Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate Module Artifacts (CLI + WASIX ModuleCache) #3693

Merged
merged 2 commits into from
Mar 31, 2023
Merged

Validate Module Artifacts (CLI + WASIX ModuleCache) #3693

merged 2 commits into from
Mar 31, 2023

Conversation

theduke
Copy link
Contributor

@theduke theduke commented Mar 20, 2023

  • wasix: Use validation when loading serialized modules
  • cli: Use validation when loading module artifacts

@theduke theduke requested a review from syrusakbary as a code owner March 20, 2023 22:57
syrusakbary
syrusakbary previously requested changes Mar 20, 2023
View reviewed changes
Copy link
Member

@syrusakbary syrusakbary left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not solving the caching problem in the proper way.

We should be fixing this function:
https://github.com/wasmerio/wasmer/blob/master/lib/types/src/serialize.rs#L103-L118

To use: rkyv::check_archived_value instead (note that you may need to enable the validation feature in rkyv)

@ptitSeb
Copy link
Contributor

ptitSeb commented Mar 21, 2023

I think this #3695 is relevant here.

@theduke theduke marked this pull request as draft March 21, 2023 11:00
@theduke theduke force-pushed the wasix-no-unsafe-archive branch 3 times, most recently from f1fd9ca to 33f3f2a Compare March 30, 2023 14:47
@theduke theduke requested a review from ptitSeb March 30, 2023 14:56
@theduke theduke force-pushed the wasix-no-unsafe-archive branch from 33f3f2a to d4c65d3 Compare March 30, 2023 14:59
@theduke
Copy link
Contributor Author

theduke commented Mar 30, 2023

Important modifications:

commit d4c65d3 (HEAD -> wasix-no-unsafe-archive, origin/wasix-no-unsafe-archive)
Author: Christoph Herzog [email protected]
Date: Thu Mar 30 15:36:00 2023 +0200

Switch wasi module cache and CLI to use validated module deserialization

Prevents undefined behaviour when loading modules.

This is a much saner default option, since loading modules without
validation can cause UB.

commit 6c7d172
Author: Christoph Herzog [email protected]
Date: Thu Mar 30 15:32:51 2023 +0200

feat: Implement validation for serialized modules

Implement validation of rykv serialized modules with the "validation"
feature which uses bytecheck.

Bumps the MAGIC VERSION of the serialization header , because some
format changes were required.
(mostly setting an explicit repr() for enums)

Also updates various APIs to add unsafe methods as
"dangerous_deserialize_unchecked", deprecate the old unsafe "deserialize" methods
and to add new "deserialize_checked" methods

@theduke
Copy link
Contributor Author

theduke commented Mar 30, 2023

Also enabled rkyv strict mode by default, as requested in #3695 .

I think we want this on by default.

@theduke theduke marked this pull request as ready for review March 30, 2023 15:05
ptitSeb
ptitSeb approved these changes Mar 30, 2023
View reviewed changes
Copy link
Contributor

@ptitSeb ptitSeb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the dangerous_ prefix is too much. The _checked/_uncheckedis enough I think (especialy since it was "unchecked" since the beggining...

@theduke theduke force-pushed the wasix-no-unsafe-archive branch from 58e34bb to 88de5c2 Compare March 30, 2023 18:19
@theduke
Copy link
Contributor Author

theduke commented Mar 30, 2023

I rather like the dangerous_ prefix, because it really makes the user notice "hey, really don't do this unless you are sure you want it".

But I don't mind much either way.
Thoughts, @syrusakbary ?

syrusakbary
syrusakbary reviewed Mar 30, 2023
View reviewed changes
lib/api/src/module.rs Outdated Show resolved Hide resolved
syrusakbary
syrusakbary reviewed Mar 30, 2023
View reviewed changes
Copy link
Member

@syrusakbary syrusakbary left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a better take. Rather than making deserialize unsafe and deprecated, we will make deserialize to call deserialize_checked and deserialize_unchecked as dangerous_deserialize_unchecked. Thoughts @theduke ?

@theduke
Copy link
Contributor Author

theduke commented Mar 31, 2023
edited
Loading

I don't think we want to change the behaviour of an existing funciton in a minor bump.

I'll just revert the renames and we can tackle that for 4.0.

@theduke theduke force-pushed the wasix-no-unsafe-archive branch 4 times, most recently from 076d350 to 484c002 Compare March 31, 2023 11:18
@theduke theduke dismissed syrusakbary’s stale review March 31, 2023 11:36

Properly implemented now.

@theduke theduke requested a review from ptitSeb March 31, 2023 11:37
theduke added 2 commits March 31, 2023 13:58
@theduke
feat: Implement safe, checked module artifact deserialization
1d4228b 
Enable rkyv validation of serialized module artifacts.

Required additions:
* derive the required CheckBytes trait for all types
* Add `_checked` variants of all the deserialization functions

Also enables the `strict` feature of rkyv by default.
This will ensure consistent archive binary layout across architectures
and Rust compiler versions.
@theduke
Switch wasi module cache and CLI to use validated module deserialization
03f6cad 
Prevents undefined behaviour when loading modules.

This is a much saner/safer default option, since loading modules without
validation can cause UB and segfaults.
@ptitSeb
Copy link
Contributor

ptitSeb commented Mar 31, 2023
edited
Loading

This is quite the oposite as the "dangerous_" one now. I would have created _unchecked high level variant with the current code, left the current one to just call the _unchecked and mark the current one as deprecatedand to use eithet _unchecked or _checked (to realy introduce the new versions)
Else, I'm unsure many will une the newly _checked version.

But I'm fine with current version, is just that I'm unsure it's enough this time.

@theduke theduke force-pushed the wasix-no-unsafe-archive branch from 484c002 to 03f6cad Compare March 31, 2023 11:58
@theduke
Copy link
Contributor Author

theduke commented Mar 31, 2023
edited
Loading

Syrus didn't want to deprecate methods, and I think adding new methods without deprecating the old ones makes the API too confusing and messy.

@ptitSeb
Copy link
Contributor

ptitSeb commented Mar 31, 2023

fine with me

@theduke
Copy link
Contributor Author

theduke commented Mar 31, 2023

4.0 shouldn't be too far off anyway.

@theduke theduke mentioned this pull request Mar 31, 2023
Closed
@ptitSeb
Copy link
Contributor

ptitSeb commented Mar 31, 2023

4.0 shouldn't be too far off anyway.

Yes, but 4.0 is too late to remove function if they have not been marked as deprecated before.
That means it's for the 5.0 for now.

@theduke theduke enabled auto-merge (rebase) March 31, 2023 12:47
@theduke theduke merged commit 9579240 into master Mar 31, 2023
@theduke theduke deleted the wasix-no-unsafe-archive branch March 31, 2023 13:02
@theduke theduke mentioned this pull request Mar 31, 2023
Closed
@Michael-F-Bryan Michael-F-Bryan mentioned this pull request Apr 12, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@syrusakbary syrusakbary syrusakbary left review comments

@ptitSeb ptitSeb ptitSeb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@theduke @ptitSeb @syrusakbary