feat(ses,module-source): Add ModuleSource shim #2463
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kriskowal
changed the title
kriskowal
force-pushed
the
kriskowal-module-source-shim
branch
from
98d1cbd
to
2e47ef8
Compare
kriskowal
commented
Sep 20, 2024
Comment on lines
+164
to
+172
| if (globalThis.ModuleSource) { | ||
| const AbstractModuleSourcePrototype = getPrototypeOf( | ||
| globalThis.ModuleSource.prototype, | ||
| ); | ||
| intrinsics['%AbstractModuleSourcePrototype%'] = | ||
| AbstractModuleSourcePrototype; | ||
| intrinsics['%AbstractModuleSource%'] = | ||
| AbstractModuleSourcePrototype.constructor; | ||
| } |
There was a problem hiding this comment.
A valid but annoying feedback reviewers might provide here is that we can’t anticipate whether ModuleSource will land in the language with or without an AbstractModuleSource on its prototype chain, so we could hedge our bets and add a repair for ModuleSource to force it to appear one way or the other, so that lockdown() doesn’t break if the AbstractModuleSource is absent. Or, we could go the other way and not have AbstractModuleSource by default, in which case SES would just delete it and issue a warning if it showed up.
There was a problem hiding this comment.
You read my mind, but that's just the risk with front-running proposals. No suggestion.
There was a problem hiding this comment.
Capturing here my reasoning for keeping AbstractModuleSource since it appears to be the path of least regret.
- We shim AbstractModuleSource and include it in SES permits:
- The application includes module-source/shim.js:
- The VM implements AbstractModuleSource: ✅ Lockdown’s fine
- The VM does not implement AbstractModuleSource: ✅ Lockdown’s fine. The shim currently stomps the native implementation. If it didn’t stomp the native implementation, Lockdown would tolerate the incomplete intrinsics.
- The application excludes module-source/shim.js:
- The VM implements AbstractModuleSource: ✅ Lockdown’s fine
- The VM does not implement AbstractModuleSource: ✅ Lockdown’s fine, but intrinsics are incomplete
- The application includes module-source/shim.js:
- We do not shim AbstractModuleSource and exclude it in SES permits:
- The application includes module-source/shim.js:
- The VM implements AbstractModuleSource: ✅ :man-shrugging: The shim currently stomps the native implementation, so this works out. But, if the shim surfaced the native implementation (and perhaps feature-checks that the native implementation behaves just like the shim deigning to fall through to native)
- The VM does not implement AbstractModuleSource: ✅ Lockdown’s fine
- The application excludes module-source/shim.js:
- The VM implements AbstractModuleSource: 💔 Lockdown is surprised to find AbstractModuleSource and chooses throw rather than attempt a repair. We don’t have the module source shim in play, so there’s nothing it can do to mitigate. We can’t require the module-source/shim.js because it entrains Babel.
- The VM does not implement AbstractModuleSource: ✅ Lockdown’s fine
- The application includes module-source/shim.js:
gibson042
approved these changes
Sep 20, 2024
kriskowal
force-pushed
the
kriskowal-module-source-shim
branch
2 times, most recently
from
fb9a58e
to
928cd19
Compare
kriskowal
force-pushed
the
kriskowal-module-source-shim
branch
from
928cd19
to
8f6291d
Compare
29 tasks
gibson042
approved these changes
Sep 24, 2024
kriskowal
force-pushed
the
kriskowal-module-source-shim
branch
from
8f6291d
to
f78f9d9
Compare
kriskowal
added a commit
that referenced
this pull request
Sep 24, 2024
This reverts commit 0d210a3. ## Description This change caused a failure for Lockdown on XS in Agoric SDK, indicating that it is a breaking change. ### Testing Considerations Reverting this change is a temporary mitigation. We will first address the gap in XS CI coverage and then persue a fix. ### Compatibility Considerations We will pursue a follow-up change that addresses XS coverage in CI #2463 and then consider repairing the native `ModuleSource` intrinsic under `repairIntrinsics` in SES.
kriskowal
added a commit
that referenced
this pull request
Sep 26, 2024
Refs: #2463, #2252 ## Description In #2463 we introduced ModuleSource to the SES permits, but this interacted catastrophically with the native XS ModuleSource. We reverted this change #2468 to unbreak Agoric SDK integration. This change reintroduces the ModuleSource permits, such that they are compatible with both XS and the `@endo/module-source/shim.js`, which anticipates the introduction of an AbstractModuleSource base class. Because SES can more gracefully tolerate the absence of an permitted [[Proto]] than the presence of a non-permitted [[Proto]], this adjusts the shim to ensure that the AbstractModuleSource shape exists as a side-effect of repairs/taming, before permits are applied. ### Security Considerations Increase in memory safety exposure in native code implementation of ModuleSource where applicable. ### Scaling Considerations None. ### Documentation Considerations This change reintroduces a note in NEWS.md for the next release. ### Testing Considerations The prior regression went unnoticed because we did not yet have CI for XS #2465. With this change, `yarn test:xs` in SES validates the shim on XS. We also test `@endo/module-source/shim.js` in `ses/test/module-source.test.js` on Node.js. ### Compatibility Considerations This change is designed to tolerate either path forward for the language, whether or not it accepts an AbstractModuleSource base class. ### Upgrade Considerations None.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Refs: #2252
Description
To test feature the degree of compatibility between a version of XS, XS with Endo shims, and Node.js with Endo shims, we need a shim for ModuleSource proper. This lets us create an environment with a global
ModuleSource, whereModuleSourceis a shared intrinsic of all Compartments.This change both introduces the shim and the necessary accommodations for the existence of a global ModuleSource shared intrinsic in SES.
Security Considerations
The new ModuleSource is subject to hardening of shared intrinsics during SES lockdown. A failure to harden the shared intrinsic would lead to a potential for interference or communication between isolated compartments.
Scaling Considerations
None.
Documentation Considerations
None.
Testing Considerations
This includes a test for SES that verifies that ModuleSource is properly propagated and hardened.
Compatibility Considerations
None.
Upgrade Considerations
None.