@agoric/swingset-vat 0.33.0-u17.1 → 0.33.0-u18.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agoric/swingset-vat",
-  "version": "0.33.0-u17.1",
+  "version": "0.33.0-u18.1",
   "description": "Vat/Container Launcher",
   "type": "module",
   "main": "src/index.js",
@@ -27,34 +27,33 @@
     "@types/yargs-parser": "^21.0.0"
   },
   "dependencies": {
-    "@agoric/internal": "^0.4.0-u17.1",
-    "@agoric/kmarshal": "^0.1.1-u17.1",
-    "@agoric/store": "^0.9.3-u17.1",
-    "@agoric/swing-store": "^0.9.2-u17.1",
-    "@agoric/swingset-liveslots": "^0.10.3-u17.1",
-    "@agoric/swingset-xsnap-supervisor": "^0.10.3-u17.1",
-    "@agoric/time": "^0.3.3-u17.1",
-    "@agoric/vat-data": "^0.5.3-u17.1",
-    "@agoric/xsnap": "^0.14.3-u17.1",
-    "@agoric/xsnap-lockdown": "^0.14.1-u17.1",
-    "@endo/base64": "^1.0.7",
-    "@endo/bundle-source": "^3.4.0",
-    "@endo/captp": "^4.3.0",
-    "@endo/check-bundle": "^1.0.9",
-    "@endo/compartment-mapper": "^1.2.2",
-    "@endo/errors": "^1.2.5",
-    "@endo/eventual-send": "^1.2.5",
-    "@endo/far": "^1.1.5",
-    "@endo/import-bundle": "^1.2.2",
-    "@endo/init": "^1.1.4",
-    "@endo/marshal": "^1.5.3",
-    "@endo/nat": "^5.0.10",
-    "@endo/pass-style": "^1.4.3",
-    "@endo/patterns": "^1.4.3",
-    "@endo/promise-kit": "^1.1.5",
-    "@endo/ses-ava": "^1.2.5",
-    "@endo/stream": "^1.2.5",
-    "@endo/zip": "^1.0.7",
+    "@agoric/internal": "^0.4.0-u18.1",
+    "@agoric/kmarshal": "^0.1.1-u18.1",
+    "@agoric/store": "^0.9.3-u18.1",
+    "@agoric/swing-store": "^0.10.0-u18.1",
+    "@agoric/swingset-liveslots": "^0.10.3-u18.1",
+    "@agoric/swingset-xsnap-supervisor": "^0.10.3-u18.1",
+    "@agoric/time": "^0.3.3-u18.1",
+    "@agoric/vat-data": "^0.5.3-u18.1",
+    "@agoric/xsnap-lockdown": "^0.14.1-u18.1",
+    "@endo/base64": "^1.0.9",
+    "@endo/bundle-source": "^3.5.0",
+    "@endo/captp": "^4.4.3",
+    "@endo/check-bundle": "^1.0.12",
+    "@endo/compartment-mapper": "^1.4.0",
+    "@endo/errors": "^1.2.8",
+    "@endo/eventual-send": "^1.2.8",
+    "@endo/far": "^1.1.9",
+    "@endo/import-bundle": "^1.3.2",
+    "@endo/init": "^1.1.7",
+    "@endo/marshal": "^1.6.2",
+    "@endo/nat": "^5.0.13",
+    "@endo/pass-style": "^1.4.7",
+    "@endo/patterns": "^1.4.7",
+    "@endo/promise-kit": "^1.1.8",
+    "@endo/ses-ava": "^1.2.8",
+    "@endo/stream": "^1.2.8",
+    "@endo/zip": "^1.0.9",
     "ansi-styles": "^6.2.1",
     "anylogger": "^0.21.0",
     "better-sqlite3": "^9.1.1",
@@ -65,6 +64,7 @@
     "yargs-parser": "^21.1.1"
   },
   "peerDependencies": {
+    "@agoric/xsnap": "^0.14.2",
     "ava": "^5.3.0"
   },
   "files": [
@@ -101,7 +101,7 @@
     "access": "public"
   },
   "typeCoverage": {
-    "atLeast": 75.7
+    "atLeast": 76.28
   },
-  "gitHead": "5259430561693bfcf58516c3ea54123895859708"
+  "gitHead": "f8c45b8a2e29a51522a81a6692af25b2d7f6b50f"
 }

package/src/controller/controller.js

@@ -15,6 +15,7 @@ import { initSwingStore } from '@agoric/swing-store';
 
 import { mustMatch, M } from '@endo/patterns';
 import { checkBundle } from '@endo/check-bundle/lite.js';
+import { deepCopyJsonable } from '@agoric/internal/src/js-utils.js';
 import engineGC from '@agoric/internal/src/lib-nodejs/engine-gc.js';
 import { startSubprocessWorker } from '@agoric/internal/src/lib-nodejs/spawnSubprocessWorker.js';
 import { waitUntilQuiescent } from '@agoric/internal/src/lib-nodejs/waitUntilQuiescent.js';
@@ -263,13 +264,6 @@ export async function makeSwingsetController(
 
   await kernel.start();
 
-  /**
-   * @param {T} x
-   * @returns {T}
-   * @template T
-   */
-  const defensiveCopy = x => JSON.parse(JSON.stringify(x));
-
   /**
    * Validate and install a code bundle.
    *
@@ -304,7 +298,7 @@ export async function makeSwingsetController(
     writeSlogObject,
 
     dump() {
-      return defensiveCopy(kernel.dump());
+      return deepCopyJsonable(kernel.dump());
     },
 
     verboseDebugMode(flag) {
@@ -340,11 +334,11 @@ export async function makeSwingsetController(
     },
 
     getStats() {
-      return defensiveCopy(kernel.getStats());
+      return deepCopyJsonable(kernel.getStats());
     },
 
     getStatus() {
-      return defensiveCopy(kernel.getStatus());
+      return deepCopyJsonable(kernel.getStatus());
     },
 
     getActivityhash() {
@@ -366,6 +360,10 @@ export async function makeSwingsetController(
       return kref;
     },
 
+    kpRegisterInterest(kpid) {
+      return kernel.kpRegisterInterest(kpid);
+    },
+
     kpStatus(kpid) {
       return kernel.kpStatus(kpid);
     },
@@ -384,6 +382,8 @@ export async function makeSwingsetController(
       return kernel.deviceNameToID(deviceName);
     },
 
+    injectQueuedUpgradeEvents: () => kernel.injectQueuedUpgradeEvents(),
+
     /**
      * Queue a method call into the named vat
      *

package/src/controller/initializeKernel.js

@@ -1,5 +1,3 @@
-/* eslint-disable no-use-before-define */
-
 import { assert, Fail } from '@endo/errors';
 import { makeMarshal } from '@endo/marshal';
 import { Far } from '@endo/far';

package/src/controller/initializeSwingset.js

@@ -1,9 +1,9 @@
-/* global process */
+/* eslint-env node */
 import fs from 'fs';
 import path from 'path';
 
-import { assert, Fail } from '@endo/errors';
-import { makeTracer } from '@agoric/internal';
+import { assert, b, Fail } from '@endo/errors';
+import { deepCopyJsonable, makeTracer } from '@agoric/internal';
 import { mustMatch } from '@agoric/store';
 import bundleSource from '@endo/bundle-source';
 import { resolve as resolveModuleSpecifier } from 'import-meta-resolve';
@@ -86,16 +86,6 @@ export async function buildKernelBundles() {
   return harden({ kernel: kernelBundle, ...vdBundles });
 }
 
