@agoric/swingset-liveslots 0.10.3-dev-4733782.0 → 0.10.3-dev-af3ced9.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agoric/swingset-liveslots",
-  "version": "0.10.3-dev-4733782.0+4733782",
+  "version": "0.10.3-dev-af3ced9.0+af3ced9",
   "description": "SwingSet ocap support layer",
   "type": "module",
   "main": "src/index.js",
@@ -17,9 +17,9 @@
     "lint:eslint": "eslint ."
   },
   "dependencies": {
-    "@agoric/assert": "0.6.1-dev-4733782.0+4733782",
-    "@agoric/internal": "0.3.3-dev-4733782.0+4733782",
-    "@agoric/store": "0.9.3-dev-4733782.0+4733782",
+    "@agoric/assert": "0.6.1-dev-af3ced9.0+af3ced9",
+    "@agoric/internal": "0.3.3-dev-af3ced9.0+af3ced9",
+    "@agoric/store": "0.9.3-dev-af3ced9.0+af3ced9",
     "@endo/env-options": "^1.1.2",
     "@endo/errors": "^1.2.0",
     "@endo/eventual-send": "^1.2.0",
@@ -33,7 +33,7 @@
     "@endo/promise-kit": "^1.1.0"
   },
   "devDependencies": {
-    "@agoric/kmarshal": "0.1.1-dev-4733782.0+4733782",
+    "@agoric/kmarshal": "0.1.1-dev-af3ced9.0+af3ced9",
     "ava": "^5.3.0"
   },
   "files": [
@@ -69,5 +69,5 @@
   "typeCoverage": {
     "atLeast": 75.22
   },
-  "gitHead": "47337826034f90078930b0135aa0a81f3a1d773e"
+  "gitHead": "af3ced91861731353e10a45e4eae63450f74a0ea"
 }

package/src/vatDataTypes.d.ts

@@ -73,6 +73,41 @@ export type DefineKindOptions<C> = {
   finish?: (context: C) => void;
 
   /**
+   * If provided, it describes the shape of all state records of instances
+   * of this kind.
+   */
+  stateShape?: StateShape;
+
+  /**
+   * If a `receiveAmplifier` function is provided to an exo class kit definition,
+   * it will be called with an `Amplify` function. If provided to the definition
+   * of a normal exo or exo class, the definition will throw, since only
+   * exo kits can be amplified.
+   * An `Amplify` function is a function that takes a facet instance of
+   * this class kit as an argument, in which case it will return the facets
+   * record, giving access to all the facet instances of the same cohort.
+   */
+  receiveAmplifier?: ReceivePower<Amplify<F>>;
+
+  /**
+   * If a `receiveInstanceTester` function is provided, it will be called
+   * during the definition of the exo class or exo class kit with an
+   * `IsInstance` function. The first argument of `IsInstance`
+   * is the value to be tested. When it may be a facet instance of an
+   * exo class kit, the optional second argument, if provided, is
+   * a `facetName`. In that case, the function tests only if the first
+   * argument is an instance of that facet of the associated exo class kit.
+   */
+  receiveInstanceTester?: ReceivePower<IsInstance>;
+
+  // TODO properties above are identical to those in FarClassOptions.
+  // These are the only options that should be exposed by
+  // vat-data's public virtual/durable exo APIs. This DefineKindOptions
+  // should explicitly be a subtype, where the methods below are only for
+  // internal use, i.e., below the exo level.
+
+  /**
+   * As a kind option, intended for internal use only.
    * Meaningful to `makeScalarBigMapStore` and its siblings. These maker
    * fuctions will make either virtual or durable stores, depending on
    * this flag. Defaults to off, making virtual but not durable collections.
@@ -84,12 +119,6 @@ export type DefineKindOptions<C> = {
    */
   durable?: boolean;
 
-  /**
-   * If provided, it describes the shape of all state records of instances
-   * of this kind.
-   */
-  stateShape?: StateShape;
-
   /**
    * Intended for internal use only.
    * Should the raw methods receive their `context` argument as their first

package/src/virtualObjectManager.js

@@ -28,8 +28,18 @@ import {
  * @typedef {import('@endo/exo/src/exo-tools.js').KitContextProvider } KitContextProvider
  */
 
-const { hasOwn, defineProperty, getOwnPropertyNames, entries, fromEntries } =
-  Object;
+/**
+ *
+ */
+
+const {
+  hasOwn,
+  defineProperty,
+  getOwnPropertyNames,
+  values,
+  entries,
+  fromEntries,
+} = Object;
 const { ownKeys } = Reflect;
 
 // Turn on to give each exo instance its own toStringTag value which exposes
@@ -679,6 +689,8 @@ export const makeVirtualObjectManager = (
     const {
       finish = undefined,
       stateShape = undefined,
+      receiveAmplifier = undefined,
+      receiveInstanceTester = undefined,
       thisfulMethods = false,
     } = options;
     let {
@@ -766,6 +778,11 @@ export const makeVirtualObjectManager = (
       Fail`A stateShape must be a copyRecord: ${q(stateShape)}`;
     assertPattern(stateShape);
 
