fix(patterns): Tolerate old guard format #2038
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
erights
added a commit
that referenced
this pull request
Feb 6, 2024
erights
force-pushed
the
markm-8826-tolerate-old-guards
branch
2 times, most recently
from
ae5d2d5
to
540a01b
Compare
erights
changed the base branch from
master
to
markm-8826-test-old-guard-tolerance
erights
force-pushed
the
markm-8826-tolerate-old-guards
branch
2 times, most recently
from
9b32d72
to
0e26252
Compare
2 tasks
erights
added a commit
that referenced
this pull request
Feb 7, 2024
erights
force-pushed
the
markm-8826-test-old-guard-tolerance
branch
from
350c1ca
to
321156b
Compare
erights
force-pushed
the
markm-8826-tolerate-old-guards
branch
2 times, most recently
from
806c2f2
to
a53d9ed
Compare
|
I have not yet reviewed, but I have verified that applied as a patch to agoric-sdk, the upgrade case which re-used an old zcf bundle no longer fails. |
erights
force-pushed
the
markm-8826-tolerate-old-guards
branch
from
a53d9ed
to
277331d
Compare
erights
added a commit
that referenced
this pull request
Feb 7, 2024
erights
force-pushed
the
markm-8826-test-old-guard-tolerance
branch
from
bf73f5e
to
a0ed14e
Compare
Base automatically changed from
markm-8826-test-old-guard-tolerance
to
master
February 7, 2024 21:59
erights
added a commit
that referenced
this pull request
Feb 7, 2024
erights
force-pushed
the
markm-8826-tolerate-old-guards
branch
from
277331d
to
2e108c3
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Staged on #2039
closes: Agoric/agoric-sdk#8826
refs: #2039 #1712 #1745
Description
We currently believe the actual compat problem with Agoric/agoric-sdk#8826 , or at least the problem that we actually need to fix, occurs when old contracts that were bundled with an endo preceding #1712 is used with a new liveslots, bundled with an endo including #1712 . The problem is that the old endo is producing old guards using the old
klassformat.Fortunately, #1745 anticipated part of the compat issue that #1712 caused, by introducing
get*GuardPayloadfunctions, to encapsulate the actual guard representation so that other code using these guards could mostly consume them through these functions. It anticipated that we would switch from old to new guard formats, but not that they would need to co-exist across a version slippage boundary, like liveslots vs contracts.This PR leverages the abstraction provided by #1745 to provide this version slippage tolerance only by modifying these getter functions to be tolerant of both formats on input, and to produce the corresponding modern payload as a result.
The nested guard adaptation provided by this PR is limited, for two reasons
Security Considerations
Technically, tolerating the old
LegacyAwaitArgGuardShapeis an exploitable bug, in that a record that matches this shape is also a valid parameter pattern that should allow an argument that matches that pattern, i.e., a copyRecord argument that at least contains aklass: 'awaitArgGuard'property. However, to be exploitable, the victim code would have had to accidentally write such a copyRecord pattern with aklassproperty and use it in as an arg guard. The chances of this happening accidentally are vanishingly small. Nevertheless, once we no longer need to support code preceding #1712 , we should remove all this extra complexity, and thus plug this in-theory exploitable bug.Unlike
LegacyAwaitArgGuardShape, tolerating the other legacy guard shapes does not seem like a currently exploitable bug, because there isScaling Considerations
I tried to code this so that the non-legacy success case was the fast path, and paid minimal cost for being adaptable to this legacy.
Documentation Considerations
Other than fixing a surprising vexing problem, I don't think developers need to be aware of this change at all. Since the current Agoric/agoric-sdk#8826 problem is surprising, this PR relieves us of the need to explain that surprise.
Testing Considerations
This PR is staged on #2039 so that the changes this PR makes to
test-legacy-guard-tolerance.jsdemonstrate the relevant differences in behavior caused by this PR.Compatibility Considerations
The whole point of this PR is for new code that consumes guards via the
get*GuardPayloadfunctions to become compatible with both old and new code that produces what were valid guards at that time. In particular, so that old contracts that bundle old endo preceding #1712 can be linked with new liveslots bundling an endo that includes #1712 .This PR does not attempt to tolerate version slippage in the other direction. That would be hard because by assumption it would not be able to change the behavior of guard consuming code.
Upgrade Considerations
The problem of Agoric/agoric-sdk#8826 manifested during an upgrade. This PR attempts to fix the problem that we think we actually need to fix to enable such upgrades. However, this PR and its predecessor #2039 only contain unit tests for this tolerance. We won't know if it fixes Agoric/agoric-sdk#8826 until new relevant integration tests which are separately in progress (attn @mhofman ).
@mhofman has since done this integration testing and verified that this PR does fix Agoric/agoric-sdk#8826. The test upgrade succeeded.
At such a time that we decide we no longer need to support code preceding #1712 or guard data generated by that code, all the adaptation complexity in
getGuardPayloads.jsshould be deleted. It can stay a separate file, but a much simpler one.*BREAKING*:in the commit message with migration instructions for any breaking change.NEWS.mdfor user-facing changes.