-function byName(a, b) {
-  if (a.name < b.name) {
-    return -1;
-  }
-  if (a.name > b.name) {
-    return 1;
-  }
-  return 0;
-}
-
 /**
  * Scan a directory for files defining the vats to bootstrap for a swingset, and
  * produce a swingset config object for what was found there.  Looks for files
@@ -126,18 +116,18 @@ export function loadBasedir(basedir, options = {}) {
   const { includeDevDependencies = false, bundleFormat = undefined } = options;
   /** @type { SwingSetConfigDescriptor } */
   const vats = {};
-  const subs = fs.readdirSync(basedir, { withFileTypes: true });
-  subs.sort(byName);
-  for (const dirent of subs) {
-    if (
-      dirent.name.startsWith('vat-') &&
-      dirent.name.endsWith('.js') &&
-      dirent.isFile()
-    ) {
-      const name = dirent.name.slice('vat-'.length, -'.js'.length);
-      const vatSourcePath = path.resolve(basedir, dirent.name);
-      vats[name] = { sourceSpec: vatSourcePath, parameters: {} };
-    }
+  const rVatName = /^vat-(.*)\.js$/s;
+  const files = fs.readdirSync(basedir, { withFileTypes: true });
+  const vatFiles = files.flatMap(dirent => {
+    const file = dirent.name;
+    const m = rVatName.exec(file);
+    return m && dirent.isFile() ? [{ file, label: m[1] }] : [];
+  });
+  // eslint-disable-next-line no-shadow,no-nested-ternary
+  vatFiles.sort((a, b) => (a.label < b.label ? -1 : a.label > b.label ? 1 : 0));
+  for (const { file, label } of vatFiles) {
+    const vatSourcePath = path.resolve(basedir, file);
+    vats[label] = { sourceSpec: vatSourcePath, parameters: {} };
   }
   /** @type {string | void} */
   let bootstrapPath = path.resolve(basedir, 'bootstrap.js');
@@ -185,37 +175,42 @@ async function resolveSpecFromConfig(referrer, specPath) {
 }
 
 /**
- * For each entry in a config descriptor (i.e, `vats`, `bundles`, etc), convert
- * it to normal form: resolve each pathname to a context-insensitive absolute
- * path and make sure it has a `parameters` property if it's supposed to.
+ * Convert each entry in a config descriptor group (`vats`/`bundles`/etc.) to
+ * normal form: resolve each pathname to a context-insensitive absolute path and
+ * run any other appropriate fixup.
  *
- * @param {SwingSetConfigDescriptor | void} desc  The config descriptor to be normalized.
- * @param {string} referrer  The pathname of the file or directory in which the
- * config file was found
- * @param {boolean} expectParameters `true` if the entries should have parameters (for
- *    example, `true` for `vats` but `false` for bundles).
+ * @param {SwingSetConfig} config
+ * @param {'vats' | 'bundles' | 'devices'} groupName
+ * @param {string | undefined} configPath of the containing config file
+ * @param {string} referrer URL
+ * @param {(entry: SwingSetConfigProperties, name?: string) => void} [fixupEntry]
+ *   A function to call on each entry to e.g. add defaults for missing fields
+ *   such as vat `parameters`.
  */
-async function normalizeConfigDescriptor(desc, referrer, expectParameters) {
-  const normalizeSpec = async (entry, key) => {
-    return resolveSpecFromConfig(referrer, entry[key]).then(spec => {
-      fs.existsSync(spec) ||
-        Fail`spec for ${entry[key]} does not exist: ${spec}`;
-      entry[key] = spec;
-    });
+async function normalizeConfigDescriptor(
+  config,
+  groupName,
+  configPath,
+  referrer,
+  fixupEntry,
+) {
+  const normalizeSpec = async (entry, specKey, name) => {
+    const sourcePath = await resolveSpecFromConfig(referrer, entry[specKey]);
+    fs.existsSync(sourcePath) ||
+      Fail`${sourcePath} for ${b(groupName)}[${name}].${b(specKey)} in ${configPath} config file does not exist`;
+    entry[specKey] = sourcePath;
   };
 
   const jobs = [];
+  const desc = config[groupName];
   if (desc) {
-    for (const name of Object.keys(desc)) {
-      const entry = desc[name];
+    for (const [name, entry] of Object.entries(desc)) {
+      fixupEntry?.(entry, name);
       if ('sourceSpec' in entry) {
-        jobs.push(normalizeSpec(entry, 'sourceSpec'));
+        jobs.push(normalizeSpec(entry, 'sourceSpec', name));
       }
       if ('bundleSpec' in entry) {
-        jobs.push(normalizeSpec(entry, 'bundleSpec'));
-      }
-      if (expectParameters && !entry.parameters) {
-        entry.parameters = {};
+        jobs.push(normalizeSpec(entry, 'bundleSpec', name));
       }
     }
   }
@@ -223,27 +218,41 @@ async function normalizeConfigDescriptor(desc, referrer, expectParameters) {
 }
 
 /**
- * Read and parse a swingset config file and return it in normalized form.
- *
- * @param {string} configPath  Path to the config file to be processed
- *
- * @returns {Promise<SwingSetConfig | null>} the contained config object, in normalized form, or null if the
- *    requested config file did not exist.
+ * @param {SwingSetConfig} config
+ * @param {string} [configPath]
+ * @returns {Promise<void>}
+ * @throws {Error} if the config is invalid
+ */
+export async function normalizeConfig(config, configPath) {
+  const base = `file://${process.cwd()}/`;
+  const referrer = configPath
+    ? new URL(configPath, base).href
+    : new URL(base).href;
+  const fixupVat = vat => (vat.parameters ||= {});
+  await Promise.all([
+    normalizeConfigDescriptor(config, 'vats', configPath, referrer, fixupVat),
+    normalizeConfigDescriptor(config, 'bundles', configPath, referrer),
+    // TODO: represent devices
+    // normalizeConfigDescriptor(config, 'devices', configPath, referrer),
+  ]);
+  config.bootstrap ||
+    Fail`no designated bootstrap vat in ${configPath} config file`;
+  (config.vats && config.vats[/** @type {string} */ (config.bootstrap)]) ||
+    Fail`bootstrap vat ${config.bootstrap} not found in ${configPath} config file`;
+}
+
+/**
+ * Read and normalize a swingset config file.
  *
- * @throws {Error} if the file existed but was inaccessible, malformed, or otherwise
- *    invalid.
+ * @param {string} configPath
+ * @returns {Promise<SwingSetConfig | null>} the normalized config,
+ *   or null if the file did not exist
  */
 export async function loadSwingsetConfigFile(configPath) {
   await null;
   try {
     const config = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
-    const referrer = new URL(configPath, `file://${process.cwd()}/`).toString();
-    await normalizeConfigDescriptor(config.vats, referrer, true);
-    await normalizeConfigDescriptor(config.bundles, referrer, false);
-    // await normalizeConfigDescriptor(config.devices, referrer, true); // TODO: represent devices
-    config.bootstrap || Fail`no designated bootstrap vat in ${configPath}`;
-    (config.vats && config.vats[config.bootstrap]) ||
-      Fail`bootstrap vat ${config.bootstrap} not found in ${configPath}`;
+    await normalizeConfig(config, configPath);
     return config;
   } catch (e) {
     console.error(`failed to load ${configPath}`);
@@ -314,7 +323,7 @@ export async function initializeSwingset(
   } = runtimeOptions;
 
   // copy config so we can safely mess with it even if it's shared or hardened
-  config = JSON.parse(JSON.stringify(config));
+  config = deepCopyJsonable(config);
   if (!config.bundles) {
     config.bundles = {};
   }

package/src/controller/upgradeSwingset.js

@@ -1,14 +1,47 @@
+import { Fail } from '@endo/errors';
 import {
   DEFAULT_REAP_DIRT_THRESHOLD_KEY,
   DEFAULT_GC_KREFS_PER_BOYD,
   getAllDynamicVats,
   getAllStaticVats,
+  incrementReferenceCount,
+  readQueue,
 } from '../kernel/state/kernelKeeper.js';
+import { enumeratePrefixedKeys } from '../kernel/state/storageHelper.js';
 
-const upgradeVatV0toV1 = (kvStore, defaultReapDirtThreshold, vatID) => {
-  // This is called, once per vat, when upgradeSwingset migrates from
-  // v0 to v1
+/**
+ * @import {ReapDirtThreshold, RunQueueEvent} from '../types-internal.js';
+ */
+
+/**
+ * Parse a string of decimal digits into a number.
+ *
+ * @param {string} digits
+ * @param {string} label
+ * @returns {number}
+ */
+const mustParseInt = (digits, label) => {
+  assert(
+    digits.match(/^\d+$/),
+    `expected ${label}=${digits} to be a decimal integer`,
+  );
+  return Number(digits);
+};
 
