implement validation, self & message syscalls on the kernel side. #137
Conversation
| @@ -362,17 +447,41 @@ where | |||
| } | |||
| } | |||
|
|
|||
| impl<B, E> ValidationOps for DefaultKernel<B, E> { | |||
| impl<B, E> ValidationOps for DefaultKernel<B, E> | |||
There was a problem hiding this comment.
Any reason we're not just implementing these inside the runtime (inside the actor itself)? These are basically just helper methods.
There was a problem hiding this comment.
I know this is how the current actors do it, but I believe that's mostly for ease of testing.
There was a problem hiding this comment.
Currently, these aren't just helper methods: the runtime enforces that every actor validates the call once and only once.
Having said that, in a world where we can only run built-in actors (up to M1 inclusive), it is indifferent to have this at the SDK level or at the kernel level.
In the future, where we place this will depend on the constraints we want to enforce.
- If we want to enforce that every actor validates every call once, it must continue in the kernel level, as the SDK is user-space and it would be trivial to bypass that constraint by using a different SDK.
- If we want to remove this constraint for user-deployed actors, but keep it for built-in (privileged) actors, then we can move it into the SDK, but we risk introducing programming errors that do not exist today unless we add some enforcement (could be at compile time through build-failing lints).
- If we want every actor to opt-in, or opt-out, we can have a "strict validation" mode.
| } | ||
|
|
||
| /// TODO it should be possible to consume an address without knowing its length a priori | ||
| pub fn self_destruct( |
There was a problem hiding this comment.
NOTE: it would be nice if we could pass in ID addresses, and resolve addresses in the actor runtime.
msg_paramssyscall since the params block ID is passed as an argument to the WASM entrypoint.