1 use crate::Trap; 2 use crate::prelude::*; 3 use crate::runtime::vm::{self, ExportMemory}; 4 use crate::store::{StoreInstanceId, StoreOpaque, StoreResourceLimiter}; 5 use crate::trampoline::generate_memory_export; 6 #[cfg(feature = "async")] 7 use crate::vm::VMStore; 8 use crate::{AsContext, AsContextMut, Engine, MemoryType, StoreContext, StoreContextMut}; 9 use core::cell::UnsafeCell; 10 use core::fmt; 11 use core::slice; 12 use core::time::Duration; 13 use wasmtime_environ::DefinedMemoryIndex; 14 15 pub use crate::runtime::vm::WaitResult; 16 17 /// Error for out of bounds [`Memory`] access. 18 #[derive(Debug)] 19 #[non_exhaustive] 20 pub struct MemoryAccessError { 21 // Keep struct internals private for future extensibility. 22 _private: (), 23 } 24 25 impl fmt::Display for MemoryAccessError { 26 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 27 write!(f, "out of bounds memory access") 28 } 29 } 30 31 impl core::error::Error for MemoryAccessError {} 32 33 /// A WebAssembly linear memory. 34 /// 35 /// WebAssembly memories represent a contiguous array of bytes that have a size 36 /// that is always a multiple of the WebAssembly page size, currently 64 37 /// kilobytes. 38 /// 39 /// WebAssembly memory is used for global data (not to be confused with wasm 40 /// `global` items), statics in C/C++/Rust, shadow stack memory, etc. Accessing 41 /// wasm memory is generally quite fast. 42 /// 43 /// Memories, like other wasm items, are owned by a [`Store`](crate::Store). 44 /// 45 /// # `Memory` and Safety 46 /// 47 /// Linear memory is a lynchpin of safety for WebAssembly. In Wasmtime there are 48 /// safe methods of interacting with a [`Memory`]: 49 /// 50 /// * [`Memory::read`] 51 /// * [`Memory::write`] 52 /// * [`Memory::data`] 53 /// * [`Memory::data_mut`] 54 /// 55 /// Note that all of these consider the entire store context as borrowed for the 56 /// duration of the call or the duration of the returned slice. This largely 57 /// means that while the function is running you'll be unable to borrow anything 58 /// else from the store. This includes getting access to the `T` on 59 /// [`Store<T>`](crate::Store), but it also means that you can't recursively 60 /// call into WebAssembly for instance. 61 /// 62 /// If you'd like to dip your toes into handling [`Memory`] in a more raw 63 /// fashion (e.g. by using raw pointers or raw slices), then there's a few 64 /// important points to consider when doing so: 65 /// 66 /// * Any recursive calls into WebAssembly can possibly modify any byte of the 67 /// entire memory. This means that whenever wasm is called Rust can't have any 68 /// long-lived borrows live across the wasm function call. Slices like `&mut 69 /// [u8]` will be violated because they're not actually exclusive at that 70 /// point, and slices like `&[u8]` are also violated because their contents 71 /// may be mutated. 72 /// 73 /// * WebAssembly memories can grow, and growth may change the base pointer. 74 /// This means that even holding a raw pointer to memory over a wasm function 75 /// call is also incorrect. Anywhere in the function call the base address of 76 /// memory may change. Note that growth can also be requested from the 77 /// embedding API as well. 78 /// 79 /// As a general rule of thumb it's recommended to stick to the safe methods of 80 /// [`Memory`] if you can. It's not advised to use raw pointers or `unsafe` 81 /// operations because of how easy it is to accidentally get things wrong. 82 /// 83 /// Some examples of safely interacting with memory are: 84 /// 85 /// ```rust 86 /// use wasmtime::{Memory, Store, MemoryAccessError}; 87 /// 88 /// // Memory can be read and written safely with the `Memory::read` and 89 /// // `Memory::write` methods. 90 /// // An error is returned if the copy did not succeed. 91 /// fn safe_examples(mem: Memory, store: &mut Store<()>) -> Result<(), MemoryAccessError> { 92 /// let offset = 5; 93 /// mem.write(&mut *store, offset, b"hello")?; 94 /// let mut buffer = [0u8; 5]; 95 /// mem.read(&store, offset, &mut buffer)?; 96 /// assert_eq!(b"hello", &buffer); 97 /// 98 /// // Note that while this is safe care must be taken because the indexing 99 /// // here may panic if the memory isn't large enough. 100 /// assert_eq!(&mem.data(&store)[offset..offset + 5], b"hello"); 101 /// mem.data_mut(&mut *store)[offset..offset + 5].copy_from_slice(b"bye!!"); 102 /// 103 /// Ok(()) 104 /// } 105 /// ``` 106 /// 107 /// It's worth also, however, covering some examples of **incorrect**, 108 /// **unsafe** usages of `Memory`. Do not do these things! 109 /// 110 /// ```rust 111 /// use wasmtime::{Memory, Result, Store}; 112 /// 113 /// // NOTE: All code in this function is not safe to execute and may cause 114 /// // segfaults/undefined behavior at runtime. Do not copy/paste these examples 115 /// // into production code! 116 /// unsafe fn unsafe_examples(mem: Memory, store: &mut Store<()>) -> Result<()> { 117 /// // First and foremost, any borrow can be invalidated at any time via the 118 /// // `Memory::grow` function. This can relocate memory which causes any 119 /// // previous pointer to be possibly invalid now. 120 /// unsafe { 121 /// let pointer: &u8 = &*mem.data_ptr(&store); 122 /// mem.grow(&mut *store, 1)?; // invalidates `pointer`! 123 /// // println!("{}", *pointer); // FATAL: use-after-free 124 /// } 125 /// 126 /// // Note that the use-after-free also applies to slices, whether they're 127 /// // slices of bytes or strings. 128 /// unsafe { 129 /// let mem_slice = std::slice::from_raw_parts( 130 /// mem.data_ptr(&store), 131 /// mem.data_size(&store), 132 /// ); 133 /// let slice: &[u8] = &mem_slice[0x100..0x102]; 134 /// mem.grow(&mut *store, 1)?; // invalidates `slice`! 