Release Wasmtime 44.0.1 (#13241)

[automatically-tag-and-release-this-commit]

Co-authored-by: Wasmtime Publish <[email protected]>

Fix panicking overflow when calculating table sizes (#13244)

Return an error instead of panicking in the same manner that OOM is
handled.

[44.0.x] Fix CI and improve reliability (#13160)

* Fix CI now that Wasmtime 44 is published (#13150)

The cycle begins anew

* Disable overflow-checks in Tokio, not debug asserts (#13151)

I didn't

[44.0.x] Fix CI and improve reliability (#13160)

* Fix CI now that Wasmtime 44 is published (#13150)

The cycle begins anew

* Disable overflow-checks in Tokio, not debug asserts (#13151)

I didn't let my loop run long enough to test whether #13147 fixed the
issue... In any case overflow-checks is what we want, not debug
assertions.

show more ...

Release Wasmtime 44.0.0 (#13143)

[automatically-tag-and-release-this-commit]

Co-authored-by: Wasmtime Publish <[email protected]>

Add release notes (#13096)

[44.0.0] Merged backports for security advisories (#13007)

* fix(environ): repair unsound StringPool::try_clone()

The 43.0 release introduced a soundness bug in StringPool::try_clone(): the
cloned

[44.0.0] Merged backports for security advisories (#13007)

* fix(environ): repair unsound StringPool::try_clone()

The 43.0 release introduced a soundness bug in StringPool::try_clone(): the
cloned map retains &'static str keys pointing into the original pool's
strings storage. Once the original Linker is dropped those keys dangle.

Cloning a Linker, then dropping the original one, leaves a linker whose
registered imports could no longer be found, causing instantiation to
fail with "unknown import".

Signed-off-by: Flavio Castelli <[email protected]>

* Fix pooling allocator predicate to reset VM permissions

This commit fixes a mistake that was introduced in #9583 where the logic
to reset a linear memory slot in the pooling allocator used the wrong
predicate. Specifically VM permissions must be reset if virtual memory
can be relied on at all, and the preexisting predicate of
`can_elide_bounds_check` was an inaccurate representation of this. The
correct predicate to check is `can_use_virtual_memory`.

* winch: Fix the type of the `table.size` output register

This commit corrects the tagged size of the output of the `table.size`
instruction. Previously this was hardcoded as a 32-bit integer instead
of consulting the table's index type to use the
index-type-sized-register instead.

* winch: Fix a host panic when executing `table.fill`

This commit fixes a possible panic when a Winch-compiled module executes
the `table.fill` instruction. Refactoring in #11254 updated Cranelift
but forgot to update Winch meaning that Winch's indices were still using
the module-level indices instead of the `DefinedTableIndex` space. This
adds some tests and updates Winch's translation to use preexisting
helpers.

* x64: Fix `f64x2.splat` without SSE3

Don't sink a load into `pshufd` which loads 16 bytes, instead force
`put_in_xmm` to ensure only 8 bytes are loaded.

* Properly verify alignment in string transcoding

This commit updates string transcoding between guest modules to properly
verify alignment. Previously alignment was only verified on the first
allocation, not reallocations, which is not spec-compliant. This
additionally fixes a possible host panic when dealing with unaligned
pointers.

* Fix type confusion in AArch64 amode RegScaled folding

* winch: Add add_uextend to perform explicit extension when needed.

This commit fixes an out-of-bounds access caused by the lack zero
extension in the code responsible for calculating the heap address for
loads/stores.

This issue manifests in aarch64 (unlike x64) given that no automatic
extension is performed, resulting in an out-of-bounds access.

An alternative approach is to emit an extend for the index, however
this approach is preferred given that it gives the MacroAssembler
layer better control of how to lower addition, e.g., in aarch64 we can
inline the desired extension in a single instruction.

* winch: Correctly type the result of table.grow

This commit fixes an out-of-bounds access caused by the lack of type
narrowing from the `table.grow` builtin. Without explicit narrowing,
the type is treated as 64-bit value, which could cause issues when
paired with loads/stores.

* Review comments

* Properly handle table index types

Only narrow when dealing with the 64-bit pointer/32-bit tables

* Fix panic with out-of-bounds flags in `Value`

This commit fixes a panic when a component model `Value` is lifted from
a flags value which specifies out-of-bounds bits as 1. This is specified
in the component model to ignore the out-of-bounds bits, which `flags!`
correctly did (and thus `bindgen!`), but `Value` treated out-of-bounds
bits as a panic due to indexing an array.

* Fix bounds checks in FACT's `string_to_compact` method

We need to bounds check the source byte length, not the number of code units.

* Add missing realloc validation in string transcoding

This commit adds a missing validation that a return value of `realloc`
is inbounds during string transcoding. This was accidentally missing on
the transcoding path from `utf8` to `latin1+utf16` which meant that a
nearly-raw pointer could get passed to the host to perform the
transcode.

* winch: Refine zero extension heuristic

This commit refines the zero extension heuristic such that it
unconditionally emits a zero extension when dealing with 32-bit
heaps. This eliminates any ambiguity related to the value of the
memory indices across ISAs.

* Fix failure on 32-bit

* Fix miri test

---------

Signed-off-by: Flavio Castelli <[email protected]>
Co-authored-by: Flavio Castelli <[email protected]>
Co-authored-by: Shun Kashiwa <[email protected]>
Co-authored-by: Saúl Cabrera <[email protected]>
Co-authored-by: Nick Fitzgerald <[email protected]>

show more ...

Fix another panic optimizing vector expressions (#12961)

Leftover from #12957

Handle OOM in `Func::call_async` and fiber creation (#12954)

* Handle OOM in `Func::call_async` and fiber creation

* fix clippy

* fix build

* really fix build

* address review feedback

* fix bu

Handle OOM in `Func::call_async` and fiber creation (#12954)

* Handle OOM in `Func::call_async` and fiber creation

* fix clippy

* fix build

* really fix build

* address review feedback

* fix build

* fix warnings

show more ...

Update GC proposal status in docs (#12918)

After https://github.com/bytecodealliance/wasmtime/pull/12917, we now have
support for the GC proposal in the C and C++ APIs.

Fix panic optimizing vector expressions (#12957)

This commit fixes an accidental regression from #12926 where `iconst_u`
was called with vector types which caused a panic. The fix is is to
disallow

Fix panic optimizing vector expressions (#12957)

This commit fixes an accidental regression from #12926 where `iconst_u`
was called with vector types which caused a panic. The fix is is to
disallow vector types in these ISLE rules and defer vector optimizations
to a future commit.

show more ...

Add `anyref` downcast methods to the C and C++ APIs (#12917)

Add support for async tests to our OOM test infrastructure (#12953)

* Add support for async tests to our OOM test infrastructure

* address review feedback

Add support for `arrayref`s to the C and C++ APIs (#12916)

* Add support for `arrayref`s to the C and C++ APIs

Also array types and `ArrayRefPre`.

* add docs and address similar issues from struct

Add support for `arrayref`s to the C and C++ APIs (#12916)

* Add support for `arrayref`s to the C and C++ APIs

Also array types and `ArrayRefPre`.

* add docs and address similar issues from structref PR's review

* fix doc build

show more ...

Cranelift: riscv64: fix zero-extension in trapif + icmp folding. (#12952)

* Add bad test.

* Fix lowering to properly zero-extend compared values.

Add wasi:http support to the C API (#12950)

riscv64: Fix `uadd_overflow` for 32-bit integers (#12951)

This commit fixes a mistake from #11583 where the implementation of
`uadd_overflow` on riscv64 was not correct for some inputs. This fix
gen

riscv64: Fix `uadd_overflow` for 32-bit integers (#12951)

This commit fixes a mistake from #11583 where the implementation of
`uadd_overflow` on riscv64 was not correct for some inputs. This fix
generates the same codegen as `uadd_overflow_trap` which is to
zero-extend both inputs, perform a 64-bit add, and use the 33rd bit as
the overflow flag.

This sequence does notably differ from what LLVM generates. For example
this input function

#[unsafe(no_mangle)]
pub fn uadd_overflow(a: u64, b: u64) -> (u32, bool) {
(a as u32).overflowing_add(b as u32)
}

generates:

uadd_overflow:
addw a0, a0, a1
sext.w a1, a1
sltu a1, a0, a1
ret

While this is probably correct I find it tough to reason about how
`addw` produces a sign-extended result, `sext.w` sign-extends one of the
operands, and then an unsigned comparison is used to generate the
overflow flag for an unsigned addition. Overall I felt it was easier to
just match the `uadd_overflow_trap` codegen.

show more ...

x64: Fix possible overflow in `Amode::offset` (#12949)

* x64: Fix possible overflow in `Amode::offset`

This commit fixes an issue in the x64 backend of Cranelift where the
`Amode::offset` method co

x64: Fix possible overflow in `Amode::offset` (#12949)

* x64: Fix possible overflow in `Amode::offset`

This commit fixes an issue in the x64 backend of Cranelift where the
`Amode::offset` method contained unchecked arithmetic meaning that it
could possibly overflow. This in turn could lead to a miscompile of
loading/storing 128-bit integers where this method is used to generate
an `Amode` that is 8 bytes beyond the based address to load the upper
bits. This miscompile isn't reachable from WebAssembly but is
nonetheless still a good bugfix to have for Cranelift.

The fix here is to switch the `Amode::offset` method to being fallible,
returning `None` on overflow. This then propagates up into ISLE where
the `amode_offset` helper now has a separate case for when the addition
fails, using `lea` to generate a register with an address in it. This
then subsequently also needed fixing for various `Atomic128*` operations
where instead of storing just a single `SyntheticAmode` they now store
two, one for the address of the low bits and one for the address of the
high bits.

* Fix tests

Notably package up all the arguments into a boxed structure for the
atomic128 ops to avoid making `Inst` too large.

* Fix clippy

show more ...

Update `mutatis` dep to 0.4.0 (#12945)

Cranelift: aarch64: fix `preserve-all` to save full vector registers. (#12944)

It turns out that the `preserve-all` ABI was only preserving some, not
all (false advertising!): specifically, the aarc

Cranelift: aarch64: fix `preserve-all` to save full vector registers. (#12944)

It turns out that the `preserve-all` ABI was only preserving some, not
all (false advertising!): specifically, the aarch64 ABI code was
continuing to use low-64-bit loads/stores on vector/float registers, as
it does for the ordinary AAPCS (SysV) calling convention. `PreserveAll`
specifically indicates that the *entire* vector register should be
saved; so now we do that.

show more ...

gc_ops: Add support for struct subtypes (#12931)

* Add struct subtypes

* Supertypes with probability

winch: implement ref.null, ref.is_null, ref.func, and typed select (#12940)

* winch: implement ref.null, ref.is_null, ref.func, and typed select

* add disas tests and ref.func call_indirect coverag

winch: implement ref.null, ref.is_null, ref.func, and typed select (#12940)

* winch: implement ref.null, ref.is_null, ref.func, and typed select

* add disas tests and ref.func call_indirect coverage

* register wasmtime module in fuzz wast_test to fix wast_smoke_test

show more ...

Add GC zeal assertions (#12933)

* Add GC zeal assertions

- Poison freed GC objects and new heap memory
- Assert newly-allocated objects are filled with poison pattern
- Add `gc_assert!` checks for

Add GC zeal assertions (#12933)

* Add GC zeal assertions

- Poison freed GC objects and new heap memory
- Assert newly-allocated objects are filled with poison pattern
- Add `gc_assert!` checks for valid `VMGcKind` on `GcHeap::index[_mut]`
- Add `gc_assert!` checks for valid `VMGcKind` during tracing
- Add `VMGcKind::try_from_u32()` for fallible kind validation
- Add over-approximated stack roots list integrity checks, called before and
after trace and sweep. Validates kind, in-list bit, ref count, and that the
list is not cyclic.
- Add assertion that all free blocks of memory contain the poison pattern,
before and after trace and sweep

* review feedback

show more ...

Add support for `structref` to the C and C++ APIs (#12915)

* Add support for `structref` to the C and C++ APIs

Also requires adding support for struct and field types, as well as
`StructRefPre`.

*

Add support for `structref` to the C and C++ APIs (#12915)

* Add support for `structref` to the C and C++ APIs

Also requires adding support for struct and field types, as well as
`StructRefPre`.

* review feedback and rebase

* fix doc build

* really fix doc build

* fix more docs

show more ...

[Cranelift] add simplification rules (#12937)

Add missing stack map declaration for `array.new_elem` (#12936)

`translate_array_new_elem` created a GC reference (array ref) via a libcall but
did not call `builder.declare_value_needs_stack_map()`

Add missing stack map declaration for `array.new_elem` (#12936)

`translate_array_new_elem` created a GC reference (array ref) via a libcall but
did not call `builder.declare_value_needs_stack_map()` on the result. This meant
the reference was not included in stack maps at subsequent safepoints, so if a
GC occurred, the reference became stale (leading to use-after-free within the GC
heap sandbox).

show more ...