docs(ses): document Compartment availability and OOM limits (#2742)#68
docs(ses): document Compartment availability and OOM limits (#2742)#68kriscendobot wants to merge 5 commits into
Conversation
kriskowal
left a comment
kriskowal
left a comment
There was a problem hiding this comment.
Generally avoid em-dashes. Please integrate that feedback into CLAUDE.md in the style guide.
| but every compartment in a realm shares the same JavaScript *agent* — in | ||
| engine terms, a single thread of execution and a single heap. |
There was a problem hiding this comment.
Separate sentences in this case. The em-dash is not more clear.
There was a problem hiding this comment.
Addressed in 5995742: split the agent-introduction sentence so the en-dash is gone and the second clause stands on its own ("...shares the same JavaScript agent. In engine terms, that is a single thread of execution and a single heap.").
| as a separate worker, process, or operating-system sandbox, around the | ||
| suspect code. |
There was a problem hiding this comment.
| as a separate worker, process, or operating-system sandbox, around the | |
| suspect code. | |
| as a separate worker or process around the | |
| suspect code. |
| A compartment cannot protect availability for code running in sibling | ||
| compartments or in the start compartment. | ||
| Because all compartments share the agent's single thread, a guest that enters | ||
| an infinite loop, a `while (true) {}`, a runaway recursion, or any other |
There was a problem hiding this comment.
Consider for (;;) {}, which I like to call a C’thuloop.
There was a problem hiding this comment.
Swapped while (true) {} for for (;;) {} in 5995742. Did not include the C'thuloop label inline (the surrounding paragraph already enumerates the failure modes by name); happy to add a parenthetical if you want the label to ship in the doc.
Adds a "Limitations" section to docs/lockdown.md describing two threats a Compartment cannot mitigate, both intrinsic to sharing a single JavaScript agent: (a) availability — an infinite loop or runaway synchronous computation in any compartment denies progress to all sibling compartments until the engine intervenes; and (b) memory exhaustion — because the JS spec does not require an OOM to abort the agent (see the TC39 OOM-fails-fast proposal), a malicious compartment can intentionally exhaust memory and surface failures inside unrelated synchronous calls, turning an availability concern into an integrity one. Cross-links the new section from packages/ses/README.md's Compartment section so readers reach it from the place Compartment is introduced. Refs: endojs/endo#2742 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Split the agent-introduction sentence rather than using an em-dash.
- Apply review suggestion: drop "operating-system sandbox" and reword
the coarser-boundary clause to "as a separate worker or process
around the suspect code."
- Replace the `while (true) {}` example with `for (;;) {}`.
- Sweep remaining em-dashes from the new Limitations section.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
kriscendobot
force-pushed
the
design/issue-2742-compartment-limits-doc
branch
from
e435d96 to
5995742
Compare
Per kriskowal review on #2742: em-dashes obscure technical prose and almost always read better as separate sentences, parentheses, or colons. Lock the rule into AGENTS.md so future agents pick it up without rediscovering the convention. Also surfaces the existing "wrap 80–100 columns, sentence-per-line" markdown rule that lived only in CONTRIBUTING.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
| A host that needs to defend against them must impose a coarser boundary, | ||
| as a separate worker or process around the | ||
| suspect code. |
There was a problem hiding this comment.
Should dedicate a section timing side-channels. Note that the default Compartment does not include any timers of any resolution, but it is very difficult to avoid inadvertently giving a guest program the ability to measure duration. Asynchronous communication to another worker or process is often enough to inadvertently expose a confined guest to a gadget for measuring the passage of time.
There was a problem hiding this comment.
Added the Timing side-channels section in f299f8e, placed as a third subsection under Limitations alongside Availability and Memory exhaustion. The section notes that the default Compartment excludes Date, performance.now, setTimeout, setImmediate, and other host scheduling primitives; explains that asynchronous round-trips to any other agent recover wall-clock duration; spells out the audit obligation (every async boundary the guest can reach, not just timer-like APIs in the global scope); and lists the host mitigation menu (separate worker or process; outbound rate throttling; padded guest-visible message timing).
There was a problem hiding this comment.
The section on timing side channels should cite https://papers.agoric.com/taxonomy-of-security-issues/
There was a problem hiding this comment.
Added a reference paragraph at the end of the Timing side-channels section pointing at https://papers.agoric.com/taxonomy-of-security-issues/ as the broader catalog this section samples. Pushed in the latest commit.
…742) Document the third class of containment limit alongside Availability and Memory exhaustion. Note that the default Compartment intentionally omits Date, performance.now, setTimeout, and other host scheduling primitives, but that any asynchronous boundary the guest can drive is also a potential timing source: the round-trip recovers wall-clock duration. Spell out the audit obligation (every async boundary, not just timer enumeration) and the host's mitigation menu (separate worker or process; outbound rate throttling; padded message timing). Addresses kriskowal review 4233409679.
|
Addressed both reviews; ready for another look. Review 4209498509 (already in tree at 5995742):
Review 4233409679 (new in f299f8e):
Thread replies posted on each of the four inline comments citing the |
…er B sweep Builder B's 2026-05-10 sweep found 4 of 7 queue items already covered by existing OPEN/MERGED PRs (#67/#64/#68 open, #66 closed because #2749 merged upstream as #3227), plus 2 with misclassified plans (#922 names a package not in this repo; #1298 is per-file investigation, not mechanical mop-up). Net 1 new PR (#182 for #947). Updated AGENT-READY to surface PR numbers for each in-flight item and reframe the impasses.
|
Ferried upstream as endojs/endo#3275 (head The upstream PR squashes 4 of the 5 commits on this branch ( |
4 participants
Summary
Implements endojs/endo#2742 by documenting two threats a
Compartmentcannot mitigate, both intrinsic to running JavaScript in a single agent.docs/lockdown.mdwith two subsections:packages/ses/README.md's### Compartmentsection so readers find it whereCompartmentis introduced.Both items are phrased as "what a Compartment cannot protect against" rather than as a critique — they are intrinsic to sharing one JavaScript agent.
New section preview
Anchor used for the cross-link:
./docs/lockdown.md#limitations(verified by buildingyarn docsand inspecting the generatedapi-docs/documents/lockdown.html).Test plan
npx prettier --check docs/lockdown.md packages/ses/README.md— cleanyarn docs— typedoc still builds; new#limitationsanchor is generated