[44.0.0] Merged backports for security advisories (#13007)

* fix(environ): repair unsound StringPool::try_clone()

The 43.0 release introduced a soundness bug in StringPool::try_clone(): the
cloned

[44.0.0] Merged backports for security advisories (#13007)

* fix(environ): repair unsound StringPool::try_clone()

The 43.0 release introduced a soundness bug in StringPool::try_clone(): the
cloned map retains &'static str keys pointing into the original pool's
strings storage. Once the original Linker is dropped those keys dangle.

Cloning a Linker, then dropping the original one, leaves a linker whose
registered imports could no longer be found, causing instantiation to
fail with "unknown import".

Signed-off-by: Flavio Castelli <[email protected]>

* Fix pooling allocator predicate to reset VM permissions

This commit fixes a mistake that was introduced in #9583 where the logic
to reset a linear memory slot in the pooling allocator used the wrong
predicate. Specifically VM permissions must be reset if virtual memory
can be relied on at all, and the preexisting predicate of
`can_elide_bounds_check` was an inaccurate representation of this. The
correct predicate to check is `can_use_virtual_memory`.

* winch: Fix the type of the `table.size` output register

This commit corrects the tagged size of the output of the `table.size`
instruction. Previously this was hardcoded as a 32-bit integer instead
of consulting the table's index type to use the
index-type-sized-register instead.

* winch: Fix a host panic when executing `table.fill`

This commit fixes a possible panic when a Winch-compiled module executes
the `table.fill` instruction. Refactoring in #11254 updated Cranelift
but forgot to update Winch meaning that Winch's indices were still using
the module-level indices instead of the `DefinedTableIndex` space. This
adds some tests and updates Winch's translation to use preexisting
helpers.

* x64: Fix `f64x2.splat` without SSE3

Don't sink a load into `pshufd` which loads 16 bytes, instead force
`put_in_xmm` to ensure only 8 bytes are loaded.

* Properly verify alignment in string transcoding

This commit updates string transcoding between guest modules to properly
verify alignment. Previously alignment was only verified on the first
allocation, not reallocations, which is not spec-compliant. This
additionally fixes a possible host panic when dealing with unaligned
pointers.

* Fix type confusion in AArch64 amode RegScaled folding

* winch: Add add_uextend to perform explicit extension when needed.

This commit fixes an out-of-bounds access caused by the lack zero
extension in the code responsible for calculating the heap address for
loads/stores.

This issue manifests in aarch64 (unlike x64) given that no automatic
extension is performed, resulting in an out-of-bounds access.

An alternative approach is to emit an extend for the index, however
this approach is preferred given that it gives the MacroAssembler
layer better control of how to lower addition, e.g., in aarch64 we can
inline the desired extension in a single instruction.

* winch: Correctly type the result of table.grow

This commit fixes an out-of-bounds access caused by the lack of type
narrowing from the `table.grow` builtin. Without explicit narrowing,
the type is treated as 64-bit value, which could cause issues when
paired with loads/stores.

* Review comments

* Properly handle table index types

Only narrow when dealing with the 64-bit pointer/32-bit tables

* Fix panic with out-of-bounds flags in `Value`

This commit fixes a panic when a component model `Value` is lifted from
a flags value which specifies out-of-bounds bits as 1. This is specified
in the component model to ignore the out-of-bounds bits, which `flags!`
correctly did (and thus `bindgen!`), but `Value` treated out-of-bounds
bits as a panic due to indexing an array.

* Fix bounds checks in FACT's `string_to_compact` method

We need to bounds check the source byte length, not the number of code units.

* Add missing realloc validation in string transcoding

This commit adds a missing validation that a return value of `realloc`
is inbounds during string transcoding. This was accidentally missing on
the transcoding path from `utf8` to `latin1+utf16` which meant that a
nearly-raw pointer could get passed to the host to perform the
transcode.

* winch: Refine zero extension heuristic

This commit refines the zero extension heuristic such that it
unconditionally emits a zero extension when dealing with 32-bit
heaps. This eliminates any ambiguity related to the value of the
memory indices across ISAs.

* Fix failure on 32-bit

* Fix miri test

---------

Signed-off-by: Flavio Castelli <[email protected]>
Co-authored-by: Flavio Castelli <[email protected]>
Co-authored-by: Shun Kashiwa <[email protected]>
Co-authored-by: Saúl Cabrera <[email protected]>
Co-authored-by: Nick Fitzgerald <[email protected]>

show more ...

Migrate winch-codegen to `wasmtime_environ::error` (#12297)

Reduce scope of scratch registers for SIMD shifts (#11935)

Make `vm::Instance::get_defined_memory` safe (#11211)

This is a small step forward to making `vm::Instance` safe internally.
Notably the `get_defined_memory` helper now returns a safe mutable
refere

Make `vm::Instance::get_defined_memory` safe (#11211)

This is a small step forward to making `vm::Instance` safe internally.
Notably the `get_defined_memory` helper now returns a safe mutable
reference instead of a raw pointer. This is then additionally coupled
with the canonicalization of always working with memories as "instance
plus defined memory index" instead of "instance plus memory index". This
enables removing some unsafe `VMContext` to `Instance` conversion as
well. This change, however, required updating libcalls to special-case
when an imported memory is operated on to load the vmcontext/index in
the libcall itself.

This change notably does not update the `memory_init` libcall just yet
due to the fact that the `DataIndex` is relative to the owning instance
even if the memory is owned by a different instance (e.g. it's
imported). Otherwise this chips away at some of the `unsafe` related to
memory/table management in `vm::Instance`.

show more ...

winch: Use `Masm::with_scratch` in ISA-agnostic code (#10998)

* winch: Use `Masm::with_scratch` in ISA-agnostic code

This commit is a follow-up to
https://github.com/bytecodealliance/wasmtime/pull/

winch: Use `Masm::with_scratch` in ISA-agnostic code (#10998)

* winch: Use `Masm::with_scratch` in ISA-agnostic code

This commit is a follow-up to
https://github.com/bytecodealliance/wasmtime/pull/10989; it migrates
all the uses of the scratch register to use `Masm::with_scratch`. This
commit also updates the tests that can fail / are ignored, since many
of the bugs were introduced by accidental clobbers to scratch
registers.

Even though this change doesn't introduce any functional changes, the
disassembly changes in aarch64 are due to the usage of x17 as an extra
scratch registers. The updates in x64 dissembly are related to offset changes.

* Use `with_scratch!` in `pop_to_addr`

* Remove dead code

* Apply cargo fmt

* Remove `imports.wast` from ignore list

* Use the new version of `Masm::with_scratch`

* Introduce `Masm::with_scratch_for`

Helper to derive the register class needed for a particular Wasm value type

* Format

show more ...

winch: Generalize `with_scratch` function (#10997)

* Support any return value, not just `Result<()>`
* Use `FnOnce` instead of `FnMut`

This meant that many `Ok(())` values could be dropped, but oth

winch: Generalize `with_scratch` function (#10997)

* Support any return value, not just `Result<()>`
* Use `FnOnce` instead of `FnMut`

This meant that many `Ok(())` values could be dropped, but other values
using `?` needed to explicitly annotate the return type which is done by
returning `anyhow::Ok(())` to force the error type.

show more ...

winch: Simplify constant handling, part 2/N (#10989)

* winch: Introduce register allocation for scratch registers

This commit introduces a register allocator for scratch registers. The
objective of

winch: Simplify constant handling, part 2/N (#10989)

* winch: Introduce register allocation for scratch registers

This commit introduces a register allocator for scratch registers. The
objective of this change is to make it generally safer to work with
scratch registers and prevent accidental clobbering of said registers.

This approach also has the advantage that allows for a more natural
abstraction over ISA-dependent scratch register definitions, e.g., we
can easily encode that fact that in aarch64 x16 and x17 are considered
scratch registers, while in x64 Winch's ABI defines a single global
scratch register.

* winch: Hook up the scratch allocator in each of the backends

This commit makes use of the scratch register allocator in both the
x64 and aarch64 backends for immediate value loading.

Given that the MacroAssembler is the boundary between ISA-agnostic
code and ISA-dependent code, it seems to be the natural location for
this allocator to live.

The allocator gives exclusive access to a scratch register of a
particular class, through the `Masm::with_scratch` method. Note that
the semantics of this allocator don't involve spilling or any other
form of register availability resolution. If a register is requested
and it's not available, this method will panic.

* Apply `cargo fmt`

* Update disassembly tests

Even though the entire change doens't contain major funcitonal
changes, a side effect of improving the constant handling in aarch64
is that we perform better instruction selection for instructions that
deal with immediattes, improving the generated code in some cases.

* Review edits

show more ...

winch: Move the `AtomicWaitKind` definition to the MacroAssembler (#10853)

This commit is a small refactoring which moves the definition of the
`AtomicWaitKind` enum to the `MacroAssembler`, to ensu

winch: Move the `AtomicWaitKind` definition to the MacroAssembler (#10853)

This commit is a small refactoring which moves the definition of the
`AtomicWaitKind` enum to the `MacroAssembler`, to ensure with the
other operation kind definitions.

show more ...

Enable the `useless_conversion` Clippy lint (#10838)

* Enable the `useless_conversion` Clippy lint

We've got lots of types in Wasmtime and convert between them quite a
lot, but often over time conv

Enable the `useless_conversion` Clippy lint (#10838)

* Enable the `useless_conversion` Clippy lint

We've got lots of types in Wasmtime and convert between them quite a
lot, but often over time conversions become unnecessary through
refactorings or similar. This will hopefully enable us to clean up some
conversions as they come up to try to have as few as possible ideally.

* Review comments

show more ...

Update Wasmtime to the 2024 Rust Edition (#10806)

* Update Wasmtime to the 2024 Rust Edition

Now that our MSRV supports the 2024 edition it's possible to make this
switch. This commit moves Wasmtim

Update Wasmtime to the 2024 Rust Edition (#10806)

* Update Wasmtime to the 2024 Rust Edition

Now that our MSRV supports the 2024 edition it's possible to make this
switch. This commit moves Wasmtime to the 2024 Edition to keep
up-to-date with Rust idioms and access many of the edition features
exclusive to the 2024 edition.

prtest:full

* Reformat with the 2024 edition

show more ...

Switch to using Wasmtime-style builtins for ceil, floor, etc. (#10657)

* Switch to using Wasmtime-style builtins for ceil, floor, etc.

With this patch, all emitted calls are Wasmtime-style builtins

Switch to using Wasmtime-style builtins for ceil, floor, etc. (#10657)

* Switch to using Wasmtime-style builtins for ceil, floor, etc.

With this patch, all emitted calls are Wasmtime-style builtins, rather
than Cranelift-style libcalls. This ensures that all calls from
Cranelift-generated code into Wasmtime host code use the same mechanism,
and eliminates the relocation handling code for the libcall mechanism.

* Update tests.

* Avoid using x86_pshufb on non-x86 platforms.

* Revert unneeded f32/f64 changes in Pulley.

* Define i8x16 as an unconstructible type if sse isn't available.

* Delete the setters too.

* Fix f32/f64 setters.

* Test with prtest:full.

prtest:full

* Support fma.

* Return true for `has_native_fma` on pulley.

This works because pulley already has code implementing fma. This avoids
needing to marshal f32x4 values into builtin function calls on pulley.

* Update tests.

show more ...

Winch: Fix issue with multivalue returns (#10370)

chore: remove redundant words in comment (#10354)

Signed-off-by: NinaLua <[email protected]>

Winch: Fix extadd implementations (#10337)

* Winch: Fix extadd implementations

* Add new Wast test to excluded tests

winch(aarch64): Fix effective address calculation (#10297)

* winch(aarch64): Fix effective address calculation

`load_addr` should load the effective address, not the contents of the
address.

This

winch(aarch64): Fix effective address calculation (#10297)

* winch(aarch64): Fix effective address calculation

`load_addr` should load the effective address, not the contents of the
address.

This was causing issues with indirect function calls.

* Rename `load_addr` to `compute_addr`

show more ...

Winch: Add load_zero instructions for x64 with AVX (#10288)

Winch: Add implementations for pmin and pmax for x64 with AVX (#10284)

Winch: Add min and max for SIMD floats for x64 with AVX (#10271)

Winch: Add SIMD float arithmetic support for x64 with AVX (#10247)

* Winch: Add SIMD float arithmetic support for x64 with AVX

* Add ensure_has_avx to v128_neg method

Winch: Implement float rounding instructions for x64 with AVX (#10243)

Winch: Add implementation for `i8x16.popcnt` for x64 with AVX (#10241)

Winch: Refactor masm signatures to take kinds (#10242)

Winch: Implement avgr instructions for x64 with AVX (#10228)

* Winch: Implement avgr instructions for x64 with AVX

* Remove size check

Winch: Add `trunc_sat` instructions for x64 with AVX (#10226)

* Winch: Add `trunc_sat` instructions for x64 with AVX

* Free temp register

* Move implementations into helper methods

* Remove dupli

Winch: Add `trunc_sat` instructions for x64 with AVX (#10226)

* Winch: Add `trunc_sat` instructions for x64 with AVX

* Free temp register

* Move implementations into helper methods

* Remove duplicate Wast test entries

show more ...

Winch: v128 `min`, `max`, `extmul` and `extadd` (#10205)

* v128 min/max

* v128 extmul

* v128 extadd