Stream: git-wasmtime

Topic: wasmtime / PR #8569 [20.0.0]: Backport fixes from main br...


view this post on Zulip Wasmtime GitHub notifications bot (May 07 2024 at 10:08):

dundargoc opened PR #8569 from dundargoc:backport/release-20.0.0 to bytecodealliance:release-20.0.0.

view this post on Zulip Wasmtime GitHub notifications bot (May 07 2024 at 10:08):

dundargoc requested elliottt for a review on PR #8569.

view this post on Zulip Wasmtime GitHub notifications bot (May 07 2024 at 10:08):

dundargoc requested wasmtime-core-reviewers for a review on PR #8569.

view this post on Zulip Wasmtime GitHub notifications bot (May 07 2024 at 10:08):

dundargoc requested wasmtime-default-reviewers for a review on PR #8569.

view this post on Zulip Wasmtime GitHub notifications bot (May 07 2024 at 10:08):

dundargoc edited PR #8569:

When we compute the amount of space that we need in a stack frame for
the stack limit check, we were only counting spill-slots and explicit
stack-slots. However, we need to account for all uses of the stack which
occur before the next stack limit check. That includes clobbers and any
stack arguments we want to pass to callees.

The maximum amount that we could have missed by is essentially bounded
by the number of arguments which could be passed to a function. In
Wasmtime, that is limited by MAX_WASM_FUNCTION_PARAMS in
wasmparser::limits, which is set to 1,000, and the largest arguments
are 16-byte vectors, so this could undercount by about 16kB.

This is not a security issue according to Wasmtime's security policy
(https://docs.wasmtime.dev/security-what-is-considered-a-security-vulnerability.html)
because it's the embedder's responsibility to ensure that the stack
where Wasmtime is running has enough extra space on top of the
configured max_wasm_stack size, and getting within 16kB of the host
stack size is too small to be safe even with this fixed.

However, this was definitely not the intended behavior when stack limit
checks or stack probes are enabled, and anyone with non-default
configurations or non-Wasmtime uses of Cranelift should evaluate whether
this bug impacts your use case.

(For reference: When Wasmtime is used in async mode or on Linux, the
default stack size is 1.5MB larger than the default WebAssembly stack
limit, so such configurations are typically safe regardless. On the
other hand, on macOS the default non-async stack size for threads other
than the main thread is the same size as the default for
max_wasm_stack, so that is too small with or without this bug fix.)

Signed-off-by: Brian H <brian.hardock@fermyon.com>

Deduping bitcasts to integers from references can make the references no long
longer live across safepoints, and instead only the bitcasted integer results
would be. Because the reference is no longer live after the safepoint, the
safepoint's stack map would not have an entry for the reference, which could
result in the collector reclaiming an object too early, which is basically a
use-after-free bug. Luckily, we sandbox the GC heap now, so such UAF bugs aren't
memory unsafe, but they could potentially result in denial of service
attacks. Either way, we don't want those bugs!

On the other hand, it is technically fine to dedupe bitcasts to reference
types. Doing so extends, rather than shortens, the live range of the GC
reference. This potentially adds it to more stack maps than it otherwise would
have been in, which means it might unnecessarily survive a GC it otherwise
wouldn't have. But that is fine. Shrinking live ranges of GC references, and
removing them from stack maps they otherwise should have been in, is the
problematic transformation.

Fixes https://github.com/bytecodealliance/wasmtime/issues/8322


Signed-off-by: Brian H <brian.hardock@fermyon.com>
Co-authored-by: Jamey Sharp <jsharp@fastly.com>
Co-authored-by: Brian <brian.hardock@fermyon.com>
Co-authored-by: Nick Fitzgerald <fitzgen@gmail.com>


Co-authored-by: Trevor Elliott <telliott@fastly.com>


Co-authored-by: Pat Hickey <phickey@fastly.com>

This renames some types and adds some type aliases to help us better distinguish
between wasm.h APIs and wasmtime.h APIs, primarily for Store-related
types. In general, WasmFoo is related to wasm.h and WasmtimeFoo is related
to wasmtime.h.

This renames some types and adds some type aliases to help us better distinguish
between wasm.h APIs and wasmtime.h APIs, primarily for Store-related
types. In general, WasmFoo is related to wasm.h and WasmtimeFoo is related
to wasmtime.h.

A couple small tweaks: error message improvements, exhaustive matching, etc...

Turns out we haven't been running wasi-common tests for some time in CI
and they've started failing. Force enable the test at all times and then
fix the test failures. The test failures here were introduced in #8277
and weren't caught due to the test not running and the fix was to relax
the implementation of fd_pread to avoid taking multiple mutable
borrows.

A busy release!

Match the Wasmtime crate in this respect

Restores support for externref in wasmtime_val_t, methods for manipulating
them and getting their wrapped host data, and examples/tests for these things.

Additionally adds support for anyref in wasmtime_val_t, clone/delete methods
similar to those for externref, and a few i31ref-specific methods. Also adds
C and Rust example / test for working with anyref.

In addition to excluding i31 also exclude funcrefs.

This was removed in #8066

This commit fixes an issue where wasmtime_val_raw_t had an incorrect
alignment. In Rust ValRaw contains a u128 which has an alignment of
16 but in C the representation had a smaller alignment meaning that the
alignment of the two structures was different. This was seen to cause
alignment faults when structure were passed from C++ to Rust, for
example.

This commit changes the Rust representation of ValRaw's v128 field
to do the same as C which is to use [u8; 16]. This avoids the need to
raise the alignment in C which appears to be nontrivial. Cranelift is
appropriately adjusted to understand that loads/stores from ValRaw are
no longer aligned. Technically this only applies to the v128 field but
it's not too bad to apply it to the other fields as well.

Prevents any updates to rustc or crates from accidentally causing issues
by ensuring that the same set of deps is used over time.

The documentation referring to this example was removed in #6994 and
that forgot to remove this as well. This example is building without a
lock file which is causing issues in #8368.


Co-authored-by: Nick Fitzgerald <fitzgen@gmail.com>

This commit changes the wasmtime_val_t::{from_val, to_val} methods to
take a RootScope instead of any AsContextMut. This then required a
number of refactorings in callers to ensure that a RootScope was
created for any function that needed one. This is required to ensure
that GC references in the C API aren't forced to live for the entire
lifetime of the store.

This additionally added *_unrooted variants which do the same thing
but don't require RootScope. This was needed for when the C API calls
out to the embedder through a function call because a new RootScope
wouldn't work for return values (they're bound to a scope within the
closure when we want them to outlive the closure). In these situations
though we know a RootScope is already present at the entrypoint.

Closes #8367

[message truncated]

view this post on Zulip Wasmtime GitHub notifications bot (May 07 2024 at 10:09):

dundargoc edited PR #8569:

Instead of

Performing build step for
'wasmtime-crate''WASMTIME_CARGO_BINARY-NOTFOUND' is not recognized as an
internal or external command, operable program or batch file.

this will now instead output

"cargo" was not found. Ensure "cargo" is in PATH. Aborting...

This is extremely useful for cases where the default optimizations just
are not enough.

Background: neovim is interested to
add wasmtime support in https://github.com/neovim/neovim/pull/28415 but
we noticed that including wasmtime, even when not using wasmtime
directly, heavily affects runtime performance. This is not only
reflected in the increased startuptime but affects the runtime
performance overall.

Here are the benchmarks for startuptimes for different configurations.
Important to note is that all of runtime is affected, but the
startuptime is a decent proxy to measure runtime performance:

No wasm
  Time (mean ± σ):      50.5 ms ±   1.5 ms    [User: 32.8 ms, System: 12.3 ms]
  Range (min  max):    48.3 ms   54.4 ms    56 runs

Wasm, lto=thin
  Time (mean ± σ):     104.9 ms ±   3.5 ms    [User: 86.5 ms, System: 12.7 ms]
  Range (min  max):    99.5 ms  111.1 ms    26 runs

Wasm, lto=true
  Time (mean ± σ):      83.8 ms ±   2.5 ms    [User: 65.8 ms, System: 12.1 ms]
  Range (min  max):    80.5 ms   93.3 ms    31 runs

Wasm, lto=true, strip="none", incremental=false, codegen-units=1, panic="abort"
  Time (mean ± σ):      53.1 ms ±   1.0 ms    [User: 35.5 ms, System: 12.5 ms]
  Range (min  max):    50.6 ms   55.5 ms    54 runs

view this post on Zulip Wasmtime GitHub notifications bot (May 07 2024 at 18:13):

alexcrichton submitted PR review.

view this post on Zulip Wasmtime GitHub notifications bot (May 07 2024 at 18:13):

alexcrichton merged PR #8569.


Last updated: Dec 23 2024 at 13:07 UTC