Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

decide+implement API for durable virtual objects/collections: makeDurableKind? #4495

Closed
warner opened this issue Feb 8, 2022 · 1 comment · Fixed by #4824
Closed

decide+implement API for durable virtual objects/collections: makeDurableKind? #4495

warner opened this issue Feb 8, 2022 · 1 comment · Fixed by #4824
Assignees
@FUDCo
Labels
enhancement New feature or request SwingSet package: SwingSet
Milestone
Mainnet 1 RC0

Comments

@warner
Copy link
Member

warner commented Feb 8, 2022

What is the Problem Being Solved?

Our plan for vat upgrade requires user code to use "Durable" to mark their precious-for-upgrade data. Instead of plain "virtual objects", they must use "durable objects" (aka "durable virtual objects", we're still seeking out a comfortable name). Instead of #2004 "virtual collections", they must use "durable collections".

For durable collections, the API is the same as for non-durable collections, so we only need to pick new names. I think @FUDCo is going with something like makeScalarDurableMapStore vs makeScalarBigMapStore, etc, for the four kinds of collections we currently have (makeScalarBig{Weak,}{Map,Set}Store). These collection objects can be serialized to the #4325 "baggage" to be retrieved by the new version during upgrade.

For non-durable virtual objects, we define makeInstance = makeKind(behavior), which creates the instance maker from a behavior record. For durable virtual objects, we need a way for the new version to establish replacement behavior, which requires some sort of handle that is distinct from the mere instance-making authority. @FUDCo 's current proposal is:

const handle = allocateDurableKind();
const makeInstance = makeDurableKind(handle, behavior);
baggage.set('name', handle);

The handle is an unforgeable serializable durable object. If the kind creates instances with vrefs like o+12/NN, then the handle would serialize to just o+12. It is technically exportable, although it's unlikely you would ever send it off-vat. Since it's durable, it can be stored in the baggage and retrieved by the next version. That next version can call makeDurableKind with the new behavior:

const handle = baggage.get('name');
const makeInstance = makeDurableKind(handle, newBehavior);

Description of the Design

Once we agree upon the API, the implementation needs are:

  • define the durable versions of the collection creation functions, add to VatData
    • this is mostly trivial, the main work is to forbid non-durable data as keys/values
  • define makeDurableKind, make the handle serializable
  • docs to explain to userspace authors how to use the durability

We need to sketch out enough of the upgrade process to see what a vat's version2 would look like, and decide that we're happy with the approach. We don't need to implement baggage or upgrade for this ticket, but upgrade needs to follow smoothly from the API choices we make here.

Security Considerations

The "handle" should be closely held, to make sure only the right portion of the new vat's code gets the ability to commandeer the durable objects.

Storage Considerations

We need to decide how and when the vat's non-durable data gets deleted during upgrade, which may influence the implementation of the durable stores. I see two constraints:

One option is that liveslots and the kernel have an agreement, e.g. "all vatstore keys starting with vsd. are durable and retained, all keys starting with vs. are non-durable and deleted). Then the kernel begins the upgrade-vat event by deleting all the non-durable keys. These deletions are stored in the crank buffer, and unwound if the upgrade crank fails.

Another option is that liveslots is responsible for enumerating and deleting all the non-durable keys itself. This reduces coupling between liveslots and kernel, however it would involve O(N) syscalls that'll be pretty expensive.

@FUDCo pointed out that each kind has an ID (o+NN), and each kind is either durable or not, and the metadata to indicate durability is stored in the vatstore. So if the kernel knows about the algorithm liveslots uses, the DB has enough information to figure out which keys should be kept. I'm concerned about reducing the coupling, though, so I'd be more comfortable with a protocol like vsd.*.

Test Plan

unit tests
@warner warner added enhancement New feature or request SwingSet package: SwingSet labels Feb 8, 2022
@FUDCo
Copy link
Contributor

FUDCo commented Feb 8, 2022

Note: We already implement the durable collection creation functions and already implement the exclusion of non-durable stuff from them and from durable virtual objects.

FUDCo added a commit that referenced this issue Mar 11, 2022
@FUDCo
feat: implement the durable kind API
14a0ebc 
Closes issue #4495
This was referenced Mar 11, 2022
Merged
Closed
FUDCo added a commit that referenced this issue Mar 16, 2022
@FUDCo
feat: implement the durable kind API
02fc356 
Closes issue #4495
FUDCo added a commit that referenced this issue Mar 18, 2022
@FUDCo
feat: implement the durable kind API
56bad98 
Closes #4495
@mergify mergify bot closed this as completed in #4824 Mar 18, 2022
@Tartuffo Tartuffo added this to the Mainnet 1 milestone Mar 23, 2022
@warner warner mentioned this issue Apr 5, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@FUDCo FUDCo

Labels
enhancement New feature or request SwingSet package: SwingSet
Projects
None yet
Milestone
Mainnet 1 RC0
Development

Successfully merging a pull request may close this issue.

Implement durable kind API Agoric/agoric-sdk
3 participants
@warner @Tartuffo @FUDCo