Add safe JSContext wrapper with strict safety rules #638
Conversation
sagudev
changed the title
This comment was marked as outdated.
This comment was marked as outdated.
sagudev
force-pushed
the
cx
branch
2 times, most recently
from
3fca351 to
1a477d7
Compare
|
Yesterday I learned that searchfox actually has trigger gc/not gc labels on functions: https://matrix.to/#/!CZEbuMfGYVdQMIBKeP:mozilla.org/$gMT8sxO85ePN_QOJ6Paa0q-nRILwXATU2iJ_EzoNhq8 These are generated by CI, so I wonder if we could use this data for autogenerating wrappers. |
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
jdm
left a comment
jdm
left a comment
There was a problem hiding this comment.
This is exciting and very promising! My only complaint is the new & syntax in the rooting macros, but I don't actually have any suggestions.
Eventually when we will use safe JSContext in more places we will, we will make RootingGuard to take &JSContext (IIRC it does not GC), so all & will become redundant, but we are not there yet, so I've tried to find something minimal to minimize the diff. |
This PR is companion to servo/mozjs#638, currently it only make stuff compile. In follwups we will start passing/using safer JSContext down everywhere. Testing: Not needed as it's just refactorings. Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
This PR is companion to servo/mozjs#638, currently it only make stuff compile. In follwups we will start passing/using safer JSContext down everywhere. Testing: Not needed as it's just refactorings. try run: https://github.com/sagudev/servo/actions/runs/19196312972/job/54879090390 --------- Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
2 participants
Somehow related to #554, but it creates more strict JSContext. Companion PR in servo: servo/servo#40465
More concrete documentation is written at types: https://github.com/sagudev/mozjs/blob/cx/mozjs/src/context.rs and also includes some compile tests. Here I will only describe rough idea and motivation.
If we want to build any proper safe wrappers we need to have a notion of GC/NoGC,
JSContextsomehow fulfills the role of GC (generally every SM function that can trigger GC takes JSContext). But to be able to use JSContext (and it's lifetime) for this notion we need to make it not globally obtainable obtainable (it needs to be passed down as an arg as mentioned in https://github.com/asajeffrey/josephine). This is already happening withCanGCwe have in servo (this newJSContextwould replaceCanGC).This PR also introduce new wrappers that use lifetimed handles and new safe JSContext. More specifically they use
&mut JSContext(for functions that can trigger GC) or&JSContext(for functions that cannot trigger GC). We also remove https://doc.servo.org/mozjs/jsapi/struct.AutoRequireNoGC.html from args (as NoGC is already encoded in&JSContextargument).While this model is safe and usable from mozjs, it's somehow less usable in servo, where Runtime is always part of some *GlobalScope dom_struct or TLS. So in practice all entrypoints (where we get initial cx for passdown) will likely need to be unbounded (unsafe).
The plan forward
The idea is that we can incrementally introduce safety to servo:
JSContexteverywhere in servo (this will also replace can_gc effort) and use wrappers2'cxlifetime (bounded to cx) and rooting would erase the lifetime (make it'staticthus unbound it from cx).Notes on the model
While GC is run only on some compartments/realm, this becomes complicated to model because of cross references. So this model assumes all compartments in cx will get traced/GC (even if that is not the case; but that does happen on full GC I think). This is more strict than per compartments, but much easier to model and reason about (look at how complicated https://github.com/asajeffrey/josephine is). We can always introduced more relaxed model later.
This model is already discussed in #520, #560, #569 and something similar is also used in nova js engine: https://trynova.dev/blog/guide-to-nova-gc (I borrowed idea of explicit NoGC token).