| e126fd1d | 30-Apr-2026 | Alex Crichton <[email protected]> |
Fix panicking overflow when calculating table sizes (#13244)
Return an error instead of panicking in the same manner that OOM is handled.
| 39e910be | 09-Apr-2026 | Alex Crichton <[email protected]> |
[44.0.0] Merged backports for security advisories (#13007)
* fix(environ): repair unsound StringPool::try_clone()
The 43.0 release introduced a soundness bug in StringPool::try_clone(): the cloned map retains &'static str keys pointing into the original pool's strings storage. Once the original Linker is dropped those keys dangle.
Cloning a Linker, then dropping the original one, leaves a linker whose registered imports could no longer be found, causing instantiation to fail with "unknown import".
Signed-off-by: Flavio Castelli <[email protected]>
* Fix pooling allocator predicate to reset VM permissions
This commit fixes a mistake that was introduced in #9583 where the logic to reset a linear memory slot in the pooling allocator used the wrong predicate. Specifically VM permissions must be reset if virtual memory can be relied on at all, and the preexisting predicate of `can_elide_bounds_check` was an inaccurate representation of this. The correct predicate to check is `can_use_virtual_memory`.
* winch: Fix the type of the `table.size` output register
This commit corrects the tagged size of the output of the `table.size` instruction. Previously this was hardcoded as a 32-bit integer instead of consulting the table's index type to use the index-type-sized-register instead.
* winch: Fix a host panic when executing `table.fill`
This commit fixes a possible panic when a Winch-compiled module executes the `table.fill` instruction. Refactoring in #11254 updated Cranelift but forgot to update Winch meaning that Winch's indices were still using the module-level indices instead of the `DefinedTableIndex` space. This adds some tests and updates Winch's translation to use preexisting helpers.
* x64: Fix `f64x2.splat` without SSE3
Don't sink a load into `pshufd` which loads 16 bytes, instead force `put_in_xmm` to ensure only 8 bytes are loaded.
* Properly verify alignment in string transcoding
This commit updates string transcoding between guest modules to properly verify alignment. Previously alignment was only verified on the first allocation, not reallocations, which is not spec-compliant. This additionally fixes a possible host panic when dealing with unaligned pointers.
* Fix type confusion in AArch64 amode RegScaled folding
* winch: Add add_uextend to perform explicit extension when needed.
This commit fixes an out-of-bounds access caused by the lack of zero extension in the code responsible for calculating the heap address for loads/stores.
This issue manifests in aarch64 (unlike x64) given that no automatic extension is performed, resulting in an out-of-bounds access.
An alternative approach is to emit an extend for the index, however this approach is preferred given that it gives the MacroAssembler layer better control of how to lower addition, e.g., in aarch64 we can inline the desired extension in a single instruction.
* winch: Correctly type the result of table.grow
This commit fixes an out-of-bounds access caused by the lack of type narrowing from the `table.grow` builtin. Without explicit narrowing, the type is treated as 64-bit value, which could cause issues when paired with loads/stores.
* Review comments
* Properly handle table index types
Only narrow when dealing with the 64-bit pointer/32-bit tables
* Fix panic with out-of-bounds flags in `Value`
This commit fixes a panic when a component model `Value` is lifted from a flags value which specifies out-of-bounds bits as 1. This is specified in the component model to ignore the out-of-bounds bits, which `flags!` correctly did (and thus `bindgen!`), but `Value` treated out-of-bounds bits as a panic due to indexing an array.
* Fix bounds checks in FACT's `string_to_compact` method
We need to bounds check the source byte length, not the number of code units.
* Add missing realloc validation in string transcoding
This commit adds a missing validation that a return value of `realloc` is inbounds during string transcoding. This was accidentally missing on the transcoding path from `utf8` to `latin1+utf16` which meant that a nearly-raw pointer could get passed to the host to perform the transcode.
* winch: Refine zero extension heuristic
This commit refines the zero extension heuristic such that it unconditionally emits a zero extension when dealing with 32-bit heaps. This eliminates any ambiguity related to the value of the memory indices across ISAs.
* Fix failure on 32-bit
* Fix miri test
---------
Signed-off-by: Flavio Castelli <[email protected]>
Co-authored-by: Flavio Castelli <[email protected]>
Co-authored-by: Shun Kashiwa <[email protected]>
Co-authored-by: Saúl Cabrera <[email protected]>
Co-authored-by: Nick Fitzgerald <[email protected]>
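Added example, not Wasmtime's `Value` code, for the flags bug in the backport above: lifting a component-model `flags` value from its integer representation. The buggy form indexes the name table for every set bit, so a bit at or beyond the flag count panics; the fixed form masks to the defined bits first, which is what the component model says to do with out-of-bounds bits. The helper also handles the `n == 32` mask without a shift overflow. Function names are hypothetical.

```rust
// Added example (not Wasmtime code). Flag names are assumed to number at
// most 32 so that the representation fits a u32.

/// Mask covering exactly the `n` low bits, for 0 <= n <= 32.
/// `1u32 << 32` would overflow, so the mask is built by shifting right.
pub fn valid_mask(n: u32) -> u32 {
    if n == 0 {
        0
    } else {
        u32::MAX >> (32 - n)
    }
}

/// Fixed lifting: bits outside the defined flags are ignored.
pub fn lift_flags<'a>(names: &[&'a str], bits: u32) -> Vec<&'a str> {
    assert!(names.len() <= 32, "this example models u32-sized flags only");
    let bits = bits & valid_mask(names.len() as u32);
    (0u32..32)
        .filter(|i| bits & (1 << i) != 0)
        .map(|i| names[i as usize])
        .collect()
}

/// Buggy lifting: indexes `names` with the raw bit position, so an
/// out-of-bounds bit set to 1 turns into an array-index panic on the host.
pub fn lift_flags_buggy<'a>(names: &[&'a str], bits: u32) -> Vec<&'a str> {
    (0u32..32)
        .filter(|i| bits & (1 << i) != 0)
        .map(|i| names[i as usize])
        .collect()
}

fn main() {
    let names = ["read", "write"];
    println!("{:?}", lift_flags(&names, 0b101)); // bit 2 is out of bounds and dropped
}
```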
| 071c4061 | 02-Apr-2026 | r-near <[email protected]> |
winch: implement ref.null, ref.is_null, ref.func, and typed select (#12940)
* winch: implement ref.null, ref.is_null, ref.func, and typed select
* add disas tests and ref.func call_indirect coverage
* register wasmtime module in fuzz wast_test to fix wast_smoke_test
| e5b127cc | 02-Apr-2026 | Nick Fitzgerald <[email protected]> |
Add missing stack map declaration for `array.new_elem` (#12936)
`translate_array_new_elem` created a GC reference (array ref) via a libcall but did not call `builder.declare_value_needs_stack_map()` on the result. This meant the reference was not included in stack maps at subsequent safepoints, so if a GC occurred, the reference became stale (leading to use-after-free within the GC heap sandbox).
| 0d66dffd | 02-Apr-2026 | Nick Fitzgerald <[email protected]> |
Add missing stack map declaration for `array.new_data` (#12935)
`translate_array_new_data` created a GC reference (array ref) via a libcall but did not call `builder.declare_value_needs_stack_map()` on the result. This meant that the reference was not included in stack maps at subsequent safepoints, so if a GC occurred, the reference became stale (leading to use-after-free bugs inside the GC heap sandbox).
| 763622c3 | 01-Apr-2026 | Nick Fitzgerald <[email protected]> |
Preserve `try_call[_indirect]` stack maps during lowering (#12934)
* Preserve `try_call[_indirect]` stack maps during lowering
Branch instructions are skipped in the main lowering loop, which means the stack map forwarding code is never reached for them. The branch lowering path didn't forward stack maps either. This was fine because branch instructions couldn't previously ever be safepoints. However, with the introduction of `try_call` and `try_call_indirect`, we now have instructions that are both safepoints and branches.
This caused GC references live across `try_call[_indirect]` instructions to not be traced during garbage collection, leading to use-after-free within the GC heap sandbox when the collector swept those untraced-but-still-live objects.
The fix adds stack map forwarding after branch lowering, mirroring the existing logic for non-branch instructions.
Fixes bytecodealliance/wasmtime#11753.
* update disas test
| bac0e78f | 01-Apr-2026 | Alex Crichton <[email protected]> |
aarch64: Disable csdb emission by default (#12932)
* aarch64: Disable csdb emission by default
This has a massive performance penalty on macOS, for example, and peer compilers are not emitting this as part of on-by-default mitigations. This commit preserves the option to emit it with an aarch64-specific `use_csdb` flag, but the default is now `false` meaning that this is not emitted by default.
Closes #12789
* Fix tests
* Fix tests & review comments
* Use ISLE rule introduced
| b7c30d11 | 01-Apr-2026 | Nick Fitzgerald <[email protected]> |
Add "GC Zeal" infrastructure for additional, aggressive GC assertions (#12921)
* Add "GC Zeal" infrastructure for additional, aggressive GC assertions
This initial commit just sets up the initial GC Zeal infrastructure, it doesn't actually start using it anywhere yet.
* Adds support for `cfg(gc_zeal)` to `crates/wasmtime/build.rs` and `crates/cranelift/build.rs`
* Defines `gc_assert!` macro
* Defines `wasmtime_environ::gc::POISON` constant for GC heap poisoning
* Adds debug assert that `POISON` doesn't overlap any valid `VMGcKind` discriminant
* Adds CI job to run GC-related tests with `cfg(gc_zeal)`
* Review feedback
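Added example, not Wasmtime's GC: a toy mark-sweep heap that shows the failure mode behind the three stack-map commits above (`array.new_elem`, `array.new_data`, `try_call[_indirect]`) and the purpose of the `POISON` constant from the GC Zeal commit. A reference produced by a libcall must be declared live (here: pushed onto a root set that stands in for the stack map) before the next safepoint, otherwise the collector sweeps it and the reference goes stale; poisoning swept slots turns the stale read into a detectable failure rather than silently returning another object's data. All names (`Heap`, `GcRef`, `array_new_*`) are hypothetical.

```rust
// Added example (not Wasmtime code): toy GC heap with explicit roots and
// poisoning of freed slots.
use std::collections::HashSet;

/// Value written into a freed slot. Chosen so it cannot collide with live
/// object data (payloads below are small array lengths), mirroring the
/// requirement that POISON not overlap a valid object kind.
pub const POISON: u64 = 0xdead_beef_dead_beef;

/// A reference into the heap: just a slot index.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct GcRef(usize);

pub struct Heap {
    /// Each object is a payload (array length) plus the refs it points to.
    slots: Vec<(u64, Vec<GcRef>)>,
    /// The "stack map": refs that must survive the next collection.
    roots: Vec<GcRef>,
}

impl Heap {
    pub fn new() -> Self {
        Heap { slots: Vec::new(), roots: Vec::new() }
    }

    fn alloc(&mut self, payload: u64, children: Vec<GcRef>) -> GcRef {
        // Reuse a freed (poisoned) slot first, as a real allocator would;
        // this is what makes a stale ref alias a different object later.
        if let Some(i) = self.slots.iter().position(|(p, _)| *p == POISON) {
            self.slots[i] = (payload, children);
            return GcRef(i);
        }
        self.slots.push((payload, children));
        GcRef(self.slots.len() - 1)
    }

    /// The buggy libcall: returns a fresh ref without declaring it live,
    /// so the next safepoint does not see it.
    pub fn array_new_unrooted(&mut self, len: u64) -> GcRef {
        self.alloc(len, Vec::new())
    }

    /// The fixed libcall: the result is declared live (rooted).
    pub fn array_new_rooted(&mut self, len: u64) -> GcRef {
        let r = self.alloc(len, Vec::new());
        self.roots.push(r);
        r
    }

    /// Safepoint: mark from the roots, sweep and poison everything else.
    /// Returns the number of slots freed.
    pub fn collect(&mut self) -> usize {
        let mut live = HashSet::new();
        let mut stack = self.roots.clone();
        while let Some(r) = stack.pop() {
            if live.insert(r) {
                stack.extend(self.slots[r.0].1.iter().copied());
            }
        }
        let mut freed = 0;
        for (i, slot) in self.slots.iter_mut().enumerate() {
            if !live.contains(&GcRef(i)) && slot.0 != POISON {
                *slot = (POISON, Vec::new());
                freed += 1;
            }
        }
        freed
    }

    /// Read through a ref. A `gc_assert!`-style check: a poisoned slot
    /// means the ref is stale, so return `None` instead of garbage.
    pub fn array_len(&self, r: GcRef) -> Option<u64> {
        let payload = self.slots[r.0].0;
        if payload == POISON { None } else { Some(payload) }
    }
}

fn main() {
    let mut h = Heap::new();
    let a = h.array_new_unrooted(3);
    h.collect();
    println!("stale ref reads as {:?}", h.array_len(a)); // None: caught by poison
}
```

The last assertion in the test below is the use-after-free shape: once the poisoned slot is reused, the stale reference silently aliases the new object, which is exactly what the poison check can no longer detect and why the reference must be in the stack map in the first place.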
| 35fcf782 | 01-Apr-2026 | Alex Crichton <[email protected]> |
winch: Fix spectre-related table indexing comparison size (#12930)
This commit fixes a minor issue in the Winch backend when loading a value from a table when spectre mitigations are enabled. In this situation an extra comparison and conditional move is executed after the original bounds check and load to specifically handle the speculation case and ensure that out-of-bounds values can't be speculated on. The comparison performed on this path, however, was an incorrect one where it unconditionally used a 32-bit comparison. The comparison instead needs to use `bound_size` to handle platform/table differences. This matches the actual bounds check, for example, which occurs prior to the spectre-related mitigation.
| 4c7c01dc | 01-Apr-2026 | Chris Fallin <[email protected]> |
Debugging: add debugger support for `wasmtime serve`. (#12859)
This adopts a simple solution to #12776: it takes the "instance reuse" paradigm to the extreme, instantiating exactly one instance and serializing all requests into that one instance. This allows the debugger component to operate on one `Store`, setting breakpoint state and presenting its execution to the attached debugger as a single program execution and minimizing impedance mismatches.
This also adds an integration test that runs an existing wasi-http test component under the debugger.
| 8c22e58c | 31-Mar-2026 | Alex Crichton <[email protected]> |
mpk: Fix index used when purging a module in the pooling allocator (#12910)
This commit fixes an issue with the pooling allocator when MPK is enabled, which is off-by-default at compile time. When a module is dropped all remaining images are purged from the pooling allocator, but the purging logic mistakenly used the wrong kind of index during purging which led to corruption of the pooling allocator itself. This fixes the logic and adds regression tests showcasing the issue as well.
| c2e71eb1 | 31-Mar-2026 | Alex Crichton <[email protected]> |
winch: Fix `memory.atomic.*` with overflowing offsets (#12909)
* winch: Fix `memory.atomic.*` with overflowing offsets
This commit fixes a spec-compliance issue with `memory.atomic.*` instructions using the Winch compiler. Specifically Winch previously added the dynamic offset to the static offset when calculating the effective address of the operation, but this addition was allowed to overflow. This meant that an operation which should trap would continue instead. The fix here is to use checked arithmetic at runtime to ensure that the address computation does not overflow.
* Update test expectations
| 9500c417 | 31-Mar-2026 | Chris Fallin <[email protected]> |
Several fixes to debugging infrastructure: component vs. module PCs and gdbstub wasm module names. (#12901)
* Debugging: fix module-relative vs component-relative PCs and unique library names.
Two bugfixes for guest debugging with components:
1. Convert component-relative source locations to module-relative PCs in the frame table. The guest-debug API presents a core-Wasm view where components are deconstructed into individual modules, so all PCs must be module-relative. This adds a `wasm_module_offset` field to `ModuleTranslation` and `FuncEnvironment`, set during component translation, and subtracts it in `debug_tags()`.
2. Give unique names to "library" entries in the gdbstub XML response. LLDB's DynamicLoader deduplicates by name, so using "wasm" for all modules caused only the first to be loaded.
* Debugging: add ModulePC and ComponentPC newtypes for Wasm PC offsets.
Introduce `ModulePC` (module-relative) and `ComponentPC` (component-relative) newtype wrappers around u32 Wasm bytecode offsets. These replace raw u32 values throughout the frame table, breakpoint, and debug systems to prevent confusion between the two offset spaces.
* Debugging: add regression test for component module-relative PCs.
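Added example, not Wasmtime's `wasmtime_environ` types: newtype indices for two of the index-space pairs that commits on this page confuse. The Winch `table.fill` panic in the backport came from using a module-level table index where a `DefinedTableIndex` was required; the `ModulePC`/`ComponentPC` commit above addresses the same class of mistake for bytecode offsets. With distinct newtypes the compiler rejects the mix-up, and the conversions return `None` instead of indexing out of range. `ModuleInfo` and `table_fill` are hypothetical stand-ins.

```rust
// Added example (not Wasmtime code): index-space newtypes and checked
// conversions between them.

/// Module-level table index: imported tables first, then defined ones.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct TableIndex(pub u32);
/// Index into the tables this module itself defines.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct DefinedTableIndex(pub u32);

/// Bytecode offset relative to the start of the component binary.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct ComponentPC(pub u32);
/// Bytecode offset relative to the start of the embedded core module.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct ModulePC(pub u32);

pub struct ModuleInfo {
    pub num_imported_tables: u32,
    pub num_defined_tables: u32,
    /// Where the core module's bytes start inside the component.
    pub wasm_module_offset: u32,
    pub module_len: u32,
}

impl ModuleInfo {
    /// Module-level -> defined. `None` for an imported table, which has no
    /// slot in the defined-table array (indexing it anyway is the panic).
    pub fn defined_table_index(&self, idx: TableIndex) -> Option<DefinedTableIndex> {
        let d = idx.0.checked_sub(self.num_imported_tables)?;
        (d < self.num_defined_tables).then_some(DefinedTableIndex(d))
    }

    /// Defined -> module-level: add the imported tables back.
    pub fn table_index(&self, idx: DefinedTableIndex) -> TableIndex {
        TableIndex(self.num_imported_tables + idx.0)
    }

    /// Component-relative -> module-relative PC. `None` when the PC does
    /// not fall inside this module's bytes at all.
    pub fn module_pc(&self, pc: ComponentPC) -> Option<ModulePC> {
        let rel = pc.0.checked_sub(self.wasm_module_offset)?;
        (rel < self.module_len).then_some(ModulePC(rel))
    }
}

/// Stand-in for a `table.fill` lowering. `tables` holds only this module's
/// own (defined) tables, so it can only be reached through a
/// `DefinedTableIndex`; a raw module-level index is converted first, and
/// an imported table is reported rather than silently mis-indexed.
pub fn table_fill(
    tables: &mut [Vec<u32>],
    info: &ModuleInfo,
    table: TableIndex,
    dst: u32,
    val: u32,
    n: u32,
) -> Result<(), &'static str> {
    let def = info
        .defined_table_index(table)
        .ok_or("not a defined table of this module")?;
    let t = tables.get_mut(def.0 as usize).ok_or("table index out of range")?;
    let end = (dst as usize).checked_add(n as usize).ok_or("overflow")?;
    if end > t.len() {
        return Err("out of bounds table access");
    }
    t[dst as usize..end].fill(val);
    Ok(())
}

fn main() {
    let info = ModuleInfo { num_imported_tables: 1, num_defined_tables: 2, wasm_module_offset: 0x100, module_len: 0x50 };
    println!("{:?}", info.defined_table_index(TableIndex(1)));
    println!("{:?}", info.module_pc(ComponentPC(0x120)));
}
```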
| 33e8b3d9 | 31-Mar-2026 | Alex Crichton <[email protected]> |
aarch64: Fix miscompile lowering the `extr` instruction (#12907)
This commit fixes a miscompile in the lowering of the `extr` instruction for the aarch64 backend where one of the shift operands is 0. In this edge case the generated `extr` instruction did not match the input CLIF semantics, calculating a different value. The fix here is to only use the `extr` instruction when both immediates are larger than 0.
| fe5ea397 | 31-Mar-2026 | Alex Crichton <[email protected]> |
winch: Fix `memory.size` on maximally-sized 32-bit memories (#12908)
* winch: Fix `memory.size` on maximally-sized 32-bit memories
This commit fixes a minor issue in the Winch backend where when a 32-bit linear memory had the full 4GiB size the `memory.size` instruction would return 0 instead of returning `0x1_0000`. This is due to the shift to create the number of pages being done with the index type of the linear memory instead of the pointer size of the machine.
* Update test expectations
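Added example, not Wasmtime or Winch code, modelling the 32-bit address and size computations behind several commits on this page: the `memory.atomic.*` effective-address overflow, the `memory.size` result for a 4 GiB memory, the spectre comparison that must be done at `bound_size` rather than 32 bits, and the table-size overflow that is now an error instead of a panic. `Memory32`, `Trap` and `table_byte_size` are hypothetical names; the wrapping variants sit beside the checked ones so the failure mode is visible on realistic inputs.

```rust
// Added example (not Wasmtime code): checked vs. wrapping address and size
// arithmetic for a 32-bit linear memory.

const PAGE_SIZE: u64 = 0x1_0000;

#[derive(Debug, PartialEq)]
pub enum Trap {
    OutOfBounds,
    Unaligned,
}

/// A 32-bit linear memory whose byte length is tracked at pointer width
/// (u64 here) so that the maximal 4 GiB size is representable.
pub struct Memory32 {
    pub byte_len: u64,
}

impl Memory32 {
    /// `memory.size` computed at pointer width: 4 GiB -> 0x1_0000 pages.
    pub fn size_pages(&self) -> u64 {
        self.byte_len / PAGE_SIZE
    }

    /// The pre-fix shape: shifting in the memory's 32-bit index type
    /// truncates 0x1_0000_0000 to 0 first, so a full memory reports 0 pages.
    pub fn size_pages_index_width(&self) -> u32 {
        (self.byte_len as u32) >> 16
    }

    /// Effective address of an `access_size`-byte access at `base + offset`.
    /// The static/dynamic offset add must not wrap, the bounds comparison is
    /// done at u64 width (the `bound_size` point), and an atomic access must
    /// be naturally aligned.
    pub fn effective_addr(&self, base: u32, offset: u32, access_size: u32, atomic: bool) -> Result<u64, Trap> {
        let addr = base.checked_add(offset).ok_or(Trap::OutOfBounds)? as u64;
        let end = addr + access_size as u64; // both < 2^32, cannot overflow u64
        if end > self.byte_len {
            return Err(Trap::OutOfBounds);
        }
        if atomic && addr % access_size as u64 != 0 {
            return Err(Trap::Unaligned);
        }
        Ok(addr)
    }

    /// The pre-fix shape: the add wraps, so an access that must trap lands
    /// on a small, in-bounds address and proceeds.
    pub fn effective_addr_wrapping(&self, base: u32, offset: u32, access_size: u32) -> Result<u64, Trap> {
        let addr = base.wrapping_add(offset) as u64;
        if addr + access_size as u64 > self.byte_len {
            return Err(Trap::OutOfBounds);
        }
        Ok(addr)
    }
}

/// Table byte size (elements * element size) reported as an error on
/// overflow rather than a host panic, the same way OOM is surfaced.
pub fn table_byte_size(elements: u64, elem_size: usize) -> Result<usize, &'static str> {
    let elems = usize::try_from(elements).map_err(|_| "table too large for this host")?;
    elems.checked_mul(elem_size).ok_or("table byte size overflows usize")
}

fn main() {
    let mem = Memory32 { byte_len: 1 << 32 };
    println!("pages (pointer width): {:#x}", mem.size_pages());
    println!("pages (index width):   {:#x}", mem.size_pages_index_width());
    println!("checked:  {:?}", mem.effective_addr(0xffff_fff0, 0x20, 4, true));
    println!("wrapping: {:?}", mem.effective_addr_wrapping(0xffff_fff0, 0x20, 4));
}
```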
| 2f7dbd61 | 31-Mar-2026 | Chris Fallin <[email protected]> |
PCC: remove proof-carrying code (for now?). (#12800)
In late 2023, we built out an experimental feature called Proof-Carrying Code (PCC), where we attached "facts" to values in the CLIF IR and built verification of these facts after lowering to machine instructions. We also added "memory types" describing layout of memory and a "checked" flag on memory operations such that we could verify that any checked memory operation accessed valid memory (as defined by memory types attached to pointer values via facts). Wasmtime's Cranelift backend then put appropriate memory types and facts in its IR such that all accesses to memory (aspirationally) could be checked, taking the whole mid-end and lowering backend of Cranelift out of the trusted core that enforces SFI.
This basically worked, at the time, for static memories; but never for dynamic memories, and then work on the feature lost prioritization (aka I had to work on other things) and I wasn't able to complete it and put it in fuzzing/enable it as a production option.
Unfortunately since then it has bit-rotted significantly -- as we add new backend optimizations and instruction lowerings we haven't kept the PCC framework up to date.
Inspired by the discussion in #12497 I think it's time to delete it (hopefully just "for now"?) unless/until we can build it again. And when we do that, we should probably get it to the point of validating robust operation on all combinations of memory configurations before merging. (That implies a big experiment branch rather than a bunch of eager PRs in-tree, but so it goes.) I still believe it is possible to build this (and I have ideas on how to do it!) but not right now.
| 83909b0b | 31-Mar-2026 | Alex Crichton <[email protected]> |
Verify alignment of returned component-model strings (#12897)
* Verify alignment of returned component-model strings
The lifting code erroneously forgot to check for this. There's no actual consequence to this in Wasmtime per-se, but it's required in the component model spec to trap, so a trap is added here.
* Fix tests
* Optimize alignment check
* Fix build
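Added example, not Wasmtime's FACT or transcoding code, covering the string-validation points raised by the commit above and by the backport bundle earlier on this page: the returned pointer must be aligned to the encoding's code unit (and that check applies after every `realloc`, not only the first allocation), the bounds check must be on the byte length rather than on the number of code units, and whatever pointer the guest's `realloc` hands back must be validated like any other guest pointer before the host writes through it. `Encoding`, `Trap` and `realloc_destination` are hypothetical names; the `realloc` callback follows the canonical ABI shape `(old_ptr, old_size, align, new_size) -> ptr`.

```rust
// Added example (not Wasmtime code): validating a (ptr, len) string region
// in a 32-bit guest memory before the host touches it.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Encoding {
    Utf8,
    Utf16,
    Latin1,
}

impl Encoding {
    /// Bytes per code unit; the canonical ABI `len` counts code units.
    fn unit_size(self) -> u32 {
        match self {
            Encoding::Utf8 | Encoding::Latin1 => 1,
            Encoding::Utf16 => 2,
        }
    }
}

#[derive(Debug, PartialEq)]
pub enum Trap {
    Unaligned,
    OutOfBounds,
    LengthOverflow,
}

/// Validated byte range `[ptr, ptr + len * unit)` of a string in a memory
/// of `mem_len` bytes.
pub fn validate_string_region(
    ptr: u32,
    len: u32,
    enc: Encoding,
    mem_len: u64,
) -> Result<std::ops::Range<u64>, Trap> {
    // Alignment is that of the code unit (2 for utf16). The spec requires a
    // trap here even though a misaligned pointer is harmless to the host.
    if ptr % enc.unit_size() != 0 {
        return Err(Trap::Unaligned);
    }
    // Bounds are checked on bytes, not code units: a utf16 string of `len`
    // units occupies `2 * len` bytes.
    let bytes = len.checked_mul(enc.unit_size()).ok_or(Trap::LengthOverflow)?;
    let start = ptr as u64;
    let end = start + bytes as u64; // both < 2^32, cannot overflow u64
    if end > mem_len {
        return Err(Trap::OutOfBounds);
    }
    Ok(start..end)
}

/// The mistake the `string_to_compact` fix corrects: checking the code-unit
/// count lets a utf16 string whose byte length runs past memory pass.
pub fn validate_code_units_only(ptr: u32, len: u32, mem_len: u64) -> Result<(), Trap> {
    if ptr as u64 + len as u64 > mem_len {
        Err(Trap::OutOfBounds)
    } else {
        Ok(())
    }
}

/// Grow the destination buffer through the guest's `realloc` and validate
/// what comes back before it is used as a transcode destination. A guest
/// returning an out-of-bounds or misaligned pointer traps here instead of
/// reaching the host transcoder with a nearly raw pointer.
pub fn realloc_destination(
    realloc: &mut dyn FnMut(u32, u32, u32, u32) -> u32,
    old_ptr: u32,
    old_len: u32,
    new_len: u32,
    enc: Encoding,
    mem_len: u64,
) -> Result<std::ops::Range<u64>, Trap> {
    let unit = enc.unit_size();
    let old_bytes = old_len.checked_mul(unit).ok_or(Trap::LengthOverflow)?;
    let new_bytes = new_len.checked_mul(unit).ok_or(Trap::LengthOverflow)?;
    let new_ptr = realloc(old_ptr, old_bytes, unit, new_bytes);
    validate_string_region(new_ptr, new_len, enc, mem_len)
}

fn main() {
    let mem = 0x1_0000u64; // constructed 64 KiB memory
    println!("{:?}", validate_string_region(0xfff0, 9, Encoding::Utf16, mem));
    println!("{:?}", validate_code_units_only(0xfff0, 9, mem));
}
```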
| 8268b1d4 | 30-Mar-2026 | Saúl Cabrera <[email protected]> |
winch(aarch64): Improve addressing modes (#12708)
Prior to this commit, Winch's `Address` representation relied on the general `(reg, offset)` form for offset-based addressing, leaving the materialization of the addressing mode to Cranelift. This approach led to the following bug found by the fuzzer:
When offsets cannot be encoded as a 9-bit signed immediate offset or a 12-bit unsigned immediate offset with scaling, the offset must be loaded into a register and the addressing mode is transformed to its `(reg, reg)` form. Cranelift's addressing mode materialization currently uses `x16` as a scratch register to load the offset; even though both Cranelift and Winch use `x16` as a scratch register, its usage is not in sync, therefore clobbers can happen.
This commit improves addressing modes by requiring early materialization of addressing modes into their respective Cranelift variants.
| 958860e8 | 30-Mar-2026 | Alex Crichton <[email protected]> |
Fix overlap assertions in string transcoding (#12893)
Fixes an off-by-one assertion which is possible to happen when linear memories are directly adjacent to each other. While an esoteric situation, it's technically possible as the added test shows.
Closes #12678
| 9c3ed199 | 30-Mar-2026 | Alex Crichton <[email protected]> |
Fix table64 initialization when bulk memory is disabled (#12894)
* Fix table64 initialization when bulk memory is disabled
This commit fixes a panic in the host during instantiation when the `bulk_memory` wasm feature is disabled. In this mode the initialization of tables/memories is slightly different and a refactoring for 64-bit support wasn't applied to this code path, meaning that it resulted in a panic instead of properly handling 64-bit tables.
* Fix clippy
| 439de7fb | 30-Mar-2026 | Nick Fitzgerald <[email protected]> |
Handle OOM in the rest of Wasmtime's non-component, -async, -compilation APIs (#12858)
* Handle OOM in more places in the public API
A bunch of random places:
* Add: `Trap::try_new` to handle OOM while creating traps
* Use: `TryVec` inside `Func::call_impl_do_call` and `wasm_val_raw_storage` to hold the args and rets
* Add: `Instance::try_exports` for iterating over an instance's exports while handling OOM
* `Linker::try_get`, like `Linker::get` but handling OOM
* `Linker::try_get_by_import`, like `Linker::get_by_import` but handling OOM
* Use `try_new` to box things in `SharedMemory::new`
* Use `TryVec` instead of `Vec` in our dynamic tables
* Add OOM tests for most of Wasmtime's public API
Excludes component-, async-, and compilation-related APIs.
* address review feedback
* fix test compilation
* fix c-api
| 2283e84f | 30-Mar-2026 | Alex Crichton <[email protected]> |
Fix a panic with a massive `max_wasm_stack` configured (#12869)
* Fix a panic with a massive `max_wasm_stack` configured
This commit fixes a panic through a `checked_add(...).unwrap()` which can happen when `Config::max_wasm_stack` is configured to be a very large value. This is a mostly benign panic as it's unlikely this is configured much in the wild, but nevertheless seems like a good issue to fix regardless.
* Fix an overflow/OOM panic in pulley
prtest:full
* Fix CI
* Another CI fix
* Fix test on 32-bit
* Fix miri test
| 0fbbb754 | 30-Mar-2026 | Alex Crichton <[email protected]> |
Fix bounds check for `error-context.debug-message` (#12879)
* Fix bounds check for `error-context.debug-message`
This fixes a possible subsequent panic when lowering the message itself.
* Review comments
| 425a6017 | 30-Mar-2026 | Alex Crichton <[email protected]> |
Fix a stacked borrows violation in futures/streams copy (#12872)
* Fix a stacked borrows violation in futures/streams copy
This commit fixes an issue in the copy implementation for futures/streams related to component-model-async. Specifically the added tests here tripped an error in Miri which is related to intra-component copies and stacked borrows. This refactoring ends up using `copy_within` for the intra-component case and `copy_to_nonoverlapping` for the inter-component case to resolve this issue. This commit additionally refactors the validation/checks to happen in one location instead of in a few to ensure that all validation is done up-front in a shared manner.
* Fix CI
* Fix expected error message
* Review comments
| 1ee10205 | 30-Mar-2026 | Alex Crichton <[email protected]> |
Fix state of futures/streams after cancellation (#12881)
* Fix state of futures/streams after cancellation
This fixes two related but distinct issues with respect to delivering events to stream/future handles. First when delivering an event to a future or a stream the shared code is now more unified into one path. This fixes an issue with futures where they would always have `done` flagged as `false` accidentally. This then fixes an additional issue where this `on_delivery` function wasn't invoked when futures/streams had their operations cancelled.
* Fix CI