135 /// // println!("{:?}", slice); // FATAL: use-after-free 136 /// } 137 /// 138 /// // The `Memory` type may be stored in other locations, so if you hand 139 /// // off access to the `Store` then those locations may also call 140 /// // `Memory::grow` or similar, so it's not enough to just audit code for 141 /// // calls to `Memory::grow`. 142 /// unsafe { 143 /// let pointer: &u8 = &*mem.data_ptr(&store); 144 /// some_other_function(store); // may invalidate `pointer` through use of `store` 145 /// // println!("{:?}", pointer); // FATAL: maybe a use-after-free 146 /// } 147 /// 148 /// // An especially subtle aspect of accessing a wasm instance's memory is 149 /// // that you need to be extremely careful about aliasing. Anyone at any 150 /// // time can call `data_unchecked()` or `data_unchecked_mut()`, which 151 /// // means you can easily have aliasing mutable references: 152 /// unsafe { 153 /// let ref1: &u8 = &*mem.data_ptr(&store).add(0x100); 154 /// let ref2: &mut u8 = &mut *mem.data_ptr(&store).add(0x100); 155 /// // *ref2 = *ref1; // FATAL: violates Rust's aliasing rules 156 /// } 157 /// 158 /// Ok(()) 159 /// } 160 /// # fn some_other_function(store: &mut Store<()>) {} 161 /// ``` 162 /// 163 /// Overall there's some general rules of thumb when unsafely working with 164 /// `Memory` and getting raw pointers inside of it: 165 /// 166 /// * If you never have a "long lived" pointer into memory, you're likely in the 167 /// clear. Care still needs to be taken in threaded scenarios or when/where 168 /// data is read, but you'll be shielded from many classes of issues. 169 /// * Long-lived pointers must always respect Rust'a aliasing rules. It's ok for 170 /// shared borrows to overlap with each other, but mutable borrows must 171 /// overlap with nothing. 172 /// * Long-lived pointers are only valid if they're not invalidated for their 173 /// lifetime. This means that [`Store`](crate::Store) isn't used to reenter 174 /// wasm or the memory itself is never grown or otherwise modified/aliased. 175 /// 176 /// At this point it's worth reiterating again that unsafely working with 177 /// `Memory` is pretty tricky and not recommended! It's highly recommended to 178 /// use the safe methods to interact with [`Memory`] whenever possible. 179 /// 180 /// ## `Memory` Safety and Threads 181 /// 182 /// Currently the `wasmtime` crate does not implement the wasm threads proposal, 183 /// but it is planned to do so. It may be interesting to readers to see how this 184 /// affects memory safety and what was previously just discussed as well. 185 /// 186 /// Once threads are added into the mix, all of the above rules still apply. 187 /// There's an additional consideration that all reads and writes can happen 188 /// concurrently, though. This effectively means that any borrow into wasm 189 /// memory are virtually never safe to have. 190 /// 191 /// Mutable pointers are fundamentally unsafe to have in a concurrent scenario 192 /// in the face of arbitrary wasm code. Only if you dynamically know for sure 193 /// that wasm won't access a region would it be safe to construct a mutable 194 /// pointer. Additionally even shared pointers are largely unsafe because their 195 /// underlying contents may change, so unless `UnsafeCell` in one form or 196 /// another is used everywhere there's no safety. 197 /// 198 /// One important point about concurrency is that while [`Memory::grow`] can 199 /// happen concurrently it will never relocate the base pointer. Shared 200 /// memories must always have a maximum size and they will be preallocated such 201 /// that growth will never relocate the base pointer. The current size of the 202 /// memory may still change over time though. 203 /// 204 /// Overall the general rule of thumb for shared memories is that you must 205 /// atomically read and write everything. Nothing can be borrowed and everything 206 /// must be eagerly copied out. This means that [`Memory::data`] and 207 /// [`Memory::data_mut`] won't work in the future (they'll probably return an 208 /// error) for shared memories when they're implemented. When possible it's 209 /// recommended to use [`Memory::read`] and [`Memory::write`] which will still 210 /// be provided. 211 #[derive(Copy, Clone, Debug)] 212 #[repr(C)] // here for the C API 213 pub struct Memory { 214 /// The internal store instance that this memory belongs to. 215 instance: StoreInstanceId, 216 /// The index of the memory, within `instance` above, that this memory 217 /// refers to. 218 index: DefinedMemoryIndex, 219 } 220 221 // Double-check that the C representation in `extern.h` matches our in-Rust 222 // representation here in terms of size/alignment/etc. 223 const _: () = { 224 #[repr(C)] 225 struct Tmp(u64, u32); 226 #[repr(C)] 227 struct C(Tmp, u32); 228 assert!(core::mem::size_of::<C>() == core::mem::size_of::<Memory>()); 229 assert!(core::mem::align_of::<C>() == core::mem::align_of::<Memory>()); 230 assert!(core::mem::offset_of!(Memory, instance) == 0); 231 }; 232 233 impl Memory { 234 /// Creates a new WebAssembly memory given the configuration of `ty`. 235 /// 236 /// The `store` argument will be the owner of the returned [`Memory`]. All 237 /// WebAssembly memory is initialized to zero. 238 /// 239 /// # Panics 240 /// 241 /// This function will panic if the [`Store`](`crate::Store`) has a 242 /// [`ResourceLimiterAsync`](`crate::ResourceLimiterAsync`) (see also: 243 /// [`Store::limiter_async`](`crate::Store::limiter_async`)). When 244 /// using an async resource limiter, use [`Memory::new_async`] instead. 245 /// 246 /// # Examples 247 /// 248 /// ``` 249 /// # use wasmtime::*; 250 /// # fn main() -> Result<()> { 251 /// let engine = Engine::default(); 252 /// let mut store = Store::new(&engine, ()); 253 /// 254 /// let memory_ty = MemoryType::new(1, None); 255 /// let memory = Memory::new(&mut store, memory_ty)?; 256 /// 257 /// let module = Module::new(&engine, "(module (memory (import \"\" \"\") 1))")?; 258 /// let instance = Instance::new(&mut store, &module, &[memory.into()])?; 259 /// // ... 260 /// # Ok(()) 261 /// # } 262 /// ``` 263 pub fn new(mut store: impl AsContextMut, ty: MemoryType) -> Result<Memory> { 264 let (mut limiter, store) = store 265 .as_context_mut() 266 .0 267 .validate_sync_resource_limiter_and_store_opaque()?; 268 vm::assert_ready(Self::_new(store, limiter.as_mut(), ty)) 269 } 270 271 /// Async variant of [`Memory::new`]. You must use this variant with 272 /// [`Store`](`crate::Store`)s which have a 273 /// [`ResourceLimiterAsync`](`crate::ResourceLimiterAsync`). 274 /// 275 /// # Panics 276 /// 277 /// This function will panic when used with a non-async 278 /// [`Store`](`crate::Store`). 279 #[cfg(feature = "async")] 280 pub async fn new_async(mut store: impl AsContextMut, ty: MemoryType) -> Result<Memory> { 281 let (mut limiter, store) = store.as_context_mut().0.resource_limiter_and_store_opaque(); 282 Self::_new(store, limiter.as_mut(), ty).await 283 } 284 285 /// Helper function for attaching the memory to a "frankenstein" instance 286 async fn _new( 287 store: &mut StoreOpaque, 288 limiter: Option<&mut StoreResourceLimiter<'_>>, 289 ty: MemoryType, 290 ) -> Result<Memory> { 291 if ty.is_shared() { 292 bail!("shared memories must be created through `SharedMemory`") 293 } 294 Ok(generate_memory_export(store, limiter, &ty, None) 295 .await? 296 .unshared() 297 .unwrap()) 298 } 299 300 /// Returns the underlying type of this memory. 301 /// 302 /// # Panics 303 /// 304 /// Panics if this memory doesn't belong to `store`. 305 /// 306 /// # Examples 307 /// 308 /// ``` 309 /// # use wasmtime::*; 310 /// # fn main() -> Result<()> { 311 /// let engine = Engine::default(); 312 /// let mut store = Store::new(&engine, ()); 313 /// let module = Module::new(&engine, "(module (memory (export \"mem\") 1))")?; 314 /// let instance = Instance::new(&mut store, &module, &[])?; 315 /// let memory = instance.get_memory(&mut store, "mem").unwrap(); 316 /// let ty = memory.ty(&store); 317 /// assert_eq!(ty.minimum(), 1); 318 /// # Ok(()) 319 /// # } 320 /// ``` 321 pub fn ty(&self, store: impl AsContext) -> MemoryType { 322 let store = store.as_context(); 323 MemoryType::from_wasmtime_memory(self.wasmtime_ty(store.0)) 324 } 325 326 /// Safely reads memory contents at the given offset into a buffer. 327 /// 328 /// The entire buffer will be filled. 329 /// 330 /// If `offset + buffer.len()` exceed the current memory capacity, then the 331 /// buffer is left untouched and a [`MemoryAccessError`] is returned. 332 /// 333 /// # Panics 334 /// 335 /// Panics if this memory doesn't belong to `store`. 336 pub fn read( 337 &self, 338 store: impl AsContext, 339 offset: usize, 340 buffer: &mut [u8], 341 ) -> Result<(), MemoryAccessError> { 342 let store = store.as_context(); 343 let slice = self 344 .data(&store) 345 .get(offset..) 346 .and_then(|s| s.get(..buffer.len())) 347 .ok_or(MemoryAccessError { _private: () })?; 348 buffer.copy_from_slice(slice); 349 Ok(()) 350 } 351 352 /// Safely writes contents of a buffer to this memory at the given offset. 353 /// 354 /// If the `offset + buffer.len()` exceeds the current memory capacity, then 355 /// none of the buffer is written to memory and a [`MemoryAccessError`] is 356 /// returned. 357 /// 358 /// # Panics 359 /// 360 /// Panics if this memory doesn't belong to `store`. 361 pub fn write( 362 &self, 363 mut store: impl AsContextMut, 364 offset: usize, 365 buffer: &[u8], 366 ) -> Result<(), MemoryAccessError> { 367 let mut context = store.as_context_mut(); 368 self.data_mut(&mut context) 369 .get_mut(offset..) 370 .and_then(|s| s.get_mut(..buffer.len())) 371 .ok_or(MemoryAccessError { _private: () })? 372 .copy_from_slice(buffer); 373 Ok(()) 374 } 375 376 /// Returns this memory as a native Rust slice. 377 /// 378 /// Note that this method will consider the entire store context provided as 379 /// borrowed for the duration of the lifetime of the returned slice. 380 /// 381 /// # Panics 382 /// 383 /// Panics if this memory doesn't belong to `store`. 384 pub fn data<'a, T: 'static>(&self, store: impl Into<StoreContext<'a, T>>) -> &'a [u8] { 385 unsafe { 386 let store = store.into(); 387 let definition = store[self.instance].memory(self.index); 388 debug_assert!(!self.ty(store).is_shared()); 389 slice::from_raw_parts(definition.base.as_ptr(), definition.current_length()) 390 } 391 } 392 393 /// Returns this memory as a native Rust mutable slice. 394 /// 395 /// Note that this method will consider the entire store context provided as 396 /// borrowed for the duration of the lifetime of the returned slice. 397 /// 398 /// # Panics 399 /// 400 /// Panics if this memory doesn't belong to `store`. 401 pub fn data_mut<'a, T: 'static>( 402 &self, 403 store: impl Into<StoreContextMut<'a, T>>, 404 ) -> &'a mut [u8] { 405 unsafe { 406 let store = store.into(); 407 let definition = store[self.instance].memory(self.index); 408 debug_assert!(!self.ty(store).is_shared()); 409 slice::from_raw_parts_mut(definition.base.as_ptr(), definition.current_length()) 410 } 411 } 412 413 /// Same as [`Memory::data_mut`], but also returns the `T` from the 414 /// [`StoreContextMut`]. 415 /// 416 /// This method can be used when you want to simultaneously work with the 417 /// `T` in the store as well as the memory behind this [`Memory`]. Using 418 /// [`Memory::data_mut`] would consider the entire store borrowed, whereas 419 /// this method allows the Rust compiler to see that the borrow of this 420 /// memory and the borrow of `T` are disjoint. 421 /// 422 /// # Panics 423 /// 424 /// Panics if this memory doesn't belong to `store`. 425 pub fn data_and_store_mut<'a, T: 'static>( 426 &self, 427 store: impl Into<StoreContextMut<'a, T>>, 428 ) -> (&'a mut [u8], &'a mut T) { 429 // Note the unsafety here. Our goal is to simultaneously borrow the 430 // memory and custom data from `store`, and the store it's connected 431 // to. Rust will not let us do that, however, because we must call two 432 // separate methods (both of which borrow the whole `store`) and one of 433 // our borrows is mutable (the custom data). 434 // 435 // This operation, however, is safe because these borrows do not overlap 436 // and in the process of borrowing them mutability doesn't actually 437 // touch anything. This is akin to mutably borrowing two indices in an 438 // array, which is safe so long as the indices are separate. 439 unsafe { 440 let mut store = store.into(); 441 let data = &mut *(store.data_mut() as *mut T); 442 (self.data_mut(store), data) 443 } 444 } 445 446 /// Returns the base pointer, in the host's address space, that the memory 447 /// is located at. 448 /// 449 /// For more information and examples see the documentation on the 450 /// [`Memory`] type. 451 /// 452 /// # Panics 453 /// 454 /// Panics if this memory doesn't belong to `store`. 455 pub fn data_ptr(&self, store: impl AsContext) -> *mut u8 { 456 store.as_context()[self.instance] 457 .memory(self.index) 458 .base 459 .as_ptr() 460 } 461 462 /// Returns the byte length of this memory. 463 /// 464 /// WebAssembly memories are made up of a whole number of pages, so the byte 465 /// size returned will always be a multiple of this memory's page size. Note 466 /// that different Wasm memories may have different page sizes. You can get 467 /// a memory's page size via the [`Memory::page_size`] method. 468 /// 469 /// By default the page size is 64KiB (aka `0x10000`, `2**16`, `1<<16`, or 470 /// `65536`) but [the custom-page-sizes proposal] allows a memory to opt 471 /// into a page size of `1`. Future extensions might allow any power of two 472 /// as a page size. 473 /// 474 /// [the custom-page-sizes proposal]: https://github.com/WebAssembly/custom-page-sizes 475 /// 476 /// For more information and examples see the documentation on the 477 /// [`Memory`] type. 478 /// 479 /// # Panics 480 /// 481 /// Panics if this memory doesn't belong to `store`. 482 pub fn data_size(&self, store: impl AsContext) -> usize { 483 self.internal_data_size(store.as_context().0) 484 } 485 486 pub(crate) fn internal_data_size(&self, store: &StoreOpaque) -> usize { 487 store[self.instance].memory(self.index).current_length() 488 } 489 490 /// Returns the size, in units of pages, of this Wasm memory. 491 /// 492 /// WebAssembly memories are made up of a whole number of pages, so the byte 493 /// size returned will always be a multiple of this memory's page size. Note 494 /// that different Wasm memories may have different page sizes. You can get 495 /// a memory's page size via the [`Memory::page_size`] method. 496 /// 497 /// By default the page size is 64KiB (aka `0x10000`, `2**16`, `1<<16`, or 498 /// `65536`) but [the custom-page-sizes proposal] allows a memory to opt 499 /// into a page size of `1`. Future extensions might allow any power of two 500 /// as a page size. 501 /// 502 /// [the custom-page-sizes proposal]: https://github.com/WebAssembly/custom-page-sizes 503 /// 504 /// # Panics 505 /// 506 /// Panics if this memory doesn't belong to `store`. 507 pub fn size(&self, store: impl AsContext) -> u64 { 508 self.internal_size(store.as_context().0) 509 } 510 511 pub(crate) fn internal_size(&self, store: &StoreOpaque) -> u64 { 512 let byte_size = self.internal_data_size(store); 513 let page_size = usize::try_from(self._page_size(store)).unwrap(); 514 u64::try_from(byte_size / page_size).unwrap() 515 } 516 517 /// Returns the size of a page, in bytes, for this memory. 518 /// 519 /// WebAssembly memories are made up of a whole number of pages, so the byte 520 /// size (as returned by [`Memory::data_size`]) will always be a multiple of 521 /// their page size. Different Wasm memories may have different page sizes. 522 /// 523 /// By default this is 64KiB (aka `0x10000`, `2**16`, `1<<16`, or `65536`) 524 /// but [the custom-page-sizes proposal] allows opting into a page size of 525 /// `1`. Future extensions might allow any power of two as a page size. 526 /// 527 /// [the custom-page-sizes proposal]: https://github.com/WebAssembly/custom-page-sizes 528 pub fn page_size(&self, store: impl AsContext) -> u64 { 529 self._page_size(store.as_context().0) 530 } 531 532 pub(crate) fn _page_size(&self, store: &StoreOpaque) -> u64 { 533 self.wasmtime_ty(store).page_size() 534 } 535 536 /// Returns the log2 of this memory's page size, in bytes. 537 /// 538 /// WebAssembly memories are made up of a whole number of pages, so the byte 539 /// size (as returned by [`Memory::data_size`]) will always be a multiple of 540 /// their page size. Different Wasm memories may have different page sizes. 