-
Notifications
You must be signed in to change notification settings - Fork 690
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Discuss implementation defined behavior #75
Comments
Our present answers:
There's also:
|
|
AstSemantics.md has the full scoop. Shift counts are unsigned, unmasked, unclamped, and not treated as zero unless they are zero. |
A few more things:
Unless I've missed something, this is a comprehensive list of incompletely specified behavior in the language itself, at present. |
On Wed, May 20, 2015 at 4:30 AM, Dan Gohman notifications@github.com
|
Another thing:
|
I created #87 to start a document collecting the list here. |
I'm hoping that we can explain UB as a progressive filtering: C++ has wide UB, the compiler narrows it somehow, sanitizers can narrow it more, and then wasm filters it more into implementation-defined behavior. |
I agree, that sounds useful. |
On the other hand, this isn't specific to WebAssembly; it's just how C++ works, on any platform. So while there's value in explaining how C++ works to C++ developers, it's not clear where this would fit into the WebAssembly documentation. |
I think it's important that we limit the scope of undefined behavior or -B On Mon, Jun 1, 2015 at 8:16 PM, Dan Gohman notifications@github.com wrote:
|
And we do have pretty good control flow integrity, since return addresses are stored on the trusted stack and can't be clobbered, and indirect calls will always call into the beginning of some function, never into the middle of a function or into garbage memory. We should advertise this more in the documentation. However, we can't change C++ itself. After a program is compiled to wasm, its behavior will be relatively fixed (races and other documented details notwithstanding), but before that, C++ optimizers are known to take extensive advantage of the threat of nasal demons, and can trash half the heap if they think they're optimizing something. |
On Tue, Jun 2, 2015 at 3:56 AM, Dan Gohman notifications@github.com wrote:
Agree; nasal demons are C++ compiler territory; we should just make this -B
|
#102 is an attempt at addressing the concerns discussed here. |
I'd like to capture a point I made in #102: I'm not sure that we want to guarantee that there is a trusted call stack, that branches always have a valid destination, or that an application can't clobber the call stack. In the context of running untrusted code on the web we definitely want this guarantee, but I see it as an implementation detail. We should make it possible to implement Web Assembly with entirely different sandboxes, or under entirely different security models. Two examples:
|
Linking to issue #105: Alignment will probably require implementation-defined behavior. |
@jfbastien does #102 address the concerns here, or is there more you'd like to do here? |
I'll want to revisit this with @davidsehr and others, but that can wait until after going public. Let's just leave it open for now, and try to close before MVP. |
Closing along with #107 being closed. |
This issue was actually addressed by the following text: |
Opening this bug so I go back and write documentation about this.
We want to avoid all forms of undefined behavior which can lead to nasal demons, and instead discuss how the wasm platforms allows for implementation defined behavior and what acceptable behavior is.
C/C++ UB is progressively refined by the compiler, and can be affected by tools such as sanitizers. The wasm platform then nails down some behaviors and leaves other open to the implementation. The implementation can then decide, based on the OS/ISA it's executing on, what the behavior is.
Note that behaviors include: "what happens if an enum is out of range", "shift by bitwidth or larger", "what do out-of-bounds accesses do", "what about unaligned accesses", "data races", and much more exciting things!
As a reference PNaCl has a non-comprehensive list of undefined behavior.
The text was updated successfully, but these errors were encountered: