New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weβll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WK2] Drop use of fixed-width types for size values in ArgumentCoder specializations #8781
Conversation
EWS run on previous version of this PR (hash 9ae8312) |
return; | ||
} | ||
|
||
encoder << static_cast<uint32_t>(string.length()); | ||
encoder << validateType<size_t>(string.length()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
encode.template encode<size_t>(string.length());
Which is more appropriate? I don't know..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Idea was to have compile-time validation of what the expected type returned by the size accessor is. This approach does it through a templated pass-through, avoiding adding static asserts everywhere.
Along with compile-time validation, it also specifies clearly the type that's going into the encoder, giving clear indication of the type that's expected on the decoding side. Just extra assurance against any future changes that might unknowingly end up tweaking these parts.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, that part is good.
What I mean is that there's an option:
Either:
a) validate via encoder << validateType<size_t>(...)
Or:
b) enforce via encode.template encode<size_t>(...)
Or:
c) enforce via encoder << static_cast<size_t>(..)
So the question is why validate instead of enforce?
If the enforce would be missing, in that case the validate would be missing aswell, so there's no additional security guarantee ?
Maybe the benefit of validate would be if there are warnings of redundant static_casts?
Or that we think that a developer will remove the redundant static cast?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Validating, as done here, forces adjustment to the type that's returned by the size accessor, no unwitting conversion to anything else allowed. It's a bit clunky to work with, and as seen it doesn't really cause anything to be fixed at the moment.
Enforcing can, on integer types, cause problematic conversions. But at the moment I think that's not happening in any of these specializations, so I would just switch to that. b) seems nicest, and it allows to eventually implement validation in a more refined way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought encoder.template encoder<T>()
exists, but it doesn't. Can be added later. Going with c).
9ae8312
to
e44e2be
Compare
EWS run on current version of this PR (hash e44e2be) |
β¦specializations https://bugs.webkit.org/show_bug.cgi?id=250777 Reviewed by Kimmo Kinnunen. Instead of finding better or worse fixed-sized-type matches for size values in different ArgumentCoder specializations, the types of those size values should be used. This means simply encoding values of size_t or unsigned types. The target type of the size value should be noted in the code, just to provide the necessary context of what is being encoded and have it match the decoding side. This means the size type is explicitly used either in any temporary variable where the value is stored, or an additional static_cast is used to explicitly specify the type when the value is passed to the stream insertion operator. This still leaves open the possibility of using mismatched types, i.e. the size value type not matching what the encoding enforces. Some sort of validation could be implemented in the encoder class to make sure no undesired narrowing conversions occur. * Source/WebKit/Platform/IPC/ArgumentCoders.cpp: (IPC::ArgumentCoder<CString>::encode): (IPC::ArgumentCoder<CString>::decode): (IPC::ArgumentCoder<String>::encode): (IPC::decodeStringText): (IPC::ArgumentCoder<String>::decode): (IPC::ArgumentCoder<StringView>::encode): * Source/WebKit/Platform/IPC/ArgumentCoders.h: Canonical link: https://commits.webkit.org/259488@main
e44e2be
to
d5514af
Compare
Committed 259488@main (d5514af): https://commits.webkit.org/259488@main Reviewed commits have been landed. Closing PR #8781 and removing active labels. |
d5514af
e44e2be