Stream: git-wasmtime

Topic: wasmtime / PR #9057 Validate import names given to `trapp...


Wasmtime GitHub notifications bot (Aug 01 2024 at 18:07):

elliottt opened PR #9057 from elliottt:trevor/validate-trappable-imports to bytecodealliance:main:

It's easy to accidentally use the generated name when passing names to the `trappable_imports` field of the `bindgen!` macro, yielding generated bindings that don't use the expected `trappable_error_type`. This PR adds some validation, ensuring that arguments to `trappable_imports` do parse as wit identifiers.

This is slightly more complicated than calling `wit_parser::validate_id` on each entry of the `trappable_imports` list, as those entries can also refer to methods and constructors. As such, each part is validated in those cases, ensuring that the resource and method parts are valid wit identifiers.

It doesn't appear that we have negative tests for `wasmtime-component-macro`, but I'm happy to add some if I've missed something there.

Wasmtime GitHub notifications bot (Aug 01 2024 at 18:07):

elliottt requested pchickey for a review on PR #9057.

Wasmtime GitHub notifications bot (Aug 01 2024 at 18:07):

elliottt requested wasmtime-core-reviewers for a review on PR #9057.

Wasmtime GitHub notifications bot (Aug 01 2024 at 18:07):

elliottt requested alexcrichton for a review on PR #9057.

Wasmtime GitHub notifications bot (Aug 01 2024 at 18:58):

elliottt edited PR #9057:

It's easy to accidentally use the generated name when passing names to the `trappable_imports` field of the `bindgen!` macro, yielding generated bindings that don't use the expected `trappable_error_type`. This PR adds some validation, ensuring that arguments to `trappable_imports` do parse as wit identifiers.

This is slightly more complicated than calling `wit_parser::validate_id` on each entry of the `trappable_imports` list, as those entries can also refer to methods and constructors. As such, each part is validated in those cases, ensuring that the resource and method parts are valid wit identifiers.

It doesn't appear that we have negative tests for `wasmtime-component-macro`, but I'm happy to add some if I've missed something there.

Wasmtime GitHub notifications bot (Aug 01 2024 at 18:58):

elliottt edited PR #9057:

It's easy to accidentally use the generated name when passing names to the `trappable_imports` field of the `bindgen!` macro, yielding generated bindings that don't use the expected `trappable_error_type`. This PR adds some validation, ensuring that arguments to `trappable_imports` do parse as wit identifiers.

This is slightly more complicated than calling `wit_parser::validate_id` on each entry of the `trappable_imports` list, as those entries can also refer to methods and constructors. As such, each part is validated in those cases, ensuring that the resource and method parts are valid wit identifiers.

It doesn't appear that we have negative tests for `wasmtime-component-macro`, but I'm happy to add them if I've missed something there.

Wasmtime GitHub notifications bot (Aug 01 2024 at 19:48):

alexcrichton commented on PR #9057:

I realize it'd be more difficult, but would you be up for seeing how to validate that all the entries in this list are used in addition to them being valid? Or rather validation wouldn't be required if they're validated to be used. IIRC we already require that all `with` entries are used so it might be possible to reuse logic there perhaps?

I ask this because it feels like the most robust solution here in terms of ensuring we actually use all of the input and helping to catch typos/misconfiguration.

Also as for negative tests you're right in that we don't have any. They're unfortunately difficult to add because rustc's output changes over time, but we should probably look into adding them at some point in the future.

Wasmtime GitHub notifications bot (Aug 01 2024 at 21:23):

elliottt commented on PR #9057:

> I realize it'd be more difficult, but would you be up for seeing how to validate that all the entries in this list are used in addition to them being valid? Or rather validation wouldn't be required if they're validated to be used. IIRC we already require that all `with` entries are used so it might be possible to reuse logic there perhaps?

Yep, I'll have a look at doing that instead :+1:

Wasmtime GitHub notifications bot (Aug 01 2024 at 22:48):

elliottt updated PR #9057.

Wasmtime GitHub notifications bot (Aug 01 2024 at 22:57):

elliottt commented on PR #9057:

I've reworked it to track the import names that get used, and check that all names specified in the list initially get used. If none are used, a similar error to the handling of the `with` clause will be reported.

One wrinkle here is that I had to mark names as used if `can_trap` returned true, rather than only if it was a name that had a trappable return type. With the more strict interpretation the tests fail, as we test cases where names mentioned in the list don't have any return type. I'm not sure that requiring names in `trappable_imports` have a trappable error is useful, given that names can overlap between different interfaces.

Wasmtime GitHub notifications bot (Aug 02 2024 at 14:02):

alexcrichton submitted PR review:

Looks reasonable to me!

Wasmtime GitHub notifications bot (Aug 02 2024 at 14:02):

alexcrichton created PR review comment:

Could this be added to `special_case_trappable_error`? (perhaps by updating that to take `&Function`)?

Wasmtime GitHub notifications bot (Aug 02 2024 at 14:02):

alexcrichton created PR review comment:

Mind updating these docs?

Wasmtime GitHub notifications bot (Aug 02 2024 at 15:27):

elliottt updated PR #9057.

Wasmtime GitHub notifications bot (Aug 02 2024 at 15:56):

elliottt requested alexcrichton for a review on PR #9057.

Wasmtime GitHub notifications bot (Aug 02 2024 at 15:57):

elliottt edited PR #9057:

It's easy to accidentally use the generated name when passing names to the `trappable_imports` field of the `bindgen!` macro, yielding generated bindings that don't use the expected `trappable_error_type`. This PR adds some validation, ensuring that arguments to `trappable_imports` are used during binding generation and raising an error if any are ignored.

It doesn't appear that we have negative tests for `wasmtime-component-macro`, but I'm happy to add them if I've missed something there.

Wasmtime GitHub notifications bot (Aug 02 2024 at 16:12):

alexcrichton submitted PR review.

Wasmtime GitHub notifications bot (Aug 02 2024 at 16:27):

alexcrichton merged PR #9057.


Last updated: Dec 23 2024 at 12:05 UTC