refactor: prepare for non-trapping integrity trait #2679
Reading this and thinking through the implications, I have concerns we may be painting ourselves in a corner. Our recommendation is that one should harden values before passing them around. That implies we will never be able to use a `Proxy` as a remotable value. Is that something we're ok with? I know you have reservations with using O style objects as presences, but I'm a little worried about forever closing the door to this possibility.
ping

Reviewers: I claim that this PR by itself prior to the introduction or use of the non-trapping or stabilize integrity traits is a pure refactor, i.e., it should not produce any observable changes. Please review with that claim in mind. If you do spot something that looks like an observable change, please let me know. Thanks!
Please consider my suggestion for reducing some TODOs.
LGTM after these two suggestions, which I expect you'll address somehow before merging.
const hardenToBeSuppressTrapping = harden; | ||
|
||
/** | ||
* Local alias of `harden` to eventually be switched to whatever applies |
* Local alias of `harden` to eventually be switched to whatever applies | |
* Local alias of `freeze` to eventually be switched to whatever applies |
* explicitly make this non-trapping, which we cannot yet express. | ||
* @see https://github.com/endojs/endo/blob/master/packages/ses/docs/preparing-for-stabilize.md | ||
*/ | ||
const makeInput = () => freeze({ __proto__: mercurialProto }); |
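Review bot: On the `makeInput` line, `freeze` (assuming it is `Object.freeze`) is shallow: it freezes only the new object literal, and `mercurialProto`, which that object inherits from, is left as it was. If that is intended, the doc comment above `makeInput` should say so, since the PR description asks reviewers to check that nothing was left unfrozen where `harden` was replaced by `freeze`.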
const makeInput = () => freeze({ __proto__: mercurialProto }); | |
const makeInput = () => freezeToBeSuppressTrapping({ __proto__: mercurialProto }); |
Closes: #XXXX
Refs: Agoric/agoric-sdk#10795
Description
Prepare for anticipated introduction and use of the non-trapping integrity trait as explained at https://github.com/endojs/endo/blob/b12eb434b6672f0ceae41be55aac7f24c4562b7b/packages/ses/docs/preparing-for-stabilize.md
These preparations must work now, before these traits are introduced, and should continue to work after these traits are introduced and used.
Security Considerations
Some things that had been deeply frozen automatically by `harden` are now manually frozen by explicit calls to `freeze`. We need to review these carefully to ensure that nothing has inadvertently been left unfrozen as a result of the changes in this PR.

Some proxies will become unhardenable, but they will still be hardenable as of now, so mistaken hardenings will not be detected.
Scaling Considerations
For this PR by itself, none. Using the shim-based implementation of the non-trapping trait will have scaling consequences: #2675
Documentation Considerations
https://github.com/endojs/endo/blob/b12eb434b6672f0ceae41be55aac7f24c4562b7b/packages/ses/docs/preparing-for-stabilize.md will need to be reflected in developer docs.
Testing Considerations
Since this PR by itself should be a pure refactor with no observable changes, there is nothing to test at this stage. The testing burden will come with #2675 to see how adequate these preparations were.
Compatibility Considerations
The point. This changes to coding patterns that should be compat both with the current status quo and with #2675
Upgrade Considerations
As a pure refactor, none.
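The review requested under Security Considerations (checking that a switch from deep `harden` to shallow `freeze` left nothing unfrozen) can be partly mechanized. The following is an added example, not code from this PR or from Endo: `findUnfrozen` is a hypothetical helper, the sample objects are constructed, and it assumes plain JavaScript without SES lockdown, which is why the standard prototypes are skipped.

```javascript
// Added example (not Endo code): report every object reachable from `root`
// that is not frozen. `findUnfrozen` is a hypothetical helper name.
const { isFrozen, freeze, getPrototypeOf, getOwnPropertyDescriptors } = Object;

const isObjectLike = v =>
  (typeof v === 'object' && v !== null) || typeof v === 'function';

// Standard prototypes are skipped here; under SES lockdown they are already
// frozen, but in plain Node.js they are not and would drown out the report.
const INTRINSIC_PROTOS = new Set([
  Object.prototype, Function.prototype, Array.prototype,
]);

function findUnfrozen(root, rootName = 'root') {
  const seen = new Set();
  const unfrozen = [];
  const visit = (value, path) => {
    if (!isObjectLike(value) || seen.has(value) || INTRINSIC_PROTOS.has(value)) {
      return;
    }
    seen.add(value);
    if (!isFrozen(value)) unfrozen.push(path);
    visit(getPrototypeOf(value), `${path}.__proto__`);
    const descs = getOwnPropertyDescriptors(value);
    for (const key of Reflect.ownKeys(descs)) {
      const desc = descs[key];
      const name = `${path}.${String(key)}`;
      // Read descriptors, never the properties, so no getter runs.
      if ('value' in desc) {
        visit(desc.value, name);
      } else {
        visit(desc.get, `${name}(get)`);
        visit(desc.set, `${name}(set)`);
      }
    }
  };
  visit(root, rootName);
  return unfrozen;
}

// Constructed sample: a mutable prototype under a shallowly frozen object.
const sampleProto = { limits: { max: 10 } };
const shallow = freeze({ __proto__: sampleProto, config: { mode: 'strict' } });
// The same shape with every level frozen by hand.
const deepProto = freeze({ limits: freeze({ max: 10 }) });
const deep = freeze({ __proto__: deepProto, config: freeze({ mode: 'strict' }) });

console.log(findUnfrozen(shallow, 'shallow'));
console.log(findUnfrozen(deep, 'deep'));
```

An empty result means every reachable object, including prototypes and accessor functions, is frozen; each reported path is a place where a manual `freeze` call did not reach.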