WIP final gnovm fix for noncrossing functions passed to realms

[jaekwon]

This PR will finalize the gno interrealm spec.
The primary goal is to address the Oak security audit issue found.
Also will unify terminology, and double-check consistency of interrealm spec.

Making a PR to allow commenting on the initial commit of mental model.

[Gno2D2]

🛠 PR Checks Summary

All Automated Checks passed. ✅

Manual Checks (for Reviewers):

• IGNORE the bot requirements for this PR (force green CI check)

Read More

🤖 This bot helps streamline PR reviews by verifying automated checks and providing guidance for contributors and reviewers.

✅ Automated Checks (for Contributors):

No automated checks match this pull request.

☑️ Contributor Actions:

1. Fix any issues flagged by automated checks.
2. Follow the Contributor Checklist to ensure your PR is ready for review.
   • Add new tests, or document why they are unnecessary.
   • Provide clear examples/screenshots, if necessary.
   • Update documentation, if required.
   • Ensure no breaking changes, or include BREAKING CHANGE notes.
   • Link related issues/PRs, where applicable.

☑️ Reviewer Actions:

1. Complete manual checks for the PR, including the guidelines and additional checks if applicable.

📚 Resources:

• Report a bug with the bot.
• View the bot’s configuration file.

Debug

Manual Checks

**IGNORE** the bot requirements for this PR (force green CI check)

If

🟢 Condition met
└── 🟢 On every pull request

Can be checked by

• Any user with comment edit permission

[moul]

contradictory?

[moul]

Suggested change

	bob.Do(obj.Method) // FAIL: not yet unattached
	alice.SetClosure(cls) // obj recursively attached to alice late
	bob.Do(obj.Method) // SUCCESS: attached to bob
	bob.Do(obj.Method) // FAIL: not yet attached
	alice.SetClosure(cls) // obj recursively attached to alice late
	bob.Do(obj.Method) // FAIL: attached to alice (but need bob)

?

[jaekwon]

you're right, i'll update with a better example. bob.SetClosure().

[moul]

Suggested change

	bob.Do(obj.Method) // FAIL: not yet unattached
	alice.SetClosure(cls) // obj recursively attached via cls to alice late
	bob.Do(obj.Method) // SUCCESS: attached to bob
	bob.Do(obj.Method) // FAIL: not yet attached
	alice.SetClosure(cls) // obj recursively attached via cls to alice late
	bob.Do(obj.Method) // FAIL: attached to alice (but need bob)

[ltzmaxwell]

if in package alice, Method is declared as:

func (obj *Object) Method() { // CASE rB2~4, CASE rC1~5
        // mutate unintended exported global var by assignment 
        bob.Private2 = -1
        // mutate intended global var
		bob.PrivateFunc()
}

it can be inferred that a realm should never declare an exported global var, if there are any method/closure attached/injected, to avoid unintended mutation, right?

[jaekwon]

interesting point.

bob has to be careful what he exposes; if he exposes something like this, needs to be careful about what he attaches, unless it is meant to be modified this way.

it is intentional, if we think of .Exposed variables as basically having implied GetExposed() and SetExposed() functions.

[ltzmaxwell]

This seems to increase the developer’s mental burden — they have to be aware of whether their realm will attach functions, and whether there are any global variables that should not be exposed.

How about requiring that all global variables of realm be mutated only through functions?

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[ltzmaxwell]

convert the spec into txtar. the pXXXs are not included here as p cannot import r.

[ltzmaxwell]

the initial "issue". the "issue" is same as previous comment: "bob has to be careful what he exposes; if he exposes something like this, needs to be careful about what he attaches, unless it is meant to be modified this way."