feat(marshal): Allow promise stand-ins

[gibson042]

Stacked on #1311

Fixes #1312

This is the most restrictive solution, in which a pseudo-promise is not
allowed to have any properties or methods (although that may be relaxed
in the future to support a then method and/or settlement/resolution
data).

TODO:

• combine promise and safe-promise helpers (after perf(marshal): Extend new assert style to passStyleOf check calls #1310 )

[erights]

@gibson042 since this is stacked on #1311 , I edited the github PR to compare to #1311 's fork for easier reviewability. If this is not appropriate, feel free to change back.

(#1311 has since been merged, so this note is no longer relevant)

[mhofman]

Seems like we're duplicating the isPromise check if the candidate is not a native promise, which means really we're creating 2 throw away Promise objects.

[erights]

But only one extra one, since we gotta do at least one. Unless we wanna invert the order of tests, which is likely to be net more expensive.

[gibson042]

It's actually even more than that, because passStyleOf itself uses isPromise on every [frozen] object, and then every one that fails the check and does not have an explicit PASS_STYLE is subject to iteration over each helper's canBeValid in priority order, with promise's using isPromise and then each object accepted by that canBeValid is passed to assertValid (which also uses isPromise). I'll reorder to check PASS_STYLE first, but that will still leave two calls for ersatz promises, and if we really care then I think we'll need a WeakMap.

[erights]

passStyleOf memoizes

[mhofman]

I thought that for @FUDCo's use case, we needed at least a toString() method? When discussing this with @erights we didn't see a need to disallow any more methods than for remotables.

[FUDCo]

Being able to specify the toString() method is literally the only thing that matters to me here. Everything else is just machinery to enable that to work.

[erights]

... toString() method ...

Cannot do that in any case, and this PR wisely does not attempt to. What do you really need? What are you doing now, so that your current state works? My sense is that you only need a pair of functions which can be local to a context, where

getSomething(makePromiseWithSomething(something)) === something

for some appropriate somethings. We can do that trivially with real promises and a weakmap, yes?

[erights]

When discussing this with @erights we didn't see a need to disallow any more methods than for remotables.

True. And what I said then contradicts what I said above. There are two simple extremes, and we should do one or the other.

• Allow mostly-arbitrary unvalidatable methods, like we do for remotables. This is why remotables can have an arbitrary toString method.
• Data-only, which is where this PR currently is, and why I'm trying to avoid any unvalidatable behavior.

The problem is that we are still operating under the "any module might be multiply instantiated" restriction, and so any objective predicate, like passStyleOf, cannot brand things to remember that they are safe by construction. It can only tell that it is safe by inspection. passStyleOf does use a memo table to avoid redundant work, which is much like a brand table. Except that if absent, it always falls back to inspection. The behavior of non-primordial non-global methods cannot be inspected to be safe.

[gibson042]

This comes down to a tension between practicality and the principle that unmarshaling should recover full state. We can relax this constraint if the use case is in fact sufficiently strong, but we can't go in the other direction.

[erights]

Not approving for two reasons:

• The requested changes, in particular using checkTagRecord for better validation.
• In light of subsequent discussions, I am queasy about introducing something passStyleOf recognizes as a promise type, but which cannot yet work with E( nor E.when(.

Despite the second bullet, please do respond to requested changes, so we'll be closer to moving ahead if/when the second bullet is resolved. There are two needs this PR would be a step towards:

• @FUDCo 's immediate need for his encode/decode manipulation in the post-smallcaps SwingSet tests,
• @mhofman 's plans for virtual persistent promises.

@FUDCo already has something working. I'd like to see that before judging that use to be urgent. Assuming it is not urgent, I'd like to hold this off until we find something that works with E and E.when, probably as part of doing virtual and durable promises as the same time.

[erights]

Whoa! TIL Exclude

[erights]

I see this is from #1043 which I should have paid more attention to at the time. It surprises me, but it does look good.

