Sorry that I didn't explain more! It's safe for within the same security regime, and of course it's mostly[1] safe to copy *from* these types. However, it's not necessarily safe to copy *to* these types if you don't trust the source of the copy, such as receiving untrusted bytes from over IPC. Generally speaking C++ only guarantees the behavior of operations on type T for objects that are backed by valid-for-T bits. * If you memcpy 0x02 into a bool, things can get weird from what I can tell? * Our serialization code does generally specialize for `bool`, but `is_trivially_copyable<bool>::value` is `true`, as would any struct-of-bools be. * If you cast an out-of-bounds value to an enum, that's actually totally valid C++. (even though it's also valid C++ to exhaustively enumerate an enum without having a default label. . .) * Copying padding bytes can be a vulnerability vector (this caveats [1]) We also of course have the more general problem of (struct) invariants, such that not every possible bit pattern represents a safe and valid struct. I think this is generally a different level of problem, and that what we're wanting here is to have safe transit of scalarizeable structs. (We have a lot of code that assumes `gfx::IntSize`s are non-negative, and would break if you copied in bits from rand()) I have an approach that makes it fairly easy to serialize structs field by field, adds bool and enum handling for fields of structs, and also adds a new safe approach for enum validation. (And generally tries to move such things closer to the struct declaration, rather than being spread between files)
Bug 1778808 Comment 2 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Sorry that I didn't explain more! It's safe for within the same security regime, and of course it's mostly[1] safe to copy *from* these types. However, it's not necessarily safe to copy *to* these types if you don't trust the source of the copy, such as receiving untrusted bytes from over IPC. Generally speaking C++ only guarantees the behavior of operations on type T for objects that are backed by valid-for-T bits. * If you memcpy 0x02 into a bool, things can get weird from what I can tell? * Our serialization code does generally specialize for `bool`, but `is_trivially_copyable<bool>::value` is `true`, as would any struct-of-bools be. * If you cast an out-of-bounds value to an enum, that's actually totally valid C++. (even though it's also valid C++ to exhaustively enumerate an enum without having a default label. . .) * Copying padding bytes can be a vulnerability vector (this caveats [1]) We also of course have the more general problem of (struct) invariants, such that not every possible bit pattern represents a safe and valid struct. (E.g. We have a lot of code that assumes `gfx::IntSize`s are non-negative, and would break if you copied in bits from rand()) I think this is generally a different level of problem, and that what we're wanting here is to have safe transit of scalarizeable structs. I have an approach that makes it fairly easy to serialize structs field by field, adds bool and enum handling for fields of structs, and also adds a new safe approach for enum validation. (And generally tries to move such things closer to the struct declaration, rather than being spread between files)