1 use crate::prelude::*; 2 #[cfg(feature = "std")] 3 use crate::runtime::vm::open_file_for_mmap; 4 use crate::runtime::vm::{CompiledModuleId, MmapVec, ModuleMemoryImages, VMWasmCallFunction}; 5 use crate::sync::OnceLock; 6 use crate::{ 7 Engine, 8 code::EngineCode, 9 code_memory::CodeMemory, 10 instantiate::CompiledModule, 11 resources::ResourcesRequired, 12 types::{ExportType, ExternType, ImportType}, 13 }; 14 use alloc::sync::Arc; 15 use core::fmt; 16 use core::ops::Range; 17 use core::ptr::NonNull; 18 #[cfg(feature = "std")] 19 use std::{fs::File, path::Path}; 20 use wasmparser::{Parser, ValidPayload, Validator}; 21 #[cfg(feature = "debug")] 22 use wasmtime_environ::FrameTable; 23 use wasmtime_environ::{ 24 CompiledFunctionsTable, CompiledModuleInfo, EntityIndex, HostPtr, ModuleTypes, ObjectKind, 25 TypeTrace, VMOffsets, VMSharedTypeIndex, 26 }; 27 #[cfg(feature = "gc")] 28 use wasmtime_unwinder::ExceptionTable; 29 mod registry; 30 31 pub use registry::*; 32 33 /// A compiled WebAssembly module, ready to be instantiated. 34 /// 35 /// A `Module` is a compiled in-memory representation of an input WebAssembly 36 /// binary. A `Module` is then used to create an [`Instance`](crate::Instance) 37 /// through an instantiation process. You cannot call functions or fetch 38 /// globals, for example, on a `Module` because it's purely a code 39 /// representation. Instead you'll need to create an 40 /// [`Instance`](crate::Instance) to interact with the wasm module. 41 /// 42 /// A `Module` can be created by compiling WebAssembly code through APIs such as 43 /// [`Module::new`]. This would be a JIT-style use case where code is compiled 44 /// just before it's used. Alternatively a `Module` can be compiled in one 45 /// process and [`Module::serialize`] can be used to save it to storage. A later 46 /// call to [`Module::deserialize`] will quickly load the module to execute and 47 /// does not need to compile any code, representing a more AOT-style use case. 48 /// 49 /// Currently a `Module` does not implement any form of tiering or dynamic 50 /// optimization of compiled code. Creation of a `Module` via [`Module::new`] or 51 /// related APIs will perform the entire compilation step synchronously. When 52 /// finished no further compilation will happen at runtime or later during 53 /// execution of WebAssembly instances for example. 54 /// 55 /// Compilation of WebAssembly by default goes through Cranelift and is 56 /// recommended to be done once-per-module. The same WebAssembly binary need not 57 /// be compiled multiple times and can instead used an embedder-cached result of 58 /// the first call. 59 /// 60 /// `Module` is thread-safe and safe to share across threads. 61 /// 62 /// ## Modules and `Clone` 63 /// 64 /// Using `clone` on a `Module` is a cheap operation. It will not create an 65 /// entirely new module, but rather just a new reference to the existing module. 66 /// In other words it's a shallow copy, not a deep copy. 67 /// 68 /// ## Examples 69 /// 70 /// There are a number of ways you can create a `Module`, for example pulling 71 /// the bytes from a number of locations. One example is loading a module from 72 /// the filesystem: 73 /// 74 /// ```no_run 75 /// # use wasmtime::*; 76 /// # fn main() -> Result<()> { 77 /// let engine = Engine::default(); 78 /// let module = Module::from_file(&engine, "path/to/foo.wasm")?; 79 /// # Ok(()) 80 /// # } 81 /// ``` 82 /// 83 /// You can also load the wasm text format if more convenient too: 84 /// 85 /// ```no_run 86 /// # use wasmtime::*; 87 /// # fn main() -> Result<()> { 88 /// let engine = Engine::default(); 89 /// // Now we're using the WebAssembly text extension: `.wat`! 90 /// let module = Module::from_file(&engine, "path/to/foo.wat")?; 91 /// # Ok(()) 92 /// # } 93 /// ``` 94 /// 95 /// And if you've already got the bytes in-memory you can use the 96 /// [`Module::new`] constructor: 97 /// 98 /// ```no_run 99 /// # use wasmtime::*; 100 /// # fn main() -> Result<()> { 101 /// let engine = Engine::default(); 102 /// # let wasm_bytes: Vec<u8> = Vec::new(); 103 /// let module = Module::new(&engine, &wasm_bytes)?; 104 /// 105 /// // It also works with the text format! 106 /// let module = Module::new(&engine, "(module (func))")?; 107 /// # Ok(()) 108 /// # } 109 /// ``` 110 /// 111 /// Serializing and deserializing a module looks like: 112 /// 113 /// ```no_run 114 /// # use wasmtime::*; 115 /// # fn main() -> Result<()> { 116 /// let engine = Engine::default(); 117 /// # let wasm_bytes: Vec<u8> = Vec::new(); 118 /// let module = Module::new(&engine, &wasm_bytes)?; 119 /// let module_bytes = module.serialize()?; 120 /// 121 /// // ... can save `module_bytes` to disk or other storage ... 122 /// 123 /// // recreate the module from the serialized bytes. For the `unsafe` bits 124 /// // see the documentation of `deserialize`. 125 /// let module = unsafe { Module::deserialize(&engine, &module_bytes)? }; 126 /// # Ok(()) 127 /// # } 128 /// ``` 129 /// 130 /// [`Config`]: crate::Config 131 #[derive(Clone)] 132 pub struct Module { 133 inner: Arc<ModuleInner>, 134 } 135 136 struct ModuleInner { 137 engine: Engine, 138 /// The compiled artifacts for this module that will be instantiated and 139 /// executed. 140 module: CompiledModule, 141 142 /// Runtime information such as the underlying mmap, type information, etc. 143 /// 144 /// Note that this `Arc` is used to share information between compiled 145 /// modules within a component. For bare core wasm modules created with 146 /// `Module::new`, for example, this is a uniquely owned `Arc`. 147 code: Arc<EngineCode>, 148 149 /// A set of initialization images for memories, if any. 150 /// 151 /// Note that this is behind a `OnceCell` to lazily create this image. On 152 /// Linux where `memfd_create` may be used to create the backing memory 153 /// image this is a pretty expensive operation, so by deferring it this 154 /// improves memory usage for modules that are created but may not ever be 155 /// instantiated. 