+/**
+ * Called for each vat when upgradeSwingset migrates from v0 to v1.
+ *
+ * @param {KVStore} kvStore
+ * @param {(key: string) => string} getRequired
+ * @param {ReapDirtThreshold} defaultReapDirtThreshold
+ * @param {string} vatID
+ */
+const upgradeVatV0toV1 = (
+  kvStore,
+  getRequired,
+  defaultReapDirtThreshold,
+  vatID,
+) => {
   // schema v0:
   // Each vat has a `vNN.reapInterval` and `vNN.reapCountdown`.
   // vNN.options has a `.reapInterval` property (however it was not
@@ -25,15 +58,10 @@ const upgradeVatV0toV1 = (kvStore, defaultReapDirtThreshold, vatID) => {
   // `defaultReapDirtThreshold`)
 
   const reapDirtKey = `${vatID}.reapDirt`;
-
-  assert(kvStore.has(oldReapIntervalKey), oldReapIntervalKey);
-  assert(kvStore.has(oldReapCountdownKey), oldReapCountdownKey);
   assert(!kvStore.has(reapDirtKey), reapDirtKey);
 
-  const reapIntervalString = kvStore.get(oldReapIntervalKey);
-  const reapCountdownString = kvStore.get(oldReapCountdownKey);
-  assert(reapIntervalString !== undefined);
-  assert(reapCountdownString !== undefined);
+  const reapIntervalString = getRequired(oldReapIntervalKey);
+  const reapCountdownString = getRequired(oldReapCountdownKey);
 
   const intervalIsNever = reapIntervalString === 'never';
   const countdownIsNever = reapCountdownString === 'never';
@@ -54,8 +82,11 @@ const upgradeVatV0toV1 = (kvStore, defaultReapDirtThreshold, vatID) => {
     threshold.never = true;
   } else {
     // deduce delivery count from old countdown values
-    const reapInterval = Number.parseInt(reapIntervalString, 10);
-    const reapCountdown = Number.parseInt(reapCountdownString, 10);
+    const reapInterval = mustParseInt(reapIntervalString, oldReapIntervalKey);
+    const reapCountdown = mustParseInt(
+      reapCountdownString,
+      oldReapCountdownKey,
+    );
     const deliveries = reapInterval - reapCountdown;
     reapDirt.deliveries = Math.max(deliveries, 0); // just in case
     if (reapInterval !== defaultReapDirtThreshold.deliveries) {
@@ -68,7 +99,7 @@ const upgradeVatV0toV1 = (kvStore, defaultReapDirtThreshold, vatID) => {
   kvStore.set(reapDirtKey, JSON.stringify(reapDirt));
 
   // Update options to use the new schema.
-  const options = JSON.parse(kvStore.get(vatOptionsKey));
+  const options = JSON.parse(getRequired(vatOptionsKey));
   delete options.reapInterval;
   options.reapDirtThreshold = threshold;
   kvStore.set(vatOptionsKey, JSON.stringify(options));
@@ -92,16 +123,15 @@ const upgradeVatV0toV1 = (kvStore, defaultReapDirtThreshold, vatID) => {
  * `hostStorage.commit()` afterwards.
  *
  * @param {SwingStoreKernelStorage} kernelStorage
- * @returns {boolean} true if any changes were made
+ * @returns {{ modified: boolean }}
  */
 export const upgradeSwingset = kernelStorage => {
   const { kvStore } = kernelStorage;
-  let modified = false;
-  let vstring = kvStore.get('version');
-  if (vstring === undefined) {
-    vstring = '0';
-  }
-  let version = Number(vstring);
+  /** @type {RunQueueEvent[]} */
+  const upgradeEvents = [];
+  const vstring = kvStore.get('version');
+  const version = Number(vstring) || 0;
+  let newVersion;
 
   /**
    * @param {string} key
@@ -156,11 +186,7 @@ export const upgradeSwingset = kernelStorage => {
     assert(kvStore.has(oldDefaultReapIntervalKey));
     assert(!kvStore.has(DEFAULT_REAP_DIRT_THRESHOLD_KEY));
 
-    /**
-     * @typedef { import('../types-internal.js').ReapDirtThreshold } ReapDirtThreshold
-     */
-
-    /** @type ReapDirtThreshold */
+    /** @type {ReapDirtThreshold} */
     const threshold = {
       deliveries: 'never',
       gcKrefs: 'never',
@@ -169,9 +195,7 @@ export const upgradeSwingset = kernelStorage => {
 
     const oldValue = getRequired(oldDefaultReapIntervalKey);
     if (oldValue !== 'never') {
-      const value = Number.parseInt(oldValue, 10);
-      assert.typeof(value, 'number');
-      threshold.deliveries = value;
+      threshold.deliveries = mustParseInt(oldValue, oldDefaultReapIntervalKey);
       // if BOYD wasn't turned off entirely (eg
       // defaultReapInterval='never', which only happens in unit
       // tests), then pretend we wanted a gcKrefs= threshold all
@@ -186,27 +210,146 @@ export const upgradeSwingset = kernelStorage => {
 
     // now upgrade all vats
     for (const [_name, vatID] of getAllStaticVats(kvStore)) {
-      upgradeVatV0toV1(kvStore, threshold, vatID);
+      upgradeVatV0toV1(kvStore, getRequired, threshold, vatID);
     }
     for (const vatID of getAllDynamicVats(getRequired)) {
-      upgradeVatV0toV1(kvStore, threshold, vatID);
+      upgradeVatV0toV1(kvStore, getRequired, threshold, vatID);
     }
 
