Use scope borrows

Author: febo

program/src/entrypoint.rs

@@ -43,7 +43,7 @@ pub fn process_instruction(
             #[cfg(feature = "logging")]
             pinocchio::msg!("Instruction: InitializeMint");
 
-            process_initialize_mint(accounts, instruction_data, true)
+            process_initialize_mint(accounts, instruction_data)
         }
 
         // 3 - Transfer

program/src/processor/amount_to_ui_amount.rs

@@ -23,7 +23,7 @@ pub fn process_amount_to_ui_amount(
 
     let mint_info = accounts.first().ok_or(ProgramError::NotEnoughAccountKeys)?;
     check_account_owner(mint_info)?;
-    // SAFETY: there is a single borrow to the `Mint` account.
+    // SAFETY: there is a single immutable borrow of the `Mint` account data.
     let mint = unsafe {
         load::<Mint>(mint_info.borrow_data_unchecked()).map_err(|_| TokenError::InvalidMint)?
     };

program/src/processor/close_account.rs

@@ -3,7 +3,7 @@ use pinocchio::{
 };
 use token_interface::{
     error::TokenError,
-    state::{account::Account, load_mut},
+    state::{account::Account, load},
 };
 
 use super::validate_owner;
@@ -26,24 +26,30 @@ pub fn process_close_account(accounts: &[AccountInfo]) -> ProgramResult {
         return Err(ProgramError::InvalidAccountData);
     }
 
-    let source_account =
-        unsafe { load_mut::<Account>(source_account_info.borrow_mut_data_unchecked())? };
-
-    if !source_account.is_native() && source_account.amount() != 0 {
-        return Err(TokenError::NonNativeHasBalance.into());
-    }
-
-    let authority = source_account
-        .close_authority()
-        .unwrap_or(&source_account.owner);
-
-    if !source_account.is_owned_by_system_program_or_incinerator() {
-        validate_owner(authority, authority_info, remaining)?;
-    } else if destination_account_info.key() != &INCINERATOR_ID {
-        return Err(ProgramError::InvalidAccountData);
+    // SAFETY: scoped immutable borrow of the source account data. Changes to the
+    // account info data happens after the borrow ends.
+    {
+        let source_account =
+            unsafe { load::<Account>(source_account_info.borrow_data_unchecked())? };
+
+        if !source_account.is_native() && source_account.amount() != 0 {
+            return Err(TokenError::NonNativeHasBalance.into());
+        }
+
+        let authority = source_account
+            .close_authority()
+            .unwrap_or(&source_account.owner);
+
+        if !source_account.is_owned_by_system_program_or_incinerator() {
+            validate_owner(authority, authority_info, remaining)?;
+        } else if destination_account_info.key() != &INCINERATOR_ID {
+            return Err(ProgramError::InvalidAccountData);
+        }
     }
 
     let destination_starting_lamports = destination_account_info.lamports();
+    // SAFETY: there are no other borrows of the source and destination accounts
+    // at this point.
     unsafe {
         // Moves the lamports to the destination account.
         *destination_account_info.borrow_mut_lamports_unchecked() = destination_starting_lamports

program/src/processor/get_account_data_size.rs

@@ -16,7 +16,9 @@ pub fn process_get_account_data_size(accounts: &[AccountInfo]) -> ProgramResult
 
     // Make sure the mint is valid.
     check_account_owner(mint_info)?;
-
+    // SAFETY: there is a single immutable borrow of the `Mint` account data.
+    //
+    // The `Mint` account is loaded to check if it is initialized.
     let _ = unsafe {
         load::<Mint>(mint_info.borrow_data_unchecked()).map_err(|_| TokenError::InvalidMint)?
     };

program/src/processor/initialize_immutable_owner.rs

@@ -7,7 +7,7 @@ use token_interface::{
 #[inline(always)]
 pub fn process_initialize_immutable_owner(accounts: &[AccountInfo]) -> ProgramResult {
     let token_account_info = accounts.first().ok_or(ProgramError::NotEnoughAccountKeys)?;
-
+    // SAFETY: there is a single immutable borrow of the `Account` account data.
     let account = unsafe { load_unchecked::<Account>(token_account_info.borrow_data_unchecked())? };
 
     if account.is_initialized() {

program/src/processor/initialize_mint.rs

@@ -1,114 +1,8 @@
-use core::{marker::PhantomData, mem::size_of};
-use pinocchio::{
-    account_info::AccountInfo,
-    program_error::ProgramError,
-    pubkey::Pubkey,
-    sysvars::{rent::Rent, Sysvar},
-    ProgramResult,
-};
-use token_interface::{
-    error::TokenError,
-    state::{load_mut_unchecked, mint::Mint, Initializable},
-};
+use pinocchio::{account_info::AccountInfo, ProgramResult};
 
