1 use crate::prelude::*; 2 use crate::runtime::vm::const_expr::{ConstEvalContext, ConstExprEvaluator}; 3 use crate::runtime::vm::imports::Imports; 4 use crate::runtime::vm::instance::{Instance, InstanceHandle}; 5 use crate::runtime::vm::memory::Memory; 6 use crate::runtime::vm::mpk::ProtectionKey; 7 use crate::runtime::vm::table::Table; 8 use crate::runtime::vm::{CompiledModuleId, ModuleRuntimeInfo}; 9 use crate::store::{Asyncness, InstanceId, StoreOpaque, StoreResourceLimiter}; 10 use crate::{OpaqueRootScope, Val}; 11 use core::future::Future; 12 use core::pin::Pin; 13 use core::{mem, ptr}; 14 use wasmtime_environ::{ 15 DefinedMemoryIndex, DefinedTableIndex, HostPtr, InitMemory, MemoryInitialization, 16 MemoryInitializer, Module, SizeOverflow, TableInitialValue, Trap, VMOffsets, 17 }; 18 19 #[cfg(feature = "gc")] 20 use crate::runtime::vm::{GcHeap, GcRuntime}; 21 22 #[cfg(feature = "component-model")] 23 use wasmtime_environ::{ 24 StaticModuleIndex, 25 component::{Component, VMComponentOffsets}, 26 }; 27 28 mod on_demand; 29 pub use self::on_demand::OnDemandInstanceAllocator; 30 31 #[cfg(feature = "pooling-allocator")] 32 mod pooling; 33 #[cfg(feature = "pooling-allocator")] 34 pub use self::pooling::{ 35 InstanceLimits, PoolConcurrencyLimitError, PoolingAllocatorMetrics, PoolingInstanceAllocator, 36 PoolingInstanceAllocatorConfig, 37 }; 38 39 /// Represents a request for a new runtime instance. 40 pub struct InstanceAllocationRequest<'a, 'b> { 41 /// The instance id that this will be assigned within the store once the 42 /// allocation has finished. 43 pub id: InstanceId, 44 45 /// The info related to the compiled version of this module, 46 /// needed for instantiation: function metadata, JIT code 47 /// addresses, precomputed images for lazy memory and table 48 /// initialization, and the like. This Arc is cloned and held for 49 /// the lifetime of the instance. 50 pub runtime_info: &'a ModuleRuntimeInfo, 51 52 /// The imports to use for the instantiation. 53 pub imports: Imports<'a>, 54 55 /// The store that this instance is being allocated into. 56 pub store: &'a StoreOpaque, 57 58 /// The store's resource limiter, if configured by the embedder. 59 pub limiter: Option<&'a mut StoreResourceLimiter<'b>>, 60 } 61 62 /// The index of a memory allocation within an `InstanceAllocator`. 63 #[derive(Clone, Copy, Debug, Eq, PartialEq, PartialOrd, Ord)] 64 pub struct MemoryAllocationIndex(u32); 65 66 impl Default for MemoryAllocationIndex { 67 fn default() -> Self { 68 // A default `MemoryAllocationIndex` that can be used with 69 // `InstanceAllocator`s that don't actually need indices. 70 MemoryAllocationIndex(u32::MAX) 71 } 72 } 73 74 impl MemoryAllocationIndex { 75 /// Get the underlying index of this `MemoryAllocationIndex`. 76 #[cfg(feature = "pooling-allocator")] 77 pub fn index(&self) -> usize { 78 self.0 as usize 79 } 80 } 81 82 /// The index of a table allocation within an `InstanceAllocator`. 83 #[derive(Clone, Copy, Debug, Eq, PartialEq, PartialOrd, Ord)] 84 pub struct TableAllocationIndex(u32); 85 86 impl Default for TableAllocationIndex { 87 fn default() -> Self { 88 // A default `TableAllocationIndex` that can be used with 89 // `InstanceAllocator`s that don't actually need indices. 90 TableAllocationIndex(u32::MAX) 91 } 92 } 93 94 impl TableAllocationIndex { 95 /// Get the underlying index of this `TableAllocationIndex`. 96 #[cfg(feature = "pooling-allocator")] 97 pub fn index(&self) -> usize { 98 self.0 as usize 99 } 100 } 101 102 /// The index of a table allocation within an `InstanceAllocator`. 103 #[derive(Clone, Copy, Debug, Eq, PartialEq, PartialOrd, Ord)] 104 pub struct GcHeapAllocationIndex(u32); 105 106 impl Default for GcHeapAllocationIndex { 107 fn default() -> Self { 108 // A default `GcHeapAllocationIndex` that can be used with 109 // `InstanceAllocator`s that don't actually need indices. 110 GcHeapAllocationIndex(u32::MAX) 111 } 112 } 113 114 impl GcHeapAllocationIndex { 115 /// Get the underlying index of this `GcHeapAllocationIndex`. 116 pub fn index(&self) -> usize { 117 self.0 as usize 118 } 119 } 120 121 /// Trait that represents the hooks needed to implement an instance allocator. 122 /// 123 /// Implement this trait when implementing new instance allocators, but don't 124 /// use this trait when you need an instance allocator. Instead use the 125 /// `InstanceAllocator` trait for that, which has additional helper methods and 126 /// a blanket implementation for all types that implement this trait. 127 /// 128 /// # Safety 129 /// 130 /// This trait is unsafe as it requires knowledge of Wasmtime's runtime 131 /// internals to implement correctly. 132 pub unsafe trait InstanceAllocator: Send + Sync { 133 /// Validate whether a component (including all of its contained core 134 /// modules) is allocatable by this instance allocator. 135 #[cfg(feature = "component-model")] 136 fn validate_component<'a>( 137 &self, 138 component: &Component, 139 offsets: &VMComponentOffsets<HostPtr>, 140 get_module: &'a dyn Fn(StaticModuleIndex) -> &'a Module, 141 ) -> Result<()>; 142 143 /// Validate whether a module is allocatable by this instance allocator. 144 fn validate_module(&self, module: &Module, offsets: &VMOffsets<HostPtr>) -> Result<()>; 145 146 /// Validate whether a memory is allocatable by this instance allocator. 147 #[cfg(feature = "gc")] 148 fn validate_memory(&self, memory: &wasmtime_environ::Memory) -> Result<()>; 149 150 /// Increment the count of concurrent component instances that are currently 151 /// allocated, if applicable. 152 /// 153 /// Not all instance allocators will have limits for the maximum number of 154 /// concurrent component instances that can be live at the same time, and 155 /// these allocators may implement this method with a no-op. 156 // 157 // Note: It would be nice to have an associated type that on construction 158 // does the increment and on drop does the decrement but there are two 159 // problems with this: 160 // 161 // 1. This trait's implementations are always used as trait objects, and 162 // associated types are not object safe. 163 // 164 // 2. We would want a parameterized `Drop` implementation so that we could 165 // pass in the `InstanceAllocator` on drop, but this doesn't exist in 166 // Rust. Therefore, we would be forced to add reference counting and 167 // stuff like that to keep a handle on the instance allocator from this 168 // theoretical type. That's a bummer. 169 #[cfg(feature = "component-model")] 170 fn increment_component_instance_count(&self) -> Result<()>; 171 172 /// The dual of `increment_component_instance_count`. 173 #[cfg(feature = "component-model")] 174 fn decrement_component_instance_count(&self); 175 176 /// Increment the count of concurrent core module instances that are 177 /// currently allocated, if applicable. 178 /// 179 /// Not all instance allocators will have limits for the maximum number of 180 /// concurrent core module instances that can be live at the same time, and 181 /// these allocators may implement this method with a no-op. 182 fn increment_core_instance_count(&self) -> Result<()>; 183 184 /// The dual of `increment_core_instance_count`. 185 fn decrement_core_instance_count(&self); 186 187 /// Allocate a memory for an instance. 188 /// 189 /// Returns `Err(OutOfMemory)` if boxing the future fails. The inner 190 /// `Result` covers other allocation errors (e.g. resource limits). 191 fn allocate_memory<'a, 'b: 'a, 'c: 'a>( 192 &'a self, 193 request: &'a mut InstanceAllocationRequest<'b, 'c>, 194 ty: &'a wasmtime_environ::Memory, 195 memory_index: Option<DefinedMemoryIndex>, 196 ) -> Pin<Box<dyn Future<Output = Result<(MemoryAllocationIndex, Memory)>> + Send + 'a>>; 197 198 /// Deallocate an instance's previously allocated memory. 199 /// 200 /// # Unsafety 201 /// 202 /// The memory must have previously been allocated by 203 /// `Self::allocate_memory`, be at the given index, and must currently be 204 /// allocated. It must never be used again. 205 unsafe fn deallocate_memory( 206 &self, 207 memory_index: Option<DefinedMemoryIndex>, 208 allocation_index: MemoryAllocationIndex, 209 memory: Memory, 210 ); 211 212 /// Allocate a table for an instance. 213 /// 214 /// Returns `Err(OutOfMemory)` if boxing the future fails. The inner 215 /// `Result` covers other allocation errors (e.g. resource limits). 216 fn allocate_table<'a, 'b: 'a, 'c: 'a>( 217 &'a self, 218 req: &'a mut InstanceAllocationRequest<'b, 'c>, 219 table: &'a wasmtime_environ::Table, 220 table_index: DefinedTableIndex, 221 ) -> Pin<Box<dyn Future<Output = Result<(TableAllocationIndex, Table)>> + Send + 'a>>; 222 223 /// Deallocate an instance's previously allocated table. 224 /// 225 /// # Unsafety 226 /// 227 /// The table must have previously been allocated by `Self::allocate_table`, 228 /// be at the given index, and must currently be allocated. It must never be 229 /// used again. 230 unsafe fn deallocate_table( 231 &self, 232 table_index: DefinedTableIndex, 233 allocation_index: TableAllocationIndex, 234 table: Table, 235 ); 236 237 /// Allocates a fiber stack for calling async functions on. 238 #[cfg(feature = "async")] 239 fn allocate_fiber_stack(&self) -> Result<wasmtime_fiber::FiberStack>; 240 241 /// Deallocates a fiber stack that was previously allocated with 242 /// `allocate_fiber_stack`. 243 /// 244 /// # Safety 245 /// 246 /// The provided stack is required to have been allocated with 247 /// `allocate_fiber_stack`. 248 #[cfg(feature = "async")] 249 unsafe fn deallocate_fiber_stack(&self, stack: wasmtime_fiber::FiberStack); 250 251 /// Allocate a GC heap for allocating Wasm GC objects within. 252 #[cfg(feature = "gc")] 253 fn allocate_gc_heap( 254 &self, 255 engine: &crate::Engine, 256 gc_runtime: &dyn GcRuntime, 257 memory_alloc_index: MemoryAllocationIndex, 258 memory: Memory, 259 ) -> Result<(GcHeapAllocationIndex, Box<dyn GcHeap>)>; 260 261 /// Deallocate a GC heap that was previously allocated with 262 /// `allocate_gc_heap`. 263 #[cfg(feature = "gc")] 264 #[must_use = "it is the caller's responsibility to deallocate the GC heap's underlying memory \ 265 storage after the GC heap is deallocated"] 266 fn deallocate_gc_heap( 267 &self, 268 allocation_index: GcHeapAllocationIndex, 269 gc_heap: Box<dyn GcHeap>, 270 ) -> (MemoryAllocationIndex, Memory); 271 272 /// Purges all lingering resources related to `module` from within this 273 /// allocator. 274 /// 275 /// Primarily present for the pooling allocator to remove mappings of 276 /// this module from slots in linear memory. 277 fn purge_module(&self, module: CompiledModuleId); 278 279 /// Use the next available protection key. 280 /// 281 /// The pooling allocator can use memory protection keys (MPK) for 282 /// compressing the guard regions protecting against OOB. Each 283 /// pool-allocated store needs its own key. 284 fn next_available_pkey(&self) -> Option<ProtectionKey>; 285 286 /// Restrict access to memory regions protected by `pkey`. 