feat(swingset-liveslots): endow passStyleOf to liveslots guest compar…
…tment (#9874) A variant of #9431 . @warner , feel free to just adopt these changes into #9431 rather than reviewing this alternate. closes: #9781 refs: #9431 endojs/endo#2377 endojs/endo#2408 ## Description The code running under liveslots, i.e., user-level vat code such as contracts, must not be able to sense gc. Thus, liveslots endows them with virtual-storage-aware WeakMap and WeakSet, which treat the virtual object as the weakly held key, whereas the builtin WeakMap and WeakSet would treat the momentary representative as the weakly held key. To achieve this, the virtual-storage-aware WeakMap and WeakSet must impose a comparative storage leak. However, some WeakMaps and WeakSets are used purely as an encapsulated unobservable memo, in the sense that the clients of the encapsulating abstraction cannot sense whether the memo hit or missed (modulo timing of course, which we can also deny). `passStyleOf` is such an abstraction. Measurements show that the storage leak it causes is significant. The judgement of `passStyleOf` is only to report the pass-style of its arguments, and all virtual objects that have a representative have a pass-style of `'remotable'` every time any of their representatives is tested. To avoid this storage leak, endojs/endo#2377 (merged, released, and synced with agoric-sdk) and endojs/endo#2408 (still in review) together enable liveslots to endow the compartment it unbundles with its own efficient `passStyleOf`, built from the primitive WeakMap which it encapsulates. This PR does two things: - makes the change to liveslots to do this endowing, according to the conventions supported by endojs/endo#2377 and endojs/endo#2408 - because endojs/endo#2408 is not yet synced with agoric-sdk, this PR adds an "equivalent" patch, so that we can depend on it before the next endo sync. 
### Security Considerations This design *assumes* that the endowed `passStyleOf` makes the memo hits vs misses unobservable, so its dependence on these does not enable the code using it to observe gc. If there is some way to trick it into exposing the difference between a hit and miss, that would be a security concern. ### Scaling Considerations The point. With this PR, the storage leak caused by the `passStyleOf` memo should go away. For some vats, this should be a big improvement. ### Documentation Considerations For the normal developer, none. ### Testing Considerations Adapts the tests originally written by @warner in #9431 , which seem to demonstrate that this works both for node-based and for XS-based vats. ### Upgrade Considerations I don't believe there are any. When linked with an endo preceding even endojs/endo#2377 , the only consequence should be that the storage leak remains unfixed. Likewise, if an endo with endojs/endo#2377 and even endojs/endo#2408 is linked with an agoric-sdk prior to the PR, the only consequence should be that the storage leak remains unfixed.
Showing
8 changed files
with
118 additions
and
10 deletions.
@@ -0,0 +1,62 @@ | ||
// @ts-nocheck | ||
import '@endo/init/debug.js'; | ||
import test from 'ava'; | ||
import { Far } from '@endo/marshal'; | ||
import { kser } from '@agoric/kmarshal'; | ||
import { passStyleOf } from '@endo/pass-style'; | ||
import { PassStyleOfEndowmentSymbol } from '@endo/pass-style/endow.js'; | ||
import { makeLiveSlots } from '../src/index.js'; | ||
import { makeStartVat } from './util.js'; | ||
import { buildSyscall } from './liveslots-helpers.js'; | ||
import { makeMockGC } from './mock-gc.js'; | ||
|
||
test('vat globals', async t => { | ||
const { syscall } = buildSyscall(); | ||
const gcTools = makeMockGC(); | ||
const buildRootObject = () => Far('root', {}); | ||
let called = 0; | ||
let vatGlobals; | ||
let inescapableGlobalProperties; | ||
const vatNS = harden({ buildRootObject }); | ||
// buildVatNamespace | ||
const bVN = async (vG, iGP) => { | ||
called += 1; | ||
vatGlobals = vG; | ||
inescapableGlobalProperties = iGP; | ||
return vatNS; | ||
}; | ||
|
||
const ls = makeLiveSlots(syscall, 'vatA', {}, {}, gcTools, undefined, bVN); | ||
t.is(called, 0); // not called yet | ||
await ls.dispatch(makeStartVat(kser())); | ||
t.is(called, 1); | ||
t.truthy(vatGlobals); | ||
|
||
// 'harden' is provided by SES (installed by the lockdown bundle), | ||
// not liveslots | ||
t.is(typeof vatGlobals.harden, 'undefined'); | ||
|
||
// but liveslots provides VatData | ||
t.is(typeof vatGlobals.VatData, 'object'); | ||
t.is(typeof vatGlobals.VatData, 'object'); | ||
t.is(typeof vatGlobals.VatData.defineKind, 'function'); | ||
t.is(typeof vatGlobals.VatData.defineKindMulti, 'function'); | ||
t.is(typeof vatGlobals.VatData.defineDurableKind, 'function'); | ||
t.is(typeof vatGlobals.VatData.defineDurableKindMulti, 'function'); | ||
t.is(typeof vatGlobals.VatData.makeKindHandle, 'function'); | ||
t.is(typeof vatGlobals.VatData.canBeDurable, 'function'); | ||
t.is(typeof vatGlobals.VatData.providePromiseWatcher, 'function'); | ||
t.is(typeof vatGlobals.VatData.watchPromise, 'function'); | ||
t.is(typeof vatGlobals.VatData.makeScalarBigMapStore, 'function'); | ||
t.is(typeof vatGlobals.VatData.makeScalarBigWeakMapStore, 'function'); | ||
t.is(typeof vatGlobals.VatData.makeScalarBigSetStore, 'function'); | ||
t.is(typeof vatGlobals.VatData.makeScalarBigWeakSetStore, 'function'); | ||
t.is(typeof vatGlobals[PassStyleOfEndowmentSymbol], 'function'); | ||
// this is the passStyleOf created by liveslots, with a real WeakMap | ||
t.is(vatGlobals[PassStyleOfEndowmentSymbol], passStyleOf); | ||
|
||
t.is(typeof inescapableGlobalProperties.WeakMap, 'function'); | ||
t.not(inescapableGlobalProperties.WeakMap, WeakMap); | ||
t.is(typeof inescapableGlobalProperties.WeakSet, 'function'); | ||
t.not(inescapableGlobalProperties.WeakSet, WeakSet); | ||
}); |
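Review bot: The assertion `t.is(typeof vatGlobals.VatData, 'object');` appears twice in a row in the new test; the second copy adds nothing and should be dropped. The comment `// this is the passStyleOf created by liveslots, with a real WeakMap` also reads as if liveslots builds its own function, whereas the assertion that follows pins `vatGlobals[PassStyleOfEndowmentSymbol]` to the very `passStyleOf` imported from `@endo/pass-style`; I would reword it to `// liveslots endows the host passStyleOf (memo backed by a primitive WeakMap), not one built on the virtualized WeakMap the guest sees`. That identity check, together with the `t.not(inescapableGlobalProperties.WeakMap, WeakMap)` pair, is what actually supports the "memo hit vs miss is unobservable" argument in the description, so the comment should say so rather than imply a separately constructed function.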
@@ -0,0 +1,29 @@ | ||
diff --git a/node_modules/@endo/compartment-mapper/src/policy.js b/node_modules/@endo/compartment-mapper/src/policy.js | ||
index ee2a8fb..98af69a 100644 | ||
--- a/node_modules/@endo/compartment-mapper/src/policy.js | ||
+++ b/node_modules/@endo/compartment-mapper/src/policy.js | ||
@@ -10,7 +10,9 @@ import { | ||
policyLookupHelper, | ||
} from './policy-format.js'; | ||
|
||
-const { create, entries, values, assign, keys, freeze } = Object; | ||
+const { create, entries, values, assign, freeze, getOwnPropertyDescriptors } = | ||
+ Object; | ||
+const { ownKeys } = Reflect; | ||
const q = JSON.stringify; | ||
|
||
/** | ||
@@ -28,7 +30,12 @@ export const ATTENUATORS_COMPARTMENT = '<ATTENUATORS>'; | ||
*/ | ||
const selectiveCopy = (from, to, list) => { | ||
if (!list) { | ||
- list = keys(from); | ||
+ const descs = getOwnPropertyDescriptors(from); | ||
+ list = ownKeys(from).filter( | ||
+ key => | ||
+ // @ts-expect-error TypeScript still confused about a symbol as index | ||
+ descs[key].enumerable, | ||
+ ); | ||
} | ||
for (let index = 0; index < list.length; index += 1) { | ||
const key = list[index]; |
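Review bot: The widened default `list` in `selectiveCopy` now admits enumerable symbol keys, but the loop body that consumes each `key` continues past the end of this patch file, so I could not confirm that the rest of the function is symbol-safe; any `q(key)` or string concatenation of `key` on an error path would yield `undefined` from `JSON.stringify` or throw `TypeError: Cannot convert a Symbol value to a string` for the newly admitted keys, which would surface only when a symbol-keyed endowment such as `PassStyleOfEndowmentSymbol` is present. Worth reading the remainder of `selectiveCopy` (and the `policy-format.js` helpers it calls) against a symbol key, and adding a small test that copies an object with one enumerable symbol-keyed property to confirm it lands on `to` unchanged. Since this is a hand-written stand-in for endojs/endo#2408 rather than the vendored upstream, also confirm the filter matches upstream's final behaviour for non-enumerable symbol keys before the next endo sync replaces it.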