Conversation
Deploying agoric-sdk with
|
| Latest commit: |
e3f38fc
|
| Status: | 🚫 Build failed. |
|
No dependency changes detected. Learn more about Socket for GitHub. 👍 No dependency changes detected in pull request |
dckc
force-pushed
the
dc-wallet-justin
branch
2 times, most recently
from
2127774 to
315c79e
Compare
| // XXX worth using a nameHub vs. a mapStore? | ||
| const { nameHub, nameAdmin } = this.state.my; | ||
| const endowments = { E, harden, assert, nameHub, nameAdmin }; | ||
| const c = new Compartment(endowments); |
There was a problem hiding this comment.
endowments are additions to the HardenedJS default allowed properties of c.globalThis. To restrict the Compartment's globalThis so that only endowments can be reached, I think you'd need something more like (untested):
| const c = new Compartment(endowments); | |
| const c = new Compartment(); | |
| for (const key of Reflect.ownKeys(c.globalThis)) { | |
| assert(Reflect.deleteProperty(c.globalThis, key)); | |
| } | |
| for (const [key, value] of Object.entries(endowments)) { | |
| assert(Reflect.defineProperty(c.globalThis, key, { value })); | |
| } | |
| harden(c.globalThis); |
There was a problem hiding this comment.
I'm not sure about the scope of your suggestion... could you give an example of an expression that shows how things work differently with the suggested approach?
There was a problem hiding this comment.
Given evaluation of a Justin expression:
try {
const ret = c.evaluate(`Number.isSafeInteger(123)`);
console.log('@@@ returned', ret);
} catch (e) {
console.log('@@@ caught', e);
}With the existing code, all of HardenedJS's tamed globals, in addition to the explicit endowments, are reachable by c.evaluate:
@@@ returned true
With (something like) my proposed code, only the endowments are reachable, not any other globals, so the above c.evaluate(...) will instead do:
@@@ caught ReferenceError: Number is not defined
I suggest you indicate in a comment which of these behaviours you desire for the c.evaluate.
There was a problem hiding this comment.
It seems like Number.isSafeInteger should be available. Is there anything in the default environment of Compartment that carries authority?
I suppose compute time is relevant too... [...].sort() will be O(n log(n)) rather than the usual case of O(n) for Justin exprs. I'm not sure denying that is practical, though. hm.
There was a problem hiding this comment.
anything in...
Compartmentthat carries authority?
Not in the sense of the ability to break integrity, short of what is added to c.globalThis (such as the properties of additionalGlobals in new Compartment(additionalGlobals)).
I'm not sure denying that is practical
Just spitballing some ideas, neither of which is necessarily practical or desirable:
- Further restrict an individual Compartment's capabilities with an allowlist or membrane, but both of those require HardenedJS features that we don't have yet.
- Have the host vat spawn separate child vats to perform evaluations, but that doesn't scale well in the current SwingSet.
There was a problem hiding this comment.
Talking with @erights, it seems there's a sweet spot I hadn't considered:
- Have a multitenant vat provide a hand-written Justin interpreter:
- The interpreter can take a method allowlist as a parameter, and also have restricted implementations of JS builtins
- Interpreter-level metering can abort a particular evaluation long before an XS-level meter overflow would kill the vat
There was a problem hiding this comment.
@michaelfig , I agree with the first bullet.
On the second bullet, yes, with care.
Normally we allow the Justin program to cause synchronous side effects. But if you terminate it with any meter-like mechanism and you don't kill the vat it is affecting, then you leave behind inconsistent corrupt state. Unless you
- limit the Justin code to only performing synchronous invocations that it could have performed remotely and asynchronously.
- start the Justin execution in its own turn.
Then, any of the methods it could invoke are designed to transition the vat from a consistent state to a consistent state by itself, without making assumptions about future incoming messages causing other effects.
IOW, sudden termination of such a local Justin computation is equivalent to a remote invoker who stops.
| assert, | ||
| nameHub, | ||
| nameAdmin, | ||
| namesByAddress, |
There was a problem hiding this comment.
watch out for promises as arguments.
dckc
changed the title
WIP: state migration (upgrade)
WIP: validate Justin syntax
Logging sent error stack Error: In "readonly" method of (NamesByAddressAdmin): result: promise "[Promise]" - Must be a remotable
at makeError (file:///home/connolly/projects/agoric-sdk/node_modules/ses/src/error/assert.js:350:61)
at throwLabeled (.../common/throw-labeled.js:23:20)
at applyLabelingError (.../common/apply-labeling-error.js:43:5)
at checkMatches (.../patterns/src/patterns/patternMatchers.js:420:5)
at mustMatch (.../patterns/src/patterns/patternMatchers.js:596:5)
at In "readonly" method of (NamesByAddressAdmin) [as
readonly] (.../exo/src/exo-tools.js:173:11)
returns obj after rx[method](...args) resolves
- price contract tracks incarnation - carrier contract delivers prize and shuts down - get boardId for carrier instance without putting it in agoricNames - startContract() handles privateArgs - move name, issuers to options bag - different friction around type of startSwap - use my.XYZ instead of nameHub.lookup(...); e.g. my.priceSetter
| E( | ||
| after(my.kit.publicFacet, { | ||
| rx: my.kit.adminFacet as any, // XXX after() type | ||
| method: 'restartContract', | ||
| args: [my.kit.privateArgs], | ||
| }), | ||
| ).getIncarnation(); // use the public (TODO: creator) facet |
There was a problem hiding this comment.
I learned in discussion with @kriskowal that this is needlessly contorted; it could/should be:
after(my.kit.publicFacet, E(my.kit.adminFacet).restartContract(my.kit.privateArgs)).getIncarnation()
with...
const after = (obj, prereq) = E.when(prereq, () => obj)
| async evalExpr(expr) { | ||
| const { fromEntries } = Object; | ||
| trace( | ||
| 'TODO: validate Justin syntax; see https://github.com/endojs/Jessie/pull/121#discussion_r1988126110', |
There was a problem hiding this comment.
@michaelfig while Justin is designed to execute in O(N), here we'd be parsing it. The PEG parser... does it backtrack? That wouldn't be O(N), would it?
discovered in discussion with @kriskowal
There was a problem hiding this comment.
PEG is the bnf-like grammar definition language. Packrat is the generated parsing algorithm. Due to its heavy memoization, for most purposes, packrat is linear in time and space. See the original paper at Packrat Parsing:
Simple, Powerful, Lazy, Linear Time, or the wikipedia page.
There was a problem hiding this comment.
From Bryan Ford's paper:
The basic reason the backtracking parser can take super-linear
time is because of redundant calls to the same parse function on the
same input substring, and these redundant calls can be eliminated
through memoization.
refs: - #8733 - #11256 ## Description - add a `nameHub` and `nameAdmin` to state of each offer result - add `spec.after.saveAs` option in `OfferSpec` to save an offer result - add `invokeItem` method in `BridgeAction` that uses a format somewhat like `callPipe` DRAFT until the TODOs below are addressed. ### Security / Scaling Considerations This is intended to serve as an efficient, straightforward alternative to continuing offers for the (common) case when no asset exchange is happening. The motivating usage is ymax oracles (it facitiliates optimizing Fast USDC oracles too). TODO: - [x] think thru allowing everyone, not just oracles, to use `invokeItem`. Without a suitable invitation, it's useless; but what about griefing? - [x] `callPipe` was allowed only on `agoricContract`; are we ready to drop that limitation? - [x] length limit was 3; this is currently unlimited; we haven't found motivation to extend past 3, have we? ### Documentation / Testing Considerations One happy path test shows that the feature works and how to use it. TODO - [x] test failure modes - [x] the test uses bundled code, which doesn't mix well with coverage tools. Invest in testBundle tests for smartWallet? ### Upgrade Considerations TODO: - [ ] figure out upgrade implications of adding to smartWallet exo state
|
OBE |
3 participants
closes: #8733, #10926, #8550
refs:
Description
This is an exploration of a design space...
delegate upgrade of a contract to an executive (toward governed contracts upgradable by electorate #7420)
afterendowment as inE.after()my.XYZtest(boot): set price without zoe offer using evalExpr
void E.when(walletHelper.receive(result), ???, ???)in a sync context. This looks like another state in offer handling.Security Considerations
options for cost recovery / spam mitigation / credible governance:
evalExprevalExprStakingViewScaling Considerations
Justin expressions are designed to execute in O(N) in the size of the expressions, though using
Ecan result in large constant factors -- cross-vat calls.[...].sort()use O(n log(N)) timeTODO:
Documentation Considerations
docs such as Submitting the Offer in the UI tutorial should get updated.
Testing Considerations
only basic happy-path testing is in place
Upgrade Considerations
evalExpr? If not, do we want/need to support it? Or do CLI tools suffice?TODO: