Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(pass-style): generalize passable errors, throwables #2223

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

feat(pass-style): generalize passable errors, throwables #2223

wants to merge 1 commit into from

Conversation

erights
Copy link
Contributor

@erights erights commented Apr 17, 2024
edited
Loading

Just placeholder for now. Not yet expected to work or almost work.

closes: #XXXX
refs: #XXXX

Description

Security Considerations

Scaling Considerations

Documentation Considerations

Testing Considerations

Compatibility Considerations

Upgrade Considerations

  • Includes *BREAKING*: in the commit message with migration instructions for any breaking change.
  • Updates NEWS.md for user-facing changes.

@erights erights self-assigned this Apr 17, 2024
@erights erights force-pushed the markm-to-throwable branch 2 times, most recently from 1402c8a to dd4b963 Compare April 21, 2024 22:56
@erights erights changed the base branch from master to markm-rebase-2233-on-2232 April 21, 2024 22:56
@erights erights marked this pull request as ready for review April 21, 2024 22:58
@erights erights marked this pull request as draft April 21, 2024 22:58
@erights erights changed the base branch from markm-rebase-2233-on-2232 to master April 21, 2024 22:59
@erights erights changed the base branch from master to markm-rebase-2233-on-2232 April 21, 2024 23:00
@erights erights mentioned this pull request May 5, 2024
Merged
1 task
erights added a commit that referenced this pull request May 6, 2024
@erights
feat(pass-style,exo): exo boundary only throws throwables (#2266)
2f0888e 
closes: #XXXX
refs: #2223 

## Description

Modest step towards #2223 , 
- bringing all the intended safety: the exo boundary only throws
throwables, and that `callWhen` async exo methods only reject with
throwable reasons.
- but with less flexibility: the definition of passable errors and
throwables is narrower than it need be.

### Security Considerations

This is one of three necessary steps towards having the exo boundaries
become the new intravat defensive security boundary, rather than
treating every object boundary as a potential defensive security
boundary. The rationale for this step is that the throw-control-path is
too hard for reviewers to pay full attention to, so we wish to prevent
caps from leaking over the exo boundary via the throw path. (E prevented
caps from escaping via throws in general, but we're not in a position to
be able to enforce that in general within Hardened JS.)

The other two steps are
- Converting uses of `Far` for making far objects into making exos.
- Addressing the leakage of promise settlements across exo boundaries
due to the inability to synchronously enforce such a constraint on a
promise passed through the boundary.

### Scaling Considerations

Given that the exceptional pathways (throws and rejects) are only used
for low frequency exceptional conditions, or at least exceptional
conditions whose speed we don't care about, making this slow path a tiny
bit slower should be inconsequential. Indeed, I expect the overall
impact to be unmeasurable. (But we won't know until we measure!)

### Documentation Considerations

This restriction on what can be throws across the exo boundary (or for
exo async `callWhen` methods, what can be used as a rejection reason)
needs to be documented. But it should not affect any normal code, and so
documents an edge case.

### Testing Considerations

tests included

### Compatibility Considerations

If there are currently any throws or rejects that violate these
constraints (likely) where other code depends on these violations
(unlikely), then we have a compat problem.

### Upgrade Considerations

None.

- ~[ ] Includes `*BREAKING*:` in the commit message with migration
instructions for any breaking change.~
- [x] Updates `NEWS.md` for user-facing changes.
@erights erights changed the base branch from markm-rebase-2233-on-2232 to master May 6, 2024 22:33
@erights erights mentioned this pull request May 6, 2024
Merged
@erights erights force-pushed the markm-to-throwable branch 4 times, most recently from 0d49be1 to b450373 Compare May 9, 2024 00:09
@erights erights force-pushed the markm-to-throwable branch 3 times, most recently from 55ee7c5 to 6d1363a Compare June 2, 2024 18:47
@erights erights added the ocapn label Jun 9, 2024
@erights erights force-pushed the markm-to-throwable branch 2 times, most recently from 2e2ee98 to 4163fa8 Compare June 13, 2024 13:30
This was referenced Aug 27, 2024
Open
Draft
@erights erights changed the base branch from master to markm-repair-arraybuffer-transfer-2 August 27, 2024 03:00
@erights erights changed the base branch from markm-repair-arraybuffer-transfer-2 to markm-anticipate-disposal August 27, 2024 03:07
@erights erights changed the base branch from markm-anticipate-disposal to master September 10, 2024 04:52
@mhofman
Copy link
Contributor

mhofman commented Oct 30, 2024

We should consider only allowing a passable error as a throwable so that we maintain the ability to reconstitute distributed stack traces. Only the top level needs to be a passable error, nested values can be any copy data or passable error.

@erights erights mentioned this pull request Oct 30, 2024
Open
@erights
Copy link
Contributor Author

erights commented Oct 30, 2024

See also Agoric/agoric-sdk#10375

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@erights erights

Labels
ocapn
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@erights @mhofman