Question: capabilities, externref, and the C language #537
Comments
|
Your summary of the current state of affairs sounds reasonable to me. Remember that there are many languages that can/will target WASI, and not all of them have the same limitations that C/C++ does. The only work I know of that is happening with adding such support to the C/C++ frontend is the work being done by igalia here: https://github.com/Igalia/ref-cpp. Some of that work has landed already, but IIUC there followup work to make it really usable has been put on hold. Somebody with time/energy to invest in it you could potentially try to push it forward. Also, even if all the work in https://github.com/Igalia/ref-cpp is completed it would not help with the wasi-libc problem that you are refering too since we cannot change the type signature of the core C library functions open/close/read/write without breaking existing code. Existing code expects |
Interesting, so it's not just an ABI break but an actual API break because people write int fd = open(...)it's a bit too bad that the file descriptors weren't typed as a newtype of some sort so that it would be possible to only break API and not ABI. Of course that would have negative consequences for porting pre-existing posix code but it seems to be the worst of both worlds to break posix but not get actual "fine grained capabilities"... Perhaps one could use a compiler flag to choose between a future |
|
Even if file descriptors in POSIX had been some form of newtype, I expect we'd still be in this position, because However, in source languages which support user-defined newtypes, it is possible to wrap up a handle index that you'll get from the component model canonical ABI in a newtype, and then the source-language-level type system can enforce finer-grained capabilities. For example, in Rust |
Back in 2019 in #109 @sbc100 and @sunfishcode had this interaction:
I am curious whether my understanding of the state of affairs is correct:
externrefs?More specifically, the key idea of capabilities as I understand it is that they are supposed to be unforgeable even within wasm modules. So that if a particular wasm function does not have access to the capability either as a global or as an argument, it cannot access it at all even if other wasm functions in the same module can access the capability.
But in the case of file descriptors, currently wasi-libc does
typedef uint32_t __wasi_fd_t;meaning that a file descriptor is just a number and a function only has to guess the number in order to access the backing stream. In @sunfishcode's terms, this is a ghost. The only way to get around this is to havetypedef externref __wasi_fd_t;but there is currently no way to express this in valid C code.Is this state of affairs correct? Is it documented anywhere? And is anyone working on adding
externrefsupport to C? Based on my understanding, this seems pretty important to the success of wasi as a project. Although using the webassembly module as the barrier for capabilities works fine and does not requireexternref.The text was updated successfully, but these errors were encountered: