fix(inter-protocol): ensure PSM availability after staging failure

[dckc]

closes: #6096

Description

When an attempt to trade IST for anchor/reference token fails due to lack of anchor funds in the PSM, seat stagings were left in an inconsistent state, preventing further service. This fix clears the seat stagings on failure.

@erights @Chris-Hibbert this also includes a couple zoe tweaks that @dtribble helped me with.

Security Considerations

availability is good :)

Testing Considerations

added a reasonably thorough unit test

[turadg]

ticket? we probably will want to reference it often and it can serve to teach why and when to clear.

[dckc]

Dunno. That comment pre-dates this PR.

[turadg]

Ok. Since it's written in this contract twice and relevant to other contracts, I'm requesting a ticket to document the footgun and that it be referenced from the places like this that say "someday…"

[dtribble]

note that only one of the comments is valid (the one before the mintGains). The assert got copied to provide a better diagnostic, but the comment needs to be deleted.

[dckc]

added #6116 and cited it. I don't understand that issue very well, so I'd appreciate it if someone else would clarify the title / description. @michaelfig helped me a little.

[turadg]

could we codify this pattern now with a contract helper? something like,

atomicReallocate(zcf, [
  [seat, anchorPool, { In: given }, { Anchor: given }],
  [stage, seat, { Stable: afterFee }, { Out: afterFee }],
  [stage, feePool, { Stable: fee }],
]);

[Chris-Hibbert]

I think it needs an onFail: clause to invoke burnLosses

[dckc]

postponed to #6116

[erights]

Progress on #6116 at #6577 , where stageMgr.commit() replaces zcf.reallocate(...) and does guarantee that all staging are cleared, whether the commit succeeded or failed.

@dtribble 's suggested stageMgr.transfer operation is much like @turadg 's rows of atomicReallocate above. The contrast between the list and the reified stageMgr is approx the contrast between #6577 and #4327

[turadg]

yay for typing. this param would benefit from more docs:

```suggestion
     * @param {{seat: UserSeat, offerResult: *}} [out] will be filled

[turadg]

But I find the need for this suspicious. This function is returning payouts to abstract away seat and offerResult… but here we are needing to punch through. Will contract users need to also? If so we should just change the return type to hide less: {seat, offerResult, payouts}.

Or would it be sufficient to have {numWantsSatisfied, payouts}?

[dckc]

Yes, I was too lazy to change the other call sites. Returning just the seat might be most straightforward.

[dckc]

I refactored the driver to have additional methods that expose the seat.

[turadg]

this data driven test calls for Ava macros. See #5900

[dckc]

Note that the items have to be used within one test. The whole point is to not make a new PSM between them. Do macros work that way?

[turadg]

usually things that need be shared between tests are configured with before and beforeEach. but I won't block on this.

[dckc]

it needs to be shared between these trades but no other tests

[turadg]

then another file would work well. this test function is doing a lot of work to replicate some of the before and macro semantics.

[dckc]

Let's punt on this for today.

[turadg]

just parroting the linter here: gotta remove the ignoreContext import

[turadg]

though, why delegate here at all? we can delete the const clear above.

Suggested change

	clear: ({ self }) => clear(self),
	clear: ({ self }) => {
	if (zcfSeatToStagedAllocations.has(self)) {
	zcfSeatToStagedAllocations.delete(self);
	}
	};

[Chris-Hibbert]

I think MarkM hinted at the right choice here. Please inline the method, so it'll be more apparent that the parameter handling is parallel to the sibling methods.

[turadg]

this is a change to the throw behavior of clear. was the earlier behavior documented or tested?

I'll go google it since our API docs aren't on the APIs ;-) https://docs.agoric.com/zoe/api/zoe-contract-facet.html#zcfseat-clear Nope.

[Chris-Hibbert]

Not only are there no tests for clear, there appear to be no tests for zcfSeat.

[not suggesting this PR add anything.]

[Chris-Hibbert]

I think there's more discussion going on, so I'm going to submit my current comments and wait to see how it settles before reviewing again.

[Chris-Hibbert]

Even though I've been working with JS for a couple years now, seeing false and 1 as two possible values of a flag strikes me as wrong.

[Chris-Hibbert]

Does the TODO on line 158 interact with the current problem at all? Can it be updated?

[dckc]

we certainly have relevant tests; I'm getting rid of that TODO in favor of #6116

[Chris-Hibbert]

I think it needs an onFail: clause to invoke burnLosses

[Chris-Hibbert]

I think MarkM hinted at the right choice here. Please inline the method, so it'll be more apparent that the parameter handling is parallel to the sibling methods.

[turadg]

LGTM given #6116 (which I've added to PSM audit release)

[Chris-Hibbert]

I like this. It's a definite improvement on my approach of making the proposal, and then adding the want later.

[Chris-Hibbert]

I get what this is doing now, but only because of side conversations about ava macros. It would be nice if it said that the first line was intended to fail because the PSM doesn't have any anchor until after a want completes. Does the third fail because it doesn't include fees?