287 /// 288 /// This is useful for the pooling allocator, which can use memory 289 /// protection keys (MPK). Note: this may still allow access to other 290 /// protection keys, such as the default kernel key; see implementations of 291 /// this. 292 fn restrict_to_pkey(&self, pkey: ProtectionKey); 293 294 /// Allow access to memory regions protected by any protection key. 295 fn allow_all_pkeys(&self); 296 297 /// Returns `Some(&PoolingInstanceAllocator)` if this is one. 298 #[cfg(feature = "pooling-allocator")] 299 fn as_pooling(&self) -> Option<&PoolingInstanceAllocator> { 300 None 301 } 302 } 303 304 impl dyn InstanceAllocator + '_ { 305 /// Allocates a fresh `InstanceHandle` for the `req` given. 306 /// 307 /// This will allocate memories and tables internally from this allocator 308 /// and weave that altogether into a final and complete `InstanceHandle` 309 /// ready to be registered with a store. 310 /// 311 /// Note that the returned instance must still have `.initialize(..)` called 312 /// on it to complete the instantiation process. 313 /// 314 /// # Safety 315 /// 316 /// The `request` provided must be valid, e.g. the imports within are 317 /// correctly sized/typed for the instance being created. 318 pub(crate) async unsafe fn allocate_module( 319 &self, 320 mut request: InstanceAllocationRequest<'_, '_>, 321 ) -> Result<InstanceHandle> { 322 let module = request.runtime_info.env_module(); 323 324 if cfg!(debug_assertions) { 325 InstanceAllocator::validate_module(self, module, request.runtime_info.offsets()) 326 .expect("module should have already been validated before allocation"); 327 } 328 329 self.increment_core_instance_count()?; 330 331 let num_defined_memories = module.num_defined_memories(); 332 let num_defined_tables = module.num_defined_tables(); 333 334 let mut guard = DeallocateOnDrop { 335 run_deallocate: true, 336 memories: TryPrimaryMap::with_capacity(num_defined_memories)?, 337 tables: TryPrimaryMap::with_capacity(num_defined_tables)?, 338 allocator: self, 339 }; 340 341 self.allocate_memories(&mut request, &mut guard.memories) 342 .await?; 343 self.allocate_tables(&mut request, &mut guard.tables) 344 .await?; 345 guard.run_deallocate = false; 346 // SAFETY: memories/tables were just allocated from the store within 347 // `request` and this function's own contract requires that the 348 // imports are valid. 349 return unsafe { 350 Ok(Instance::new( 351 request, 352 mem::take(&mut guard.memories), 353 mem::take(&mut guard.tables), 354 )?) 355 }; 356 357 struct DeallocateOnDrop<'a> { 358 run_deallocate: bool, 359 memories: TryPrimaryMap<DefinedMemoryIndex, (MemoryAllocationIndex, Memory)>, 360 tables: TryPrimaryMap<DefinedTableIndex, (TableAllocationIndex, Table)>, 361 allocator: &'a (dyn InstanceAllocator + 'a), 362 } 363 364 impl Drop for DeallocateOnDrop<'_> { 365 fn drop(&mut self) { 366 if !self.run_deallocate { 367 return; 368 } 369 // SAFETY: these were previously allocated by this allocator 370 unsafe { 371 self.allocator.deallocate_memories(&mut self.memories); 372 self.allocator.deallocate_tables(&mut self.tables); 373 } 374 self.allocator.decrement_core_instance_count(); 375 } 376 } 377 } 378 379 /// Deallocates the provided instance. 380 /// 381 /// This will null-out the pointer within `handle` and otherwise reclaim 382 /// resources such as tables, memories, and the instance memory itself. 383 /// 384 /// # Unsafety 385 /// 386 /// The instance must have previously been allocated by `Self::allocate`. 387 pub(crate) unsafe fn deallocate_module(&self, handle: &mut InstanceHandle) { 388 // SAFETY: the contract of `deallocate_*` is itself a contract of this 389 // function, that the memories/tables were previously allocated from 390 // here. 391 unsafe { 392 self.deallocate_memories(handle.get_mut().memories_mut()); 393 self.deallocate_tables(handle.get_mut().tables_mut()); 394 } 395 396 self.decrement_core_instance_count(); 397 } 398 399 /// Allocate the memories for the given instance allocation request, pushing 400 /// them into `memories`. 401 async fn allocate_memories( 402 &self, 403 request: &mut InstanceAllocationRequest<'_, '_>, 404 memories: &mut TryPrimaryMap<DefinedMemoryIndex, (MemoryAllocationIndex, Memory)>, 405 ) -> Result<()> { 406 let module = request.runtime_info.env_module(); 407 408 if cfg!(debug_assertions) { 409 InstanceAllocator::validate_module(self, module, request.runtime_info.offsets()) 410 .expect("module should have already been validated before allocation"); 411 } 412 413 for (memory_index, ty) in module.memories.iter().skip(module.num_imported_memories) { 414 let memory_index = module 415 .defined_memory_index(memory_index) 416 .expect("should be a defined memory since we skipped imported ones"); 417 418 let memory = self 419 .allocate_memory(request, ty, Some(memory_index)) 420 .await?; 421 memories.push(memory)?; 422 } 423 424 Ok(()) 425 } 426 427 /// Deallocate all the memories in the given primary map. 428 /// 429 /// # Unsafety 430 /// 431 /// The memories must have previously been allocated by 432 /// `Self::allocate_memories`. 433 unsafe fn deallocate_memories( 434 &self, 435 memories: &mut TryPrimaryMap<DefinedMemoryIndex, (MemoryAllocationIndex, Memory)>, 436 ) { 437 for (memory_index, (allocation_index, memory)) in mem::take(memories) { 438 // Because deallocating memory is infallible, we don't need to worry 439 // about leaking subsequent memories if the first memory failed to 440 // deallocate. If deallocating memory ever becomes fallible, we will 441 // need to be careful here! 442 // 443 // SAFETY: the unsafe contract here is the same as the unsafe 444 // contract of this function, that the memories were previously 445 // allocated by this allocator. 446 unsafe { 447 self.deallocate_memory(Some(memory_index), allocation_index, memory); 448 } 449 } 450 } 451 452 /// Allocate tables for the given instance allocation request, pushing them 453 /// into `tables`. 454 async fn allocate_tables( 455 &self, 456 request: &mut InstanceAllocationRequest<'_, '_>, 457 tables: &mut TryPrimaryMap<DefinedTableIndex, (TableAllocationIndex, Table)>, 458 ) -> Result<()> { 459 let module = request.runtime_info.env_module(); 460 461 if cfg!(debug_assertions) { 462 InstanceAllocator::validate_module(self, module, request.runtime_info.offsets()) 463 .expect("module should have already been validated before allocation"); 464 } 465 466 for (index, table) in module.tables.iter().skip(module.num_imported_tables) { 467 let def_index = module 468 .defined_table_index(index) 469 .expect("should be a defined table since we skipped imported ones"); 470 471 let table = self.allocate_table(request, table, def_index).await?; 472 tables.push(table)?; 473 } 474 475 Ok(()) 476 } 477 478 /// Deallocate all the tables in the given primary map. 479 /// 480 /// # Unsafety 481 /// 482 /// The tables must have previously been allocated by 483 /// `Self::allocate_tables`. 484 unsafe fn deallocate_tables( 485 &self, 486 tables: &mut TryPrimaryMap<DefinedTableIndex, (TableAllocationIndex, Table)>, 487 ) { 488 for (table_index, (allocation_index, table)) in mem::take(tables) { 489 // SAFETY: the tables here were allocated from this allocator per 490 // the contract on this function itself. 491 unsafe { 492 self.deallocate_table(table_index, allocation_index, table); 493 } 494 } 495 } 496 } 497 498 fn check_table_init_bounds( 499 store: &mut StoreOpaque, 500 instance: InstanceId, 501 module: &Module, 502 context: &mut ConstEvalContext, 503 const_evaluator: &mut ConstExprEvaluator, 504 ) -> Result<()> { 505 let mut store = OpaqueRootScope::new(store); 506 507 for segment in module.table_initialization.segments.iter() { 508 let start = const_evaluator 509 .eval_int(&mut store, context, &segment.offset) 510 .expect("const expression should be valid"); 511 let start = usize::try_from(start.unwrap_i32().cast_unsigned()).unwrap(); 512 let end = start.checked_add(usize::try_from(segment.elements.len()).unwrap()); 513 514 let table = store.instance_mut(instance).get_table(segment.table_index); 515 match end { 516 Some(end) if end <= table.size() => { 517 // Initializer is in bounds 518 } 519 _ => { 520 bail!("table out of bounds: elements segment does not fit") 521 } 522 } 523 } 524 525 Ok(()) 526 } 527 528 async fn initialize_tables( 529 store: &mut StoreOpaque, 530 mut limiter: Option<&mut StoreResourceLimiter<'_>>, 531 context: &mut ConstEvalContext, 532 const_evaluator: &mut ConstExprEvaluator, 533 module: &Module, 534 ) -> Result<()> { 535 let mut store = OpaqueRootScope::new(store); 536 for (table, init) in module.table_initialization.initial_values.iter() { 537 match init { 538 // Tables are always initially null-initialized at this time 539 TableInitialValue::Null { precomputed: _ } => {} 540 541 TableInitialValue::Expr(expr) => { 542 let init = const_evaluator 543 .eval(&mut store, limiter.as_deref_mut(), context, expr) 544 .await?; 545 let idx = module.table_index(table); 546 let id = store.id(); 547 let table = store 548 .instance_mut(context.instance) 549 .get_exported_table(id, idx); 550 let size = table._size(&store); 551 table._fill(&mut store, 0, init.ref_().unwrap(), size)?; 552 } 553 } 554 } 555 556 // Note: if the module's table initializer state is in 557 // FuncTable mode, we will lazily initialize tables based on 558 // any statically-precomputed image of FuncIndexes, but there 559 // may still be "leftover segments" that could not be 560 // incorporated. So we have a unified handler here that 561 // iterates over all segments (Segments mode) or leftover 562 // segments (FuncTable mode) to initialize. 563 for segment in module.table_initialization.segments.iter() { 564 let start = const_evaluator 565 .eval_int(&mut store, context, &segment.offset) 566 .expect("const expression should be valid"); 567 let start = get_index( 568 start, 569 store.instance(context.instance).env_module().tables[segment.table_index].idx_type, 570 ); 571 Instance::table_init_segment( 572 &mut store, 573 limiter.as_deref_mut(), 574 context.asyncness, 575 context.instance, 576 const_evaluator, 577 segment.table_index, 578 &segment.elements, 579 start, 580 0, 581 segment.elements.len(), 582 ) 583 .await?; 584 } 585 586 Ok(()) 587 } 588 589 fn get_index(val: &Val, ty: wasmtime_environ::IndexType) -> u64 { 590 match ty { 591 wasmtime_environ::IndexType::I32 => val.unwrap_i32().cast_unsigned().into(), 592 wasmtime_environ::IndexType::I64 => val.unwrap_i64().cast_unsigned(), 593 } 594 } 595 596 fn get_memory_init_start( 597 store: &mut StoreOpaque, 598 init: &MemoryInitializer, 599 instance: InstanceId, 600 context: &mut ConstEvalContext, 601 const_evaluator: &mut ConstExprEvaluator, 602 ) -> Result<u64> { 603 let mut store = OpaqueRootScope::new(store); 604 const_evaluator 605 .eval_int(&mut store, context, &init.offset) 606 .map(|v| { 607 get_index( 608 v, 609 store.instance(instance).env_module().memories[init.memory_index].idx_type, 610 ) 611 }) 612 } 613 614 fn check_memory_init_bounds( 615 store: &mut StoreOpaque, 616 instance: InstanceId, 617 initializers: &[MemoryInitializer], 618 context: &mut ConstEvalContext, 619 const_evaluator: &mut ConstExprEvaluator, 620 ) -> Result<()> { 621 for init in initializers { 622 let memory = store.instance_mut(instance).get_memory(init.memory_index); 623 let start = get_memory_init_start(store, init, instance, context, const_evaluator)?; 624 let end = usize::try_from(start) 625 .ok() 626 .and_then(|start| start.checked_add(init.data.len())); 627 628 match end { 629 Some(end) if end <= memory.current_length() => { 630 // Initializer is in bounds 631 } 632 _ => { 633 bail!