Open erights opened 3 days ago
Latest commit: |
3152f63
|
Status: | ✅ Deploy successful! |
Preview URL: | https://96503a3a.agoric-sdk.pages.dev |
Branch Preview URL: | https://markm-retrier.agoric-sdk.pages.dev |
See https://github.com/Agoric/agoric-sdk/pull/9621 for an experiment of a different approach.
closes: #XXXX refs: #XXXX
Description
Retry idempotent eventual sends with reliable durable result vows that mask upgrade trauma.
The goal here is to support something like
E(bob).foo(carol)
but with several differences:.foo(carol)
to bob is rejected with anUpgradeDisconnection
, the message is resent, until finally the result of such a send settles in some other way, i.e., it is either fulfilled, or rejected by anything else.bob
, and the arguments, .e.g.,carol
, must themselves be storable in the zone in question --- typically meaning they must be durable as well.In this first PR, you can only express a retry-send of
const p = E(bob).foo(carol);
by sayingbut the intention is that the next PR will provide a more natural
E
-like syntax.Note we already have variations on
E
, likeheapVowE
that is scoped to the heap zone and have extra static methods. We can make similar variants ofE
that are scoped to the durable zone and have an extraretry
method. Suppose thisE
variant is calleddurableVowE
.We already have static methods on
E
that express variants ofE
, such asE.sendOnly(bob).foo(carol)
saying to just send the message tobob
as a one-way send without any result. Similarly, I imagine that the next PR may provide something likeBut hopefully we can invent something shorter but just as clear.
The internal API also provides a means to cancel the retry loop, so it doesn't go on forever after it is no longer relevant. Using the precedent of
E
taking an options bag as second argument, I imagine something likeonce we have adapted a cancellation token proposal such as https://github.com/tc39/proposal-cancellation . So this would be farther into the future.
Security Considerations
unpredicable resends of non-idempotent operations may be accidents threatening integrity. We currently have no in-band way to mark an operation as idempotent, and so no current means to check the consistency of these assumptions.
Scaling Considerations
Perpetual retries threaten availability and scalability. Though not much if they are only triggered by upgrade. Nevertheless, it would be nice to better support cancellation.
Documentation Considerations
Will need to be explained, including the caution to avoid retry-send on non-idempotent operations, which requires explaining idempotence.
Testing Considerations
As with the current state of async-flow, this only uses the lightweight low-fidelity upgrade testing framework. See https://github.com/Agoric/agoric-sdk/issues/9303
Upgrade Considerations
The point. Retry-sent messages will be retried across upgrade at either end until they settle to something else, masking upgrade trauma. Rather than a promise, a durable retry-send returns a reliable durable vow that itself survives upgrades.