- From: Adam Rice <notifications@github.com>
- Date: Mon, 27 Mar 2023 00:49:02 -0700
- To: whatwg/streams <streams@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/streams/issues/757/1484664859@github.com>
I've been thinking about this a bit more, and I have an idea. I propose adding an extra option to `getReader()`, `unsafe`. This would only be used with `mode: 'byob'`. Setting `unsafe: true` would disable the buffer detach behavior, regardless of whether it is shared or not. The reason for disabling detaching the buffer even when it is not shared is for the convenience of wasm programs which would like to be able to use part of their memory as a buffer without losing access to the rest of it.

`controller.byobRequest` would gain an extra attribute, also called `unsafe`, which reflects which kind of reader this buffer was supplied by. This can be used by the underlying source to add an extra memory copy for safety if it does something more complex than a simple copy into the destination.

JavaScript underlying sources mostly won't need to pay attention to the `unsafe` attribute because we assume they trust the other JavaScript or wasm running on the same page. But it may be useful in environments where there's only "partial" trust, for example when authoring a third-party library. For underlying sources implemented as part of the platform it is far more serious. When implemented in C++, we don't even know beyond doubt that we can safely `memcpy()` into a hostile SharedArrayBuffer, as the language provides no guarantees. We just have to assume it is safe because otherwise we wouldn't be able to do anything at all.

What I'm thinking of doing in Chromium is making the C++ API do a copy by default when `unsafe` is true for the target buffer, and then require the underlying source implementation to explicitly opt-out if all it's doing is a `memcpy()` anyway. If we do this we should also rethink the [enqueue algorithm called by other standards](https://streams.spec.whatwg.org/#readablestream-enqueue) to be safe-by-default.
-- Reply to this email directly or view it on GitHub: https://github.com/whatwg/streams/issues/757#issuecomment-1484664859
Received on Monday, 27 March 2023 07:49:17 UTC
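The "extra memory copy for safety" described in the post, as an added example that is not code from the post, the whatwg/streams project or any browser. The `unsafe` attribute on `byobRequest` is the proposal under discussion, not a shipping API, so the helper reads it as an optional boolean; `fillByobRequest`, `counterProducer` and `makeStream` are names chosen for this example.

```javascript
// Added example: a byte underlying source that is safe by default with
// respect to the consumer's BYOB buffer. `byobRequest.unsafe` is the
// proposed attribute (assumption: absent means false); a view over a
// SharedArrayBuffer is always treated as unsafe.
function isUnsafeRequest(byobRequest) {
  const buf = byobRequest.view.buffer;
  const shared = typeof SharedArrayBuffer !== 'undefined' &&
    buf instanceof SharedArrayBuffer;
  return shared || byobRequest.unsafe === true;
}

// `produce(target)` may do arbitrary work on a Uint8Array (read back what
// it wrote, scan, decode) and returns the byte count it produced. For an
// unsafe request the work happens in a private scratch buffer and only the
// final bytes are copied into the consumer's view in one memcpy-like step,
// so a thread sharing that memory cannot perturb the producer's state.
function fillByobRequest(byobRequest, produce) {
  const v = byobRequest.view;
  const dest = new Uint8Array(v.buffer, v.byteOffset, v.byteLength);
  if (!isUnsafeRequest(byobRequest)) {
    const n = produce(dest);            // trusted path: work in place
    byobRequest.respond(n);
    return { bytes: n, copied: false };
  }
  const scratch = new Uint8Array(dest.byteLength);
  const n = produce(scratch);
  dest.set(scratch.subarray(0, n));     // single bulk copy into the view
  byobRequest.respond(n);
  return { bytes: n, copied: true };
}

// A producer that is "more complex than a simple copy": it writes a counter
// and then XOR-folds it in place, i.e. it reads back bytes it just wrote.
function counterProducer(target) {
  const n = Math.min(target.length, 16);
  for (let i = 0; i < n; i++) target[i] = i;
  for (let i = 1; i < n; i++) target[i] ^= target[i - 1];
  return n;
}

// Where the request comes from in a real byte stream: `pull` runs when a
// consumer using getReader({ mode: 'byob' }) has a read pending.
function makeStream() {
  return new ReadableStream({
    type: 'bytes',
    pull(controller) {
      const req = controller.byobRequest;
      if (req) fillByobRequest(req, counterProducer);
    },
  });
}
```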