("memory out of bounds: data segment does not fit") 634 } 635 } 636 } 637 638 Ok(()) 639 } 640 641 fn initialize_memories( 642 store: &mut StoreOpaque, 643 context: &mut ConstEvalContext, 644 const_evaluator: &mut ConstExprEvaluator, 645 module: &Module, 646 ) -> Result<()> { 647 // Delegates to the `init_memory` method which is sort of a duplicate of 648 // `instance.memory_init_segment` but is used at compile-time in other 649 // contexts so is shared here to have only one method of memory 650 // initialization. 651 // 652 // This call to `init_memory` notably implements all the bells and whistles 653 // so errors only happen if an out-of-bounds segment is found, in which case 654 // a trap is returned. 655 656 struct InitMemoryAtInstantiation<'a> { 657 module: &'a Module, 658 store: &'a mut StoreOpaque, 659 context: &'a mut ConstEvalContext, 660 const_evaluator: &'a mut ConstExprEvaluator, 661 } 662 663 impl InitMemory for InitMemoryAtInstantiation<'_> { 664 fn memory_size_in_bytes( 665 &mut self, 666 memory: wasmtime_environ::MemoryIndex, 667 ) -> Result<u64, SizeOverflow> { 668 let len = self 669 .store 670 .instance(self.context.instance) 671 .get_memory(memory) 672 .current_length(); 673 let len = u64::try_from(len).unwrap(); 674 Ok(len) 675 } 676 677 fn eval_offset( 678 &mut self, 679 memory: wasmtime_environ::MemoryIndex, 680 expr: &wasmtime_environ::ConstExpr, 681 ) -> Option<u64> { 682 let mut store = OpaqueRootScope::new(&mut *self.store); 683 let val = self 684 .const_evaluator 685 .eval_int(&mut store, self.context, expr) 686 .expect("const expression should be valid"); 687 Some(get_index( 688 val, 689 store.instance(self.context.instance).env_module().memories[memory].idx_type, 690 )) 691 } 692 693 fn write( 694 &mut self, 695 memory_index: wasmtime_environ::MemoryIndex, 696 init: &wasmtime_environ::StaticMemoryInitializer, 697 ) -> bool { 698 // If this initializer applies to a defined memory but that memory 699 // doesn't need initialization, due to something like copy-on-write 700 // pre-initializing it via mmap magic, then this initializer can be 701 // skipped entirely. 702 let instance = self.store.instance_mut(self.context.instance); 703 if let Some(memory_index) = self.module.defined_memory_index(memory_index) { 704 if !instance.memories[memory_index].1.needs_init() { 705 return true; 706 } 707 } 708 let memory = instance.get_memory(memory_index); 709 710 unsafe { 711 let src = instance.wasm_data(init.data.clone()); 712 let offset = usize::try_from(init.offset).unwrap(); 713 let dst = memory.base.as_ptr().add(offset); 714 715 assert!(offset + src.len() <= memory.current_length()); 716 717 // FIXME audit whether this is safe in the presence of shared 718 // memory 719 // (https://github.com/bytecodealliance/wasmtime/issues/4203). 720 ptr::copy_nonoverlapping(src.as_ptr(), dst, src.len()) 721 } 722 true 723 } 724 } 725 726 let ok = module 727 .memory_initialization 728 .init_memory(&mut InitMemoryAtInstantiation { 729 module, 730 store, 731 context, 732 const_evaluator, 733 }); 734 if !ok { 735 return Err(Trap::MemoryOutOfBounds.into()); 736 } 737 738 Ok(()) 739 } 740 741 fn check_init_bounds( 742 store: &mut StoreOpaque, 743 instance: InstanceId, 744 context: &mut ConstEvalContext, 745 const_evaluator: &mut ConstExprEvaluator, 746 module: &Module, 747 ) -> Result<()> { 748 check_table_init_bounds(store, instance, module, context, const_evaluator)?; 749 750 match &module.memory_initialization { 751 MemoryInitialization::Segmented(initializers) => { 752 check_memory_init_bounds(store, instance, initializers, context, const_evaluator)?; 753 } 754 // Statically validated already to have everything in-bounds. 755 MemoryInitialization::Static { .. } => {} 756 } 757 758 Ok(()) 759 } 760 761 async fn initialize_globals( 762 store: &mut StoreOpaque, 763 mut limiter: Option<&mut StoreResourceLimiter<'_>>, 764 context: &mut ConstEvalContext, 765 const_evaluator: &mut ConstExprEvaluator, 766 module: &Module, 767 ) -> Result<()> { 768 assert!(core::ptr::eq( 769 &**store.instance(context.instance).env_module(), 770 module 771 )); 772 773 let mut store = OpaqueRootScope::new(store); 774 775 for (index, init) in module.global_initializers.iter() { 776 // Attempt a simple, synchronous evaluation before hitting the 777 // general-purpose `.await` point below. This benchmarks ~15% faster in 778 // instantiation vs just falling through to `.await` below. 779 let val = if let Some(val) = const_evaluator.try_simple(init) { 780 val 781 } else { 782 const_evaluator 783 .eval(&mut store, limiter.as_deref_mut(), context, init) 784 .await? 785 }; 786 787 let id = store.id(); 788 let index = module.global_index(index); 789 let mut instance = store.instance_mut(context.instance); 790 791 #[cfg(feature = "wmemcheck")] 792 if index.as_u32() == 0 793 && module.globals[index].wasm_ty == wasmtime_environ::WasmValType::I32 794 { 795 if let Some(wmemcheck) = instance.as_mut().wmemcheck_state_mut() { 796 let size = usize::try_from(val.unwrap_i32()).unwrap(); 797 wmemcheck.set_stack_size(size); 798 } 799 } 800 801 let global = instance.as_mut().get_exported_global(id, index); 802 803 // Note that mutability is bypassed here because this is, by definition, 804 // initialization of globals meaning that if it's an immutable global 805 // this is the one and only write. 806 // 807 // SAFETY: this is a valid module so `val` should have the correct type 808 // for this global, and it's safe to write to a global for the first 809 // time as-is happening here. 810 unsafe { 811 global.set_unchecked(&mut store, &val)?; 812 } 813 } 814 Ok(()) 815 } 816 817 pub async fn initialize_instance( 818 store: &mut StoreOpaque, 819 mut limiter: Option<&mut StoreResourceLimiter<'_>>, 820 instance: InstanceId, 821 module: &Module, 822 is_bulk_memory: bool, 823 asyncness: Asyncness, 824 ) -> Result<()> { 825 let mut context = ConstEvalContext::new(instance, asyncness); 826 let mut const_evaluator = ConstExprEvaluator::default(); 827 828 // If bulk memory is not enabled, bounds check the data and element segments before 829 // making any changes. With bulk memory enabled, initializers are processed 830 // in-order and side effects are observed up to the point of an out-of-bounds 831 // initializer, so the early checking is not desired. 832 if !is_bulk_memory { 833 check_init_bounds(store, instance, &mut context, &mut const_evaluator, module)?; 834 } 835 836 initialize_globals( 837 store, 838 limiter.as_deref_mut(), 839 &mut context, 840 &mut const_evaluator, 841 module, 842 ) 843 .await?; 844 initialize_tables( 845 store, 846 limiter.as_deref_mut(), 847 &mut context, 848 &mut const_evaluator, 849 module, 850 ) 851 .await?; 852 initialize_memories(store, &mut context, &mut const_evaluator, &module)?; 853 854 Ok(()) 855 } 856 857 #[cfg(test)] 858 mod tests { 859 use super::*; 860 861 #[test] 862 fn allocator_traits_are_object_safe() { 863 fn _instance_allocator(_: &dyn InstanceAllocator) {} 864 } 865 } 866