Fix two security advisories. (#12652)

* Fix two security advisories.

This commit contains merged fixes for two security advisories in
Wasmtime:

* GHSA-852m-cvvp-9p4w
* GHSA-243v-98vx-264h

This in

Fix two security advisories. (#12652)

* Fix two security advisories.

This commit contains merged fixes for two security advisories in
Wasmtime:

* GHSA-852m-cvvp-9p4w
* GHSA-243v-98vx-264h

This introduces new knobs to Wasmtime to limit the scope of resources
that WASI implementations will allocate on behalf of guests. Unlike
backports to 41.0.x-and-prior these knobs all have default values which
are considered reasonable for hosts if they don't further tune them. The
following CLI knobs have been added:

* `-Smax-resources` - limits the total component-model resources a guest
can allocate in a table
* `-Shostcall-fuel` - a broad limit which enforces that at most this
amount of data will be copied from the guest to the host in any one
API call (e.g. `string` values can't be too big, `list<string>` can't
be quadratic, etc). This fuel is reset on each host function call.
* `-Smax-random-size` - the maximal size of the return value of the
`get-random-bytes` and `get-insecure-random-bytes` WASI functions.
* `-Smax-http-fields-size` - a limit on the size of `wasi:http` `fields`
values to avoid infinitely buffering data within the host.

The `http` crate has additionally been updated to avoid a panic when
adding too many headers to a `fields` object.

Co-authored-by: Mark Bundschuh <[email protected]>
Co-authored-by: Pat Hickey <[email protected]>
Co-authored-by: Joel Dice <[email protected]>

* CI fixes

* Run rustfmt
* Fix wasi-common build

* Fix tests on 32-bit

* Fix nightly test expectations

prtest:full

---------

Co-authored-by: Mark Bundschuh <[email protected]>
Co-authored-by: Pat Hickey <[email protected]>
Co-authored-by: Joel Dice <[email protected]>

show more ...

Disable `Tombstone` insertion in `ResourceTable` by default (#12114)

This was useful in the development of WASIp3 but given the relatively
big change in behavior to a foundational data structure I d

Disable `Tombstone` insertion in `ResourceTable` by default (#12114)

This was useful in the development of WASIp3 but given the relatively
big change in behavior to a foundational data structure I don't think
it's best to keep this tied to `cfg!(debug_assertions)`. Instead disable
it by default and use a source-editing approach to change it.

show more ...

merge `concurrent::table::Table` back into `ResourceTable` (#11547)

* merge `concurrent::table::Table` back into `ResourceTable`

When I started implementing component model async support, I copied

merge `concurrent::table::Table` back into `ResourceTable` (#11547)

* merge `concurrent::table::Table` back into `ResourceTable`

When I started implementing component model async support, I copied
`resource_table.rs` to `concurrent/table.rs` and made some modifications. Now
I'm unifying the implementations to reduce duplication.

- `concurrent/table.rs` now only contains the `TableId` type and the `TableDebug` trait; the `Table` type has been merged into `ResourceTable`.

- `TableId` can be thought of as a lightweight variation of `Resource` representing handles which can't be borrowed. It also implements `Copy`, `Hash`, `Debug`, etc. for convenience, and can be converted to and from `Resource`.

- `ResourceTable` now has `enable_debug`, `is_empty`, `add_child`, `remove_child`, and `iter_mut` methods.

- `ConcurrentState::table` is now of type `Mutex<ResourceTable>`; the `Mutex` wrapper is needed to ensure the field is `Sync`, but we never lock it.

Fixes #11190

Signed-off-by: Joel Dice <[email protected]>

* use `u32::MAX` as sentinal rep rather than zero

This helps avoid unnecessarily allocation in `ResourceTable::new`.

Signed-off-by: Joel Dice <[email protected]>

* remove `ConcurrentState::get`

`ConcurrentState::get_mut` is sufficient for all our needs.

Signed-off-by: Joel Dice <[email protected]>

* use `AlwaysMut` instead of `Mutex`

Signed-off-by: Joel Dice <[email protected]>

* toggle `ResourceTable` debugging via `cfg!(debug_assertions)`

This avoids the (slight) runtime overhead of using a `debug: bool` field to
debug tables individually.

Signed-off-by: Joel Dice <[email protected]>

* fix `ResourceTable` test regression

Signed-off-by: Joel Dice <[email protected]>

---------

Signed-off-by: Joel Dice <[email protected]>

show more ...

Split off wasmtime-wasi-io crate from wasmtime-wasi (#10036)

* stub: wasmtime-wasi-io crate

* wasmtime: component::ResourceTableError now impls core::error::Error

for compatibility without std

*

Split off wasmtime-wasi-io crate from wasmtime-wasi (#10036)

* stub: wasmtime-wasi-io crate

* wasmtime: component::ResourceTableError now impls core::error::Error

for compatibility without std

* relocate much of the wasi-io impl into wasmtime-wasi-io

* stump of poll that uses in_tokio

* finish moving instances over to wasmtime_wasi_io

* redirect wasmtime_wasi's bindgen properly over to wasmtime_wasi_io

* wasmtime-wasi-http: point directly at wasmtime_wasi_io in sources

it worked without these changes because all the re-exports are in the
right places, but this is nice to do

* comment work

* fix streams rename, migrate bindings to its own file

* move wasi-io impls into their own mod with appropriate name. check in CI.

* change ResourceTable::iter_entries from taking a HashMap to BTreeMap so it works without std

* crate-level docs for wasmtime-wasi-io

* more docs

* more docs, wasi-io gives an add_to_linker function for async only

* wasi-io: inline view into lib.rs. improve docs.

* more streams vs stream fixes...

* wasi-http stream->streams fixes

* fix adding wasmtime-wasi-io to public crates

* wasmtime-cli: drop overzealous `=` version constraint on wasmtime-wasi-http

wasmtime-wasi-http is part of the public API where we guarantee semver
is obeyed

* fix doctest

* mechanically rename the wasi-io pub traits, and resource types

resource type Pollable -> DynPollable
resource type InputStream -> DynInputStream
resource type OutputStream -> DynOutputStream

trait Subscribe -> Pollable
trait HostInputStream -> InputStream
trait HostOutputStream -> OutputStream

type alias PollableFuture -> DynFuture (little-used)

* delete unused ClosureFuture alias

* doc fixes

* wasmtime-wasi-http: use all of wasmtime-wasi-io through wasmtime-wasi re-exports

* fix nostd build

* missing separator. i love yml

* make wasmtime-wasi-io #![no_std]

show more ...

Enable `impl-trait-overcaptures` 2024 transition lint (#9965)

* Enable `impl-trait-overcaptures` 2024 transition lint

This lint detects cases where returning `impl Trait` will work
differently in 2

Enable `impl-trait-overcaptures` 2024 transition lint (#9965)

* Enable `impl-trait-overcaptures` 2024 transition lint

This lint detects cases where returning `impl Trait` will work
differently in 2024 than in the current 2021 edition. Ambiguities are
resolved with `use<..>` syntax stabilized in Rust 1.82.0 to mean the
same thing in both editions.

* Fix some more `impl Trait` returns

* Tighten bounds on settings `iter`

* Fix build on 1.82.0

* Fix another capture on MSRV

show more ...

Warn against `clippy::cast_possible_truncation` in Wasmtime (#9209)

* Warn against `clippy::cast_possible_truncation` in Wasmtime

This commit explicitly enables the `clippy::cast_possible_truncatio

Warn against `clippy::cast_possible_truncation` in Wasmtime (#9209)

* Warn against `clippy::cast_possible_truncation` in Wasmtime

This commit explicitly enables the `clippy::cast_possible_truncation`
lint in Clippy for just the `wasmtime::runtime` module. This does not
enable it for the entire workspace since it's a very noisy lint and in
general has a low signal value. For the domain that `wasmtime::runtime`
is working in, however, this is a much more useful lint. We in general
want to be very careful about casting between `usize`, `u32`, and `u64`
and the purpose of this module-targeted lint is to help with just that.
I was inspired to do this after reading over #9206 where especially when
refactoring code and changing types I think it would be useful to have
locations flagged as "truncation may happen here" which previously
weren't truncating.

The failure mode for this lint is that panics might be introduced where
truncation is explicitly intended. Most of the time though this isn't
actually desired so the more practical consequence of this lint is to
probably slow down wasmtime ever so slightly and bloat it ever so
slightly by having a few more checks in a few places. This is likely
best addressed in a more comprehensive manner, however, rather than
specifically for just this one case. This problem isn't unique to just
casts, but to many other forms of `.unwrap()` for example.

* Fix some casts in tests

show more ...