+    if (!multifaceted) {
+      receiveAmplifier === undefined ||
+        Fail`Only facets of an exo class kit can be amplified, not ${q(tag)}`;
+    }
+
     let facetNames;
 
     if (isDurable) {
@@ -948,14 +965,20 @@ export const makeVirtualObjectManager = (
     // and into method-invocation time (which is not).
 
     let proto;
+    /** @type {ClassContextProvider | undefined} */
+    let contextProviderVar;
+    /** @type { Record<string, KitContextProvider> | undefined } */
+    let contextProviderKitVar;
+
     if (multifaceted) {
-      /** @type { Record<string, KitContextProvider> } */
-      const contextProviderKit = fromEntries(
+      contextProviderKitVar = fromEntries(
         facetNames.map((name, index) => [
           name,
           rep => {
             const vref = getSlotForVal(rep);
-            assert(vref !== undefined);
+            if (vref === undefined) {
+              return undefined;
+            }
             const { baseRef, facet } = parseVatSlot(vref);
 
             // Without this check, an attacker (with access to both
@@ -966,7 +989,9 @@ export const makeVirtualObjectManager = (
             // objects, but they could invoke all their equivalent methods,
             // by using e.g.
             // cohort1.facetA.foo.apply(cohort2.facetB, [...args])
-            Number(facet) === index || Fail`illegal cross-facet access`;
+            if (Number(facet) !== index) {
+              return undefined;
+            }
 
             return harden(contextCache.get(baseRef));
           },
@@ -975,21 +1000,22 @@ export const makeVirtualObjectManager = (
 
       proto = defendPrototypeKit(
         tag,
-        harden(contextProviderKit),
+        harden(contextProviderKitVar),
         behavior,
         thisfulMethods,
         interfaceGuardKit,
       );
     } else {
-      /** @type {ClassContextProvider} */
-      const contextProvider = rep => {
+      contextProviderVar = rep => {
         const slot = getSlotForVal(rep);
-        assert(slot !== undefined);
+        if (slot === undefined) {
+          return undefined;
+        }
         return harden(contextCache.get(slot));
       };
       proto = defendPrototype(
         tag,
-        harden(contextProvider),
+        harden(contextProviderVar),
         behavior,
         thisfulMethods,
         interfaceGuard,
@@ -997,6 +1023,10 @@ export const makeVirtualObjectManager = (
     }
     harden(proto);
 
+    // All this to let typescript know that it won't vary during a closure
+    const contextProvider = contextProviderVar;
+    const contextProviderKit = contextProviderKitVar;
+
     // this builds new Representatives, both when creating a new instance and
     // for reanimating an existing one when the old rep gets GCed
 
@@ -1074,6 +1104,59 @@ export const makeVirtualObjectManager = (
       return val;
     };
 
+    if (receiveAmplifier) {
+      assert(contextProviderKit);
+
+      // Amplify a facet to a cohort
+      const amplify = exoFacet => {
+        for (const cp of values(contextProviderKit)) {
+          const context = cp(exoFacet);
+          if (context !== undefined) {
+            return context.facets;
+          }
+        }
+        throw Fail`Must be a facet of ${q(tag)}: ${exoFacet}`;
+      };
+      harden(amplify);
+      receiveAmplifier(amplify);
+    }
+
+    if (receiveInstanceTester) {
+      if (multifaceted) {
+        assert(contextProviderKit);
+
+        const isInstance = (exoFacet, facetName = undefined) => {
+          if (facetName === undefined) {
+            // Is exoFacet and instance of any facet of this class kit?
+            return values(contextProviderKit).some(
+              cp => cp(exoFacet) !== undefined,
+            );
+          }
+          // Is this exoFacet an instance of this specific facet column
+          // of this class kit?
+          assert.typeof(facetName, 'string');
+          const cp = contextProviderKit[facetName];
+          cp !== undefined ||
+            Fail`exo class kit ${q(tag)} has no facet named ${q(facetName)}`;
+          return cp(exoFacet) !== undefined;
+        };
+        harden(isInstance);
+        receiveInstanceTester(isInstance);
+      } else {
+        assert(contextProvider);
+        // Is this exo an instance of this class?
+        const isInstance = (exo, facetName = undefined) => {
+          facetName === undefined ||
+            Fail`facetName can only be used with an exo class kit: ${q(
+              tag,
+            )} has no facet ${q(facetName)}`;
+          return contextProvider(exo) !== undefined;
+        };
+        harden(isInstance);
+        receiveInstanceTester(isInstance);
+      }
+    }
+
     return makeNewInstance;
   };
 

package/test/virtual-objects/test-cross-facet.js

@@ -33,10 +33,12 @@ test('forbid cross-facet prototype attack', t => {
   thing2.mutable.set(2);
 
   t.throws(() => attack1(thing1.mutable, thing2.immutable), {
-    message: /^illegal cross-facet access/,
+    message:
+      '"In \\"set\\" method of (thing mutable)" may only be applied to a valid instance: "[Alleged: thing immutable]"',
   });
   t.throws(() => attack2(thing1.mutable, thing2.immutable), {
-    message: /^illegal cross-facet access/,
+    message:
+      '"In \\"set\\" method of (thing mutable)" may only be applied to a valid instance: "[Alleged: thing immutable]"',
   });
   t.is(thing1.immutable.get(), 1);
   t.is(thing2.immutable.get(), 2);