[erights]

No change suggested.

[erights]

Shouldn't you also delete

          if (isPromise(inner)) {
            assertSafePromise(inner);
            return 'promise';
          }

from lines 150-153 above?

[gibson042]

Only if we also move the prohibition of a then method. It seemed cleaner to keep it at the expense of some redundancy.

[erights]

More better testing once we have arb-passable.js?

[gibson042]

Absolutely!

[erights]

;)

No change suggested for this PR.

[erights]

But it is an addition provided by this same PR. In what scenario could this condition ever happen?

[gibson042]

If any code outside of this package calls makePassStyleOf, which is exported. However, there are no examples of that anywhere in endo or agoric-sdk AFAICT... should I remove this leeway?

[erights]

Where is makePassStyleOf exported? I should not be.

[gibson042]

Oh, my mistake! I guess I was looking elsewhere. Fixed.

[erights]

Aha. Would be vulnerable to the obscure Object.prototype.value = junk arrack on descriptors we just talked about in the endo meeting. (Were you there for that?) However, this is in the marshal package, not the ses package, which should only execute after lockdown, and so is not vulnerable. But amusing nonetheless!

No change suggested.

[erights]

Yes, good choice moving checkTagRecord from canBeValid to assertValid.

No change suggested.

[erights]

Good question. Yes, I think both should. But here's a counter-argument that says we shouldn't support it at all, i.e., that we should remove such support even from copyRecords:

Any such non-standard null prototype is not pass invariant. If such a copyRecord is passed through any marshal barrier, the copyRecord that gets unserialized on the other side will always inherit directly from `Object.prototype'.

So, I am still on the fence. Opinions?

[gibson042]

I am in favor of removing support for all null-prototype passables unless we have a clear scenario benefiting from them, in which case every check for Object.prototype should be expanded accordingly.

[erights]

I agree. So no change suggested here. Anytime you'd like to propagate this reform (assuming it doesn't break anything but tests), I'll happily review. Thanks!

[gibson042]

#1324

[mhofman]

Necroing this thread but an argument could be made that a copyRecord should be unmarshalled with a null prototype instead.

[erights]

Given that we agree on preserving pass-invariance, there are only two solutions:

1. All CopyRecords inherit from Object.prototype (status quo)
2. All CopyRecords inherit from null (what we’d all prefer if we could have it everywhere at reasonable cost)

Yes, we could change passStyleOf and unserialize to be consistent with (2). What we cannot reasonably change is requiring everyone to write

harden({
  __proto__: null,
  foo: 3
})

rather than the status quo

harden({foo: 3})

Yes, there are approaches to this notational constraint, like using something instead of harden that either

• modifies the argument record in place (like Far does), or
• produces a new object derived from the argument object

Altogether, for the way we use CopyRecords everywhere, I don’t think either of these coping strategies are at reasonable notational and explanatory cost. Such a cure would be worse than the disease.

[erights]

No change suggested.

[erights]

;)

No change suggested for this PR.

[erights]

This one is genuinely fake. No change suggested.

[erights]

Were we to go ahead with this, its current state would LGTM

[erights]

Cool name!

No change suggested.

[gibson042]

https://en.wikipedia.org/wiki/No-hair_theorem 🤓

[mhofman]

This seems overly restrictive. I'm wondering if we may ever want to differentiate between different kinds of pseudo promises in which case toStringTag would be appropriate.

[gibson042]

I figure we can relax this constraint if that need arises.

[mhofman]

Suggested change

	assert.fail(X`Unexpected properties on pseudo-promise ${keys}`);
	assert.fail(X`Unexpected properties on pseudo-promise ${keys.filter(k => k !== PASS_STYLE && k !== toStringTag)}`);

[gibson042]

Done with the ...rest pattern used elsewhere.

[erights]

@mhofman I just created the label pseudo-promise and labeled this PR with that label, to keep track of PRs and issues relevant for thinking about possible pseudo-promise semantics.