@agoric/swingset-vat 0.33.0-upgrade-17-dev-ec448b0.0 → 0.33.0-upgrade-18-dev-b9b8db4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agoric/swingset-vat",
-  "version": "0.33.0-upgrade-17-dev-ec448b0.0+ec448b0",
+  "version": "0.33.0-upgrade-18-dev-b9b8db4.0+b9b8db4",
   "description": "Vat/Container Launcher",
   "type": "module",
   "main": "src/index.js",
@@ -27,34 +27,34 @@
     "@types/yargs-parser": "^21.0.0"
   },
   "dependencies": {
-    "@agoric/internal": "0.4.0-upgrade-17-dev-ec448b0.0+ec448b0",
-    "@agoric/kmarshal": "0.1.1-upgrade-17-dev-ec448b0.0+ec448b0",
-    "@agoric/store": "0.9.3-upgrade-17-dev-ec448b0.0+ec448b0",
-    "@agoric/swing-store": "0.9.2-upgrade-17-dev-ec448b0.0+ec448b0",
-    "@agoric/swingset-liveslots": "0.10.3-upgrade-17-dev-ec448b0.0+ec448b0",
-    "@agoric/swingset-xsnap-supervisor": "0.10.3-upgrade-17-dev-ec448b0.0+ec448b0",
-    "@agoric/time": "0.3.3-upgrade-17-dev-ec448b0.0+ec448b0",
-    "@agoric/vat-data": "0.5.3-upgrade-17-dev-ec448b0.0+ec448b0",
-    "@agoric/xsnap": "0.14.3-upgrade-17-dev-ec448b0.0+ec448b0",
-    "@agoric/xsnap-lockdown": "0.14.1-upgrade-17-dev-ec448b0.0+ec448b0",
-    "@endo/base64": "^1.0.7",
-    "@endo/bundle-source": "^3.4.0",
-    "@endo/captp": "^4.3.0",
-    "@endo/check-bundle": "^1.0.9",
-    "@endo/compartment-mapper": "^1.2.2",
-    "@endo/errors": "^1.2.5",
-    "@endo/eventual-send": "^1.2.5",
-    "@endo/far": "^1.1.5",
-    "@endo/import-bundle": "^1.2.2",
-    "@endo/init": "^1.1.4",
-    "@endo/marshal": "^1.5.3",
-    "@endo/nat": "^5.0.10",
-    "@endo/pass-style": "^1.4.3",
-    "@endo/patterns": "^1.4.3",
-    "@endo/promise-kit": "^1.1.5",
-    "@endo/ses-ava": "^1.2.5",
-    "@endo/stream": "^1.2.5",
-    "@endo/zip": "^1.0.7",
+    "@agoric/internal": "0.4.0-upgrade-18-dev-b9b8db4.0+b9b8db4",
+    "@agoric/kmarshal": "0.1.1-upgrade-18-dev-b9b8db4.0+b9b8db4",
+    "@agoric/store": "0.9.3-upgrade-18-dev-b9b8db4.0+b9b8db4",
+    "@agoric/swing-store": "0.10.0-upgrade-18-dev-b9b8db4.0+b9b8db4",
+    "@agoric/swingset-liveslots": "0.10.3-upgrade-18-dev-b9b8db4.0+b9b8db4",
+    "@agoric/swingset-xsnap-supervisor": "0.10.3-upgrade-18-dev-b9b8db4.0+b9b8db4",
+    "@agoric/time": "0.3.3-upgrade-18-dev-b9b8db4.0+b9b8db4",
+    "@agoric/vat-data": "0.5.3-upgrade-18-dev-b9b8db4.0+b9b8db4",
+    "@agoric/xsnap": "0.14.3-upgrade-18-dev-b9b8db4.0+b9b8db4",
+    "@agoric/xsnap-lockdown": "0.14.1-upgrade-18-dev-b9b8db4.0+b9b8db4",
+    "@endo/base64": "^1.0.8",
+    "@endo/bundle-source": "^3.4.2",
+    "@endo/captp": "^4.4.2",
+    "@endo/check-bundle": "^1.0.11",
+    "@endo/compartment-mapper": "^1.3.1",
+    "@endo/errors": "^1.2.7",
+    "@endo/eventual-send": "^1.2.7",
+    "@endo/far": "^1.1.8",
+    "@endo/import-bundle": "^1.3.1",
+    "@endo/init": "^1.1.6",
+    "@endo/marshal": "^1.6.1",
+    "@endo/nat": "^5.0.12",
+    "@endo/pass-style": "^1.4.6",
+    "@endo/patterns": "^1.4.6",
+    "@endo/promise-kit": "^1.1.7",
+    "@endo/ses-ava": "^1.2.7",
+    "@endo/stream": "^1.2.7",
+    "@endo/zip": "^1.0.8",
     "ansi-styles": "^6.2.1",
     "anylogger": "^0.21.0",
     "better-sqlite3": "^9.1.1",
@@ -101,7 +101,7 @@
     "access": "public"
   },
   "typeCoverage": {
-    "atLeast": 75.7
+    "atLeast": 75.82
   },
-  "gitHead": "ec448b081ac21cbe217f210e06f0b8f7989e73d6"
+  "gitHead": "b9b8db4f2cc3926bb71fb9ca516328c30863f246"
 }

package/src/controller/controller.js

@@ -366,6 +366,10 @@ export async function makeSwingsetController(
       return kref;
     },
 
+    kpRegisterInterest(kpid) {
+      return kernel.kpRegisterInterest(kpid);
+    },
+
     kpStatus(kpid) {
       return kernel.kpStatus(kpid);
     },
@@ -384,6 +388,8 @@ export async function makeSwingsetController(
       return kernel.deviceNameToID(deviceName);
     },
 
+    injectQueuedUpgradeEvents: () => kernel.injectQueuedUpgradeEvents(),
+
     /**
      * Queue a method call into the named vat
      *

package/src/controller/initializeSwingset.js

@@ -1,4 +1,4 @@
-/* global process */
+/* eslint-env node */
 import fs from 'fs';
 import path from 'path';
 

package/src/controller/upgradeSwingset.js

@@ -1,9 +1,17 @@
+import { Fail } from '@endo/errors';
 import {
   DEFAULT_REAP_DIRT_THRESHOLD_KEY,
   DEFAULT_GC_KREFS_PER_BOYD,
   getAllDynamicVats,
   getAllStaticVats,
+  incrementReferenceCount,
+  readQueue,
 } from '../kernel/state/kernelKeeper.js';
+import { enumeratePrefixedKeys } from '../kernel/state/storageHelper.js';
+
+/**
+ * @import {RunQueueEvent} from '../types-internal.js';
+ */
 
 const upgradeVatV0toV1 = (kvStore, defaultReapDirtThreshold, vatID) => {
   // This is called, once per vat, when upgradeSwingset migrates from
@@ -92,11 +100,13 @@ const upgradeVatV0toV1 = (kvStore, defaultReapDirtThreshold, vatID) => {
  * `hostStorage.commit()` afterwards.
  *
  * @param {SwingStoreKernelStorage} kernelStorage
- * @returns {boolean} true if any changes were made
+ * @returns {{ modified: boolean }}
  */
 export const upgradeSwingset = kernelStorage => {
   const { kvStore } = kernelStorage;
   let modified = false;
+  /** @type {RunQueueEvent[]} */
+  const upgradeEvents = [];
   let vstring = kvStore.get('version');
   if (vstring === undefined) {
     vstring = '0';
@@ -204,9 +214,129 @@ export const upgradeSwingset = kernelStorage => {
     version = 2;
   }
 
+  if (version < 3) {
+    // v3 means that we've completed remediation for bug #9039
+    console.log(`Starting remediation of bug #9039`);
+
+    // find all terminated vats
+    const terminated = new Set(JSON.parse(getRequired('vats.terminated')));
+
+    // find all live vats
+    const allVatIDs = [];
+    for (const [_name, vatID] of getAllStaticVats(kvStore)) {
+      if (!terminated.has(vatID)) {
+        allVatIDs.push(vatID);
+      }
+    }
+    for (const vatID of getAllDynamicVats(getRequired)) {
+      if (!terminated.has(vatID)) {
+        allVatIDs.push(vatID);
+      }
+    }
+
+    // find all pending notifies
+    const notifies = new Map(); // .get(kpid) = [vatIDs..];
+    for (const name of ['runQueue', 'acceptanceQueue']) {
+      for (const rq of readQueue(name, getRequired)) {
+        if (rq.type === 'notify') {
+          const { vatID, kpid } = rq;
+          assert(vatID);
+          assert(kpid);
+          let vats = notifies.get(kpid);
+          if (!vats) {
+            vats = [];
+            notifies.set(kpid, vats);
+          }
+          vats.push(vatID);
+        }
+      }
+    }
+    console.log(` - pending notifies:`, notifies);
+
+    // cache of known-settled kpids: will grow to num(kpids)
+    const KPIDStatus = new Map();
+    const isSettled = kpid => {
+      if (KPIDStatus.has(kpid)) {
+        return KPIDStatus.get(kpid);
+      }
+      const state = kvStore.get(`${kpid}.state`);
+      // missing state means the kpid is deleted somehow, shouldn't happen
+      state || Fail`${kpid}.state is missing`;
+      const settled = state !== 'unresolved';
+      KPIDStatus.set(kpid, settled);
+      return settled;
+    };
+
+    // walk vNN.c.kpNN for all vats, for each one check the
+    // kpNN.state, for the settled ones check for a pending notify,
+    // record the ones without a pending notify
+
+    const buggyKPIDs = []; // [kpid, vatID]
+    for (const vatID of allVatIDs) {
+      const prefix = `${vatID}.c.`;
+      const len = prefix.length;
+      const ckpPrefix = `${vatID}.c.kp`;
+      for (const key of enumeratePrefixedKeys(kvStore, ckpPrefix)) {
+        const kpid = key.slice(len);
+        if (isSettled(kpid)) {
+          const n = notifies.get(kpid);
+          if (!n || !n.includes(vatID)) {
+            // there is no pending notify
+            buggyKPIDs.push([kpid, vatID]);
+          }
+        }
+      }
+    }
+    console.log(` - found ${buggyKPIDs.length} buggy kpids, enqueueing fixes`);
+
+    // now fix it. The bug means we failed to delete the c-list entry
+    // and decref it back when the promise was rejected. That decref
+    // would have pushed the kpid onto maybeFreeKrefs, which would
+    // have triggered a refcount check at end-of-crank, which might
+    // have deleted the promise records (if nothing else was
+    // referencing the promise, like arguments in messages enqueued to
+    // unresolved promises, or something transient on the
+    // run-queue). Deleting those promise records might have decreffed
+    // krefs in the rejection data (although in general 9039 rejects
+    // those promises with non-slot-bearing DisconnectionObjects).
+    //
+    // To avoid duplicating a lot of kernel code inside this upgrade
+    // handler, we do the simplest possible thing: enqueue a notify to
+    // the upgraded vat for all these leftover promises. The new vat
+    // incarnation will ignore it (they don't recognize the vpid), but
+    // the dispatch.notify() delivery will clear the c-list and decref
+    // the kpid, and will trigger all the usual GC work. Note that
+    // these notifies will be delivered before any activity the host
+    // app might trigger for e.g. a chain upgrade, but they should not
+    // cause userspace-visible behavior (non-slot-bearing rejection
+    // data means no other vat will even get a gc-action delivery:
+    // only the upgraded vat will see anything, and those deliveries
+    // won't make it past liveslots).
+
+    let count = 0;
+    for (const [kpid, vatID] of buggyKPIDs) {
+      // account for the reference to this kpid in upgradeEvents
+      incrementReferenceCount(getRequired, kvStore, kpid, `enq|notify`);
+      upgradeEvents.push({ type: 'notify', vatID, kpid });
+      count += 1;
+    }
+
+    console.log(` - #9039 remediation complete, ${count} notifies to inject`);
+    modified = true;
+    version = 3;
+  }
+
+  if (upgradeEvents.length) {
+    assert(modified);
+    // stash until host calls controller.injectQueuedUpgradeEvents()
+    const oldEvents = JSON.parse(kvStore.get('upgradeEvents') || '[]');
+    const events = [...oldEvents, ...upgradeEvents];
+    kvStore.set('upgradeEvents', JSON.stringify(events));
+  }
+
   if (modified) {
     kvStore.set('version', `${version}`);
   }
-  return modified;
+  return harden({ modified });
 };
 harden(upgradeSwingset);

package/src/devices/mailbox/mailbox.js

@@ -71,6 +71,23 @@ import { Nat } from '@endo/nat';
 // replace it with one that tracks which parts of the state have been
 // modified, to build more efficient Merkle proofs.
 
+/**
+ * @typedef {object} Mailbox
+ * @property {bigint} ack
+ * @property {Map<bigint, unknown>} outbox
+ */
+
+/**
+ * @typedef {object} MailboxExport
+ * @property {number} ack
+ * @property {Array<[number, unknown]>} outbox
+ */
+
+/**
+ * @param {MailboxExport} data
+ * @param {Partial<Mailbox>} [inout]
+ * @returns {Mailbox}
+ */
 export function importMailbox(data, inout = {}) {
   const outbox = new Map();
   for (const m of data.outbox) {
@@ -78,10 +95,15 @@ export function importMailbox(data, inout = {}) {
   }
   inout.ack = Nat(data.ack);
   inout.outbox = outbox;
-  return inout;
+  return /** @type {Mailbox} */ (inout);
 }
 
+/**
+ * @param {Mailbox} inout
+ * @returns {MailboxExport}
+ */
 export function exportMailbox(inout) {
+  /** @type {MailboxExport['outbox']} */
   const messages = [];
   for (const [msgnum, body] of inout.outbox) {
     messages.push([Number(msgnum), body]);
@@ -93,64 +115,75 @@ export function exportMailbox(inout) {
   };
 }
 
-export function buildMailboxStateMap(state = harden(new Map())) {
-  function getOrCreatePeer(peer) {
-    if (!state.has(peer)) {
-      const inout = {
-        outbox: harden(new Map()),
-        ack: 0n,
-      };
-      state.set(peer, inout);
-    }
-    return state.get(peer);
+/**
+ * @param {Map<string, Mailbox>} state
+ */
+export function exportMailboxData(state) {
+  /** @type {Record<string, {inboundAck: MailboxExport['ack'], outbox: MailboxExport['outbox']}>} */
+  const data = {};
+  for (const [peer, inout] of state.entries()) {
+    const exported = exportMailbox(inout);
+    data[peer] = {
+      inboundAck: exported.ack,
+      outbox: exported.outbox,
+    };
   }
+  return harden(data);
+}
 
-  function add(peer, msgnum, body) {
-    getOrCreatePeer(`${peer}`).outbox.set(Nat(msgnum), `${body}`);
+function getOrCreatePeer(state, peer) {
+  if (!state.has(peer)) {
+    const inout = {
+      outbox: harden(new Map()),
+      ack: 0n,
+    };
+    state.set(peer, inout);
   }
+  return state.get(peer);
+}
 
-  function remove(peer, msgnum) {
-    const messages = getOrCreatePeer(`${peer}`).outbox;
-    messages.delete(Nat(msgnum));
+/**
+ * @param {ReturnType<exportMailboxData>} data
+ * @returns {Map<string, Mailbox>}
+ */
+export function makeEphemeralMailboxStorage(data) {
+  const state = harden(new Map());
+  for (const peer of Object.getOwnPropertyNames(data)) {
+    const inout = getOrCreatePeer(state, peer);
+    const d = data[peer];
+    importMailbox(
+      {
+        ack: d.inboundAck,
+        outbox: d.outbox,
+      },
+      inout,
+    );
   }
+  return state;
+}
 
-  function setAcknum(peer, msgnum) {
-    getOrCreatePeer(`${peer}`).ack = Nat(msgnum);
+/**
+ * @template [T=unknown]
+ * @param {Pick<Map<string, T>, 'has' | 'get'> & {set: (key: string, value: T) => void}} [state]
+ */
+export function buildMailboxStateMap(state = harden(new Map())) {
+  function add(peer, msgnum, body) {
+    getOrCreatePeer(state, `${peer}`).outbox.set(Nat(msgnum), `${body}`);
   }
 
-  function exportToData() {
-    const data = {};
-    for (const [peer, inout] of state.entries()) {
-      const exported = exportMailbox(inout);
-      data[peer] = {
-        inboundAck: exported.ack,
-        outbox: exported.outbox,
-      };
-    }
-    return harden(data);
+  function remove(peer, msgnum) {
+    const messages = getOrCreatePeer(state, `${peer}`).outbox;
+    messages.delete(Nat(msgnum));
   }
 
-  function populateFromData(data) {
-    !state.size || Fail`cannot populateFromData: outbox is not empty`;
-    for (const peer of Object.getOwnPropertyNames(data)) {
-      const inout = getOrCreatePeer(peer);
-      const d = data[peer];
-      importMailbox(
-        {
-          ack: d.inboundAck,
-          outbox: d.outbox,
-        },
-        inout,
-      );
-    }
+  function setAcknum(peer, msgnum) {
+    getOrCreatePeer(state, `${peer}`).ack = Nat(msgnum);
   }
 
   return harden({
     add,
     remove,
     setAcknum,
-    exportToData,
-    populateFromData,
   });
 }
 

package/src/index.js

@@ -13,6 +13,8 @@ export { upgradeSwingset } from './controller/upgradeSwingset.js';
 export {
   buildMailboxStateMap,
   buildMailbox,
+  exportMailboxData,
+  makeEphemeralMailboxStorage,
 } from './devices/mailbox/mailbox.js';
 export { buildTimer } from './devices/timer/timer.js';
 export { buildBridge } from './devices/bridge/bridge.js';

package/src/kernel/deviceTranslator.js

@@ -69,7 +69,7 @@ function makeDRTranslator(deviceID, kernelKeeper) {
  *
  * @param {string} deviceID
  * @param {string} deviceName
- * @param {*} kernelKeeper
+ * @param {KernelKeeper} kernelKeeper
  * @returns {(dsc: DeviceSyscallObject) => KernelSyscallObject}
  */
 export function makeDSTranslator(deviceID, deviceName, kernelKeeper) {

package/src/kernel/gc-actions.js

@@ -45,7 +45,7 @@ function parseAction(s) {
 }
 
 /**
- * @param {*} kernelKeeper
+ * @param {KernelKeeper} kernelKeeper
  * @returns {import('../types-internal.js').RunQueueEvent | undefined}
  */
 export function processGCActionSet(kernelKeeper) {
@@ -86,10 +86,9 @@ export function processGCActionSet(kernelKeeper) {
     const hasCList = vatKeeper.hasCListEntry(kref);
     const isReachable = hasCList ? vatKeeper.getReachableFlag(kref) : undefined;
     const exists = kernelKeeper.kernelObjectExists(kref);
-    // @ts-expect-error xxx
     const { reachable, recognizable } = exists
       ? kernelKeeper.getObjectRefCount(kref)
-      : {};
+      : { reachable: 0, recognizable: 0 };
 
     if (type === 'dropExport') {
       if (!exists) return false; // already, shouldn't happen

package/src/kernel/kernel.js

@@ -39,8 +39,10 @@ import { makeDeviceTranslators } from './deviceTranslator.js';
 import { notifyTermination } from './notifyTermination.js';
 import { makeVatAdminHooks } from './vat-admin-hooks.js';
 
-/** @import * as liveslots from '@agoric/swingset-liveslots' */
-/** @import {PolicyInputCleanupCounts} from '../types-external.js' */
+/**
+ * @import {MeterConsumption, VatDeliveryObject, VatDeliveryResult, VatSyscallObject, VatSyscallResult} from '@agoric/swingset-liveslots';
+ * @import {PolicyInputCleanupCounts} from '../types-external.js';
+ */
 
 function abbreviateReplacer(_, arg) {
   if (typeof arg === 'bigint') {
@@ -56,7 +58,7 @@ function abbreviateReplacer(_, arg) {
 /**
  * Provide the kref of a vat's root object, as if it had been exported.
  *
- * @param {*} kernelKeeper  Kernel keeper managing persistent kernel state.
+ * @param {KernelKeeper} kernelKeeper  Kernel keeper managing persistent kernel state.
  * @param {string} vatID  Vat ID of the vat whose root kref is sought.
  *
  * @returns {string} the kref of the root object of the given vat.
@@ -213,6 +215,10 @@ export default function buildKernel(
     return deviceID;
   }
 
+  function injectQueuedUpgradeEvents() {
+    kernelKeeper.injectQueuedUpgradeEvents();
+  }
+
   function addImport(forVatID, what) {
     if (!started) {
       throw Error('must do kernel.start() before addImport()');
@@ -285,15 +291,16 @@ export default function buildKernel(
       const vatKeeper = kernelKeeper.provideVatKeeper(vatID);
       critical = vatKeeper.getOptions().critical;
 
