[44.0.0] Merged backports for security advisories (#13007)

* fix(environ): repair unsound StringPool::try_clone()

The 43.0 release introduced a soundness bug in StringPool::try_clone(): the
cloned

[44.0.0] Merged backports for security advisories (#13007)

* fix(environ): repair unsound StringPool::try_clone()

The 43.0 release introduced a soundness bug in StringPool::try_clone(): the
cloned map retains &'static str keys pointing into the original pool's
strings storage. Once the original Linker is dropped those keys dangle.

Cloning a Linker, then dropping the original one, leaves a linker whose
registered imports could no longer be found, causing instantiation to
fail with "unknown import".

Signed-off-by: Flavio Castelli <[email protected]>

* Fix pooling allocator predicate to reset VM permissions

This commit fixes a mistake that was introduced in #9583 where the logic
to reset a linear memory slot in the pooling allocator used the wrong
predicate. Specifically VM permissions must be reset if virtual memory
can be relied on at all, and the preexisting predicate of
`can_elide_bounds_check` was an inaccurate representation of this. The
correct predicate to check is `can_use_virtual_memory`.

* winch: Fix the type of the `table.size` output register

This commit corrects the tagged size of the output of the `table.size`
instruction. Previously this was hardcoded as a 32-bit integer instead
of consulting the table's index type to use the
index-type-sized-register instead.

* winch: Fix a host panic when executing `table.fill`

This commit fixes a possible panic when a Winch-compiled module executes
the `table.fill` instruction. Refactoring in #11254 updated Cranelift
but forgot to update Winch meaning that Winch's indices were still using
the module-level indices instead of the `DefinedTableIndex` space. This
adds some tests and updates Winch's translation to use preexisting
helpers.

* x64: Fix `f64x2.splat` without SSE3

Don't sink a load into `pshufd` which loads 16 bytes, instead force
`put_in_xmm` to ensure only 8 bytes are loaded.

* Properly verify alignment in string transcoding

This commit updates string transcoding between guest modules to properly
verify alignment. Previously alignment was only verified on the first
allocation, not reallocations, which is not spec-compliant. This
additionally fixes a possible host panic when dealing with unaligned
pointers.

* Fix type confusion in AArch64 amode RegScaled folding

* winch: Add add_uextend to perform explicit extension when needed.

This commit fixes an out-of-bounds access caused by the lack zero
extension in the code responsible for calculating the heap address for
loads/stores.

This issue manifests in aarch64 (unlike x64) given that no automatic
extension is performed, resulting in an out-of-bounds access.

An alternative approach is to emit an extend for the index, however
this approach is preferred given that it gives the MacroAssembler
layer better control of how to lower addition, e.g., in aarch64 we can
inline the desired extension in a single instruction.

* winch: Correctly type the result of table.grow

This commit fixes an out-of-bounds access caused by the lack of type
narrowing from the `table.grow` builtin. Without explicit narrowing,
the type is treated as 64-bit value, which could cause issues when
paired with loads/stores.

* Review comments

* Properly handle table index types

Only narrow when dealing with the 64-bit pointer/32-bit tables

* Fix panic with out-of-bounds flags in `Value`

This commit fixes a panic when a component model `Value` is lifted from
a flags value which specifies out-of-bounds bits as 1. This is specified
in the component model to ignore the out-of-bounds bits, which `flags!`
correctly did (and thus `bindgen!`), but `Value` treated out-of-bounds
bits as a panic due to indexing an array.

* Fix bounds checks in FACT's `string_to_compact` method

We need to bounds check the source byte length, not the number of code units.

* Add missing realloc validation in string transcoding

This commit adds a missing validation that a return value of `realloc`
is inbounds during string transcoding. This was accidentally missing on
the transcoding path from `utf8` to `latin1+utf16` which meant that a
nearly-raw pointer could get passed to the host to perform the
transcode.

* winch: Refine zero extension heuristic

This commit refines the zero extension heuristic such that it
unconditionally emits a zero extension when dealing with 32-bit
heaps. This eliminates any ambiguity related to the value of the
memory indices across ISAs.

