Add a check to command modules to ensure that they're only started once. #329
+10
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sbc100
reviewed
Sep 30, 2022
libc-bottom-half/crt/crt1-command.c
Outdated
| @@ -3,8 +3,20 @@ extern void __wasm_call_ctors(void); | |||
| extern int __main_void(void); | |||
| extern void __wasm_call_dtors(void); | |||
|
|
|||
| // Commands should only be called once per instance. This simple check ensures | |||
| // that the `_start` function isn't started more than once. `address_space(1)` | |||
| // tells clang to put this variable in a wasm global. | |||
There was a problem hiding this comment.
Does that actually work? It seems a little risky to depend on this now. Why not just is a simple static?
There was a problem hiding this comment.
No big reason; and depending on it breaks LLVM 11, which we still support for now, so I'll switch to a static.
libc-bottom-half/crt/crt1-command.c
Outdated
| if (started != 0) { | ||
| __builtin_trap(); | ||
| } | ||
| started = 0; |
There was a problem hiding this comment.
Seems like it would be good place for #ifndef NDEBUG but we don't have a debug version of libc yet IIUC
There was a problem hiding this comment.
I care about code size, but this is just a few bytes. And this hazard comes up in both component use cases and JS embedding use cases, where creating an instance is separated from running the command and there's no other way to prevent the command from being run multiple times, causing UB.
Wasm command modules should only be called once per instance, because the programming model doesn't leave linear memory in a reusable state when the program exits. As use cases arise for loading wasm modules in environments that want to treat them like reactors, add a safety check to ensure that command modules are used according to their expectations.
sunfishcode
force-pushed
the
sunfishcode/command-called-once
branch
from
8f56960 to
2323070
Compare
sbc100
approved these changes
Sep 30, 2022
libc-bottom-half/crt/crt1-command.c
Outdated
| if (started != 0) { | ||
| __builtin_trap(); | ||
| } | ||
| started = 0; |
|
Oops; fixed. |
john-sharratt
pushed a commit
to john-sharratt/wasix-libc
that referenced
this pull request
Mar 6, 2023
…ce. (WebAssembly#329) * Add a check to command modules to ensure that they're only started once. Wasm command modules should only be called once per instance, because the programming model doesn't leave linear memory in a reusable state when the program exits. As use cases arise for loading wasm modules in environments that want to treat them like reactors, add a safety check to ensure that command modules are used according to their expectations.
john-sharratt
pushed a commit
to john-sharratt/wasix-libc
that referenced
this pull request
Mar 6, 2023
…nce (WebAssembly#388) Calling _initialize multiple times is undefined behavior, since the ctors are not guaranteed to be idempotent. We should have this safety check which is similar to WebAssembly#329.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Wasm command modules should only be called once per instance, because the programming model doesn't leave linear memory in a reusable state when the program exits. As use cases arise for loading wasm modules in environments that want to treat them like reactors, add a safety check to ensure that command modules are used according to their expectations.