-      // Reject all promises decided by the vat, making sure to capture the list
-      // of kpids before that data is deleted.
-      const deadPromises = [...kernelKeeper.enumeratePromisesByDecider(vatID)];
-      // remove vatID from the list of live vats, and mark for deletion
+      // remove vatID from the list of live vats, and mark for
+      // deletion (which will happen later, in vat-cleanup events)
       kernelKeeper.deleteVatID(vatID);
       kernelKeeper.markVatAsTerminated(vatID);
       deferred.push(kernelKeeper.removeVatFromSwingStoreExports(vatID));
-      for (const kpid of deadPromises) {
-        resolveToError(kpid, makeError('vat terminated'), vatID);
+
+      // Reject all promises decided by the vat
+      const errdata = makeError('vat terminated');
+      for (const [kpid, _p] of kernelKeeper.enumeratePromisesByDecider(vatID)) {
+        resolveToError(kpid, errdata, vatID);
       }
     }
     if (critical) {
@@ -380,7 +387,6 @@ export default function buildKernel(
 
   /**
    *
-   * @typedef { import('@agoric/swingset-liveslots').MeterConsumption } MeterConsumption
    * @typedef { import('../types-internal.js').MeterID } MeterID
    * @typedef { import('../types-internal.js').Dirt } Dirt
    *
@@ -416,7 +422,7 @@ export default function buildKernel(
    *
    * @param {VatID} vatID
    * @param {KernelDeliveryObject} kd
-   * @param {liveslots.VatDeliveryObject} vd
+   * @param {VatDeliveryObject} vd
    */
   async function deliverAndLogToVat(vatID, kd, vd) {
     vatRequestedTermination = undefined;
@@ -426,7 +432,7 @@ export default function buildKernel(
     const vs = kernelSlog.provideVatSlogger(vatID).vatSlog;
     await null;
     try {
-      /** @type { liveslots.VatDeliveryResult } */
+      /** @type { VatDeliveryResult } */
       const deliveryResult = await vatWarehouse.deliverToVat(vatID, kd, vd, vs);
       insistVatDeliveryResult(deliveryResult);
       // const [ ok, problem, usage ] = deliveryResult;
@@ -596,7 +602,9 @@ export default function buildKernel(
     const p = kernelKeeper.getKernelPromise(kpid);
     kernelKeeper.incStat('dispatchNotify');
     const vatKeeper = kernelKeeper.provideVatKeeper(vatID);
-    p.state !== 'unresolved' || Fail`spurious notification ${kpid}`;
+    if (p.state === 'unresolved') {
+      throw Fail`spurious notification ${kpid}`;
+    }
     /** @type { KernelDeliveryOneNotify[] } */
     const resolutions = [];
     if (!vatKeeper.hasCListEntry(kpid)) {
@@ -611,7 +619,9 @@ export default function buildKernel(
       return NO_DELIVERY_CRANK_RESULTS;
     }
     for (const toResolve of targets) {
-      const { state, data } = kernelKeeper.getKernelPromise(toResolve);
+      const tp = kernelKeeper.getKernelPromise(toResolve);
+      assert(tp.state !== 'unresolved');
+      const { state, data } = tp;
       resolutions.push([toResolve, { state, data }]);
     }
     /** @type { KernelDeliveryNotify } */
@@ -700,6 +710,7 @@ export default function buildKernel(
       total:
         work.exports +
         work.imports +
+        work.promises +
         work.kv +
         work.snapshots +
         work.transcripts,
@@ -741,6 +752,8 @@ export default function buildKernel(
       kdebug(`vat ${vatID} terminated before startVat delivered`);
       return NO_DELIVERY_CRANK_RESULTS;
     }
+    const vatKeeper = kernelKeeper.provideVatKeeper(vatID);
+    vatKeeper.setVatParameters(vatParameters);
     const { meterID } = vatInfo;
     /** @type { KernelDeliveryStartVat } */
     const kd = harden(['startVat', vatParameters]);
@@ -994,9 +1007,30 @@ export default function buildKernel(
       return results;
     }
 
-    // reject all promises for which the vat was decider
-    for (const kpid of kernelKeeper.enumeratePromisesByDecider(vatID)) {
-      resolveToError(kpid, disconnectionCapData, vatID);
+    // We are homesick for a future in which most promises are
+    // durable, and vats do not need to subscribe to their own
+    // promises to make promise-watchers work. In that world, vats
+    // somehow mark the non-durable promises, which we must
+    // reject/disconnect on their behalf during upgrade.
+    //
+    // To handle the present reality, without durable promises, we
+    // pretend that all promises are so marked.
+
+    // reject all ephemeral promises for which the vat was decider
+    for (const [kpid, p] of kernelKeeper.enumeratePromisesByDecider(vatID)) {
+      const isEphemeral = true; // future vats will mark these explicitly
+      const selfSubscribed =
+        p.state === 'unresolved' && p.subscribers.includes(vatID);
+      if (isEphemeral) {
+        resolveToError(kpid, disconnectionCapData, vatID);
+        if (!selfSubscribed) {
+          // If the vat was subscribed to its own promise, the
+          // resolveToError will enqueue a dispatch.notify, whose delivery
+          // will delete the c-list entry. If it is *not* subscribed, we
+          // should delete the c-list entry now, because nobody else will.
+          vatKeeper.deleteCListEntriesForKernelSlots([kpid]);
+        }
+      }
     }
 
     // simulate an abandonExports syscall from the vat,
@@ -1020,6 +1054,7 @@ export default function buildKernel(
     });
     const vatOptions = harden({ ...origOptions, workerOptions });
     vatKeeper.setSourceAndOptions(source, vatOptions);
+    vatKeeper.setVatParameters(vatParameters);
     // TODO: decref the bundleID once setSourceAndOptions increfs it
 
     // pause, take a deep breath, appreciate this moment of silence
@@ -1185,6 +1220,7 @@ export default function buildKernel(
         }
       }
       default:
+        // @ts-expect-error
         throw Fail`unknown promise resolution '${kp.state}'`;
     }
   }
@@ -1542,8 +1578,8 @@ export default function buildKernel(
     // not
     /**
      *
-     * @param {liveslots.VatSyscallObject} vatSyscallObject
-     * @returns {liveslots.VatSyscallResult}
+     * @param {VatSyscallObject} vatSyscallObject
+     * @returns {VatSyscallResult}
      */
     function vatSyscallHandler(vatSyscallObject) {
       if (!vatWarehouse.lookup(vatID)) {
@@ -1558,7 +1594,7 @@ export default function buildKernel(
       let ksc;
       /** @type { KernelSyscallResult } */
       let kres = harden(['error', 'incomplete']);
-      /** @type { liveslots.VatSyscallResult } */
+      /** @type { VatSyscallResult } */
       let vres = harden(['error', 'incomplete']);
 
       try {
@@ -1819,6 +1855,7 @@ export default function buildKernel(
       {
         exports: M.number(),
         imports: M.number(),
+        promises: M.number(),
         kv: M.number(),
         snapshots: M.number(),
         transcripts: M.number(),
@@ -2080,6 +2117,7 @@ export default function buildKernel(
         return p.data;
       }
       default: {
+        // @ts-expect-error
         throw Fail`invalid state for ${kpid}: ${p.state}`;
       }
     }
@@ -2178,6 +2216,7 @@ export default function buildKernel(
     pinObject,
     vatNameToID,
     deviceNameToID,
+    injectQueuedUpgradeEvents,
     queueToKref,
     kpRegisterInterest,
     kpStatus,

package/src/kernel/state/kernelKeeper.js

@@ -45,14 +45,16 @@ const enableKernelGC = true;
  * @typedef { import('../../types-external.js').VatKeeper } VatKeeper
  * @typedef { import('../../types-internal.js').InternalKernelOptions } InternalKernelOptions
  * @typedef { import('../../types-internal.js').ReapDirtThreshold } ReapDirtThreshold
+ * @import {PromiseRecord} from '../../types-internal.js';
  * @import {CleanupBudget, CleanupWork, PolicyOutputCleanupBudget} from '../../types-external.js';
  * @import {RunQueueEventCleanupTerminatedVat} from '../../types-internal.js';
+ * @import {SwingStoreKernelStorage} from '@agoric/swing-store';
  */
 
 export { DEFAULT_REAP_DIRT_THRESHOLD_KEY };
 
 // most recent DB schema version
-export const CURRENT_SCHEMA_VERSION = 2;
+export const CURRENT_SCHEMA_VERSION = 3;
 
 // Kernel state lives in a key-value store supporting key retrieval by
 // lexicographic range. All keys and values are strings.
@@ -71,9 +73,9 @@ export const CURRENT_SCHEMA_VERSION = 2;
 // only modified by a call to upgradeSwingset(). See below for
 // deltas/upgrades from one version to the next.
 //
-// The current ("v2") schema keys/values are:
+// The current ("v3") schema keys/values are:
 //
-// version = '2'
+// version = '3'
 // vat.names = JSON([names..])
 // vat.dynamicIDs = JSON([vatIDs..])
 // vat.name.$NAME = $vatID = v$NN
@@ -117,6 +119,8 @@ export const CURRENT_SCHEMA_VERSION = 2;
 // old (v0): v$NN.reapCountdown = $NN or 'never'
 // v$NN.reapDirt = JSON({ deliveries, gcKrefs, computrons }) // missing keys treated as zero
 // (leave room for v$NN.snapshotDirt and options.snapshotDirtThreshold for #6786)
+// v$NN.vatParameters = JSON(capdata) // missing for vats created/upgraded before #8947
+//
 // exclude from consensus
 // local.*
 
@@ -141,6 +145,7 @@ export const CURRENT_SCHEMA_VERSION = 2;
 // gcActions = JSON(gcActions)
 // reapQueue = JSON([vatIDs...])
 // pinnedObjects = ko$NN[,ko$NN..]
+// upgradeEvents = JSON([events..])
 
 // ko.nextID = $NN
 // ko$NN.owner = $vatID
@@ -177,7 +182,13 @@ export const CURRENT_SCHEMA_VERSION = 2;
 // v2:
 //   * change `version` to `'2'`
 //   * add `vats.terminated` with `[]` as initial value
+// v3:
+//   * change `version` to `'3'`
+//   * perform remediation for bug #9039
+// (after v3, does not get its own version)
+//   * `upgradeEvents` recognized, but omitted if empty
 
+/** @type {(s: string) => string[]} s */
 export function commaSplit(s) {
   if (s === '') {
     return [];
@@ -211,6 +222,77 @@ export const getAllDynamicVats = getRequired => {
   return JSON.parse(getRequired('vat.dynamicIDs'));
 };
 
+const getObjectReferenceCount = (kvStore, kref) => {
+  const data = kvStore.get(`${kref}.refCount`);
+  if (!data) {
+    return { reachable: 0, recognizable: 0 };
+  }
+  const [reachable, recognizable] = commaSplit(data).map(Number);
+  reachable <= recognizable ||
+    Fail`refmismatch(get) ${kref} ${reachable},${recognizable}`;
+  return { reachable, recognizable };
+};
+
+const setObjectReferenceCount = (kvStore, kref, counts) => {
+  const { reachable, recognizable } = counts;
+  assert.typeof(reachable, 'number');
+  assert.typeof(recognizable, 'number');
+  (reachable >= 0 && recognizable >= 0) ||
+    Fail`${kref} underflow ${reachable},${recognizable}`;
+  reachable <= recognizable ||
+    Fail`refmismatch(set) ${kref} ${reachable},${recognizable}`;
+  kvStore.set(`${kref}.refCount`, `${reachable},${recognizable}`);
+};
+
+/**
+ * Increment the reference count associated with some kernel object.
+ *
+ * We track references to promises and objects, but not devices. Promises
+ * have only a "reachable" count, whereas objects track both "reachable"
+ * and "recognizable" counts.
+ *
+ * @param { (key: string) => string} getRequired
+ * @param { import('@agoric/swing-store').KVStore } kvStore
+ * @param {string} kref  The kernel slot whose refcount is to be incremented.
+ * @param {string?} tag  Debugging note with rough source of the reference.
+ * @param {{ isExport?: boolean, onlyRecognizable?: boolean }} options
+ * 'isExport' means the reference comes from a clist export, which counts
+ * for promises but not objects. 'onlyRecognizable' means the reference
+ * provides only recognition, not reachability
+ */
+export const incrementReferenceCount = (
+  getRequired,
+  kvStore,
+  kref,
+  tag,
+  options = {},
+) => {
+  const { isExport = false, onlyRecognizable = false } = options;
+  kref || Fail`incrementRefCount called with empty kref, tag=${tag}`;
+  const { type } = parseKernelSlot(kref);
+  if (type === 'promise') {
+    const refCount = Number(getRequired(`${kref}.refCount`)) + 1;
+    // kdebug(`++ ${kref}  ${tag} ${refCount}`);
+    kvStore.set(`${kref}.refCount`, `${refCount}`);
+  }
+  if (type === 'object' && !isExport) {
+    let { reachable, recognizable } = getObjectReferenceCount(kvStore, kref);
+    if (!onlyRecognizable) {
+      reachable += 1;
+    }
+    recognizable += 1;
+    // kdebug(`++ ${kref}  ${tag} ${reachable},${recognizable}`);
+    setObjectReferenceCount(kvStore, kref, { reachable, recognizable });
+  }
+};
+
+export function* readQueue(queue, getRequired) {
+  const [head, tail] = JSON.parse(getRequired(`${queue}`));
+  for (let i = head; i < tail; i += 1) {
+    yield JSON.parse(getRequired(`${queue}.${i}`));
+  }
+}
+
 // we use different starting index values for the various vNN/koNN/kdNN/kpNN
 // slots, to reduce confusing overlap when looking at debug messages (e.g.
 // seeing both kp1 and ko1, which are completely unrelated despite having the
@@ -388,14 +470,7 @@ export default function makeKernelKeeper(
     return tail - head;
   }
 
