Add flag to disable ArbOwner outside on-chain execution

[bragaigor]

• Add --execution.disable-offchain-arbowner node config flag (default false)
• When enabled, OwnerPrecompile.Call panics if the run context is not IsExecutedOnChain() (blocks ethcall and gas estimation modes)
• The flag is an atomic.Bool field on the OwnerPrecompile struct, configured during ExecutionNode.Initialize() via gethhook.GetOwnerPrecompile()

The *OwnerPrecompile reference is held in an unexported var in the gethhook package, exposed via GetOwnerPrecompile(). This is necessary because precompile instances are created during gethhook.init() (a void function that runs at package load time), while node config only becomes available later in ExecutionNode.Initialize(). Since init() cannot return values, the pointer must be held somewhere to bridge that gap. An unexported var with a getter is the smallest surface area — set once, immutable after init, and the actual config (disableOffchain) lives on the OwnerPrecompile struct where it belongs.

closes NIT-4744

[codecov]

Codecov Report

❌ Patch coverage is 20.00000% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 29.12%. Comparing base (21e0cea) to head (a12d4d6).

❗ There is a different number of reports uploaded between BASE (21e0cea) and HEAD (a12d4d6). Click for more details.

HEAD has 2 uploads less than BASE

Flag	BASE (21e0cea)	HEAD (a12d4d6)
	5	3

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4591      +/-   ##
==========================================
- Coverage   34.30%   29.12%   -5.18%     
==========================================
  Files         498      498              
  Lines       59096    59115      +19     
==========================================
- Hits        20270    17217    -3053     
- Misses      35238    38768    +3530     
+ Partials     3588     3130     -458     

[github-actions]

❌ 242 Tests Failed:

Tests completed	Failed	Passed	Skipped
4566	242	4324	0

View the top 3 failed tests by shortest run time

TestDelayedMessageFilterAliasedSender

Stack Traces | -0.000s run time

=== RUN   TestDelayedMessageFilterAliasedSender
INFO [04-01|22:04:35.737] New Key                                  name=Owner               Address=0x26E554a8acF9003b83495c7f45F06edCB803d4e3
INFO [04-01|22:04:35.737] New Key                                  name=Faucet              Address=0xaF24Ca6c2831f4d4F629418b50C227DF0885613A
DEBUG[04-01|22:04:35.737] test database scheme                     testDatabaseEngine=in-memory
DEBUG[04-01|22:04:35.737] test database scheme                     testDatabaseEngine=in-memory
WARN [04-01|22:04:35.737] Sequencer ReadFromTxQueueTimeout is higher than MaxBlockSpeed ReadFromTxQueueTimeout=1s MaxBlockSpeed=10ms
WARN [04-01|22:04:35.737] Sequencer ReadFromTxQueueTimeout is higher than MaxBlockSpeed ReadFromTxQueueTimeout=1s MaxBlockSpeed=10ms
DEBUG[04-01|22:04:35.738] test database scheme                     testDatabaseEngine=in-memory
=== PAUSE TestDelayedMessageFilterAliasedSender
=== CONT  TestDelayedMessageFilterAliasedSender

TestArbRetryableTxDoesntRevert

Stack Traces | -0.000s run time

=== RUN   TestArbRetryableTxDoesntRevert
INFO [04-01|22:06:54.156] New Key                                  name=Owner               Address=0x26E554a8acF9003b83495c7f45F06edCB803d4e3
INFO [04-01|22:06:54.156] New Key                                  name=Faucet              Address=0xaF24Ca6c2831f4d4F629418b50C227DF0885613A
DEBUG[04-01|22:06:54.156] test database scheme                     testDatabaseEngine=in-memory
DEBUG[04-01|22:06:54.156] test database scheme                     testDatabaseEngine=in-memory
WARN [04-01|22:06:54.156] Sequencer ReadFromTxQueueTimeout is higher than MaxBlockSpeed ReadFromTxQueueTimeout=1s MaxBlockSpeed=10ms
WARN [04-01|22:06:54.156] Sequencer ReadFromTxQueueTimeout is higher than MaxBlockSpeed ReadFromTxQueueTimeout=1s MaxBlockSpeed=10ms
DEBUG[04-01|22:06:54.156] test database scheme                     testDatabaseEngine=in-memory
=== PAUSE TestArbRetryableTxDoesntRevert

