feat: zoeTools.localTransfer error paths

[0xpatrickdev]

closes: #9925
refs: #9193

Description

• This PR primarily hardens the zoeTools implementation for orchestrated async-flows by:
  • ensuring payments handled in zoeTools.localTransfer are recovered to the original seat in the event of failure or partial failure
  • providing a zoeTools.withdrawFromSeat retriable function to facilitate withdrawing funds from a LocalChainAccount to a User seat. Ensures all changes are rolled back in the event of partial failure.
  • using asVow instead of retriable since these operations are not idempotent
• Creates src/fixtures/zoe-tools.contract.js to facilitate testing error paths
• To facilitate the change, vowTools.allVowsSettled was implemented in @agoric/vow. See feat: vowTools.allSettled #10077 which this PR depends on

Security Considerations

Improves safety around Payment handling in async-flow contracts in @agoric/orchestration

Scaling Considerations

n/a

Documentation Considerations

Updates jsdoc strings for localTransfer and withdrawToSeat. As maintainer notes for considerations around asVow and promptness.

Testing Considerations

Includes tests with different failure paths previously unaccounted for.

Upgrade Considerations

Unreleased code that will be part of an npm release

[cloudflare-workers-and-pages]

Deploying agoric-sdk with    Cloudflare Pages

Latest commit:	ea73ef7
Status:	✅  Deploy successful!
Preview URL:	https://cf7f029a.agoric-sdk.pages.dev
Branch Preview URL:	https://pc-send-anywhere-fixups.agoric-sdk.pages.dev

View logs

[turadg]

Good work. I've only done a quick reading pass. I'll come back for more thorough logic checking

[turadg]

because Fail throws, I think we're developing some confusion by using throw Fail. WDYT of only using Fail for the check || Fail assertion pattern?

Suggested change

	throw Fail`One or more deposits to LCA failed. ${q(errors)}`;
	throw makeError`One or more deposits to LCA failed. ${q(errors)}`;

[0xpatrickdev]

I am onboard! This makes things clearer.

[0xpatrickdev]

Do you have a preference for makeError('One or more deposits to LCA failed. ${q(errors)}') vs makeError('One or more deposits to LCA failed', undefined, { errors }?

I've implemented the latter since that's what the interface was guiding towards. A draw back is that the nested error(s) only appears in logs.

[turadg]

I usually defer to @Chris-Hibbert on error elision

[Chris-Hibbert]

I think this is fine. I wouldn't expect the errors to reveal any sensitive details, and we believe we've returned the funds to the originator.

How does the end user become aware of the problem? Or if this is a tool for implementors to use, how can they detect the problem?

[Chris-Hibbert]

I'm beginning to think @turadg misdirected this question to me, and meant @kriskowal. I don't know much about makeError--that's deep inside endo.

we anticipate some level of error reporting in vstorage

that sounds very helpful.

[turadg]

I meant you @Chris-Hibbert because I recall your attention to redaction in Inter Protocol

[Chris-Hibbert]

I don't see a problem here.

[kriskowal]

I think that throw makeError is more theoretically sound, but throw Fail has the same effect (the throw is unreachable because Fail throws, that subsequent code is unreachable), and provides a more obvious, local indication that the following code is unreachable.

[turadg]

throw Fail has the same effect here but not always. I think we should avoid using throw Fail,

• lint against throw Fail #10118

[Chris-Hibbert]

comments so far.

I may be away for an unknown period this afternoon, so sending what I have now.

[Chris-Hibbert]

should this complain if no infos are found? Wouldn't it normally be a surprise if none were found? Maybe it would be helpful to return a count of the number that were found?

[0xpatrickdev]

In a production-grade example, I agree this could be improved with more helpful messaging. But since this is just a test fixture, some checks to catch errors earlier are skipped.

[turadg]

consider a @file comment that this is not exemplary and takes shortcuts to support testing

[Chris-Hibbert]

There can be payouts that aren't in give. Where are those handled?

[0xpatrickdev]

give is maybe a poor variable name - I didn't choose to rename it with these changes but can. give is a PaymentKeywordRecord so all payments should be accounted for.

[turadg]

paid?

[0xpatrickdev]

I misspoke, it's an AmountKeywordRecrod not a PaymentKeywordRecord. What about amounts? Alternatively, we could use fromAmounts here and toAmounts for withdrawToSeat, mimicking atomicRearrange

[Chris-Hibbert]

There aren't two seats here, so amounts is fine.