-  function dumpQueue(queue) {
-    const [head, tail] = JSON.parse(getRequired(`${queue}`));
-    const result = [];
-    for (let i = head; i < tail; i += 1) {
-      result.push(JSON.parse(getRequired(`${queue}.${i}`)));
-    }
-    return result;
-  }
+  const dumpQueue = queue => [...readQueue(queue, getRequired)];
 
   /**
    * @param {InternalKernelOptions} kernelOptions
@@ -619,26 +694,9 @@ export default function makeKernelKeeper(
     return parseReachableAndVatSlot(kvStore.get(kernelKey));
   }
 
-  function getObjectRefCount(kernelSlot) {
-    const data = kvStore.get(`${kernelSlot}.refCount`);
-    if (!data) {
-      return { reachable: 0, recognizable: 0 };
-    }
-    const [reachable, recognizable] = commaSplit(data).map(Number);
-    reachable <= recognizable ||
-      Fail`refmismatch(get) ${kernelSlot} ${reachable},${recognizable}`;
-    return { reachable, recognizable };
-  }
-
-  function setObjectRefCount(kernelSlot, { reachable, recognizable }) {
-    assert.typeof(reachable, 'number');
-    assert.typeof(recognizable, 'number');
-    (reachable >= 0 && recognizable >= 0) ||
-      Fail`${kernelSlot} underflow ${reachable},${recognizable}`;
-    reachable <= recognizable ||
-      Fail`refmismatch(set) ${kernelSlot} ${reachable},${recognizable}`;
-    kvStore.set(`${kernelSlot}.refCount`, `${reachable},${recognizable}`);
-  }
+  const getObjectRefCount = kref => getObjectReferenceCount(kvStore, kref);
+  const setObjectRefCount = (kref, counts) =>
+    setObjectReferenceCount(kvStore, kref, counts);
 
   /**
    * Iterate over non-durable objects exported by a vat.
@@ -790,43 +848,41 @@ export default function makeKernelKeeper(
     return kpid;
   }
 
+  /**
+   * @param {string} kernelSlot
+   * @returns {PromiseRecord}
+   */
   function getKernelPromise(kernelSlot) {
     insistKernelType('promise', kernelSlot);
-    const p = { state: getRequired(`${kernelSlot}.state`) };
-    switch (p.state) {
-      case undefined: {
-        throw Fail`unknown kernelPromise '${kernelSlot}'`;
-      }
+    const state = getRequired(`${kernelSlot}.state`);
+    const refCount = Number(kvStore.get(`${kernelSlot}.refCount`));
+    switch (state) {
       case 'unresolved': {
-        p.refCount = Number(kvStore.get(`${kernelSlot}.refCount`));
-        p.decider = kvStore.get(`${kernelSlot}.decider`);
-        if (p.decider === '') {
-          p.decider = undefined;
-        }
-        p.policy = kvStore.get(`${kernelSlot}.policy`) || 'ignore';
-        p.subscribers = commaSplit(kvStore.get(`${kernelSlot}.subscribers`));
-        p.queue = Array.from(
+        const decider = kvStore.get(`${kernelSlot}.decider`) || undefined;
+        const policy = kvStore.get(`${kernelSlot}.policy`) || 'ignore';
+        const subscribers = commaSplit(
+          kvStore.get(`${kernelSlot}.subscribers`) || '',
+        );
+        const queue = Array.from(
           getPrefixedValues(kvStore, `${kernelSlot}.queue.`),
         ).map(s => JSON.parse(s));
-        break;
+        return harden({ state, refCount, decider, policy, subscribers, queue });
       }
       case 'fulfilled':
       case 'rejected': {
-        p.refCount = Number(kvStore.get(`${kernelSlot}.refCount`));
-        p.data = {
-          body: kvStore.get(`${kernelSlot}.data.body`),
-          slots: commaSplit(kvStore.get(`${kernelSlot}.data.slots`)),
+        const data = {
+          body: getRequired(`${kernelSlot}.data.body`),
+          slots: commaSplit(getRequired(`${kernelSlot}.data.slots`)),
         };
-        for (const s of p.data.slots) {
+        for (const s of data.slots) {
           parseKernelSlot(s);
         }
-        break;
+        return harden({ state, refCount, data });
       }
       default: {
-        throw Fail`unknown state for ${kernelSlot}: ${p.state}`;
+        throw Fail`unknown state for ${kernelSlot}: ${state}`;
       }
     }
-    return harden(p);
   }
 
   function getResolveablePromise(kpid, expectedDecider) {
@@ -835,7 +891,9 @@ export default function makeKernelKeeper(
       insistVatID(expectedDecider);
     }
     const p = getKernelPromise(kpid);
-    p.state === 'unresolved' || Fail`${kpid} was already resolved`;
+    if (p.state !== 'unresolved') {
+      throw Fail`${kpid} was already resolved`;
+    }
     if (expectedDecider) {
       p.decider === expectedDecider ||
         Fail`${kpid} is decided by ${p.decider}, not ${expectedDecider}`;
@@ -894,6 +952,7 @@ export default function makeKernelKeeper(
     // up the resolution *now* and set the correct target early. Doing that
     // might make it easier to remove the Promise Table entry earlier.
     const p = getKernelPromise(kernelSlot);
+    assert.equal(p.state, 'unresolved');
     for (const msg of p.queue) {
       const entry = harden({ type: 'send', target: kernelSlot, msg });
       enqueue('acceptanceQueue', entry);
@@ -964,6 +1023,7 @@ export default function makeKernelKeeper(
     const work = {
       exports: 0,
       imports: 0,
+      promises: 0,
       kv: 0,
       snapshots: 0,
       transcripts: 0,
@@ -988,6 +1048,7 @@ export default function makeKernelKeeper(
     const clistPrefix = `${vatID}.c.`;
     const exportPrefix = `${clistPrefix}o+`;
     const importPrefix = `${clistPrefix}o-`;
+    const promisePrefix = `${clistPrefix}p`;
 
     // Note: ASCII order is "+,-./", and we rely upon this to split the
     // keyspace into the various o+NN/o-NN/etc spaces. If we were using a
@@ -1040,8 +1101,22 @@ export default function makeKernelKeeper(
       }
     }
 
-    // the caller used enumeratePromisesByDecider() before calling us,
-    // so they already know the orphaned promises to reject
+    // The caller used enumeratePromisesByDecider() before calling us,
+    // so they have already rejected the orphan promises, but those
+    // kpids are still present in the dead vat's c-list. Clean those
+    // up now.
+    remaining = budget.promises ?? budget.default;
+    for (const k of enumeratePrefixedKeys(kvStore, promisePrefix)) {
+      const kref = kvStore.get(k) || Fail`getNextKey ensures get`;
+      const vref = stripPrefix(clistPrefix, k);
+      vatKeeper.deleteCListEntry(kref, vref);
+      // that will also delete both db keys
+      work.promises += 1;
+      remaining -= 1;
+      if (remaining <= 0) {
+        return { done: false, work };
+      }
+    }
 
