@agoric/swingset-liveslots 0.10.3-u16.1 → 0.10.3-u17.1

package/src/collectionManager.js

@@ -1,10 +1,9 @@
-import { assert, q, Fail } from '@agoric/assert';
+import { assert, q, Fail } from '@endo/errors';
 import { Far, passStyleOf } from '@endo/far';
 import {
   zeroPad,
   makeEncodePassable,
   makeDecodePassable,
-  isEncodedRemotable,
   compareRank,
 } from '@endo/marshal';
 import {
@@ -66,6 +65,12 @@ function prefixc(collectionID, dbEntryKey) {
   return `vc.${collectionID}.${dbEntryKey}`;
 }
 
+export const collectionMetaKeys = new Set([
+  '|entryCount',
+  '|nextOrdinal',
+  '|schemata',
+]);
+
 /**
  * @typedef {object} SchemaCacheValue
  * @property {Pattern} keyShape
@@ -293,6 +298,20 @@ export function makeCollectionManager(
       return `${dbKeyPrefix}${dbEntryKey}`;
     }
 
+    // A "vref" is a string like "o-4" or "o+d44/2:0"
+    // An "EncodedKey" is the output of encode-passable:
+    // * strings become `s${string}`, like "foo" -> "sfoo"
+    // * small positive BigInts become `p${len}:${digits}`, like 47n -> "p2:47"
+    // * refs are assigned an "ordinal" and use `r${fixedLengthOrdinal}:${vref}`
+    //   * e.g. vref(o-4) becomes "r0000000001:o-4"
+    // A "DBKey" is used to index the vatstore. DBKeys for collection
+    // entries join a collection prefix and an EncodedKey. Some
+    // possible DBKeys for entries of collection "5", using collection
+    // prefix "vc.5.", are:
+    // * "foo" -> "vc.5.sfoo"
+    // * 47n -> "vc.5.p2:47"
+    // * vref(o-4) -> "vc.5.r0000000001:o-4"
+
     const encodeRemotable = remotable => {
       // eslint-disable-next-line no-use-before-define
       const ordinal = getOrdinal(remotable);
@@ -308,10 +327,11 @@ export function makeCollectionManager(
     // the resulting function will encode only `Key` arguments.
     const encodeKey = makeEncodePassable({ encodeRemotable });
 
-    const vrefFromDBKey = dbKey => dbKey.substring(BIGINT_TAG_LEN + 2);
+    const vrefFromEncodedKey = encodedKey =>
+      encodedKey.substring(1 + BIGINT_TAG_LEN + 1);
 
     const decodeRemotable = encodedKey =>
-      convertSlotToVal(vrefFromDBKey(encodedKey));
+      convertSlotToVal(vrefFromEncodedKey(encodedKey));
 
     // `makeDecodePassable` has three named options:
     // `decodeRemotable`, `decodeError`, and `decodePromise`.
@@ -347,10 +367,16 @@ export function makeCollectionManager(
     }
 
     function dbKeyToKey(dbKey) {
+      // convert e.g. vc.5.r0000000001:o+v10/1 to r0000000001:o+v10/1
       const dbEntryKey = dbKey.substring(dbKeyPrefix.length);
       return decodeKey(dbEntryKey);
     }
 
