) {
         (
             self.max_back_edges_per_function(),
             self.max_back_edges_per_module(),
+            self.sanity_check_with_regex_reference_safety(),
         )
     }
 

crates/sui-config/src/verifier_signing_config.rs

@@ -4246,20 +4246,29 @@ impl ProtocolConfig {
         cfg
     }
 
-    // Extract the bytecode verifier config from this protocol config. `for_signing` indicates
-    // whether this config is used for verification during signing or execution.
-    pub fn verifier_config(&self, signing_limits: Option<(usize, usize)>) -> VerifierConfig {
-        let (max_back_edges_per_function, max_back_edges_per_module) = if let Some((
+    // Extract the bytecode verifier config from this protocol config.
+    // If used during signing, `signing_limits` should be set.
+    // The third limit configures`sanity_check_with_regex_reference_safety`,
+    // which runs the new regex-based reference safety check to check that it is strictly more
+    // permissive than the current implementation.
+    pub fn verifier_config(&self, signing_limits: Option<(usize, usize, usize)>) -> VerifierConfig {
+        let (
             max_back_edges_per_function,
             max_back_edges_per_module,
+            sanity_check_with_regex_reference_safety,
+        ) = if let Some((
+            max_back_edges_per_function,
+            max_back_edges_per_module,
+            sanity_check_with_regex_reference_safety,
         )) = signing_limits
         {
             (
                 Some(max_back_edges_per_function),
                 Some(max_back_edges_per_module),
+                Some(sanity_check_with_regex_reference_safety),
             )
         } else {
-            (None, None)
+            (None, None, None)
         };
 
         let additional_borrow_checks = if signing_limits.is_some() {
@@ -4295,6 +4304,8 @@ impl ProtocolConfig {
             additional_borrow_checks,
             better_loader_errors: self.better_loader_errors(),
             private_generics_verifier_v2: self.private_generics_verifier_v2(),
+            sanity_check_with_regex_reference_safety: sanity_check_with_regex_reference_safety
+                .map(|limit| limit as u128),
         }
     }
 

crates/sui-protocol-config/src/lib.rs

@@ -162,6 +162,7 @@ validator_configs:
       max-per-pkg-meter-units: ~
       max-back-edges-per-function: ~
       max-back-edges-per-module: ~
+      sanity-check-with-regex-reference-safety: ~
     transaction-driver-config:
       enable-early-validation: true
   - protocol-key-pair:
@@ -323,6 +324,7 @@ validator_configs:
       max-per-pkg-meter-units: ~
       max-back-edges-per-function: ~
       max-back-edges-per-module: ~
+      sanity-check-with-regex-reference-safety: ~
     transaction-driver-config:
       enable-early-validation: true
   - protocol-key-pair:
@@ -484,6 +486,7 @@ validator_configs:
       max-per-pkg-meter-units: ~
       max-back-edges-per-function: ~
       max-back-edges-per-module: ~
+      sanity-check-with-regex-reference-safety: ~
     transaction-driver-config:
       enable-early-validation: true
   - protocol-key-pair:
@@ -645,6 +648,7 @@ validator_configs:
       max-per-pkg-meter-units: ~
       max-back-edges-per-function: ~
       max-back-edges-per-module: ~
+      sanity-check-with-regex-reference-safety: ~
     transaction-driver-config:
       enable-early-validation: true
   - protocol-key-pair:
@@ -806,6 +810,7 @@ validator_configs:
       max-per-pkg-meter-units: ~
       max-back-edges-per-function: ~
       max-back-edges-per-module: ~
+      sanity-check-with-regex-reference-safety: ~
     transaction-driver-config:
       enable-early-validation: true
   - protocol-key-pair:
@@ -967,6 +972,7 @@ validator_configs:
       max-per-pkg-meter-units: ~
       max-back-edges-per-function: ~
       max-back-edges-per-module: ~
+      sanity-check-with-regex-reference-safety: ~
     transaction-driver-config:
       enable-early-validation: true
   - protocol-key-pair:
@@ -1128,6 +1134,7 @@ validator_configs:
       max-per-pkg-meter-units: ~
       max-back-edges-per-function: ~
       max-back-edges-per-module: ~
+      sanity-check-with-regex-reference-safety: ~
     transaction-driver-config:
       enable-early-validation: true
 account_keys:

crates/sui-swarm-config/tests/snapshots/snapshot_tests__network_config_snapshot_matches.snap

@@ -1161,7 +1161,8 @@ impl SuiClientCommands {
                     }
                 };
 
-                let signing_limits = Some(VerifierSigningConfig::default().limits_for_signing());
+                let limits = VerifierSigningConfig::default();
+                let signing_limits = Some(limits.limits_for_signing());
                 let mut verifier = sui_execution::verifier(
                     &protocol_config,
                     signing_limits,

crates/sui/src/client_commands.rs

@@ -32,42 +32,7 @@ macro_rules! do_test {
     }};
 }
 
-#[test]
-fn aptosd_swap() {
-    do_test!("aptosd_swap");
-}
-
-#[test]
-fn coin_store() {
-    do_test!("coin_store");
-}
-
-#[test]
-fn farming() {
-    do_test!("farming");
-}
-
-#[test]
-fn liquidity_pool() {
-    do_test!("liquidity_pool");
-}
-
-#[test]
-fn price_oracle() {
-    do_test!("price_oracle");
-}
-
-#[test]
-fn pool() {
-    do_test!("pool");
-}
-
 #[test]
 fn router() {
     do_test!("router");
 }
-
-#[test]
-fn whitelist() {
-    do_test!("whitelist");
-}

external-crates/move/Cargo.lock

@@ -56,6 +56,7 @@ pub(crate) fn production_config() -> (VerifierConfig, MeterConfig) {
             additional_borrow_checks: true,
             better_loader_errors: true,
             private_generics_verifier_v2: false,
+            sanity_check_with_regex_reference_safety: Some(2_200_000),
         },
         MeterConfig::old_default(),
     )

external-crates/move/crates/bytecode-verifier-tests/src/unit_tests/binary_samples.rs

@@ -360,7 +360,7 @@ fn test_merge_state() {
     );
     assert_eq!(
         result.unwrap_err().major_status(),
-        StatusCode::CONSTRAINT_NOT_SATISFIED
+        StatusCode::PROGRAM_TOO_COMPLEX
     );
 }