AIUI, withdrawToSeat may have two seats, but the same amounts are transferred from and to, so amounts works there as well.

[Chris-Hibbert]

I'd like to see a test of this. (I didn't miss it, did I?)

[0xpatrickdev]

There are a few in /test/utils/zoe-tools.test.ts:

• 'withdraw (withdrawToSeat) from LCA with insufficient balance'
• 'withdraw (withdrawToSeat) happy path'
• 'withdrawToSeat, unknown brand'
• and near 'withdrawToSeat recovers from: simulated sendAll failure' in 'zoeTool.localTransfer error path' (withdrawSeat is used by localTransfer to recover)

[Chris-Hibbert]

oh, sorry. hidden by large diffs not rendered by default

[Chris-Hibbert]

That's distracting. There's nothing error-ish about this use, AFAICT. I'd prefer

Suggested change

	const anAmt = ist.make(SIMULATED_ERRORS.TIMEOUT);
	const arbitraryNat = 37n;
	const anAmt = ist.make(arbitraryNat);

[0xpatrickdev]

We've been using the SIMULATED_ERRORS constant to make it clear we are intentionally throwing an error in the test:

agoric-sdk/packages/vats/tools/fake-bridge.js

Lines 171 to 180 in 66e4cc0

	/**
	* Constants that can be used to force an error state in a bridge transaction.
	* Typically used for the LocalChainBridge which currently accepts all messages
	* unless specified otherwise. Less useful for the DibcBridge which rejects all
	* messages unless specified otherwise.
	*/
	export const SIMULATED_ERRORS = {
	TIMEOUT: 504n,
	BAD_REQUEST: 400n,
	};

The IBC bridge (used here) isn't trained to throw on these magic constants - it throws if it receives a message that doesn't have a handler registered via addMockAck. But the Localchain bridge is trained to do this, so I think consistently adopting this practice makes intentional errors clearer.

[Chris-Hibbert]

But the Localchain bridge is trained to do this,

It throws when it sees Amounts with these magic values? It can be difficult to inject errors, so I'll go along with this.

[0xpatrickdev]

Yes, see fakeLocalChainBridgeTxMsgHandler:

agoric-sdk/packages/vats/tools/fake-bridge.js

Lines 193 to 228 in c1c5a6f

	export const fakeLocalChainBridgeTxMsgHandler = (message, sequence) => {
	switch (message['@type']) {
	// TODO #9402 reference bank to ensure caller has tokens they are transferring
	case '/ibc.applications.transfer.v1.MsgTransfer': {
	if (message.token.amount === String(SIMULATED_ERRORS.TIMEOUT)) {
	throw Error('simulated unexpected MsgTransfer packet timeout');
	}
	// like `JsonSafe<MsgTransferResponse>`, but bigints are converted to numbers
	// FIXME should vlocalchain return a string instead of number for bigint?
	return {
	sequence,
	};
	}
	case '/cosmos.bank.v1beta1.MsgSend': {
	if (message.amount[0].amount === String(SIMULATED_ERRORS.BAD_REQUEST)) {
	throw Error('simulated error');
	}
	return /** @type {JsonSafe<MsgSendResponse>} */ ({});
	}
	case '/cosmos.staking.v1beta1.MsgDelegate': {
	if (message.amount.amount === String(SIMULATED_ERRORS.TIMEOUT)) {
	throw Error('simulated packet timeout');
	}
	return /** @type {JsonSafe<MsgDelegateResponse>} */ ({});
	}
	case '/cosmos.staking.v1beta1.MsgUndelegate': {
	return /** @type {JsonSafe<MsgUndelegateResponse>} */ ({
	// 5 seconds from unix epoch
	completionTime: { seconds: '5', nanos: 0 },
	});
	}
	// returns one empty object per message unless specified
	default:
	return {};
	}
	};

It can be difficult to inject errors

+1

[0xpatrickdev]

Thanks @Chris-Hibbert ! I too will be afk and plan to revisit this tomorrow AM

[0xpatrickdev]

There are a few in /test/utils/zoe-tools.test.ts:

• 'withdraw (withdrawToSeat) from LCA with insufficient balance'
• 'withdraw (withdrawToSeat) happy path'
• 'withdrawToSeat, unknown brand'
• and near 'withdrawToSeat recovers from: simulated sendAll failure' in 'zoeTool.localTransfer error path' (withdrawSeat is used by localTransfer to recover)

[0xpatrickdev]