-#[inline(always)]
-pub fn process_initialize_mint(
-    accounts: &[AccountInfo],
-    instruction_data: &[u8],
-    rent_sysvar_account: bool,
-) -> ProgramResult {
-    // Validates the instruction data.
-
-    let args = InitializeMint::try_from_bytes(instruction_data)?;
-
-    // Validates the accounts.
-
-    let (mint_info, rent_sysvar_info) = if rent_sysvar_account {
-        let [mint_info, rent_sysvar_info, _remaining @ ..] = accounts else {
-            return Err(ProgramError::NotEnoughAccountKeys);
-        };
-        (mint_info, Some(rent_sysvar_info))
-    } else {
-        let [mint_info, _remaining @ ..] = accounts else {
-            return Err(ProgramError::NotEnoughAccountKeys);
-        };
-        (mint_info, None)
-    };
-
-    let mint = unsafe { load_mut_unchecked::<Mint>(mint_info.borrow_mut_data_unchecked())? };
-
-    if mint.is_initialized() {
-        return Err(TokenError::AlreadyInUse.into());
-    }
-
-    // Check rent-exempt status of the mint account.
-
-    let is_exempt = if let Some(rent_sysvar_info) = rent_sysvar_info {
-        let rent = unsafe { Rent::from_bytes(rent_sysvar_info.borrow_data_unchecked())? };
-        rent.is_exempt(mint_info.lamports(), size_of::<Mint>())
-    } else {
-        Rent::get()?.is_exempt(mint_info.lamports(), size_of::<Mint>())
-    };
-
-    if !is_exempt {
-        return Err(TokenError::NotRentExempt.into());
-    }
-
-    // Initialize the mint.
-
-    mint.set_initialized(true);
-    mint.set_mint_authority(args.mint_authority());
-    mint.decimals = args.decimals();
+use super::shared;
 
-    if let Some(freeze_authority) = args.freeze_authority() {
-        mint.set_freeze_authority(freeze_authority);
-    }
-
-    Ok(())
-}
-
-/// Instruction data for the `InitializeMint` instruction.
-pub struct InitializeMint<'a> {
-    raw: *const u8,
-
-    _data: PhantomData<&'a [u8]>,
-}
-
-impl InitializeMint<'_> {
-    #[inline]
-    pub fn try_from_bytes(bytes: &[u8]) -> Result<InitializeMint, ProgramError> {
-        // The minimum expected size of the instruction data.
-        // - decimals (1 byte)
-        // - mint_authority (32 bytes)
-        // - option + freeze_authority (1 byte + 32 bytes)
-        if bytes.len() < 34 {
-            return Err(ProgramError::InvalidInstructionData);
-        }
-
-        Ok(InitializeMint {
-            raw: bytes.as_ptr(),
-            _data: PhantomData,
-        })
-    }
-
-    #[inline]
-    pub fn decimals(&self) -> u8 {
-        unsafe { *self.raw }
-    }
-
-    #[inline]
-    pub fn mint_authority(&self) -> &Pubkey {
-        unsafe { &*(self.raw.add(1) as *const Pubkey) }
-    }
-
-    #[inline]
-    pub fn freeze_authority(&self) -> Option<&Pubkey> {
-        unsafe {
-            if *self.raw.add(33) == 0 {
-                Option::None
-            } else {
-                Option::Some(&*(self.raw.add(34) as *const Pubkey))
-            }
-        }
-    }
+#[inline(always)]
+pub fn process_initialize_mint(accounts: &[AccountInfo], instruction_data: &[u8]) -> ProgramResult {
+    shared::initialize_mint::process_initialize_mint(accounts, instruction_data, true)
 }

program/src/processor/initialize_mint2.rs

@@ -1,11 +1,11 @@
 use pinocchio::{account_info::AccountInfo, ProgramResult};
 
-use super::initialize_mint::process_initialize_mint;
+use super::shared;
 
 #[inline(always)]
 pub fn process_initialize_mint2(
     accounts: &[AccountInfo],
     instruction_data: &[u8],
 ) -> ProgramResult {
-    process_initialize_mint(accounts, instruction_data, false)
+    shared::initialize_mint::process_initialize_mint(accounts, instruction_data, false)
 }

program/src/processor/mod.rs

@@ -106,6 +106,9 @@ fn validate_owner(
     if owner_account_info.data_len() == Multisig::LEN
         && owner_account_info.owner() == &TOKEN_PROGRAM_ID
     {
+        // SAFETY: the caller guarantees that there are no mutable borrows of `owner_account_info`
+        // account data, so it is ok to have multiple immutable borrows (this would normally only
+        // happen if the account/mint is the same as the owner).
         let multisig = unsafe { load::<Multisig>(owner_account_info.borrow_data_unchecked())? };
 
         let mut num_signers = 0;

program/src/processor/revoke.rs

@@ -11,14 +11,15 @@ pub fn process_revoke(accounts: &[AccountInfo], _instruction_data: &[u8]) -> Pro
     let [source_account_info, owner_info, remaning @ ..] = accounts else {
         return Err(ProgramError::NotEnoughAccountKeys);
     };
-
+    // SAFETY: there are no other borrows of the `source_account` data.
     let source_account =
         unsafe { load_mut::<Account>(source_account_info.borrow_mut_data_unchecked())? };
 
     if source_account.is_frozen() {
         return Err(TokenError::AccountFrozen.into());
     }
 
+    // TODO: can source == owner?
     validate_owner(&source_account.owner, owner_info, remaning)?;
 
     source_account.clear_delegate();

program/src/processor/set_authority.rs

@@ -27,6 +27,7 @@ pub fn process_set_authority(accounts: &[AccountInfo], instruction_data: &[u8])
     };
 
     if account_info.data_len() == Account::LEN {
+        // SAFETY: there are no other active borrows of the `account` data.
         let account = unsafe { load_mut::<Account>(account_info.borrow_mut_data_unchecked())? };
 
         if account.is_frozen() {
@@ -35,6 +36,7 @@ pub fn process_set_authority(accounts: &[AccountInfo], instruction_data: &[u8])
 
         match authority_type {
             AuthorityType::AccountOwner => {
+                // TODO: Can account and authority be the same?
                 validate_owner(&account.owner, authority_info, remaning)?;
 
                 if let Some(authority) = new_authority {
@@ -52,6 +54,7 @@ pub fn process_set_authority(accounts: &[AccountInfo], instruction_data: &[u8])
             }
             AuthorityType::CloseAccount => {
                 let authority = account.close_authority().unwrap_or(&account.owner);
+                // TODO: Can account and authority be the same?
                 validate_owner(authority, authority_info, remaning)?;
 
                 if let Some(authority) = new_authority {
@@ -65,14 +68,15 @@ pub fn process_set_authority(accounts: &[AccountInfo], instruction_data: &[u8])
             }
         }
     } else if account_info.data_len() == Mint::LEN {
+        // SAFETY: there are no other active borrows of the `account` data.
         let mint = unsafe { load_mut::<Mint>(account_info.borrow_mut_data_unchecked())? };
 
         match authority_type {
             AuthorityType::MintTokens => {
                 // Once a mint's supply is fixed, it cannot be undone by setting a new
                 // mint_authority.
                 let mint_authority = mint.mint_authority().ok_or(TokenError::FixedSupply)?;
-
+                // TODO: Can account and authority be the same?
                 validate_owner(mint_authority, authority_info, remaning)?;
 
                 if let Some(authority) = new_authority {
@@ -87,7 +91,7 @@ pub fn process_set_authority(accounts: &[AccountInfo], instruction_data: &[u8])
                 let freeze_authority = mint
                     .freeze_authority()
                     .ok_or(TokenError::MintCannotFreeze)?;
-
+                // TODO: Can account and authority be the same?
                 validate_owner(freeze_authority, authority_info, remaning)?;
 
                 if let Some(authority) = new_authority {