exception unsealer to go with SES console

[dckc]

The censoring in the SES assert and console are an approximation of exception sealing. But we lack a reified exception unsealer that we can use for example, in our REPL.

Exception sealing is motivated by the observation that throw-catch is dynamically scoped, contrary to encapsulation as needed for Cap discipline.

Section 4.3 Exceptions and Errors of the 2010 Joe-E paper is a good write-up including this example:

To see how this can cause unpleasant surprises, suppose Alice calls Bob. Bob has some special capability that she
lacks, and Bob wants to avoid leaking this to her. At some point, Bob might need to invoke Chuck to perform some operation, passing this capability to Chuck. If (unbeknownst to Bob) Chuck can throw an exception that Bob doesn’t catch, this exception might propagate to Alice. If this exception contains Bob’s precious capability, this might cause the capability to leak to Alice, against Bob’s wishes and despite Chuck’s good intentions.

See also Reid to cap-talk 13 April 2010.

ava-xs has a work-around that logs errors before sending them over the wire because that's where the SES console that knows the uncensored details are:

https://github.com/Agoric/agoric-sdk/blob/23ed67c070a6ea04fb305d469283107b1d3d65f3/packages/xsnap/src/avaAssertXS.js#L344

This came up in discussion of Agoric/agoric-sdk#3079 .

If we could grant the test() function an exception unsealer, it could serialize the uncensored error details and send them along with other test result info.

Another place that should be able to unseal errors is the REPL. (cc @michaelfig )

[erights]

Thanks!

[dckc]

yes, move to endo
use case: t.log

[erights]

See also

• WIP: Better errors from t.fail, t.notThrows, t.notThrowsAsync #701

[dckc]

related: passing DEBUG and related env vars into xsnap-worker

[dckc]

@erights seems to be working on something that looks like it will address this.

[erights]

Just noting that #2109 is related, but would not close this bug.