[compiler][vm] add visibility modifier to structs/enums: step 3

[rahxephon89]

Description

This PR:

1. adds new attributes for struct apis;
2. introduces bytecode version 10 (which introduces base line changes in this PR);
3. adds new logic in the bytecode verifier to special case the borrow field mut API to avoid bytecode verification error;
4. adds new logic in the runtime reference check to special case the borrow field mut API to avoid invariant violation error generated by the check.

TODO: adds wellformedness check for struct apis to bytecode verifier;

close #18199

How Has This Been Tested?

update of existing test cases for struct APIs.

Key Areas to Review

Type of Change

• New feature
• Bug fix
• Breaking change
• Performance improvement
• Refactoring
• Dependency update
• Documentation update
• Tests

Which Components or Systems Does This Change Impact?

• Validator Node
• Full Node (API, Indexer, etc.)
• Move/Aptos Virtual Machine
• Aptos Framework
• Aptos CLI/SDK
• Developer Infrastructure
• Move Compiler
• Other (specify)

Checklist

• I have read and followed the CONTRIBUTING doc
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I identified and added all stakeholders and component owners affected by this change as reviewers
• I tested both happy and unhappy path of the functionality
• I have made corresponding changes to the documentation

---

Note

High Risk
Touches Move bytecode format (new function-attribute encodings + version gating) and alters reference-safety verification behavior for mutable borrow-field wrappers, which are correctness- and safety-critical paths.

Overview
Adds new FunctionAttribute variants (pack/unpack/test_variant plus variant- and field-offset forms, including BorrowField*) and extends bytecode serialization/deserialization to encode/decode them, gated to VERSION_10 with clearer malformed/version error messages.

Updates compiler v2 bytecode generation to attach these attributes to generated struct/enum API wrappers and adjusts compatibility checks to treat these attributes as non-removable.

Modifies reference-safety verification to special-case calls to functions marked BorrowFieldMutable (treating them as direct field-borrow effects) and updates/extends serializer tests and .exp fixtures to reflect the new attributes and the now-successful cross-module borrow-field scenario.

^{Written by Cursor Bugbot for commit 6bc992e. This will update automatically on new commits. Configure here.}

[rahxephon89]

• [compiler][vm] add visibility modifier to structs/enums: step 4 #18165 : 2 dependent PRs (#18381 , #18489 )
• [compiler][vm] add visibility modifier to structs/enums: step 3 #18117 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Reference safety bypass lacks wellformedness validation for attributes

Medium Severity

handle_borrow_field_mutable bypasses the normal call reference safety analysis (which checks CALL_BORROWED_MUTABLE_REFERENCE_ERROR) based solely on the presence of a BorrowFieldMutable attribute, without any bytecode verifier pass validating that the attribute is correctly placed. A crafted module could attach BorrowFieldMutable to an arbitrary function to bypass mutable reference safety checks, potentially enabling aliased mutable references. The TODO for the wellformedness check needs to land before or atomically with this change.

Additional Locations (1)

• third_party/move/move-bytecode-verifier/src/reference_safety/mod.rs#L465-L477

 

[github-actions]

✅ Forge suite compat success on 3d74b598d151879ab419e0c4377370b39b5c491f ==> 6bc992ebef67d83e6d9c5cbcc21f93005d13c16a

Compatibility test results for 3d74b598d151879ab419e0c4377370b39b5c491f ==> 6bc992ebef67d83e6d9c5cbcc21f93005d13c16a (PR)
1. Check liveness of validators at old version: 3d74b598d151879ab419e0c4377370b39b5c491f
compatibility::simple-validator-upgrade::liveness-check : committed: 13580.34 txn/s, latency: 2558.70 ms, (p50: 2700 ms, p70: 2800, p90: 3300 ms, p99: 3700 ms), latency samples: 444940
2. Upgrading first Validator to new version: 6bc992ebef67d83e6d9c5cbcc21f93005d13c16a
compatibility::simple-validator-upgrade::single-validator-upgrade : committed: 5840.32 txn/s, latency: 5805.07 ms, (p50: 6500 ms, p70: 6600, p90: 6700 ms, p99: 6800 ms), latency samples: 201620
3. Upgrading rest of first batch to new version: 6bc992ebef67d83e6d9c5cbcc21f93005d13c16a
compatibility::simple-validator-upgrade::half-validator-upgrade : committed: 5952.57 txn/s, latency: 5724.68 ms, (p50: 6200 ms, p70: 6400, p90: 6500 ms, p99: 6700 ms), latency samples: 204680
4. upgrading second batch to new version: 6bc992ebef67d83e6d9c5cbcc21f93005d13c16a
compatibility::simple-validator-upgrade::rest-validator-upgrade : committed: 9932.80 txn/s, latency: 3273.73 ms, (p50: 3300 ms, p70: 3700, p90: 4600 ms, p99: 4900 ms), latency samples: 329860
5. check swarm health
Compatibility test for 3d74b598d151879ab419e0c4377370b39b5c491f ==> 6bc992ebef67d83e6d9c5cbcc21f93005d13c16a passed
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Validator CPU Profile
• Fullnode CPU Profile
• Test runner output
• Test run is land-blocking

[github-actions]

✅ Forge suite realistic_env_max_load success on 6bc992ebef67d83e6d9c5cbcc21f93005d13c16a

two traffics test: inner traffic : committed: 13715.70 txn/s, submitted: 13716.02 txn/s, expired: 0.32 txn/s, latency: 2745.88 ms, (p50: 2700 ms, p70: 2900, p90: 3000 ms, p99: 3600 ms), latency samples: 5103340
two traffics test : committed: 100.01 txn/s, latency: 786.24 ms, (p50: 700 ms, p70: 800, p90: 900 ms, p99: 1200 ms), latency samples: 1660
Latency breakdown for phase 0: ["MempoolToBlockCreation: max: 2.190, avg: 2.121", "ConsensusProposalToOrdered: max: 0.168, avg: 0.165", "ConsensusOrderedToCommit: max: 0.071, avg: 0.069", "ConsensusProposalToCommit: max: 0.239, avg: 0.234"]
Max non-epoch-change gap was: 0 rounds at version 0 (avg 0.00) [limit 4], 0.46s no progress at version 4860018 (avg 0.07s) [limit 15].
Max epoch-change gap was: 0 rounds at version 0 (avg 0.00) [limit 4], 0.49s no progress at version 2430142 (avg 0.49s) [limit 16].
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Validator CPU Profile
• Fullnode CPU Profile
• Test runner output
• Test run is land-blocking

[github-actions]

✅ Forge suite framework_upgrade success on 3d74b598d151879ab419e0c4377370b39b5c491f ==> 6bc992ebef67d83e6d9c5cbcc21f93005d13c16a

Compatibility test results for 3d74b598d151879ab419e0c4377370b39b5c491f ==> 6bc992ebef67d83e6d9c5cbcc21f93005d13c16a (PR)
Upgrade the nodes to version: 6bc992ebef67d83e6d9c5cbcc21f93005d13c16a
framework_upgrade::framework-upgrade::full-framework-upgrade : committed: 2517.16 txn/s, submitted: 2525.79 txn/s, failed submission: 8.63 txn/s, expired: 8.63 txn/s, latency: 1155.76 ms, (p50: 1200 ms, p70: 1200, p90: 1500 ms, p99: 2100 ms), latency samples: 227622
framework_upgrade::framework-upgrade::full-framework-upgrade : committed: 2344.35 txn/s, submitted: 2350.03 txn/s, failed submission: 5.68 txn/s, expired: 5.68 txn/s, latency: 1242.96 ms, (p50: 1200 ms, p70: 1400, p90: 1600 ms, p99: 1900 ms), latency samples: 214680
5. check swarm health
Compatibility test for 3d74b598d151879ab419e0c4377370b39b5c491f ==> 6bc992ebef67d83e6d9c5cbcc21f93005d13c16a passed
Upgrade the remaining nodes to version: 6bc992ebef67d83e6d9c5cbcc21f93005d13c16a
framework_upgrade::framework-upgrade::full-framework-upgrade : committed: 1515.56 txn/s, submitted: 1520.19 txn/s, failed submission: 4.63 txn/s, expired: 4.63 txn/s, latency: 1945.00 ms, (p50: 1200 ms, p70: 1500, p90: 2100 ms, p99: 11800 ms), latency samples: 137342
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Validator CPU Profile
• Fullnode CPU Profile
• Test runner output
• Test run is land-blocking