caelunshun opened PR #9697 from caelunshun:cranelift-entity-bytemuck
to bytecodealliance:main
:
Adds optional implementations of
Pod
andZeroable
forEntityList
andPackedOption
.This helps avoid some unsafe code in my downstream crates.
caelunshun requested abrown for a review on PR #9697.
caelunshun requested wasmtime-compiler-reviewers for a review on PR #9697.
caelunshun requested wasmtime-default-reviewers for a review on PR #9697.
caelunshun updated PR #9697.
@cfallin, you want to take this review?
cfallin requested cfallin for a review on PR #9697.
cfallin commented on PR #9697:
@abrown Will do!
cfallin submitted PR review:
Thanks for the PR, @caelunshun!
I have a specific comment below, but also a higher-level thought: in general we try to avoid taking on dependencies, even optional ones, because it adds to our vetting overhead (you can see the
cargo vet
failure in CI here; one of us would have to go and read thebytemuck
sources to vet it) and just in general adds complexity. In particular here I'm somewhat concerned that this crate permits unsafe low-level casting and is claiming additional properties about our data structures; they may be true today, or may not (see comment), but we're also taking on additional burden reasoning about and upholding these properties going forward.For your particular use-case, would it be a possible alternative for you to wrap whatever types need these trait impls in your own types, and impl them locally? That way you could carry the maintenance task of ensuring the properties still hold, and of vetting dependencies, without adding those overheads here. Curious what you think.
cfallin created PR review comment:
This is a valid argument for the soundness of
Pod
, but not ofZeroable
, as far as I can tell, right? In fact an all-zero-bitsEntityList
is not guaranteed to be valid at all, and we don't otherwise allow the existence ofEntityList
values that are "dangling"...
caelunshun created PR review comment:
For this specific comment, an all-zero-bits
EntityList
is sound to create; in fact the existingDefault
implementation already does so (the docs there say it creates an empty list).
caelunshun submitted PR review:
Thanks for the review. Yes, not wanting to take on extra dependencies makes sense; I wasn't aware of the vetting policy.
From my impression
bytemuck
is a fairly central ecosystem crate, seeing use in security-conscious projects like Servo and wgpu, and is also vetted for use in Google's projects. And givencranelift-entity
's applications outside of Wasmtime, integrating with the broader ecosystem would make sense to me. But it's not a big deal to me one way or the other.As for your comment about guaranteeing a particular representation, the docs already do so implicitly, with
EntityList
being described as a singleu32
andPackedOption<T>
being a trivial wrapper aroundT
. So implementing these traits incranelift-entity
just allows downstream crates to take advantage of this layout without unsafe code that could silently break with a version bump.The reason I couldn't write a newtype around
cranelift-entity
types and implementPod
is because their layout is not currently guaranteed; the upstream types would need to berepr(C)
orrepr(transparent)
(as changed in this PR) for that to be sound. I could change the PR to simply add theserepr
annotations and not thebytemuck
dependency if you like.
cfallin submitted PR review.
cfallin created PR review comment:
Ah, yes, you're right; I had forgotten that we use zero as an empty-list sentinel here. Thanks!
cfallin commented on PR #9697:
Thanks for the additional detail! Given all that, I think the deciding factor for me is the vetting overhead: we apparently don't pull in that Google vet (or it's not sufficient for our required level?) and I don't have cycles to go read all of
bytemuck
and convince myself of its correctness right now, so I think I'd prefer to see this be a minimal PR that adds the necessaryrepr
directives to structs instead and documents invariants (zero-valued sentinels, etc) appropriately. I'd be happy to approve and merge such a PR.
caelunshun updated PR #9697.
caelunshun updated PR #9697.
Last updated: Dec 23 2024 at 12:05 UTC