We've been using the SIMULATED_ERRORS constant to make it clear we are intentionally throwing an error in the test:

agoric-sdk/packages/vats/tools/fake-bridge.js

Lines 171 to 180 in 66e4cc0

	/**
	* Constants that can be used to force an error state in a bridge transaction.
	* Typically used for the LocalChainBridge which currently accepts all messages
	* unless specified otherwise. Less useful for the DibcBridge which rejects all
	* messages unless specified otherwise.
	*/
	export const SIMULATED_ERRORS = {
	TIMEOUT: 504n,
	BAD_REQUEST: 400n,
	};

The IBC bridge (used here) isn't trained to throw on these magic constants - it throws if it receives a message that doesn't have a handler registered via addMockAck. But the Localchain bridge is trained to do this, so I think consistently adopting this practice makes intentional errors clearer.

[0xpatrickdev]

give is maybe a poor variable name - I didn't choose to rename it with these changes but can. give is a PaymentKeywordRecord so all payments should be accounted for.

[0xpatrickdev]

In a production-grade example, I agree this could be improved with more helpful messaging. But since this is just a test fixture, some checks to catch errors earlier are skipped.

[Chris-Hibbert]

Thanks for letting me see this. I don't see anything objectionable. I'll leave it to others with more context to approve.

[Chris-Hibbert]

oh, sorry. hidden by large diffs not rendered by default

[Chris-Hibbert]

What's the benefit of putting multiple apparently separate tests into a single ava test run? The usual guideline is that independent tests should have separate test names, so their failures can be reported individually.

The usual exceptions are that execution must be in a particular order, or that setup is expensive. Neither seems to be the case here.

[0xpatrickdev]

setup is expensive

This was the main reasoning, for the 6 nested conditions in this file I think it'd be an extra ~90 LOC. We haven't been diligent about enforcing 1 test assertion in 1 test run in this package, but usually use the optional 3rd message argument to help report the failure.

[Chris-Hibbert]

There aren't two seats here, so amounts is fine.

AIUI, withdrawToSeat may have two seats, but the same amounts are transferred from and to, so amounts works there as well.

[Chris-Hibbert]

Suggested change

	* Transfer the `give` of a seat to a local account. If any of the deposits
	* Transfer the `give` amounts from srcSeat to localAccount. If any of the deposits

or after renaming,

Suggested change

	* Transfer the `give` of a seat to a local account. If any of the deposits
	* Transfer the amounts from srcSeat to localAccount. If any of the deposits

[Chris-Hibbert]

update the comment above.

[github-actions]

Base branch is changed to master. Please re-run the integration tests by adding 'force:integration' label.

[Chris-Hibbert]

seat.fail() returns nothing. I see that our docs suggest this, but it doesn't make any sense to me.

I see the pattern in some of our example contracts, but not our production contracts.

[0xpatrickdev]

What would you expect to see instead?

With:

  seat.fail(makeError(`IBC Transfer failed ${q(e)}`));
  return;

I see Promise resolved with undefined.

With only:

 seat.fail(makeError(`IBC Transfer failed ${q(e)}`));

Execution continues and the seat.exit() a few lines down causes a rejection with Error: seat has been exited.

I'm using yarn test test/examples/send-anywhere.test.ts -m 'failed ibc transfer returns give' to hit this path.

[0xpatrickdev]

Another option considered a while back was:

  seat.exit();
  throw makeError(`IBC Transfer failed ${q(e)}`) 

but this seemed like an anti-pattern since seat.fail exists

[Chris-Hibbert]

I would have gone with

  const errorMsg = `IBC Transfer failed ${q(e)}`;
  seat.exit(errorMsg);
  throw  makeError(errorMsg);

[Chris-Hibbert]

Suggested change

	atomicTransfer(zcf, srcSeat, tempSeat, amounts);
	zcf.atomicTransfer(srcSeat, tempSeat, amounts);

[0xpatrickdev]

Please see c5ada2f

[turadg]

are we always going to have the unqualified name be the guest? I don't recall if we've made that decision.

Consider not defining ZoeTools and letting the guest places use GuestInterface<ZoeToolsHost>

[turadg]

why delay the destructuring? It allows for a mixing of call styles in the same closure.

  return asVow((

  return vowTools.aVow(

[turadg]

this explanation is helpful but strikes me as something to document and reference. (It's repeated twice here and surely there are other places equally worth noting it.)

Not a blocker for merge but something we should improve

[0xpatrickdev]

Agree, moved to the @file declaration