Rename ExecutionMode to IsolationStrategy (#1932)

* Rename ExecutionMode to IsolationStrategy

Execution mode is too generic name and can imply a lot of different
aspects of execution. The notion of isolation better describes the
meant aspect.

And while I am at it, I also renamed mode -> strategy cause it seems a
bit more appropriate, although that is way more subjective.

* Fix compilation in wasm_executor tests.

* Add a comment to IsolationStrategy

* Update comments on IsolationStrategy

* Update node/core/candidate-validation/src/lib.rs

Co-authored-by: Bastian Köcher <bkchr@users.noreply.github.com>

* Accomodate the point on interruption

* Update parachain/src/wasm_executor/mod.rs

Co-authored-by: Andronik Ordian <write@reusable.software>

* Naming nits

Co-authored-by: Bastian Köcher <bkchr@users.noreply.github.com>
Co-authored-by: Andronik Ordian <write@reusable.software>

polkadot/parachain/src/wasm_executor/mod.rs

@@ -37,9 +37,40 @@ const MAX_RUNTIME_MEM: usize = 1024 * 1024 * 1024; // 1 GiB
 const MAX_CODE_MEM: usize = 16 * 1024 * 1024; // 16 MiB
 const MAX_VALIDATION_RESULT_HEADER_MEM: usize = MAX_CODE_MEM + 1024; // 16.001 MiB
 
-/// The execution mode for the `ValidationPool`.
+/// The strategy we employ for isolating execution of wasm parachain validation function (PVF).
+///
+/// For a typical validator an external process is the default way to run PVF. The rationale is based
+/// on the following observations:
+///
+/// (a) PVF is completely under control of parachain developers who may or may not be malicious.
+/// (b) Collators are in charge of providing PoV who also may or may not be malicious.
+/// (c) PVF is executed by a wasm engine based on optimizing compiler which is a very complex piece
+///     of machinery.
+///
+/// (a) and (b) may lead to a situation where due to a combination of PVF and PoV the validation work
+/// can stuck in an infinite loop, which can open up resource exhaustion or DoS attack vectors.
+///
+/// While some execution engines provide functionality to interrupt execution of wasm module from
+/// another thread, there are also some caveats to that: there is no clean way to interrupt execution
+/// if the control flow is in the host side and at the moment we haven't rigoriously vetted that all
+/// host functions terminate or, at least, return in a short amount of time. Additionally, we want
+/// some freedom on choosing wasm execution environment.
+///
+/// On top of that, execution in a separate process helps to minimize impact of (c) if exploited.
+/// It's not only the risk of miscompilation, but it also includes risk of JIT-bombs, i.e. cases
+/// of specially crafted code that take enourmous amounts of time and memory to compile.
+///
+/// At the same time, since PVF validates self-contained candidates, validation workers don't require
+/// extensive communication with polkadot host, therefore there should be no observable performance penalty
+/// coming from inter process communication.
+///
+/// All of the above should give a sense why isolation is crucial for a typical use-case.
+///
+/// However, in some cases, e.g. when running PVF validation on android (for whatever reason), we
+/// cannot afford the luxury of process isolation and thus there is an option to run validation in
+/// process. Also, running in process is convenient for testing.
 #[derive(Clone, Debug)]
-pub enum ExecutionMode {
+pub enum IsolationStrategy {
 	/// The validation worker is ran in a thread inside the same process.
 	InProcess,
 	/// The validation worker is ran using the process' executable and the subcommand `validation-worker` is passed
@@ -60,7 +91,7 @@ pub enum ExecutionMode {
 	},
 }
 
-impl Default for ExecutionMode {
+impl Default for IsolationStrategy {
 	fn default() -> Self {
 		#[cfg(not(any(target_os = "android", target_os = "unknown")))]
 		{
@@ -136,19 +167,19 @@ pub enum InternalError {
 pub fn validate_candidate(
 	validation_code: &[u8],
 	params: ValidationParams,
-	execution_mode: &ExecutionMode,
+	isolation_strategy: &IsolationStrategy,
 	spawner: impl SpawnNamed + 'static,
 ) -> Result<ValidationResult, ValidationError> {
-	match execution_mode {
-		ExecutionMode::InProcess => {
+	match isolation_strategy {
+		IsolationStrategy::InProcess => {
 			validate_candidate_internal(validation_code, &params.encode(), spawner)
 		},
 		#[cfg(not(any(target_os = "android", target_os = "unknown")))]
-		ExecutionMode::ExternalProcessSelfHost(pool) => {
+		IsolationStrategy::ExternalProcessSelfHost(pool) => {
 			pool.validate_candidate(validation_code, params)
 		},
 		#[cfg(not(any(target_os = "android", target_os = "unknown")))]
-		ExecutionMode::ExternalProcessCustomHost { pool, binary, args } => {
+		IsolationStrategy::ExternalProcessCustomHost { pool, binary, args } => {
 			let args: Vec<&str> = args.iter().map(|x| x.as_str()).collect();
 			pool.validate_candidate_custom(validation_code, params, binary, &args)
 		},