Quick rant about memory safety and #WebAssembly
First off, what *is* memory safety? It's a slippery term but there's at least two core principles:
- Temporal safety: No allocation can be accessed after it is freed (failure mode: use-after-free)
- Spatial safety: No reference to an allocation can be used to access memory outside the allocated range (failure mode: buffer overflow)
#WebAssembly is memory safe because a module instance allocates all of its memory at once and is bounds checked, so it enjoys the two properties. A good way to think is: "The Module object is memory safe". wasm protects the surrounding system from whatever the wasm code is doing.
While wasm is memory-safe, your code, compiled to wasm, may not be.
If you compile old openSSL to wasm via emscripten, it's still vulnerable to heartbleed!
When you compile C code to wasm, it has its own notion of allocation (malloc). All heap allocations happen within the Wasm linear memory, with nothing to enforce the boundary between allocations or to prevent use-after-free. Just like when you normally write C.
Unfortunately, memory-safety in C is not something we can always verify statically, it's a dynamic property of the program which means enforcing it has cost. With the use of "page-table magic" we can get these properties with middling but not awful overhead. See "Oscar" from UCB
But in wasm, we don't have access to page table syscalls. The memory model is much simpler. And so, wasm is actually a step backward for memory-safe C code. Languages like #rustlang that provide static guarantees can produce performant memory safe programs in wasm.
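A constructed model of the thread's point, added here as an example and not code from the thread's author: the engine's check guards only the module boundary, so a C heap overflow from one malloc'd block into its neighbour inside linear memory goes through, while a per-allocation check refuses it. The allocator, `module_store` and `checked_store` are assumptions standing in for the real engine and libc.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model: a module's linear memory plus a bump allocator standing in
 * for the malloc that emscripten links into the module. */
#define LINEAR_MEMORY_SIZE 256
static uint8_t linear_memory[LINEAR_MEMORY_SIZE];
static size_t bump = 0;
typedef struct { size_t base; size_t len; } alloc_t;

/* The engine's bounds check: any address inside the module's memory is accepted. */
int module_store(size_t addr, uint8_t v) {
    if (addr >= LINEAR_MEMORY_SIZE) return -1; /* engine traps; the host stays safe */
    linear_memory[addr] = v;
    return 0;
}
/* Blocks are laid out back to back, with nothing marking where one ends. */
alloc_t wasm_malloc(size_t n) {
    alloc_t a = { bump, n };
    bump += n;
    return a;
}
/* Per-allocation bounds check, the kind a sanitizer or fat pointer would add. */
int checked_store(alloc_t a, size_t off, uint8_t v) {
    if (off >= a.len) return -1; /* refused before the engine ever sees it */
    return module_store(a.base + off, v);
}
static void reset(void) { bump = 0; memset(linear_memory, 0, sizeof linear_memory); }

/* Write 12 bytes into an 8-byte block with only the engine's check in place.
 * Returns how many bytes of the neighbouring block were overwritten. */
int unchecked_overflow_clobbers(void) {
    reset();
    alloc_t a = wasm_malloc(8);
    alloc_t b = wasm_malloc(8);
    for (size_t i = 0; i < b.len; i++) module_store(b.base + i, 0xBB);
    for (size_t i = 0; i < 12; i++) module_store(a.base + i, 0xAA); /* no trap */
    int clobbered = 0;
    for (size_t i = 0; i < b.len; i++) clobbered += linear_memory[b.base + i] == 0xAA;
    return clobbered;
}
/* The same write through the per-allocation check: returns how many were refused. */
int checked_overflow_rejected(void) {
    reset();
    alloc_t a = wasm_malloc(8);
    int rejected = 0;
    for (size_t i = 0; i < 12; i++) rejected += checked_store(a, i, 0xAA) != 0;
    return rejected;
}
```

The four bytes that spill past the first block land in the second one without any trap, which is exactly the heartbleed-style situation the thread describes; only a store that was out of the whole module's memory would be caught.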
Rust will produce memory safe programs only if the compilation tool chain is bug-free, if the unsafe keyword is never used, and if applications don’t implement any kind of custom allocators (including pools, slabs, etc).
For sure, rust offers escape hatches that are still allowed to bite you. Rust has official custom allocators now, so you can still get memory safety if your allocator fulfills some basic rules (no overlapping & proper size). Re: toolchain, we only have to be free of specific bugs.