wasmtime / PR #10880 Merge `vm::Instance::vmctx_plus_offs... · git-wasmtime

Stream: git-wasmtime

Topic: wasmtime / PR #10880 Merge `vm::Instance::vmctx_plus_offs...

Wasmtime GitHub notifications bot (May 30 2025 at 23:05):

alexcrichton opened PR #10880 from alexcrichton:refactor-vmctx-plus-offset to bytecodealliance:main:

This commit merges two helper methods to calculate an internal pointer with a VMContext. Historically these two methods mapped different levels of mutability but nowadays there's no need for this. The provenance/mutability of VMContext memory is independent of &self meaning that it's safe to create/mutate through a NonNull in the vmctx area through a &self-derived pointer.

The purpose of this commit is to avoid needlessly requiring &mut self throughout methods on Instance. Currently many of them require mutability to only create a pointer, and this mutability is a burden that need not be required.

Wasmtime GitHub notifications bot (May 30 2025 at 23:05):

alexcrichton requested fitzgen for a review on PR #10880.

Wasmtime GitHub notifications bot (May 30 2025 at 23:05):

alexcrichton requested wasmtime-core-reviewers for a review on PR #10880.

Wasmtime GitHub notifications bot (May 30 2025 at 23:13):

alexcrichton commented on PR #10880:

Hm ok thinking more about this is mainly means that Sync is no longer correctly inferred, as Instance should no longer be Sync. I feel like we probably do want to keep it Sync, though, so now I'm souring a bit on this approach.

I think I have an idea of how to tackle this, improve safety, and keep Sync, so converting this to a draft.

Wasmtime GitHub notifications bot (May 31 2025 at 01:27):

alexcrichton updated PR #10880.

Wasmtime GitHub notifications bot (May 31 2025 at 01:27):

alexcrichton edited PR #10880:

Currently acquiring a mutable pointer to VMContext memory requires
&mut Instance which for many methods is a tall ask. Some methods are
basically just reading data structures and shuffling bits around, but
requiring a mutable instance prohibits their use in some contexts. The
general goal of this commit is to make it possible to read, but not
necessarily manipulate data structures with &self instead of requiring
&mut.

Specifically this commit redefines the preexisting
vmctx_plus_offset{,_mut} methods as returning a safe reference, not a
raw reference. This ensures that the lifetime of the returned reference
is scoped properly and it inherits the mutability of self to retain
being Send and Sync by default. To make up for lost ground though
this commit additionally adds a new vmctx_plus_offset_raw method which
these prior two methods delegate to. This new method returns a
NonNull<T> and is the primary way of acquiring a raw pointer to
VMContext fields. This new method notably takes &self as an
argument.

The end result is that small/quick mutations of a VMContext are able
to keep using vmctx_plus_offset{,_mut} with a little extra safety, but
many callers have migrated to the *_raw variant which no longer
requires &mut self. This will end up being used in further commits and
methods aren't switched over just yet.

It's worth noting the relevance to https://github.com/advisories/GHSA-ch89-5g45-qwc7 in this commit as
well. Historically the acquisition of a mutable pointer from &self led
to true undefined behavior at runtime resulting in incorrect execution.
This is naively moving right back to such a model where a &self-based
method is returning a pointer through which a mutation is happening, but
this is crucially different in how the base vmctx pointer is created.
Previously it was calculated as an offset from &self, but now the
address is calculated from &self but the provenance comes from a
known-mutable pointer. This construction means that annotations on
&self are not applicable to the vmctx pointer itself and thus not
applicable to the returned pointer. In the end this means that it should
be safe to acquire mutable pointers to vmctx memory from &self on an
instance.

Last updated: Dec 06 2025 at 06:05 UTC