
fix: address critical safety gaps (SR-17, SR-25, SR-31) #27

Merged
avrabe merged 6 commits into main from fix/critical-safety-gaps
Mar 14, 2026

Conversation

@avrabe (Contributor) commented Mar 14, 2026

Summary

Addresses the three highest-priority gaps from the weighted STPA gap analysis:

  • SR-31 (CRITICAL): Fail-fast detection of multiply-instantiated modules in the merger. Previously, if a component instantiated the same core module twice, the merger silently produced corrupt output. Now returns a DuplicateModuleInstantiation error. (GAP-P2-1)

  • SR-25 (HIGH): Resource handle support in P2 component wrapper. Adds ImportResolution enum to classify imports into WASI instances, [export]-prefixed resources, and internal resources. Emits canon resource.drop/new/rep operations with resource type dedup. Resources fixture now passes component validation. (GAP-P2-2)

  • SR-17 (HIGH): String transcoding verification with 36 tests across parser, resolver, adapter, and integration layers. Covers all 3×3 encoding pairs (UTF-8, UTF-16, CompactUTF16), default behavior, and cross-encoding adapter transcoding. (GAP-P2-3)

Also includes updated weighted gap analysis and refreshed traceability matrix.

Test plan

  • 157 unit tests pass (154 existing + 3 new SR-31)
  • 42 integration tests pass (including 8 wit-bindgen runtime fixtures)
  • SR-31: test_duplicate_module_instantiation_rejected, test_single_instantiation_accepted, test_no_instances_accepted
  • SR-17: 36 tests covering encoding parsing, transcoding detection, and cross-encoding adapter generation
  • SR-25: Resources fixture passes component validation (core module + component levels)
  • All pre-commit hooks pass (fmt, clippy, tests)

🤖 Generated with Claude Code

avrabe and others added 6 commits March 14, 2026 16:22
Add weighted-gap-analysis.md cross-referencing BA RFC #46 discussion
with current STPA gaps. Update traceability matrix to reflect actual
test coverage (195 tests, 14 fixtures). Add SR-31 (multiply-instantiated
module detection), LS-M-5, GAP-7, GAP-8. Mark GAP-4 resolved.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add support for resource-related imports in the P2 component wrapper,
enabling the resources wit-bindgen fixture to pass component validation.

The fused core module can have three categories of resource imports:
- [export]-prefixed modules (e.g., [export]imports, [export]exports)
  with [resource-drop], [resource-new], and [resource-rep] operations
  for locally-defined component resources
- Non-WASI modules with unresolvable [resource-drop] fields for
  internal inter-component resource lifecycle
- WASI instance resource drops (already handled)

For local resources, the wrapper now:
1. Aliases the destructor function from the fused module exports
2. Defines a component-level resource type with that destructor
3. Generates canon resource.drop/new/rep core functions
4. Caches resource types so each unique (interface, resource) pair
   gets exactly one type definition

Key changes:
- ImportResolution enum replaces flat (u32, String) tuples
- parse_resource_field() extracts operation and name from field names
- has_non_resource_op check updated to exclude resource-new/rep
- Tests upgraded from graceful degradation to hard assertions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

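To make the three import categories above concrete, here is an added example (not the project's code) of classifying a core import by module and field name into an `ImportResolution`-style enum and splitting `[resource-drop]name` fields the way `parse_resource_field()` is described. The enum variants, the `wasi:` namespace test and `classify_import` are constructed for this example; the real resolver also checks whether a non-WASI field resolves against the fused module's exports, which is omitted here.

```rust
/// Resource lifecycle operations encoded in a fused core module's import field
/// names, e.g. `[resource-drop]blob`. Constructed model; the project's types may differ.
#[derive(Debug, Clone, Copy, PartialEq)]
enum ResourceOp {
    Drop,
    New,
    Rep,
}

/// How the P2 wrapper should satisfy one core import.
#[derive(Debug, PartialEq)]
enum ImportResolution {
    /// WASI instance import: aliased from the imported instance (already handled).
    Wasi { instance: String, field: String },
    /// `[export]`-prefixed module: locally defined resource; emit canon resource.drop/new/rep.
    ExportedResource { interface: String, op: ResourceOp, name: String },
    /// Non-WASI module with a `[resource-drop]` field: internal inter-component resource.
    InternalResource { module: String, name: String },
    /// Everything else goes through ordinary import resolution.
    Plain { module: String, field: String },
}

/// Split `[resource-drop]name` into (Drop, "name"); None for non-resource fields.
fn parse_resource_field(field: &str) -> Option<(ResourceOp, &str)> {
    let rest = field.strip_prefix('[')?;
    let close = rest.find(']')?;
    let op = match &rest[..close] {
        "resource-drop" => ResourceOp::Drop,
        "resource-new" => ResourceOp::New,
        "resource-rep" => ResourceOp::Rep,
        _ => return None,
    };
    Some((op, &rest[close + 1..]))
}

fn classify_import(module: &str, field: &str) -> ImportResolution {
    // Assumption for this example: WASI instances live in the `wasi:` namespace.
    if module.starts_with("wasi:") {
        return ImportResolution::Wasi { instance: module.to_string(), field: field.to_string() };
    }
    match (module.strip_prefix("[export]"), parse_resource_field(field)) {
        (Some(iface), Some((op, name))) => ImportResolution::ExportedResource {
            interface: iface.to_string(), op, name: name.to_string(),
        },
        (None, Some((ResourceOp::Drop, name))) => ImportResolution::InternalResource {
            module: module.to_string(), name: name.to_string(),
        },
        _ => ImportResolution::Plain { module: module.to_string(), field: field.to_string() },
    }
}
```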
36 tests across parser, resolver, adapter, and integration:
- Parser: CanonStringEncoding parsing, default/override behavior (11 tests)
- Adapter: canon_to_string_encoding, alignment, needs_transcoding (10 tests)
- Resolver: string_transcoding flag, 3×3 encoding matrix (14 tests)
- Integration: UTF-8 caller ↔ UTF-16 callee adapter transcoding (1 test)

Closes SR-17 verification gap identified in weighted gap analysis.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add check_no_duplicate_instantiations() to merger that detects when
the same core module is instantiated more than once within a component.
Returns DuplicateModuleInstantiation error instead of silently producing
corrupt output. Called at the start of Merger::merge().

Addresses critical gap GAP-P2-1 from weighted gap analysis (LS-M-5).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

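An added illustration of the fail-fast check this commit describes, run before any merging happens (example code, not the project's merger; the `Instance` and `MergeError` types and the `merge` wrapper are constructed models of a component's instance section and the merger's entry point):

```rust
use std::collections::HashMap;

/// One entry of a component's instance section, as the merger walks it.
/// Constructed model for this example; the project's real types differ.
#[derive(Debug)]
enum Instance {
    /// `(instance (instantiate $m ...))` of core module number `module_idx`.
    CoreModule { module_idx: u32 },
    /// Instantiation of a nested component; not subject to this check.
    Component { component_idx: u32 },
}

#[derive(Debug, PartialEq)]
enum MergeError {
    /// The same core module is instantiated at two instance positions.
    DuplicateModuleInstantiation { module_idx: u32, first: usize, second: usize },
}

/// Fail-fast guard run at the start of merging: each core module may be
/// instantiated at most once; the commit notes that merging anyway used to
/// silently produce corrupt output.
fn check_no_duplicate_instantiations(instances: &[Instance]) -> Result<(), MergeError> {
    // module index -> position of its first instantiation
    let mut seen: HashMap<u32, usize> = HashMap::new();
    for (pos, inst) in instances.iter().enumerate() {
        if let Instance::CoreModule { module_idx } = inst {
            if let Some(&first) = seen.get(module_idx) {
                return Err(MergeError::DuplicateModuleInstantiation {
                    module_idx: *module_idx,
                    first,
                    second: pos,
                });
            }
            seen.insert(*module_idx, pos);
        }
    }
    Ok(())
}

/// Stand-in for the merger entry point: the check runs first, so a bad input
/// is rejected before any output is produced. Returns the core module count
/// that would be fused.
fn merge(instances: &[Instance]) -> Result<usize, MergeError> {
    check_no_duplicate_instantiations(instances)?;
    Ok(instances.iter().filter(|i| matches!(i, Instance::CoreModule { .. })).count())
}
```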
…upport

Bump wasmparser/wasm-encoder/wasmprinter to 0.230 to gain support for
the 0x67 (FixedSizeList) component type encoding contributed by Christof
Petig. API migration:

- ComponentFuncType.results → .result (single result type)
- F32Const/F64Const now take Ieee32/Ieee64 instead of raw floats
- New ComponentDefinedType variants: FixedSizeList, Future, Stream
- New PrimitiveValType::ErrorContext, CanonicalOption::Async/Callback
- ThreadSpawn → ThreadSpawnRef

FixedSizeList(element_type, length) is an inline fixed-length array:
- align = element align, size = element stride * length
- No heap pointers (unlike variable-length List which is ptr+len)
- Handled in all canonical ABI functions (size, align, flat count,
  pointer positions, conditional pointers, return area slots)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

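The layout rules stated above (align = element align, size = element stride * length, no heap pointers) as an added worked example, not the project's canonical ABI code: a small constructed `ValType` subset computes size, alignment and flat count for an inline fixed-size list next to a heap-backed variable-length list and a record that embeds one. Flattening limits and the conditional-pointer and return-area handling mentioned in the commit are left out.

```rust
/// Subset of canonical ABI value types, constructed for this example (not the
/// project's types), enough to contrast inline FixedSizeList with heap List.
#[derive(Debug)]
enum ValType {
    U16,
    U32,
    /// Variable-length list: passed as (i32 ptr, i32 len); data lives in linear memory.
    List(Box<ValType>),
    /// Fixed-length list: `length` elements stored inline, no heap pointer.
    FixedSizeList(Box<ValType>, u32),
    Record(Vec<ValType>),
}

fn align_to(offset: u32, align: u32) -> u32 {
    (offset + align - 1) / align * align
}

impl ValType {
    fn align(&self) -> u32 {
        match self {
            ValType::U16 => 2,
            ValType::U32 | ValType::List(_) => 4,
            ValType::FixedSizeList(elem, _) => elem.align(), // align = element align
            ValType::Record(fields) => fields.iter().map(ValType::align).max().unwrap_or(1),
        }
    }

    fn size(&self) -> u32 {
        match self {
            ValType::U16 => 2,
            ValType::U32 => 4,
            ValType::List(_) => 8, // i32 ptr + i32 len
            // size = element stride * length (stride = element size rounded up to its alignment)
            ValType::FixedSizeList(elem, n) => align_to(elem.size(), elem.align()) * n,
            ValType::Record(fields) => {
                let end = fields.iter().fold(0, |off, f| align_to(off, f.align()) + f.size());
                align_to(end, self.align())
            }
        }
    }

    /// Core wasm values used when the type is flattened into params/results.
    fn flat_count(&self) -> u32 {
        match self {
            ValType::List(_) => 2,
            ValType::FixedSizeList(elem, n) => elem.flat_count() * n,
            ValType::Record(fields) => fields.iter().map(ValType::flat_count).sum(),
            _ => 1,
        }
    }
}
```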
- Add rivet.yaml with stpa + aspice + dev schemas, cross-repo links
  to kiln and synth
- Convert safety-requirements.yaml to generic-yaml format (artifacts
  with type, links, fields)
- Fix hazards.yaml: move H-8/H-9/H-10 from sub-hazards to hazards
  section (they're top-level hazards, not refinements)
- Add hazards field to all 19 loss scenarios for Rivet traceability
- Generate .rivet/agent-context.md

Rivet validates: 213 artifacts, 88.7% coverage, 0 errors.
STPA traceability is 100% for all rules (hazard→loss, constraint→hazard,
UCA→hazard, UCA→controller, controller-constraint→UCA).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@avrabe avrabe merged commit 6cf75f9 into main Mar 14, 2026
3 checks passed
@avrabe avrabe deleted the fix/critical-safety-gaps branch March 14, 2026 20:21