warner
commented
2 weeks ago Approach 2: Remap Exports
We can also approach this from the exporting side. The goal here would be to use adminNodeVatB to cause the Bob export to be forwarded, at the kernel level, to the replacement Carol object.
This would update all clients, even ones the upgrading party doesn't know about.
The simplest (but problematic) API would be E(adminNodeVatB).remapExports([ [bob, carol] ]). The kernel would use Bob to look up the kref, and then change the kernel object table to point the .owner for that kref at VatC (as the owner of Carol). It would then modify the VatC c-list for Carol's vref to map it to Bob's old kref.
If VatB is still operating, it would need to remove the VatB c-list entry, to maintain the invariant that objects are never simultaneously exported by multiple vats. It would be easier if VatB were disabled somehow (not terminated, which would trigger deletion, but it should certainly not be receiving deliveries).
The trouble is that Carol's original kref is already floating around: at the very least, both the upgrading (parent) vat and vat-vat-admin have seen it, and have Presences for both it and the original Bob. When we change VatC's "Carol" c-list entry to point at the old Bob kref, we should probably orphan the old Carol kref, and hope that the involved vats will drop it shortly.
As before, this would be easier if VatC is not really up and running yet, like if it's in some state where the replacement objects are ready to go, but it's holding off on talking to any other vat until its parent gives the all-clear.
Approach 3: Commandeer At First Export
To avoid exposing the initial Carol kref, we could use a scheme that involves a special "Claim" object. The adminNodeVatB is asked for ClaimBob Claims for Bob (and other exports), which are passed into VatC. Then, before Carol is exported for the first time, the code in VatC does something with liveslots to exercise the claim:
const startup = (claimBob, stuff) => {
const carol = ...;
vatPowers.claim(claimBob, carol);
};The Claim might be represented as a special kernel object, where instead of an .owner we have a .isClaim entry, maybe pointing at the kref being claimed. When liveslots sees the call to claim(), it does a special syscall, maybe:
syscall.claim(claimVref, replacementVref);This would be treated a bit like exporting replacementVref, as if we'd done e.g. syscall.send() with a methargs.slots=[replacementVref], except it wouldn't create a delivery. It would still create a new export c-list entry, but instead of the kernel allocating the next available kref, the kernel would:
- assign the claimed kref (e.g. Bob's kref) to VatC's carol vref
- change bobKref.owner to point at VatC
- remove the VatB c-list entry that used to point at bobKref
This would be easiest if VatB were no longer running, but we could also have the kernel allocate a new kref for Bob's old c-list entry (one which nobody is currently referencing). And/or somebody (maybe the claim() call?) could be given a reference to the old object, which it would be free to use or to drop as it sees fit. (it feels like there's a swap() pattern lurking in here somewhere, that might make things better, but I haven't nailed it down yet).
What is the Problem Being Solved?
When we designed the vat upgrade mechanism (
E(adminNode).upgrade(newBundlecap)), we kinda assumed that the first version of every vat would be prepared for upgrade. Back then, we figured it was just a question of the vat keeping all its state in durable baggage. But, time ran out, and we were unable to implement (and/or test) upgradability for all vats. And since then, we've discovered other impediments to upgrade, such as downstream vats not reacting well to the disconnected promises decided by the upgraded vats, where it is Vat2 that is preventing us from upgrading Vat1.As a result, while we've successfully upgraded several vats, we have at least a few which cannot be upgraded, or for which our full upgrade process is way more complicated than we want.
One workaround is to launch a replacement vat, then convince all the original vat's clients to talk to the replacement instead. We're in the process of doing that with the price feed vats, however we had to start by upgrading the client vat to be able to accept this "please talk to a replacement" request.
@erights and @dtribble were brainstorming about ways to accomplish our goals more easily, so we started talking about kernel support for this "please talk to a replacement" feature.
Description of the Design
The starting point is a client VatA, which has an object Alice, who is talking to a service object Bob in VatB:
Both VatA and VatB are "upgrade naïve": they're difficult (or impossible) to upgrade. But, we need to upgrade the service provided by VatB anyways. Our plan is to introduce a new VatC, with an object "Carol" which is prepared to take over the duties of Bob. When we're done, we want Alice to be transparently reconnected to Carol instead of Bob:
Preliminaries
We start with our standard ground rule. We must maintain ocap security: no ambient authority, and connectivity begets connectivity.
