Release Wasmtime 44.0.1 (#13241)

[automatically-tag-and-release-this-commit]

Co-authored-by: Wasmtime Publish <[email protected]>

Fix panicking overflow when calculating table sizes (#13244)

Return an error instead of panicking in the same manner that OOM is
handled.

[44.0.0] Merged backports for security advisories (#13007)

* fix(environ): repair unsound StringPool::try_clone()

The 43.0 release introduced a soundness bug in StringPool::try_clone(): the
cloned

[44.0.0] Merged backports for security advisories (#13007)

* fix(environ): repair unsound StringPool::try_clone()

The 43.0 release introduced a soundness bug in StringPool::try_clone(): the
cloned map retains &'static str keys pointing into the original pool's
strings storage. Once the original Linker is dropped those keys dangle.

Cloning a Linker, then dropping the original one, leaves a linker whose
registered imports could no longer be found, causing instantiation to
fail with "unknown import".

Signed-off-by: Flavio Castelli <[email protected]>

* Fix pooling allocator predicate to reset VM permissions

This commit fixes a mistake that was introduced in #9583 where the logic
to reset a linear memory slot in the pooling allocator used the wrong
predicate. Specifically VM permissions must be reset if virtual memory
can be relied on at all, and the preexisting predicate of
`can_elide_bounds_check` was an inaccurate representation of this. The
correct predicate to check is `can_use_virtual_memory`.

* winch: Fix the type of the `table.size` output register

This commit corrects the tagged size of the output of the `table.size`
instruction. Previously this was hardcoded as a 32-bit integer instead
of consulting the table's index type to use the
index-type-sized-register instead.

* winch: Fix a host panic when executing `table.fill`

This commit fixes a possible panic when a Winch-compiled module executes
the `table.fill` instruction. Refactoring in #11254 updated Cranelift
but forgot to update Winch meaning that Winch's indices were still using
the module-level indices instead of the `DefinedTableIndex` space. This
adds some tests and updates Winch's translation to use preexisting
helpers.

* x64: Fix `f64x2.splat` without SSE3

Don't sink a load into `pshufd` which loads 16 bytes, instead force
`put_in_xmm` to ensure only 8 bytes are loaded.

* Properly verify alignment in string transcoding

This commit updates string transcoding between guest modules to properly
verify alignment. Previously alignment was only verified on the first
allocation, not reallocations, which is not spec-compliant. This
additionally fixes a possible host panic when dealing with unaligned
pointers.

* Fix type confusion in AArch64 amode RegScaled folding

* winch: Add add_uextend to perform explicit extension when needed.

This commit fixes an out-of-bounds access caused by the lack zero
extension in the code responsible for calculating the heap address for
loads/stores.

This issue manifests in aarch64 (unlike x64) given that no automatic
extension is performed, resulting in an out-of-bounds access.

An alternative approach is to emit an extend for the index, however
this approach is preferred given that it gives the MacroAssembler
layer better control of how to lower addition, e.g., in aarch64 we can
inline the desired extension in a single instruction.

* winch: Correctly type the result of table.grow

This commit fixes an out-of-bounds access caused by the lack of type
narrowing from the `table.grow` builtin. Without explicit narrowing,
the type is treated as 64-bit value, which could cause issues when
paired with loads/stores.

* Review comments

* Properly handle table index types

Only narrow when dealing with the 64-bit pointer/32-bit tables

* Fix panic with out-of-bounds flags in `Value`

This commit fixes a panic when a component model `Value` is lifted from
a flags value which specifies out-of-bounds bits as 1. This is specified
in the component model to ignore the out-of-bounds bits, which `flags!`
correctly did (and thus `bindgen!`), but `Value` treated out-of-bounds
bits as a panic due to indexing an array.

* Fix bounds checks in FACT's `string_to_compact` method

We need to bounds check the source byte length, not the number of code units.

* Add missing realloc validation in string transcoding

This commit adds a missing validation that a return value of `realloc`
is inbounds during string transcoding. This was accidentally missing on
the transcoding path from `utf8` to `latin1+utf16` which meant that a
nearly-raw pointer could get passed to the host to perform the
transcode.

