-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Read has very surprising behaviour (does not match spec) #119
Comments
Thanks for highlighting this. I suspect the read semantics may have been
clarified after the vchan code was written (or at least that's my excuse!)
I agree that we should make read spec-compliant. I don't mind about the
unsafe version -- it's a bit hard to use...
…On Wed, 5 Dec 2018, 18:44 Thomas Leonard ***@***.*** wrote:
A VChan endpoint claims to implement Mirage_flow_lwt.S. This says (
https://github.com/mirage/mirage-flow/blob/master/src/mirage_flow.mli#L62
):
val read: flow -> (buffer or_eof, error) result io
(** [read flow] blocks until some data is available and returns a fresh buffer containing it.
However, reading the code it seems that it does *not* return a fresh
buffer. Instead, it returns a region of the underlying ring (which is under
the control of the remote VM).
https://github.com/mirage/ocaml-vchan/blob/5fcd4e3662241751142c08506ee3f5b8f6462e05/lib/endpoint.ml#L327-L360
This means that:
- The data in the returned buffer can change at any time if the remote
VM is malicious. Users need to protect against this (e.g. by never reading
the same byte more than once).
- The data is only valid until the next read, which seems to be when
the library acks the read.
- Reading data is not sufficient to create more space in the ring
buffer. In particular, the sender may be blocked waiting for space even
after the receiver has read all of the data.
I think this needs documenting, at least. Perhaps consider renaming the
current read to read_unsafe, and providing a copying alternative? (the C
implementation copies)
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#119>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAMHuo9tyOnqhs5501DH2oE-062Xd7BKks5u2AX7gaJpZM4ZDdc9>
.
|
I'd be in favour of removing the non-copying version entirely, and implementing the safe version. It seems very hard to use the current one correctly. |
mirage-qubes actually uses this safely to fill a buffer of known size, which is a common thing to want to do, so I suggest that if we remove this read function, we provide a (safe) |
A VChan endpoint claims to implement
Mirage_flow_lwt.S
. This says (https://github.com/mirage/mirage-flow/blob/master/src/mirage_flow.mli#L62):However, reading the code it seems that it does not return a fresh buffer. Instead, it returns a region of the underlying ring (which is under the control of the remote VM).
ocaml-vchan/lib/endpoint.ml
Lines 327 to 360 in 5fcd4e3
This means that:
I think this needs documenting, at least. Perhaps consider renaming the current
read
toread_unsafe
, and providing a copying alternative? (the C implementation copies)The text was updated successfully, but these errors were encountered: