1 use crate::Trap; 2 use crate::prelude::*; 3 use crate::runtime::vm::{self, ExportMemory, VMStore}; 4 use crate::store::{StoreInstanceId, StoreOpaque, StoreResourceLimiter}; 5 use crate::trampoline::generate_memory_export; 6 use crate::{AsContext, AsContextMut, Engine, MemoryType, StoreContext, StoreContextMut}; 7 use core::cell::UnsafeCell; 8 use core::fmt; 9 use core::slice; 10 use core::time::Duration; 11 use wasmtime_environ::DefinedMemoryIndex; 12 13 pub use crate::runtime::vm::WaitResult; 14 15 /// Error for out of bounds [`Memory`] access. 16 #[derive(Debug)] 17 #[non_exhaustive] 18 pub struct MemoryAccessError { 19 // Keep struct internals private for future extensibility. 20 _private: (), 21 } 22 23 impl fmt::Display for MemoryAccessError { 24 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 25 write!(f, "out of bounds memory access") 26 } 27 } 28 29 impl core::error::Error for MemoryAccessError {} 30 31 /// A WebAssembly linear memory. 32 /// 33 /// WebAssembly memories represent a contiguous array of bytes that have a size 34 /// that is always a multiple of the WebAssembly page size, currently 64 35 /// kilobytes. 36 /// 37 /// WebAssembly memory is used for global data (not to be confused with wasm 38 /// `global` items), statics in C/C++/Rust, shadow stack memory, etc. Accessing 39 /// wasm memory is generally quite fast. 40 /// 41 /// Memories, like other wasm items, are owned by a [`Store`](crate::Store). 42 /// 43 /// # `Memory` and Safety 44 /// 45 /// Linear memory is a lynchpin of safety for WebAssembly. In Wasmtime there are 46 /// safe methods of interacting with a [`Memory`]: 47 /// 48 /// * [`Memory::read`] 49 /// * [`Memory::write`] 50 /// * [`Memory::data`] 51 /// * [`Memory::data_mut`] 52 /// 53 /// Note that all of these consider the entire store context as borrowed for the 54 /// duration of the call or the duration of the returned slice. This largely 55 /// means that while the function is running you'll be unable to borrow anything 56 /// else from the store. This includes getting access to the `T` on 57 /// [`Store<T>`](crate::Store), but it also means that you can't recursively 58 /// call into WebAssembly for instance. 59 /// 60 /// If you'd like to dip your toes into handling [`Memory`] in a more raw 61 /// fashion (e.g. by using raw pointers or raw slices), then there's a few 62 /// important points to consider when doing so: 63 /// 64 /// * Any recursive calls into WebAssembly can possibly modify any byte of the 65 /// entire memory. This means that whenever wasm is called Rust can't have any 66 /// long-lived borrows live across the wasm function call. Slices like `&mut 67 /// [u8]` will be violated because they're not actually exclusive at that 68 /// point, and slices like `&[u8]` are also violated because their contents 69 /// may be mutated. 70 /// 71 /// * WebAssembly memories can grow, and growth may change the base pointer. 72 /// This means that even holding a raw pointer to memory over a wasm function 73 /// call is also incorrect. Anywhere in the function call the base address of 74 /// memory may change. Note that growth can also be requested from the 75 /// embedding API as well. 76 /// 77 /// As a general rule of thumb it's recommended to stick to the safe methods of 78 /// [`Memory`] if you can. It's not advised to use raw pointers or `unsafe` 79 /// operations because of how easy it is to accidentally get things wrong. 80 /// 81 /// Some examples of safely interacting with memory are: 82 /// 83 /// ```rust 84 /// use wasmtime::{Memory, Store, MemoryAccessError}; 85 /// 86 /// // Memory can be read and written safely with the `Memory::read` and 87 /// // `Memory::write` methods. 88 /// // An error is returned if the copy did not succeed. 89 /// fn safe_examples(mem: Memory, store: &mut Store<()>) -> Result<(), MemoryAccessError> { 90 /// let offset = 5; 91 /// mem.write(&mut *store, offset, b"hello")?; 92 /// let mut buffer = [0u8; 5]; 93 /// mem.read(&store, offset, &mut buffer)?; 94 /// assert_eq!(b"hello", &buffer); 95 /// 96 /// // Note that while this is safe care must be taken because the indexing 97 /// // here may panic if the memory isn't large enough. 98 /// assert_eq!(&mem.data(&store)[offset..offset + 5], b"hello"); 99 /// mem.data_mut(&mut *store)[offset..offset + 5].copy_from_slice(b"bye!!"); 100 /// 101 /// Ok(()) 102 /// } 103 /// ``` 104 /// 105 /// It's worth also, however, covering some examples of **incorrect**, 106 /// **unsafe** usages of `Memory`. Do not do these things! 107 /// 108 /// ```rust 109 /// # use anyhow::Result; 110 /// use wasmtime::{Memory, Store}; 111 /// 112 /// // NOTE: All code in this function is not safe to execute and may cause 113 /// // segfaults/undefined behavior at runtime. Do not copy/paste these examples 114 /// // into production code! 115 /// unsafe fn unsafe_examples(mem: Memory, store: &mut Store<()>) -> Result<()> { 116 /// // First and foremost, any borrow can be invalidated at any time via the 117 /// // `Memory::grow` function. This can relocate memory which causes any 118 /// // previous pointer to be possibly invalid now. 119 /// unsafe { 120 /// let pointer: &u8 = &*mem.data_ptr(&store); 121 /// mem.grow(&mut *store, 1)?; // invalidates `pointer`! 122 /// // println!("{}", *pointer); // FATAL: use-after-free 123 /// } 124 /// 125 /// // Note that the use-after-free also applies to slices, whether they're 126 /// // slices of bytes or strings. 127 /// unsafe { 128 /// let mem_slice = std::slice::from_raw_parts( 129 /// mem.data_ptr(&store), 130 /// mem.data_size(&store), 131 /// ); 132 /// let slice: &[u8] = &mem_slice[0x100..0x102]; 133 /// mem.grow(&mut *store, 1)?; // invalidates `slice`! 