alexcrichton requested wasmtime-fuzz-reviewers for a review on PR #9230.
alexcrichton opened PR #9230 from alexcrichton:no-signals to bytecodealliance:main:
This commit introduces a new configuration option `Config::host_trap_handlers` which enables disabling the reliance on host trap handlers (e.g. signal handlers on Unix) at runtime. This is intended to help increase portability in cases where signal handlers are otherwise difficult. This is achieved by plumbing the translation environment to more locations which now conditionally lowers to calls to a function to raise a trap instead of a trap instruction. The caveats of this support are:
- This is not yet implemented for Winch
- This requires disabling spectre mitigations
- This does not yet support shared memories since it forces dynamic memories to be used.
These points are all possible to address but it might be best to see how this feature evolves over time. I'll also note that this is not an optimized implementation and likely has a fair bit of overhead. For example the solution in #6926 of a more optimized stub to jump-and-trap is not implemented yet.
Closes #6926
alexcrichton requested elliottt for a review on PR #9230.
alexcrichton requested wasmtime-compiler-reviewers for a review on PR #9230.
alexcrichton requested wasmtime-core-reviewers for a review on PR #9230.
alexcrichton requested fitzgen for a review on PR #9230.
alexcrichton updated PR #9230.
github-actions[bot] commented on PR #9230:
Subscribe to Label Action
cc @fitzgen
<details>
This issue or pull request has been labeled: "cranelift", "cranelift:wasm", "fuzzing", "wasmtime:api", "wasmtime:config"
Thus the following users have been cc'd because of the following labels:
- fitzgen: fuzzing
To subscribe or unsubscribe from this label, edit the <code>.github/subscribe-to-label.json</code> configuration file.
Learn more.
</details>
github-actions[bot] commented on PR #9230:
Label Messager: wasmtime:config
It looks like you are changing Wasmtime's configuration options. Make sure to
complete this check list:
[ ] If you added a new `Config` method, you wrote extensive documentation for it.
<details>
Our documentation should be of the following form:
```text
Short, simple summary sentence.

More details. These details can be multiple paragraphs. There should be
information about not just the method, but its parameters and results as
well.

Is this method fallible? If so, when can it return an error?

Can this method panic? If so, when does it panic?

Example

Optional example here.
```
</details>
[ ] If you added a new `Config` method, or modified an existing one, you ensured that this configuration is exercised by the fuzz targets.
<details>
For example, if you expose a new strategy for allocating the next instance
slot inside the pooling allocator, you should ensure that at least one of our
fuzz targets exercises that new strategy.

Often, all that is required of you is to ensure that there is a knob for this
configuration option in [wasmtime_fuzzing::Config][fuzzing-config] (or one
of its nested `struct`s).

Rarely, this may require authoring a new fuzz target to specifically test this
configuration. See [our docs on fuzzing][fuzzing-docs] for more details.
</details>
[ ] If you are enabling a configuration option by default, make sure that it
has been fuzzed for at least two weeks before turning it on by default.

[fuzzing-config]: https://github.com/bytecodealliance/wasmtime/blob/ca0e8d0a1d8cefc0496dba2f77a670571d8fdcab/crates/fuzzing/src/generators.rs#L182-L194
[fuzzing-docs]: https://docs.wasmtime.dev/contributing-fuzzing.html
<details>
To modify this label's message, edit the <code>.github/label-messager/wasmtime-config.md</code> file.
To add new label messages or remove existing label messages, edit the
<code>.github/label-messager.json</code> configuration file.</details>
alexcrichton updated PR #9230.
fitzgen submitted PR review:
Very nice, thanks!
Did we also want to run the full spec test suite under this configuration, or do you think the differential fuzzing and spec test fuzzer are good enough?
r=me with a bunch of nitpicks and such below
fitzgen created PR review comment:
Can we debug assert or something that `env.can_use_virtual_memory_traps()` when spectre mitigations are enabled?
fitzgen created PR review comment:
Great!
fitzgen created PR review comment:
```rust
/// is here with an explicit check instead. Note that the explicit check is
/// always present even if this is a "leaf" function, as we have to call into
/// the host to trap when signal handlers are disabled.
```
fitzgen created PR review comment:
Maybe a little more context here? And/or a follow up issue to reference?
fitzgen created PR review comment:
I could interpret "host trap handlers" in two different and opposite ways:
- The host is allowed to rely on the virtual memory subsystem for traps, and should install signal handlers as it sees fit.
- Trapping should be implemented and handled "in the host" rather than in Wasm code and/or via the OS (i.e. emitting `ud2`, simply accessing memory and relying on a virtual memory fault if it is OoB, etc...)

What do you think about renaming this, and the actual `wasmtime::Config` knob to `virtual_memory_traps`? I personally think that is much clearer, probably will be for external users too, I'd guess.
fitzgen created PR review comment:
This is to assert that we never return from the `trap` libcall, right? Care to add a quick comment noting that?
fitzgen created PR review comment:
Double checking, as I am not an ieee754 guru: always promoting `f32` to `f64` here cannot affect rounding later on when converting to a 32-bit integer, right? Thinking specifically about very large (positive or negative) numbers where ieee754 is non-contiguous and has holes between representable integers, but those holes will be different for `f32` vs `f64`. But I guess those would always be out of bounds of the 32-bit integer and cause a trap?

cc @sunfishcode, who has delved into these depths more than I have...
fitzgen created PR review comment:
Can this take a `code: u8` instead of a `code: u32` if it is just going to `code.try_into().unwrap()` it? Is there a reason for the weird mismatch of bit widths?
fitzgen created PR review comment:
Yeah, expanding on my previous naming bikeshed, I think phrasing/renaming this stuff as `virtual_memory_traps` or maybe `signals_based_traps` will clarify things for users a lot here. The latter is slightly more precise in that a `ud2` isn't actually related to virtual memory, but opens the can of worms that is "windows has something else that is similar to signals but not actually called signals" I think.

The other thing that might be good to flush out a tiny bit more here is the portability hazard bit and say something about which environments might want to disable these handlers. Even just adding something like "for example, embedded operating systems that do not support virtual memory" in parens after "can be a portability hazard in some environments" is probably good enough.
fitzgen created PR review comment:
Thanks for writing this test! Could you also add a comment at the top of the file detailing
- what this test is checking, and
- why it needs to be isolated in its own test binary
?
fitzgen created PR review comment:
It would be mildly nice/tidy/future-proof to scope down the `allow`s to just the relevant statements.
fitzgen created PR review comment:
And maybe just a quick one-line comment about why this is unix-only and (I presume) how we don't have a way of checking whether we installed exception handlers on windows or not.
fitzgen created PR review comment:
This seems to be identical to the component trapping libcall -- is there a reason we need two copies and can't just use this one everywhere?
fitzgen created PR review comment:
This reminds me that we should definitely be doing differential fuzzing between virtual-memory-traps={yes,no} configs. I assume you probably added that, but I haven't finished reading the PR yet. Just noting this down just in case.
github-actions[bot] commented on PR #9230:
Subscribe to Label Action
cc @fitzgen
<details>
This issue or pull request has been labeled: "wasmtime:ref-types"
Thus the following users have been cc'd because of the following labels:
- fitzgen: wasmtime:ref-types
To subscribe or unsubscribe from this label, edit the <code>.github/subscribe-to-label.json</code> configuration file.
Learn more.
</details>
alexcrichton submitted PR review.
alexcrichton created PR review comment:
Very good points yeah, and I like the `signals_based_traps` name you suggested below, so I've gone with that.
alexcrichton submitted PR review.
alexcrichton created PR review comment:
Whoops I forgot to fill this out
alexcrichton submitted PR review.
alexcrichton created PR review comment:
Nah just more effort to plumb u8 to more locations, but I've now done that.
alexcrichton submitted PR review.
alexcrichton created PR review comment:
There's some subtle differences in the ABI like the exact return value and the first parameter between the component/core wasm side of things. The component side of things is a bit unfortunate because it's only needed for a degenerate case of always-trapping adapters, but I'll probably leave the minor duplication for now in the hopes this can be refactored away in the future
alexcrichton submitted PR review.
alexcrichton created PR review comment:
I believe that `f64` can losslessly represent a `f32`, yes, it's just the other way around that's bad. Additionally I think it's always valid to promote, perform an op, then demote. The bad thing is to promote, perform a few ops, then demote. Here though there's no "demotion" and it's just promote-and-convert which I believe in theory should.

The wasm spec tests are actually somewhat comprehensive in the boundary cases here and differential fuzzing is also enabled, so I believe that this is correct. (famous last words)
alexcrichton updated PR #9230.
alexcrichton has enabled auto merge for PR #9230.
fitzgen submitted PR review.
fitzgen created PR review comment:
Ah gotcha. SGTM
alexcrichton updated PR #9230.
alexcrichton updated PR #9230.
alexcrichton has enabled auto merge for PR #9230.
alexcrichton merged PR #9230.
Last updated: Dec 23 2024 at 12:05 UTC