We leverage the sizable authority of the
adminNode. This is the object returned by the kernel'svatAdminServicewhen a vat is created. If Vat1 asks the kernel to create Vat2, the caller will receive an object we'll calladminNodeVat1. With this AdminNode, the caller (something in Vat1) can direct the kernel to upgrade Vat2 to new code, retaining access to durable state, including all imports, and retaining the right to define the behavior of all exports. AdminNodes also provide.terminate().We establish a rule: you can't "fight the future". The first version of Vat2 is entirely vulnerable to subsequent versions: whatever code it gets upgraded to will have full access to all its durable state. We declare that we won't support attempts by earlier versions to limit the power of later versions by e.g. deliberately keeping authorities in non-durable storage. Further, we assume that upgrade is intended to provide as much access as possible, even if the earlier version forgot to retain something that was important for the later version (our #1691 scheme would effectively reacquire such dropped authorities).
That means the acceptable authority of an AdminNode extends to manipulating things inside the corresponding vat. If you can upgrade a vat, you can grab any object the vat has access to (because you could upgrade the vat to code that gives you that object), or you can forward one of its exports to some other object (modulo questions about object identity) (because you could upgrade the vat to code that forwards each message).
Ideally, object identity is monotonic. Some of the approach we discuss would "merge" two objects into a single one, or manipulate c-lists to change one vat's notion of what their Presence points to. This could lead to
presence1 !== presence2at one point in time, but===at a later point in time, or to situations where a Presence sent out of the vat might round-trip back as a different Presence. That could get messy. It might be unavoidable, but if at all possible, we want all object identity comparisons to remain stable across the upgrade/replacement.Approach 1: Remap Imports
Given the AdminNode for VatA (the client), we could build a mechanism to remap its import of Bob to point at Carol instead.
The API would be something like
E(adminNodeVatA).remapImports([ [bob, carol] ]). Upon receipt, vat-vat-admin would invoke device-vat-admin, which would use itsvat-admin-hooks.jsAPI to tell the kernel to edit VatA's c-list entry, replacing the kref side, inserting Carol's kref where Bob's once was.This only affects VatA: if there are multiple clients, they must all be remapped separately.
VatB can continue to run, and VatC can be fully established before the remapping, neither need to be in any special state.
VatA retains the same Presence object across the remapping, with its pre-existing vref (
o-2). If VatA somehow had previous access to Carol, it might have a separate Presence (with e.g.o-6), already mapped to that same kref. This would cause c-list translation problems (breaking the "one to one" rule of c-lists). So theremapImportsAPI should be defined to throw an error if any of the replacement objects are already present in the vat's c-list. This is easier to avoid if the replacement VatC is not yet fully operational when the remapping occurs, and it hasn't spread its replacement objects widely enough to risk them appearing at the client yet. (Note that it much launch at least enough to deliver the replacement objects to the parent vat, who can send them into theremapImportsAPI).Approach 2: Commandeer Exports
TBD
Promises
TBD
Security Considerations
I believe these APIs are not more powerful than the existing
upgradeVat()authority, modulo the possibility of creating identity discontinuities.Scaling Considerations
Remapping a moderate number of objects should not be a scaling problem, although there might be cases where we need to scan all vat c-lists for a given kref, which would then scale with the number of vats (moderate now, but maybe larger in the future).
Test Plan
Upgrade Considerations
To add new functionality to the AdminNodes, we must:
vat-admin-hooks.jsThe kernel upgrade is straightforward. However, we don't currently have any mechanism to upgrade devices, so we'd need to invent one and implement it in the kernel. For vat-vat-admin, we have
controller.upgradeStaticVat(), but we don't currently have a great place to call that from the cosmic-swingset chain code. The final issue is that upgrading vat-vat-admin will cause the existingE(adminNode).done()promises to disconnect, and e.g. Zoe might mistake that for a contract vat dying, and might react by exiting all seats and returning all escrowed asserts.So there are many steps we must figure out before we could deploy these new APIs.