-
Notifications
You must be signed in to change notification settings - Fork 212
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(async-flow): error on guest E use #9443
Conversation
Deploying agoric-sdk with Cloudflare Pages
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll let @michaelfig review the HandledPromise
logic in the makeGuest*
functions, my brain always hurt thinking of the handler plumbing.
- need to test what kind of error state this goes into. Should be a panic, so that an upgrade can unblock guest execution that got stuck trying to
E
.
I just had a pesky thought about the following:
const payment= E(purse).withdraw(amount);
foo.receive(payment); // note not using `E` here. `foo` is a guest wrapper of a host local exo
at the time receive
is called, payment
is a basic HandledPromise
unknown to the membrane because the promise handler is always called in a future turn (but always same crank). I honestly do now know how to solve this except providing our own E
with our own HandledPromise
implementation, or somehow enforce that the payment
promise argument becomes know by the next turn, but I'm really warry of going down turn counting routes.
I don't understand the problem. You didn't say what
My guest is you mean the first. But either way, AFAICT, it should work. What am I missing? |
I asked
offline @mhofman explained
to which I responded
|
agoric-sdk/packages/async-flow/test/bad-host.test.js Lines 64 to 67 in ceec1d5
verifies that passing a guest-created promise as argument of a host call is a panic. With that settled, this PR is Ready for re-review |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Conditional approval assuming the suggested test change is not controversial. I would also still feel more comfortable if @michaelfig could double check that we're setting up eventual-send handlers the right way on guest objects.
Co-authored-by: Mathieu Hofman <86499+mhofman@users.noreply.github.com>
b1796b5
to
7416d5d
Compare
closes: #XXXX refs: #9322, #9299 #9443 ## Description PR #9322 is supposed to provide production quality support for asyncFlow guest functions to use `E`. It is being reviewed for that goal, and will not be merged until we think it meets that bar. However, we need to start integration testing of asyncFlow with orchestration, to spot mismatched assumptions we may have missed. For this purpose, we do not immediately need production quality `E` support. That is the purpose of this PR. It starts as a copy of the code from #9322 but need only be evaluated as adequate for these stopgap purposes before being merged. This PR does *NOT* claim to f-i-x #9299 , leaving that job to remain with #9322 Even though the requirements on this PR are so much lighter, reviewers should still look at the unresolved conversations on #9322 and determine if any of those need to first be solved even in this PR. ### Security Considerations When merging stopgap code to master, there is always the danger that it might be used as if it production code. We need to remember not to do so, instead waiting for #9322 to do the job for real. ### Scaling Considerations none ### Documentation Considerations just as this stopgap unblocks integration testing, it also likely unblocks documenting how to use asyncFlow, both in general and for orchestration. ### Testing Considerations As a stopgap, this PR does not need the rigorous testing that #9322 should have. ### Upgrade Considerations We need to not use this stopgap for production purposes.
closes: #XXXX
refs: #9299 #9322
Description
Prepare for #9322 by making any guest use of
E
until then cause an error. We expect that it might be a while before #9322 is ready for review. By merging this PR soon, we prevent any guest code or logs that would commit us to an incompat way of handlingE
.Security Considerations
none
Scaling Considerations
none
Documentation Considerations
Should document that guests cannot invoke host vows or remotables with
E
until #9322 , which won't happen immediately.Testing Considerations
E
.Upgrade Considerations
The point. By making such use of
E
an error now, we ensure that #9322 can proceed without causing any compat problem with committed durable state.