Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

review of Agoric additions to xsnap #2469

Closed
dckc opened this issue Feb 18, 2021 · 4 comments · Fixed by #3607
Closed

review of Agoric additions to xsnap #2469

dckc opened this issue Feb 18, 2021 · 4 comments · Fixed by #3607
Assignees
@warner @dckc
Labels
security xsnap the XS execution tool

Comments

@dckc
Copy link
Member

dckc commented Feb 18, 2021

No description provided.

@dckc dckc assigned dckc and warner Feb 18, 2021
@dckc dckc mentioned this issue Feb 18, 2021
Closed
5 tasks
@dckc
Copy link
Member Author

dckc commented Mar 4, 2021
edited
Loading

prereqs:

  1. seccomp - snapshots over pipes rather than file put xsnap worker in a seccomp jail #2386
  2. end-of-crank w.r.t. liveslots doing gc

@dckc dckc added the xsnap the XS execution tool label May 3, 2021
@dckc
Copy link
Member Author

dckc commented May 10, 2021

@warner writes May 7, 2021, 11:36 PM:

you might look at our handler in

agoric-sdk/packages/xsnap/src/xsnap.c

Lines 1467 to 1498 in 79df84a

static void fx_issueCommand(xsMachine *the)
{
int argc = xsToInteger(xsArgc);
if (argc < 1) {
mxTypeError("expected ArrayBuffer");
}
size_t length;
char* buf = NULL;
txSlot* arrayBuffer = &xsArg(0);
length = fxGetArrayBufferLength(the, arrayBuffer);
buf = malloc(length);
fxGetArrayBufferData(the, arrayBuffer, 0, buf, length);
int writeError = fxWriteNetString(toParent, "?", buf, length);
free(buf);
if (writeError != 0) {
xsUnknownError(fxWriteNetStringError(writeError));
}
// read netstring
size_t len;
int readError = fxReadNetString(fromParent, &buf, &len);
if (readError != 0) {
xsUnknownError(fxReadNetStringError(readError));
}
xsResult = xsArrayBuffer(buf, len);
}

@phoddie writes May 8, 2021, 12:28 AM:

  • Generally don't take the address of slots - &xsArg(0) as used here is safe, but not always. Instead of calling fxGetArrayBufferLegth and fxGetArrayBufferData use xsGetArrayBufferLegth and xsGetArrayBufferData which accept the slot directly.

  • Your call to malloc doesn't check for failure. Probably that's safe in your world. In our world, it would be a concern.

  • The buffer allocated by fxReadString is orphaned. It is passed to xsArrayBuffer which copies the data, but doesn't take ownership of the pointer. There should be a free(buf) at the end of the function.

  • In fxReadNetString, if there is a failure the buffer is freed. But then the freed pointer is then assigned to *dest. As long as everyone checks the return value, that's not a problem but.... seems unnecessarily risky.

p.s. I presume it's OK to share this.

cc @kriskowal

@dckc dckc changed the title review of Agoric additions to xsnap review of Agoric additions to xsnap (buffer allocated by fxReadString is orphaned, ...) May 10, 2021
@dckc dckc added the bug Something isn't working label May 10, 2021
@dckc dckc added this to the Testnet: Stress Test Phase milestone May 10, 2021
@dckc dckc mentioned this issue May 14, 2021
Merged
@dckc
Copy link
Member Author

dckc commented May 19, 2021

#3101 is landed but @warner expressed an interest in a more thorough review.

@dckc dckc changed the title review of Agoric additions to xsnap (buffer allocated by fxReadString is orphaned, ...) review of Agoric additions to xsnap May 19, 2021
@dckc dckc removed the bug Something isn't working label May 19, 2021
@dckc dckc removed this from the Testnet: Stress Test Phase milestone May 19, 2021
@dckc
Copy link
Member Author

dckc commented Jul 29, 2021
edited
Loading

We should probably clean up these warnings. I'm not quite sure how to approach some of them:
https://gist.github.com/jessysaurusrex/e28c5ec0230c50c8af3adce8dee26fa5

p.s. for follow-up, see #2466

@dckc dckc added the security label Jul 29, 2021
@dckc dckc mentioned this issue Jul 30, 2021
Merged
1 task
This was referenced Aug 10, 2021
Merged
Open
dckc added a commit that referenced this issue Aug 13, 2021
@dckc
chore(xsnap): add xsnap-native submodule
e797226 
  - xsnap -> xsnap-worker
    to distinguish cli app from long-running worker
  - get xsnap heap exhaustion crash fix
  - never mind meters beyond compute, allocate
  - get mac makefile update

fixes #2469
refs #3139
dckc added a commit that referenced this issue Aug 14, 2021
@dckc
chore(xsnap): add xsnap-native submodule
6175195 
  - xsnap -> xsnap-worker
    to distinguish cli app from long-running worker
  - get xsnap heap exhaustion crash fix
  - never mind meters beyond compute, allocate
  - get mac makefile update

fixes #2469
refs #3139
dckc added a commit that referenced this issue Aug 14, 2021
@dckc
fix(xsnap): take snapshot without impact on GC #3607
85b252c 
Moddable reworked the chunk allocator to always use a single memory block for chunk storage.

The change is implemented in `xsnapPlatform.c`. The implementation uses `mmap`/`mprotect` (`VirtualAlloc` on Windows) to reserve and to commit memory pages. 

To get this fix, we add an `xsnap-native` submodule that replaces `xsnap.c` and friends.
The submodule includes a few tweaks: https://github.com/agoric-labs/xsnap-pub/tree/endo-submodule

fixes #3577
fixes #3139 , bringing us back to stock XS.
fixes #2469 - Moddable reviewed the code well enough to substantially re-work it.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@warner warner

@dckc dckc

Labels
security xsnap the XS execution tool
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(xsnap): take snapshot without impact on GC Agoric/agoric-sdk
2 participants
@warner @dckc