-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aborted modules must be poisoned #3687
Comments
I left some additional questions/comments in the Zulip discussions, but to summarize: I'm not entirely convinced that this is a problem in |
What is the type of throwing a JS exception in Rust? AFAIK wasm is a no-unwind target. So every function that returns |
It is indeed If this is just a "semantic" issue, I would like to propose to change that in Rust: not require |
The concern is around optimizations Rust performs that need this rule, so it's not something we can fix by just changing some wording somewhere. I'll need to better understand what this function does and doesn't do... once I have time I'll catch up on Zulip and have some questions there. |
So conclusion: From I would prefer to wait for now, I will definitely find time to make some experiments in Rust and see how we can implement poisoning there. |
Using wasm-bindgen, a wasm module can be resumed after abort by calling into it again from JavaScript. This violates Rust's soundness preconditions: abort must terminate forward progress.
The wasm component model prevents wasm modules from being reused in this way by locking out calls into them after a module has trapped. However, wasm bindgen runs on wasm itself, which lacks this safeguard.
It is likely that wasm-bindgen should be implementing the check that poisons calls into it, or shuts off access in any other way. Even if this were implemented upstream for all users of wasm32-unknown-unknown, it would be best for wasm-bindgen to deprecate any interfaces that serve primarily to expose this route to unsound interactions to userspace. The ability to throw JavaScript exceptions has been called out as a likely example.
Also see:
The text was updated successfully, but these errors were encountered: