warner
commented
1 year ago Some issues raised in today's kernel meeting:
- once a Delivery is submitted to a vat worker, the arrival order on that vat becomes fixed
- that conflicts with having a priority scheduler which allows some deliveries to jump to the head of the line
- we want to keep the pipeline full, for performance
- maybe we should submit the first N deliveries to the worker, but not the rest of the input queue
- a higher-priority message can jump to the Nth place in line, but not the 1st place
- or, we could spend an expensive
revert()if we really really wanted it to arrive first
- could the kernel pull events from the kernel inbound queue while between blocks?
- what sort of per-block vat state can we point to, for consensus checks and state-sync?
- I was thinking that every once in a while (on some well-defined in-consensus schedule), the worker builds a state snapshot
- launch a second process with a read txn on the DB, dump the relevant data, sort it into a canonical order, write it to a file, hash the file, retain the file
- then also record the state changes since that snapshot in a side table
- when the kernel is asked to record a state snapshot and report a snapshot hash (once every 1000 blocks or so, maybe once per day), it asks all workers to do the same. The worker remembers that it needs to retain its snapshot, and reports back a hash of the snapshot plus all the changes since then.
- maybe it just remembers the input events since the snapshot was recorded, and rebuilds the worker state that way
- also we to define how a new worker is built from the snapshot on a new validator: it needs receive all the submitted input events, even though it didn't execute the routing cranks that caused them to be submitted on the original validator
- so maybe the vat state snapshot should also remember the input events that haven't been executed yet
mhofman
FUDCo
This ticket documents a design that should allow swingset to execute deliveries on multiple vats in parallel, continuously (even while the kernel is not inside a
controller.run(), such as during the 5 seconds that Tendermint/Cosmos-SDK spends doing voting/consensus work), while still maintaining a consensus order of deliveries. We'd like this to improve performance over our current scheme, which only executes one vat delivery at a time, single-threaded, and only withincontroller.run.The first section defines the "CDP" model, upon which the rest is based. The second section describes how to rewrite the vat worker to fit this model, and how DB commits are arranged to avoid "hangover inconsistency".
CDPs: Communicating Deterministic Processes
This section defines a "CDP" (Communicating Deterministic Process). This is a refinement of CSP (where the S means "Sequential") and the Waterken model, designed to tolerate processes being terminated at unpredictable times, but also to make more opportunities for parallelism.
A CDP is an abstract process which evolves through a sequence of "steps", each of which accepts an input and produces an output. At its core, the CDP is defined by a completely deterministic transition function (of input and previous state) which produces an output and the new state.
The CDP might exist as a standalone process, or it might share a process with another CDP. Each CDP has it's own commit points, and interact in such a way that one CDP can crash without undermining the assumptions and reliances that other CDPs might have on it.
All blockchains with finalization (e.g. Cosmos-SDK -based chains) behave like a CDP, in which each step is called a "block" or "blockHeight", and the inputs are the contents of the finalized block (mostly the set of transactions to be executed). In the Agoric system, the host application (cosmic-swingset / agd) acts as one CDP, the swingset kernel acts as a second (because of the separate kerneldb commit point), and there are additional CDPs for each of the N active vats.
State vs Runtime Incarnation
We split the CDP into "state" and "runtime". The state is long-lived, created when the CDP is initialized, and surviving until we really don't need it anymore. The state is recorded in a database, and each commit records one or more steps (never a partial step). The state can only be changed by an active runtime.
The runtime is a live OS process (either standalone or embedded in some other process, possibly shared with other CDPs). At any moment, each CDP has either exactly one active runtime (the CDP is currently "online"), or zero ("offline"). CDPs may be kept offline if they are not currently in use (because keeping one around costs some RAM even if nobody talks to it), or they may be preemptively brought online (because starting one costs some CPU time and latency, slowing down response time). All the API calls are made on a runtime, so offline CDPs cannot be manipulated.
Each time a runtime is created, we get a new "runtime incarnation". An CDP's current incarnation may remember slightly more than its persistent state, e.g. steps that it has performed but which have not yet been committed. When an incarnation is shut down or killed, the next incarnation may not remember those steps.
Inputs and Ouptuts
The
submitInput(stepNum, input)method is used to submit a step input, andcollectOutput(stepNum)is used to collect a step output. The type/shape of the inputs and outputs are specific to the CDP and its state transformation function.submitInput()does not block, returns nothing, and is not obligated to execute the given step right away. It can be called multiple times (without interveningcollectOutputcalls) to fill the execution pipeline, allowing the CDP to perform work in the background or in parallel with other processes. Within any single incarnation (and barring arevert, described below), the sequence ofsubmitInput()calls must use sequentialstepNumvalues: no gaps, no repeats.collectOutput(stepNum)is an async function whose return Promise does not resolve until the given step has been executed. If the CDP managed to process the requested step in the background,collectOutputmay resolve immediately, otherwise the caller must wait until enough steps have been executed to produce the requested answer. It is an error to collect an output of astepNumfor which the CDP has never been given an input (although the input may have been given to an earlier incarnation). As withsubmitInput, within a single incarnation, the outputs must be collected from sequentialstepNumvalues, with no gaps or repeats.In general, the caller should provide inputs as soon as they are known (and well before the outputs are needed), to keep the pipeline full and maximize the opportunities for efficient parallel execution. If each
submitInput()is followed by an immediateawait collectOutput()for the samestepNum, there will be few opportunities for parallelism.In the Agoric system, the kernel CDP only performs one step (block) at a time, but vats may be able to execute many steps (deliveries) in parallel.
Replayed Steps
When a CDP runtime is brought online, its DB will remember some number of inputs, and some number of outputs, based upon which steps had been completed before the last
commit()performed by its predecessor.The caller is using a different database, with different commit points. So the caller may have submitted an input and collected and output for e.g. step 5, but then crashed before it was able to perform its own commit. When the caller starts back up again, it will re-submit the input for step 5. This is called a "replayed input", and CDPs must tolerate them.
There are two cases. In the first, the CDP received
submitInput(5, input5)but crashed before acommit(). In this case, the second incarnation can trivially tolerate the replay, because it does not remember the original. We rely upon the caller submitting exactly the same input, to avoid confusion.In the other, the CDP did
commit()after receivinginput5, and perhaps others. We call the highest such committed input "highestSubmittedInputStep". We track another number named "highestRetiredStep" (whereretireis described below).When a CDP runtime is started, the new incarnation's first
submitInput()call will accept anystepNumin a range from "highestRetiredStep" (exclusive) to "highestSubmittedInputStep" (inclusive). The secondsubmitInput()call must use astepNumexactly one higher than the first one, etc.If the CDP detects that a
submitInput()call is replaying an input, it refrains from actually executing the step. The "next expected stepNum" counter is incremented (or initialized), but no other state changes are made. The caller cannot tell, but CDP merely "pretends" to perform the step.A CDP should ideally have a way to compare the replayed inputs it receives against their originals, to throw an error if they diverge. This might help detect errors made by the caller. A single hash of the input would be sufficient to detect divergence and throw an error, however to actually diagnose the problem, it would be better to remember the complete input (so the error message can display both original and the faulty replay). However given that a replay of an uncommitted original cannot be detected by the CDP, it's not worth putting too much energy or code into remembering the originals.
Likewise, the caller may ask for
collectOutput(7)from one incarnation, then crash before persisting the results. When the caller restarts, it creates a new CDP runtime incarnation, and asks it (again) forcollectOutput(7). The CDP must return the same outputs that its predecessor did. As above, the firstcollectOutput()call that the new incarnation receives is allowed to use astepNumthat meetshighestRetiredStep < stepNum <= highestSubmittedInputStep, and all successive calls within that incarnation must use the next highest sequentialstepNum. The CDP also trackshighestCollectedOutputStep.This means that each time a step is executed, the CDP store the full output into its DB, so it can report a consistent+stable value to the caller (now, soon, or from some future incarnation).
Commit
To improve performance, the CDP is not obligated to commit its DB after every single step. It must never commit the partial states that occur in the middle of a step, but it is allowed to commit at any point between two complete steps.
