Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Soundness bug with Send+Sync implementations in the browser #4158

Open
Michael-F-Bryan opened this issue Aug 17, 2023 · 0 comments
Open

Soundness bug with Send+Sync implementations in the browser #4158

Michael-F-Bryan opened this issue Aug 17, 2023 · 0 comments
Labels
🚨 breaking change This Issue or PR involves a breaking change 📦 lib-api About wasmer priority-high High priority issue 🔈soundness Bugs causing an unsound API
Milestone
v4.4

Comments

@Michael-F-Bryan
Copy link
Contributor

Describe the bug

It looks like we accidentally introduced a soundness bug in #3556 when adding Send+Sync bounds to things like wasmer::js::Module and wasmer::js::Memory.

Here's one example:

wasmer/lib/api/src/js/module.rs

Lines 48 to 57 in d53b9e2

// Module implements `structuredClone` in js, so it's safe it to make it Send.
// https://developer.mozilla.org/en-US/docs/Web/API/structuredClone
// ```js
// const module = new WebAssembly.Module(new Uint8Array([
// 0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00
// ]));
// structuredClone(module)
// ```
unsafe impl Send for Module {}
unsafe impl Sync for Module {}

The underlying assumption is that because a type implements structuredClone it's fine to implement Send and Sync.

However, structuredClone only applies when sending values to a worker using postMessage.

If you use any other method to transfer a value to another thread (e.g. channels) then the underlying JsValue will point to the wrong object on that thread's wasm-bindgen "heap" and you'll have a bad time.

Additional context

See the conversation on Slack for more
@Michael-F-Bryan Michael-F-Bryan added 🔈soundness Bugs causing an unsound API 📦 lib-api About wasmer priority-high High priority issue 🚨 breaking change This Issue or PR involves a breaking change labels Aug 17, 2023
@Michael-F-Bryan Michael-F-Bryan added this to the v4.1.2 milestone Aug 17, 2023
@Michael-F-Bryan Michael-F-Bryan mentioned this issue Aug 17, 2023
Closed
@ptitSeb ptitSeb modified the milestones: v4.1.2, v4.2 Aug 17, 2023
This was referenced Aug 28, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
🚨 breaking change This Issue or PR involves a breaking change 📦 lib-api About wasmer priority-high High priority issue 🔈soundness Bugs causing an unsound API
Projects
None yet
Milestone
v4.4
Development

Successfully merging a pull request may close this issue.

Remove Send and Sync from wasmer types backed by JavaScript objects wasmerio/wasmer
2 participants
@ptitSeb @Michael-F-Bryan