     // now loop back through everything and delete it all
     remaining = budget.kv ?? budget.default;
@@ -1139,18 +1214,22 @@ export default function makeKernelKeeper(
   function setDecider(kpid, decider) {
     insistVatID(decider);
     const p = getKernelPromise(kpid);
-    p.state === 'unresolved' || Fail`${kpid} was already resolved`;
-    !p.decider || Fail`${kpid} has decider ${p.decider}, not empty`;
+    assert.equal(p.state, 'unresolved', `${kpid} was already resolved`);
+    assert(!p.decider, `${kpid} has decider ${p.decider}, not empty`);
     kvStore.set(`${kpid}.decider`, decider);
   }
 
   function clearDecider(kpid) {
     const p = getKernelPromise(kpid);
-    p.state === 'unresolved' || Fail`${kpid} was already resolved`;
-    p.decider || Fail`${kpid} does not have a decider`;
+    assert.equal(p.state, 'unresolved', `${kpid} was already resolved`);
+    assert(p.decider, `${kpid} does not have a decider`);
     kvStore.set(`${kpid}.decider`, '');
   }
 
+  /**
+   * @param {string} vatID
+   * @returns {IterableIterator<[kpid: string, p: PromiseRecord]>}
+   */
   function* enumeratePromisesByDecider(vatID) {
     insistVatID(vatID);
     const promisePrefix = `${vatID}.c.p`;
@@ -1164,10 +1243,10 @@ export default function makeKernelKeeper(
       // whether the vat is the decider or not.  If it is, we add the promise
       // to the list of promises that must be rejected because the dead vat
       // will never be able to act upon them.
-      const kpid = kvStore.get(k);
+      const kpid = getRequired(k);
       const p = getKernelPromise(kpid);
       if (p.state === 'unresolved' && p.decider === vatID) {
-        yield kpid;
+        yield [kpid, p];
       }
     }
   }
@@ -1177,6 +1256,7 @@ export default function makeKernelKeeper(
     insistKernelType('promise', kernelSlot);
     insistVatID(vatID);
     const p = getKernelPromise(kernelSlot);
+    assert.equal(p.state, 'unresolved');
     const s = new Set(p.subscribers);
     s.add(vatID);
     const v = Array.from(s).sort().join(',');
@@ -1207,6 +1287,27 @@ export default function makeKernelKeeper(
     return dequeue('acceptanceQueue');
   }
 
+  function injectQueuedUpgradeEvents() {
+    // refcounts: Any krefs in `upgradeEvents` must have a refcount to
+    // represent the list's hold on those objects. When
+    // upgradeSwingset() creates these events, it must also
+    // incref(kref), otherwise we run the risk of dropping the kref by
+    // the time injectQueuedUpgradeEvents() is called. We're nominally
+    // removing each event from upgradeEvents (decref), then pushing
+    // it onto the run-queue (incref), but since those two cancel each
+    // other out, we don't actually need to modify any reference
+    // counts from within this function. Note that
+    // addToAcceptanceQueue does not increment refcounts, just kernel
+    // queue-length stats.
+
+    const events = JSON.parse(kvStore.get('upgradeEvents') || '[]');
+    kvStore.delete('upgradeEvents');
+    for (const e of events) {
+      assert(e.type, `not an event`);
+      addToAcceptanceQueue(e);
+    }
+  }
+
   function allocateMeter(remaining, threshold) {
     if (remaining !== 'unlimited') {
       assert.typeof(remaining, 'bigint');
@@ -1414,40 +1515,8 @@ export default function makeKernelKeeper(
     maybeFreeKrefs.add(kref);
   }
 
-  /**
-   * Increment the reference count associated with some kernel object.
-   *
-   * We track references to promises and objects, but not devices. Promises
-   * have only a "reachable" count, whereas objects track both "reachable"
-   * and "recognizable" counts.
-   *
-   * @param {unknown} kernelSlot  The kernel slot whose refcount is to be incremented.
-   * @param {string?} tag  Debugging note with rough source of the reference.
-   * @param {{ isExport?: boolean, onlyRecognizable?: boolean }} options
-   * 'isExport' means the reference comes from a clist export, which counts
-   * for promises but not objects. 'onlyRecognizable' means the reference
-   * provides only recognition, not reachability
-   */
-  function incrementRefCount(kernelSlot, tag, options = {}) {
-    const { isExport = false, onlyRecognizable = false } = options;
-    kernelSlot ||
-      Fail`incrementRefCount called with empty kernelSlot, tag=${tag}`;
-    const { type } = parseKernelSlot(kernelSlot);
-    if (type === 'promise') {
-      const refCount = Nat(BigInt(getRequired(`${kernelSlot}.refCount`))) + 1n;
-      // kdebug(`++ ${kernelSlot}  ${tag} ${refCount}`);
-      kvStore.set(`${kernelSlot}.refCount`, `${refCount}`);
-    }
-    if (type === 'object' && !isExport) {
-      let { reachable, recognizable } = getObjectRefCount(kernelSlot);
-      if (!onlyRecognizable) {
-        reachable += 1;
-      }
-      recognizable += 1;
-      // kdebug(`++ ${kernelSlot}  ${tag} ${reachable},${recognizable}`);
-      setObjectRefCount(kernelSlot, { reachable, recognizable });
-    }
-  }
+  const incrementRefCount = (kref, tag, options = {}) =>
+    incrementReferenceCount(getRequired, kvStore, kref, tag, options);
 
   /**
    * Decrement the reference count associated with some kernel object.
@@ -1539,13 +1608,15 @@ export default function makeKernelKeeper(
           const kp = getKernelPromise(kpid);
           if (kp.refCount === 0) {
             let idx = 0;
-            // TODO (#9889) don't assume promise is settled
-            for (const slot of kp.data.slots) {
-              // Note: the following decrement can result in an addition to the
-              // maybeFreeKrefs set, which we are in the midst of iterating.
-              // TC39 went to a lot of trouble to ensure that this is kosher.
-              decrementRefCount(slot, `gc|${kpid}|s${idx}`);
-              idx += 1;
+            if (kp.state === 'fulfilled' || kp.state === 'rejected') {
+              // #9889 don't assume promise is settled
+              for (const slot of kp.data.slots) {
+                // Note: the following decrement can result in an addition to the
+                // maybeFreeKrefs set, which we are in the midst of iterating.
+                // TC39 went to a lot of trouble to ensure that this is kosher.
+                decrementRefCount(slot, `gc|${kpid}|s${idx}`);
+                idx += 1;
+              }
             }
             deleteKernelPromise(kpid);
           }
@@ -1936,6 +2007,8 @@ export default function makeKernelKeeper(
     getAcceptanceQueueLength,
     getNextAcceptanceQueueMsg,
 