+    function dbKeyToEncodedKey(dbKey) {
+      assert(dbKey.startsWith(dbKeyPrefix), dbKey);
+      return dbKey.substring(dbKeyPrefix.length);
+    }
+
     function has(key) {
       const { keyShape } = getSchema();
       if (!matches(key, keyShape)) {
@@ -553,40 +579,58 @@ export function makeCollectionManager(
      */
     function clearInternalFull() {
       let doMoreGC = false;
-      const [coverStart, coverEnd] = getRankCover(M.any(), encodeKey);
-      const start = prefix(coverStart);
-      const end = prefix(coverEnd);
-
-      // this yields all keys for which (start <= key < end)
-      for (const dbKey of enumerateKeysStartEnd(syscall, start, end)) {
-        const value = JSON.parse(syscall.vatstoreGet(dbKey));
-        doMoreGC =
-          value.slots.map(vrm.removeReachableVref).some(b => b) || doMoreGC;
-        syscall.vatstoreDelete(dbKey);
-        if (isEncodedRemotable(dbKey)) {
-          const keyVref = vrefFromDBKey(dbKey);
+
+      // visit every DB entry associated with the collection, which
+      // (due to sorting) will be collection entries first, and then a
+      // mixture of ordinal-assignment mappings and size-independent
+      // metadata (both of which start with "|").
+      for (const dbKey of enumerateKeysWithPrefix(syscall, dbKeyPrefix)) {
+        const encodedKey = dbKeyToEncodedKey(dbKey);
+
+        // preserve general metadata ("|entryCount" and friends are
+        // cleared by our caller)
+        if (collectionMetaKeys.has(encodedKey)) continue;
+
+        if (encodedKey.startsWith('|')) {
+          // ordinal assignment; decref or de-recognize its vref
+          const keyVref = encodedKey.substring(1);
+          parseVatSlot(keyVref);
           if (hasWeakKeys) {
             vrm.removeRecognizableVref(keyVref, `${collectionID}`, true);
           } else {
             doMoreGC = vrm.removeReachableVref(keyVref) || doMoreGC;
           }
-          syscall.vatstoreDelete(prefix(`|${keyVref}`));
+        } else {
+          // a collection entry; decref slots from its value
+          const value = JSON.parse(syscall.vatstoreGet(dbKey));
+          doMoreGC =
+            value.slots.map(vrm.removeReachableVref).some(b => b) || doMoreGC;
         }
+
+        // in either case, delete the DB entry
+        syscall.vatstoreDelete(dbKey);
       }
+
       return doMoreGC;
     }
 
     function clearInternal(isDeleting, keyPatt, valuePatt) {
       let doMoreGC = false;
-      if (isDeleting || (matchAny(keyPatt) && matchAny(valuePatt))) {
+      if (isDeleting) {
         doMoreGC = clearInternalFull();
+        // |entryCount will be deleted along with metadata keys
+      } else if (matchAny(keyPatt) && matchAny(valuePatt)) {
+        doMoreGC = clearInternalFull();
+        if (!hasWeakKeys) {
+          syscall.vatstoreSet(prefix('|entryCount'), '0');
+        }
       } else {
+        let numDeleted = 0;
         for (const k of keys(keyPatt, valuePatt)) {
+          numDeleted += 1;
           doMoreGC = deleteInternal(k) || doMoreGC;
         }
-      }
-      if (!hasWeakKeys && !isDeleting) {
-        syscall.vatstoreSet(prefix('|entryCount'), '0');
+        updateEntryCount(-numDeleted);
       }
       return doMoreGC;
     }

package/src/facetiousness.js

@@ -1,4 +1,4 @@
-import { Fail } from '@agoric/assert';
+import { Fail } from '@endo/errors';
 
 /**
  * Assess the facetiousness of a value.  If the value is an object containing

package/src/liveslots.js

@@ -1,10 +1,7 @@
-import {
-  Remotable,
-  passStyleOf,
-  getInterfaceOf,
-  makeMarshal,
-} from '@endo/marshal';
-import { assert, Fail } from '@agoric/assert';
+import { annotateError, assert, Fail, makeError, X } from '@endo/errors';
+import { passStyleOf } from '@endo/pass-style';
+import { PassStyleOfEndowmentSymbol } from '@endo/pass-style/endow.js';
+import { Remotable, getInterfaceOf, makeMarshal } from '@endo/marshal';
 import { isPromise } from '@endo/promise-kit';
 import { E, HandledPromise } from '@endo/eventual-send';
 import { insistVatType, makeVatSlot, parseVatSlot } from './parseVatSlots.js';
@@ -15,12 +12,11 @@ import { makeVirtualReferenceManager } from './virtualReferences.js';
 import { makeVirtualObjectManager } from './virtualObjectManager.js';
 import { makeCollectionManager } from './collectionManager.js';
 import { makeWatchedPromiseManager } from './watchedPromises.js';
+import { makeBOYDKit } from './boyd-gc.js';
 
 const SYSCALL_CAPDATA_BODY_SIZE_LIMIT = 10_000_000;
 const SYSCALL_CAPDATA_SLOTS_LENGTH_LIMIT = 10_000;
 
-const { details: X } = assert;
-
 // 'makeLiveSlots' is a dispatcher which uses javascript Maps to keep track
 // of local objects which have been exported. These cannot be persisted
 // beyond the runtime of the javascript environment, so this mechanism is not
@@ -170,52 +166,6 @@ function build(
     }
   }
 
-  /*
-    Imports are in one of 5 states: UNKNOWN, REACHABLE, UNREACHABLE,
-    COLLECTED, FINALIZED. Note that there's no actual state machine with those
-    values, and we can't observe all of the transitions from JavaScript, but
-    we can describe what operations could cause a transition, and what our
-    observations allow us to deduce about the state:
-
-    * UNKNOWN moves to REACHABLE when a crank introduces a new import
-    * userspace holds a reference only in REACHABLE
-    * REACHABLE moves to UNREACHABLE only during a userspace crank
-    * UNREACHABLE moves to COLLECTED when GC runs, which queues the finalizer
-    * COLLECTED moves to FINALIZED when a new turn runs the finalizer
-    * liveslots moves from FINALIZED to UNKNOWN by syscalling dropImports
-
-    convertSlotToVal either imports a vref for the first time, or
-    re-introduces a previously-seen vref. It transitions from:
-
-    * UNKNOWN to REACHABLE by creating a new Presence
-    * UNREACHABLE to REACHABLE by re-using the old Presence that userspace
-      forgot about
-    * COLLECTED/FINALIZED to REACHABLE by creating a new Presence
-
-    Our tracking tables hold data that depends on the current state:
-
-    * slotToVal holds a WeakRef in [REACHABLE, UNREACHABLE, COLLECTED]
-    * that WeakRef .deref()s into something in [REACHABLE, UNREACHABLE]
-    * deadSet holds the vref only in FINALIZED
-    * re-introduction must ensure the vref is not in the deadSet
-
-    Each state thus has a set of perhaps-measurable properties:
-
-    * UNKNOWN: slotToVal[baseRef] is missing, baseRef not in deadSet
-    * REACHABLE: slotToVal has live weakref, userspace can reach
-    * UNREACHABLE: slotToVal has live weakref, userspace cannot reach
-    * COLLECTED: slotToVal[baseRef] has dead weakref
-    * FINALIZED: slotToVal[baseRef] is missing, baseRef is in deadSet
-
-    Our finalizer callback is queued by the engine's transition from
-    UNREACHABLE to COLLECTED, but the baseRef might be re-introduced before the
-    callback has a chance to run. There might even be multiple copies of the
-    finalizer callback queued. So the callback must deduce the current state
-    and only perform cleanup (i.e. delete the slotToVal entry and add the
-    baseRef to the deadSet) in the COLLECTED state.
-
-  */
-
   function finalizeDroppedObject(baseRef) {
     // TODO: Ideally this function should assert that it is not metered.  This
     // appears to be fine in practice, but it breaks a number of unit tests in
@@ -240,113 +190,6 @@ function build(
   }
   const vreffedObjectRegistry = new FinalizationRegistry(finalizeDroppedObject);
 