134 /// // println!("{:?}", slice); // FATAL: use-after-free 135 /// } 136 /// 137 /// // The `Memory` type may be stored in other locations, so if you hand 138 /// // off access to the `Store` then those locations may also call 139 /// // `Memory::grow` or similar, so it's not enough to just audit code for 140 /// // calls to `Memory::grow`. 141 /// unsafe { 142 /// let pointer: &u8 = &*mem.data_ptr(&store); 143 /// some_other_function(store); // may invalidate `pointer` through use of `store` 144 /// // println!("{:?}", pointer); // FATAL: maybe a use-after-free 145 /// } 146 /// 147 /// // An especially subtle aspect of accessing a wasm instance's memory is 148 /// // that you need to be extremely careful about aliasing. Anyone at any 149 /// // time can call `data_unchecked()` or `data_unchecked_mut()`, which 150 /// // means you can easily have aliasing mutable references: 151 /// unsafe { 152 /// let ref1: &u8 = &*mem.data_ptr(&store).add(0x100); 153 /// let ref2: &mut u8 = &mut *mem.data_ptr(&store).add(0x100); 154 /// // *ref2 = *ref1; // FATAL: violates Rust's aliasing rules 155 /// } 156 /// 157 /// Ok(()) 158 /// } 159 /// # fn some_other_function(store: &mut Store<()>) {} 160 /// ``` 161 /// 162 /// Overall there's some general rules of thumb when unsafely working with 163 /// `Memory` and getting raw pointers inside of it: 164 /// 165 /// * If you never have a "long lived" pointer into memory, you're likely in the 166 /// clear. Care still needs to be taken in threaded scenarios or when/where 167 /// data is read, but you'll be shielded from many classes of issues. 168 /// * Long-lived pointers must always respect Rust'a aliasing rules. It's ok for 169 /// shared borrows to overlap with each other, but mutable borrows must 170 /// overlap with nothing. 171 /// * Long-lived pointers are only valid if they're not invalidated for their 172 /// lifetime. This means that [`Store`](crate::Store) isn't used to reenter 173 /// wasm or the memory itself is never grown or otherwise modified/aliased. 174 /// 175 /// At this point it's worth reiterating again that unsafely working with 176 /// `Memory` is pretty tricky and not recommended! It's highly recommended to 177 /// use the safe methods to interact with [`Memory`] whenever possible. 178 /// 179 /// ## `Memory` Safety and Threads 180 /// 181 /// Currently the `wasmtime` crate does not implement the wasm threads proposal, 182 /// but it is planned to do so. It may be interesting to readers to see how this 183 /// affects memory safety and what was previously just discussed as well. 184 /// 185 /// Once threads are added into the mix, all of the above rules still apply. 186 /// There's an additional consideration that all reads and writes can happen 187 /// concurrently, though. This effectively means that any borrow into wasm 188 /// memory are virtually never safe to have. 189 /// 190 /// Mutable pointers are fundamentally unsafe to have in a concurrent scenario 191 /// in the face of arbitrary wasm code. Only if you dynamically know for sure 192 /// that wasm won't access a region would it be safe to construct a mutable 193 /// pointer. Additionally even shared pointers are largely unsafe because their 194 /// underlying contents may change, so unless `UnsafeCell` in one form or 195 /// another is used everywhere there's no safety. 196 /// 197 /// One important point about concurrency is that while [`Memory::grow`] can 198 /// happen concurrently it will never relocate the base pointer. Shared 199 /// memories must always have a maximum size and they will be preallocated such 200 /// that growth will never relocate the base pointer. The current size of the 201 /// memory may still change over time though. 202 /// 203 /// Overall the general rule of thumb for shared memories is that you must 204 /// atomically read and write everything. Nothing can be borrowed and everything 205 /// must be eagerly copied out. This means that [`Memory::data`] and 206 /// [`Memory::data_mut`] won't work in the future (they'll probably return an 207 /// error) for shared memories when they're implemented. When possible it's 208 /// recommended to use [`Memory::read`] and [`Memory::write`] which will still 209 /// be provided. 210 #[derive(Copy, Clone, Debug)] 211 #[repr(C)] // here for the C API 212 pub struct Memory { 213 /// The internal store instance that this memory belongs to. 214 instance: StoreInstanceId, 215 /// The index of the memory, within `instance` above, that this memory 216 /// refers to. 217 index: DefinedMemoryIndex, 218 } 219 220 // Double-check that the C representation in `extern.h` matches our in-Rust 221 // representation here in terms of size/alignment/etc. 222 const _: () = { 223 #[repr(C)] 224 struct Tmp(u64, u32); 225 #[repr(C)] 226 struct C(Tmp, u32); 227 assert!(core::mem::size_of::<C>() == core::mem::size_of::<Memory>()); 228 assert!(core::mem::align_of::<C>() == core::mem::align_of::<Memory>()); 229 assert!(core::mem::offset_of!(Memory, instance) == 0); 230 }; 231 232 impl Memory { 233 /// Creates a new WebAssembly memory given the configuration of `ty`. 234 /// 235 /// The `store` argument will be the owner of the returned [`Memory`]. All 236 /// WebAssembly memory is initialized to zero. 237 /// 238 /// # Panics 239 /// 240 /// This function will panic if the [`Store`](`crate::Store`) has a 241 /// [`ResourceLimiterAsync`](`crate::ResourceLimiterAsync`) (see also: 242 /// [`Store::limiter_async`](`crate::Store::limiter_async`)). When 243 /// using an async resource limiter, use [`Memory::new_async`] instead. 244 /// 245 /// # Examples 246 /// 247 /// ``` 248 /// # use wasmtime::*; 249 /// # fn main() -> anyhow::Result<()> { 250 /// let engine = Engine::default(); 251 /// let mut store = Store::new(&engine, ()); 252 /// 253 /// let memory_ty = MemoryType::new(1, None); 254 /// let memory = Memory::new(&mut store, memory_ty)?; 255 /// 256 /// let module = Module::new(&engine, "(module (memory (import \"\" \"\") 1))")?; 257 /// let instance = Instance::new(&mut store, &module, &[memory.into()])?; 258 /// // ... 259 /// # Ok(()) 260 /// # } 261 /// ``` 262 pub fn new(mut store: impl AsContextMut, ty: MemoryType) -> Result<Memory> { 263 let (mut limiter, store) = store.as_context_mut().0.resource_limiter_and_store_opaque(); 264 vm::one_poll(Self::_new(store, limiter.as_mut(), ty)) 265 .expect("must use `new_async` when async resource limiters are in use") 266 } 267 268 /// Async variant of [`Memory::new`]. You must use this variant with 269 /// [`Store`](`crate::Store`)s which have a 270 /// [`ResourceLimiterAsync`](`crate::ResourceLimiterAsync`). 271 /// 272 /// # Panics 273 /// 274 /// This function will panic when used with a non-async 275 /// [`Store`](`crate::Store`). 276 #[cfg(feature = "async")] 277 pub async fn new_async(mut store: impl AsContextMut, ty: MemoryType) -> Result<Memory> { 278 let (mut limiter, store) = store.as_context_mut().0.resource_limiter_and_store_opaque(); 279 Self::_new(store, limiter.as_mut(), ty).await 280 } 281 282 /// Helper function for attaching the memory to a "frankenstein" instance 283 async fn _new( 284 store: &mut StoreOpaque, 285 limiter: Option<&mut StoreResourceLimiter<'_>>, 286 ty: MemoryType, 287 ) -> Result<Memory> { 288 if ty.is_shared() { 289 bail!("shared memories must be created through `SharedMemory`") 290 } 291 Ok(generate_memory_export(store, limiter, &ty, None) 292 .await? 293 .unshared() 294 .unwrap()) 295 } 296 297 /// Returns the underlying type of this memory. 298 /// 299 /// # Panics 300 /// 301 /// Panics if this memory doesn't belong to `store`. 302 /// 303 /// # Examples 304 /// 305 /// ``` 306 /// # use wasmtime::*; 307 /// # fn main() -> anyhow::Result<()> { 308 /// let engine = Engine::default(); 309 /// let mut store = Store::new(&engine, ()); 310 /// let module = Module::new(&engine, "(module (memory (export \"mem\") 1))")?; 311 /// let instance = Instance::new(&mut store, &module, &[])?; 312 /// let memory = instance.get_memory(&mut store, "mem").unwrap(); 313 /// let ty = memory.ty(&store); 314 /// assert_eq!(ty.minimum(), 1); 315 /// # Ok(()) 316 /// # } 317 /// ``` 318 pub fn ty(&self, store: impl AsContext) -> MemoryType { 319 let store = store.as_context(); 320 MemoryType::from_wasmtime_memory(self.wasmtime_ty(store.0)) 321 } 322 323 /// Safely reads memory contents at the given offset into a buffer. 324 /// 325 /// The entire buffer will be filled. 326 /// 327 /// If `offset + buffer.len()` exceed the current memory capacity, then the 328 /// buffer is left untouched and a [`MemoryAccessError`] is returned. 329 /// 330 /// # Panics 331 /// 332 /// Panics if this memory doesn't belong to `store`. 333 pub fn read( 334 &self, 335 store: impl AsContext, 336 offset: usize, 337 buffer: &mut [u8], 338 ) -> Result<(), MemoryAccessError> { 339 let store = store.as_context(); 340 let slice = self 341 .data(&store) 342 .get(offset..) 343 .and_then(|s| s.get(..buffer.len())) 344 .ok_or(MemoryAccessError { _private: () })?; 345 buffer.copy_from_slice(slice); 346 Ok(()) 347 } 348 349 /// Safely writes contents of a buffer to this memory at the given offset. 350 /// 351 /// If the `offset + buffer.len()` exceeds the current memory capacity, then 352 /// none of the buffer is written to memory and a [`MemoryAccessError`] is 353 /// returned. 354 /// 355 /// # Panics 356 /// 357 /// Panics if this memory doesn't belong to `store`. 358 pub fn write( 359 &self, 360 mut store: impl AsContextMut, 361 offset: usize, 362 buffer: &[u8], 363 ) -> Result<(), MemoryAccessError> { 364 let mut context = store.as_context_mut(); 365 self.data_mut(&mut context) 366 .get_mut(offset..) 367 .and_then(|s| s.get_mut(..buffer.len())) 368 .ok_or(MemoryAccessError { _private: () })? 369 .copy_from_slice(buffer); 370 Ok(()) 371 } 372 373 /// Returns this memory as a native Rust slice. 374 /// 375 /// Note that this method will consider the entire store context provided as 376 /// borrowed for the duration of the lifetime of the returned slice. 377 /// 378 /// # Panics 379 /// 380 /// Panics if this memory doesn't belong to `store`. 381 pub fn data<'a, T: 'static>(&self, store: impl Into<StoreContext<'a, T>>) -> &'a [u8] { 382 unsafe { 383 let store = store.into(); 384 let definition = store[self.instance].memory(self.index); 385 debug_assert!(!self.ty(store).is_shared()); 386 slice::from_raw_parts(definition.base.as_ptr(), definition.current_length()) 387 } 388 } 389 390 /// Returns this memory as a native Rust mutable slice. 391 /// 392 /// Note that this method will consider the entire store context provided as 393 /// borrowed for the duration of the lifetime of the returned slice. 394 /// 395 /// # Panics 396 /// 397 /// Panics if this memory doesn't belong to `store`. 398 pub fn data_mut<'a, T: 'static>( 399 &self, 400 store: impl Into<StoreContextMut<'a, T>>, 401 ) -> &'a mut [u8] { 402 unsafe { 403 let store = store.into(); 404 let definition = store[self.instance].memory(self.index); 405 debug_assert!(!self.ty(store).is_shared()); 406 slice::from_raw_parts_mut(definition.base.as_ptr(), definition.current_length()) 407 } 408 } 409 410 /// Same as [`Memory::data_mut`], but also returns the `T` from the 411 /// [`StoreContextMut`]. 412 /// 413 /// This method can be used when you want to simultaneously work with the 414 /// `T` in the store as well as the memory behind this [`Memory`]. Using 415 /// [`Memory::data_mut`] would consider the entire store borrowed, whereas 416 /// this method allows the Rust compiler to see that the borrow of this 417 /// memory and the borrow of `T` are disjoint. 418 /// 419 /// # Panics 420 /// 421 /// Panics if this memory doesn't belong to `store`. 422 pub fn data_and_store_mut<'a, T: 'static>( 423 &self, 424 store: impl Into<StoreContextMut<'a, T>>, 425 ) -> (&'a mut [u8], &'a mut T) { 426 // Note the unsafety here. Our goal is to simultaneously borrow the 427 // memory and custom data from `store`, and the store it's connected 428 // to. Rust will not let us do that, however, because we must call two 429 // separate methods (both of which borrow the whole `store`) and one of 430 // our borrows is mutable (the custom data). 431 // 432 // This operation, however, is safe because these borrows do not overlap 433 // and in the process of borrowing them mutability doesn't actually 434 // touch anything. This is akin to mutably borrowing two indices in an 435 // array, which is safe so long as the indices are separate. 436 unsafe { 437 let mut store = store.into(); 438 let data = &mut *(store.data_mut() as *mut T); 439 (self.data_mut(store), data) 440 } 441 } 442 443 /// Returns the base pointer, in the host's address space, that the memory 444 /// is located at. 445 /// 446 /// For more information and examples see the documentation on the 447 /// [`Memory`] type. 448 /// 449 /// # Panics 450 /// 451 /// Panics if this memory doesn't belong to `store`. 452 pub fn data_ptr(&self, store: impl AsContext) -> *mut u8 { 453 store.as_context()[self.instance] 454 .memory(self.index) 455 .base 456 .as_ptr() 457 } 458 459 /// Returns the byte length of this memory. 460 /// 461 /// WebAssembly memories are made up of a whole number of pages, so the byte 462 /// size returned will always be a multiple of this memory's page size. Note 463 /// that different Wasm memories may have different page sizes. You can get 464 /// a memory's page size via the [`Memory::page_size`] method. 465 /// 466 /// By default the page size is 64KiB (aka `0x10000`, `2**16`, `1<<16`, or 467 /// `65536`) but [the custom-page-sizes proposal] allows a memory to opt 468 /// into a page size of `1`. Future extensions might allow any power of two 469 /// as a page size. 470 /// 471 /// [the custom-page-sizes proposal]: https://github.com/WebAssembly/custom-page-sizes 472 /// 473 /// For more information and examples see the documentation on the 474 /// [`Memory`] type. 475 /// 476 /// # Panics 477 /// 478 /// Panics if this memory doesn't belong to `store`. 479 pub fn data_size(&self, store: impl AsContext) -> usize { 480 self.internal_data_size(store.as_context().0) 481 } 482 483 pub(crate) fn internal_data_size(&self, store: &StoreOpaque) -> usize { 484 store[self.instance].memory(self.index).current_length() 485 } 486 487 /// Returns the size, in units of pages, of this Wasm memory. 488 /// 489 /// WebAssembly memories are made up of a whole number of pages, so the byte 490 /// size returned will always be a multiple of this memory's page size. Note 491 /// that different Wasm memories may have different page sizes. You can get 492 /// a memory's page size via the [`Memory::page_size`] method. 493 /// 494 /// By default the page size is 64KiB (aka `0x10000`, `2**16`, `1<<16`, or 495 /// `65536`) but [the custom-page-sizes proposal] allows a memory to opt 496 /// into a page size of `1`. Future extensions might allow any power of two 497 /// as a page size. 498 /// 499 /// [the custom-page-sizes proposal]: https://github.com/WebAssembly/custom-page-sizes 500 /// 501 /// # Panics 502 /// 503 /// Panics if this memory doesn't belong to `store`. 504 pub fn size(&self, store: impl AsContext) -> u64 { 505 self.internal_size(store.as_context().0) 506 } 507 508 pub(crate) fn internal_size(&self, store: &StoreOpaque) -> u64 { 509 let byte_size = self.internal_data_size(store); 510 let page_size = usize::try_from(self._page_size(store)).unwrap(); 511 u64::try_from(byte_size / page_size).unwrap() 512 } 513 514 /// Returns the size of a page, in bytes, for this memory. 515 /// 516 /// WebAssembly memories are made up of a whole number of pages, so the byte 517 /// size (as returned by [`Memory::data_size`]) will always be a multiple of 518 /// their page size. Different Wasm memories may have different page sizes. 519 /// 520 /// By default this is 64KiB (aka `0x10000`, `2**16`, `1<<16`, or `65536`) 521 /// but [the custom-page-sizes proposal] allows opting into a page size of 522 /// `1`. Future extensions might allow any power of two as a page size. 523 /// 524 /// [the custom-page-sizes proposal]: https://github.com/WebAssembly/custom-page-sizes 525 pub fn page_size(&self, store: impl AsContext) -> u64 { 526 self._page_size(store.as_context().0) 527 } 528 529 pub(crate) fn _page_size(&self, store: &StoreOpaque) -> u64 { 530 self.wasmtime_ty(store).page_size() 531 } 532 533 /// Returns the log2 of this memory's page size, in bytes. 534 /// 535 /// WebAssembly memories are made up of a whole number of pages, so the byte 536 /// size (as returned by [`Memory::data_size`]) will always be a multiple of 537 /// their page size. Different Wasm memories may have different page sizes. 538 /// 539 /// By default the page size is 64KiB (aka `0x10000`, `2**16`, `1<<16`, or 540 /// `65536`) but [the custom-page-sizes proposal] allows opting into a page 541 /// size of `1`. Future extensions might allow any power of two as a page 542 /// size. 543 /// 544 /// [the custom-page-sizes proposal]: https://github.com/WebAssembly/custom-page-sizes 545 pub fn page_size_log2(&self, store: impl AsContext) -> u8 { 546 self._page_size_log2(store.as_context().0) 547 } 548 549 pub(crate) fn _page_size_log2(&self, store: &StoreOpaque) -> u8 { 550 self.wasmtime_ty(store).page_size_log2 551 } 552 553 /// Grows this WebAssembly memory by `delta` pages. 554 /// 555 /// This will attempt to add `delta` more pages of memory on to the end of 556 /// this `Memory` instance. If successful this may relocate the memory and 557 /// cause [`Memory::data_ptr`] to return a new value. Additionally any 558 /// unsafely constructed slices into this memory may no longer be valid. 559 /// 560 /// On success returns the number of pages this memory previously had 561 /// before the growth succeeded. 562 /// 563 /// Note that, by default, a WebAssembly memory's page size is 64KiB (aka 564 /// 65536 or 2<sup>16</sup>). The [custom-page-sizes proposal] allows Wasm 565 /// memories to opt into a page size of one byte (and this may be further 566 /// relaxed to any power of two in a future extension). 567 /// 568 /// [custom-page-sizes proposal]: https://github.com/WebAssembly/custom-page-sizes 569 /// 570 /// # Errors 571 /// 572 /// Returns an error if memory could not be grown, for example if it exceeds 573 /// the maximum limits of this memory. A 574 /// [`ResourceLimiter`](crate::ResourceLimiter) is another example of 575 /// preventing a memory to grow. 576 /// 577 /// # Panics 578 /// 579 /// Panics if this memory doesn't belong to `store`. 580 /// 581 /// This function will panic if the [`Store`](`crate::Store`) has a 582 /// [`ResourceLimiterAsync`](`crate::ResourceLimiterAsync`) (see also: 583 /// [`Store::limiter_async`](`crate::Store::limiter_async`). When using an 584 /// async resource limiter, use [`Memory::grow_async`] instead. 585 /// 586 /// # Examples 587 /// 588 /// ``` 589 /// # use wasmtime::*; 590 /// # fn main() -> anyhow::Result<()> { 591 /// let engine = Engine::default(); 592 /// let mut store = Store::new(&engine, ()); 593 /// let module = Module::new(&engine, "(module (memory (export \"mem\") 1 2))")?; 594 /// let instance = Instance::new(&mut store, &module, &[])?; 595 /// let memory = instance.get_memory(&mut store, "mem").unwrap(); 596 /// 597 /// assert_eq!(memory.size(&store), 1); 598 /// assert_eq!(memory.grow(&mut store, 1)?, 1); 599 /// assert_eq!(memory.size(&store), 2); 600 /// assert!(memory.grow(&mut store, 1).is_err()); 601 /// assert_eq!(memory.size(&store), 2); 602 /// assert_eq!(memory.grow(&mut store, 0)?, 2); 603 /// # Ok(()) 604 /// # } 605 /// ``` 606 pub fn grow(&self, mut store: impl AsContextMut, delta: u64) -> Result<u64> { 607 let store = store.as_context_mut().0; 608 let (mut limiter, store) = store.resource_limiter_and_store_opaque(); 609 vm::one_poll(self._grow(store, limiter.as_mut(), delta)) 610 .expect("must use `grow_async` if an async resource limiter is used") 611 } 612 613 /// Async variant of [`Memory::grow`]. Required when using a 614 /// [`ResourceLimiterAsync`](`crate::ResourceLimiterAsync`). 615 /// 616 /// # Panics 617 /// 618 /// This function will panic when used with a non-async 619 /// [`Store`](`crate::Store`). 620 #[cfg(feature = "async")] 621 pub async fn grow_async(&self, mut store: impl AsContextMut, delta: u64) -> Result<u64> { 622 let store = store.as_context_mut(); 623 let (mut limiter, store) = store.0.resource_limiter_and_store_opaque(); 624 self._grow(store, limiter.as_mut(), delta).await 625 } 626 627 async fn _grow( 628 &self, 629 store: &mut StoreOpaque, 630 limiter: Option<&mut StoreResourceLimiter<'_>>, 631 delta: u64, 632 ) -> Result<u64> { 633 let result = self 634 .instance 635 .get_mut(store) 636 .memory_grow(limiter, self.index, delta) 637 .await?; 638 match result { 639 Some(size) => { 640 let page_size = self.wasmtime_ty(store).page_size(); 641 Ok(u64::try_from(size).unwrap() / page_size) 642 } 643 None => bail!("failed to grow memory by `{delta}`"), 644 } 645 } 646 647 /// Creates a new memory from its raw component parts. 648 /// 649 /// # Safety 650 /// 651 /// The caller must ensure that the memory pointed to by `instance` and 652 /// `index` is not a shared memory. For that `SharedMemory` must be used 653 /// instead. 654 pub(crate) unsafe fn from_raw(instance: StoreInstanceId, index: DefinedMemoryIndex) -> Memory { 655 Memory { instance, index } 656 } 657 658 pub(crate) fn wasmtime_ty<'a>(&self, store: &'a StoreOpaque) -> &'a wasmtime_environ::Memory { 659 let module = store[self.instance].env_module(); 660 let index = module.memory_index(self.index); 661 &module.memories[index] 662 } 663 664 pub(crate) fn vmimport(&self, store: &StoreOpaque) -> crate::runtime::vm::VMMemoryImport { 665 store[self.instance].get_defined_memory_vmimport(self.index) 666 } 667 668 pub(crate) fn comes_from_same_store(&self, store: &StoreOpaque) -> bool { 669 store.id() == self.instance.store_id() 670 } 671 672 /// Get a stable hash key for this memory. 673 /// 674 /// Even if the same underlying memory definition is added to the 675 /// `StoreData` multiple times and becomes multiple `wasmtime::Memory`s, 676 /// this hash key will be consistent across all of these memories. 677 #[cfg(feature = "coredump")] 678 pub(crate) fn hash_key(&self, store: &StoreOpaque) -> impl core::hash::Hash + Eq + use<> { 679 store[self.instance].memory_ptr(self.index).as_ptr().addr() 680 } 681 } 682 683 /// A linear memory. This trait provides an interface for raw memory buffers 684 /// which are used by wasmtime, e.g. inside ['Memory']. Such buffers are in 685 /// principle not thread safe. By implementing this trait together with 686 /// MemoryCreator, one can supply wasmtime with custom allocated host managed 687 /// memory. 688 /// 689 /// # Safety 690 /// 691 /// The memory should be page aligned and a multiple of page size. 692 /// To prevent possible silent overflows, the memory should be protected by a 693 /// guard page. Additionally the safety concerns explained in ['Memory'], for 694 /// accessing the memory apply here as well. 695 /// 696 /// Note that this is a relatively advanced feature and it is recommended to be 697 /// familiar with wasmtime runtime code to use it. 698 pub unsafe trait LinearMemory: Send + Sync + 'static { 699 /// Returns the number of allocated bytes which are accessible at this time. 700 fn byte_size(&self) -> usize; 701 702 /// Returns byte capacity of this linear memory's current allocation. 703 /// 704 /// Growth up to this value should not relocate the linear memory base 705 /// pointer. 706 fn byte_capacity(&self) -> usize; 707 708 /// Grows this memory to have the `new_size`, in bytes, specified. 709 /// 710 /// Returns `Err` if memory can't be grown by the specified amount 711 /// of bytes. The error may be downcastable to `std::io::Error`. 712 /// Returns `Ok` if memory was grown successfully. 713 fn grow_to(&mut self, new_size: usize) -> Result<()>; 714 715 /// Return the allocated memory as a mutable pointer to u8. 716 fn as_ptr(&self) -> *mut u8; 717 } 718 719 /// A memory creator. Can be used to provide a memory creator 720 /// to wasmtime which supplies host managed memory. 721 /// 722 /// # Safety 723 /// 724 /// This trait is unsafe, as the memory safety depends on proper implementation 725 /// of memory management. Memories created by the MemoryCreator should always be 726 /// treated as owned by wasmtime instance, and any modification of them outside 727 /// of wasmtime invoked routines is unsafe and may lead to corruption. 728 /// 729 /// Note that this is a relatively advanced feature and it is recommended to be 730 /// familiar with Wasmtime runtime code to use it. 731 pub unsafe trait MemoryCreator: Send + Sync { 732 /// Create a new `LinearMemory` object from the specified parameters. 733 /// 734 /// The type of memory being created is specified by `ty` which indicates 735 /// both the minimum and maximum size, in wasm pages. The minimum and 736 /// maximum sizes, in bytes, are also specified as parameters to avoid 737 /// integer conversion if desired. 738 /// 739 /// The `reserved_size_in_bytes` value indicates the expected size of the 740 /// reservation that is to be made for this memory. If this value is `None` 741 /// than the implementation is free to allocate memory as it sees fit. If 742 /// the value is `Some`, however, then the implementation is expected to 743 /// reserve that many bytes for the memory's allocation, plus the guard 744 /// size at the end. Note that this reservation need only be a virtual 745 /// memory reservation, physical memory does not need to be allocated 746 /// immediately. In this case `grow` should never move the base pointer and 747 /// the maximum size of `ty` is guaranteed to fit within 748 /// `reserved_size_in_bytes`. 749 /// 750 /// The `guard_size_in_bytes` parameter indicates how many bytes of space, 751 /// after the memory allocation, is expected to be unmapped. JIT code will 752 /// elide bounds checks based on the `guard_size_in_bytes` provided, so for 753 /// JIT code to work correctly the memory returned will need to be properly 754 /// guarded with `guard_size_in_bytes` bytes left unmapped after the base 755 /// allocation. 756 /// 757 /// Note that the `reserved_size_in_bytes` and `guard_size_in_bytes` options 758 /// are tuned from the various [`Config`](crate::Config) methods about 759 /// memory sizes/guards. Additionally these two values are guaranteed to be 760 /// multiples of the system page size. 761 /// 762 /// Memory created from this method should be zero filled. 763 fn new_memory( 764 &self, 765 ty: MemoryType, 766 minimum: usize, 767 maximum: Option<usize>, 768 reserved_size_in_bytes: Option<usize>, 769 guard_size_in_bytes: usize, 770 ) -> Result<Box<dyn LinearMemory>, String>; 771 } 772 773 /// A constructor for externally-created shared memory. 774 /// 775 /// The [threads proposal] adds the concept of "shared memory" to WebAssembly. 776 /// This is much the same as a Wasm linear memory (i.e., [`Memory`]), but can be 777 /// used concurrently by multiple agents. Because these agents may execute in 778 /// different threads, [`SharedMemory`] must be thread-safe. 779 /// 780 /// When the [threads proposal is enabled](crate::Config::wasm_threads) and the 781 /// [the creation of shared memories is enabled](crate::Config::shared_memory), 782 /// there are multiple ways to construct shared memory: 783 /// 1. for imported shared memory, e.g., `(import "env" "memory" (memory 1 1 784 /// shared))`, the user must supply a [`SharedMemory`] with the 785 /// externally-created memory as an import to the instance--e.g., 786 /// `shared_memory.into()`. 787 /// 2. for private or exported shared memory, e.g., `(export "env" "memory" 788 /// (memory 1 1 shared))`, Wasmtime will create the memory internally during 789 /// instantiation--access using `Instance::get_shared_memory()`. 790 /// 791 /// [threads proposal]: 792 /// https://github.com/WebAssembly/threads/blob/master/proposals/threads/Overview.md 793 /// 794 /// # Examples 795 /// 796 /// ``` 797 /// # use wasmtime::*; 798 /// # fn main() -> anyhow::Result<()> { 799 /// let mut config = Config::new(); 800 /// config.wasm_threads(true); 801 /// config.shared_memory(true); 802 /// # if Engine::new(&config).is_err() { return Ok(()); } 803 /// let engine = Engine::new(&config)?; 804 /// let mut store = Store::new(&engine, ()); 805 /// 806 /// let shared_memory = SharedMemory::new(&engine, MemoryType::shared(1, 2))?; 807 /// let module = Module::new(&engine, r#"(module (memory (import "" "") 1 2 shared))"#)?; 808 /// let instance = Instance::new(&mut store, &module, &[shared_memory.into()])?; 809 /// // ... 810 /// # Ok(()) 811 /// # } 812 /// ``` 813 #[derive(Clone)] 814 pub struct SharedMemory { 815 vm: crate::runtime::vm::SharedMemory, 816 engine: Engine, 817 } 818 819 impl SharedMemory { 820 /// Construct a [`SharedMemory`] by providing both the `minimum` and 821 /// `maximum` number of 64K-sized pages. This call allocates the necessary 822 /// pages on the system. 823 #[cfg(feature = "threads")] 824 pub fn new(engine: &Engine, ty: MemoryType) -> Result<Self> { 825 if !ty.is_shared() { 826 bail!("shared memory must have the `shared` flag enabled on its memory type") 827 } 828 debug_assert!(ty.maximum().is_some()); 829 830 let ty = ty.wasmtime_memory(); 831 let memory = crate::runtime::vm::SharedMemory::new(engine, ty)?; 832 833 Ok(Self { 834 vm: memory, 835 engine: engine.clone(), 836 }) 837 } 838 839 /// Return the type of the shared memory. 840 pub fn ty(&self) -> MemoryType { 841 MemoryType::from_wasmtime_memory(&self.vm.ty()) 842 } 843 844 /// Returns the size, in WebAssembly pages, of this wasm memory. 845 pub fn size(&self) -> u64 { 846 let byte_size = u64::try_from(self.data_size()).unwrap(); 847 let page_size = self.page_size(); 848 byte_size / page_size 849 } 850 851 /// Returns the size of a page, in bytes, for this memory. 852 /// 853 /// By default this is 64KiB (aka `0x10000`, `2**16`, `1<<16`, or `65536`) 854 /// but [the custom-page-sizes proposal] allows opting into a page size of 855 /// `1`. Future extensions might allow any power of two as a page size. 856 /// 857 /// [the custom-page-sizes proposal]: https://github.com/WebAssembly/custom-page-sizes 858 pub fn page_size(&self) -> u64 { 859 self.ty().page_size() 860 } 861 862 /// Returns the byte length of this memory. 863 /// 864 /// The returned value will be a multiple of the wasm page size, 64k. 865 /// 866 /// For more information and examples see the documentation on the 867 /// [`Memory`] type. 868 pub fn data_size(&self) -> usize { 869 self.vm.byte_size() 870 } 871 872 /// Return access to the available portion of the shared memory. 873 /// 874 /// The slice returned represents the region of accessible memory at the 875 /// time that this function was called. The contents of the returned slice 876 /// will reflect concurrent modifications happening on other threads. 877 /// 878 /// # Safety 879 /// 880 /// The returned slice is valid for the entire duration of the lifetime of 881 /// this instance of [`SharedMemory`]. The base pointer of a shared memory 882 /// does not change. This [`SharedMemory`] may grow further after this 883 /// function has been called, but the slice returned will not grow. 884 /// 885 /// Concurrent modifications may be happening to the data returned on other 886 /// threads. The `UnsafeCell<u8>` represents that safe access to the 887 /// contents of the slice is not possible through normal loads and stores. 888 /// 889 /// The memory returned must be accessed safely through the `Atomic*` types 890 /// in the [`std::sync::atomic`] module. Casting to those types must 891 /// currently be done unsafely. 892 pub fn data(&self) -> &[UnsafeCell<u8>] { 893 unsafe { 894 let definition = self.vm.vmmemory_ptr().as_ref(); 895 slice::from_raw_parts(definition.base.as_ptr().cast(), definition.current_length()) 896 } 897 } 898 899 /// Grows this WebAssembly memory by `delta` pages. 900 /// 901 /// This will attempt to add `delta` more pages of memory on to the end of 902 /// this `Memory` instance. If successful this may relocate the memory and 903 /// cause [`Memory::data_ptr`] to return a new value. Additionally any 904 /// unsafely constructed slices into this memory may no longer be valid. 905 /// 906 /// On success returns the number of pages this memory previously had 907 /// before the growth succeeded. 908 /// 909 /// # Errors 910 /// 911 /// Returns an error if memory could not be grown, for example if it exceeds 912 /// the maximum limits of this memory. A 913 /// [`ResourceLimiter`](crate::ResourceLimiter) is another example of 914 /// preventing a memory to grow. 915 pub fn grow(&self, delta: u64) -> Result<u64> { 916 match self.vm.grow(delta)? { 917 Some((old_size, _new_size)) => { 918 // For shared memory, the `VMMemoryDefinition` is updated inside 919 // the locked region. 920 Ok(u64::try_from(old_size).unwrap() / self.page_size()) 921 } 922 None => bail!("failed to grow memory by `{delta}`"), 923 } 924 } 925 926 /// Equivalent of the WebAssembly `memory.atomic.notify` instruction for 927 /// this shared memory. 928 /// 929 /// This method allows embedders to notify threads blocked on the specified 930 /// `addr`, an index into wasm linear memory. Threads could include 931 /// wasm threads blocked on a `memory.atomic.wait*` instruction or embedder 932 /// threads blocked on [`SharedMemory::atomic_wait32`], for example. 933 /// 934 /// The `count` argument is the number of threads to wake up. 935 /// 936 /// This function returns the number of threads awoken. 937 /// 938 /// # Errors 939 /// 940 /// This function will return an error if `addr` is not within bounds or 941 /// not aligned to a 4-byte boundary. 942 pub fn atomic_notify(&self, addr: u64, count: u32) -> Result<u32, Trap> { 943 self.vm.atomic_notify(addr, count) 944 } 945 946 /// Equivalent of the WebAssembly `memory.atomic.wait32` instruction for 947 /// this shared memory. 948 /// 949 /// This method allows embedders to block the current thread until notified 950 /// via the `memory.atomic.notify` instruction or the 951 /// [`SharedMemory::atomic_notify`] method, enabling synchronization with 952 /// the wasm guest as desired. 953 /// 954 /// The `expected` argument is the expected 32-bit value to be stored at 955 /// the byte address `addr` specified. The `addr` specified is an index 956 /// into this linear memory. 957 /// 958 /// The optional `timeout` argument is the maximum amount of time to block 959 /// the current thread. If not specified the thread may sleep indefinitely. 960 /// 961 /// This function returns one of three possible values: 962 /// 963 /// * `WaitResult::Ok` - this function, loaded the value at `addr`, found 964 /// it was equal to `expected`, and then blocked (all as one atomic 965 /// operation). The thread was then awoken with a `memory.atomic.notify` 966 /// instruction or the [`SharedMemory::atomic_notify`] method. 967 /// * `WaitResult::Mismatch` - the value at `addr` was loaded but was not 968 /// equal to `expected` so the thread did not block and immediately 969 /// returned. 970 /// * `WaitResult::TimedOut` - all the steps of `Ok` happened, except this 971 /// thread was woken up due to a timeout. 972 /// 973 /// This function will not return due to spurious wakeups. 974 /// 975 /// # Errors 976 /// 977 /// This function will return an error if `addr` is not within bounds or 978 /// not aligned to a 4-byte boundary. 979 pub fn atomic_wait32( 980 &self, 981 addr: u64, 982 expected: u32, 983 timeout: Option<Duration>, 984 ) -> Result<WaitResult, Trap> { 985 self.vm.atomic_wait32(addr, expected, timeout) 986 } 987 988 /// Equivalent of the WebAssembly `memory.atomic.wait64` instruction for 989 /// this shared memory. 990 /// 991 /// For more information see [`SharedMemory::atomic_wait32`]. 992 /// 993 /// # Errors 994 /// 995 /// Returns the same error as [`SharedMemory::atomic_wait32`] except that 996 /// the specified address must be 8-byte aligned instead of 4-byte aligned. 997 pub fn atomic_wait64( 998 &self, 999 addr: u64, 1000 expected: u64, 1001 timeout: Option<Duration>, 1002 ) -> Result<WaitResult, Trap> { 1003 self.vm.atomic_wait64(addr, expected, timeout) 1004 } 1005 1006 /// Return a reference to the [`Engine`] used to configure the shared 1007 /// memory. 1008 pub(crate) fn engine(&self) -> &Engine { 1009 &self.engine 1010 } 1011 1012 /// Construct a single-memory instance to provide a way to import 1013 /// [`SharedMemory`] into other modules. 1014 pub(crate) fn vmimport(&self, store: &mut StoreOpaque) -> crate::runtime::vm::VMMemoryImport { 1015 // Note `vm::assert_ready` shouldn't panic here because this isn't 1016 // actually allocating any new memory (also no limiter), so resource 1017 // limiting shouldn't kick in. 1018 let memory = vm::assert_ready(generate_memory_export( 1019 store, 1020 None, 1021 &self.ty(), 1022 Some(&self.vm), 1023 )) 1024 .unwrap(); 1025 match memory { 1026 ExportMemory::Unshared(_) => unreachable!(), 1027 ExportMemory::Shared(_shared, vmimport) => vmimport, 1028 } 1029 } 1030 1031 /// Creates a [`SharedMemory`] from its constituent parts. 1032 pub(crate) fn from_raw(vm: crate::runtime::vm::SharedMemory, engine: Engine) -> Self { 1033 SharedMemory { vm, engine } 1034 } 1035 } 1036 1037 impl fmt::Debug for SharedMemory { 1038 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 1039 f.debug_struct("SharedMemory").finish_non_exhaustive() 1040 } 1041 } 1042 1043 #[cfg(test)] 1044 mod tests { 1045 use crate::*; 1046 1047 // Assert that creating a memory via `Memory::new` respects the limits/tunables 1048 // in `Config`. 1049 #[test] 1050 fn respect_tunables() { 1051 let mut cfg = Config::new(); 1052 cfg.memory_reservation(0).memory_guard_size(0); 1053 let mut store = Store::new(&Engine::new(&cfg).unwrap(), ()); 1054 let ty = MemoryType::new(1, None); 1055 let mem = Memory::new(&mut store, ty).unwrap(); 1056 let store = store.as_context(); 1057 let tunables = store.engine().tunables(); 1058 assert_eq!(tunables.memory_guard_size, 0); 1059 assert!( 1060 !mem.wasmtime_ty(store.0) 1061 .can_elide_bounds_check(tunables, 12) 1062 ); 1063 } 1064 1065 #[test] 1066 fn hash_key_is_stable_across_duplicate_store_data_entries() -> Result<()> { 1067 let mut store = Store::<()>::default(); 1068 let module = Module::new( 1069 store.engine(), 1070 r#" 1071 (module 1072 (memory (export "m") 1 1) 1073 ) 1074 "#, 1075 )?; 1076 let instance = Instance::new(&mut store, &module, &[])?; 1077 1078 // Each time we `get_memory`, we call `Memory::from_wasmtime` which adds 1079 // a new entry to `StoreData`, so `g1` and `g2` will have different 1080 // indices into `StoreData`. 1081 let m1 = instance.get_memory(&mut store, "m").unwrap(); 1082 let m2 = instance.get_memory(&mut store, "m").unwrap(); 1083 1084 // That said, they really point to the same memory. 1085 assert_eq!(m1.data(&store)[0], 0); 1086 assert_eq!(m2.data(&store)[0], 0); 1087 m1.data_mut(&mut store)[0] = 42; 1088 assert_eq!(m1.data(&mut store)[0], 42); 1089 assert_eq!(m2.data(&mut store)[0], 42); 1090 1091 // And therefore their hash keys are the same. 1092 assert!(m1.hash_key(&store.as_context().0) == m2.hash_key(&store.as_context().0)); 1093 1094 // But the hash keys are different from different memories. 1095 let instance2 = Instance::new(&mut store, &module, &[])?; 1096 let m3 = instance2.get_memory(&mut store, "m").unwrap(); 1097 assert!(m1.hash_key(&store.as_context().0) != m3.hash_key(&store.as_context().0)); 1098 1099 Ok(()) 1100 } 1101 } 1102