156 memory_images: OnceLock<Option<ModuleMemoryImages>>, 157 158 /// Flag indicating whether this module can be serialized or not. 159 #[cfg(any(feature = "cranelift", feature = "winch"))] 160 serializable: bool, 161 162 /// Runtime offset information for `VMContext`. 163 offsets: VMOffsets<HostPtr>, 164 } 165 166 impl fmt::Debug for Module { 167 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 168 f.debug_struct("Module") 169 .field("name", &self.name()) 170 .finish_non_exhaustive() 171 } 172 } 173 174 impl fmt::Debug for ModuleInner { 175 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 176 f.debug_struct("ModuleInner") 177 .field("name", &self.module.module().name.as_ref()) 178 .finish_non_exhaustive() 179 } 180 } 181 182 impl Module { 183 /// Creates a new WebAssembly `Module` from the given in-memory `bytes`. 184 /// 185 /// The `bytes` provided must be in one of the following formats: 186 /// 187 /// * A [binary-encoded][binary] WebAssembly module. This is always supported. 188 /// * A [text-encoded][text] instance of the WebAssembly text format. 189 /// This is only supported when the `wat` feature of this crate is enabled. 190 /// If this is supplied then the text format will be parsed before validation. 191 /// Note that the `wat` feature is enabled by default. 192 /// 193 /// The data for the wasm module must be loaded in-memory if it's present 194 /// elsewhere, for example on disk. This requires that the entire binary is 195 /// loaded into memory all at once, this API does not support streaming 196 /// compilation of a module. 197 /// 198 /// The WebAssembly binary will be decoded and validated. It will also be 199 /// compiled according to the configuration of the provided `engine`. 200 /// 201 /// # Errors 202 /// 203 /// This function may fail and return an error. Errors may include 204 /// situations such as: 205 /// 206 /// * The binary provided could not be decoded because it's not a valid 207 /// WebAssembly binary 208 /// * The WebAssembly binary may not validate (e.g. contains type errors) 209 /// * Implementation-specific limits were exceeded with a valid binary (for 210 /// example too many locals) 211 /// * The wasm binary may use features that are not enabled in the 212 /// configuration of `engine` 213 /// * If the `wat` feature is enabled and the input is text, then it may be 214 /// rejected if it fails to parse. 215 /// 216 /// The error returned should contain full information about why module 217 /// creation failed if one is returned. 218 /// 219 /// [binary]: https://webassembly.github.io/spec/core/binary/index.html 220 /// [text]: https://webassembly.github.io/spec/core/text/index.html 221 /// 222 /// # Examples 223 /// 224 /// The `new` function can be invoked with a in-memory array of bytes: 225 /// 226 /// ```no_run 227 /// # use wasmtime::*; 228 /// # fn main() -> Result<()> { 229 /// # let engine = Engine::default(); 230 /// # let wasm_bytes: Vec<u8> = Vec::new(); 231 /// let module = Module::new(&engine, &wasm_bytes)?; 232 /// # Ok(()) 233 /// # } 234 /// ``` 235 /// 236 /// Or you can also pass in a string to be parsed as the wasm text 237 /// format: 238 /// 239 /// ``` 240 /// # use wasmtime::*; 241 /// # fn main() -> Result<()> { 242 /// # let engine = Engine::default(); 243 /// let module = Module::new(&engine, "(module (func))")?; 244 /// # Ok(()) 245 /// # } 246 /// ``` 247 #[cfg(any(feature = "cranelift", feature = "winch"))] 248 pub fn new(engine: &Engine, bytes: impl AsRef<[u8]>) -> Result<Module> { 249 crate::CodeBuilder::new(engine) 250 .wasm_binary_or_text(bytes.as_ref(), None)? 251 .compile_module() 252 } 253 254 /// Creates a new WebAssembly `Module` from the contents of the given 255 /// `file` on disk. 256 /// 257 /// This is a convenience function that will read the `file` provided and 258 /// pass the bytes to the [`Module::new`] function. For more information 259 /// see [`Module::new`] 260 /// 261 /// # Examples 262 /// 263 /// ```no_run 264 /// # use wasmtime::*; 265 /// # fn main() -> Result<()> { 266 /// let engine = Engine::default(); 267 /// let module = Module::from_file(&engine, "./path/to/foo.wasm")?; 268 /// # Ok(()) 269 /// # } 270 /// ``` 271 /// 272 /// The `.wat` text format is also supported: 273 /// 274 /// ```no_run 275 /// # use wasmtime::*; 276 /// # fn main() -> Result<()> { 277 /// # let engine = Engine::default(); 278 /// let module = Module::from_file(&engine, "./path/to/foo.wat")?; 279 /// # Ok(()) 280 /// # } 281 /// ``` 282 #[cfg(all(feature = "std", any(feature = "cranelift", feature = "winch")))] 283 pub fn from_file(engine: &Engine, file: impl AsRef<Path>) -> Result<Module> { 284 crate::CodeBuilder::new(engine) 285 .wasm_binary_or_text_file(file.as_ref())? 286 .compile_module() 287 } 288 289 /// Creates a new WebAssembly `Module` from the given in-memory `binary` 290 /// data. 291 /// 292 /// This is similar to [`Module::new`] except that it requires that the 293 /// `binary` input is a WebAssembly binary, the text format is not supported 294 /// by this function. It's generally recommended to use [`Module::new`], but 295 /// if it's required to not support the text format this function can be 296 /// used instead. 297 /// 298 /// # Examples 299 /// 300 /// ``` 301 /// # use wasmtime::*; 302 /// # fn main() -> Result<()> { 303 /// # let engine = Engine::default(); 304 /// let wasm = b"\0asm\x01\0\0\0"; 305 /// let module = Module::from_binary(&engine, wasm)?; 306 /// # Ok(()) 307 /// # } 308 /// ``` 309 /// 310 /// Note that the text format is **not** accepted by this function: 311 /// 312 /// ``` 313 /// # use wasmtime::*; 314 /// # fn main() -> Result<()> { 315 /// # let engine = Engine::default(); 316 /// assert!(Module::from_binary(&engine, b"(module)").is_err()); 317 /// # Ok(()) 318 /// # } 319 /// ``` 320 #[cfg(any(feature = "cranelift", feature = "winch"))] 321 pub fn from_binary(engine: &Engine, binary: &[u8]) -> Result<Module> { 322 crate::CodeBuilder::new(engine) 323 .wasm_binary(binary, None)? 