* winch: Refine zero extension heuristic

This commit refines the zero extension heuristic such that it
unconditionally emits a zero extension when dealing with 32-bit
heaps. This eliminates any ambiguity related to the value of the
memory indices across ISAs.

* Fix failure on 32-bit

* Fix miri test

---------

Signed-off-by: Flavio Castelli <[email protected]>
Co-authored-by: Flavio Castelli <[email protected]>
Co-authored-by: Shun Kashiwa <[email protected]>
Co-authored-by: Saúl Cabrera <[email protected]>
Co-authored-by: Nick Fitzgerald <[email protected]>

show more ...

Handle OOM in `Func::call_async` and fiber creation (#12954)

* Handle OOM in `Func::call_async` and fiber creation

* fix clippy

* fix build

* really fix build

* address review feedback

* fix bu

Handle OOM in `Func::call_async` and fiber creation (#12954)

* Handle OOM in `Func::call_async` and fiber creation

* fix clippy

* fix build

* really fix build

* address review feedback

* fix build

* fix warnings

show more ...

Add `anyref` downcast methods to the C and C++ APIs (#12917)

Add support for async tests to our OOM test infrastructure (#12953)

* Add support for async tests to our OOM test infrastructure

* address review feedback

Add support for `arrayref`s to the C and C++ APIs (#12916)

* Add support for `arrayref`s to the C and C++ APIs

Also array types and `ArrayRefPre`.

* add docs and address similar issues from struct

Add support for `arrayref`s to the C and C++ APIs (#12916)

* Add support for `arrayref`s to the C and C++ APIs

Also array types and `ArrayRefPre`.

* add docs and address similar issues from structref PR's review

* fix doc build

show more ...

Add wasi:http support to the C API (#12950)

gc_ops: Add support for struct subtypes (#12931)

* Add struct subtypes

* Supertypes with probability

winch: implement ref.null, ref.is_null, ref.func, and typed select (#12940)

* winch: implement ref.null, ref.is_null, ref.func, and typed select

* add disas tests and ref.func call_indirect coverag

winch: implement ref.null, ref.is_null, ref.func, and typed select (#12940)

* winch: implement ref.null, ref.is_null, ref.func, and typed select

* add disas tests and ref.func call_indirect coverage

* register wasmtime module in fuzz wast_test to fix wast_smoke_test

show more ...

Add GC zeal assertions (#12933)

* Add GC zeal assertions

- Poison freed GC objects and new heap memory
- Assert newly-allocated objects are filled with poison pattern
- Add `gc_assert!` checks for

Add GC zeal assertions (#12933)

* Add GC zeal assertions

- Poison freed GC objects and new heap memory
- Assert newly-allocated objects are filled with poison pattern
- Add `gc_assert!` checks for valid `VMGcKind` on `GcHeap::index[_mut]`
- Add `gc_assert!` checks for valid `VMGcKind` during tracing
- Add `VMGcKind::try_from_u32()` for fallible kind validation
- Add over-approximated stack roots list integrity checks, called before and
after trace and sweep. Validates kind, in-list bit, ref count, and that the
list is not cyclic.
- Add assertion that all free blocks of memory contain the poison pattern,
before and after trace and sweep

* review feedback

show more ...

Add support for `structref` to the C and C++ APIs (#12915)

* Add support for `structref` to the C and C++ APIs

Also requires adding support for struct and field types, as well as
`StructRefPre`.

*

Add support for `structref` to the C and C++ APIs (#12915)

* Add support for `structref` to the C and C++ APIs

Also requires adding support for struct and field types, as well as
`StructRefPre`.

* review feedback and rebase

* fix doc build

* really fix doc build

* fix more docs

show more ...

Add missing stack map declaration for `array.new_elem` (#12936)

`translate_array_new_elem` created a GC reference (array ref) via a libcall but
did not call `builder.declare_value_needs_stack_map()`

Add missing stack map declaration for `array.new_elem` (#12936)

`translate_array_new_elem` created a GC reference (array ref) via a libcall but
did not call `builder.declare_value_needs_stack_map()` on the result. This meant
the reference was not included in stack maps at subsequent safepoints, so if a
GC occurred, the reference became stale (leading to use-after-free within the GC
heap sandbox).

show more ...

Add missing missing stack map declaration for `array.new_data` (#12935)

`translate_array_new_data` created a GC reference (array ref) via a libcall but
did not call `builder.declare_value_needs_stac

Add missing missing stack map declaration for `array.new_data` (#12935)

`translate_array_new_data` created a GC reference (array ref) via a libcall but
did not call `builder.declare_value_needs_stack_map()` on the result. This meant
that the reference was not included in stack maps at subsequent safepoints, so
if a GC occurred, the reference became stale (leading to use-after-free bugs
inside the GC heap sandbox).

show more ...

Preserve `try_call[_indirect]` stack maps during lowering (#12934)

* Preserve `try_call[_indirect]` stack maps during lowering

Branch instructions are skipped in the main lowering loop, which means

Preserve `try_call[_indirect]` stack maps during lowering (#12934)

* Preserve `try_call[_indirect]` stack maps during lowering

Branch instructions are skipped in the main lowering loop, which means the stack
map forwarding code is never reached for them. The branch lowering path didn't
forward stack maps either. This was fine because branch instructions couldn't
previously ever be safepoints. However, with the introduction of `try_call` and
`try_call_indirect`, we now have instructions that are both safepoints and
branches.

This caused GC references live across `try_call[_indirect]` instructions to not
be traced during garbage collection, leading to use-after-free within the GC
heap sandbox when the collector swept those untraced-but-still-live objects.

The fix adds stack map forwarding after branch lowering, mirroring the
existing logic for non-branch instructions.

Fixes bytecodealliance/wasmtime#11753.

* update disas test

show more ...

Exceptions: add exception-specific (command-sequence) fuzzer. (#12923)

* Exceptions: add exception-specific (command-sequence) fuzzer.

This fuzzer uses a description of a set of "scenarios", arbitr

Exceptions: add exception-specific (command-sequence) fuzzer. (#12923)

* Exceptions: add exception-specific (command-sequence) fuzzer.

This fuzzer uses a description of a set of "scenarios", arbitrarily
generated, to produce a specific kind of module that tests throw/catch
behavior. The module contains a chain of functions that invoke each
other; one will throw, and the rest may have catch clauses that do or
do not catch.

* Review feedback.

show more ...

Update fibers to avoid no-return functions (#12928)

* Update fibers to avoid no-return functions

This commit is aimed at fixing the ASAN false positives in #12899.
Initially the fix there was to in

Update fibers to avoid no-return functions (#12928)

* Update fibers to avoid no-return functions

This commit is aimed at fixing the ASAN false positives in #12899.
Initially the fix there was to invoke some `__asan_*` intrinsics, and
I ended up finding a sort of smaller set of `__asan_*` intrinsics to
call as well. In the end what's happening though is that fibers, upon
terminating, have a few frames of Rust code on the stack before
switching off. To ASAN these frames never returned so when a stack is
subsequently reused ASAN is tricked into thinking this is buffer
overflow or use-after-free since it's stomping on frames that haven't
returned.

The fix in this commit is to avoid this style of function which doesn't
returns. Functions which don't return in Rust are easy to leak memory
from and are a hazard from a safety perspective as well (e.g. it's
unsafe to skip running destructors of stack variables). I feel we've had
better success over time with "all Rust functions always return" and so
what's what was applied here. Unlike #12899 or my thoughts on that PR
this does not have any new `__asan_*` intrinsic calls. Instead what this
does is it shuffles around responsibility for what exact piece of the
infrastructure is responsible for what. Specifically `fiber_start`
functions now actually return, meaning the `wasmtime_fiber_start` naked
function actually resumes execution, unlike before. The
`wasmtime_fiber_start` then delegates to `wasmtime_fiber_switch`
immediately to perform the final switch.

Effectively there's now only two function frames that never return, and
both of these frames are handwritten inline assembly. This means that
ASAN gets to see that all normal functions return and updates all of its
metadata accordingly. The end result is that the original issue from #12899
is fixed and this I feel is in general more robust as well.