* Fix failure on 32-bit

* Fix miri test

---------

Signed-off-by: Flavio Castelli <[email protected]>
Co-authored-by: Flavio Castelli <[email protected]>
Co-authored-by: Shun Kashiwa <[email protected]>
Co-authored-by: Saúl Cabrera <[email protected]>
Co-authored-by: Nick Fitzgerald <[email protected]>

show more ...

winch: implement ref.null, ref.is_null, ref.func, and typed select (#12940)

* winch: implement ref.null, ref.is_null, ref.func, and typed select

* add disas tests and ref.func call_indirect coverag

winch: implement ref.null, ref.is_null, ref.func, and typed select (#12940)

* winch: implement ref.null, ref.is_null, ref.func, and typed select

* add disas tests and ref.func call_indirect coverage

* register wasmtime module in fuzz wast_test to fix wast_smoke_test

show more ...

Introduce `wasmtime::Store::try_new`, which handles OOM (#12415)

* Introduce `wasmtime::Store::try_new`, which handles OOM

`Store::new` is an infallible constructor, so there is not a direct way to

Introduce `wasmtime::Store::try_new`, which handles OOM (#12415)

* Introduce `wasmtime::Store::try_new`, which handles OOM

`Store::new` is an infallible constructor, so there is not a direct way to make
it return an error on OOM. Additionally, it is one of the most-used functions in
the Wasmtime embedder API, so changing its signature to return a `Result` is a
non-starter -- it would cause way too much pain. So instead we define
`Store::try_new` which returns a `Result` and make `Store::new` call and unwrap
that new constructor.

Part of https://github.com/bytecodealliance/wasmtime/issues/12069

* update disas tests and fix winch

* Disable concurrency support in `Store::try_new` OOM test

* Add attributes that were lost in rebase

show more ...

Migrate winch-codegen to `wasmtime_environ::error` (#12297)

Enable `clippy::extra_unused_type_parameters` lint (#12004)

Delete `vm::Instance::table_grow` (#11216)

This commit is a further inch towards #11179 by removing internal
reliance on reading `VMContext` pointers and casting them to `Pin<&mut
Instance>` in vari

Delete `vm::Instance::table_grow` (#11216)

This commit is a further inch towards #11179 by removing internal
reliance on reading `VMContext` pointers and casting them to `Pin<&mut
Instance>` in various contexts. Notably now only a defined table needs
to be grown, which simplifies the internals of `vm::Instance` ever so
slightly. This is a similar change as #11211 which transitions libcalls
to using `DefinedTableIndex` instead of `TableIndex`.

show more ...

Make `vm::Instance::get_defined_memory` safe (#11211)

This is a small step forward to making `vm::Instance` safe internally.
Notably the `get_defined_memory` helper now returns a safe mutable
refere

Make `vm::Instance::get_defined_memory` safe (#11211)

This is a small step forward to making `vm::Instance` safe internally.
Notably the `get_defined_memory` helper now returns a safe mutable
reference instead of a raw pointer. This is then additionally coupled
with the canonicalization of always working with memories as "instance
plus defined memory index" instead of "instance plus memory index". This
enables removing some unsafe `VMContext` to `Instance` conversion as
well. This change, however, required updating libcalls to special-case
when an imported memory is operated on to load the vmcontext/index in
the libcall itself.

This change notably does not update the `memory_init` libcall just yet
due to the fact that the `DataIndex` is relative to the owning instance
even if the memory is owned by a different instance (e.g. it's
imported). Otherwise this chips away at some of the `unsafe` related to
memory/table management in `vm::Instance`.

show more ...

Rename `memory32_grow` builtin to `memory_grow` (#11208)

This builtin is used for both 32 and 64-bit linear memories, no need to
bake "32" into the name any more.

winch: Simplify constant handling, part 2/N (#10989)

* winch: Introduce register allocation for scratch registers

This commit introduces a register allocator for scratch registers. The
objective of

winch: Simplify constant handling, part 2/N (#10989)

* winch: Introduce register allocation for scratch registers

This commit introduces a register allocator for scratch registers. The
objective of this change is to make it generally safer to work with
scratch registers and prevent accidental clobbering of said registers.

This approach also has the advantage that allows for a more natural
abstraction over ISA-dependent scratch register definitions, e.g., we
can easily encode that fact that in aarch64 x16 and x17 are considered
scratch registers, while in x64 Winch's ABI defines a single global
scratch register.

* winch: Hook up the scratch allocator in each of the backends

This commit makes use of the scratch register allocator in both the
x64 and aarch64 backends for immediate value loading.

Given that the MacroAssembler is the boundary between ISA-agnostic
code and ISA-dependent code, it seems to be the natural location for
this allocator to live.

The allocator gives exclusive access to a scratch register of a
particular class, through the `Masm::with_scratch` method. Note that
the semantics of this allocator don't involve spilling or any other
form of register availability resolution. If a register is requested
and it's not available, this method will panic.

* Apply `cargo fmt`

* Update disassembly tests

Even though the entire change doens't contain major funcitonal
changes, a side effect of improving the constant handling in aarch64
is that we perform better instruction selection for instructions that
deal with immediattes, improving the generated code in some cases.

* Review edits

show more ...

winch: Move the `AtomicWaitKind` definition to the MacroAssembler (#10853)

This commit is a small refactoring which moves the definition of the
`AtomicWaitKind` enum to the `MacroAssembler`, to ensu

winch: Move the `AtomicWaitKind` definition to the MacroAssembler (#10853)

This commit is a small refactoring which moves the definition of the
`AtomicWaitKind` enum to the `MacroAssembler`, to ensure with the
other operation kind definitions.

show more ...

Enable the `useless_conversion` Clippy lint (#10838)

* Enable the `useless_conversion` Clippy lint

We've got lots of types in Wasmtime and convert between them quite a
lot, but often over time conv

Enable the `useless_conversion` Clippy lint (#10838)

* Enable the `useless_conversion` Clippy lint

We've got lots of types in Wasmtime and convert between them quite a
lot, but often over time conversions become unnecessary through
refactorings or similar. This will hopefully enable us to clean up some
conversions as they come up to try to have as few as possible ideally.

* Review comments

show more ...

winch: Use innermost frame to emit `br_table` (#10821)

* winch: Use innermost frame to emit `br_table`

Prior to this commit, the lowering of br_table used the default target
as the relative referen

winch: Use innermost frame to emit `br_table` (#10821)

* winch: Use innermost frame to emit `br_table`

Prior to this commit, the lowering of br_table used the default target
as the relative reference to pop ABI results. This approach is not
ideal, as it leads to a loss of precision regarding the stack pointer
position, causing unmet invariants at jump sites for all other
branches.

This commit, instead, takes advantage of the fact that all jumps are
"outward" and uses the innermost frame to pop ABI results when
lowering br_table. This ensures two main things:

* The stack pointer offset is correctly positioned according to the
expectations of the innermost block's end sequence, which will be
handled in the next eventual `end` sequence.
* We meet the jump site invariants introduced by CodegenContext::br,
which take advantage of Wasm semantics, given that all jumps are
"outward".

* Format

show more ...

Update Wasmtime to the 2024 Rust Edition (#10806)

* Update Wasmtime to the 2024 Rust Edition

Now that our MSRV supports the 2024 edition it's possible to make this
switch. This commit moves Wasmtim

Update Wasmtime to the 2024 Rust Edition (#10806)

* Update Wasmtime to the 2024 Rust Edition

Now that our MSRV supports the 2024 edition it's possible to make this
switch. This commit moves Wasmtime to the 2024 Edition to keep
up-to-date with Rust idioms and access many of the edition features
exclusive to the 2024 edition.

prtest:full

* Reformat with the 2024 edition

show more ...

winch: Consolidate branch emission (#10730)

This commit fixes https://github.com/bytecodealliance/wasmtime/issues/10613

When emitting some WebAssembly instructinos involving branches, like
`br_if`

winch: Consolidate branch emission (#10730)

This commit fixes https://github.com/bytecodealliance/wasmtime/issues/10613

When emitting some WebAssembly instructinos involving branches, like
`br_if` stack pointer expectations must be met at jump sites, more
importantly when these instructions deal with multiple branches or
fallthrough cases, the need to reclaim any extra stack space might
arise, and when it does, special handling is needed to ensure that
value location is respected. Prior to this change, the emission for
`br_table` was incorrectly handling multiple return values on the
stack, causing the miscompilation reported in the issue above.

This commit introduces a better mechanism to deal with branch
emission, ensuring that all invariants are applied to the main entry
points for branches: `return`, `br` , `br_if` and `br_table`.

show more ...

Switch to using Wasmtime-style builtins for ceil, floor, etc. (#10657)

* Switch to using Wasmtime-style builtins for ceil, floor, etc.

With this patch, all emitted calls are Wasmtime-style builtins

Switch to using Wasmtime-style builtins for ceil, floor, etc. (#10657)

* Switch to using Wasmtime-style builtins for ceil, floor, etc.

With this patch, all emitted calls are Wasmtime-style builtins, rather
than Cranelift-style libcalls. This ensures that all calls from
Cranelift-generated code into Wasmtime host code use the same mechanism,
and eliminates the relocation handling code for the libcall mechanism.

* Update tests.

* Avoid using x86_pshufb on non-x86 platforms.

* Revert unneeded f32/f64 changes in Pulley.

* Define i8x16 as an unconstructible type if sse isn't available.

* Delete the setters too.

* Fix f32/f64 setters.

* Test with prtest:full.

prtest:full

* Support fma.

* Return true for `has_native_fma` on pulley.

This works because pulley already has code implementing fma. This avoids
needing to marshal f32x4 values into builtin function calls on pulley.

* Update tests.

show more ...

Update wasm spec test suite, add exception feature flags (#10553)

* Update wasm spec test suite, add exception feature flags

This commit performs an update of the spec test suite submodule to the
n

Update wasm spec test suite, add exception feature flags (#10553)

* Update wasm spec test suite, add exception feature flags

This commit performs an update of the spec test suite submodule to the
next-to-latest commit. The latest commit will require updating the
`wast` dependency which isn't published yet.

This update brings in the `wasm-3.0` folder of tests since it's been
awhile since the last update. That update notably means that the
exception-handling proposal is mixed in with all the others with various
tests. Getting tests as flagged as passing or failing as a result was
unexpectedly difficult.

The solution I ended up settling on was to preemptively implement some
infrastructure for the exceptions proposal:

* `wasmtime::Config` methods
* `wasmtime` CLI flags
* integration with wast testing
* various updates to `should_fail`

It turns out we can run a few tests with the exception proposal, notably
due to tags being implemented for stack switching. That meant that this
couldn't blanket ignore the exceptions proposal and say it's expected to
fail. Instead the proposal is said "this passes!" and tests are
individually listed as "this is expected to fail".

This then required changing an `unsupported!` panic to plumbing errors
around to avoid actually implementing the exceptions proposal here.

* Review comments

show more ...

Winch: Add load_zero instructions for x64 with AVX (#10288)

Winch: Add implementations for pmin and pmax for x64 with AVX (#10284)

Winch: Add min and max for SIMD floats for x64 with AVX (#10271)

Winch: Add SIMD float arithmetic support for x64 with AVX (#10247)

* Winch: Add SIMD float arithmetic support for x64 with AVX

* Add ensure_has_avx to v128_neg method

Winch: Implement float rounding instructions for x64 with AVX (#10243)

Winch: Add implementation for `i8x16.popcnt` for x64 with AVX (#10241)

Winch: Refactor masm signatures to take kinds (#10242)

Winch: Fix i8x16.max_u to use unsigned instruction (#10236)

Winch: Implement avgr instructions for x64 with AVX (#10228)

* Winch: Implement avgr instructions for x64 with AVX

* Remove size check