324 .compile_module() 325 } 326 327 /// Creates a new WebAssembly `Module` from the contents of the given `file` 328 /// on disk, but with assumptions that the file is from a trusted source. 329 /// The file should be a binary- or text-format WebAssembly module, or a 330 /// precompiled artifact generated by the same version of Wasmtime. 331 /// 332 /// # Unsafety 333 /// 334 /// All of the reasons that [`deserialize`] is `unsafe` apply to this 335 /// function as well. Arbitrary data loaded from a file may trick Wasmtime 336 /// into arbitrary code execution since the contents of the file are not 337 /// validated to be a valid precompiled module. 338 /// 339 /// [`deserialize`]: Module::deserialize 340 /// 341 /// Additionally though this function is also `unsafe` because the file 342 /// referenced must remain unchanged and a valid precompiled module for the 343 /// entire lifetime of the [`Module`] returned. Any changes to the file on 344 /// disk may change future instantiations of the module to be incorrect. 345 /// This is because the file is mapped into memory and lazily loaded pages 346 /// reflect the current state of the file, not necessarily the original 347 /// state of the file. 348 #[cfg(all(feature = "std", any(feature = "cranelift", feature = "winch")))] 349 pub unsafe fn from_trusted_file(engine: &Engine, file: impl AsRef<Path>) -> Result<Module> { 350 let open_file = open_file_for_mmap(file.as_ref())?; 351 let mmap = crate::runtime::vm::MmapVec::from_file(open_file)?; 352 if &mmap[0..4] == b"\x7fELF" { 353 let code = engine.load_code(mmap, ObjectKind::Module)?; 354 return Module::from_parts(engine, code, None); 355 } 356 357 crate::CodeBuilder::new(engine) 358 .wasm_binary_or_text(&mmap[..], Some(file.as_ref()))? 359 .compile_module() 360 } 361 362 /// Deserializes an in-memory compiled module previously created with 363 /// [`Module::serialize`] or [`Engine::precompile_module`]. 364 /// 365 /// This function will deserialize the binary blobs emitted by 366 /// [`Module::serialize`] and [`Engine::precompile_module`] back into an 367 /// in-memory [`Module`] that's ready to be instantiated. 368 /// 369 /// Note that the [`Module::deserialize_file`] method is more optimized than 370 /// this function, so if the serialized module is already present in a file 371 /// it's recommended to use that method instead. 372 /// 373 /// # Unsafety 374 /// 375 /// This function is marked as `unsafe` because if fed invalid input or used 376 /// improperly this could lead to memory safety vulnerabilities. This method 377 /// should not, for example, be exposed to arbitrary user input. 378 /// 379 /// The structure of the binary blob read here is only lightly validated 380 /// internally in `wasmtime`. This is intended to be an efficient 381 /// "rehydration" for a [`Module`] which has very few runtime checks beyond 382 /// deserialization. Arbitrary input could, for example, replace valid 383 /// compiled code with any other valid compiled code, meaning that this can 384 /// trivially be used to execute arbitrary code otherwise. 385 /// 386 /// For these reasons this function is `unsafe`. This function is only 387 /// designed to receive the previous input from [`Module::serialize`] and 388 /// [`Engine::precompile_module`]. If the exact output of those functions 389 /// (unmodified) is passed to this function then calls to this function can 390 /// be considered safe. It is the caller's responsibility to provide the 391 /// guarantee that only previously-serialized bytes are being passed in 392 /// here. 393 /// 394 /// Note that this function is designed to be safe receiving output from 395 /// *any* compiled version of `wasmtime` itself. This means that it is safe 396 /// to feed output from older versions of Wasmtime into this function, in 397 /// addition to newer versions of wasmtime (from the future!). These inputs 398 /// will deterministically and safely produce an `Err`. This function only 399 /// successfully accepts inputs from the same version of `wasmtime`, but the 400 /// safety guarantee only applies to externally-defined blobs of bytes, not 401 /// those defined by any version of wasmtime. (this means that if you cache 402 /// blobs across versions of wasmtime you can be safely guaranteed that 403 /// future versions of wasmtime will reject old cache entries). 404 pub unsafe fn deserialize(engine: &Engine, bytes: impl AsRef<[u8]>) -> Result<Module> { 405 let code = engine.load_code_bytes(bytes.as_ref(), ObjectKind::Module)?; 406 Module::from_parts(engine, code, None) 407 } 408 409 /// In-place deserialization of an in-memory compiled module previously 410 /// created with [`Module::serialize`] or [`Engine::precompile_module`]. 411 /// 412 /// See [`Self::deserialize`] for additional information; this method 413 /// works identically except that it will not create a copy of the provided 414 /// memory but will use it directly. 415 /// 416 /// # Unsafety 417 /// 418 /// All of the safety notes from [`Self::deserialize`] apply here as well 419 /// with the additional constraint that the code memory provide by `memory` 420 /// lives for as long as the module and is nevery externally modified for 421 /// the lifetime of the deserialized module. 422 pub unsafe fn deserialize_raw(engine: &Engine, memory: NonNull<[u8]>) -> Result<Module> { 423 // SAFETY: the contract required by `load_code_raw` is the same as this 424 // function. 425 let code = unsafe { engine.load_code_raw(memory, ObjectKind::Module)? }; 426 Module::from_parts(engine, code, None) 427 } 428 429 /// Same as [`deserialize`], except that the contents of `path` are read to 430 /// deserialize into a [`Module`]. 431 /// 432 /// This method is provided because it can be faster than [`deserialize`] 433 /// since the data doesn't need to be copied around, but rather the module 434 /// can be used directly from an mmap'd view of the file provided. 435 /// 436 /// [`deserialize`]: Module::deserialize 437 /// 438 /// # Unsafety 439 /// 440 /// All of the reasons that [`deserialize`] is `unsafe` applies to this 441 /// function as well. Arbitrary data loaded from a file may trick Wasmtime 442 /// into arbitrary code execution since the contents of the file are not 443 /// validated to be a valid precompiled module. 444 /// 445 /// Additionally though this function is also `unsafe` because the file 446 /// referenced must remain unchanged and a valid precompiled module for the 447 /// entire lifetime of the [`Module`] returned. Any changes to the file on 448 /// disk may change future instantiations of the module to be incorrect. 449 /// This is because the file is mapped into memory and lazily loaded pages 450 /// reflect the current state of the file, not necessarily the original 451 /// state of the file. 452 #[cfg(feature = "std")] 453 pub unsafe fn deserialize_file(engine: &Engine, path: impl AsRef<Path>) -> Result<Module> { 454 let file = open_file_for_mmap(path.as_ref())?; 455 // SAFETY: the contract of `deserialize_open_file` is the samea s this 456 // function. 457 unsafe { 458 Self::deserialize_open_file(engine, file) 459 .with_context(|| format!("failed deserialization for: {}", path.as_ref().display())) 460 } 461 } 462 463 /// Same as [`deserialize_file`], except that it takes an open `File` 464 /// instead of a path. 465 /// 466 /// This method is provided because it can be used instead of 467 /// [`deserialize_file`] in situations where `wasmtime` is running with 468 /// limited file system permissions. In that case a process 469 /// with file system access can pass already opened files to `wasmtime`. 470 /// 471 /// [`deserialize_file`]: Module::deserialize_file 472 /// 473 /// Note that the corresponding will be mapped as private writeable 474 /// (copy-on-write) and executable. For `windows` this means the file needs 475 /// to be opened with at least `FILE_GENERIC_READ | FILE_GENERIC_EXECUTE` 476 /// [`access_mode`]. 477 /// 478 /// [`access_mode`]: https://doc.rust-lang.org/std/os/windows/fs/trait.OpenOptionsExt.html#tymethod.access_mode 479 /// 480 /// # Unsafety 481 /// 482 /// All of the reasons that [`deserialize_file`] is `unsafe` applies to this 483 /// function as well. 484 #[cfg(feature = "std")] 485 pub unsafe fn deserialize_open_file(engine: &Engine, file: File) -> Result<Module> { 486 let code = engine.load_code_file(file, ObjectKind::Module)?; 487 Module::from_parts(engine, code, None) 488 } 489 490 /// Entrypoint for creating a `Module` for all above functions, both 491 /// of the AOT and jit-compiled categories. 492 /// 493 /// In all cases the compilation artifact, `code_memory`, is provided here. 494 /// The `info_and_types` argument is `None` when a module is being 495 /// deserialized from a precompiled artifact or it's `Some` if it was just 496 /// compiled and the values are already available. 497 pub(crate) fn from_parts( 498 engine: &Engine, 499 code_memory: Arc<CodeMemory>, 500 info_and_types: Option<(CompiledModuleInfo, CompiledFunctionsTable, ModuleTypes)>, 501 ) -> Result<Self> { 502 // Acquire this module's metadata and type information, deserializing 503 // it from the provided artifact if it wasn't otherwise provided 504 // already. 505 let (mut info, index, mut types) = match info_and_types { 506 Some((info, index, types)) => (info, index, types), 507 None => postcard::from_bytes(code_memory.wasmtime_info())?, 508 }; 509 510 // Register function type signatures into the engine for the lifetime 511 // of the `Module` that will be returned. This notably also builds up 512 // maps for trampolines to be used for this module when inserted into 513 // stores. 514 // 515 // Note that the unsafety here should be ok since the `trampolines` 516 // field should only point to valid trampoline function pointers 517 // within the text section. 518 let signatures = engine 519 .register_and_canonicalize_types(&mut types, core::iter::once(&mut info.module))?; 520 521 // Package up all our data into an `EngineCode` and delegate to the final 522 // step of module compilation. 523 let code = Arc::new(EngineCode::new(code_memory, signatures, types.into())); 524 let index = Arc::new(index); 525 Module::from_parts_raw(engine, code, info, index, true) 526 } 527 528 pub(crate) fn from_parts_raw( 529 engine: &Engine, 530 code: Arc<EngineCode>, 531 info: CompiledModuleInfo, 532 index: Arc<CompiledFunctionsTable>, 533 serializable: bool, 534 ) -> Result<Self> { 535 let module = CompiledModule::from_artifacts(code.clone(), info, index, engine.profiler())?; 536 537 // Validate the module can be used with the current instance allocator. 538 let offsets = VMOffsets::new(HostPtr, module.module()); 539 engine 540 .allocator() 541 .validate_module(module.module(), &offsets)?; 542 543 let _ = serializable; 544 545 Ok(Self { 546 inner: Arc::new(ModuleInner { 547 engine: engine.clone(), 548 code, 549 memory_images: OnceLock::new(), 550 module, 551 #[cfg(any(feature = "cranelift", feature = "winch"))] 552 serializable, 553 offsets, 554 }), 555 }) 556 } 557 558 /// Validates `binary` input data as a WebAssembly binary given the 559 /// configuration in `engine`. 560 /// 561 /// This function will perform a speedy validation of the `binary` input 562 /// WebAssembly module (which is in [binary form][binary], the text format 563 /// is not accepted by this function) and return either `Ok` or `Err` 564 /// depending on the results of validation. The `engine` argument indicates 565 /// configuration for WebAssembly features, for example, which are used to 566 /// indicate what should be valid and what shouldn't be. 567 /// 568 /// Validation automatically happens as part of [`Module::new`]. 569 /// 570 /// # Errors 571 /// 572 /// If validation fails for any reason (type check error, usage of a feature 573 /// that wasn't enabled, etc) then an error with a description of the 574 /// validation issue will be returned. 575 /// 576 /// [binary]: https://webassembly.github.io/spec/core/binary/index.html 577 pub fn validate(engine: &Engine, binary: &[u8]) -> Result<()> { 578 let mut validator = Validator::new_with_features(engine.features()); 579 580 let mut functions = Vec::new(); 581 for payload in Parser::new(0).parse_all(binary) { 582 let payload = payload?; 583 if let ValidPayload::Func(a, b) = validator.payload(&payload)? { 584 functions.push((a, b)); 585 } 586 if let wasmparser::Payload::Version { encoding, .. } = &payload { 587 if let wasmparser::Encoding::Component = encoding { 588 bail!("component passed to module validation"); 589 } 590 } 591 } 592 593 engine.run_maybe_parallel(functions, |(validator, body)| { 594 // FIXME: it would be best here to use a rayon-specific parallel 595 // iterator that maintains state-per-thread to share the function 596 // validator allocations (`Default::default` here) across multiple 597 // functions. 598 validator.into_validator(Default::default()).validate(&body) 599 })?; 600 Ok(()) 601 } 602 603 /// Serializes this module to a vector of bytes. 604 /// 605 /// This function is similar to the [`Engine::precompile_module`] method 606 /// where it produces an artifact of Wasmtime which is suitable to later 607 /// pass into [`Module::deserialize`]. If a module is never instantiated 608 /// then it's recommended to use [`Engine::precompile_module`] instead of 609 /// this method, but if a module is both instantiated and serialized then 610 /// this method can be useful to get the serialized version without 611 /// compiling twice. 612 #[cfg(any(feature = "cranelift", feature = "winch"))] 613 pub fn serialize(&self) -> Result<Vec<u8>> { 614 // The current representation of compiled modules within a compiled 615 // component means that it cannot be serialized. The mmap returned here 616 // is the mmap for the entire component and while it contains all 617 // necessary data to deserialize this particular module it's all 618 // embedded within component-specific information. 619 // 620 // It's not the hardest thing in the world to support this but it's 621 // expected that there's not much of a use case at this time. In theory 622 // all that needs to be done is to edit the `.wasmtime.info` section 623 // to contains this module's metadata instead of the metadata for the 624 // whole component. The metadata itself is fairly trivially 625 // recreateable here it's more that there's no easy one-off API for 626 // editing the sections of an ELF object to use here. 627 // 628 // Overall for now this simply always returns an error in this 629 // situation. If you're reading this and feel that the situation should 630 // be different please feel free to open an issue. 631 if !self.inner.serializable { 632 bail!("cannot serialize a module exported from a component"); 633 } 634 Ok(self.engine_code().image().to_vec()) 635 } 636 637 pub(crate) fn compiled_module(&self) -> &CompiledModule { 638 &self.inner.module 639 } 640 641 pub(crate) fn engine_code(&self) -> &Arc<EngineCode> { 642 &self.inner.code 643 } 644 645 pub(crate) fn env_module(&self) -> &Arc<wasmtime_environ::Module> { 646 self.compiled_module().module() 647 } 648 649 pub(crate) fn types(&self) -> &ModuleTypes { 650 self.inner.code.module_types() 651 } 652 653 #[cfg(any(feature = "component-model", feature = "gc-drc"))] 654 pub(crate) fn signatures(&self) -> &crate::type_registry::TypeCollection { 655 self.inner.code.signatures() 656 } 657 658 /// Returns identifier/name that this [`Module`] has. This name 659 /// is used in traps/backtrace details. 660 /// 661 /// Note that most LLVM/clang/Rust-produced modules do not have a name 662 /// associated with them, but other wasm tooling can be used to inject or 663 /// add a name. 664 /// 665 /// # Examples 666 /// 667 /// ``` 668 /// # use wasmtime::*; 669 /// # fn main() -> Result<()> { 670 /// # let engine = Engine::default(); 671 /// let module = Module::new(&engine, "(module $foo)")?; 672 /// assert_eq!(module.name(), Some("foo")); 673 /// 674 /// let module = Module::new(&engine, "(module)")?; 675 /// assert_eq!(module.name(), None); 676 /// 677 /// # Ok(()) 678 /// # } 679 /// ``` 680 pub fn name(&self) -> Option<&str> { 681 let module = self.compiled_module().module(); 682 let name = module.name?; 683 Some(&module.strings[name]) 684 } 685 686 /// Returns the list of imports that this [`Module`] has and must be 687 /// satisfied. 688 /// 689 /// This function returns the list of imports that the wasm module has, but 690 /// only the types of each import. The type of each import is used to 691 /// typecheck the [`Instance::new`](crate::Instance::new) method's `imports` 692 /// argument. The arguments to that function must match up 1-to-1 with the 693 /// entries in the array returned here. 694 /// 695 /// The imports returned reflect the order of the imports in the wasm module 696 /// itself, and note that no form of deduplication happens. 697 /// 698 /// # Examples 699 /// 700 /// Modules with no imports return an empty list here: 701 /// 702 /// ``` 703 /// # use wasmtime::*; 704 /// # fn main() -> Result<()> { 705 /// # let engine = Engine::default(); 706 /// let module = Module::new(&engine, "(module)")?; 707 /// assert_eq!(module.imports().len(), 0); 708 /// # Ok(()) 709 /// # } 710 /// ``` 711 /// 712 /// and modules with imports will have a non-empty list: 713 /// 714 /// ``` 715 /// # use wasmtime::*; 716 /// # fn main() -> Result<()> { 717 /// # let engine = Engine::default(); 718 /// let wat = r#" 719 /// (module 720 /// (import "host" "foo" (func)) 721 /// ) 722 /// "#; 723 /// let module = Module::new(&engine, wat)?; 724 /// assert_eq!(module.imports().len(), 1); 725 /// let import = module.imports().next().unwrap(); 726 /// assert_eq!(import.module(), "host"); 727 /// assert_eq!(import.name(), "foo"); 728 /// match import.ty() { 729 /// ExternType::Func(_) => { /* ... */ } 730 /// _ => panic!("unexpected import type!"), 731 /// } 732 /// # Ok(()) 733 /// # } 734 /// ``` 735 pub fn imports<'module>( 736 &'module self, 737 ) -> impl ExactSizeIterator<Item = ImportType<'module>> + 'module { 738 let module = self.compiled_module().module(); 739 let types = self.types(); 740 let engine = self.engine(); 741 module 742 .imports() 743 .map(move |(imp_mod, imp_field, ty)| { 744 debug_assert!(ty.is_canonicalized_for_runtime_usage()); 745 ImportType::new(imp_mod, imp_field, ty, types, engine) 746 }) 747 .collect::<Vec<_>>() 748 .into_iter() 749 } 750 751 /// Returns the list of exports that this [`Module`] has and will be 752 /// available after instantiation. 753 /// 754 /// This function will return the type of each item that will be returned 755 /// from [`Instance::exports`](crate::Instance::exports). Each entry in this 756 /// list corresponds 1-to-1 with that list, and the entries here will 757 /// indicate the name of the export along with the type of the export. 758 /// 759 /// # Examples 760 /// 761 /// Modules might not have any exports: 762 /// 763 /// ``` 764 /// # use wasmtime::*; 765 /// # fn main() -> Result<()> { 766 /// # let engine = Engine::default(); 767 /// let module = Module::new(&engine, "(module)")?; 768 /// assert!(module.exports().next().is_none()); 769 /// # Ok(()) 770 /// # } 771 /// ``` 772 /// 773 /// When the exports are not empty, you can inspect each export: 774 /// 775 /// ``` 776 /// # use wasmtime::*; 777 /// # fn main() -> Result<()> { 778 /// # let engine = Engine::default(); 779 /// let wat = r#" 780 /// (module 781 /// (func (export "foo")) 782 /// (memory (export "memory") 1) 783 /// ) 784 /// "#; 785 /// let module = Module::new(&engine, wat)?; 786 /// assert_eq!(module.exports().len(), 2); 787 /// 788 /// let mut exports = module.exports(); 789 /// let foo = exports.next().unwrap(); 790 /// assert_eq!(foo.name(), "foo"); 791 /// match foo.ty() { 792 /// ExternType::Func(_) => { /* ... */ } 793 /// _ => panic!("unexpected export type!"), 794 /// } 795 /// 796 /// let memory = exports.next().unwrap(); 797 /// assert_eq!(memory.name(), "memory"); 798 /// match memory.ty() { 799 /// ExternType::Memory(_) => { /* ... */ } 800 /// _ => panic!("unexpected export type!"), 801 /// } 802 /// # Ok(()) 803 /// # } 804 /// ``` 805 pub fn exports<'module>( 806 &'module self, 807 ) -> impl ExactSizeIterator<Item = ExportType<'module>> + 'module { 808 let module = self.compiled_module().module(); 809 let types = self.types(); 810 let engine = self.engine(); 811 module.exports.iter().map(move |(name, entity_index)| { 812 ExportType::new( 813 &module.strings[name], 814 module.type_of(*entity_index), 815 types, 816 engine, 817 ) 818 }) 819 } 820 821 /// Looks up an export in this [`Module`] by name. 822 /// 823 /// This function will return the type of an export with the given name. 824 /// 825 /// # Examples 826 /// 827 /// There may be no export with that name: 828 /// 829 /// ``` 830 /// # use wasmtime::*; 831 /// # fn main() -> Result<()> { 832 /// # let engine = Engine::default(); 833 /// let module = Module::new(&engine, "(module)")?; 834 /// assert!(module.get_export("foo").is_none()); 835 /// # Ok(()) 836 /// # } 837 /// ``` 838 /// 839 /// When there is an export with that name, it is returned: 840 /// 841 /// ``` 842 /// # use wasmtime::*; 843 /// # fn main() -> Result<()> { 844 /// # let engine = Engine::default(); 845 /// let wat = r#" 846 /// (module 847 /// (func (export "foo")) 848 /// (memory (export "memory") 1) 849 /// ) 850 /// "#; 851 /// let module = Module::new(&engine, wat)?; 852 /// let foo = module.get_export("foo"); 853 /// assert!(foo.is_some()); 854 /// 855 /// let foo = foo.unwrap(); 856 /// match foo { 857 /// ExternType::Func(_) => { /* ... */ } 858 /// _ => panic!("unexpected export type!"), 859 /// } 860 /// 861 /// # Ok(()) 862 /// # } 863 /// ``` 864 pub fn get_export(&self, name: &str) -> Option<ExternType> { 865 let module = self.compiled_module().module(); 866 let name = module.strings.get_atom(name)?; 867 let entity_index = module.exports.get(&name)?; 868 Some(ExternType::from_wasmtime( 869 self.engine(), 870 self.types(), 871 &module.type_of(*entity_index), 872 )) 873 } 874 875 /// Looks up an export in this [`Module`] by name to get its index. 876 /// 877 /// This function will return the index of an export with the given name. This can be useful 878 /// to avoid the cost of looking up the export by name multiple times. Instead the 879 /// [`ModuleExport`] can be stored and used to look up the export on the 880 /// [`Instance`](crate::Instance) later. 881 pub fn get_export_index(&self, name: &str) -> Option<ModuleExport> { 882 let compiled_module = self.compiled_module(); 883 let module = compiled_module.module(); 884 let name = module.strings.get_atom(name)?; 885 let entity = *module.exports.get(&name)?; 886 Some(ModuleExport { 887 module: self.id(), 888 entity, 889 }) 890 } 891 892 /// Returns the [`Engine`] that this [`Module`] was compiled by. 893 pub fn engine(&self) -> &Engine { 894 &self.inner.engine 895 } 896 897 /// Returns a summary of the resources required to instantiate this 898 /// [`Module`]. 899 /// 900 /// Potential uses of the returned information: 901 /// 902 /// * Determining whether your pooling allocator configuration supports 903 /// instantiating this module. 904 /// 905 /// * Deciding how many of which `Module` you want to instantiate within a 906 /// fixed amount of resources, e.g. determining whether to create 5 907 /// instances of module X or 10 instances of module Y. 908 /// 909 /// # Example 910 /// 911 /// ``` 912 /// # fn main() -> wasmtime::Result<()> { 913 /// use wasmtime::{Config, Engine, Module}; 914 /// 915 /// let mut config = Config::new(); 916 /// config.wasm_multi_memory(true); 917 /// let engine = Engine::new(&config)?; 918 /// 919 /// let module = Module::new(&engine, r#" 920 /// (module 921 /// ;; Import a memory. Doesn't count towards required resources. 922 /// (import "a" "b" (memory 10)) 923 /// ;; Define two local memories. These count towards the required 924 /// ;; resources. 925 /// (memory 1) 926 /// (memory 6) 927 /// ) 928 /// "#)?; 929 /// 930 /// let resources = module.resources_required(); 931 /// 932 /// // Instantiating the module will require allocating two memories, and 933 /// // the maximum initial memory size is six Wasm pages. 934 /// assert_eq!(resources.num_memories, 2); 935 /// assert_eq!(resources.max_initial_memory_size, Some(6)); 936 /// 937 /// // The module doesn't need any tables. 938 /// assert_eq!(resources.num_tables, 0); 939 /// assert_eq!(resources.max_initial_table_size, None); 940 /// # Ok(()) } 941 /// ``` 942 pub fn resources_required(&self) -> ResourcesRequired { 943 let em = self.env_module(); 944 let num_memories = u32::try_from(em.num_defined_memories()).unwrap(); 945 let max_initial_memory_size = em 946 .memories 947 .values() 948 .skip(em.num_imported_memories) 949 .map(|memory| memory.limits.min) 950 .max(); 951 let num_tables = u32::try_from(em.num_defined_tables()).unwrap(); 952 let max_initial_table_size = em 953 .tables 954 .values() 955 .skip(em.num_imported_tables) 956 .map(|table| table.limits.min) 957 .max(); 958 ResourcesRequired { 959 num_memories, 960 max_initial_memory_size, 961 num_tables, 962 max_initial_table_size, 963 } 964 } 965 966 /// Returns the range of bytes in memory where this module's compilation 967 /// image resides. 968 /// 969 /// The compilation image for a module contains executable code, data, debug 970 /// information, etc. This is roughly the same as the `Module::serialize` 971 /// but not the exact same. 972 /// 973 /// The range of memory reported here is exposed to allow low-level 974 /// manipulation of the memory in platform-specific manners such as using 975 /// `mlock` to force the contents to be paged in immediately or keep them 976 /// paged in after they're loaded. 977 /// 978 /// It is not safe to modify the memory in this range, nor is it safe to 979 /// modify the protections of memory in this range. 980 /// 981 /// Note that depending on the engine configuration, this image 982 /// range may not actually be the code that is directly executed. 983 pub fn image_range(&self) -> Range<*const u8> { 984 self.engine_code().image().as_ptr_range() 985 } 986 987 /// Force initialization of copy-on-write images to happen here-and-now 988 /// instead of when they're requested during first instantiation. 989 /// 990 /// When [copy-on-write memory 991 /// initialization](crate::Config::memory_init_cow) is enabled then Wasmtime 992 /// will lazily create the initialization image for a module. This method 993 /// can be used to explicitly dictate when this initialization happens. 994 /// 995 /// Note that this largely only matters on Linux when memfd is used. 996 /// Otherwise the copy-on-write image typically comes from disk and in that 997 /// situation the creation of the image is trivial as the image is always 998 /// sourced from disk. On Linux, though, when memfd is used a memfd is 999 /// created and the initialization image is written to it. 1000 /// 1001 /// Also note that this method is not required to be called, it's available 1002 /// as a performance optimization if required but is otherwise handled 1003 /// automatically. 1004 pub fn initialize_copy_on_write_image(&self) -> Result<()> { 1005 self.memory_images()?; 1006 Ok(()) 1007 } 1008 1009 /// Get the map from `.text` section offsets to Wasm binary offsets for this 1010 /// module. 1011 /// 1012 /// Each entry is a (`.text` section offset, Wasm binary offset) pair. 1013 /// 1014 /// Entries are yielded in order of `.text` section offset. 1015 /// 1016 /// Some entries are missing a Wasm binary offset. This is for code that is 1017 /// not associated with any single location in the Wasm binary, or for when 1018 /// source information was optimized away. 1019 /// 1020 /// Not every module has an address map, since address map generation can be 1021 /// turned off on `Config`. 1022 /// 1023 /// There is not an entry for every `.text` section offset. Every offset 1024 /// after an entry's offset, but before the next entry's offset, is 1025 /// considered to map to the same Wasm binary offset as the original 1026 /// entry. For example, the address map will not contain the following 1027 /// sequence of entries: 1028 /// 1029 /// ```ignore 1030 /// [ 1031 /// // ... 1032 /// (10, Some(42)), 1033 /// (11, Some(42)), 1034 /// (12, Some(42)), 1035 /// (13, Some(43)), 1036 /// // ... 1037 /// ] 1038 /// ``` 1039 /// 1040 /// Instead, it will drop the entries for offsets `11` and `12` since they 1041 /// are the same as the entry for offset `10`: 1042 /// 1043 /// ```ignore 1044 /// [ 1045 /// // ... 1046 /// (10, Some(42)), 1047 /// (13, Some(43)), 1048 /// // ... 1049 /// ] 1050 /// ``` 1051 pub fn address_map<'a>(&'a self) -> Option<impl Iterator<Item = (usize, Option<u32>)> + 'a> { 1052 Some( 1053 wasmtime_environ::iterate_address_map(self.engine_code().address_map_data())? 1054 .map(|(offset, file_pos)| (offset as usize, file_pos.file_offset())), 1055 ) 1056 } 1057 1058 /// Get this module's code object's `.text` section, containing its compiled 1059 /// executable code. 1060 pub fn text(&self) -> &[u8] { 1061 self.engine_code().text() 1062 } 1063 1064 /// Get information about functions in this module's `.text` section: their 1065 /// index, name, and offset+length. 1066 /// 1067 /// Results are yielded in a ModuleFunction struct. 1068 pub fn functions<'a>(&'a self) -> impl ExactSizeIterator<Item = ModuleFunction> + 'a { 1069 let module = self.compiled_module(); 1070 self.env_module().defined_func_indices().map(|idx| { 1071 let loc = module.func_loc(idx); 1072 let idx = module.module().func_index(idx); 1073 ModuleFunction { 1074 index: idx, 1075 name: module.func_name(idx).map(|n| n.to_string()), 1076 offset: loc.start as usize, 1077 len: loc.length as usize, 1078 } 1079 }) 1080 } 1081 1082 pub(crate) fn id(&self) -> CompiledModuleId { 1083 self.inner.module.unique_id() 1084 } 1085 1086 pub(crate) fn offsets(&self) -> &VMOffsets<HostPtr> { 1087 &self.inner.offsets 1088 } 1089 1090 /// Return the address, in memory, of the trampoline that allows Wasm to 1091 /// call a array function of the given signature. 1092 /// 1093 /// Note that unlike all other code-pointer-returning functions, 1094 /// this *can* be present on `Module` (without a `StoreCode`) 1095 /// because we can execute the `EngineCode` for trampolines that 1096 /// leave the store to call the host. 1097 pub(crate) fn wasm_to_array_trampoline( 1098 &self, 1099 signature: VMSharedTypeIndex, 1100 ) -> Option<NonNull<VMWasmCallFunction>> { 1101 log::trace!("Looking up trampoline for {signature:?}"); 1102 let trampoline_shared_ty = self.inner.engine.signatures().trampoline_type(signature); 1103 let trampoline_module_ty = self 1104 .inner 1105 .code 1106 .signatures() 1107 .trampoline_type(trampoline_shared_ty)?; 1108 debug_assert!( 1109 self.inner 1110 .engine 1111 .signatures() 1112 .borrow( 1113 self.inner 1114 .code 1115 .signatures() 1116 .shared_type(trampoline_module_ty) 1117 .unwrap() 1118 ) 1119 .unwrap() 1120 .unwrap_func() 1121 .is_trampoline_type() 1122 ); 1123 1124 let ptr = self 1125 .compiled_module() 1126 .wasm_to_array_trampoline(trampoline_module_ty) 1127 .expect("always have a trampoline for the trampoline type") 1128 .as_ptr() 1129 .cast::<VMWasmCallFunction>() 1130 .cast_mut(); 1131 Some(NonNull::new(ptr).unwrap()) 1132 } 1133 1134 pub(crate) fn memory_images(&self) -> Result<Option<&ModuleMemoryImages>> { 1135 let images = self 1136 .inner 1137 .memory_images 1138 .get_or_try_init(|| memory_images(&self.inner))? 1139 .as_ref(); 1140 Ok(images) 1141 } 1142 1143 /// Obtain an exception-table parser on this module's exception metadata. 1144 #[cfg(feature = "gc")] 1145 pub(crate) fn exception_table<'a>(&'a self) -> ExceptionTable<'a> { 1146 ExceptionTable::parse(self.inner.code.exception_tables()) 1147 .expect("Exception tables were validated on module load") 1148 } 1149 1150 /// Obtain a frame-table parser on this module's frame state slot 1151 /// (debug instrumentation) metadata. 1152 #[cfg(feature = "debug")] 1153 pub(crate) fn frame_table<'a>(&'a self) -> Option<FrameTable<'a>> { 1154 let data = self.inner.code.frame_tables(); 1155 if data.is_empty() { 1156 None 1157 } else { 1158 let orig_text = self.inner.code.text(); 1159 Some( 1160 FrameTable::parse(data, orig_text) 1161 .expect("Frame tables were validated on module load"), 1162 ) 1163 } 1164 } 1165 1166 /// Is this `Module` the same as another? 1167 /// 1168 /// Ordinarily, module identity does not matter: a Wasmtime user 1169 /// will create or obtain a module from some source and 1170 /// instantiate it, and any two `Module` objects created from the 1171 /// same source module are interchangeable. However, introspecting 1172 /// module identity may be useful when examining Wasm VM state, 1173 /// e.g. via debug APIs. It is guaranteed that `Module::same` 1174 /// returns true for `Module` objects that reference the same 1175 /// underlying module (e.g., one created via a `clone` of the 1176 /// other). 1177 #[inline] 1178 pub fn same(a: &Module, b: &Module) -> bool { 1179 Arc::ptr_eq(&a.inner, &b.inner) 1180 } 1181 } 1182 1183 /// Describes a function for a given module. 1184 pub struct ModuleFunction { 1185 pub index: wasmtime_environ::FuncIndex, 1186 pub name: Option<String>, 1187 pub offset: usize, 1188 pub len: usize, 1189 } 1190 1191 impl Drop for ModuleInner { 1192 fn drop(&mut self) { 1193 // When a `Module` is being dropped that means that it's no longer 1194 // present in any `Store` and it's additionally not longer held by any 1195 // embedder. Take this opportunity to purge any lingering instantiations 1196 // within a pooling instance allocator, if applicable. 1197 self.engine 1198 .allocator() 1199 .purge_module(self.module.unique_id()); 1200 } 1201 } 1202 1203 /// Describes the location of an export in a module. 1204 #[derive(Copy, Clone)] 1205 pub struct ModuleExport { 1206 /// The module that this export is defined in. 1207 pub(crate) module: CompiledModuleId, 1208 /// A raw index into the wasm module. 1209 pub(crate) entity: EntityIndex, 1210 } 1211 1212 fn _assert_send_sync() { 1213 fn _assert<T: Send + Sync>() {} 1214 _assert::<Module>(); 1215 } 1216 1217 /// Helper method to construct a `ModuleMemoryImages` for an associated 1218 /// `CompiledModule`. 1219 fn memory_images(inner: &Arc<ModuleInner>) -> Result<Option<ModuleMemoryImages>> { 1220 // If initialization via copy-on-write is explicitly disabled in 1221 // configuration then this path is skipped entirely. 1222 if !inner.engine.tunables().memory_init_cow { 1223 return Ok(None); 1224 } 1225 1226 // ... otherwise logic is delegated to the `ModuleMemoryImages::new` 1227 // constructor. 1228 ModuleMemoryImages::new( 1229 &inner.engine, 1230 inner.module.module(), 1231 inner.code.module_memory_image_source(), 1232 ) 1233 } 1234 1235 impl crate::vm::ModuleMemoryImageSource for CodeMemory { 1236 fn wasm_data(&self) -> &[u8] { 1237 <Self>::wasm_data(self) 1238 } 1239 1240 fn mmap(&self) -> Option<&MmapVec> { 1241 Some(<Self>::mmap(self)) 1242 } 1243 } 1244 1245 #[cfg(test)] 1246 mod tests { 1247 use crate::{CodeBuilder, Engine, Module}; 1248 use wasmtime_environ::MemoryInitialization; 1249 1250 #[test] 1251 fn cow_on_by_default() { 1252 let engine = Engine::default(); 1253 let module = Module::new( 1254 &engine, 1255 r#" 1256 (module 1257 (memory 1) 1258 (data (i32.const 100) "abcd") 1259 ) 1260 "#, 1261 ) 1262 .unwrap(); 1263 1264 let init = &module.env_module().memory_initialization; 1265 assert!(matches!(init, MemoryInitialization::Static { .. })); 1266 } 1267 1268 #[test] 1269 #[cfg_attr(miri, ignore)] 1270 fn image_range_is_whole_image() { 1271 let wat = r#" 1272 (module 1273 (memory 1) 1274 (data (i32.const 0) "1234") 1275 (func (export "f") (param i32) (result i32) 1276 local.get 0)) 1277 "#; 1278 let engine = Engine::default(); 1279 let mut builder = CodeBuilder::new(&engine); 1280 builder.wasm_binary_or_text(wat.as_bytes(), None).unwrap(); 1281 let bytes = builder.compile_module_serialized().unwrap(); 1282 1283 let module = unsafe { Module::deserialize(&engine, &bytes).unwrap() }; 1284 let image_range = module.image_range(); 1285 let len = image_range.end.addr() - image_range.start.addr(); 1286 // Length may be strictly greater if it becomes page-aligned. 1287 assert!(len >= bytes.len()); 1288 } 1289 } 1290