Open mhofman opened 1 year ago
Existing unit / integration tests succeed This includes running these test under the sanitizer (ASAN, MSAN, UBSAN) versions of xsnap-worker, and no new warnings being trigger compared to the outgoing version
For posterity the steps to do this are documented in https://github.com/agoric-labs/xsnap-pub/pull/35
@ivanlei and I think this can be pushed to vaults+1, because PR #7083 is ready to land, and this test was run on the new version of XS at least once. We want the test to be landed soon, so other people can run it, but the vaults release doesn't block on that landing.
I'm in the process of updating this issue with new manual testing instructions based on the latest Moddable SDK changes. Making that test automated would be a nice to have, but not strictly necessary.
I have updated the acceptance test instructions to reflect our new (still manual) methodology, and to suggest multi-environment testing that would hopefully help detect issues like https://github.com/Agoric/agoric-sdk/issues/7829 and https://github.com/Agoric/agoric-sdk/issues/7841
New issue that would have been caught had we run under multiple environments: https://github.com/Agoric/agoric-sdk/issues/7864
One thing to keep in mind is that this methodology may not work forever, and some XS changes may introduce observable execution difference when they pick up some spec changes. While JavaScript attempts to not break the web, not every change is fully backwards compatible. For example something that used to throw may no longer throw, or some property accesses may change order or be deduplicated (e.g. https://github.com/Moddable-OpenSource/moddable/issues/1223#issuecomment-1743941300).
While such changes are unlikely to be observed by most programs, that remains a possibility which would require some sort of mitigation (possibly changes to the engine to restore the former behavior if needed)
@mhofman and @siarhei-agoric will meet and break down this bigger issue into smaller chunks.
What is the Problem Being Solved?
With XS heap snapshots and transcripts in consensus (a requirement for state-sync), we need to make sure we don't regress on non divergent execution when updating XS versions.
Furthermore we now believe that our vat transcripts are agnostic of the version of XS used, or its allocation behavior, as long as the implemented JS spec didn't change its behavior. We may be able to use this property to enable transparent XS version upgrades.
Finally we need to ensure that a variety of environment and even CPU architectures produce consistent executions and snapshots (within the limits of know incompatibilities such as endianness for example).
Description of the Design
High level approach
While there is no formal way of verifying that XS is deterministic, especially when reload is involved, we can use empirical tests to help us gain confidence that XS stays consistent.
To confirm compatibility of XS engines, we have 2 main approaches, which should both be part of the acceptance criteria:
Generating the known good execution corpus
Our current corpus of execution is derived from the mainnet
pismo
release. Because of https://github.com/Agoric/agoric-sdk/issues/6784, and the lack of its mitigation in the pismo release, we cannot simply use the vat transcripts generated by a pismo follower node. Instead we use the vat transcripts that were generated using "chain transcripts" as follow:lockdown-bundle
,supervisor-bundle
, and vat transcripts from the chain replay's Swingstore usingpackages/Swingset/misc-tools/extract-transcript-from-kerneldb.js
packages/SwingSet/misc-tools/extract-transcript-from-slogfile.js
for any vat that has exited (missing transcript)These have already been generated up to block 8941748 (March 6th 2023) and are available on the benchmark machine.
Replay with newer XS version
packages/SwingSet/misc-tools/replay-transcript.js
to replay each vat transcript, forcing a reload when snapshots are taken--keep-worker-recent=20 --keep-worker-interval=20
)lockdown-bundle
that incorporates https://github.com/endojs/endo/pull/1579 to mitigate this issue.anachrophobia
or snapshot hashes differences occurred.grep -A4 anachrophobia replay-v*.log; grep -B2 hashes replay-v*.log
returning no matches.snapshot-activity.jsonl
generated by the replay tool).