-  async function scanForDeadObjects() {
-    // `possiblyDeadSet` accumulates vrefs which have lost a supporting
-    // pillar (in-memory, export, or virtualized data refcount) since the
-    // last call to scanForDeadObjects. The vref might still be supported
-    // by a remaining pillar, or the pillar which was dropped might be back
-    // (e.g., given a new in-memory manifestation).
-
-    const importsToDrop = new Set();
-    const importsToRetire = new Set();
-    const exportsToRetire = new Set();
-    let doMore;
-    await null;
-    do {
-      doMore = false;
-
-      await gcTools.gcAndFinalize();
-
-      // possiblyDeadSet contains a baseref for everything (Presences,
-      // Remotables, Representatives) that might have lost a
-      // pillar. The object might still be supported by other pillars,
-      // and the lost pillar might have been reinstantiated by the
-      // time we get here. The first step is to filter this down to a
-      // list of definitely dead baserefs.
-
-      const deadSet = new Set();
-
-      for (const baseRef of possiblyDeadSet) {
-        if (slotToVal.has(baseRef)) {
-          continue; // RAM pillar remains
-        }
-        const { virtual, durable, type } = parseVatSlot(baseRef);
-        assert(type === 'object', `unprepared to track ${type}`);
-        if (virtual || durable) {
-          // eslint-disable-next-line no-use-before-define
-          if (vrm.isVirtualObjectReachable(baseRef)) {
-            continue; // vdata or export pillar remains
-          }
-        }
-        deadSet.add(baseRef);
-      }
-      possiblyDeadSet.clear();
-
-      // deadSet now contains objects which are certainly dead
-
-      // possiblyRetiredSet holds (a subset of??) baserefs which have
-      // lost a recognizer recently. TODO recheck this
-
-      for (const vref of possiblyRetiredSet) {
-        // eslint-disable-next-line no-use-before-define
-        if (!getValForSlot(vref) && !deadSet.has(vref)) {
-          // Don't retire things that haven't yet made the transition to dead,
-          // i.e., always drop before retiring
-          // eslint-disable-next-line no-use-before-define
-          if (!vrm.isVrefRecognizable(vref)) {
-            importsToRetire.add(vref);
-          }
-        }
-      }
-      possiblyRetiredSet.clear();
-
-      const deadBaseRefs = Array.from(deadSet);
-      deadBaseRefs.sort();
-      for (const baseRef of deadBaseRefs) {
-        const { virtual, durable, allocatedByVat, type } =
-          parseVatSlot(baseRef);
-        type === 'object' || Fail`unprepared to track ${type}`;
-        if (virtual || durable) {
-          // Representative: send nothing, but perform refcount checking
-          // eslint-disable-next-line no-use-before-define
-          const [gcAgain, retirees] = vrm.deleteVirtualObject(baseRef);
-          if (retirees) {
-            retirees.map(retiree => exportsToRetire.add(retiree));
-          }
-          doMore = doMore || gcAgain;
-        } else if (allocatedByVat) {
-          // Remotable: send retireExport
-          // for remotables, vref === baseRef
-          if (kernelRecognizableRemotables.has(baseRef)) {
-            kernelRecognizableRemotables.delete(baseRef);
-            exportsToRetire.add(baseRef);
-          }
-        } else {
-          // Presence: send dropImport unless reachable by VOM
-          // eslint-disable-next-line no-lonely-if, no-use-before-define
-          if (!vrm.isPresenceReachable(baseRef)) {
-            importsToDrop.add(baseRef);
-            // eslint-disable-next-line no-use-before-define
-            if (!vrm.isVrefRecognizable(baseRef)) {
-              // for presences, baseRef === vref
-              importsToRetire.add(baseRef);
-            }
-          }
-        }
-      }
-    } while (possiblyDeadSet.size > 0 || possiblyRetiredSet.size > 0 || doMore);
-
-    if (importsToDrop.size) {
-      syscall.dropImports(Array.from(importsToDrop).sort());
-    }
-    if (importsToRetire.size) {
-      syscall.retireImports(Array.from(importsToRetire).sort());
-    }
-    if (exportsToRetire.size) {
-      syscall.retireExports(Array.from(exportsToRetire).sort());
-    }
-  }
-
   /**
    * Remember disavowed Presences which will kill the vat if you try to talk
    * to them
@@ -747,39 +590,50 @@ function build(
       try {
         val = vrm.reanimate(baseRef);
       } catch (err) {
-        const wrappedError = assert.error(X`failed to reanimate ${iface}`);
-        assert.note(wrappedError, X`Original error: ${err}`);
+        const wrappedError = makeError(X`failed to reanimate ${iface}`);
+        annotateError(wrappedError, X`Original error: ${err}`);
         throw wrappedError;
       }
       if (facet !== undefined) {
         result = vrm.getFacet(id, val, facet);
       }
-    } else {
+    } else if (type === 'object') {
+      // Note: an abandonned (e.g. by an upgrade) exported ephemeral or virtual
+      // object would appear as an import if re-introduced. In the future we
+      // may need to change that if we want to keep recognizing such references
+      // In that case we'd need to create an imported presence for these
+      // unknown vrefs allocated by the vat.
+      // See https://github.com/Agoric/agoric-sdk/issues/9746
       !allocatedByVat || Fail`I don't remember allocating ${slot}`;
-      if (type === 'object') {
-        // this is a new import value
-        val = makeImportedPresence(slot, iface);
-      } else if (type === 'promise') {
-        const pRec = makePipelinablePromise(slot);
-        importedVPIDs.set(slot, pRec);
-        val = pRec.promise;
-        // ideally we'd wait until .then is called on p before subscribing,
-        // but the current Promise API doesn't give us a way to discover
-        // this, so we must subscribe right away. If we were using Vows or
-        // some other then-able, we could just hook then() to notify us.
-        if (importedPromises) {
-          // leave the subscribe() up to dispatch.notify()
-          importedPromises.add(slot);
-        } else {
-          // probably in dispatch.deliver(), so subscribe now
-          syscall.subscribe(slot);
-        }
-      } else if (type === 'device') {
-        val = makeDeviceNode(slot, iface);
-        importedDevices.add(val);
+      // this is a new import value
+      val = makeImportedPresence(slot, iface);
+    } else if (type === 'promise') {
+      // We unconditionally create a promise record, even if the promise looks
+      // like it was allocated by us. This can happen when re-importing a
+      // promise created by the previous incarnation. We may or may not have
+      // been the decider of the promise. If we were, the kernel will be
+      // rejecting the promise on our behalf. We may have previously been
+      // subscribed to that promise, but subscription is idempotent.
+      const pRec = makePipelinablePromise(slot);
+      importedVPIDs.set(slot, pRec);
+      val = pRec.promise;
+      // ideally we'd wait until .then is called on p before subscribing,
+      // but the current Promise API doesn't give us a way to discover
+      // this, so we must subscribe right away. If we were using Vows or
+      // some other then-able, we could just hook then() to notify us.
+      if (importedPromises) {
+        // leave the subscribe() up to dispatch.notify()
+        importedPromises.add(slot);
       } else {
-        Fail`unrecognized slot type '${type}'`;
+        // probably in dispatch.deliver(), so subscribe now
+        syscall.subscribe(slot);
       }
+    } else if (type === 'device') {
+      !allocatedByVat || Fail`unexpected device ${slot} allocated by vat`;
+      val = makeDeviceNode(slot, iface);
+      importedDevices.add(val);
+    } else {
+      Fail`unrecognized slot type '${type}'`;
     }
     registerValue(baseRef, val, facet !== undefined);
     if (!result) {
@@ -792,7 +646,25 @@ function build(
     meterControl.assertNotMetered();
     const { type } = parseVatSlot(slot);
     type === 'promise' || Fail`revivePromise called on non-promise ${slot}`;
-    !getValForSlot(slot) || Fail`revivePromise called on pre-existing ${slot}`;
+    const val = getValForSlot(slot);
+    if (val) {
+      // revivePromise is only called by loadWatchedPromiseTable, which runs
+      // after buildRootObject(), which is given the deserialized vatParameters.
+      // The only way revivePromise() might encounter a pre-existing vpid is if
+      // these vatParameters include a promise that the previous incarnation
+      // watched, but that `buildRootObject` in the new incarnation didn't
+      // explicitly watch again. This can be either a previously imported
+      // promise, or a promise the previous incarnation exported, regardless of
+      // who the decider now is.
+      //
+      // In that case convertSlotToVal() has already deserialized the vpid, but
+      // since `buildRootObject` didn't explicitely call watchPromise on it, no
+      // registration exists so loadWatchedPromiseTable attempts to revive the
+      // promise.
+      return val;
+    }
+    // NOTE: it is important that this code not do anything *more*
+    // than what convertSlotToVal(vpid) would do
     const pRec = makePipelinablePromise(slot);
     importedVPIDs.set(slot, pRec);
     const p = pRec.promise;
@@ -1341,6 +1213,7 @@ function build(
   const inescapableGlobalProperties = harden({
     WeakMap: vom.VirtualObjectAwareWeakMap,
     WeakSet: vom.VirtualObjectAwareWeakSet,
+    [PassStyleOfEndowmentSymbol]: passStyleOf,
   });
 
   function getRetentionStats() {
@@ -1520,16 +1393,15 @@ function build(
   // metered
   const unmeteredDispatch = meterControl.unmetered(dispatchToUserspace);
 
-  async function bringOutYourDead() {
-    await scanForDeadObjects();
-    // Now flush all the vatstore changes (deletions and refcounts) we
-    // made. dispatch() calls afterDispatchActions() automatically for
-    // most methods, but not bringOutYourDead().
-    // eslint-disable-next-line no-use-before-define
-    afterDispatchActions();
-    // XXX TODO: make this conditional on a config setting
-    return getRetentionStats();
-  }
+  const { scanForDeadObjects } = makeBOYDKit({
+    gcTools,
+    slotToVal,
+    vrm,
+    kernelRecognizableRemotables,
+    syscall,
+    possiblyDeadSet,
+    possiblyRetiredSet,
+  });
 
   /**
    * @param { import('./types.js').SwingSetCapData } _disconnectObjectCapData
@@ -1549,6 +1421,16 @@ function build(
     vom.flushStateCache();
   }
 
+  const bringOutYourDead = async () => {
+    await scanForDeadObjects();
+    // Now flush all the vatstore changes (deletions and refcounts) we
+    // made. dispatch() calls afterDispatchActions() automatically for
+    // most methods, but not bringOutYourDead().
+    afterDispatchActions();
+    // XXX TODO: make this conditional on a config setting
+    return getRetentionStats();
+  };
+
   /**
    * This 'dispatch' function is the entry point for the vat as a whole: the
    * vat-worker supervisor gives us VatDeliveryObjects (like
@@ -1595,12 +1477,10 @@ function build(
     } else if (delivery[0] === 'stopVat') {
       return meterControl.runWithoutMeteringAsync(() => stopVat(delivery[1]));
     } else {
-      let complete = false;
       // Start user code running, record any internal liveslots errors. We do
       // *not* directly wait for the userspace function to complete, nor for
       // any promise it returns to fire.
       const p = Promise.resolve(delivery).then(unmeteredDispatch);
-      void p.finally(() => (complete = true));
 
       // Instead, we wait for userspace to become idle by draining the
       // promise queue. We clean up and then examine/return 'p' so any
@@ -1611,10 +1491,11 @@ function build(
       return gcTools.waitUntilQuiescent().then(() => {
         afterDispatchActions();
         // eslint-disable-next-line prefer-promise-reject-errors
-        return complete ? p : Promise.reject('buildRootObject unresolved');
+        return Promise.race([p, Promise.reject('buildRootObject unresolved')]);
         // the only delivery that pays attention to a user-provided
         // Promise is startVat, so the error message is specialized to
-        // the only user problem that could cause complete===false
+        // the only user problem that could cause the promise to not be
+        // settled.
       });
     }
   }

package/src/message.js

@@ -1,4 +1,4 @@
-import { assert, Fail } from '@agoric/assert';
+import { assert, Fail } from '@endo/errors';
 import { insistCapData } from './capdata.js';
 
 /**

package/src/parseVatSlots.js

@@ -1,5 +1,5 @@
 import { Nat } from '@endo/nat';
-import { assert, Fail } from '@agoric/assert';
+import { assert, Fail } from '@endo/errors';
 
 // NOTE: confusing terminology: "slot" vs. "reference".  All these things
 // called "slots" are references, but the word "slot" suggests something into

package/src/vatDataTypes.d.ts

@@ -14,6 +14,7 @@ import type {
 } from '@agoric/store';
 import type { Amplify, IsInstance, ReceivePower, StateShape } from '@endo/exo';
 import type { RemotableObject } from '@endo/pass-style';
+import type { RemotableBrand } from '@endo/eventual-send';
 import type { InterfaceGuard, Pattern } from '@endo/patterns';
 import type { makeWatchedPromiseManager } from './watchedPromises.js';
 
@@ -38,9 +39,13 @@ type OmitFirstArg<F> = F extends (x: any, ...args: infer P) => infer R
   ? (...args: P) => R
   : never;
 
-export type KindFacet<O> = RemotableObject & {
+// The type of a passable local object with methods.
+// An internal helper to avoid having to repeat `O`.
+type PrimaryRemotable<O> = O & RemotableObject & RemotableBrand<{}, O>;
+
+export type KindFacet<O> = PrimaryRemotable<{
   [K in keyof O]: OmitFirstArg<O[K]>; // omit the 'context' parameter
-};
+}>;
 
 export type KindFacets<B> = {
   [FacetKey in keyof B]: KindFacet<B[FacetKey]>;

package/src/virtualObjectManager.js

@@ -2,12 +2,7 @@
 /* eslint-disable no-use-before-define, jsdoc/require-returns-type */
 
 import { environmentOptionsListHas } from '@endo/env-options';
-import {
-  assert,
-  throwRedacted as Fail,
-  quote as q,
-  bare as b,
-} from '@endo/errors';
+import { assert, Fail, q, b } from '@endo/errors';
 import { assertPattern, mustMatch } from '@agoric/store';
 import { defendPrototype, defendPrototypeKit } from '@endo/exo/tools.js';
 import { Far, passStyleOf } from '@endo/marshal';