Add support for actor upgrades

[fridrik01]

See: #717

This PR adds support for actor upgrades through a new sdk::actor::upgrade_actor syscall. This allows actors to upgrade to a new version while still keeping the same address, balance, etc.

The implementation follows the proposal discussed in filecoin-project/FIPs#396 almost exactly except with the two minor changes:

• The new syscall was referred to as sself::become_actor but we renamed it to sdk::actor::upgrade_actor to better reflect its meaning
• We decided to not create a separate syscall to get the code cid of the actor initiating the upgrade, but instead the new syscall takes a second UpgradeInfo parameter to pass in metadata IPLD block (see FVM: Actor Upgrades FIPs#396 (comment))

[codecov-commenter]

Codecov Report

Merging #1866 (84a47d1) into master (e9044cb) will decrease coverage by 19.68%.
Report is 2 commits behind head on master.
The diff coverage is 0.00%.

Additional details and impacted files

@@             Coverage Diff             @@
##           master    #1866       +/-   ##
===========================================
- Coverage   75.73%   56.05%   -19.68%     
===========================================
  Files         152      153        +1     
  Lines       15073    15259      +186     
===========================================
- Hits        11415     8553     -2862     
- Misses       3658     6706     +3048     

Files	Coverage Δ
fvm/src/kernel/error.rs	60.00% <ø> (-12.10%)	⬇️
fvm/src/syscalls/send.rs	0.00% <ø> (-100.00%)	⬇️
fvm/src/trace/mod.rs	0.00% <ø> (-100.00%)	⬇️
shared/src/error/mod.rs	0.00% <ø> (-48.58%)	⬇️
shared/src/lib.rs	20.00% <ø> (ø)
fvm/src/call_manager/backtrace.rs	0.00% <0.00%> (-84.06%)	⬇️
fvm/src/syscalls/error.rs	0.00% <0.00%> (-48.49%)	⬇️
shared/src/upgrade/mod.rs	0.00% <0.00%> (ø)
sdk/src/send.rs	0.00% <0.00%> (ø)
fvm/src/syscalls/mod.rs	0.00% <0.00%> (-97.82%)	⬇️
... and 9 more

... and 45 files with indirect coverage changes

[Stebalien]

initial feedback

[Stebalien]

So, honestly, we can probably treat these errors as "fatal" and check earlier. I.e., the final version of upgrade (not for this PR, but later) would:

1. Lookup the target code CID in some "deployed actors" table in the init actor.
2. Check some metadata generated on deploy to see if the actor supports the upgrade entrypoint.

By the time we get to this code, everything will have been checked and any errors would be considered "fatal".

---

For now, what we'd likely do is check if:

1. The caller is one of builtin actor types X/Y/Z (in this case, it would be restricted to an eth account).
2. The target code CID is an EVM actor (again, using the builtin actors manifest).

Because that's the immediate use-case (upgrading eth accounts into EVM actors).

[Stebalien]

Some more thoughts. Let's talk tomorrow.

[Stebalien]

IMO, we should treat invoke params the same way (if possible).

[fridrik01]

@Stebalien ready for another review. There are still some build errors in CI which are not occurring on my machine which I am looking into

[Stebalien]

Only major thing is recursion handling. Otherwise, quibbles but LGTM. I'll take one more look tomorrow.

[Stebalien]

I think this check should actually be in send, not upgrade. I.e.:

1. If an actor calls A (upgrade -> upgrade -> upgrade), that's fine. Because, on success, we'll "unwind" past all the upgrade calls all at once.
2. If an actor has a call stack like A -> B -> A (upgrade), that's not fine and we need to abort when we return to the top-level call into A. Otherwise, we'd end up running old code.

It's that last point that's problematic: We never want to re-enter some actor code after we've upgraded away from it.

[Stebalien]

And, in that second case, we should treat it as a "revert" of B (I think?).

[Stebalien]

Actually, after talking this through with @maciejwitowski, there's an alternative here that I kind of like. Instead of catching this when we return to the top-level invocation of A, we can catch this on the upgrade syscall itself. To do this, we'd need to:

1. Keep a map of ActorID -> reentrancy count, incrementing the count each time we re-enter an actor already on the call-stack.
2. In the upgrade syscall, if this count is non-zero (for the current actor), return a Forbidden syscall error (or something like that).

One reason I like this approach is that, independent of this particular change, I'd like to find a way to expose whether or not a call is reentrant to actors. I.e., some kind of flag in their environment where they can detect that they're within a reentrant call. I expect most actors will, at that point, simply abort with an error.

[fridrik01]

@Stebalien I played around with this approach in 109c5e9

[Stebalien]

Ah, I mean that we need to keep track of calls in progress, not upgrades. I.e., if some actor A is already on the call stack, no "deeper" instance of A should be able to call the upgrade syscall.

[fridrik01]

Oh lets talk sync today, Oh I see, updated the PR with that in mind and added new tests

[Stebalien]

We can remove this now, right?

[Stebalien]

Testing: Let's make sure we cover cases like:

• Selfdestruct -> upgrade
• Re-entrent call -> upgrade
• upgrade -> upgrade
• failure in a recursive upgrade where the top-level upgrade sticks (e.g., the code CID should be changed).
• upgrade to some code CID that doesn't exist (maybe?)
• upgrade to some code CID that doesn't implement the upgrade entrypoint.

You're probably already covering some of these cases.

[Stebalien]

We can leave it like this for now, but we should have a better API.

• We generally take Cid by reference (it's large so we avoid copying till we need to).
• There is no "success" case here.

It should probably look something like:

Suggested change

	pub fn upgrade_actor(new_code_cid: Cid, params: Option<IpldBlock>) -> SyscallResult<Response> {
	pub enum UpgradeError {
	CodeNotInstalled, // code not available, could be worded better.
	InvalidUpgradeTarget, // code doesn't implement the upgrade entrypoint.
	ReentrentUpgrade, // actor already on the call stack.
	UpgradeFailed(Response),
	}
	pub fn upgrade_actor(new_code_cid: Cid, params: Option<IpldBlock>) -> Result<std::convert::Infallible, UpgradeError> {

I wish we could use ! (the correct never type) but that's not stable yet.

[Stebalien]

The reason to do this is that we want to treat every possible return here as an error. If the user blindly writes upgrade_actor(...)? or upgrade_actor(...).expect("upgrade failed"), that should work.

[Stebalien]

Hm. ReentrentUpgrade may not quite work (see my other comments on the conflict with selfdestruct). Honestly, I'd just change the variant in this enum to IllegalOperation and document it as an "either or" case (where, 99% of the time, it'll be because the actor doesn't exist).

[fridrik01]

I changed to take CID by reference, will take a look at infallable/UpgradeError next

[Stebalien]

Per our conversation below, InvalidUpgradeTarget likely isn't something we need to include in this enum (that's covered by an exit code, not an error number, and we should probably leave the exit codes alone).

[Stebalien]

Once we're done with everything else, let's make sure to go back and revisit this.

[fridrik01]

Testing: Let's make sure we cover cases like:

• Selfdestruct -> upgrade
• Re-entrent call -> upgrade
• upgrade -> upgrade
• failure in a recursive upgrade where the top-level upgrade sticks (e.g., the code CID should be changed).
• upgrade to some code CID that doesn't exist (maybe?)
• upgrade to some code CID that doesn't implement the upgrade entrypoint.

You're probably already covering some of these cases.

From this list, we are at least covering:

• Selfdestruct -> upgrade: covered with method 5 in fil-upgrade-actor
• Re-entrent call -> upgrade: covered with method 4 in fil-upgrade-actor
• upgrade -> upgrade: covered with method 3 in fil-upgrade-actor
• upgrade to some code CID that doesn't implement the upgrade entrypoint: covered in fil-syscall-actor).

From the remaining cases:

• upgrade to some code CID that doesn't exist (maybe?): Right now we blindly accept code_cids in the kernel (as long as they could be parsed) and add them to the actor state. What would be the way to go do check if that code actually exists? (maybe store.get_cbor)?
• failure in a recursive upgrade where the top-level upgrade sticks (e.g., the code CID should be changed): Not sure I understand this, so its a case of "upgrade -> upgrade" , how would the 2nd upgrade CID stick around as long as the syscall succeded.

[Stebalien]

upgrade to some code CID that doesn't exist (maybe?): Right now we blindly accept code_cids in the kernel (as long as they could be parsed) and add them to the actor state. What would be the way to go do check if that code actually exists? (maybe store.get_cbor)?

It's probably fine to leave that out, in that case.

failure in a recursive upgrade where the top-level upgrade sticks (e.g., the code CID should be changed): Not sure I understand this, so its a case of "upgrade -> upgrade" , how would the 2nd upgrade CID stick around as long as the syscall succeded.

I mean, I want to make sure that the following works:

1. Upgrade from code A to code B.
2. Inside code B's upgrade function, try to recursively upgrade to code C. Fail.
3. Return success from code B's upgrade function.

At this point, the actor's code CID should be B, not A or C.

[Stebalien]

upgrade -> upgrade: covered with method 3 in fil-upgrade-actor

Are you sure it's testing the right thing? I.e., upgrade (to code A) -> upgrade (to code B) should result in code B.

See #1866 (comment)

[Stebalien]

🎉