But to enable the caller to rely upon the stability of the outputs, the caller can insist upon a commit point, by calling the CDP's
commit()API. This async method will not resolve until the state and outputs of every step up to and includinghighestCollectedOutputStephas been committed. The CDP may have performed more work (whose output hasn't been collected yet): if so, these extra steps are committed too. But the caller is only allowed to rely upon the retention of the steps that it has collected.In general, the CDP should use DB transactions or nested transactions to ensure that only complete steps might be committed, but refrain from doing an actual commit until requested by
commit(). If the RAM requirements of the uncommitted base transaction becomes an issue, it can perform an unsolicited commit without causing problems, but minimizing commits (and their slowfsync()calls) will generally yield better performance.Note: this is specifically intended to take advantage of SQLite's fast "WAL" mode, with
PRAGMA synchronous = NORMAL. In this mode, the DB only records changes when a transaction is closed (preventing partial-step commits), but the DB is vulnerable to power failures and host OS crashes until a "checkpoint" occurs. These checkpoints happen spontaneously when the WAL grows large enough (so we must tolerate them), but can be forced with aPRAGMA wal_checkpoint(FULL). The CDPcommit()API should force a checkpoint before returning.Retire
To keep the CDP's "old-outputs storage" obligation bounded, the caller tells the CDP when it is safe to "retire" a step.
Once the caller collects the outputs of e.g. step 7, it will perform some other work, and then eventually commit its own state. Once the caller commits, it can use
retire(7)to inform the CDP that it will never ask for the output of step 7 again (nor will it attempt to submit the inputs for step 7). The CDP can then delete the saved output for that step, as well as whatever diagnostic information it retained about the inputs (perhaps a hash, perhaps the full input data). The caller cannot safely retire a step until it has itself committed, otherwise a crash (after thecollectOutput(7)but before the callers' commit) would violate the caller's promise. The CDP won't necessarily commit its memory of the retirement promptly (it is not obligated to do so until thecommit()API is called), but since it is allowed to commit earlier, the caller must not reveal its intention toretire()until it is really ready for the old data to go away.The caller might collect the outputs of multiple steps (7, 8, 9) before it gets to a convenient commit point. In that case, it only has to call
retire(9), and that will implicitly retire all earlier steps.A call to
retire(9)will also sethighestRetiredStep = 9. This value lives in the DB, but is not deserving of its own commit. The value will be committed as a side effect of the next step-execution orcommit()-triggered DB commit.In general, the a non-pipelining caller will execute in a loop like the following (suppose the recorded
stepNumin the first pass is 6, so the first input submitted is for step 7):stepNumstepNumfor whichcollectOutput()was called and processed)cdp.retire(stepNum)stepNum += 1cdp.submitInput(stepNum)await collectOutput(stepNum)await commit()The caller/CDP might crash at various points in this loop:
submitInput(7)but beforecollectOutput: the CDP committed state may or may not include the execution ofstepNum7, so the new caller incarnation will replay the old input, which will either be ignored (if the CDP did execute and commit it), or re-executed (if it did not manage to commit it)collectOutputbut beforecommit: again the CDP committed state may or may not include that step 7, same cases as abovecommitbut before the caller commits: the CDP state definitely includes step 7, so the new caller incarnation will request a replay, which the CDP will ignore. Thecdp.commit()might commit extra steps (if it managed to make process on some pipelined inputs) or might be a NOP.retire: the CDP has definitely not been told it is safe to retire step 7, so it will still be in the CDP DB. The new caller incarnation will start by retiring step 7, then submitting inputs for step 8retire(7)but beforesubmitInput(8): the change tohighestRetiredStepmay or may not have been committed, but the consequence is minimal: slightly higher DB usage until the next loop reaches a commit pointBy performing the
retire()at the beginning of the loop, the caller will start each incarnation by clearing out the unnecessary data from its predecessor.Revert
Some CDPs are one-way, but others can support the
revert(backToStepNum)operation. If supported, the caller can instruct the CDP to revert its internal state back to that of some previous step, at which point the caller is allowed to submit different inputs (and can observe different outputs) than before.revertis generally expensive, and should only be used for exceptional cases. In the Agoric system, the primary example is an important vat whose latest delivery causes an internal fault, which we think we can repair through some sort of vat upgrade process. By reverting the vat to the state just before the fatal delivery, we can arrange for the next delivery to be something which changes/upgrades the internal state (to fix the bug). Another possibility is a metering fault (too much computation), where we don't want the vat to get away with using more computrons than it paid for, so we unwind the expensive delivery and require the vat to pay their compute bills before allowing that delivery to be repeated (note there are some questionable economics here, but the example is still useful). An Agoric vat worker would implementrevertby discarding thexsnapworker and building a new one from the most recent heap snapshot (which must have been made before the target step), and omitting a few deliveries from the end of the transcript it replays (everything past the target step). It would also delete the omitted transcript entries, so they don't accidentally reappear in some future incarnation.There is a limit to how many steps can be reverted:
backToStepNum > highestRetiredStep, wherehighestRetiredStepis updated by eachretire()call. A revert-capable CDP must remember (or be capable of regenerating) all old states back tohighestRetiredStep + 1. For the Agoric vat worker, that means we must retain at least one heap snapshot withstepNum <= highestRetiredStep + 1(which might cause us to remember multiple heap snapshots for a single vat).API Summary
The library that provides a CDP with a given transition function will provide the following API:
initialize(stateDirectory, initialParameters): create an empty database in the given directory, then populate it with some initial state based upon the parametersruntime = createRuntime(stateDirectory): start a "runtime" object, on which other API calls can be made. Multiple runtimes may not exist simultaneously.runtime.submitInput(stepNum, input): submit input for eventual execution. Does not wait for execution. Does not return anything.runtime.collectOutput(stepNum) -> Promise<output>: request the step to be executed promptly, and waits for the output to be returnedruntime.commit() -> Promise<void>: request the worker commit at least all previously-collected steps to the DB before returning, so the caller can rely upon the results being present in a later incarnation. The worker is allowed to commit on any step boundary, but is not obligated to do so until thiscommit()is invoked.runtime.retire(upToStepNum): inform the worker that the given step (and all previous steps) can be forgotten, so the worker can delete the state required to remember them. The actual deletion will not touch the persistent state until the next commit happens. Does not wait for commit, does not return anything.runtime.revert(backToStepNum) -> Promise<void>: tell the worker to revert tobackToStepNumand commit immediately. The resulting worker will behave as if the last calls it saw weresubmitInput(stepNum),collectOutput(stepNum), andcommit(), thus forgetting about previous calls for>= stepNum+1retire(upToStepNum), they may not userevert()beyond that point:backToStepNum > upToStepNumSwingset Kernel as a CDP
Now that we have the CDP framework, how are the various Agoric/Swingset layers expressed?
The cosmic-swingset layer is already pretty well suited. As a block is processed, our cosmos-sdk Handlers push "actions" like
bridgeInboundanddeliverInbound(defined in https://github.com/Agoric/agoric-sdk/blob/master/packages/cosmic-swingset/src/action-types.js) into a queue on the Golang side. When we get to the END_BLOCK event (https://github.com/Agoric/agoric-sdk/blob/master/packages/cosmic-swingset/src/launch-chain.js), the JS code submits these actions into the kernel, and then runs the kernel until it reaches therunPolicylimit. As the kernel runs, it emits responses (chainSend) like storage writes. Betweenchain-main.jsandlaunch-chain.js, the cosmic-swingset package has code that tolerates one block's worth of replay, to handle the case where the kernel commits its DB but the process crashes before cosmos-sdk can commit its own.We can thus define cosmic-swingset's kernel as a non-reverting CDP whose "steps" are blocks, whose inputs are the "actions", and whose outputs are the
chainSendmessages. The host application performs steps without any sort of pipelining: eachsubmitInputis immediately followed by a matchingawait collectOutput(), then anawait commit(). Theretiremethod is omitted, and the kernel is implicitly allowed to forget everything beyond one step in the past.One constraint is that the outputs/
chainSendcalls are not allowed to have return values. The most likely example would be a chain-storage read, however I don't think we currently do any of those (there might be a method to return the externally-queryable chain-storage IAVL/RPC path: we'd need to implement that in different way).Swingset Vat as a CDP
To take advantage of the parallelism offered by CDPs, we need to make some changes to the kernel/worker boundary:
vatstore, inside that DBsyscall.vatstoreGet/etc are no longer routed to the kernel, but are handled locally by the workerWith
vatstoreGet/vatstoreGetNext/etc out of the way,syscall.callNow(i.e. device-node invocation) is the only remaining syscall with a non-trivial return value. In practice, we have two kinds of device-node interaction:getBundlereadsThe chain-storage writes do not have a return value, so we really only need an answer for
getBundle. I think we can manage this by following through on "blobcaps" (#46), which would be a new form of kref/vref (e.g.bNNandvb-NN), that refers to some sequence of immutable bytes. The kernel needs to pay attention to the vrefs being translated in a VatDeliveryObject and notice when a new one has been added to the c-list. That delivery should include a copy of the data, so the worker can stash it in its DB for later access. We'll probably need refcounts on these, or (given how infrequently we use them) we might just decide to declare that vat workers remember the blob forever.Once that's done, we can express each vat as a CDP where:
VatDeliveryObjectTo satisfy other compatibility/stability requirements, I think we'll wind up with all of the vat worker's components (endo/lockdown, supervisor, liveslots) living in a single
swingset-vat-worker-xsnap-1package. The kernel will no longer send the lockdown/supervisor bundles into the worker; instead they'll be bundled by the worker library itself and fed to xsnap as needed. The worker's DB will include any heap snapshots and transcripts that it needs to satisfy the CDP API, as well as additional calls to perform a "sleeper-agent" full-transcript-replay kind of upgrade (#1691).The
-1suffix is a version identifier that combines everything which could influence the deterministic behavior. Once you've deployed a vat with the-1worker, its behavior will remain stable despite any changes on the kernel side. No new versions ofswingset-vat-worker-xsnap-1will change that behavior: at most they will fix/improve things that do not threaten determinism. To make any significant changes (upgrade liveslots, new version of XS, etc), we must release a new package namedswingset-vat-worker-xsnap-2, and (baggage-style) upgrade vats to use it. The first swingset kernel package will depend upon the-1package, the second can depend upon both-1and-2, the third can depend solely upon-2(and all vat upgrades must be completed before you can upgrade a deployment from the second kernel package to the third).Kernel Scheduler
Our improved scheduling plans call for each vat to have an input queue (of deliveries), and an output queue (of delivery results, including message-like syscalls like
syscall.sendandsyscall.resolve). The kernel will also have a single inbound queue for device input events likebridge-inboundanddeliver-inboundand something for the timer device. The kernel scheduler will decide which queue to service next, based on criteria like priority, how many messages a vat has emitted recently, how many messages have been delivered into the vat, etc. Hopefully we can find an algorithm that allows short multi-vat operations to complete fairly promptly, but larger ones to be scheduled fairly.The scheduler will be invoked multiple times during the processing of a block. The input will be the size of all the queues (2*numVats+1) and the computron budget remaining. The output will be which queue to service, and how many items to process. If the output is "none", the block ends and control returns to the host.
When a vat's input queue is serviced, the kernel performs a "delivery crank", whose nominal behavior is to pull the VDO from the head of the input queue and deliver it to the vat, which produces zero or more output events, all of which are pushed onto the tail of the output queue. When the output queue is serviced, the kernel performs a "routing crank", which examines the item and routes any
sends to some other vat's input queue (or enqueues them on a promise queue in the kernelDB), and process anyresolves by updating the kernel promise table and maybe enqueueingnotifyevents onto input queues (as well as transferring any queued messages to the new target vat). When the kernel's singular inbound queue is serviced, it also performs a routing crank, to route the message to some device or handling vat.The scheduler's decisions form a total ordering of all input/output events. This ordering is in-consensus, and each event should produce a hash (like the current
crankHash) which can be folded into the shared state, so divergence is detected quickly. The total order is also broken up into blocks, and the kernel does not run (nor can it change state) between the blocks, which is when the consensus algorithm does its voting work.That ordering is too constrained to allow much room for performance improvements, but fortunately it is merely the kernel's required order. We can achieve parallel execution between vats, and also perform execution during the voting time, by allowing each vat to run independently, and only observing a partial order that fits within the kernel-wide total order. The vat charges ahead and executes as many deliveries as it can (out of the ones it has been given so far), and the kernel merely refrains from collecting the results until the appointed moment.
To take advantage of this, as soon as the routing crank pushes a VDO onto the tail of vat-A's input queue, it should immediately call
workerA.submitInput()with the VDO, instead of waiting for it to reach the head of that queue. That allows the worker to execute the crank in the background, unsynchronized with anything else, well in advance of when the scheduler actually decides to process that item on the input queue. We might fiddle with thenicesettings on each worker to influence the OS kernel's execution priority, but in general we just want to fill each worker with work.Suppose VDOs 1/2/3 are pushed onto the input queue. All three have been
submitInput()ed to the worker, but none have been collected. At some point, the scheduler will process the input queue and "deliver" VDO-1 to the vat. What it really does at that point is to callawait collectOutput(1), which tells the worker "ok now I really do need that execution", and blocks if the worker didn't manage to get that far yet. The output is pushed onto the output queue for later processing, however if we can process that output quickly (andsubmitInput()the results to some other vat quickly), that will keep the pipelines as full as possible.There is a tradeoff between fairness (which wants to limit the servicing of a deep output-queue), and using parallelism to improve performance (by feeding more work to other vats). There is also a tradeoff between head-of-line latency (which is minimized by only doing one large-scale operation at a time) and performance (having lots of tasks available to keep the pipelines full).
At some point the kernel scheduler decides that we've done enough work for the block. The workers continue on in the background, but the kernek won't call
collectOutput()again until the next block. Instead, the kernel callscommit()(in parallel) on all workers with which it interacted during this block. That ensures that all the previoussubmitInputandcollectOutputdata will not be forgotten by a worker which crashes in the meantime. Once all workers have completed their commit, the kernel can commit its own DB (which means it will never again submit or collect those steps). Then the kernel can provide results (chain-storage events, etc) back to the host application.When the kernel starts the next block (actually when sends the first message of the block to any given vat), it can send a
retire()to enable the worker to free up the deliveries that are now safely committed by the kernel. (The kernel could do this as soon as it finishes its own commit, but it saves time on the critical path to defer this until after the host app has regained control).Rewinding Deliveries
Sometimes, the kernel must be able to rewind a delivery. The main use case we have so far is the
dispatch.stopVatjust before a vat upgrade: the old vat is stopped, the new vat (with new code) is started, but if the new vat fails to launch, we want to revert the old vat to the point just beforestopVat, as if the upgrade were never requested. We can also imagine some forms of metering faults or invariant checks that would justify unwinding a delivery.The kernel won't know whether or not the delivery should be unwound until sometime after the delivery ouputs are collected. But the kernel can refrain from calling
retire()until it knows we no longer need to roll back that far.The vat worker will support
revert(backToStepNum)by retaining at least one heap snapshot withstepNum <= highestRetiredStep + 1. When asked to revert, the worker will kill off any currentxsnapprocess, delete all inputs and outputs beyondbackToStepNumfrom its DB, commit the changes, then start up normally. This will load the most recent heap snapshot into a freshxsnapand resume execution of the saved inputs. By this re-execution process "early" (before the now-deleted inputs), we wind up with a worker state equivalent to the old step, ready to proceed in a different direction.(Another option is to not restart the worker right away, and instead wait until the kernel scheduler decides to submit a new input or collect a previous output. However that might induce latency in a later block that could have been paid for during earlier idle time.)
Rewinding a worker is not cheap: it takes about as much work as evicting the worker (i.e. to limit concurrent memory consumption) and immediately restarting it. That expense must be considered when deciding how to implement higher-level fault management procedures.
Vat Upgrade, Worker Replacement
Our "baggage-style" vat upgrade process works by shutting down the old worker with a
stopVat()delivery, to let it flush any remaining data to its vatstore DB, then launching a new worker with new code, and sending it astartVat()to spin everything back up. The two workers have independent transcripts and run different code: any of SES/xsnap/supervisor/liveslots/vat-bundle/contract-bundle can be changed across the upgrade. Only the vat's identity and the vat store survive (plus all the kernel-side data like c-lists and responsibility for exported kernel objects/promises).To complicate matters, if either the
stopVatorstartVatfail, we want to abandon the upgrade, and rewind everything to the point just before thestopVat. So the upgrade process must retain enough data to support the rewind.Within the CDP model, the CDP state is retained (with modifications), but the CDP runtime worker is replaced.
I think that means our worker must be aware of upgrade, and must be prepared to cooperate with a new worker version (
swingset-vat-worker-xsnap-2). The two workers will share a SQLite DB, and the-2version must not make any changes/migrations that would prevent the-1from taking over, at least not until the new version is known to be successful.This suggests:
upgradeCount)transcriptsDB table has bothupgradeCountanddeliveryNumcolumns, to retain old transcriptsDELETE FROM transcripts WHERE ugpradeCount=oldCountonce the ugprade is successful, or we might retain it for future sleeper-agent upgrades that need the full multi-version transcriptupgradeCount: step numbers are cross-upgradestopVatis delivered and collected, andcommit()called, then the worker instance is shut downupgradeCountin the DB and starts working with a new empty transcriptstartVatand immediately waits for the outputcommit()and a special "you can abandon the old version now" APIabandonUpgrade(), which deletes the changes and returns the DB to the previous (post-v1-stopVat) state, and shut down the v2 workerrevertthestopVat, and now we're back in the original statestartVatmust not commit any changes to the vatstore until we we're beyond the possibility of reverting to v1We may also want an API to report back the transcripts of each upgraded version, concatenated together, to facilite a sleeper-agent -style "deep replay" upgrade.