Mark the highlevel functions as unsafe. (WebAssembly#24)

Following @RalfJung's comment here: bytecodealliance/wasi-rs#8 (comment) as long as the functions are still taking integer file descriptor arguments, we should mark the APIs here `unsafe`. This is particularly interesting in the context of WASI, as it aligns with the OCap security model -- Rust's `std::fs::File` is an unforgeable handle in safe Rust. So while there are still integer file descriptors at the wasm level for now, programs compiled from safe Rust still have fine-grained isolation (with the caveat that until reference types are possible, this property isn't encoded in wasm in a verifiable way).
alexcrichton · Nov 23, 2019 · 864f12e · 864f12e
1 parent 3bbea34
commit 864f12e
Show file tree

Hide file tree

Showing 2 changed files with 368 additions and 467 deletions.
diff --git a/crates/generate-raw/src/lib.rs b/crates/generate-raw/src/lib.rs
@@ -262,8 +262,10 @@ fn render_highlevel(func: &InterfaceFunc, module: &str, src: &mut String) {
 
  // Render the function and its arguments, and note that the arguments here
  // are the exact type name arguments as opposed to the pointer/length pair
- // ones.
- src.push_str("pub fn ");
+ // ones. These functions are unsafe because they work with integer file
+ // descriptors, which are effectively forgeable and danglable raw pointers
+ // into the file descriptor address space.
+ src.push_str("pub unsafe fn ");
  src.push_str(&rust_name);
  src.push_str("(");
  for param in func.params.iter() {
@@ -295,7 +297,7 @@ fn render_highlevel(func: &InterfaceFunc, module: &str, src: &mut String) {
  src.push_str(">");
  }
 
- src.push_str("{ unsafe {");
+ src.push_str("{");
  for result in func.results.iter().skip(1) {
  src.push_str("let mut ");
  result.name.render(src);
@@ -350,7 +352,7 @@ fn render_highlevel(func: &InterfaceFunc, module: &str, src: &mut String) {
  }
  src.push_str(") }");
  }
- src.push_str("} }");
+ src.push_str("}");
 }
 
 impl Render for InterfaceFunc {