Fix some typos (#8641)

* occurred

* winch typos

* tests typos

* cli typos

* fuzz typos

* examples typos

* docs typos

* crates/wasmtime typos

* crates/environ typos

* crates/cranelift typos

Fix some typos (#8641)

* occurred

* winch typos

* tests typos

* cli typos

* fuzz typos

* examples typos

* docs typos

* crates/wasmtime typos

* crates/environ typos

* crates/cranelift typos

* crates/test-programs typos

* crates/c-api typos

* crates/cache typos

* crates other typos

* cranelift/codegen/src/isa typos

* cranelift/codegen/src other typos

* cranelift/codegen other typos

* cranelift other typos

* ci js typo

* .github workflows typo

* RELEASES typo

* Fix clang-format documentation line

---------

Co-authored-by: Andrew Brown <[email protected]>

show more ...

Add support for `#![no_std]` to the `wasmtime` crate (#8533)

* Always fall back to custom platform for Wasmtime

This commit updates Wasmtime's platform support to no longer require an
opt-in `RUSTF

Add support for `#![no_std]` to the `wasmtime` crate (#8533)

* Always fall back to custom platform for Wasmtime

This commit updates Wasmtime's platform support to no longer require an
opt-in `RUSTFLAGS` `--cfg` flag to be specified. With `no_std` becoming
officially supported this should provide a better onboarding experience
where the fallback custom platform is used. This will cause linker
errors if the symbols aren't implemented and searching/googling should
lead back to our docs/repo (eventually, hopefully).

* Change Wasmtime's TLS state to a single pointer

This commit updates the management of TLS to rely on just a single
pointer rather than a pair of a pointer and a `bool`. Additionally
management of the TLS state is pushed into platform-specific modules to
enable different means of managing it, namely the "custom" platform now
has a C function required to implement TLS state for Wasmtime.

* Delay conversion to `Instant` in atomic intrinsics

The `Duration` type is available in `no_std` but the `Instant` type is
not. The intention is to only support the `threads` proposal if `std` is
active but to assist with this split push the `Duration` further into
Wasmtime to avoid using a type that can't be mentioned in `no_std`.

* Gate more parts of Wasmtime on the `profiling` feature

Move `serde_json` to an optional dependency and gate the guest profiler
entirely on the `profiling` feature.

* Refactor conversion to `anyhow::Error` in `wasmtime-environ`

Have a dedicated trait for consuming `self` in addition to a
`Result`-friendly trait.

* Gate `gimli` in Wasmtime on `addr2line`

Cut down the dependency list if `addr2line` isn't enabled since then
the dependency is not used. While here additionally lift the version
requirement for `addr2line` up to the workspace level.

* Update `bindgen!` to have `no_std`-compatible output

Pull most types from Wasmtime's `__internal` module as the source of
truth.

* Use an `Option` for `gc_store` instead of `OnceCell`

No need for synchronization here when mutability is already available in
the necessary contexts.

* Enable embedder-defined host feature detection

* Add `#![no_std]` support to the `wasmtime` crate

This commit enables compiling the `runtime`, `gc`, and `component-model`
features of the `wasmtime` crate on targets that do not have `std`. This
tags the crate as `#![no_std]` and then updates everything internally to
import from `core` or `alloc` and adapt for the various idioms. This
ended up requiring some relatively extensive changes, but nothing too
too bad in the grand scheme of things.

* Require `std` for the perfmap profiling agent

prtest:full

* Fix build on wasm

* Fix windows build

* Remove unused import

* Fix Windows/Unix build without `std` feature

* Fix some doc links

* Remove unused import

* Fix build of wasi-common in isolation

* Fix no_std build on macos

* Re-fix build

* Fix standalone build of wasmtime-cli-flags

* Resolve a merge conflict

* Review comments

* Remove unused import

show more ...

Support compilation-only build by adding a `runtime` feature (#7766)

* Add `runtime` feature to `wasmtime` crate

This feature can be disabled to build `wasmtime` only for compilation.
This can be u

Support compilation-only build by adding a `runtime` feature (#7766)

* Add `runtime` feature to `wasmtime` crate

This feature can be disabled to build `wasmtime` only for compilation.
This can be useful when cross-compiling, especially on a target that
can't run wasmtime itself (e.g. `wasm32`).

* prtest:full

* don't round pages without runtime feature

* fix async assertions

* move profiling into runtime

* enable runtime for wasmtime-wasi

* enable runtime for c-api

* fix build_artifacts in non-cache case

* fix miri extensions

* enable runtime for wast

* enable runtime for explorer

* support cranelift all-arch on wasm32

* add doc links for `WeakEngine`

* simplify lib runtime cfgs

* move limits and resources to runtime

* move stack to runtime

* move coredump and debug to runtime

* add runtime to coredump and async features

* add wasm32 build job

* combine engine modules

* single compile mod

* remove allow for macro paths

* add comments

show more ...