`null` strings cause crash

[surma]

I think this was introduced with #1682. That PR seems to indicate that null strings should be handled as the empty string, but they can cause a memory access out of bounds error.

export function prefix(s: string): string {
  return "prefix:" + s;
}

<!DOCTYPE html>
<script>
  async function main() {
    const { instance } = await WebAssembly.instantiateStreaming(
      fetch("lol.wasm"),
      {
        env: {
          abort() {
            throw Error("ARGH");
          },
        },
      }
    );
    const strPtr = 0; // !! Invalid string pointer
    instance.exports.prefix(strPtr);
  }
  main();
</script>

[MaxGraey]

yes, currently you should check external exported strings for null.
Will be great make some warning / error for such case if s: string is not s: string | null

[surma]

Okay cool, good to know!

Have y’all considered checking those types automatically at the module boundary? (Maybe with an opt-in via flag?) You could wrap the exported function, and that wrapper is only used for call from the hostat the module boundary so that types can be validated. Module-internally, the original function would be used, avoiding the extra overhead.

export function prefix(s: string): string {
  String.validate(s); // Traps if `s` doesn’t point to a string object.
  return prefix_original(s);
}

function prefix_original(s: string): string {
  return "prefix:" + s;
}

For now I can punt this responsibility to the glue code, but could be nice to have the compiler do that work for me. Closing this.

[MaxGraey]

Yeah, we already do similar trampoline for exported to host functions with default arguments. This auto check should take into account this case as well:

export function prefix(s: string | null = null): string {
}

and skip inserting such null validation

[surma]

Actually, I’m gonna re-open this issue, because the error message should be better (took me a bit to figure out what exactly was causing String.concat() to throw.

Maybe at least in --debug builds the compiler could add not-null assertions in String methods? WDYT?

[dcodeIO]

I like the idea of adding a check in debug builds, yeah. In release builds, however, it seems to involve a trade-off, in that even if someone is very careful to pass data matching the types, or if a linker-like program like as-bind does that for them, they'd still have a then-redundant check around. So I wonder if that's separable to the linker?

[surma]

I’d be happy if this was limited to debug builds (it might be interesting to have an opt-in to enable type checks for built-in type methods — mostly for the sake of better error messages). But yes, most responsibility here should probably fall onto as-bind et al.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in one week if no further activity occurs. Thank you for your contributions!