InstanceId can be used to bypass Gd not being Send
#886
Comments
|
Note – in some cases InstanceId can be used as, well, InstanceId, used to recognize given instance while passing message from the thread. While it is not a huge deal (InstanceId stil can be converted to u64) by itself, proper deprecation warnings would be much appreciated. Bigger issue might be some thread-safe APIs (according to docs - godot's servers – https://docs.godotengine.org/en/stable/tutorials/performance/thread_safe_apis.html#global-scope) that operate with InstanceIds. Example: |
Currently
Gddoes not implementSend, because it is unsound to send to another thread. However you can easily bypass this restriction by usingInstanceIdand callingGd::try_from_instance_id().Until we have a proper solution for multi-threaded code, this loophole should probably be available so that people who desperately need it can use it. But when we are going to support multi-threaded code, this loophole will need to be closed to ensure soundness.
My suggestion would be:
InstanceIdnot implementSendorSync. This will make it impossible to bypass multi-threading by merely passing anInstanceIdto another thread.InstanceIdfrom au64. This makes it so that you cant bypass the previous restriction by just passing the integer representation of anInstanceIdto another thread.This means we're effectively adding strict provenance to
InstanceId. Where it is only safe to obtain anInstanceIdwhich has a known provenance, and any attempt to create anInstanceIdout of thin air would be library UB since it can potentially violate arbitrary restrictions.I am not sure if it is possible to call
try_from_instance_idanother way, such as throughObject::call(). If that is possible then this suggestion would likely mean that that would need to be made unsafe as well. That would be non-ideal, but if we are going to impose any extra soundness criteria on top of Godot it may be unavoidable.The text was updated successfully, but these errors were encountered: