make Zoe durable #5997
make Zoe durable #5997
Conversation
Chris-Hibbert
force-pushed
the
4383-durable-InstanceAdmin
branch
from
575fd50 to
e989f7f
Compare
Chris-Hibbert
changed the base branch from
master
to
gibson-4567-notifier-package-durability
Chris-Hibbert
added
Zoe
Chris-Hibbert
force-pushed
the
4383-durable-InstanceAdmin
branch
from
e989f7f to
350b919
Compare
Chris-Hibbert
changed the title
Chris-Hibbert
force-pushed
the
4383-durable-InstanceAdmin
branch
2 times, most recently
from
e63d04d to
c3010a4
Compare
Chris-Hibbert
force-pushed
the
4383-durable-InstanceAdmin
branch
2 times, most recently
from
58d46cf to
86dcfcc
Compare
There was a problem hiding this comment.
Review so far. I got through all of zcf and everything but zoe itself. Of course, zoe is where the action is, so it will still take significant time to complete.
High level comment so far: I don't understand why zcf needed such radical surgery, since coveredCall-durable.js already demonstrates that zcf is upgradable. If we really were saving all the precious semantic state that the successor needs to revivify a working zcf, then the additional durable things seem like a distraction.
gibson042
force-pushed
the
gibson-4567-notifier-package-durability
branch
from
b5c2470 to
3a8498c
Compare
This is an important question. The original Zoe and ZCF shared some state using Promises and bags of functions. It's no longer possible for Zoe to hold onto a loose function, so some things that didn't have to be durable object for the ZCF upgrade case have to be durable In order for Zoe to hold onto them. |
gibson042
force-pushed
the
gibson-4567-notifier-package-durability
branch
2 times, most recently
from
eac2982 to
dc22548
Compare
|
This review pass done. |
Chris-Hibbert
force-pushed
the
4383-durable-InstanceAdmin
branch
from
7ebfd2d to
8137369
Compare
Chris-Hibbert
force-pushed
the
4383-durable-InstanceAdmin
branch
from
8137369 to
2c41f06
Compare
packages/zoe/src/typeGuards.js
Outdated
| export const BundleShape = M.and( | ||
| M.partial({ moduleFormat: M.string() }), | ||
| M.recordOf(M.string(), M.string()), | ||
| ); |
There was a problem hiding this comment.
I think this was more correct before literally taking @kriskowal 's advice.
- @Chris-Hibbert , We still need the
{ stringLengthLimit: Infinity }to evade the limit check, right? - @kriskowal ,
M.partialis deprecated in favor ofM.splitArrayandM.splitRecord. - @kriskowal , By using
M.partialyou're saying thatmoduleFormatis optional, as did the old code when the first argument tosplitRecordwasharden({}). But your prose says it is mandatory. Assuming it is mandatory, I removed that first argument tosplitRecordbelow.
So, does the following look right?
export const ModuleFormatBundleShape = M.splitRecord(
harden({ moduleFormat: M.any() }),
);
export const BundleShape = M.and(ModuleFormatBundleShape, SourceBundleShape);There was a problem hiding this comment.
(just edited my suggested code from M.or to M.and)
There was a problem hiding this comment.
We still need the { stringLengthLimit: Infinity } to evade the limit check, right?
I believe so. It's still in SourceBundleShape. I don't think it's necessary anywhere else.
export const SourceBundleShape = M.recordOf(
M.string(),
M.string({ stringLengthLimit: Infinity }),
);
There was a problem hiding this comment.
I pushed this change, and tests are passing now.
@kriskowal with your agreement that this change is correct, I'll merge this PR.
packages/zoe/src/typeGuards.js
Outdated
| export const SourceBundleShape = M.recordOf( | ||
| M.string(), | ||
| M.string({ stringLengthLimit: Infinity }), | ||
| ); | ||
| export const ModuleFormatBundleShape = M.splitRecord( | ||
| harden({ moduleFormat: M.any() }), | ||
| ); | ||
| export const BundleShape = M.and(ModuleFormatBundleShape, SourceBundleShape); |
There was a problem hiding this comment.
| export const SourceBundleShape = M.recordOf( | |
| M.string(), | |
| M.string({ stringLengthLimit: Infinity }), | |
| ); | |
| export const ModuleFormatBundleShape = M.splitRecord( | |
| harden({ moduleFormat: M.any() }), | |
| ); | |
| export const BundleShape = M.and(ModuleFormatBundleShape, SourceBundleShape); | |
| export const BundleShape = M.and( | |
| M.splitRecord(harden({ moduleFormat: M.string() })), | |
| M.recordOf( | |
| M.string(), | |
| M.string(harden({ stringLengthLimit: Infinity })), | |
| ), | |
| ); |
How does splitRecord differ from partial? Is harden necessary there in a way that would apply equally to M.string’s arg?
The bundle shape described in this way applies equally well to source bundles and hash bundles, so the intermediate names are not useful. If we wish to cut finer distinctions, we’ll need shapes for SourceBundle and HashBundle that are the union of supported formats in each case. HashBundle is of the form { moduleFormat: 'endoZipBase64Sha512', endoZipBase64Sha512: string } and SourceBundle is one of { moduleFormat: 'getExports', source: string }, { moduleFormat: 'nestedEvaluate', source: string }, or { moduleFormat: 'endoZipBase64', endoZipBase64: string, endoZipBase64Sha512?: string }.
There was a problem hiding this comment.
I switched to this simplified BundleShape, and used it in all the places BundleShape or SourceBundleShape appeared. I'll merge like this.
Chris-Hibbert
force-pushed
the
4383-durable-InstanceAdmin
branch
from
b0864f0 to
ad36f3c
Compare
closes: #4383
refs: #6502
Description
Make Zoe durable.
The prior version passed around many bundles of functions. Those had to be converted to durable facets to be passable.
Security Considerations
Pervasive
Documentation Considerations
seat notifiers (which notified on interim allocations) have been dropped and replaced with a subscriber that only notifies when the seat exits.
The way feeMintAccess is obtained changed.
The methods that allowed requests for internal allocation state (
getCurrentAllocationJig) has been dropped. Many of the clients can usegetFinalAllocation()instead.zoe.bindDefaultFeePurse,zoe.makeFeePurse, andzcf.assert()were dropped.Testing Considerations
Test timing changed in some cases, since Promises can no longer be used.