+1 to the idea. Can you elaborate about how you're making sure that Javascript race conditions on elements of SharedArrayBuffers (which have unspecified results) don't become race conditions in C++ code (which have undefined behavior, leading to potential security problems)?
Basically +1 for implementing/experimenting this.A few questions-- per spec the definition of "worker" could be either worker or main thread. Are you going to support this on the main thread too? Also does this intent include worker suspension and wake-up APIs (e.g. futexWait, futexWake)?
Looks like there're questions whether these should be in a form of futex-based design or not, and also how the waiting API should be exposed on the main thread (as we generally try to avoid having blocking API on the main thread).
On Sun, Apr 19, 2015 at 9:41 AM, <j...@chromium.org> wrote:+1 here too.
On Friday, April 17, 2015 at 6:42:40 PM UTC-7, Jeffrey Yasskin wrote:+1 to the idea. Can you elaborate about how you're making sure that Javascript race conditions on elements of SharedArrayBuffers (which have unspecified results) don't become race conditions in C++ code (which have undefined behavior, leading to potential security problems)?
Just to be clear: the C++ race is in developer code compiled to JS, not in the browser's own C++ code. The security issue is therefore not in the browser itself, but in the website. Did I understand properly? If so, I think it means the C++ code already had a race and was UB if that race ever executed, correct? You're asking how the SAB implementation restricts the UB effects that can manifest?
On Friday, April 17, 2015 at 6:42:40 PM UTC-7, Jeffrey Yasskin wrote:+1 to the idea. Can you elaborate about how you're making sure that Javascript race conditions on elements of SharedArrayBuffers (which have unspecified results) don't become race conditions in C++ code (which have undefined behavior, leading to potential security problems)?Just to be clear: the C++ race is in developer code compiled to JS, not in the browser's own C++ code. The security issue is therefore not in the browser itself, but in the website. Did I understand properly? If so, I think it means the C++ code already had a race and was UB if that race ever executed, correct? You're asking how the SAB implementation restricts the UB effects that can manifest?I'm understanding this as a different question. Let's ignore the C++ that is compiled to JavaScript for now. If two workers race on a SharedArrayBuffer element, then this is equivalent to two C++ threads racing on access to shared memory, which is UB and could have security implications for Blink. I guess this is irrelevant for the JIT case as C++ code generation is bypassed. If the JavaScript is interpreted, perhaps it is enough to implement all SAB accesses on the slow path as relaxed atomics? Not sure the affect on performance this would have, however. Does this sound right, or am I totally off?
Jeffrey
On Mon, Apr 20, 2015 at 4:59 PM, Jeffrey Yasskin <jyas...@chromium.org> wrote:On Sat, Apr 18, 2015 at 5:41 PM, <j...@chromium.org> wrote:
> +1 here too.
>
>
>
> On Friday, April 17, 2015 at 6:42:40 PM UTC-7, Jeffrey Yasskin wrote:
>>
>> +1 to the idea. Can you elaborate about how you're making sure that
>> Javascript race conditions on elements of SharedArrayBuffers (which have
>> unspecified results) don't become race conditions in C++ code (which have
>> undefined behavior, leading to potential security problems)?
>
>
> Just to be clear: the C++ race is in developer code compiled to JS, not in
> the browser's own C++ code. The security issue is therefore not in the
> browser itself, but in the website. Did I understand properly?
I'm much more worried about the browser's own C++ code. As an example,
the ArrayBuffer interface in v8.h appears to return a (void*,size_t)
pair to let browser C++ code read and modify the contents of the
ArrayBuffer. That interface can never be added for SharedArrayBuffer.
Are we just never going to give browser C++ code access to
SharedArrayBuffer, or is there another mechanism planned?You're referring to v8::ArrayBuffer::{GetContents,Externalize}? My WIP blink CL requires these for SharedArrayBuffers as well, though just to forward it to the new SharedArrayBuffer. The initial plan is that no browser code will need to access data in the SAB, though that may change in the future (passing SAB to WebGL, for example).
Until that time, maybe the best solution is to remove the Data/ByteLength accessors from the v8::SharedArrayBuffer::Contents API. Hmm, actually I think this won't work because ownership of the memory is passed from v8::SharedArrayBuffer::Contents to WTF::ArrayBufferContents when wrapping it as a DOM object. Do you have a mechanism in mind for how to make this more safe without getting in the way of legitimate use?
The spec says that this should function for shared workers. Is the proposed blink implementation going to support this?
I'm simply curious.daveOn Wed, Apr 22, 2015 at 6:29 PM, Jeffrey Yasskin <jyas...@chromium.org> wrote:On Wed, Apr 22, 2015 at 6:06 PM, Ben Smith <bi...@chromium.org> wrote:On Mon, Apr 20, 2015 at 4:59 PM, Jeffrey Yasskin <jyas...@chromium.org> wrote:On Sat, Apr 18, 2015 at 5:41 PM, <j...@chromium.org> wrote:
> +1 here too.
>
>
>
> On Friday, April 17, 2015 at 6:42:40 PM UTC-7, Jeffrey Yasskin wrote:
>>
>> +1 to the idea. Can you elaborate about how you're making sure that
>> Javascript race conditions on elements of SharedArrayBuffers (which have
>> unspecified results) don't become race conditions in C++ code (which have
>> undefined behavior, leading to potential security problems)?
>
>
> Just to be clear: the C++ race is in developer code compiled to JS, not in
> the browser's own C++ code. The security issue is therefore not in the
> browser itself, but in the website. Did I understand properly?
I'm much more worried about the browser's own C++ code. As an example,
the ArrayBuffer interface in v8.h appears to return a (void*,size_t)
pair to let browser C++ code read and modify the contents of the
ArrayBuffer. That interface can never be added for SharedArrayBuffer.
Are we just never going to give browser C++ code access to
SharedArrayBuffer, or is there another mechanism planned?You're referring to v8::ArrayBuffer::{GetContents,Externalize}? My WIP blink CL requires these for SharedArrayBuffers as well, though just to forward it to the new SharedArrayBuffer. The initial plan is that no browser code will need to access data in the SAB, though that may change in the future (passing SAB to WebGL, for example)."Passing SAB to WebGL" is exactly the sort of thing I'm worried about. It's clearly useful, but you can't use C++ code in WebGL to read the data out of the SAB. V8 will need to provide enough primitives to use the data without giving the C++ compiler access to the actual memory reads.
Until that time, maybe the best solution is to remove the Data/ByteLength accessors from the v8::SharedArrayBuffer::Contents API. Hmm, actually I think this won't work because ownership of the memory is passed from v8::SharedArrayBuffer::Contents to WTF::ArrayBufferContents when wrapping it as a DOM object. Do you have a mechanism in mind for how to make this more safe without getting in the way of legitimate use?Pass around the v8::SharedArrayBuffer::Contents instead of the pointer+size it contains?
On Wed, Apr 22, 2015 at 10:45 PM, David Levin <le...@chromium.org> wrote:The spec says that this should function for shared workers. Is the proposed blink implementation going to support this?I haven't yet considered this. Is it possible to communicate with a SharedWorker cross-process?
On Fri, Apr 24, 2015 at 2:42 PM 'Ben Smith' via blink-dev <blin...@chromium.org> wrote:On Wed, Apr 22, 2015 at 10:45 PM, David Levin <le...@chromium.org> wrote:The spec says that this should function for shared workers. Is the proposed blink implementation going to support this?I haven't yet considered this. Is it possible to communicate with a SharedWorker cross-process?
For a multi-process browser, that would require allocating chunks of shared pages between the renderers, no? That seems a ton complexity for not all that much gain. What happens if I try to share thousands of 5-byte buffers between a SharedWorker and a document? You don't even know a priori that these SABs will be sent to a SharedWorker, so that's even more complexity. Either you have to defensively allocate every SAB to pages that can be shared, or you have some mechanism where SABs get promoted to such pages. Which would require synchronizing across all the dedicated workers that the SAB was already shared with.
If the spec supports this, I think we should push back on it. I expect the primary use of this sort of thing would be to port pthreads code over to the web, in which case dedicated workers are just fine. Most platforms distinguish "threads" vs "processes" with sharing memory between the latter being much more involved. So limiting this to things scoped to one document seems not totally without analog.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
On Fri, Apr 24, 2015 at 12:37 PM, David Benjamin <davi...@chromium.org> wrote:On Fri, Apr 24, 2015 at 2:42 PM 'Ben Smith' via blink-dev <blin...@chromium.org> wrote:On Wed, Apr 22, 2015 at 10:45 PM, David Levin <le...@chromium.org> wrote:The spec says that this should function for shared workers. Is the proposed blink implementation going to support this?I haven't yet considered this. Is it possible to communicate with a SharedWorker cross-process?
For a multi-process browser, that would require allocating chunks of shared pages between the renderers, no? That seems a ton complexity for not all that much gain. What happens if I try to share thousands of 5-byte buffers between a SharedWorker and a document? You don't even know a priori that these SABs will be sent to a SharedWorker, so that's even more complexity. Either you have to defensively allocate every SAB to pages that can be shared, or you have some mechanism where SABs get promoted to such pages. Which would require synchronizing across all the dedicated workers that the SAB was already shared with.
If the spec supports this, I think we should push back on it. I expect the primary use of this sort of thing would be to port pthreads code over to the web, in which case dedicated workers are just fine. Most platforms distinguish "threads" vs "processes" with sharing memory between the latter being much more involved. So limiting this to things scoped to one document seems not totally without analog.What about regular WebWorkers that might be implemented cross-process? The spec currently does not disallow that.
On Fri, Apr 24, 2015 at 12:37 PM, David Benjamin <davi...@chromium.org> wrote:On Fri, Apr 24, 2015 at 2:42 PM 'Ben Smith' via blink-dev <blin...@chromium.org> wrote:On Wed, Apr 22, 2015 at 10:45 PM, David Levin <le...@chromium.org> wrote:The spec says that this should function for shared workers. Is the proposed blink implementation going to support this?I haven't yet considered this. Is it possible to communicate with a SharedWorker cross-process?
For a multi-process browser, that would require allocating chunks of shared pages between the renderers, no? That seems a ton complexity for not all that much gain. What happens if I try to share thousands of 5-byte buffers between a SharedWorker and a document? You don't even know a priori that these SABs will be sent to a SharedWorker, so that's even more complexity. Either you have to defensively allocate every SAB to pages that can be shared, or you have some mechanism where SABs get promoted to such pages. Which would require synchronizing across all the dedicated workers that the SAB was already shared with.
If the spec supports this, I think we should push back on it. I expect the primary use of this sort of thing would be to port pthreads code over to the web, in which case dedicated workers are just fine. Most platforms distinguish "threads" vs "processes" with sharing memory between the latter being much more involved. So limiting this to things scoped to one document seems not totally without analog.What about regular WebWorkers that might be implemented cross-process? The spec currently does not disallow that.
On Wed, Apr 22, 2015 at 6:29 PM, Jeffrey Yasskin <jyas...@chromium.org> wrote:On Wed, Apr 22, 2015 at 6:06 PM, Ben Smith <bi...@chromium.org> wrote:You're referring to v8::ArrayBuffer::{GetContents,Externalize}? My WIP blink CL requires these for SharedArrayBuffers as well, though just to forward it to the new SharedArrayBuffer. The initial plan is that no browser code will need to access data in the SAB, though that may change in the future (passing SAB to WebGL, for example)."Passing SAB to WebGL" is exactly the sort of thing I'm worried about. It's clearly useful, but you can't use C++ code in WebGL to read the data out of the SAB. V8 will need to provide enough primitives to use the data without giving the C++ compiler access to the actual memory reads.I feel like this V8 API is something that can be postponed until we want to access data from the SAB in C++. It doesn't seem like we know exactly how we will use it, so designing the API will be difficult.
Until that time, maybe the best solution is to remove the Data/ByteLength accessors from the v8::SharedArrayBuffer::Contents API. Hmm, actually I think this won't work because ownership of the memory is passed from v8::SharedArrayBuffer::Contents to WTF::ArrayBufferContents when wrapping it as a DOM object. Do you have a mechanism in mind for how to make this more safe without getting in the way of legitimate use?Pass around the v8::SharedArrayBuffer::Contents instead of the pointer+size it contains?Yes, though it seems strange to me that a WTF type would reference a v8 type. I guess instead the DOMSharedArrayBuffer type would reference the v8 types directly instead of using WTF::ArrayBuffer{,Contents}.
On Fri, Apr 24, 2015 at 3:44 PM Chris Harrelson <chri...@chromium.org> wrote:On Fri, Apr 24, 2015 at 12:37 PM, David Benjamin <davi...@chromium.org> wrote:On Fri, Apr 24, 2015 at 2:42 PM 'Ben Smith' via blink-dev <blin...@chromium.org> wrote:On Wed, Apr 22, 2015 at 10:45 PM, David Levin <le...@chromium.org> wrote:The spec says that this should function for shared workers. Is the proposed blink implementation going to support this?I haven't yet considered this. Is it possible to communicate with a SharedWorker cross-process?
For a multi-process browser, that would require allocating chunks of shared pages between the renderers, no? That seems a ton complexity for not all that much gain. What happens if I try to share thousands of 5-byte buffers between a SharedWorker and a document? You don't even know a priori that these SABs will be sent to a SharedWorker, so that's even more complexity. Either you have to defensively allocate every SAB to pages that can be shared, or you have some mechanism where SABs get promoted to such pages. Which would require synchronizing across all the dedicated workers that the SAB was already shared with.
If the spec supports this, I think we should push back on it. I expect the primary use of this sort of thing would be to port pthreads code over to the web, in which case dedicated workers are just fine. Most platforms distinguish "threads" vs "processes" with sharing memory between the latter being much more involved. So limiting this to things scoped to one document seems not totally without analog.What about regular WebWorkers that might be implemented cross-process? The spec currently does not disallow that.
The spec wouldn't say anything about processes in general. It still has implications for implementors which choose do to things with multiple processes (or any other implementation strategy). As a random example, the existence of document.domain and a couple other APIs implies that, if foo.example.com does a window.open(bar.example.com), those two documents need to be in the same process. (Obviously you could imagine a UA which manages to serialize and migrate live documents once they can mutually script each other, but Chrome certainly doesn't...)I believe we currently implement dedicated workers in-process and SharedWorkers out-of-process. The former is a pretty reasonable implementation choice since those workers are going to be same-origin and bound together in lifetime. Whereas we can have multiple documents in one renderer Likewise the latter is forced on us if we can have two same-origin documents not share a renderer (when they're not in one BrowsingInstance). I dunno if Site Isolation folks have any plans on collapsing that, but I doubt it'd be possible to make that work right before out-of-process iframes.