+    injectQueuedUpgradeEvents,
+
     allocateMeter,
     addMeterRemaining,
     setMeterThreshold,
@@ -1981,3 +2054,4 @@ export default function makeKernelKeeper(
     dump,
   });
 }
+/** @typedef {ReturnType<typeof makeKernelKeeper>} KernelKeeper */

package/src/kernel/state/vatKeeper.js

@@ -7,6 +7,7 @@ import { isObject } from '@endo/marshal';
 import { parseKernelSlot } from '../parseKernelSlots.js';
 import { makeVatSlot, parseVatSlot } from '../../lib/parseVatSlots.js';
 import { insistVatID } from '../../lib/id.js';
+import { insistCapData } from '../../lib/capdata.js';
 import { kdebug } from '../../lib/kdebug.js';
 import {
   parseReachableAndVatSlot,
@@ -173,6 +174,35 @@ export function makeVatKeeper(
     return harden(options);
   }
 
+  /**
+   * @param {SwingSetCapData} newVPCD
+   */
+  function setVatParameters(newVPCD) {
+    insistCapData(newVPCD);
+    const key = `${vatID}.vatParameters`;
+    // increment-before-decrement to minimize spurious rc=0 checks
+    for (const kref of newVPCD.slots) {
+      incrementRefCount(kref, `${vatID}.vatParameters`);
+    }
+    const old = kvStore.get(key) || '{"slots":[]}';
+    for (const kref of JSON.parse(old).slots) {
+      decrementRefCount(kref, `${vatID}.vatParameters`);
+    }
+    kvStore.set(key, JSON.stringify(newVPCD));
+  }
+
+  /**
+   * @returns {SwingSetCapData | undefined} vpcd
+   */
+  function getVatParameters() {
+    const key = `${vatID}.vatParameters`;
+    const old = kvStore.get(key);
+    if (old) {
+      return JSON.parse(old);
+    }
+    return undefined;
+  }
+
   // This is named "addDirt" because it should increment all dirt
   // counters (both for reap/BOYD and for heap snapshotting). We don't
   // have `heapSnapshotDirt` yet, but when we do, it should get
@@ -768,6 +798,8 @@ export function makeVatKeeper(
     setSourceAndOptions,
     getSourceAndOptions,
     getOptions,
+    setVatParameters,
+    getVatParameters,
     addDirt,
     getReapDirt,
     clearReapDirt,

package/src/kernel/vatTranslator.js

@@ -50,6 +50,7 @@ function makeTranslateKernelDeliveryToVatDelivery(vatID, kernelKeeper) {
       parseVatSlot(targetSlot).allocatedByVat || Fail`deliver() to wrong vat`;
     } else if (type === 'promise') {
       const p = kernelKeeper.getKernelPromise(target);
+      assert(p.state === 'unresolved');
       p.decider === vatID || Fail`wrong decider`;
     }
     const inputSlots = msg.methargs.slots.map(slot =>
@@ -59,7 +60,9 @@ function makeTranslateKernelDeliveryToVatDelivery(vatID, kernelKeeper) {
     if (msg.result) {
       insistKernelType('promise', msg.result);
       const p = kernelKeeper.getKernelPromise(msg.result);
-      p.state === 'unresolved' || Fail`result ${msg.result} already resolved`;
+      if (p.state !== 'unresolved') {
+        throw Fail`result ${msg.result} already resolved`;
+      }
       !p.decider || Fail`result ${msg.result} already has decider ${p.decider}`;
       resultSlot = vatKeeper.mapKernelSlotToVatSlot(msg.result);
       insistVatType('promise', resultSlot);
@@ -318,8 +321,9 @@ function makeTranslateVatSyscallToKernelSyscall(vatID, kernelKeeper) {
       // In the case of non-pipelining vats these checks are redundant since
       // we're guaranteed to have a promise newly allocated by the vat.
       const p = kernelKeeper.getKernelPromise(result);
-      p.state === 'unresolved' ||
-        Fail`send() result ${result} is already resolved`;
+      if (p.state !== 'unresolved') {
+        throw Fail`send() result ${result} is already resolved`;
+      }
       p.decider === vatID ||
         Fail`send() result ${result} is decided by ${p.decider} not ${vatID}`;
       kernelKeeper.clearDecider(result);

package/src/types-external.js

@@ -124,7 +124,7 @@ export {};
  *
  * @typedef { { transcriptCount: number } } VatStats
  * @typedef { ReturnType<typeof import('./kernel/state/vatKeeper.js').makeVatKeeper> } VatKeeper
- * @typedef { ReturnType<typeof import('./kernel/state/kernelKeeper.js').default> } KernelKeeper
+ * @typedef { import('./kernel/state/kernelKeeper.js').KernelKeeper } KernelKeeper
  * @typedef { Awaited<ReturnType<typeof import('@agoric/xsnap').xsnap>> } XSnap
  * @typedef { (dr: VatDeliveryResult) => void } SlogFinishDelivery
  * @typedef { (ksr: KernelSyscallResult, vsr: VatSyscallResult) => void } SlogFinishSyscall
@@ -227,6 +227,7 @@ export {};
  *
  * @typedef { { exports: number,
  *              imports: number,
+ *              promises: number,
  *              kv: number,
  *              snapshots: number,
  *              transcripts: number,
@@ -283,6 +284,13 @@ export {};
  * @property { boolean } [restartWorkerOnSnapshot]     Reload worker immediately upon snapshot creation
  */
 
+/**
+ * @typedef { import('./devices/mailbox/mailbox.js').Mailbox } Mailbox
+ */
+/**
+ * @typedef { import('./devices/mailbox/mailbox.js').MailboxExport } MailboxExport
+ */
+
 /**
  * Vat Creation and Management
  *

package/src/types-internal.js

@@ -92,6 +92,17 @@ export {};
  * @property {number} [computrons]
  */
 
+/**
+ * @typedef {{ state: 'unresolved', refCount: number,
+ *             decider: string | undefined, policy: string,
+ *             subscribers: string[], queue: string[],
+ *          }} UnresolvedPromiseRecord
+ * @typedef {{ state: 'fulfilled' | 'rejected', refCount: number,
+ *             data: SwingSetCapData,
+ *          }} SettledPromiseRecord
+ * @typedef {UnresolvedPromiseRecord | SettledPromiseRecord} PromiseRecord
+ */
+
 /**
  * @typedef {{
  *   enablePipelining: boolean,

package/tools/prepare-strict-test-env-ava.js

@@ -0,0 +1,19 @@
+/**
+ * Like prepare-strict-test-env but also sets up ses-ava and provides
+ * the ses-ava `test` function to be used as if it is the ava
+ * `test` function.
+ */
+
+import '@agoric/swingset-liveslots/tools/prepare-strict-test-env.js';
+
+import { wrapTest } from '@endo/ses-ava';
+import rawTest from 'ava';
+
+export * from '@agoric/swingset-liveslots/tools/prepare-strict-test-env.js';
+
+export const test = wrapTest(rawTest);
+
+// Does not import from a module because we're testing the global env
+/* global globalThis */
+export const VatData = globalThis.VatData;
+assert(VatData);