alexcrichton opened PR #10943 from alexcrichton:instance-pin to bytecodealliance:main:
This commit represents more effort to bring safety to vm::Instance and, eventually, ComponentInstance. This is specifically addressing two points of safety around vm::Instance:

Previously ownership of this was murky where InstanceHandle sort of represented ownership but sort of didn't either through the InstanceHandle::clone method. Now InstanceHandle has a destructor for instances and no longer has clone, so there's one exclusive owner of an instance.

Previously &mut Instance was liberally passed around, but this is not sound because certain fields cannot be mutated (e.g. runtime offset information). While not a perfect solution this PR switches to using Pin<&mut Instance> everywhere instead. This prevents safe access to &mut Instance and we hand-write accessors to individual fields. Notably we omit mutable access to the runtime_info field.

This naturally involved a lot of refactoring internally, but notably this started bringing up preexisting issues around how there are locations in the codebase that simultaneously have &mut Instance and &mut StoreOpaque which is technically not sound due to being able to get back to the instance from the store. Some issues here were addressed by passing around indices more often such as in instance initialization and const-expr evaluation.

Note that all proxy methods on InstanceHandle are also all removed now and there's now only two: get and get_mut. This reflects how InstanceHandle should in general no longer be used and instead Instance itself, and some pointer-to thereof, should be exclusively used.

cc #10933
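The ownership and pinning pattern the PR description lays out (one owning handle without Clone, a Pin<&mut Instance> that cannot be turned into &mut Instance in safe code, and hand-written field accessors that omit the frozen runtime info), as an added stand-alone illustration. The types Instance, InstanceHandle, RuntimeInfo and the fuel field are hypothetical stand-ins and not Wasmtime's own code.

```rust
use std::marker::PhantomPinned;
use std::pin::Pin;
use std::sync::atomic::{AtomicUsize, Ordering};
/// Constructed stand-in for the immutable offset/layout information.
pub struct RuntimeInfo { pub memory_offset: usize }
/// Number of live instances; exclusive ownership means new/drop stay paired.
pub static LIVE_INSTANCES: AtomicUsize = AtomicUsize::new(0);
/// Hypothetical `Instance`. `PhantomPinned` makes it `!Unpin`, so a
/// `Pin<&mut Instance>` cannot be turned into `&mut Instance` in safe code;
/// mutation only happens through the accessors written below.
pub struct Instance { runtime_info: RuntimeInfo, fuel: u64, _pinned: PhantomPinned }

impl Instance {
    /// Shared access to the layout data is fine; there is deliberately no
    /// `runtime_info_mut`, so the offsets are frozen after construction.
    pub fn runtime_info(&self) -> &RuntimeInfo { &self.runtime_info }
    pub fn fuel(&self) -> u64 { self.fuel }
    /// Hand-written mutable accessor for a field that is safe to mutate.
    pub fn fuel_mut<'a>(self: Pin<&'a mut Self>) -> &'a mut u64 {
        // SAFETY: `fuel` is a plain integer; handing out `&mut` to it neither
        // moves the pinned value nor touches the frozen `runtime_info`.
        unsafe { &mut self.get_unchecked_mut().fuel }
    }
}

/// Hypothetical `InstanceHandle`: sole owner, no `Clone`, one destructor.
pub struct InstanceHandle { inner: Pin<Box<Instance>> }

impl InstanceHandle {
    pub fn new(info: RuntimeInfo) -> Self {
        LIVE_INSTANCES.fetch_add(1, Ordering::SeqCst);
        let inst = Instance { runtime_info: info, fuel: 0, _pinned: PhantomPinned };
        InstanceHandle { inner: Box::pin(inst) }
    }
    pub fn get(&self) -> &Instance { &self.inner }
    /// The only mutable entry point; callers get a pinned reference.
    pub fn get_mut(&mut self) -> Pin<&mut Instance> { self.inner.as_mut() }
}

impl Drop for InstanceHandle {
    fn drop(&mut self) { LIVE_INSTANCES.fetch_sub(1, Ordering::SeqCst); }
}

/// Drives the API: mutate fuel through the pinned accessor, read back results.
pub fn demo() -> (u64, usize) {
    let mut h = InstanceHandle::new(RuntimeInfo { memory_offset: 0x40 });
    *h.get_mut().fuel_mut() += 10;
    (h.get().fuel(), h.get().runtime_info().memory_offset)
}
```

A caller holding only a Pin<&mut Instance> can reach fuel_mut but has no safe path to the runtime_info field, which is the property the PR relies on.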
alexcrichton requested fitzgen for a review on PR #10943.
alexcrichton requested wasmtime-core-reviewers for a review on PR #10943.
alexcrichton updated PR #10943.
alexcrichton updated PR #10943.
fitzgen submitted PR review:
nice
alexcrichton commented on PR #10943:
I'll also note that ownership-wise this brings core wasm in line with components, where components have
OwnedComponentInstancewhich is now basically the exact same thing asInstanceHandle(and I'll try to eventually get around to aligning on naming conventions too)
alexcrichton has enabled auto merge for PR #10943.
alexcrichton commented on PR #10943:
While I have no reason to believe that's a flaky test failure I'm nevertheless curious. If it's flaky that's quite worrisome. If it's not flaky that's also worrisome...
alexcrichton commented on PR #10943:
Ok spurious failures should be fixed by https://github.com/bytecodealliance/wasmtime/pull/10947
alexcrichton merged PR #10943.
Last updated: Dec 06 2025 at 07:03 UTC