Agoric / agoric-sdk

monorepo for the Agoric Javascript smart contract platform
Apache License 2.0
327 stars 207 forks source link

Acceptance test for new Moddable XS versions #6929

Open mhofman opened 1 year ago

mhofman commented 1 year ago

What is the Problem Being Solved?

With XS heap snapshots and transcripts in consensus (a requirement for state-sync), we need to make sure we don't regress on non divergent execution when updating XS versions.

Furthermore we now believe that our vat transcripts are agnostic of the version of XS used, or its allocation behavior, as long as the implemented JS spec didn't change its behavior. We may be able to use this property to enable transparent XS version upgrades.

Finally we need to ensure that a variety of environment and even CPU architectures produce consistent executions and snapshots (within the limits of know incompatibilities such as endianness for example).

Description of the Design

High level approach

While there is no formal way of verifying that XS is deterministic, especially when reload is involved, we can use empirical tests to help us gain confidence that XS stays consistent.

To confirm compatibility of XS engines, we have 2 main approaches, which should both be part of the acceptance criteria:

Generating the known good execution corpus

Our current corpus of execution is derived from the mainnet pismo release. Because of https://github.com/Agoric/agoric-sdk/issues/6784, and the lack of its mitigation in the pismo release, we cannot simply use the vat transcripts generated by a pismo follower node. Instead we use the vat transcripts that were generated using "chain transcripts" as follow:

These have already been generated up to block 8941748 (March 6th 2023) and are available on the benchmark machine.

Replay with newer XS version

### Tasks
- [ ] https://github.com/Agoric/agoric-sdk/issues/8494
raphdev commented 1 year ago

Existing unit / integration tests succeed This includes running these test under the sanitizer (ASAN, MSAN, UBSAN) versions of xsnap-worker, and no new warnings being trigger compared to the outgoing version

For posterity the steps to do this are documented in https://github.com/agoric-labs/xsnap-pub/pull/35

warner commented 1 year ago

@ivanlei and I think this can be pushed to vaults+1, because PR #7083 is ready to land, and this test was run on the new version of XS at least once. We want the test to be landed soon, so other people can run it, but the vaults release doesn't block on that landing.

mhofman commented 1 year ago

I'm in the process of updating this issue with new manual testing instructions based on the latest Moddable SDK changes. Making that test automated would be a nice to have, but not strictly necessary.

mhofman commented 1 year ago

I have updated the acceptance test instructions to reflect our new (still manual) methodology, and to suggest multi-environment testing that would hopefully help detect issues like https://github.com/Agoric/agoric-sdk/issues/7829 and https://github.com/Agoric/agoric-sdk/issues/7841

mhofman commented 1 year ago

New issue that would have been caught had we run under multiple environments: https://github.com/Agoric/agoric-sdk/issues/7864

mhofman commented 1 year ago

One thing to keep in mind is that this methodology may not work forever, and some XS changes may introduce observable execution difference when they pick up some spec changes. While JavaScript attempts to not break the web, not every change is fully backwards compatible. For example something that used to throw may no longer throw, or some property accesses may change order or be deduplicated (e.g. https://github.com/Moddable-OpenSource/moddable/issues/1223#issuecomment-1743941300).

While such changes are unlikely to be observed by most programs, that remains a possibility which would require some sort of mitigation (possibly changes to the engine to restore the former behavior if needed)

toliaqat commented 2 months ago

@mhofman and @siarhei-agoric will meet and break down this bigger issue into smaller chunks.