Allow Wasm to neuter the constructor for a generated TO struct that has (ref T) typed fields

RESOLVED FIXED in Firefox 63

Status

()

enhancement
P3
normal
RESOLVED FIXED
9 months ago
9 months ago

People

(Reporter: lth, Assigned: lth)

Tracking

unspecified
mozilla63
Points:
---

Firefox Tracking Flags

(firefox63 fixed)

Details

Attachments

(1 attachment)

(Assignee)

Description

9 months ago
For now, we don't want to deal with type export from a wasm module, so we must not expose functionality that allows JS to store pointers into TO fields that have type constraints more specific than 'anyref'.

As the constructor for a type can be obtained from the instance of the type, and the constructor can be used to perform such a store, we must be able to mark the constructor as not-invokable.
(Assignee)

Comment 1

9 months ago
This seems to be sufficient except for the following, which I think we should clean up:

The MUTABLE flag that was introduced in bug 1478982 is only really used on primitive fields right now and does double duty here as a CONSTRUCTIBLE flag.  I don't actually think this is a great idea since the current TO system can have fields of struct type and those fields can be immutable, while those struct types can themselves be full object types where they will need an independent bit to indicate constructibility.  Instead of introducing a bunch of single-bit slots on the object we should shift to a flag vector and then we'll use fewer slots and have greater flexibility.
Attachment #8996249 - Flags: feedback?(till)
Comment on attachment 8996249 [details] [diff] [review]
bug1479718-neuter-to-constructor.patch

Review of attachment 8996249 [details] [diff] [review]:
-----------------------------------------------------------------

I agree that it'd be nice to clean up the flags situation. I'd be entirely ok with landing this as-is in the meantime, however: it doesn't seem strictly necessary to clean this up as a precondition to landing. I'll of course not stand in the way of doing the cleanup, but r=me, with or without nit addressed, just in case :)

::: js/src/builtin/TypedObject.h
@@ +334,5 @@
>          return getReservedSlot(JS_DESCR_SLOT_TYPROTO).toObject().as<TypedProto>();
>      }
> +
> +    bool allowConstruct() const {
> +        bool b = getReservedSlot(JS_DESCR_SLOT_ALLOW_CONSTRUCT).toBoolean();

Nit: could just return the result of toBoolean directly.
Attachment #8996249 - Flags: feedback?(till) → review+

Comment 3

9 months ago
Pushed by lhansen@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1cd14797e7cc
Allow Wasm to prevent a TypedObject constructor from being invoked from JS. r=till

Comment 4

9 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/1cd14797e7cc
Status: ASSIGNED → RESOLVED
Last Resolved: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
You need to log in before you can comment on or make changes to this bug.