One caveat is that the handwritten `wasmtime_fiber_start` assembly needs
to invoke a sibling `wasmtime_fiber_switch_` function. In lieu of trying
to figure out how to get PIC-vs-not calls working (e.g. static calls)
I've opted to use indirect function calls and pointers instead. This
mirrors historical changes in our fiber implementation too.

* Fix CI builds

* Fix miri

show more ...

Add "GC Zeal" infrastructure for additional, aggressive GC assertions (#12921)

* Add "GC Zeal" infrastructure for additional, aggressive GC assertions

This initial commit just sets up the initial G

Add "GC Zeal" infrastructure for additional, aggressive GC assertions (#12921)

* Add "GC Zeal" infrastructure for additional, aggressive GC assertions

This initial commit just sets up the initial GC Zeal infrastructure, it doesn't
actually start using it anywhere yet.

* Adds support for `cfg(gc_zeal)` to `crates/wasmtime/build.rs` and
`crates/cranelift/build.rs`
* Defines `gc_assert!` macro
* Defines `wasmtime_environ::gc::POISON` constant for GC heap poisoning
* Adds debug assert that `POISON` doesn't overlap any valid `VMGcKind`
discriminant
* Adds CI job to run GC-related tests with `cfg(gc_zeal)`

* Review feedback

show more ...

Add `eqref` support to the C and C++ APIs (#12914)

* Add `eqref` support to the C and C++ APIs

* fix doc build

Allow another error in `p3_sockets_tcp_streams` test (#12927)

Captured in a failure in #12924

Closes #12924

Use traps when checking initial table/memory bounds (#12929)

Instead of using a custom error string this enables fuzzing to, for
example, see that a `Trap` was returned and consider the fuzz test ca

Use traps when checking initial table/memory bounds (#12929)

Instead of using a custom error string this enables fuzzing to, for
example, see that a `Trap` was returned and consider the fuzz test case
a normal failure. These code paths are only executed when `bulk_memory`
is disabled which is pretty rare, and also explains why it's come up in
fuzzing only just now after #12883.

show more ...

Debugging: add debugger support for `wasmtime serve`. (#12859)

This adopts a simple solution to #12776: it takes the "instance reuse"
paradigm to the extreme, instantiating exactly one instance and

Debugging: add debugger support for `wasmtime serve`. (#12859)

This adopts a simple solution to #12776: it takes the "instance reuse"
paradigm to the extreme, instantiating exactly one instance and
serializing all requests into that one instance. This allows the
debugger component to operate on one `Store`, setting breakpoint state
and presenting its execution to the attached debugger as a single
program execution and minimizing impedance mismatches.

This also adds an integration test that runs an existing wasi-http
test component under the debugger.

show more ...

mpk: Fix index used when purging a module in the pooling allocator (#12910)

This commit fixes an issue with the pooling allocator when MPK is
enabled, which is off-by-default at compile time. When a

mpk: Fix index used when purging a module in the pooling allocator (#12910)

This commit fixes an issue with the pooling allocator when MPK is
enabled, which is off-by-default at compile time. When a module is
dropped all remaining images are purged from the pooling allocator, but
the purging logic mistakenly used the wrong kind of index during purging
which led to corruption of the pooling allocator itself. This fixes the
logic and adds regression tests showcasing the issue as well.

show more ...

Exceptions: implement C API. (#12861)

* Exceptions: implement C API.

This PR implements C (and C++) API support for Wasm exceptions, one
final remaining hurdle (aside from fuzz-testing) for making

Exceptions: implement C API. (#12861)

* Exceptions: implement C API.

This PR implements C (and C++) API support for Wasm exceptions, one
final remaining hurdle (aside from fuzz-testing) for making exceptions
tier-1 and on-by-default.

* Review feedback, and add exnref case to `wasmtime_val_t`.

* Review feedback: GC feature guard.

* clang-format

* add docs to exn.hh.

* Remove tag size asserts: broken on 32-bit platforms, but not needed for correctness wrt C struct.

show more ...

Address assertion failure in the types fixup(): Dedup A TypeId that appears in multiple rec groups' member sets. (#12900)