fix(compartment-mapper): Stabilize hashes in face of layout changes

Previously, compartment names in an archive always included a sequence
number, which allowed for the possibility of two packages with the same
name and version.
With this change, a sequence number is replaced with a duplicate
number only when there are multiple packages with the same number.

Please see the detailed comments for the rationale for this change.
The result should be that archive hashes are much less sensitive
to differences in the layout of the dependency graph.

Fixes #919

packages/compartment-mapper/src/archive.js

@@ -50,18 +50,73 @@ const resolveLocation = (rel, abs) => new URL(rel, abs).toString();
 
 const { keys, entries, fromEntries } = Object;
 
+/** @type {<T>(a: T, b: T) => number} */
+// eslint-disable-next-line no-nested-ternary
+const compare = (a, b) => ((a === b ? 0 : a < b ? -1 : 1));
+
 /**
+ * We attempt to produce compartment maps that are consistent regardless of
+ * whether the packages were originally laid out on disk for development or
+ * production, and other trivia like the fully qualified path of a specific
+ * installation.
+ *
+ * Naming compartments for the self-ascribed name and version of each Node.js
+ * package is insufficient because they are not guaranteed to be unique.
+ * Dependencies do not necessarilly come from the npm registry and may be
+ * for example derived from fully qualified URL's or Github org and project
+ * names.
+ * Package managers are also not required to fully deduplicate the hard
+ * copy of each package even when they are identical resources.
+ * Duplication is undesirable, but we elect to defer that problem to solutions
+ * in the package managers, as the alternative would be to consistently hash
+ * the original sources of the packages themselves, which may not even be
+ * available much less pristine for us.
+ *
+ * So, instead, we use the lexically least path of dependency names, delimited
+ * by hashes.
+ * The compartment maps generated by the ./node-modules.js tooling pre-compute
+ * these traces for our use here.
+ * We sort the compartments lexically on their self-ascribed name and version,
+ * and use the lexically least dependency name path as a tie-breaker.
+ * The dependency path is logical and orthogonal to the package manager's
+ * actual installation location, so should be orthogonal to the vagaries of the
+ * package manager's deduplication algorithm.
+ *
  * @param {Record<string, CompartmentDescriptor>} compartments
  * @returns {Record<string, string>} map from old to new compartment names.
  */
 const renameCompartments = compartments => {
   /** @type {Record<string, string>} */
   const renames = Object.create(null);
-  let n = 0;
-  for (const [name, compartment] of entries(compartments)) {
-    const { label } = compartment;
-    renames[name] = `${label}-n${n}`;
-    n += 1;
+  let index = 0;
+  let prev = '';
+
+  // The sort below combines two comparators to avoid depending on sort
+  // stability, which became standard as recently as 2019.
+  // If that date seems quaint, please accept my regards from the distant past.
+  // We are very proud of you.
+  const compartmentsByPath = Object.entries(compartments)
+    .map(([name, compartment]) => ({
+      name,
+      path: compartment.path,
+      label: compartment.label,
+    }))
+    .sort((a, b) => {
+      if (a.label === b.label) {
+        return compare(a.path, b.path);
+      }
+      return compare(a.label, b.label);
+    });
+
+  for (const { name, label } of compartmentsByPath) {
+    if (label === prev) {
+      renames[name] = `${label}-n${index}`;
+      index += 1;
+    } else {
+      renames[name] = label;
+      prev = label;
+      index = 1;
+    }
   }
   return renames;
 };
@@ -73,7 +128,7 @@ const renameCompartments = compartments => {
  */
 const translateCompartmentMap = (compartments, sources, renames) => {
   const result = Object.create(null);
-  for (const compartmentName of keys(compartments).sort()) {
+  for (const compartmentName of keys(renames)) {
     const compartment = compartments[compartmentName];
     const { name, label, retained } = compartment;
     if (retained) {

packages/compartment-mapper/src/node-modules.js

@@ -23,6 +23,7 @@
  * @typedef {Object} Node
  * @property {string} label
  * @property {string} name
+ * @property {string} path
  * @property {boolean} explicit
  * @property {Record<string, string>} exports
  * @property {Record<string, string>} dependencies - from module name to
@@ -36,7 +37,6 @@
 import { inferExports } from './infer-exports.js';
 import { parseLocatedJson } from './json.js';
 import { unpackReadPowers } from './powers.js';
-import { assertCompartmentMap } from './compartment-map.js';
 
 const { assign, create, keys, values } = Object;
 
@@ -278,6 +278,7 @@ const graphPackage = async (
 
   Object.assign(result, {
     name,
+    path: '',
     label: `${name}${version ? `-v${version}` : ''}`,
     explicit: exports !== undefined,
     exports: inferExports(packageDescriptor, tags, types),
@@ -395,6 +396,40 @@ const graphPackages = async (
   return graph;
 };
 
+/**
+ * Compute the lexically shortest path from the entry package to each
+ * transitive dependency package.
+ * The path is a delimited with hashes, so hash is forbidden to dependency
+ * names.
+ * The empty string is a sentinel for a path that has not been computed.
+ *
+ * The shortest path serves as a suitable sort key for generating archives that
+ * are consistent even when the package layout on disk changes, as the package
+ * layout tends to differ between installation with and without devopment-time
+ * dependencies.
+ *
+ * @param {Graph} graph
+ * @param {string} location
+ * @param {string} path
+ */
+const trace = (graph, location, path) => {
+  const node = graph[location];
+  if (node.path !== '' && node.path <= path) {
+    return;
+  }
+  node.path = path;
+  for (const name of keys(node.dependencies)) {
+    if (name.includes('#')) {
+      throw new Error(
+        `Package at ${q(location)} has a dependency named ${q(
+          name,
+        )} containing the octothorpe symbol ("#") which frustrates use of "#" in dependency paths so Endo does not support such dependencies`,
+      );
+    }
+    trace(graph, node.dependencies[name], `${path}#${name}`);
+  }
+};
+
 /**
  * translateGraph converts the graph returned by graph packages (above) into a
  * compartment map.
@@ -425,7 +460,7 @@ const translateGraph = (
   // package and is a complete list of every external module that the
   // corresponding compartment can import.
   for (const packageLocation of keys(graph).sort()) {
-    const { name, label, dependencies, parsers, types } = graph[
+    const { name, path, label, dependencies, parsers, types } = graph[
       packageLocation
     ];
     /** @type {Record<string, ModuleDescriptor>} */
@@ -461,6 +496,7 @@ const translateGraph = (
     compartments[packageLocation] = {
       label,
       name,
+      path,
       location: packageLocation,
       modules,
       scopes,
@@ -507,18 +543,15 @@ export const compartmentMapForNodeModules = async (
     packageDescriptor,
     dev,
   );
+
+  trace(graph, packageLocation, '#');
+
   const compartmentMap = translateGraph(
     packageLocation,
     moduleSpecifier,
     graph,
     tags,
   );
 
-  // Cross-check:
-  // We assert that we have constructed a valid compartment map, not because it
-  // might not be, but to ensure that the assertCompartmentMap function can
-  // accept all valid compartment maps.
-  assertCompartmentMap(compartmentMap);
-
   return compartmentMap;
 };

packages/compartment-mapper/src/types.js

@@ -38,6 +38,7 @@ export {};
  *
  * @typedef {Object} CompartmentDescriptor
  * @property {string} label
+ * @property {string} [path] - shortest path of dependency names to this compartment
  * @property {string} name - the name of the originating package suitable for
  * constructing a sourceURL prefix that will match it to files in a developer
  * workspace.

packages/compartment-mapper/test/test-integrity.js

@@ -52,7 +52,7 @@ test('extracting an archive with a missing file', async t => {
   const reader = new ZipReader(validBytes);
   const writer = new ZipWriter();
   writer.files = reader.files;
-  writer.files.delete('app-v1.0.0-n0/main.js');
+  writer.files.delete('app-v1.0.0/main.js');
   const invalidBytes = writer.snapshot();
 
   await t.throwsAsync(
@@ -65,7 +65,7 @@ test('extracting an archive with a missing file', async t => {
       }),
     {
       message:
-        'Failed to load module "./main.js" in package "app-v1.0.0-n0" (1 underlying failures: Cannot find file app-v1.0.0-n0/main.js in Zip file missing.zip',
+        'Failed to load module "./main.js" in package "app-v1.0.0" (1 underlying failures: Cannot find file app-v1.0.0/main.js in Zip file missing.zip',
     },
   );
 
@@ -85,7 +85,7 @@ test('extracting an archive with an inconsistent hash', async t => {
   writer.files = reader.files;
 
   // Add a null byte to one file.
-  const node = writer.files.get('app-v1.0.0-n0/main.js');
+  const node = writer.files.get('app-v1.0.0/main.js');
   const content = new Uint8Array(node.content.byteLength + 1);
   content.set(node.content, 0);
   node.content = content;
@@ -101,7 +101,7 @@ test('extracting an archive with an inconsistent hash', async t => {
         },
       }),
     {
-      message: `Failed to load module "./main.js" in package "app-v1.0.0-n0" (1 underlying failures: Module "main.js" of package "app-v1.0.0-n0" in archive "corrupt.zip" failed a SHA-512 integrity check`,
+      message: `Failed to load module "./main.js" in package "app-v1.0.0" (1 underlying failures: Module "main.js" of package "app-v1.0.0" in archive "corrupt.zip" failed a SHA-512 integrity check`,
     },
   );