TestL2GasBacklogTolerance

Stack Traces | -0.000s run time

=== RUN   TestL2GasBacklogTolerance
INFO [04-01|22:06:54.159] New Key                                  name=Owner               Address=0x26E554a8acF9003b83495c7f45F06edCB803d4e3
INFO [04-01|22:06:54.159] New Key                                  name=Faucet              Address=0xaF24Ca6c2831f4d4F629418b50C227DF0885613A
DEBUG[04-01|22:06:54.159] test database scheme                     testDatabaseEngine=in-memory
DEBUG[04-01|22:06:54.159] test database scheme                     testDatabaseEngine=in-memory
WARN [04-01|22:06:54.159] Sequencer ReadFromTxQueueTimeout is higher than MaxBlockSpeed ReadFromTxQueueTimeout=1s MaxBlockSpeed=10ms
WARN [04-01|22:06:54.159] Sequencer ReadFromTxQueueTimeout is higher than MaxBlockSpeed ReadFromTxQueueTimeout=1s MaxBlockSpeed=10ms
DEBUG[04-01|22:06:54.159] test database scheme                     testDatabaseEngine=in-memory
=== PAUSE TestL2GasBacklogTolerance

📣 Thoughts on this report? Let Codecov know! | Powered by Codecov

[bragaigor]

The *OwnerPrecompile reference in gethhook is an unexported package-level variable, which we'd normally avoid. Here's why it's necessary:

Precompile instances are created during gethhook.init() — a void function that runs automatically at package load time. Node config (DisableOffchainArbOwner) only becomes available much later in ExecutionNode.Initialize(). Since init() can't return values and has no caller to hand the instance to, the pointer must be held somewhere between creation and configuration. The alternatives we evaluated:

• storing it in chain config (wrong: this is a node-level concern, not consensus state)
• a freestanding global atomic bool (worse: config detached from the object it belongs to)
• or looking it up from the VM precompile maps (fragile: requires unwrapping across multiple layers and picking an arbitrary ArbOS version map)

all the above were all strictly worse. The unexported var with an exported getter is the smallest surface: set exactly once in init(), immutable after that, and the actual config flag (disableOffchain) lives on the OwnerPrecompile struct where it belongs.

In more detail:

1. gethhook/geth-hook.go init() — runs at package load time (triggered in gethexec/blockchain.go importing gethhook). This is where precompiles.Precompiles() is called, which creates the *OwnerPrecompile instance. That instance gets wrapped in ArbosPrecompileWrapper and stored in the VM's global precompile maps (vm.PrecompiledContractsBeforeArbOS30, etc.). After init() returns, nobody holds a direct reference to the *OwnerPrecompile — it's buried inside the wrapper inside the VM maps.
2. gethexec.CreateExecutionNode() — runs much later, when the node is actually being set up. This is where configFetcher (which has the DisableOffchainArbOwner flag) first becomes available.
3. ExecutionNode.Initialize() — called after CreateExecutionNode. This is where we want to call ownerPC.SetDisableOffchain(config.DisableOffchainArbOwner). But we need the *OwnerPrecompile pointer to do that.

