core-eval needs mechanism to create+pass a Meter to zoe.startInstance

[warner]

What is the Problem Being Solved?

Our plan for protecting the chain against runaway contract-vat execution (#7938) depends upon new contract vats being created with a Meter. Issue #8216 is about adding this functionality to Zoe, but @mhofman noticed that we also need to somehow change or add behavior to vat-bootstrap, to allow CORE_EVAL snippets to pass this meter through to Zoe.

I may be wrong, but I think that CORE_EVAL snippets will call startUpgradable to ask for Zoe to create a new instance.

agoric-sdk/packages/vats/src/core/basic-behaviors.js

Lines 141 to 161 in de82c94

	/** @type {StartUpgradable} */
	const startUpgradable = async ({
	installation,
	issuerKeywordRecord,
	terms,
	privateArgs,
	label,
	}) => {
	const started = await E(zoe).startInstance(
	installation,
	issuerKeywordRecord,
	terms,
	privateArgs,
	label,
	);
	label ||= NonNullish(getInterfaceOf(started.instance));
	const kit = harden({ ...started, label });
	contractKits.init(kit.instance, kit);
	await E(diagnostics).savePrivateArgs(kit.instance, privateArgs);
	return kit;
	};

This wraps the call to E(zoe).startInstance(), and already has five arguments hard-coded into it, with no simple provision for passing additional/arbitrary options. So we don't currently have a way to reach the new argument that #8216 would add.

One possibility is to somehow add the Meter to one of the existing arguments. However the contract code should not be allowed to access its own Meter object (if it could, it could refill it as much as it wanted, negating the computrons limits).

Can we do a CORE_EVAL that adds a new startUpgradableWithMeter to the promise space?

Description of the Design

unknown

Security Considerations

Scaling Considerations

Test Plan

Upgrade Considerations

[warner]

@dckc pointed out that CORE_EVAL code can access zoe directly, and is not limited to the startUpgradable function, however they'll need to stash the other stuff themselves.. the suffix of that function:

   label ||= NonNullish(getInterfaceOf(started.instance)); 
   const kit = harden({ ...started, label }); 
   contractKits.init(kit.instance, kit); 
   await E(diagnostics).savePrivateArgs(kit.instance, privateArgs); 
   return kit; 

(and assuming that diagnostics is available too)

So this might not require a new feature in the vat-bootstrap promise space, but could probably be achieved with a different pattern in our instantiate-contract proposals.

[mhofman]

I'm not sure what the shape of a contractKit is supposed to be, but we do want to stash the meter somewhere, and it might be a good place for it.

[dckc]

fwiw...
https://github.com/Agoric/agoric-sdk/blob/mainnet1B/packages/vats/src/core/types.js#L271

StartedInstanceKitWithLabel is what you get back from E(zoe).install() plus a label: string