feat(move): Move view functions (verifier implementation) - package upgradability (#11449)

# Description of change

View Functions metadata upgradability

## Links to any relevant issues

fixes #11414

---------

Co-authored-by: Mirko Zichichi <mirko.zichichi@iota.org>

Author: lollobene

crates/iota-core/src/unit_tests/data/move_upgrade/view_base/Move.toml

@@ -0,0 +1,7 @@
+[package]
+name = "package_upgrade_base"
+version = "0.0.1"
+edition = "2024"
+
+[addresses]
+base_addr = "0x0"

crates/iota-core/src/unit_tests/data/move_upgrade/view_base/sources/base.move

@@ -0,0 +1,8 @@
+// Copyright (c) Mysten Labs, Inc.
+// Modifications Copyright (c) 2026 IOTA Stiftung
+// SPDX-License-Identifier: Apache-2.0
+
+module base_addr::base {
+    #[view]
+    public fun return_0(): u64 { 0 }
+}

crates/iota-core/src/unit_tests/data/move_upgrade/view_removed/Move.toml

@@ -0,0 +1,7 @@
+[package]
+name = "package_upgrade_base"
+version = "0.0.1"
+edition = "2024"
+
+[addresses]
+base_addr = "0x0"

crates/iota-core/src/unit_tests/data/move_upgrade/view_removed/sources/base.move

@@ -0,0 +1,7 @@
+// Copyright (c) Mysten Labs, Inc.
+// Modifications Copyright (c) 2026 IOTA Stiftung
+// SPDX-License-Identifier: Apache-2.0
+
+module base_addr::base {
+    public fun return_0(): u64 { 0 }
+}

crates/iota-core/src/unit_tests/move_package_upgrade_tests.rs

@@ -459,6 +459,23 @@ async fn test_upgrade_incompatible() {
     )
 }
 
+#[tokio::test]
+async fn test_upgrade_cannot_remove_view_attribute() {
+    let mut runner = UpgradeStateRunner::new("move_upgrade/view_base").await;
+
+    let (digest, modules) = build_upgrade_test_modules("view_removed");
+    let effects = runner
+        .upgrade(UpgradePolicy::COMPATIBLE, digest, modules, vec![])
+        .await;
+
+    assert_eq!(
+        effects.into_status().unwrap_err().0,
+        ExecutionFailureStatus::PackageUpgradeError {
+            upgrade_error: PackageUpgradeError::IncompatibleUpgrade,
+        },
+    )
+}
+
 #[tokio::test]
 async fn test_upgrade_package_incorrect_digest() {
     let mut runner = UpgradeStateRunner::new("move_upgrade/base").await;

crates/iota-types/src/move_package.rs

@@ -42,7 +42,9 @@ use derive_more::Display;
 use fastcrypto::hash::HashFunction;
 use iota_protocol_config::ProtocolConfig;
 use move_binary_format::{
-    binary_config::BinaryConfig, file_format::CompiledModule, file_format_common::VERSION_6,
+    binary_config::BinaryConfig,
+    file_format::CompiledModule,
+    file_format_common::{IOTA_METADATA_KEY, VERSION_6},
     normalized,
 };
 use move_core_types::{
@@ -755,6 +757,43 @@ where
     Ok(normalized_modules)
 }
 
