| e126fd1d | 30-Apr-2026 |
Alex Crichton <[email protected]> |
Fix panicking overflow when calculating table sizes (#13244)
Return an error instead of panicking in the same manner that OOM is handled. |
| 39e910be | 09-Apr-2026 |
Alex Crichton <[email protected]> |
[44.0.0] Merged backports for security advisories (#13007)
* fix(environ): repair unsound StringPool::try_clone()
The 43.0 release introduced a soundness bug in StringPool::try_clone(): the cloned map retains &'static str keys pointing into the original pool's strings storage. Once the original Linker is dropped those keys dangle.
Cloning a Linker, then dropping the original one, leaves a linker whose registered imports could no longer be found, causing instantiation to fail with "unknown import".
Signed-off-by: Flavio Castelli <[email protected]>
* Fix pooling allocator predicate to reset VM permissions
This commit fixes a mistake that was introduced in #9583 where the logic to reset a linear memory slot in the pooling allocator used the wrong predicate. Specifically VM permissions must be reset if virtual memory can be relied on at all, and the preexisting predicate of `can_elide_bounds_check` was an inaccurate representation of this. The correct predicate to check is `can_use_virtual_memory`.
* winch: Fix the type of the `table.size` output register
This commit corrects the tagged size of the output of the `table.size` instruction. Previously this was hardcoded as a 32-bit integer instead of consulting the table's index type to use the index-type-sized-register instead.
* winch: Fix a host panic when executing `table.fill`
This commit fixes a possible panic when a Winch-compiled module executes the `table.fill` instruction. Refactoring in #11254 updated Cranelift but forgot to update Winch, meaning that Winch's indices were still using the module-level indices instead of the `DefinedTableIndex` space. This adds some tests and updates Winch's translation to use preexisting helpers.
* x64: Fix `f64x2.splat` without SSE3
Don't sink a load into `pshufd` which loads 16 bytes, instead force `put_in_xmm` to ensure only 8 bytes are loaded.
* Properly verify alignment in string transcoding
This commit updates string transcoding between guest modules to properly verify alignment. Previously alignment was only verified on the first allocation, not reallocations, which is not spec-compliant. This additionally fixes a possible host panic when dealing with unaligned pointers.
* Fix type confusion in AArch64 amode RegScaled folding
* winch: Add add_uextend to perform explicit extension when needed.
This commit fixes an out-of-bounds access caused by the lack of zero extension in the code responsible for calculating the heap address for loads/stores.
This issue manifests in aarch64 (unlike x64) given that no automatic extension is performed, resulting in an out-of-bounds access.
An alternative approach is to emit an extend for the index, however this approach is preferred given that it gives the MacroAssembler layer better control of how to lower addition, e.g., in aarch64 we can inline the desired extension in a single instruction.
* winch: Correctly type the result of table.grow
This commit fixes an out-of-bounds access caused by the lack of type narrowing from the `table.grow` builtin. Without explicit narrowing, the type is treated as 64-bit value, which could cause issues when paired with loads/stores.
* Review comments
* Properly handle table index types
Only narrow when dealing with the 64-bit pointer/32-bit tables
* Fix panic with out-of-bounds flags in `Value`
This commit fixes a panic when a component model `Value` is lifted from a flags value which specifies out-of-bounds bits as 1. This is specified in the component model to ignore the out-of-bounds bits, which `flags!` correctly did (and thus `bindgen!`), but `Value` treated out-of-bounds bits as a panic due to indexing an array.
* Fix bounds checks in FACT's `string_to_compact` method
We need to bounds check the source byte length, not the number of code units.
* Add missing realloc validation in string transcoding
This commit adds a missing validation that a return value of `realloc` is inbounds during string transcoding. This was accidentally missing on the transcoding path from `utf8` to `latin1+utf16` which meant that a nearly-raw pointer could get passed to the host to perform the transcode.
* winch: Refine zero extension heuristic
This commit refines the zero extension heuristic such that it unconditionally emits a zero extension when dealing with 32-bit heaps. This eliminates any ambiguity related to the value of the memory indices across ISAs.
* Fix failure on 32-bit
* Fix miri test
---------
Signed-off-by: Flavio Castelli <[email protected]>
Co-authored-by: Flavio Castelli <[email protected]>
Co-authored-by: Shun Kashiwa <[email protected]>
Co-authored-by: Saúl Cabrera <[email protected]>
Co-authored-by: Nick Fitzgerald <[email protected]>
|
| 122ddc71 | 03-Apr-2026 |
Nick Fitzgerald <[email protected]> |
Handle OOM in `Func::call_async` and fiber creation (#12954)
* Handle OOM in `Func::call_async` and fiber creation
* fix clippy
* fix build
* really fix build
* address review feedback
* fix build
* fix warnings
|
| dad8432d | 02-Apr-2026 |
Nick Fitzgerald <[email protected]> |
Add GC zeal assertions (#12933)
* Add GC zeal assertions
- Poison freed GC objects and new heap memory
- Assert newly-allocated objects are filled with poison pattern
- Add `gc_assert!` checks for valid `VMGcKind` on `GcHeap::index[_mut]`
- Add `gc_assert!` checks for valid `VMGcKind` during tracing
- Add `VMGcKind::try_from_u32()` for fallible kind validation
- Add over-approximated stack roots list integrity checks, called before and after trace and sweep. Validates kind, in-list bit, ref count, and that the list is not cyclic.
- Add assertion that all free blocks of memory contain the poison pattern, before and after trace and sweep
* review feedback
|
| 517c0287 | 01-Apr-2026 |
Alex Crichton <[email protected]> |
Use traps when checking initial table/memory bounds (#12929)
Instead of using a custom error string this enables fuzzing to, for example, see that a `Trap` was returned and consider the fuzz test case a normal failure. These code paths are only executed when `bulk_memory` is disabled which is pretty rare, and also explains why it's come up in fuzzing only just now after #12883.
|
| 4c7c01dc | 01-Apr-2026 |
Chris Fallin <[email protected]> |
Debugging: add debugger support for `wasmtime serve`. (#12859)
This adopts a simple solution to #12776: it takes the "instance reuse" paradigm to the extreme, instantiating exactly one instance and serializing all requests into that one instance. This allows the debugger component to operate on one `Store`, setting breakpoint state and presenting its execution to the attached debugger as a single program execution and minimizing impedance mismatches.
This also adds an integration test that runs an existing wasi-http test component under the debugger.
|
| 8c22e58c | 31-Mar-2026 |
Alex Crichton <[email protected]> |
mpk: Fix index used when purging a module in the pooling allocator (#12910)
This commit fixes an issue with the pooling allocator when MPK is enabled, which is off-by-default at compile time. When a module is dropped all remaining images are purged from the pooling allocator, but the purging logic mistakenly used the wrong kind of index during purging which led to corruption of the pooling allocator itself. This fixes the logic and adds regression tests showcasing the issue as well.
|
| 0afe5fc7 | 30-Mar-2026 |
Alex Crichton <[email protected]> |
Handle more failures deallocating pooled memory (#12888)
* Handle more failures deallocating pooled memory
This commit replaces a few panics in the pooling allocator with error-handling of what happens at runtime. This is a defense-in-depth measure to ensure that the pooling allocator doesn't panic at runtime and instead handles errors where possible.
The first path fixed is in `deallocate_memory` where resetting a slot could result in an error being returned on non-Linux platforms, and if this happened it would cause a panic. The error is instead gracefully handled by continuing slot deallocation but avoiding putting the image itself back into memory. This leaves the slot in an `Unknown` state which is already handled by resetting the state upon reuse. The main consequence here is that future statistics about resident bytes won't be accurate, but these are already inaccurate on non-Linux platforms anyway, so there's no loss.
The second path fixed is in flushing a `DecommitQueue` where `decommit_pages` was asserted to succeed. Instead now the error is handled by dropping all images and leaving slots in an `Unknown` state, similar to `deallocate_memory`.
* Review comments
|
| 958860e8 | 30-Mar-2026 |
Alex Crichton <[email protected]> |
Fix overlap assertions in string transcoding (#12893)
Fixes an off-by-one assertion which can happen when linear memories are directly adjacent to each other. While an esoteric situation, it's technically possible as the added test shows.
Closes #12678
|
| 9c3ed199 | 30-Mar-2026 |
Alex Crichton <[email protected]> |
Fix table64 initialization when bulk memory is disabled (#12894)
* Fix table64 initialization when bulk memory is disabled
This commit fixes a panic in the host during instantiation when the `bulk_memory` wasm feature is disabled. In this mode the initialization of tables/memories is slightly different and a refactoring for 64-bit support wasn't applied to this code path, meaning that it resulted in a panic instead of properly handling 64-bit tables.
* Fix clippy
|
| 439de7fb | 30-Mar-2026 |
Nick Fitzgerald <[email protected]> |
Handle OOM in the rest of Wasmtime's non-component, -async, -compilation APIs (#12858)
* Handle OOM in more places in the public API
A bunch of random places:
* Add: `Trap::try_new` to handle OOM while creating traps
* Use: `TryVec` inside `Func::call_impl_do_call` and `wasm_val_raw_storage` to hold the args and rets
* Add: `Instance::try_exports` for iterating over an instance's exports while handling OOM
* `Linker::try_get`, like `Linker::get` but handling OOM
* `Linker::try_get_by_import`, like `Linker::get_by_import` but handling OOM
* Use `try_new` to box things in `SharedMemory::new`
* Use `TryVec` instead of `Vec` in our dynamic tables
* Add OOM tests for most of Wasmtime's public API
Excludes component-, async-, and compilation-related APIs.
* address review feedback
* fix test compilation
* fix c-api
|
| 2283e84f | 30-Mar-2026 |
Alex Crichton <[email protected]> |
Fix a panic with a massive `max_wasm_stack` configured (#12869)
* Fix a panic with a massive `max_wasm_stack` configured
This commit fixes a panic through a `checked_add(...).unwrap()` which can happen when `Config::max_wasm_stack` is configured to be a very large value. This is a mostly benign panic as it's unlikely this is configured much in the wild, but nevertheless seems like a good issue to fix regardless.
* Fix an overflow/OOM panic in pulley
prtest:full
* Fix CI
* Another CI fix
* Fix test on 32-bit
* Fix miri test
|
| 9bc302ad | 30-Mar-2026 |
Alex Crichton <[email protected]> |
Reduce type complexity of `InstanceAllocator` async functions (#12887)
This is a follow-on to #12849 to try to simplify some of the resulting signatures a bit. Notably the `Result<..., OutOfMemory>` is now packaged up directly into the output future, so the functions still retain a sort of "async trait" feel even though they're still incompatible with `#[async_trait]` (and can't be defined with that anyway).
|
| b860c2c6 | 30-Mar-2026 |
Alex Crichton <[email protected]> |
Adjust behavior of 4gb memories with custom page sizes (#12884)
* Adjust behavior of 4gb memories with custom page sizes
This commit adjusts what happens when a linear memory grows up to 4gb large when custom page sizes are used. This is an open question in the upstream proposal at WebAssembly/custom-page-sizes#45, but without any special handling a return value of -1 is ambiguous as to whether it succeeded or failed. For now eagerly trap memory operations reaching these conditions while the upstream specification question is resolved.
* Fix CI
* Debug CI failure
prtest:full
* Fix 32-bit platforms
|
| 9661ca85 | 30-Mar-2026 |
Alex Crichton <[email protected]> |
Remove some more panics in `concurrent.rs` (#12874)
Downgrade some panics to `bail_bug!` or `?` where appropriate by propagating `Result<T>` in a few more locations. |
| d2dee5dd | 27-Mar-2026 |
Nick Fitzgerald <[email protected]> |
Handle OOM in `{Func,Memory,Table,Global}::new` and when calling an instance's exported function (#12855)
* Use `try_new` for `Box<dyn RuntimeLinearMemory>` in `DefaultMemoryCreator`
* Use `TryPrimaryMap` for `host_globals` in `Store`
* Add `Func::try_wrap` and use `try_new` for `Box<HostFunc>`
Add `Func::try_wrap` as a fallible version of `Func::wrap` that returns an error on out-of-memory instead of panicking. `Func::wrap` now delegates to `try_wrap`.
Also use `try_new::<Box<_>>` instead of `Box::new` for `HostFunc`.
* Use `bumpalo`'s `try_alloc` for `FuncRefs`
* Use `try_new` for `Arc<Module>` in "trampoline" code
* Test that we handle OOM in `{Func,Memory,Table,Global}::new` and when calling an instance's exported function
* cargo fmt
|
| cda1136c | 27-Mar-2026 |
Nick Fitzgerald <[email protected]> |
Return `OutOfMemory` from `alloc_dynamic_table_elements` on failure (#12852)
This is more correct and also `ensure!` will attempt to allocate, which trips up the OOM test framework. |
| 4bb429aa | 26-Mar-2026 |
Nick Fitzgerald <[email protected]> |
Use `try_new` for `Arc` in `MmapMemory::new` (#12851) |
| 58722d93 | 26-Mar-2026 |
Nick Fitzgerald <[email protected]> |
Use `TryPrimaryMap` in `ModuleMemoryImages` (#12850)
* Use `TryPrimaryMap` in `ModuleMemoryImages`
Also use `try_new::<Arc<_>>` instead of `Arc::new` for the memory image allocations.
* cargo fmt |
| 82ebbd5d | 26-Mar-2026 |
Nick Fitzgerald <[email protected]> |
Use explicit boxing for InstanceAllocator async methods (#12849)
Change `allocate_memory` and `allocate_table` in the `InstanceAllocator` trait from `async fn`s to regular `fn`s that return `Result<Pin<Box<dyn Future<...>>>, OutOfMemory>`.
This avoids the implicit `Box::new` allocation that `#[async_trait]` generates when calling these methods through `dyn InstanceAllocator`, which would panic on OOM instead of returning an error. Now the boxing is done explicitly via `try_new::<Box<_>>` which returns `Err(OutOfMemory)` on allocation failure.
|
| 9c44a9b4 | 26-Mar-2026 |
Nick Fitzgerald <[email protected]> |
Use `TryPrimaryMap` in `Instance` (#12848) |
| 2811ee83 | 24-Mar-2026 |
Mikhail Katychev <[email protected]> |
feat(style,doc): added typos-cli workspace configuration (#12827)
* init config values
* more manual changes
* typos write
* revert certain changes
* misused, tightened up hex encoding |
| ab78bd82 | 22-Mar-2026 |
Ho Kim <[email protected]> |
fix: correct various typos (#12807)
Signed-off-by: Ho Kim <[email protected]> |
| 3b3f1e75 | 22-Mar-2026 |
yuri@FreeBSD <[email protected]> |
Fix build on FreeBSD/aarch64 (#12820) |
| cf138985 | 13-Mar-2026 |
Paul Osborne <[email protected]> |
Include core instance sizes in component_instance_size limit (#12772)
* Include core instance sizes in component_instance_size limit
There exist several knobs for limiting the memory that might be consumed for metadata for components. For core module instances within a component, the two that previously existed to control metadata allocations have been:
- A: max_core_instances_per_component
- B: component_instance_size
These allow for an embedder to set an upper bound on memory used by a component's instances to A * B. This value could be quite large for some systems and it would be nice to be able to set a cap on the total memory that might be used for metadata across all instances while still allowing for a greater number of instances with the potential for a subset of those instances to be relatively large.
To allow for aggregate control over memory used within the runtime for components, the existing `max_component_instance_size` limit is extended to consider both the `VMComponentCtx` size as well as the aggregate size of all core instances in the component.
* Fix err msg checks for component_instance_size_limit test
* Miri ignore component_core_instances_aggregate_size
|