Just as normal security threats can be divided into breach and denial of service, so attempts to escape determinism can be divided into divergence and denial of replay. E does not yet prevent either attack, and so does not yet provide for deterministic replay. However, E is designed to prevent divergence. Once it does, E will have fail-stop deterministic replay.
Preventing Denial of Replay
E does not yet guarantee that all non-determinism is loggable, but it is designed, and expected, to provide a somewhat weaker form of that guarantee. E cannot prevent an adversarial subgraph from escaping replay, because Vat-destroying virtual machine errors (especially java.lang.OutOfMemoryError) can be induced in an unloggably non-deterministic manner, and an adversary cannot be prevented from inducing some of these conditions.
However, so long as the non-preventable unloggable sources of non-determinism all manifest as Vat-destroying errors, as seems to be the case, E can achieve the weaker property of fail-stop replay. Let X be an original computation and Y a replay of that computation. If neither self-destructs with one of these errors, then X and Y must be identical in their external effects. If either or both self-destruct, then X and Y must be identical up to the earlier of the two destruct points.
(link to Tyler's message)
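The fail-stop replay property above, as an added example that is not part of this page or of E's own implementation: a small Python model of a Vat driven by a log of incoming messages, in which a simulated, unloggable Vat-destroying error stands in for java.lang.OutOfMemoryError. The Vat, its message verbs, the `run_vat` and `fail_stop_consistent` functions and the sample log are all constructed for illustration; the checker implements the definition given above, comparing external effects in full when neither run was destroyed and up to the earlier destruct point otherwise.

```python
"""Model of fail-stop replay (illustrative, not E's implementation).

A Vat consumes a log of incoming messages (the loggable inputs) and a
deterministic turn function turns each message into external effects.
An unloggable Vat-destroying error is simulated by `destroy_at`, which is
deliberately NOT part of the log, so it may differ between the original
run and the replay, exactly like an induced OutOfMemoryError would.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Effect = Tuple[int, Tuple[str, int]]  # (turn index, external effect)


@dataclass
class RunResult:
    effects: List[Effect]
    destroyed_at: Optional[int]  # turn at which the Vat self-destructed, or None


def run_vat(log, destroy_at: Optional[int] = None) -> RunResult:
    """Deliver each logged message in order; emit effects deterministically.

    The Vat is a toy account: 'deposit' adds to the balance, 'withdraw'
    subtracts or is refused. Every completed turn emits exactly one
    external effect tagged with its turn index, so a destroyed run's
    effects are a prefix of an undestroyed run's effects.
    """
    balance = 0
    effects: List[Effect] = []
    for turn, (verb, arg) in enumerate(log):
        if destroy_at == turn:
            # Unloggable failure: the Vat dies before this turn has any effect.
            return RunResult(effects, turn)
        if verb == "deposit":
            balance += arg
            effects.append((turn, ("balance", balance)))
        elif verb == "withdraw":
            if arg > balance:
                effects.append((turn, ("refused", arg)))
            else:
                balance -= arg
                effects.append((turn, ("balance", balance)))
        else:
            raise ValueError(f"unknown verb {verb!r}")
    return RunResult(effects, None)


def fail_stop_consistent(original: RunResult, replay: RunResult) -> bool:
    """Check the fail-stop replay property from the text.

    Neither destroyed: external effects must be identical.
    One or both destroyed: effects must be identical up to the earlier
    destruct point (effects produced by turns before that point).
    """
    points = [p for p in (original.destroyed_at, replay.destroyed_at)
              if p is not None]
    if not points:
        return original.effects == replay.effects
    earliest = min(points)

    def before_destruct(run: RunResult) -> List[Effect]:
        return [e for e in run.effects if e[0] < earliest]

    return before_destruct(original) == before_destruct(replay)


# Constructed sample log of incoming messages.
LOG = [("deposit", 10), ("withdraw", 3), ("withdraw", 20), ("deposit", 5)]

if __name__ == "__main__":
    original = run_vat(LOG)
    # Replay whose Vat is destroyed at turn 2 by an unloggable error.
    replay = run_vat(LOG, destroy_at=2)
    print("original:", original)
    print("replay:  ", replay)
    print("fail-stop consistent:", fail_stop_consistent(original, replay))
    # A replay that diverges (a different message at turn 2) is rejected.
    diverged = run_vat(LOG[:2] + [("withdraw", 1)] + LOG[3:])
    print("divergence detected:", not fail_stop_consistent(original, diverged))
```

Note what the checker does not do: it cannot tell an induced OutOfMemoryError from a genuine one, which is the point of the text. Fail-stop replay only promises that whatever happened before the earlier destruct point is reproducible, not that the destruct point itself is.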
Unless stated otherwise, all text on this page which is either unattributed or by Mark S. Miller is hereby placed in the public domain.