fix: move rejectAllPromises from stopVat to kernels-side upgradeVat

When upgrading a vat, we must reject all promises that were decided by the old incarnation, because none of them are durable (the new incarnation will be unable to resolve them). Previously, the vat's stopVat() delivery would do the rejection. This moves the responsibility to the kernel, to happen in the pause between the old version being shut down and the new version being launched. closes #6694
Agoric · Mar 7, 2023 · 3260509 · 3260509
1 parent ca9bb81
commit 3260509
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 25 deletions.
diff --git a/packages/SwingSet/src/kernel/kernel.js b/packages/SwingSet/src/kernel/kernel.js
@@ -882,7 +882,10 @@ export default function buildKernel(
 
     // stopVat succeeded. finish cleanup on behalf of the worker.
 
-    // TODO: walk c-list for all decided promises, reject them all #6694
+    // walk c-list for all decided promises, reject them all
+    for (const kpid of vatKeeper.getDecidedPromises()) {
+      doResolve(vatID, [[kpid, true, disconnectObjectCD]]);
+    }
 
     // TODO: getNonDurableObjectExports, synthesize abandonVSO,
     // execute it as if it were a syscall. (maybe distinguish between

diff --git a/packages/swingset-liveslots/src/stop-vat.js b/packages/swingset-liveslots/src/stop-vat.js
@@ -33,25 +33,6 @@ import { enumerateKeysWithPrefix } from './vatstore-iterators.js';
 
 const rootSlot = makeVatSlot('object', true, 0n);
 
-function rejectAllPromises({ deciderVPIDs, syscall, disconnectObjectCapData }) {
-  // Pretend that userspace rejected all non-durable promises. We
-  // basically do the same thing that `thenReject(p, vpid)(rejection)`
-  // would have done, but we skip ahead to the syscall.resolve
-  // part. The real `thenReject` also does pRec.reject(), which would
-  // give control to userspace (who might have re-imported the promise
-  // and attached a .then to it), and stopVat() must not allow
-  // userspace to gain agency.
-
-  const rejections = deciderVPIDs.map(vpid => [
-    vpid,
-    true,
-    disconnectObjectCapData,
-  ]);
-  if (rejections.length) {
-    syscall.resolve(rejections);
-  }
-}
-
 function identifyExportedRemotables(
   vrefSet,
   { exportedRemotables, valToSlot },
@@ -298,11 +279,6 @@ function deleteCollectionsWithDecref({ syscall, vrm }) {
 // END: the preceding functions aren't ready for use yet
 
 export async function releaseOldState(tools) {
-  // First, pretend that userspace has rejected all non-durable
-  // promises, so we'll resolve them into the kernel (and retire their
-  // IDs).
-
-  rejectAllPromises(tools);
 
   // The next step is to pretend that the kernel has dropped all
   // non-durable exports: both the in-RAM Remotables and the on-disk