FVM: Actor Upgrades #396
Replies: 6 comments 4 replies
-
Thanks for writing this up, @Stebalien .
I think the I think a new entry point is also appropriate. This would also align with discussion about a separate constructor endpoint (https://github.com/filecoin-project/fvm-specs/issues/71), and if we were going to use this pattern again here I'd more or less shelve my points against it. If we're going to do it, let's make the most of it. |
Beta Was this translation helpful? Give feedback.
-
@vyzo suggested passing an upgrade "metadata" IPLD block instead of adding a new syscall. Basically: /// Called when an actor "upgrades" to this module's code.
///
/// # Parameters
///
/// `params` is an IPLD block handle for the upgrade params, if any.
///
/// # Returns
///
/// The return value is an IPLD block handle
#[no_mangle]
pub fn upgrade(params: u32, upgrade_info: u32) -> u32;
#[derive(Serialize_tuple, Deserialize_tuple)] // IPLD Block
pub struct UpgradeInfo {
old_code: Cid,
// maybe more properties?
}
|
Beta Was this translation helpful? Give feedback.
-
@fridrik01 pointed out an additional issue: re-entrant upgrades. I.e.
This is a potential security issue as the old code running as actor A could try to mutate the state after the upgrade. I believe the answer here is to abort. That is:
|
Beta Was this translation helpful? Give feedback.
-
I see a draft in progress for this. I'm a bit confused about the motivation though. What's the use case for upgradeable actors when users can't deploy any actors themselves anyway (#779)? |
Beta Was this translation helpful? Give feedback.
-
Support for actor upgrades was added in filecoin-project/ref-fvm#1866 and the FIP draft is #873. It follows the proposal in this discussion almost exactly, with the following minor changes:
|
Beta Was this translation helpful? Give feedback.
-
A curiosity for @jennijuju, @Stebalien, and @lemmih - Do Lotus/Venus/Forest currently support features that ought to exist in network actors, but don't because of the burden of migrating actor state for small changes? If/when upgradeable actors are implemented, are there implementation features that ought to be migrated into the actors codebase? |
Beta Was this translation helpful? Give feedback.
-
(This design is a collaboration from everyone on the FVM team)
The FVM would like to support atomically (and safely) upgrading actor code. This will allow actors to update themselves without having to rely on proxy patterns.
The general proposal is to add a
sself::become_actor
syscall that atomically switches to some new code CID, executing anupgrade
endpoint on the new code giving it a chance to upgrade the state, reject the upgrade, etc.Concretely, we're proposing:
sself::become_actor
andsself::get_old_code_cid
.upgrade
WASM entrypoint (in addition to theinvoke
entrypoint). Deployed actor code would only be a valid upgrade target if it defines this entrypoint.New WASM Entrypoint
When upgrading actor code, the new actor code needs an opportunity to:
Furthermore, upgrades must be opt-in. Otherwise, a malicious actor could upgrade to a "trusted" actor, leaving the trusted actor in a compromised state (either by seeding the trusted actor's state-tree, or by kicking off some chain of events that the trusted actor will later blindly complete).
To do this, we're proposing introducing a new WASM entrypoint. This entrypoint is defined as follows:
New Syscalls
We're proposing two new syscalls:
sself::become_actor
syscall to atomically switch to a new code CID.sself::get_old_code_cid
syscall to get the previous actor's code CID.sself::become_actor
Internally, this syscall would:
upgrade
entrypoint.upgrade
.sself::become_actor
.Note:
sself::become_actor
may be invoked recursively as follows:send(A2)
.become_actor(C2)
.become_actor(C3)
.B
.B
as the return result from the send in step 1.sself::get_old_code_cid
Open Questions
upgrade
entrypoint's signature is identical to send, so it's a bit unfortunate that we need a new endpoint.InvocationContext
(returned byvm::context
)? I assume we just leave everything as-is (caller, received value, etc.).Beta Was this translation helpful? Give feedback.
All reactions