Re: [dev-servo] DOM rooting is live

2014-05-07 Thread Josh Matthews
In the worst case, you have a GC hazard that is conceivably exploitable 
if the stars are in alignment.


Cheers,
Josh

On 05/06/2014 08:08 PM, Keegan McAllister wrote:

From js.rs:


 /// A rooted, JS-owned value. Must only be used as a field in other JS-owned types.
 pub struct JS<T> {

What happens if I break this rule and allocate a JS on the stack, or return 
one from a function?  Is that a memory safety violation?

keegan

- Original Message -
From: "Josh Matthews" 
To: mozilla-dev-se...@lists.mozilla.org
Sent: Saturday, May 3, 2014 12:30:55 PM
Subject: [dev-servo] DOM rooting is live

https://github.com/mozilla/servo/pull/2101 has finally merged, so here's
what you need to know if you're writing DOM code now:

* members of DOM types that are themselves DOM types must use JS<T> (eg.
parent_node: Option<JS<Node>>)
* all WebIDL methods for type Foo must be declared in a public
FooMethods trait (except static Constructor methods, which still belong
to Foo proper)
* all FooMethods traits must be implemented on JSRef<'a, Foo>
* all non-WebIDL methods must be declared in a FooHelpers trait and
implemented on JSRef<'a, Foo>
* all functions that return a DOM type Foo must return Temporary<Foo>
* all functions taking a DOM type Foo argument must now take &JSRef<Foo>

In exchange for this slightly more complicated system of rules, we get
freedom from garbage collection hazards and safety from accidentally
breaking them. In particular, the following holds true:
* for any method called on a DOM type, the self pointer and any DOM
object reachable via self will be rooted for the duration of the method call
* for any method call that accepts DOM type arguments, they will be
rooted for the duration of the call
* for any DOM object returned from a function, it will remain rooted
until its Temporary value goes out of scope

The only remaining thing to know is that the way to obtain a JSRef<T>
value out of a JS<T> or Temporary<T> value is to call the root() method,
and then dereference it. As such, you will see lots of code like

  > let window = self.window.root();
  > do_something_with_window(&*window);

or

  > let something = Something::new().root();
  > something.do_something();

Learn to love it. When you find a type error where something is asking
for a JSRef and you're not providing it, that's a potential GC hazard
that the compiler is rejecting.

Cheers,
Josh
___
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo





Re: [dev-servo] DOM rooting is live

2014-05-07 Thread Patrick Walton

On 5/7/14 11:16 AM, Josh Matthews wrote:

In the worst case, you have a GC hazard that is conceivably exploitable
if the stars are in alignment.


How would you create a `JS<T>` on the stack? I would think that they
aren't cloneable and the constructor for them is appropriately private.


Patrick
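
A toy Rust model of the rooting rules discussed in this thread, added here as an illustration and not Servo's code: `ROOTS`, `rooted_count()`, `alloc()`, `r()` and `Window` are assumptions of the model, and `Temporary` is left out. It shows `JS` with a private field, `root()` keeping an object in the root set for the guard's lifetime, and `JSRef` borrowing from that guard.

```rust
// Toy model of the rooting rules in this thread; not Servo's implementation.
// ROOTS, rooted_count(), alloc(), r() and Window are constructed for this example.
use std::cell::RefCell;
// Stand-in for the collector's root set: addresses it must keep alive.
thread_local! { static ROOTS: RefCell<Vec<usize>> = RefCell::new(Vec::new()); }
pub fn rooted_count() -> usize { ROOTS.with(|r| r.borrow().len()) }
pub mod js {
    /// Unrooted pointer for fields of DOM objects; private field, no Clone.
    pub struct JS<T> { ptr: *const T }
    /// Stack guard: the object stays in the root set while this is alive.
    pub struct Root<T> { ptr: *const T }
    /// Borrow of a rooted object; cannot outlive the Root it came from.
    pub struct JSRef<'a, T> { obj: &'a T }
    // The box is leaked on purpose: it models a heap this example never collects.
    pub fn alloc<T>(v: T) -> Root<T> { Root::new(Box::into_raw(Box::new(v))) }
    impl<T> JS<T> {
        pub fn from_rooted(r: &JSRef<T>) -> JS<T> { JS { ptr: r.obj } }
        pub fn root(&self) -> Root<T> { Root::new(self.ptr) }
    }
    impl<T> Root<T> {
        fn new(ptr: *const T) -> Root<T> {
            super::ROOTS.with(|r| r.borrow_mut().push(ptr as usize));
            Root { ptr }
        }
        /// Sound only because the pointee is rooted for as long as `self` lives.
        pub fn r(&self) -> JSRef<'_, T> { JSRef { obj: unsafe { &*self.ptr } } }
    }
    impl<T> Drop for Root<T> {
        fn drop(&mut self) { // unroot: remove the newest entry for this address
            super::ROOTS.with(|r| {
                let mut v = r.borrow_mut();
                let i = v.iter().rposition(|&p| p == self.ptr as usize);
                if let Some(i) = i { v.remove(i); }
            });
        }
    }
    impl<'a, T> std::ops::Deref for JSRef<'a, T> {
        type Target = T;
        fn deref(&self) -> &T { self.obj }
    }
}
pub struct Window { id: u32, opener: Option<js::JS<Window>> }
/// Returns (roots held while `parent` is in use, id read through the JS field).
pub fn demo() -> (usize, u32) {
    let opener = js::alloc(Window { id: 1, opener: None });
    let win = js::alloc(Window { id: 2, opener: Some(js::JS::from_rooted(&opener.r())) });
    let parent = win.r().opener.as_ref().unwrap().root(); // root the field before use
    let id = parent.r().id;
    (rooted_count(), id)
}
fn main() { println!("{:?} then {}", demo(), rooted_count()); }
```

In this model, keeping the result of `parent.r()` after `parent` is dropped is a borrow-checker error, which is the kind of rejected hazard the original message describes.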
