
Write fully safe Rust bindings to SpiderMonkey #8732

Closed
DemiMarie opened this issue Nov 29, 2015 · 6 comments
Labels
I-safety Some piece of code violates memory safety guarantees.

Comments

@DemiMarie

The Rust bindings to SpiderMonkey are not really safe, even with the plugins. Layout must use unsafe accessors, asserts to prevent undefined behavior are not present in release builds, and the compiler plugins do not prevent all errors involving purely safe code.

One solution to this is to provide fully safe Rust bindings to SpiderMonkey. This seems (to me) to involve:

  • Using the type system to ensure that the correct JSContext is passed to the JSAPI.
  • Using the type system and/or a better compiler plugin to ensure that types like Rooted<T> are not misused. In particular, they should not be allowed as generic type parameters.
  • Creating a container that can hold any number of Javascript objects, together with an arbitrary Rust payload, and use it for all heap-allocated objects containing Javascript values. Alternatively, make the existing unrooted_must_root lint sound.
  • Look at the unsafe code generated by the WebIDL bindings. Can it be replaced by safe code?
  • Packaging all of this up in such a way as to be usable by other Rust libraries and programs, not just Servo.
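The first two bullets above (tying a JSContext to the values rooted in it, and keeping Rooted<T> from escaping the scope that owns it) can be expressed with an invariant lifetime brand. The following is an added illustration, not code from Servo, rust-mozjs or linjs: JsContext, Rooted, js_to_string and with_context are toy stand-ins that simulate a rooting stack and a collector in plain Rust so the pattern can be run on its own. What the real bindings check with debug assertions, this version turns into type errors: a Rooted from one context cannot be passed to another, and no Rooted can be returned out of the scope in which its context lives.

```rust
use std::cell::RefCell;
use std::marker::PhantomData;

/// Toy stand-in for a JS engine context (assumption: not the real JSContext).
/// `'cx` is an invariant brand: every `with_context` call mints a fresh one,
/// so values branded by one context cannot be mixed with another.
pub struct JsContext<'cx> {
    roots: RefCell<Vec<usize>>,          // simulated rooting stack
    heap: RefCell<Vec<Option<String>>>,  // simulated GC heap; None = collected
    _brand: PhantomData<fn(&'cx ()) -> &'cx ()>, // fn(&'cx) -> &'cx is invariant in 'cx
}

/// Rooted handle: borrows the context (`'a`), so it cannot outlive the scope
/// that created it, and carries the context brand (`'cx`).
pub struct Rooted<'a, 'cx> {
    cx: &'a JsContext<'cx>,
    id: usize,
}

impl<'cx> JsContext<'cx> {
    /// Allocate a heap object and root it before handing it out: there is
    /// no safe API that yields an unrooted GC pointer.
    pub fn new_object<'a>(&'a self, payload: &str) -> Rooted<'a, 'cx> {
        let id = {
            let mut heap = self.heap.borrow_mut();
            heap.push(Some(payload.to_string()));
            heap.len() - 1
        };
        self.roots.borrow_mut().push(id);
        Rooted { cx: self, id }
    }

    /// Simulated collection: free every object that is not currently rooted.
    /// Returns how many objects were freed.
    pub fn collect_garbage(&self) -> usize {
        let roots = self.roots.borrow();
        let mut freed = 0;
        for (id, slot) in self.heap.borrow_mut().iter_mut().enumerate() {
            if slot.is_some() && !roots.contains(&id) {
                *slot = None;
                freed += 1;
            }
        }
        freed
    }

    /// Number of heap objects that have not been collected.
    pub fn live_objects(&self) -> usize {
        self.heap.borrow().iter().filter(|s| s.is_some()).count()
    }
}

impl Rooted<'_, '_> {
    /// Reads go through the Rooted, so the slot cannot have been collected.
    pub fn get(&self) -> String {
        self.cx.heap.borrow()[self.id]
            .clone()
            .expect("a rooted object is never collected")
    }
}

impl Drop for Rooted<'_, '_> {
    /// Unroot on scope exit, like the destructor of JS::Rooted.
    fn drop(&mut self) {
        let id = self.id;
        self.cx.roots.borrow_mut().retain(|&r| r != id);
    }
}

/// A "JSAPI" call: both arguments must carry the same brand `'cx`. Passing a
/// Rooted that belongs to another context is a compile error, not a debug assert.
pub fn js_to_string<'cx>(_cx: &JsContext<'cx>, obj: &Rooted<'_, 'cx>) -> String {
    obj.get()
}

/// Entry point. The closure must accept *every* `'cx`, so the brand it sees
/// cannot be named outside it, and the return type `R` cannot mention it:
/// no Rooted can be smuggled out of the scope that owns its context.
pub fn with_context<R>(f: impl for<'cx> FnOnce(&JsContext<'cx>) -> R) -> R {
    let cx = JsContext {
        roots: RefCell::new(Vec::new()),
        heap: RefCell::new(Vec::new()),
        _brand: PhantomData,
    };
    f(&cx)
}

// Both of these are rejected by the compiler (brand mismatch / brand escaping):
//   with_context(|cx1| with_context(|cx2| js_to_string(cx2, &cx1.new_object("x"))));
//   with_context(|cx| cx.new_object("x"));

/// Exercise rooting: an object rooted in an inner scope survives a collection
/// run inside that scope and is collected once the scope ends.
pub fn demo_rooting() -> (usize, usize, usize, String) {
    with_context(|cx| {
        let kept = cx.new_object("kept");
        let freed_in_scope = {
            let _temporary = cx.new_object("temporary");
            cx.collect_garbage() // both objects rooted: nothing freed
        };
        // `_temporary` has been dropped and therefore unrooted.
        let freed_after_scope = cx.collect_garbage();
        (freed_in_scope, freed_after_scope, cx.live_objects(), js_to_string(cx, &kept))
    })
}

fn main() {
    let (in_scope, after_scope, live, kept) = demo_rooting();
    println!("freed in scope: {in_scope}, freed after scope: {after_scope}, live: {live}, kept: {kept}");
}
```

The brand comes from the `fn(&'cx ()) -> &'cx ()` marker, which makes `'cx` invariant so the compiler cannot shrink or grow it to make two contexts line up; `with_context` quantifies over it so no caller can name it. The third bullet (a container for many JS values plus a Rust payload) would sit on top of this: such a container would itself be a rooted, branded type rather than something a lint has to police.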
@Ms2ger
Contributor

Ms2ger commented Nov 29, 2015

While this would be nice, it is not a priority for us.

@jdm jdm added the I-safety Some piece of code violates memory safety guarantees. label Nov 29, 2015
@DemiMarie
Author

I think I understand – in a web browser there is more to security than just memory safety.

@nox
Contributor

nox commented Sep 30, 2017

Cc @asajeffrey

@asajeffrey asajeffrey self-assigned this Oct 2, 2017
@asajeffrey
Member

This is the goal of https://github.com/asajeffrey/linjs; we shall see if it scales to something the size of servo!

@dralley
Contributor

dralley commented Mar 24, 2020

Related to this? #8079

@jdm
Member

jdm commented Mar 24, 2020

I don't see a compelling reason to keep this issue open. It would be better to file more specific issues in https://github.com/servo/rust-mozjs.

@jdm jdm closed this as completed Mar 24, 2020