+/// If `include_code` is set to `false`, the normalized module will skip
+/// function bodies but still include the signatures.
+///
+/// The returned metadata is the IOTA-specific runtime metadata attached to the
+/// module, or the default empty metadata when the module has no IOTA metadata.
+pub fn normalize_modules_with_metadata<
+    'a,
+    S: Hash + Eq + Clone + ToString,
+    Pool: normalized::StringPool<String = S>,
+    I,
+>(
+    pool: &mut Pool,
+    modules: I,
+    binary_config: &BinaryConfig,
+    include_code: bool,
+) -> IotaResult<BTreeMap<String, (normalized::Module<S>, RuntimeModuleMetadata)>>
+where
+    I: Iterator<Item = &'a Vec<u8>>,
+{
+    let mut normalized_modules = BTreeMap::new();
+    for bytecode in modules {
+        let module =
+            CompiledModule::deserialize_with_config(bytecode, binary_config).map_err(|error| {
+                IotaError::ModuleDeserializationFailure {
+                    error: error.to_string(),
+                }
+            })?;
+        let metadata = runtime_module_metadata(&module)?;
+        let normalized_module = normalized::Module::new(pool, &module, include_code);
+        normalized_modules.insert(
+            normalized_module.name().to_string(),
+            (normalized_module, metadata),
+        );
+    }
+    Ok(normalized_modules)
+}
+
 /// If `include_code` is set to `false`, the normalized module will skip
 /// function bodies but still include the signatures.
 pub fn normalize_deserialized_modules<
@@ -778,6 +817,54 @@ where
     normalized_modules
 }
 
+/// If `include_code` is set to `false`, the normalized module will skip
+/// function bodies but still include the signatures.
+///
+/// The returned metadata is the IOTA-specific runtime metadata attached to the
+/// module, or the default empty metadata when the module has no IOTA metadata.
+pub fn normalize_deserialized_modules_with_metadata<
+    'a,
+    S: Hash + Eq + Clone + ToString,
+    Pool: normalized::StringPool<String = S>,
+    I,
+>(
+    pool: &mut Pool,
+    modules: I,
+    include_code: bool,
+) -> IotaResult<BTreeMap<String, (normalized::Module<S>, RuntimeModuleMetadata)>>
+where
+    I: Iterator<Item = &'a CompiledModule>,
+{
+    let mut normalized_modules = BTreeMap::new();
+    for module in modules {
+        let metadata = runtime_module_metadata(module)?;
+        let normalized_module = normalized::Module::new(pool, module, include_code);
+        normalized_modules.insert(
+            normalized_module.name().to_string(),
+            (normalized_module, metadata),
+        );
+    }
+    Ok(normalized_modules)
+}
+
+fn runtime_module_metadata(module: &CompiledModule) -> IotaResult<RuntimeModuleMetadata> {
+    let Some(metadata) = module
+        .metadata
+        .iter()
+        .find(|metadata| metadata.key == IOTA_METADATA_KEY)
+    else {
+        return Ok(RuntimeModuleMetadata::default());
+    };
+
+    let metadata_wrapper: RuntimeModuleMetadataWrapper =
+        bcs::from_bytes(&metadata.value).map_err(|error| {
+            IotaError::RuntimeModuleMetadataDeserialization {
+                error: error.to_string(),
+            }
+        })?;
+    RuntimeModuleMetadata::try_from(metadata_wrapper)
+}
+
 fn build_linkage_table<'p>(
     mut immediate_dependencies: BTreeSet<ObjectID>,
     transitive_dependencies: impl IntoIterator<Item = &'p MovePackage>,

iota-execution/latest/iota-adapter/src/programmable_transactions/execution.rs

@@ -24,15 +24,15 @@ mod checked {
             TxContext, TxContextKind,
         },
         coin::Coin,
-        error::{ExecutionError, ExecutionErrorKind, command_argument_error},
+        error::{ExecutionError, ExecutionErrorKind, IotaError, command_argument_error},
         execution_config_utils::to_binary_config,
         execution_status::{CommandArgumentError, PackageUpgradeError},
         id::RESOLVED_IOTA_ID,
         metrics::LimitsMetrics,
         move_package::{
             IotaAttribute, MovePackage, PackageMetadata, RuntimeModuleMetadata,
             RuntimeModuleMetadataWrapper, UpgradeCap, UpgradePolicy, UpgradeReceipt, UpgradeTicket,
-            normalize_deserialized_modules,
+            normalize_deserialized_modules_with_metadata, normalize_modules_with_metadata,
         },
         object::OBJECT_START_VERSION,
         storage::{PackageObject, get_package_objects},
@@ -769,10 +769,24 @@ mod checked {
 
         let pool = &mut normalized::RcPool::new();
         let binary_config = to_binary_config(context.protocol_config);
-        let Ok(current_normalized) =
-            existing_package.normalize(pool, &binary_config, /* include code */ true)
-        else {
-            invariant_violation!("Tried to normalize modules in existing package but failed")
+        let current_normalized = match normalize_modules_with_metadata(
+            pool,
+            existing_package.serialized_module_map().values(),
+            &binary_config,
+            true, // include code
+        ) {
+            Ok(modules) => modules,
+            Err(IotaError::ModuleDeserializationFailure { .. }) => {
+                invariant_violation!("Tried to normalize modules in existing package but failed")
+            }
+            Err(e) => {
+                return Err(ExecutionError::new_with_source(
+                    ExecutionErrorKind::PackageUpgradeError {
+                        upgrade_error: PackageUpgradeError::IncompatibleUpgrade,
+                    },
+                    e,
+                ));
+            }
         };
 
         let existing_modules_len = current_normalized.len();
@@ -792,13 +806,22 @@ mod checked {
                 ),
             ));
         }
-        let mut new_normalized = normalize_deserialized_modules(
+
+        let mut new_normalized = normalize_deserialized_modules_with_metadata(
             pool,
             upgrading_modules.iter(),
             true, // include code
-        );
-        for (name, cur_module) in current_normalized {
-            let Some(new_module) = new_normalized.remove(&name) else {
+        )
+        .map_err(|e| {
+            ExecutionError::new_with_source(
+                ExecutionErrorKind::PackageUpgradeError {
+                    upgrade_error: PackageUpgradeError::IncompatibleUpgrade,
+                },
+                e,
+            )
+        })?;
+        for (name, (cur_module, cur_metadata)) in current_normalized {
+            let Some((new_module, new_metadata)) = new_normalized.remove(&name) else {
                 return Err(ExecutionError::new_with_source(
                     ExecutionErrorKind::PackageUpgradeError {
                         upgrade_error: PackageUpgradeError::IncompatibleUpgrade,
@@ -807,6 +830,7 @@ mod checked {
                 ));
             };
 
+            check_view_function_compatibility(&name, &cur_metadata, &new_metadata)?;
             check_module_compatibility(&policy, &cur_module, &new_module)?;
         }
 
@@ -846,6 +870,51 @@ mod checked {
         })
     }
 
+    /// Verifies that any function marked `#[view]` in the current package
+    /// remains marked `#[view]` in the upgraded package. Removing the attribute
+    /// would preserve the Move bytecode signature but break clients that rely
+    /// on view-function metadata for read-only execution.
+    fn check_view_function_compatibility(
+        module_name: &str,
+        cur_metadata: &RuntimeModuleMetadata,
+        new_metadata: &RuntimeModuleMetadata,
+    ) -> Result<(), ExecutionError> {
+        let cur_view_functions = view_functions(cur_metadata);
+        if cur_view_functions.is_empty() {
+            return Ok(());
+        }
+
+        let new_view_functions = view_functions(new_metadata);
+        for function_name in cur_view_functions {
+            if !new_view_functions.contains(&function_name) {
+                return Err(ExecutionError::new_with_source(
+                    ExecutionErrorKind::PackageUpgradeError {
+                        upgrade_error: PackageUpgradeError::IncompatibleUpgrade,
+                    },
+                    format!(
+                        "Function {module_name}::{function_name} was marked #[view] in the \
+                         previous package version but is not marked #[view] in the upgraded \
+                         package"
+                    ),
+                ));
+            }
+        }
+
+        Ok(())
+    }
+
+    fn view_functions(metadata: &RuntimeModuleMetadata) -> BTreeSet<String> {
+        metadata
+            .fun_attributes_iter()
+            .filter(|&(_function_name, attributes)| {
+                attributes
+                    .iter()
+                    .any(|attribute| matches!(attribute, IotaAttribute::View))
+            })
+            .map(|(function_name, _attributes)| function_name.clone())
+            .collect()
+    }
+
     /// Retrieves a `PackageObject` from the storage based on the provided
     /// `package_id`. It ensures that exactly one package is fetched,
     /// returning an invariant violation if the number of fetched packages