Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: allow vats to be marked critical and panic the kernel if a critical vat fails #5436

Merged
merged 2 commits into from
May 28, 2022
Merged

feat: allow vats to be marked critical and panic the kernel if a critical vat fails #5436

merged 2 commits into from
May 28, 2022

Conversation

FUDCo
Copy link
Contributor

@FUDCo FUDCo commented May 26, 2022

Vats now accept a critical property as one of their creation options. If a vat is marked as critical, failure of that vat causes a kernel panic.

In order to avoid allowing just anyone to set up a situation that could bring down the kernel and thus the chain, dynamic vats cannot be configured as critical simply by setting the critical option to true (as they can with static vats). Instead, for the critical option value you must provide the "critical vat key", a capability that can only be obtained from the vatAdmin vat. The vatAdmin root now supports an additional method, getCriticalVatKey() which returns this capability. Note that this is only available on the vatAdmin root object, not on any vatAdminService object, and thus is initially only available to the bootstrap vat.

Fixes #4279

@FUDCo FUDCo added enhancement New feature or request SwingSet package: SwingSet labels May 26, 2022
@FUDCo FUDCo requested a review from warner May 26, 2022 00:57
@FUDCo FUDCo self-assigned this May 26, 2022
warner
warner approved these changes May 26, 2022
View reviewed changes
Copy link
Member

@warner warner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! Thanks for catching that exitVatWithFailure-doesn't-unwind bug.

A few nits, and we need to figure out the CI thing (but it's probably transient, maybe a timeout or the CI host got rebooted or something?).

packages/SwingSet/src/kernel/kernel.js Outdated Show resolved Hide resolved
packages/SwingSet/src/kernel/kernel.js Outdated Show resolved Hide resolved
packages/SwingSet/src/kernel/kernel.js Show resolved Hide resolved
packages/SwingSet/test/vat-admin/terminate/test-terminate.js Show resolved Hide resolved
@FUDCo FUDCo added automerge:rebase Automatically rebase updates, then merge and removed automerge:rebase Automatically rebase updates, then merge labels May 26, 2022
@mhofman mhofman mentioned this pull request May 27, 2022
Closed
@FUDCo FUDCo added the automerge:rebase Automatically rebase updates, then merge label May 28, 2022
@mergify mergify bot merged commit c4c452f into master May 28, 2022
@mergify mergify bot deleted the 4279-critical-vat-panic branch May 28, 2022 02:16
@warner warner mentioned this pull request Jul 19, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@warner warner warner approved these changes

Assignees

@FUDCo FUDCo

Labels
automerge:rebase Automatically rebase updates, then merge enhancement New feature or request SwingSet package: SwingSet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

mark some vats as critical, panic the kernel if one dies
2 participants
@FUDCo @warner