Stream: wasi

Topic: ✔ string buffer soundness


view this post on Zulip Pavel Šavara (Aug 01 2024 at 20:22):

I would like to know if the guest component could rely on the soundness/validity of provided buffer being valid UTF-16/UTF-8.

When 2 components send each other string and the host could "do fused adapter"
Is the host (wasmtime, jco) responsible for validating the buffer ?
Or should the guest component (in our case dotnet) be responsible to validate strings ?

Is that defined in the spec ?

I found soundness discussion here, but I'm not sure what's the latest.
https://github.com/WebAssembly/interface-types/issues/128

Consider that if the host would do it, it could be implemented possibly in more optimized way than the guest could do it.

On the other hand, if it's guest's responsibility I'm not sure that declaring my component to be UTF-16 makes significant perf benefit (because I need to scan/parse the bytes again anyway).

This question is in context of code generated by wit-bindgen for C#

cc @Joel Dice

After a few recent conversations with @RossTate and @fgmccabe where this came up, I wanted to share my thoughts about how I see the relationship between Interface Types and core WebAssembly and see...

view this post on Zulip Joel Dice (Aug 01 2024 at 20:24):

Tracing through the Wasmtime code, I can see that fused adapters call into the host to perform both validation and copying, so @Pavel Šavara and I are wondering if it's required by the spec to do that validation, i.e. can the guest rely on it?

view this post on Zulip Alex Crichton (Aug 01 2024 at 20:48):

Yes a guest is guaranteed that all bytes it receives are a valid encoding

view this post on Zulip Alex Crichton (Aug 01 2024 at 20:49):

Wasmtime doesn't validate strings going into a guest from the host but that's only because Rust provides the guarantee invalid utf8

view this post on Zulip Joel Dice (Aug 01 2024 at 20:50):

Thanks. Is the guarantee made explicit in e.g. https://github.com/WebAssembly/component-model/blob/main/design/mvp/CanonicalABI.md? I couldn't find it.

Repository for design and specification of the Component Model - WebAssembly/component-model

view this post on Zulip Alex Crichton (Aug 01 2024 at 20:52):

In load_string_from_range the UnicodeError and trap() handle this

view this post on Zulip Alex Crichton (Aug 01 2024 at 20:52):

Where all strings are always valid and the only constructor in the abi is a lift operation

view this post on Zulip Alex Crichton (Aug 01 2024 at 20:53):

We really need a "canonical abi intro" document

view this post on Zulip Milan (Aug 02 2024 at 13:05):

FWIW this issue goes into the same question: https://github.com/WebAssembly/component-model/issues/224

Forgive me if I'm missing it, but is there a discussion of how the Unicode UTR 36: UTF-8 Exploits are addressed by the component model strings? From what I can tell looking at the CanonicalABI it l...

view this post on Zulip Notification Bot (Aug 02 2024 at 13:27):

Pavel Šavara has marked this topic as resolved.


Last updated: Dec 23 2024 at 12:05 UTC