541 /// 542 /// By default the page size is 64KiB (aka `0x10000`, `2**16`, `1<<16`, or 543 /// `65536`) but [the custom-page-sizes proposal] allows opting into a page 544 /// size of `1`. Future extensions might allow any power of two as a page 545 /// size. 546 /// 547 /// [the custom-page-sizes proposal]: https://github.com/WebAssembly/custom-page-sizes 548 pub fn page_size_log2(&self, store: impl AsContext) -> u8 { 549 self._page_size_log2(store.as_context().0) 550 } 551 552 pub(crate) fn _page_size_log2(&self, store: &StoreOpaque) -> u8 { 553 self.wasmtime_ty(store).page_size_log2 554 } 555 556 /// Grows this WebAssembly memory by `delta` pages. 557 /// 558 /// This will attempt to add `delta` more pages of memory on to the end of 559 /// this `Memory` instance. If successful this may relocate the memory and 560 /// cause [`Memory::data_ptr`] to return a new value. Additionally any 561 /// unsafely constructed slices into this memory may no longer be valid. 562 /// 563 /// On success returns the number of pages this memory previously had 564 /// before the growth succeeded. 565 /// 566 /// Note that, by default, a WebAssembly memory's page size is 64KiB (aka 567 /// 65536 or 2<sup>16</sup>). The [custom-page-sizes proposal] allows Wasm 568 /// memories to opt into a page size of one byte (and this may be further 569 /// relaxed to any power of two in a future extension). 570 /// 571 /// [custom-page-sizes proposal]: https://github.com/WebAssembly/custom-page-sizes 572 /// 573 /// # Errors 574 /// 575 /// Returns an error if memory could not be grown, for example if it exceeds 576 /// the maximum limits of this memory. A 577 /// [`ResourceLimiter`](crate::ResourceLimiter) is another example of 578 /// preventing a memory to grow. 579 /// 580 /// This function will return an error if the [`Store`](`crate::Store`) has 581 /// a [`ResourceLimiterAsync`](`crate::ResourceLimiterAsync`) (see also: 582 /// [`Store::limiter_async`](`crate::Store::limiter_async`). When using an 583 /// async resource limiter, use [`Memory::grow_async`] instead. 584 /// 585 /// # Panics 586 /// 587 /// Panics if this memory doesn't belong to `store`. 588 /// 589 /// # Examples 590 /// 591 /// ``` 592 /// # use wasmtime::*; 593 /// # fn main() -> Result<()> { 594 /// let engine = Engine::default(); 595 /// let mut store = Store::new(&engine, ()); 596 /// let module = Module::new(&engine, "(module (memory (export \"mem\") 1 2))")?; 597 /// let instance = Instance::new(&mut store, &module, &[])?; 598 /// let memory = instance.get_memory(&mut store, "mem").unwrap(); 599 /// 600 /// assert_eq!(memory.size(&store), 1); 601 /// assert_eq!(memory.grow(&mut store, 1)?, 1); 602 /// assert_eq!(memory.size(&store), 2); 603 /// assert!(memory.grow(&mut store, 1).is_err()); 604 /// assert_eq!(memory.size(&store), 2); 605 /// assert_eq!(memory.grow(&mut store, 0)?, 2); 606 /// # Ok(()) 607 /// # } 608 /// ``` 609 pub fn grow(&self, mut store: impl AsContextMut, delta: u64) -> Result<u64> { 610 let store = store.as_context_mut().0; 611 let (mut limiter, store) = store.validate_sync_resource_limiter_and_store_opaque()?; 612 vm::assert_ready(self._grow(store, limiter.as_mut(), delta)) 613 } 614 615 /// Async variant of [`Memory::grow`]. Required when using a 616 /// [`ResourceLimiterAsync`](`crate::ResourceLimiterAsync`). 617 /// 618 /// # Panics 619 /// 620 /// This function will panic when used with a non-async 621 /// [`Store`](`crate::Store`). 622 #[cfg(feature = "async")] 623 pub async fn grow_async(&self, mut store: impl AsContextMut, delta: u64) -> Result<u64> { 624 let store = store.as_context_mut(); 625 let (mut limiter, store) = store.0.resource_limiter_and_store_opaque(); 626 self._grow(store, limiter.as_mut(), delta).await 627 } 628 629 async fn _grow( 630 &self, 631 store: &mut StoreOpaque, 632 limiter: Option<&mut StoreResourceLimiter<'_>>, 633 delta: u64, 634 ) -> Result<u64> { 635 let result = self 636 .instance 637 .get_mut(store) 638 .memory_grow(limiter, self.index, delta) 639 .await?; 640 match result { 641 Some(size) => { 642 let page_size = self.wasmtime_ty(store).page_size(); 643 Ok(u64::try_from(size).unwrap() / page_size) 644 } 645 None => bail!("failed to grow memory by `{delta}`"), 646 } 647 } 648 649 /// Creates a new memory from its raw component parts. 650 /// 651 /// # Safety 652 /// 653 /// The caller must ensure that the memory pointed to by `instance` and 654 /// `index` is not a shared memory. For that `SharedMemory` must be used 655 /// instead. 656 pub(crate) unsafe fn from_raw(instance: StoreInstanceId, index: DefinedMemoryIndex) -> Memory { 657 Memory { instance, index } 658 } 659 660 pub(crate) fn wasmtime_ty<'a>(&self, store: &'a StoreOpaque) -> &'a wasmtime_environ::Memory { 661 let module = store[self.instance].env_module(); 662 let index = module.memory_index(self.index); 663 &module.memories[index] 664 } 665 666 pub(crate) fn vmimport(&self, store: &StoreOpaque) -> crate::runtime::vm::VMMemoryImport { 667 store[self.instance].get_defined_memory_vmimport(self.index) 668 } 669 670 pub(crate) fn comes_from_same_store(&self, store: &StoreOpaque) -> bool { 671 store.id() == self.instance.store_id() 672 } 673 674 /// Get a stable hash key for this memory. 675 /// 676 /// Even if the same underlying memory definition is added to the 677 /// `StoreData` multiple times and becomes multiple `wasmtime::Memory`s, 678 /// this hash key will be consistent across all of these memories. 679 #[cfg(feature = "coredump")] 680 pub(crate) fn hash_key(&self, store: &StoreOpaque) -> impl core::hash::Hash + Eq + use<> { 681 store[self.instance].memory_ptr(self.index).as_ptr().addr() 682 } 683 } 684 685 /// A linear memory. This trait provides an interface for raw memory buffers 686 /// which are used by wasmtime, e.g. inside ['Memory']. Such buffers are in 687 /// principle not thread safe. By implementing this trait together with 688 /// MemoryCreator, one can supply wasmtime with custom allocated host managed 689 /// memory. 690 /// 691 /// # Safety 692 /// 693 /// The memory should be page aligned and a multiple of page size. 694 /// To prevent possible silent overflows, the memory should be protected by a 695 /// guard page. Additionally the safety concerns explained in ['Memory'], for 696 /// accessing the memory apply here as well. 697 /// 698 /// Note that this is a relatively advanced feature and it is recommended to be 699 /// familiar with wasmtime runtime code to use it. 700 pub unsafe trait LinearMemory: Send + Sync + 'static { 701 /// Returns the number of allocated bytes which are accessible at this time. 702 fn byte_size(&self) -> usize; 703 704 /// Returns byte capacity of this linear memory's current allocation. 705 /// 706 /// Growth up to this value should not relocate the linear memory base 707 /// pointer. 708 fn byte_capacity(&self) -> usize; 709 710 /// Grows this memory to have the `new_size`, in bytes, specified. 711 /// 712 /// Returns `Err` if memory can't be grown by the specified amount 713 /// of bytes. The error may be downcastable to `std::io::Error`. 714 /// Returns `Ok` if memory was grown successfully. 715 fn grow_to(&mut self, new_size: usize) -> Result<()>; 716 717 /// Return the allocated memory as a mutable pointer to u8. 718 fn as_ptr(&self) -> *mut u8; 719 } 720 721 /// A memory creator. Can be used to provide a memory creator 722 /// to wasmtime which supplies host managed memory. 723 /// 724 /// # Safety 725 /// 726 /// This trait is unsafe, as the memory safety depends on proper implementation 727 /// of memory management. Memories created by the MemoryCreator should always be 728 /// treated as owned by wasmtime instance, and any modification of them outside 729 /// of wasmtime invoked routines is unsafe and may lead to corruption. 730 /// 731 /// Note that this is a relatively advanced feature and it is recommended to be 732 /// familiar with Wasmtime runtime code to use it. 733 pub unsafe trait MemoryCreator: Send + Sync { 734 /// Create a new `LinearMemory` object from the specified parameters. 735 /// 736 /// The type of memory being created is specified by `ty` which indicates 737 /// both the minimum and maximum size, in wasm pages. The minimum and 738 /// maximum sizes, in bytes, are also specified as parameters to avoid 739 /// integer conversion if desired. 740 /// 741 /// The `reserved_size_in_bytes` value indicates the expected size of the 742 /// reservation that is to be made for this memory. If this value is `None` 743 /// than the implementation is free to allocate memory as it sees fit. If 744 /// the value is `Some`, however, then the implementation is expected to 745 /// reserve that many bytes for the memory's allocation, plus the guard 746 /// size at the end. Note that this reservation need only be a virtual 747 /// memory reservation, physical memory does not need to be allocated 748 /// immediately. In this case `grow` should never move the base pointer and 749 /// the maximum size of `ty` is guaranteed to fit within 750 /// `reserved_size_in_bytes`. 751 /// 752 /// The `guard_size_in_bytes` parameter indicates how many bytes of space, 753 /// after the memory allocation, is expected to be unmapped. JIT code will 754 /// elide bounds checks based on the `guard_size_in_bytes` provided, so for 755 /// JIT code to work correctly the memory returned will need to be properly 756 /// guarded with `guard_size_in_bytes` bytes left unmapped after the base 757 /// allocation. 758 /// 759 /// Note that the `reserved_size_in_bytes` and `guard_size_in_bytes` options 760 /// are tuned from the various [`Config`](crate::Config) methods about 761 /// memory sizes/guards. Additionally these two values are guaranteed to be 762 /// multiples of the system page size. 763 /// 764 /// Memory created from this method should be zero filled. 765 fn new_memory( 766 &self, 767 ty: MemoryType, 768 minimum: usize, 769 maximum: Option<usize>, 770 reserved_size_in_bytes: Option<usize>, 771 guard_size_in_bytes: usize, 772 ) -> Result<Box<dyn LinearMemory>, String>; 773 } 774 775 /// A constructor for externally-created shared memory. 776 /// 777 /// The [threads proposal] adds the concept of "shared memory" to WebAssembly. 778 /// This is much the same as a Wasm linear memory (i.e., [`Memory`]), but can be 779 /// used concurrently by multiple agents. Because these agents may execute in 780 /// different threads, [`SharedMemory`] must be thread-safe. 781 /// 782 /// When the [threads proposal is enabled](crate::Config::wasm_threads) and the 783 /// [the creation of shared memories is enabled](crate::Config::shared_memory), 784 /// there are multiple ways to construct shared memory: 785 /// 1. for imported shared memory, e.g., `(import "env" "memory" (memory 1 1 786 /// shared))`, the user must supply a [`SharedMemory`] with the 787 /// externally-created memory as an import to the instance--e.g., 788 /// `shared_memory.into()`. 789 /// 2. for private or exported shared memory, e.g., `(export "env" "memory" 790 /// (memory 1 1 shared))`, Wasmtime will create the memory internally during 791 /// instantiation--access using `Instance::get_shared_memory()`. 792 /// 793 /// [threads proposal]: 794 /// https://github.com/WebAssembly/threads/blob/master/proposals/threads/Overview.md 795 /// 796 /// # Examples 797 /// 798 /// ``` 799 /// # use wasmtime::*; 800 /// # fn main() -> Result<()> { 801 /// let mut config = Config::new(); 802 /// config.wasm_threads(true); 803 /// config.shared_memory(true); 804 /// # if Engine::new(&config).is_err() { return Ok(()); } 805 /// let engine = Engine::new(&config)?; 806 /// let mut store = Store::new(&engine, ()); 807 /// 808 /// let shared_memory = SharedMemory::new(&engine, MemoryType::shared(1, 2))?; 809 /// let module = Module::new(&engine, r#"(module (memory (import "" "") 1 2 shared))"#)?; 810 /// let instance = Instance::new(&mut store, &module, &[shared_memory.into()])?; 811 /// // ... 812 /// # Ok(()) 813 /// # } 814 /// ``` 815 #[derive(Clone)] 816 pub struct SharedMemory { 817 vm: crate::runtime::vm::SharedMemory, 818 engine: Engine, 819 } 820 821 impl SharedMemory { 822 /// Construct a [`SharedMemory`] by providing both the `minimum` and 823 /// `maximum` number of 64K-sized pages. This call allocates the necessary 824 /// pages on the system. 825 #[cfg(feature = "threads")] 826 pub fn new(engine: &Engine, ty: MemoryType) -> Result<Self> { 827 if !ty.is_shared() { 828 bail!("shared memory must have the `shared` flag enabled on its memory type") 829 } 830 debug_assert!(ty.maximum().is_some()); 831 832 let ty = ty.wasmtime_memory(); 833 let memory = crate::runtime::vm::SharedMemory::new(engine, ty)?; 834 835 Ok(Self { 836 vm: memory, 837 engine: engine.clone(), 838 }) 839 } 840 841 /// Return the type of the shared memory. 842 pub fn ty(&self) -> MemoryType { 843 MemoryType::from_wasmtime_memory(&self.vm.ty()) 844 } 845 846 /// Returns the size, in WebAssembly pages, of this wasm memory. 847 pub fn size(&self) -> u64 { 848 let byte_size = u64::try_from(self.data_size()).unwrap(); 849 let page_size = self.page_size(); 850 byte_size / page_size 851 } 852 853 /// Returns the size of a page, in bytes, for this memory. 854 /// 855 /// By default this is 64KiB (aka `0x10000`, `2**16`, `1<<16`, or `65536`) 856 /// but [the custom-page-sizes proposal] allows opting into a page size of 857 /// `1`. Future extensions might allow any power of two as a page size. 858 /// 859 /// [the custom-page-sizes proposal]: https://github.com/WebAssembly/custom-page-sizes 860 pub fn page_size(&self) -> u64 { 861 self.ty().page_size() 862 } 863 864 /// Returns the byte length of this memory. 865 /// 866 /// The returned value will be a multiple of the wasm page size, 64k. 867 /// 868 /// For more information and examples see the documentation on the 869 /// [`Memory`] type. 870 pub fn data_size(&self) -> usize { 871 self.vm.byte_size() 872 } 873 874 /// Return access to the available portion of the shared memory. 875 /// 876 /// The slice returned represents the region of accessible memory at the 877 /// time that this function was called. The contents of the returned slice 878 /// will reflect concurrent modifications happening on other threads. 879 /// 880 /// # Safety 881 /// 882 /// The returned slice is valid for the entire duration of the lifetime of 883 /// this instance of [`SharedMemory`]. The base pointer of a shared memory 884 /// does not change. This [`SharedMemory`] may grow further after this 885 /// function has been called, but the slice returned will not grow. 886 /// 887 /// Concurrent modifications may be happening to the data returned on other 888 /// threads. The `UnsafeCell<u8>` represents that safe access to the 889 /// contents of the slice is not possible through normal loads and stores. 890 /// 891 /// The memory returned must be accessed safely through the `Atomic*` types 892 /// in the [`std::sync::atomic`] module. Casting to those types must 893 /// currently be done unsafely. 894 pub fn data(&self) -> &[UnsafeCell<u8>] { 895 unsafe { 896 let definition = self.vm.vmmemory_ptr().as_ref(); 897 slice::from_raw_parts(definition.base.as_ptr().cast(), definition.current_length()) 898 } 899 } 900 901 /// Grows this WebAssembly memory by `delta` pages. 902 /// 903 /// This will attempt to add `delta` more pages of memory on to the end of 904 /// this `Memory` instance. If successful this may relocate the memory and 905 /// cause [`Memory::data_ptr`] to return a new value. Additionally any 906 /// unsafely constructed slices into this memory may no longer be valid. 907 /// 908 /// On success returns the number of pages this memory previously had 909 /// before the growth succeeded. 910 /// 911 /// # Errors 912 /// 913 /// Returns an error if memory could not be grown, for example if it exceeds 914 /// the maximum limits of this memory. A 915 /// [`ResourceLimiter`](crate::ResourceLimiter) is another example of 916 /// preventing a memory to grow. 917 pub fn grow(&self, delta: u64) -> Result<u64> { 918 match self.vm.grow(delta)? { 919 Some((old_size, _new_size)) => { 920 // For shared memory, the `VMMemoryDefinition` is updated inside 921 // the locked region. 922 Ok(u64::try_from(old_size).unwrap() / self.page_size()) 923 } 924 None => bail!("failed to grow memory by `{delta}`"), 925 } 926 } 927 928 /// Equivalent of the WebAssembly `memory.atomic.notify` instruction for 929 /// this shared memory. 930 /// 931 /// This method allows embedders to notify threads blocked on the specified 932 /// `addr`, an index into wasm linear memory. Threads could include 933 /// wasm threads blocked on a `memory.atomic.wait*` instruction or embedder 934 /// threads blocked on [`SharedMemory::atomic_wait32`], for example. 935 /// 936 /// The `count` argument is the number of threads to wake up. 937 /// 938 /// This function returns the number of threads awoken. 939 /// 940 /// # Errors 941 /// 942 /// This function will return an error if `addr` is not within bounds or 943 /// not aligned to a 4-byte boundary. 944 pub fn atomic_notify(&self, addr: u64, count: u32) -> Result<u32, Trap> { 945 self.vm.atomic_notify(addr, count) 946 } 947 948 /// Equivalent of the WebAssembly `memory.atomic.wait32` instruction for 949 /// this shared memory. 950 /// 951 /// This method allows embedders to block the current thread until notified 952 /// via the `memory.atomic.notify` instruction or the 953 /// [`SharedMemory::atomic_notify`] method, enabling synchronization with 954 /// the wasm guest as desired. 955 /// 956 /// The `expected` argument is the expected 32-bit value to be stored at 957 /// the byte address `addr` specified. The `addr` specified is an index 958 /// into this linear memory. 959 /// 960 /// The optional `timeout` argument is the maximum amount of time to block 961 /// the current thread. If not specified the thread may sleep indefinitely. 962 /// 963 /// This function returns one of three possible values: 964 /// 965 /// * `WaitResult::Ok` - this function, loaded the value at `addr`, found 966 /// it was equal to `expected`, and then blocked (all as one atomic 967 /// operation). The thread was then awoken with a `memory.atomic.notify` 968 /// instruction or the [`SharedMemory::atomic_notify`] method. 969 /// * `WaitResult::Mismatch` - the value at `addr` was loaded but was not 970 /// equal to `expected` so the thread did not block and immediately 971 /// returned. 972 /// * `WaitResult::TimedOut` - all the steps of `Ok` happened, except this 973 /// thread was woken up due to a timeout. 974 /// 975 /// This function will not return due to spurious wakeups. 976 /// 977 /// # Errors 978 /// 979 /// This function will return an error if `addr` is not within bounds or 980 /// not aligned to a 4-byte boundary. 981 pub fn atomic_wait32( 982 &self, 983 addr: u64, 984 expected: u32, 985 timeout: Option<Duration>, 986 ) -> Result<WaitResult, Trap> { 987 self.vm.atomic_wait32(addr, expected, timeout) 988 } 989 990 /// Equivalent of the WebAssembly `memory.atomic.wait64` instruction for 991 /// this shared memory. 992 /// 993 /// For more information see [`SharedMemory::atomic_wait32`]. 994 /// 995 /// # Errors 996 /// 997 /// Returns the same error as [`SharedMemory::atomic_wait32`] except that 998 /// the specified address must be 8-byte aligned instead of 4-byte aligned. 999 pub fn atomic_wait64( 1000 &self, 1001 addr: u64, 1002 expected: u64, 1003 timeout: Option<Duration>, 1004 ) -> Result<WaitResult, Trap> { 1005 self.vm.atomic_wait64(addr, expected, timeout) 1006 } 1007 1008 /// Return a reference to the [`Engine`] used to configure the shared 1009 /// memory. 1010 pub(crate) fn engine(&self) -> &Engine { 1011 &self.engine 1012 } 1013 1014 /// Construct a single-memory instance to provide a way to import 1015 /// [`SharedMemory`] into other modules. 1016 pub(crate) fn vmimport(&self, store: &mut StoreOpaque) -> crate::runtime::vm::VMMemoryImport { 1017 // Note `vm::assert_ready` shouldn't panic here because this isn't 1018 // actually allocating any new memory (also no limiter), so resource 1019 // limiting shouldn't kick in. 1020 let memory = vm::assert_ready(generate_memory_export( 1021 store, 1022 None, 1023 &self.ty(), 1024 Some(&self.vm), 1025 )) 1026 .unwrap(); 1027 match memory { 1028 ExportMemory::Unshared(_) => unreachable!(), 1029 ExportMemory::Shared(_shared, vmimport) => vmimport, 1030 } 1031 } 1032 1033 /// Creates a [`SharedMemory`] from its constituent parts. 1034 pub(crate) fn from_raw(vm: crate::runtime::vm::SharedMemory, engine: Engine) -> Self { 1035 SharedMemory { vm, engine } 1036 } 1037 } 1038 1039 impl fmt::Debug for SharedMemory { 1040 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 1041 f.debug_struct("SharedMemory").finish_non_exhaustive() 1042 } 1043 } 1044 1045 #[cfg(test)] 1046 mod tests { 1047 use crate::*; 1048 1049 // Assert that creating a memory via `Memory::new` respects the limits/tunables 1050 // in `Config`. 1051 #[test] 1052 fn respect_tunables() { 1053 let mut cfg = Config::new(); 1054 cfg.memory_reservation(0).memory_guard_size(0); 1055 let mut store = Store::new(&Engine::new(&cfg).unwrap(), ()); 1056 let ty = MemoryType::new(1, None); 1057 let mem = Memory::new(&mut store, ty).unwrap(); 1058 let store = store.as_context(); 1059 let tunables = store.engine().tunables(); 1060 assert_eq!(tunables.memory_guard_size, 0); 1061 assert!( 1062 !mem.wasmtime_ty(store.0) 1063 .can_elide_bounds_check(tunables, 12) 1064 ); 1065 } 1066 1067 #[test] 1068 fn hash_key_is_stable_across_duplicate_store_data_entries() -> Result<()> { 1069 let mut store = Store::<()>::default(); 1070 let module = Module::new( 1071 store.engine(), 1072 r#" 1073 (module 1074 (memory (export "m") 1 1) 1075 ) 1076 "#, 1077 )?; 1078 let instance = Instance::new(&mut store, &module, &[])?; 1079 1080 // Each time we `get_memory`, we call `Memory::from_wasmtime` which adds 1081 // a new entry to `StoreData`, so `g1` and `g2` will have different 1082 // indices into `StoreData`. 1083 let m1 = instance.get_memory(&mut store, "m").unwrap(); 1084 let m2 = instance.get_memory(&mut store, "m").unwrap(); 1085 1086 // That said, they really point to the same memory. 1087 assert_eq!(m1.data(&store)[0], 0); 1088 assert_eq!(m2.data(&store)[0], 0); 1089 m1.data_mut(&mut store)[0] = 42; 1090 assert_eq!(m1.data(&mut store)[0], 42); 1091 assert_eq!(m2.data(&mut store)[0], 42); 1092 1093 // And therefore their hash keys are the same. 1094 assert!(m1.hash_key(&store.as_context().0) == m2.hash_key(&store.as_context().0)); 1095 1096 // But the hash keys are different from different memories. 1097 let instance2 = Instance::new(&mut store, &module, &[])?; 1098 let m3 = instance2.get_memory(&mut store, "m").unwrap(); 1099 assert!(m1.hash_key(&store.as_context().0) != m3.hash_key(&store.as_context().0)); 1100 1101 Ok(()) 1102 } 1103 } 1104