[compiler][vm] add visibility modifier to structs/enums: step 5

[rahxephon89]

Description

This PR

• Adds validation logic to verify that structs/enums used as transaction arguments are:
  a. public (have public pack functions with #[struct_api(pack)] attribute)
  b. have the copy ability
  c. all field types are also valid transaction arguments
• Adds the logic to construct values of public structs by finding and calling the pack API
• Adds check to compiler for transaction arguments
• Adds supports of enum in JSON representation for argument types
• Adds a new feature flag PUBLIC_STRUCT_ENUM_ARGS for enabling public structs/enums as txn args.

Note that this PR does not contain code to support public structs in CLI because it requires encoding the type information.

How Has This Been Tested?

new e2e move tests and api tests.

Key Areas to Review

Whether the validation logic is correct and complete;
Whether the test cases give good coverage;
Whether this change may cause any compatibility issues.

Type of Change

• New feature
• Bug fix
• Breaking change
• Performance improvement
• Refactoring
• Dependency update
• Documentation update
• Tests

Which Components or Systems Does This Change Impact?

• Validator Node
• Full Node (API, Indexer, etc.)
• Move/Aptos Virtual Machine
• Aptos Framework
• Aptos CLI/SDK
• Developer Infrastructure
• Move Compiler
• Other (specify)

Checklist

• I have read and followed the CONTRIBUTING doc
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I identified and added all stakeholders and component owners affected by this change as reviewers
• I tested both happy and unhappy path of the functionality
• I have made corresponding changes to the documentation

---

Note

High Risk
Touches VM transaction argument validation/construction, type/layout plumbing, and on-chain feature gating, which can affect transaction acceptance and execution semantics. Although gated by PUBLIC_STRUCT_ENUM_ARGS, the change is broad and adds new parsing/construction paths (including generics and enums).

Overview
Enable public copy structs/enums as txn args behind PUBLIC_STRUCT_ENUM_ARGS. The VM verifier now treats non-whitelisted structs/enums as valid transaction arguments when they have copy ability, are public via generated pack$... functions, and all (recursively substituted) field types are themselves valid; it also constructs these arguments by invoking the appropriate cached pack function (including enum variants).

Expand API and tooling to encode/validate these types. The API JSON-to-BCS converter gains enum JSON parsing and generic parameter substitution for entry functions before argument conversion; Move layout/types plumbing is updated to carry type tags for WithVariants and to emit WithVariants layouts for general enums (while preserving Option’s legacy representation). A new on-chain feature flag is wired through release/prod configs, compiler extended checks are updated to match VM rules, and new API + e2e tests cover positive flows, malformed JSON/variants, generic/private type rejection, and feature-disable/enable behavior.

^{Written by Cursor Bugbot for commit 4f22f38. This will update automatically on new commits. Configure here.}

[rahxephon89]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• [CLI][Move] support public structs/enums as txn args in CLI #18591
• [compiler][vm] add visibility modifier to structs/enums: step 5 #18489 👈 (View in Graphite)
• [compiler][vm] add visibility modifier to structs/enums: step 4 #18165 : 1 other dependent PR (#18381 )
• [compiler][vm] add visibility modifier to structs/enums: step 3 #18117
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[georgemitenkov]

Why do we need a tag in WithVariants layout here?

[georgemitenkov]

Question: why this change? Looking through PR I do not see any usages of type_? But maybe I am missing something

[georgemitenkov]

I see, so it is used here. Do we need this for API? Or why exactly?

[rahxephon89]

In build_from_definition, when we instantiate a generic with enum, we need to support MoveStructLayout for enums. If we don't support it here, error will be raised.

[georgemitenkov]

I think having feature gate by v10 format lesehwere is better. For Move VM txn args are irrelevant, so I am not sure this is the best place to add this thing. Just gating in txn_arg_validation is good enough?

[rahxephon89]

Added a new feature flag PUBLIC_STRUCT_ENUM_ARGS to control it instead of using V10.

[georgemitenkov]

nit: looks like useless comment?

[rahxephon89]

removed

[georgemitenkov]

nit: looks like useless comment?

[rahxephon89]

removed

[georgemitenkov]

Can we factor out his so that:

if m.self_id().is_option() {
  build_option_layout_from_definition(...)
} else {
  build_any_variant_layout_from_definition(...)
}

[georgemitenkov]

Why we support it here, but not for option? I think we do not need this here and only WithTypes need to be supported, and if so, we can process all layouts here and do not even match on layout type: check it is with_types in advance.

[rahxephon89]

removed

[georgemitenkov]

Is this correct: we would allow Option<NonPublicStruct> here. Don't we need to check inst for Option (because we know it is a field)? How did it work before could you construct None of non-public type, bit not Some(..)?

[rahxephon89]

yes, because we don't know at the compile time whether T will be instantiated with a public or non-public values, which should be checked when running the entry function with full type instantiation.

[georgemitenkov]

nit: imports and use . syntax?

[rahxephon89]

done

[georgemitenkov]

we should never disable it though, because if you published v10 bytecode it becomes unloadable? is it better to split feature gating and having a dedicated feature for controlling such args? in a sense that this scenario is not really possible? what can happen is v9 bytecode is published and Point is non-public. We fail to run functions/ Then we enable v10. Running this entry starts to work?

[georgemitenkov]

Do we need a match? can unwrap in tests

[georgemitenkov]

Q: can we return Point struct from this view function, does it work even for non-public structs?

[rahxephon89]

currently view functions can already return a struct value

[cursor]

Negative test incorrectly assumes transaction is discarded

Medium Severity

The test test_generic_container_with_non_public_type_arg_rejected calls api_execute_txn (which expects HTTP 202 and commits the transaction) then asserts the transaction is NOT in the ledger. However, INVALID_MAIN_FUNCTION_SIGNATURE (status code 1011) falls in the Verification status range, so keep_or_discard returns Ok(KeptVMStatus::MiscellaneousError) — the transaction is kept, not discarded. The transaction will be committed to the ledger with a failed execution status, and the assertion !found_test_txn will fail because the transaction IS present.

 

[cursor]

Negative test incorrectly assumes transaction is discarded

Medium Severity

The test test_generic_container_with_non_public_type_arg_rejected calls api_execute_txn (which expects HTTP 202 and commits the transaction) then asserts the transaction is NOT in the ledger. However, INVALID_MAIN_FUNCTION_SIGNATURE (status code 1011) falls in the Verification status range, so keep_or_discard returns Ok(KeptVMStatus::MiscellaneousError) — the transaction is kept, not discarded. The transaction will be committed to the ledger with a failed execution status, and the assertion !found_test_txn will fail because the transaction IS present.

 

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Variant index cast to u16 without bounds check

Low Severity

In try_into_vm_value_struct, variant_index from enumerate() (a usize) is cast to u16 with variant_index as u16 without a bounds check. If an enum has more than 65535 variants, this would silently truncate. The VM-side construct_public_copy_struct correctly validates variant_idx_usize > u16::MAX, but this JSON conversion path does not.