Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can SwingSet run on browser? #58

Closed
danfinlay opened this issue Sep 16, 2019 · 11 comments
Closed

Can SwingSet run on browser? #58

danfinlay opened this issue Sep 16, 2019 · 11 comments
Assignees
@michaelfig
Labels
SwingSet package: SwingSet wontfix This will not be worked on

Comments

@danfinlay
Copy link

The docs make this look like a command line tool, but is there a way to also run these vats and support cross-process communication within a browser?
@erights
Copy link
Member

erights commented Sep 17, 2019

Hi @danfinlay !

We have not been. But we've been trying to stick to the discipline that, as much as possible, we assume only a standard modern JavaScript language, while keeping all host dependencies small and contained. So guessing: It probably doesn't quite work, but can be made to work without too much effort.

The the "it" there is running an entire SwingSet (the kernel and all the vats using that kernel) in one JavaScript process. When you say "cross-process", what do you have in mind?

@danfinlay
Copy link
Author

When you say "cross-process", what do you have in mind?

There was probably a better word I could have chosen. In this context by "process" I mean independent JavaScript event loops that do not have access to each other's memory or objects. I guess this is sometimes called "across an async membrane"? Still learning some of the lingo.

Some examples of "separate processes":

  • A WebExtension background script/process is separate from that of a website loaded.
  • Individual users' browsers connected to a common document, communicating over websockets or WebRTC are separate processes

I dream that things like the third use case (the ability to edit a specific paragraph in a document) could be as easy as participantB.canEdit(paragraphA), and the runtime (SwingSet, if running within a browser) could handle the serialization, signing, and deserialization, and signature verification on invocation of this remote function reference "under the hood".

Am I understanding correctly what role Swingset plays, and what it could do if it were modified to run within a browser?

@erights
Copy link
Member

erights commented Sep 19, 2019

Am I understanding correctly what role Swingset plays, and what it could do if it were modified to run within a browser?

I think so, but cc'ing @warner, @michaelfig, and @kriskowal who can correct me where I misstep. Some of your scenarios would be supported by multiple vats within one swingset, and some by multiple swingsets talking to each other. When explaining vats and swingsets, I start with

  • A vat is the unit of synchrony. Vats interact with other vats only asynchronously.
  • A Swingset is the unit of determinism.

Multiple vats within the same swingset effectively share one event loop, which is some interleaving of the turns for each of the member vats. Each turn of any vat runs to completion before anything happens in any other vat. There is no genuine parallelism within a swingset.

An object within one vat can have a direct reference only to other objects in its own vat. For all other objects, it holds only a remote reference to them, in the form of a handled promise which communicate to their swingset kernel through a data only interface. Although we are actually running them all within one realm, we could switch these to separate realms without any observable difference.

A separate worker within the browser is, to us, as separate as a remote server. Likewise with a background process, or anything reached over websockets or webrtc. We would put a separate swingset in each, each with its own comms vat.

Whatever the low level communications mechanism is between these units, we'd need to abstract it into a vattp connection. Q-Connection did something similar.

@danfinlay
Copy link
Author

This helps a lot, thanks for clarifying the role between a vat and a SwingSet.

Q-Connection is very nice, and maybe usable for what I was looking for at the moment. In part I was considering whether some of this prior work had tooling that I could use as an alternative to building capnode (a remote object-proxy library), and while its interface isn't as open-ended, I really like that it supports pipelining out of the box.

I was also curious whether those messages were being cryptographically signed within SwingSet, or maybe you could point me to which layer of the stack the cryptographic serialization is happening at?

@kriskowal
Copy link
Member

kriskowal commented Sep 20, 2019 via email

@erights
Copy link
Member

erights commented Sep 20, 2019

I was also curious whether those messages were being cryptographically signed within SwingSet, or maybe you could point me to which layer of the stack the cryptographic serialization is happening at?

The crypto should be happening within the vattp layer. The comms vat should not know about crypto.

@warner
Copy link
Member

warner commented Oct 4, 2019

FWIW, I think of SwingSet as a library first, which must be embedded/instantiated inside some "host". The host creates the kernel and the initial vats, and gets back a controller. The host can use the controller to process the run-queue. The host should also (generally) set up some "devices" at the same time (e.g. the Mailbox device) and use them to cause messages to be added to the run queue. The host also provides something to store kernel+vat state in.

The bin/vat executable is a bare-bones demo host: it's really only useful for running a set of vats from bootstrap to completion, with no facilities for adding new messages. I'm thinking of adding some comms functionality to make it more useful, but I'm not sure that a command-line tool is the most natural home for a swingset.

Our "cosmic-swingset" repo is a blockchain-based host for a swingset environment. Since the state management of the vats (checkpointing at the end of each large turn) is very similar to the state management of a blockchain (one checkpoint per block), it's fairly straightforward to treat the swingset library as the state machine inside the blockchain world: each signed transaction may deliver a message through the Mailbox device, and then for each block we process the runqueue to completion.

We may have some work to do before it's possible, but in general you should be able to instantiate a swingset environment in a browser. But we have to decide what the "host" looks like, and how it satisfies the swingset's needs from the host: somewhere to store state (unless you're satisfied with ephemeral vats), some way to get messages in (unless you're satisfied with very short-lived vats), and some way for messages to get out (unless you're satisfied with having no side-effects).

The work that may need to be done includes:

  • getting SES to work in the environment (e.g. Workers) without a DOM, from which the Realms shim gets an <iframe> to get a new set of primordials. The Compartments API is the way forward here.
  • providing a meaningful durable state-storage object. Maybe IndexedDB or something.
  • providing messaging channels: WebSocket comes to mind but there are a lot of questions about how new connections are established and named that we need to figure out first. The IBC protocol that we're helping to develop is relevant too

@warner warner transferred this issue from Agoric/SwingSet Dec 1, 2019
@warner warner added the SwingSet package: SwingSet label Dec 1, 2019
dckc pushed a commit to dckc/agoric-sdk that referenced this issue Dec 5, 2019
@jackzampolin
Merge PR Agoric#58: Small docs fix
4062955 
Three stores had been combined in Agoric#43.
dckc pushed a commit to dckc/agoric-sdk that referenced this issue Dec 5, 2019
@warner
Merge branch '58-state-2'
b830d73 
Rewrite our state-management approach: pass in a state object when building
the kernel/controller, and all kernel state will be read-from/written-to it
as messages are processed. You can make that object persistent any way you
like, as long as you pass an equivalent one into the kernel the next time the
process starts.

closes Agoric#58
dckc pushed a commit to dckc/agoric-sdk that referenced this issue Dec 5, 2019
@Chris-Hibbert
A test case for presence corruption with the eventual send candidate. (
e481d91 
…Agoric#58)

* A test case for presence corruption with the eventual send candidate.

* turn off test.only

* Move this directory to the new location for SwingsetTests

* Rename the root test case and add a comment explaining its purpose.

fix the test after directory move.
@warner warner mentioned this issue May 21, 2020
Closed
@dckc
Copy link
Member

dckc commented Jan 16, 2021

@ski I think you asked me this question a few weeks ago.

@erights
Copy link
Member

erights commented Feb 26, 2021

Hi @michaelfig I think this is closest to things you are working on, so may I assign you?

@michaelfig
Copy link
Member

The short answer of "can SwingSet run in a browser" is "not without a lot of work." The long answer is #58 (comment) And also, that work is not really on Agoric's roadmap at this time.

A better question is "can a vat run in a browser" (i.e. without the deterministic persistent multi-vat world that SwingSet provides for)? The answer to that is "yes"! Use SES and CapTP, and be prepared to reestablish your remote objects from scratch on reload. You can take advantage of any platform features in this model (like async databases, remote hosts, etc): no need to be deterministic. What we're missing is LavaMoat integration to partition risk nearly as seamlessly as SwingSet provides.

Our most obvious example of this is the wallet UI which uses SES and CapTP messaging to talk to the local ag-solo. It's in Svelte. We're making more examples of this kind of UI Really Soon Now.

As far as making this pattern generalisable to other runtime environments: -cough-Endo-cough-. But as @danfinlay
knows, MetaMask and Agoric are both going together in this direction. And we have a plan for how to get there in phases. As for @ski, the Svelte captp stuff may be what you're looking for. Feel free to open another issue if you have questions about how to reproduce that model in (IIRC) Vue.

Closing this issue until somebody signs up to do the "lot of work" it would take.

@dckc dckc added the wontfix This will not be worked on label Sep 14, 2021
@dckc
Copy link
Member

dckc commented Sep 14, 2021

It seems like a bunch of the hard work has actually been done. I wonder how much is left:

The work that may need to be done includes:

  • getting SES to work in the environment (e.g. Workers) without a DOM, from which the Realms shim gets an <iframe> to get a new set of primordials. The Compartments API is the way forward here.

The Compartment API is pretty mature by now.

  • providing a meaningful durable state-storage object. Maybe IndexedDB or something.

#3171 seems to make that feasible.

  • providing messaging channels: WebSocket comes to mind but there are a lot of questions about how new connections are established and named that we need to figure out first. The IBC protocol that we're helping to develop is relevant too

I guess that part has a ways to go... but we're making progress: #1670 ,

see also #3180

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michaelfig michaelfig

Labels
SwingSet package: SwingSet wontfix This will not be worked on
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@warner @kriskowal @dckc @erights @michaelfig @danfinlay