-    modified = true;
-    version = 1;
+    newVersion = 1;
   }
 
   if (version < 2) {
     // schema v2: add vats.terminated = []
     assert(!kvStore.has('vats.terminated'));
     kvStore.set('vats.terminated', JSON.stringify([]));
-    modified = true;
-    version = 2;
+    newVersion = 2;
+  }
+
+  if (version < 3) {
+    // v3 means that we've completed remediation for bug #9039
+    console.log(`Starting remediation of bug #9039`);
+
+    // find all terminated vats
+    const terminated = new Set(JSON.parse(getRequired('vats.terminated')));
+
+    // find all live vats
+    const allVatIDs = [];
+    for (const [_name, vatID] of getAllStaticVats(kvStore)) {
+      if (!terminated.has(vatID)) {
+        allVatIDs.push(vatID);
+      }
+    }
+    for (const vatID of getAllDynamicVats(getRequired)) {
+      if (!terminated.has(vatID)) {
+        allVatIDs.push(vatID);
+      }
+    }
+
+    // find all pending notifies
+    const notifies = new Map(); // .get(kpid) = [vatIDs..];
+    for (const name of ['runQueue', 'acceptanceQueue']) {
+      for (const rq of readQueue(name, getRequired)) {
+        if (rq.type === 'notify') {
+          const { vatID, kpid } = rq;
+          assert(vatID);
+          assert(kpid);
+          let vats = notifies.get(kpid);
+          if (!vats) {
+            vats = [];
+            notifies.set(kpid, vats);
+          }
+          vats.push(vatID);
+        }
+      }
+    }
+    console.log(` - pending notifies:`, notifies);
+
+    // cache of known-settled kpids: will grow to num(kpids)
+    const KPIDStatus = new Map();
+    const isSettled = kpid => {
+      if (KPIDStatus.has(kpid)) {
+        return KPIDStatus.get(kpid);
+      }
+      const state = kvStore.get(`${kpid}.state`);
+      // missing state means the kpid is deleted somehow, shouldn't happen
+      state || Fail`${kpid}.state is missing`;
+      const settled = state !== 'unresolved';
+      KPIDStatus.set(kpid, settled);
+      return settled;
+    };
+
+    // walk vNN.c.kpNN for all vats, for each one check the
+    // kpNN.state, for the settled ones check for a pending notify,
+    // record the ones without a pending notify
+
+    const buggyKPIDs = []; // [kpid, vatID]
+    for (const vatID of allVatIDs) {
+      const prefix = `${vatID}.c.`;
+      const len = prefix.length;
+      const ckpPrefix = `${vatID}.c.kp`;
+      for (const key of enumeratePrefixedKeys(kvStore, ckpPrefix)) {
+        const kpid = key.slice(len);
+        if (isSettled(kpid)) {
+          const n = notifies.get(kpid);
+          if (!n || !n.includes(vatID)) {
+            // there is no pending notify
+            buggyKPIDs.push([kpid, vatID]);
+          }
+        }
+      }
+    }
+    console.log(` - found ${buggyKPIDs.length} buggy kpids, enqueueing fixes`);
+
+    // now fix it. The bug means we failed to delete the c-list entry
+    // and decref it back when the promise was rejected. That decref
+    // would have pushed the kpid onto maybeFreeKrefs, which would
+    // have triggered a refcount check at end-of-crank, which might
+    // have deleted the promise records (if nothing else was
+    // referencing the promise, like arguments in messages enqueued to
+    // unresolved promises, or something transient on the
+    // run-queue). Deleting those promise records might have decreffed
+    // krefs in the rejection data (although in general 9039 rejects
+    // those promises with non-slot-bearing DisconnectionObjects).
+    //
+    // To avoid duplicating a lot of kernel code inside this upgrade
+    // handler, we do the simplest possible thing: enqueue a notify to
+    // the upgraded vat for all these leftover promises. The new vat
+    // incarnation will ignore it (they don't recognize the vpid), but
+    // the dispatch.notify() delivery will clear the c-list and decref
+    // the kpid, and will trigger all the usual GC work. Note that
+    // these notifies will be delivered before any activity the host
+    // app might trigger for e.g. a chain upgrade, but they should not
+    // cause userspace-visible behavior (non-slot-bearing rejection
+    // data means no other vat will even get a gc-action delivery:
+    // only the upgraded vat will see anything, and those deliveries
+    // won't make it past liveslots).
+
+    let count = 0;
+    for (const [kpid, vatID] of buggyKPIDs) {
+      // account for the reference to this kpid in upgradeEvents
+      incrementReferenceCount(getRequired, kvStore, kpid, `enq|notify`);
+      upgradeEvents.push({ type: 'notify', vatID, kpid });
+      count += 1;
+    }
+
+    console.log(` - #9039 remediation complete, ${count} notifies to inject`);
+    newVersion = 3;
+  }
+
+  const modified = newVersion !== undefined;
+
+  if (upgradeEvents.length) {
+    assert(modified);
+    // stash until host calls controller.injectQueuedUpgradeEvents()
+    const oldEvents = JSON.parse(kvStore.get('upgradeEvents') || '[]');
+    const events = [...oldEvents, ...upgradeEvents];
+    kvStore.set('upgradeEvents', JSON.stringify(events));
   }
 
   if (modified) {
-    kvStore.set('version', `${version}`);
+    kvStore.set('version', `${newVersion}`);
   }
-  return modified;
+  return harden({ modified });
 };
 harden(upgradeSwingset);

package/src/devices/bridge/device-bridge.js

@@ -1,5 +1,6 @@
 import { Fail } from '@endo/errors';
 import { Far } from '@endo/far';
+import { deepCopyJsonable } from '@agoric/internal/src/js-utils.js';
 
 function sanitize(data) {
   if (data === undefined) {
@@ -8,7 +9,7 @@ function sanitize(data) {
   if (data instanceof Error) {
     data = data.stack;
   }
-  return JSON.parse(JSON.stringify(data));
+  return deepCopyJsonable(data);
 }
 
 /**
@@ -32,7 +33,7 @@ export function buildRootDeviceNode(tools) {
 
   function inboundCallback(...args) {
     inboundHandler || Fail`inboundHandler not yet registered`;
-    const safeArgs = JSON.parse(JSON.stringify(args));
+    const safeArgs = deepCopyJsonable(args);
     try {
       SO(inboundHandler).inbound(...harden(safeArgs));
     } catch (e) {