The gap: the instance is created in step 1, the config arrives in step 3, and there's no object that naturally carries the pointer from 1 to 3. Hence the global

[bragaigor]

question for reviewer: we could update this comment to include more details, something like:

// arbOwnerPrecompile is an unexported package-level variable holding the
// *OwnerPrecompile created during init(). We'd normally avoid a package-level
// var, but the precompile lifecycle requires it:
//
//   - init() calls precompiles.Precompiles(), which creates the *OwnerPrecompile.
//     That instance is then wrapped in ArbosPrecompileWrapper and stored in the
//     VM's global precompile maps (vm.PrecompiledContractsBeforeArbOS30, etc.).
//     After init() returns, no one holds a direct reference to the inner
//     *OwnerPrecompile — it's buried inside the wrapper inside the VM maps.
//
//   - ExecutionNode.Initialize() runs much later, once node config (including
//     DisableOffchainArbOwner) is available. It needs the *OwnerPrecompile
//     pointer to call SetDisableOffchain.
//
// There is no object that naturally carries the pointer from init() to
// Initialize(), so this variable bridges the gap. Alternatives considered:
//
//   - Storing it in chain config: wrong scope (node-level concern, not consensus).
//   - A freestanding global atomic.Bool: worse (config detached from the object).
//   - Looking it up from the VM precompile maps: fragile (requires unwrapping
//     across multiple layers and picking an arbitrary ArbOS version map).
//
// This var is set exactly once during init() and never reassigned. The actual
// config flag (disableOffchain) lives on the OwnerPrecompile struct where it
// belongs.

no strong opinion to which one to use

[joshuacolvin0]

short description is better than long description

[diegoximenes]

No need to have this second return value.
The map returned by Precompiles can be used to retrieve the OwnerPrecompile, just use ArbOwnerImpl.Address as the key for accessing through the map

[bragaigor]

That's a good catch thanks!

[diegoximenes]

Why it needs to be atomic?

[bragaigor]

Nope, it was remanence of an initial solution I strayed fro. Using regular bool

[diegoximenes]

If you check MessageRunContext, you are going to see that NonMutating happens to be the negation of ExecutedOnChain.
So using non mutating here can be more appropriate than using offchain.

[bragaigor]

Yeah and furthermore IsNonMutating() and !IsExecutedOnChain() are equivalent:

func (c *MessageRunContext) IsNonMutating() bool {
	return c.runMode == messageGasEstimationMode || c.runMode == messageEthcallMode
}
...
func (c *MessageRunContext) IsExecutedOnChain() bool {
	return c.IsCommitMode() || c.runMode == messageReplayMode || c.runMode == messageRecordingMode
}

@joshuacolvin0 please advice if you had any other plans for DisableOffchainArbOwner as using IsNonMutating seems to be doing exactly what DisableOffchainArbOwner. If we went with IsNonMutating then the following check:

 if wrapper.disableOffchain {                                                                                           
      txProcessor, ok := evm.ProcessingHook.(*arbos.TxProcessor)                                                         
      if !ok || !txProcessor.RunContext().IsExecutedOnChain() {
          return nil, gasSupplied, multigas.ZeroGas(), errors.New("ArbOwner precompile is disabled outside on-chain      
  execution")                                                                                                            
      }                                                                                                                  
  }   

would turn into something like:

  txProcessor, ok := evm.ProcessingHook.(*arbos.TxProcessor)                                                             
  if !ok || txProcessor.MsgIsNonMutating() {                                                                           
      return nil, gasSupplied, multigas.ZeroGas(), errors.New("ArbOwner precompile is disabled outside on-chain 
  execution")                                                                                                            
  }

[diegoximenes]

The task mentions to use IsExecutedOnChain.
Check with who created the task if you can use evm.ProcessinHook.MsgIsNonMutating() instead, which today is the negation of IsExecutedOnChain.
This way you avoid casting.

If not possible then split this if in two.
One to return an error due to casting, and another to return the error that is being proposed here.

[bragaigor]

related to #4591 (comment)

[diegoximenes]

Why returning 0 and multigas.ComputationGas(gasSupplied)?
I am not sure what is the expected behavior, related to those gas values, for eth_estimateGas if it returns an error.

[bragaigor]

I think it's best to follow what the rest of Call does so modifying to return:

return nil, gasSupplied, multigas.ZeroGas(), errors.New("ArbOwner precompile is disabled outside on-chain execution")

[diegoximenes]

I didn't go over this test func yet, but a test in system_tests, sending eth_call and eth_estimateGas, and using the new Execution node config added by this PR, couldn't be used instead of this?