Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(zoe): Make zcf singleton durable #9531

Merged
merged 5 commits into from
Jun 19, 2024
Merged

feat(zoe): Make zcf singleton durable #9531

merged 5 commits into from
Jun 19, 2024

Conversation

erights
Copy link
Member

@erights erights commented Jun 19, 2024

Staged on #9533

refs: #9281

Description

The zcf object will effectively need to be passed through orchestrate as an endowment. Because zcf is not durable, or even an exo, we were originally planning to do it with a mechanism involving a standing durable object, and then wrap and unwrap it on either side of the membrane. But if zcf were durable, we wouldn't need all this complexity. It turns out, if this PR is correct, that making zcf durable is trivial.

Security Considerations

Making zcf into a durable exo also involves giving it an interface guard. The interface guard in the first commit of this PR makes a needed exception for makeInvitation and setTestJig because both of them accept non-passable parameters. The defaultGuards: 'passable' option means that all other methods default to a guard that merely enforces that all arguments and return results are passable. This does make zcf somewhat more defensive, but not much.

Given this starting point, we can grow that ZcfI interface guard to do more explicit input validation of the other methods, which will help security, and make us less vulnerable to insufficient input validation in the zcf methods themselves. As we move more of the input validation to the method guards, we should be able to remove ad hoc input validation code in the method which has become redundant. Replacement of ad hoc input validation with declarative guard-based input validation should help security.

I don't yet know whether I'll grow the ZcfI interface guard to have these explicit method guards in further commits to this PR or in later PR.

Scaling Considerations

The extra guard checks are potentially an issue, but we won't know until we profile.

Documentation Considerations

none

Testing Considerations

I need to understand setTestJig better.

Upgrade Considerations

Making zcf durable means that it has a durable identity that survives upgrade. As a durable exo singleton, it is stateless, meaning that it gets back all the state it needs during prepareExo as state that its methods capture (close over) rather than as exo instance state. This reflects naturally the initial intuition that the zcf endowment, being stateless, could just be represented to asyncFlow as a singleton standin, re-endowed during the prepare phase.

@erights erights self-assigned this Jun 19, 2024
@erights erights requested a review from Chris-Hibbert June 19, 2024 00:47
Copy link

cloudflare-workers-and-pages bot commented Jun 19, 2024

Deploying agoric-sdk with  Cloudflare Pages  Cloudflare Pages

Latest commit: ecd1c75
Status: ✅  Deploy successful!
Preview URL: https://041634c6.agoric-sdk.pages.dev
Branch Preview URL: https://markm-exofy-zcf.agoric-sdk.pages.dev

View logs

@erights erights marked this pull request as ready for review June 19, 2024 03:03
@erights erights requested review from turadg and dtribble June 19, 2024 03:03
Copy link
Member

@turadg turadg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

For testing, I think our existing ZCF upgrade tests cover it

vm.CoreProposalStepForModules("@agoric/builders/scripts/vats/upgrade-zcf.js"),

However, that's part of current upgrade handler, so once this is in master @iomekam will need to be sure not to include in the u16 release branch. (I expect u16 is close enough to release that we shouldn't delay it with this; and it's easy to include in the next core-eval)

packages/zoe/src/contractFacet/typeGuards.js Show resolved Hide resolved
packages/zoe/src/contractFacet/zcfZygote.js Show resolved Hide resolved
packages/zoe/src/typeGuards.js Show resolved Hide resolved
packages/zoe/test/unitTests/zcf/zcf.test.js Show resolved Hide resolved
@erights erights changed the base branch from master to markm-setTestJig-param-optional June 19, 2024 16:53
Copy link
Contributor

@Chris-Hibbert Chris-Hibbert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow! surprisingly trivial change.

@0xpatrickdev 0xpatrickdev added the automerge:rebase Automatically rebase updates, then merge label Jun 19, 2024
@turadg turadg removed the automerge:rebase Automatically rebase updates, then merge label Jun 19, 2024
@erights erights force-pushed the markm-setTestJig-param-optional branch from 5c8f836 to 426a3be Compare June 19, 2024 22:40
Base automatically changed from markm-setTestJig-param-optional to master June 19, 2024 22:55
@turadg turadg added automerge:rebase Automatically rebase updates, then merge automerge:squash Automatically squash merge and removed automerge:rebase Automatically rebase updates, then merge labels Jun 19, 2024
mergify bot added a commit that referenced this pull request Jun 19, 2024
closes: #XXXX
refs: #9531 (comment)

## Description

The implementation of `setTestJig` at https://github.com/Agoric/agoric-sdk/blob/37ec151b08de3d8e432a2599ccc532d4e72caedb/packages/zoe/src/contractFacet/zcfZygote.js#L358 treats its param as optional. The call to `setTestJig` at https://github.com/Agoric/documentation/blob/89a7dd53cd59b4008a36d23abdfa5665d1852336/snippets/tools/zcfTesterContract.js#L12 omits its parameter. The doc-comment on the type at https://github.com/Agoric/agoric-sdk/blob/37ec151b08de3d8e432a2599ccc532d4e72caedb/packages/zoe/src/contractFacet/types-ambient.d.ts#L139 explains the parameter as optional. But the type itself declares the parameter as mandatory.

This initially led me at #9531 to declare the parameter as mandatory in the new `ZcfI` interface guard, but that caused the failure in the documentation repo discussed at https://github.com/Agoric/agoric-sdk/blob/37ec151b08de3d8e432a2599ccc532d4e72caedb/packages/zoe/src/contractFacet/types-ambient.d.ts#L139 . My comment in the code there and the subsequent discussion assumes that the usage at the documentation repo is what needs to be fixed. But given this other evidence, I think the static type needs to be fixed to type that parameter as optional. #9531 would then be ok as is, only needing removal of the comment indicating something is amiss.

### Security Considerations
There is an existing security concern with the existence of `setTestJig` at all. But this PR does not affect that security concern at all.

### Scaling Considerations
none
### Documentation Considerations
This PR would make the `setTestJig` call currently in the documentation repo correct.
### Testing Considerations
This problem was initially detected when testing #9531 when the guard declared the parameter as mandatory. This does reenforce the lesson that TS types are unsound by enforced guards are sound.
### Upgrade Considerations
This PR is only a static change consistent with all current usage and implementation, and so should have no upgrade considerations. However, just to minimize risk, it still makes sense to hold this back till after master is snapshot for u16.
@erights
Copy link
Member Author

erights commented Jun 19, 2024

@Mergifyio requeue

Copy link
Contributor

mergify bot commented Jun 19, 2024

requeue

✅ The queue state of this pull request has been cleaned. It can be re-embarked automatically

@mergify mergify bot merged commit 62c73f5 into master Jun 19, 2024
77 checks passed
@mergify mergify bot deleted the markm-exofy-zcf branch June 19, 2024 23:45
mhofman pushed a commit that referenced this pull request Jun 20, 2024
closes: #XXXX
refs: #9531 (comment)

## Description

The implementation of `setTestJig` at https://github.com/Agoric/agoric-sdk/blob/37ec151b08de3d8e432a2599ccc532d4e72caedb/packages/zoe/src/contractFacet/zcfZygote.js#L358 treats its param as optional. The call to `setTestJig` at https://github.com/Agoric/documentation/blob/89a7dd53cd59b4008a36d23abdfa5665d1852336/snippets/tools/zcfTesterContract.js#L12 omits its parameter. The doc-comment on the type at https://github.com/Agoric/agoric-sdk/blob/37ec151b08de3d8e432a2599ccc532d4e72caedb/packages/zoe/src/contractFacet/types-ambient.d.ts#L139 explains the parameter as optional. But the type itself declares the parameter as mandatory.

This initially led me at #9531 to declare the parameter as mandatory in the new `ZcfI` interface guard, but that caused the failure in the documentation repo discussed at https://github.com/Agoric/agoric-sdk/blob/37ec151b08de3d8e432a2599ccc532d4e72caedb/packages/zoe/src/contractFacet/types-ambient.d.ts#L139 . My comment in the code there and the subsequent discussion assumes that the usage at the documentation repo is what needs to be fixed. But given this other evidence, I think the static type needs to be fixed to type that parameter as optional. #9531 would then be ok as is, only needing removal of the comment indicating something is amiss.

### Security Considerations
There is an existing security concern with the existence of `setTestJig` at all. But this PR does not affect that security concern at all.

### Scaling Considerations
none
### Documentation Considerations
This PR would make the `setTestJig` call currently in the documentation repo correct.
### Testing Considerations
This problem was initially detected when testing #9531 when the guard declared the parameter as mandatory. This does reenforce the lesson that TS types are unsound by enforced guards are sound.
### Upgrade Considerations
This PR is only a static change consistent with all current usage and implementation, and so should have no upgrade considerations. However, just to minimize risk, it still makes sense to hold this back till after master is snapshot for u16.
mhofman pushed a commit that referenced this pull request Jun 22, 2024
closes: #XXXX
refs: #9531 (comment)

## Description

The implementation of `setTestJig` at https://github.com/Agoric/agoric-sdk/blob/37ec151b08de3d8e432a2599ccc532d4e72caedb/packages/zoe/src/contractFacet/zcfZygote.js#L358 treats its param as optional. The call to `setTestJig` at https://github.com/Agoric/documentation/blob/89a7dd53cd59b4008a36d23abdfa5665d1852336/snippets/tools/zcfTesterContract.js#L12 omits its parameter. The doc-comment on the type at https://github.com/Agoric/agoric-sdk/blob/37ec151b08de3d8e432a2599ccc532d4e72caedb/packages/zoe/src/contractFacet/types-ambient.d.ts#L139 explains the parameter as optional. But the type itself declares the parameter as mandatory.

This initially led me at #9531 to declare the parameter as mandatory in the new `ZcfI` interface guard, but that caused the failure in the documentation repo discussed at https://github.com/Agoric/agoric-sdk/blob/37ec151b08de3d8e432a2599ccc532d4e72caedb/packages/zoe/src/contractFacet/types-ambient.d.ts#L139 . My comment in the code there and the subsequent discussion assumes that the usage at the documentation repo is what needs to be fixed. But given this other evidence, I think the static type needs to be fixed to type that parameter as optional. #9531 would then be ok as is, only needing removal of the comment indicating something is amiss.

### Security Considerations
There is an existing security concern with the existence of `setTestJig` at all. But this PR does not affect that security concern at all.

### Scaling Considerations
none
### Documentation Considerations
This PR would make the `setTestJig` call currently in the documentation repo correct.
### Testing Considerations
This problem was initially detected when testing #9531 when the guard declared the parameter as mandatory. This does reenforce the lesson that TS types are unsound by enforced guards are sound.
### Upgrade Considerations
This PR is only a static change consistent with all current usage and implementation, and so should have no upgrade considerations. However, just to minimize risk, it still makes sense to hold this back till after master is snapshot for u16.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
automerge:squash Automatically squash merge
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants