rustwasm / wasm-bindgen

Facilitating high-level interactions between Wasm modules and JavaScript

Home Page: https://rustwasm.github.io/docs/wasm-bindgen/

Does `MutSlice` handle empty boxed slices correctly?

djkoloski opened this issue

Summary

While auditing wasm-bindgen for import into Fuchsia, we tried to make sure that the call to `__wbindgen_copy_to_typed_array` in `src/convert/slices.rs` was safe even when `contents` is a box of an empty slice. That would make the pointer from it dangling, which could cause some bad behavior. We were unable to track down exactly what happens with that pointer. Can anyone offer some insight into how this intrinsic gets implemented? Is it safe to pass garbage pointers as long as the length of the slice is zero?

Additional Details

Review in progress

That intrinsic is defined here:

```rust
#[symbol = "__wbindgen_copy_to_typed_array"]
#[signature = fn(slice(U8), ref_externref()) -> Unit]
CopyToTypedArray,
```

And the JS for it is generated here:

```rust
Intrinsic::CopyToTypedArray => {
    assert_eq!(args.len(), 2);
    format!(
        "new Uint8Array({dst}.buffer, {dst}.byteOffset, {dst}.byteLength).set({src})",
        src = args[0],
        dst = args[1]
    )
}
```

So yes, it should be fine. `src` is a `Uint8Array` pointing to the raw bytes of the boxed slice in Rust (automatically created from Rust's `ptr` + `len` thanks to the `#[signature = fn(slice(U8), ref_externref()) -> Unit]` annotation), and `dst` is the original typed array that was passed to Rust. So if the boxed slice's length is 0, `src` and `dst`'s lengths will both be 0, and the `set` won't do anything.
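The zero-length case from the answer above, as an added JavaScript example (not code from this thread or from wasm-bindgen): it runs the quoted `set` expression with an empty `src` built from a dangling pointer, and also shows that `set` throws a `RangeError` when `src` is longer than `dst`, so the copy relies on the two lengths agreeing. The helper names, the `subarray`-based view construction, and the dangling pointer value 1 are assumptions made for this sketch.

```javascript
// Stand-in for the module's linear memory: one 64 KiB page.
const memory = new WebAssembly.Memory({ initial: 1 });

// Hypothetical helper: build the `src` view from Rust's (ptr, len) pair.
// subarray() clamps its bounds, so len == 0 yields an empty view for any ptr.
function viewOfRustSlice(ptr, len) {
  return new Uint8Array(memory.buffer).subarray(ptr, ptr + len);
}

// The expression quoted above from the CopyToTypedArray intrinsic.
function copyToTypedArray(src, dst) {
  new Uint8Array(dst.buffer, dst.byteOffset, dst.byteLength).set(src);
}

// Copy a Rust-side slice back into `dst` and report what happened.
function copyBack(ptr, len, dst) {
  try {
    copyToTypedArray(viewOfRustSlice(ptr, len), dst);
    return "ok";
  } catch (e) {
    return e.name; // RangeError when src is longer than dst
  }
}

// Constructed scenario: dst is an empty window in the middle of a JS buffer.
function emptySliceScenario() {
  const backing = Uint8Array.from([1, 2, 3, 4]);
  const dst = backing.subarray(2, 2); // byteOffset 2, byteLength 0
  const danglingPtr = 1; // assumed: align_of::<u8>() for an empty Box<[u8]>
  const status = copyBack(danglingPtr, 0, dst);
  return { status, backing: Array.from(backing) };
}

// Constructed scenario: 4 bytes at ptr 16 copied back into a Uint32Array.
function nonEmptyScenario() {
  new Uint8Array(memory.buffer).set([0xde, 0xad, 0xbe, 0xef], 16);
  const dst = new Uint32Array(1);
  const status = copyBack(16, 4, dst);
  return { status, bytes: Array.from(new Uint8Array(dst.buffer)) };
}

console.log(emptySliceScenario(), nonEmptyScenario());
console.log(copyBack(0xffffff00, 0, new Uint8Array(0))); // far out of range, len 0
console.log(copyBack(16, 4, new Uint8Array(2)));         // src longer than dst
```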

Thank you! Sounds good to me. 🙂