JS -- Add a sandbox based on quickjs #12604
Conversation
calixteman
commented
Nov 9, 2020
calixteman
commented
- quickjs-eval.js has been generated using /~https://github.com/calixteman/pdf.js.quickjs/
- lazy load of sandbox code
|
We need to decide where /~https://github.com/calixteman/pdf.js.quickjs/ should live. |
There was a problem hiding this comment.
Besides a couple of comments based on a quick look, I've got a few more high-level questions:
- How's the quickjs-project licensed? Is it compatible with "Apache License 2.0", as that's what the PDF.js library uses?
- How will the quickjs-files, once added to the PDF.js library, be updated?
The reason for asking, is that we used to have loads of dependencies in theexternal/folder, which made updating and maintaining them very difficult and time-consuming (why we switched tonpmfor most dependencies). - Would it be at all possible to pull in the quickjs-files as a dependency, rather than simply dumping them into the PDF.js repository as-is?
gulpfile.js
Outdated
| return `\\${match}`; | ||
| }); | ||
| return gulp | ||
| .src("./src/scripting_api/quickjs-sandbox.js") |
There was a problem hiding this comment.
Please follow the same pattern as for all of the other bundles, see above, by adding a new /src/pdf.sandbox.js file instead of this one.
gulpfile.js
Outdated
| const defines = builder.merge(DEFINES, { GENERIC: true }); | ||
| const scriptingDefines = builder.merge(defines, { NO_SOURCE_MAP: true }); | ||
| return createScriptingBundle(scriptingDefines) | ||
| .pipe(stripComments()) |
There was a problem hiding this comment.
Doesn't the fact that the files are run through Webpack already remove comments?
There was a problem hiding this comment.
I thought the same but it seems that it isn't the case so I added that to do it.
| @@ -493,6 +521,20 @@ function makeRef(done, bot) { | |||
| }); | |||
| } | |||
|
|
|||
| gulp.task("sandbox", function (done) { | |||
There was a problem hiding this comment.
I'd suggest separating the createScriptingBundle from this gulp-task, and possible even remove this completely.
For the mozcentral task you added the createScriptingBundle to list existing list of tasks in
Lines 1065 to 1067 in 55f55f5
hence I suggest adding
createScriptingBundle and createSandboxBundle to buildGeneric instead: Lines 723 to 729 in 55f55f5
There was a problem hiding this comment.
It's on purpose.
The idea is to get a bundle from initialization.js and the convert the bundle content into a string and inject this string in the sandbox bundle. This string will be eval-ed in the sandbox in order to create all what we need for the JS api.
But of course, if you see a better way to do, please tell me.
According to https://raw.githubusercontent.com/bellard/quickjs/master/quickjs.c it's a MIT licence so it's ok with Apache License 2.0.
The easiest solution is the best here... so tell me what you prefer having.
I don't know enough to answer here. The way it's built now is:
If you think about a better way to do, feel free to tell it or amend the patch or whatever. |
calixteman
force-pushed
the
quickjs
branch
2 times, most recently
from
9bbd5fc to
37daefe
Compare
|
I moved my quickjs stuff under mozilla's umbrella: |
calixteman
force-pushed
the
quickjs
branch
6 times, most recently
from
dd18825 to
eccdfce
Compare
|
/botio test |
From: Bot.io (Linux m4)ReceivedCommand cmd_test from @calixteman received. Current queue size: 0 Live output at: http://54.67.70.0:8877/f7e194b0841c93a/output.txt |
From: Bot.io (Windows)ReceivedCommand cmd_test from @calixteman received. Current queue size: 0 Live output at: http://3.101.106.178:8877/09badca9d4b10e9/output.txt |
From: Bot.io (Linux m4)FailedFull output at http://54.67.70.0:8877/f7e194b0841c93a/output.txt Total script time: 26.06 mins
Image differences available at: http://54.67.70.0:8877/f7e194b0841c93a/reftest-analyzer.html#web=eq.log |
From: Bot.io (Windows)FailedFull output at http://3.101.106.178:8877/09badca9d4b10e9/output.txt Total script time: 29.12 mins
Image differences available at: http://3.101.106.178:8877/09badca9d4b10e9/reftest-analyzer.html#web=eq.log |
|
/botio test |
From: Bot.io (Linux m4)ReceivedCommand cmd_test from @calixteman received. Current queue size: 0 Live output at: http://54.67.70.0:8877/15e258dbf1c01a9/output.txt |
From: Bot.io (Windows)ReceivedCommand cmd_test from @calixteman received. Current queue size: 0 Live output at: http://3.101.106.178:8877/6be150a1b24be93/output.txt |
From: Bot.io (Linux m4)FailedFull output at http://54.67.70.0:8877/15e258dbf1c01a9/output.txt Total script time: 25.94 mins
Image differences available at: http://54.67.70.0:8877/15e258dbf1c01a9/reftest-analyzer.html#web=eq.log |
From: Bot.io (Windows)FailedFull output at http://3.101.106.178:8877/6be150a1b24be93/output.txt Total script time: 30.30 mins
Image differences available at: http://3.101.106.178:8877/6be150a1b24be93/reftest-analyzer.html#web=eq.log |
calixteman
force-pushed
the
quickjs
branch
2 times, most recently
from
7ef72aa to
0d23b10
Compare
| const promise = loadScript(AppOptions.get("scriptingSrc")).then(() => { | ||
| return window.pdfjsSandbox.QuickJSSandbox(); | ||
| }); | ||
| const sandbox = { |
There was a problem hiding this comment.
Is there a benefit to having all of these methods using promise.then vs have scripting return a promise and then have all the methods be direct calls? e.g.
get scripting() {
return loadScript(...).then((sbx) => {
return {
createSandbox(data) {
sbx.create(data);
},
...
There was a problem hiding this comment.
It's for consistency with:
Lines 257 to 269 in d3936ac
* quickjs-eval.js has been generated using /~https://github.com/mozilla/pdf.js.quickjs/ * lazy load of sandbox code * Rewrite tests to use the sandbox * Add a task `watch-sandbox` which update bundle pdf.sandbox.js on change in the sandbox code
|
At the very least, I would have expected e.g. a README file in /~https://github.com/mozilla/pdf.js/tree/master/external/quickjs mentioning things like:
Also, Lines 226 to 233 in c88e805 Furthermore, that block was placed among the API-options despite being a viewer-option! |
