chore: make krefOf/extractSingleSlot more picky

When krefOf() is called as part of kmarshal.serialize, marshal will only give it things that are 'remotable' (Promises and the Far objects created by kslot()). When krefOf() is called by kernel code (as part of extractSingleSlot() or the vat-comms equivalent), it ought to throw if 'obj' is not one of the Far objects created by our kslot(). This also changes extractSingleSlot() to be just as precise as the old implementation, to be safe against future changes to krefOf() or the marshalling format (e.g. #2069 auxdata adding additional properties).
Agoric · Nov 17, 2022 · ab72cc5 · ab72cc5
1 parent 2435640
commit ab72cc5
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 14 deletions.
diff --git a/packages/SwingSet/src/lib/capdata.js b/packages/SwingSet/src/lib/capdata.js
@@ -1,4 +1,5 @@
 import { assert, details as X } from '@agoric/assert';
+import { passStyleOf } from '@endo/marshal';
 import { kunser, krefOf } from './kmarshal.js';
 
 /* eslint-disable jsdoc/require-returns-check */
@@ -30,12 +31,10 @@ export function insistCapData(capdata) {
  * @param {import('@endo/marshal').CapData<string>} data
  */
 export function extractSingleSlot(data) {
-  if (data.slots.length === 1) {
-    const encValue = kunser(data);
-    const slotValue = data.slots[0];
-    if (krefOf(encValue) === slotValue) {
-      return slotValue;
-    }
+  const value = kunser(data);
+  const style = passStyleOf(value);
+  if (style === 'remotable' || style === 'promise') {
+    return krefOf(value);
   }
   return null;
 }
diff --git a/packages/SwingSet/src/lib/kmarshal.js b/packages/SwingSet/src/lib/kmarshal.js
@@ -1,4 +1,4 @@
-import { Far, makeMarshal } from '@endo/marshal';
+import { Far, makeMarshal, passStyleOf } from '@endo/marshal';
 import { assert } from '@agoric/assert';
 
 // Simple wrapper for serializing and unserializing marshalled values inside the
@@ -52,13 +52,16 @@ export const krefOf = obj => {
   if (fromMap) {
     return fromMap;
   }
-  if (obj && typeof obj === 'object') {
-    const getKref = obj.getKref;
-    if (typeof getKref === 'function') {
-      return getKref();
-    }
-  }
-  return null;
+  // When krefOf() is called as part of kmarshal.serialize, marshal
+  // will only give it things that are 'remotable' (Promises and the
+  // Far objects created by kslot()).  When krefOf() is called by
+  // kernel code (as part of extractSingleSlot() or the vat-comms
+  // equivalent), it ought to throw if 'obj' is not one of the Far
+  // objects created by our kslot().
+  assert.equal(passStyleOf(obj), 'remotable', obj);
+  const getKref = obj.getKref;
+  assert.typeof(getKref, 'function');
+  return getKref();
 };
 
 const kmarshal = makeMarshal(krefOf, kslot, {