1 use crate::prelude::*; 2 use crate::runtime::vm::const_expr::{ConstEvalContext, ConstExprEvaluator}; 3 use crate::runtime::vm::imports::Imports; 4 use crate::runtime::vm::instance::{Instance, InstanceHandle}; 5 use crate::runtime::vm::memory::Memory; 6 use crate::runtime::vm::mpk::ProtectionKey; 7 use crate::runtime::vm::table::Table; 8 use crate::runtime::vm::{CompiledModuleId, ModuleRuntimeInfo, VMFuncRef, VMGcRef, VMStore}; 9 use crate::store::{AutoAssertNoGc, InstanceId, StoreOpaque}; 10 use crate::vm::VMGlobalDefinition; 11 use core::ptr::NonNull; 12 use core::{mem, ptr}; 13 use wasmtime_environ::{ 14 DefinedMemoryIndex, DefinedTableIndex, HostPtr, InitMemory, MemoryInitialization, 15 MemoryInitializer, Module, PrimaryMap, SizeOverflow, TableInitialValue, Trap, Tunables, 16 VMOffsets, WasmHeapTopType, 17 }; 18 19 #[cfg(feature = "gc")] 20 use crate::runtime::vm::{GcHeap, GcRuntime}; 21 22 #[cfg(feature = "component-model")] 23 use wasmtime_environ::{ 24 StaticModuleIndex, 25 component::{Component, VMComponentOffsets}, 26 }; 27 28 mod on_demand; 29 pub use self::on_demand::OnDemandInstanceAllocator; 30 31 #[cfg(feature = "pooling-allocator")] 32 mod pooling; 33 #[cfg(feature = "pooling-allocator")] 34 pub use self::pooling::{ 35 InstanceLimits, PoolConcurrencyLimitError, PoolingInstanceAllocator, 36 PoolingInstanceAllocatorConfig, 37 }; 38 39 /// Represents a request for a new runtime instance. 40 pub struct InstanceAllocationRequest<'a> { 41 /// The instance id that this will be assigned within the store once the 42 /// allocation has finished. 43 pub id: InstanceId, 44 45 /// The info related to the compiled version of this module, 46 /// needed for instantiation: function metadata, JIT code 47 /// addresses, precomputed images for lazy memory and table 48 /// initialization, and the like. This Arc is cloned and held for 49 /// the lifetime of the instance. 50 pub runtime_info: &'a ModuleRuntimeInfo, 51 52 /// The imports to use for the instantiation. 53 pub imports: Imports<'a>, 54 55 /// A pointer to the "store" for this instance to be allocated. The store 56 /// correlates with the `Store` in wasmtime itself, and lots of contextual 57 /// information about the execution of wasm can be learned through the 58 /// store. 59 /// 60 /// Note that this is a raw pointer and has a static lifetime, both of which 61 /// are a bit of a lie. This is done purely so a store can learn about 62 /// itself when it gets called as a host function, and additionally so this 63 /// runtime can access internals as necessary (such as the 64 /// VMExternRefActivationsTable or the resource limiter methods). 65 /// 66 /// Note that this ends up being a self-pointer to the instance when stored. 67 /// The reason is that the instance itself is then stored within the store. 68 /// We use a number of `PhantomPinned` declarations to indicate this to the 69 /// compiler. More info on this in `wasmtime/src/store.rs` 70 pub store: StorePtr, 71 72 /// Indicates '--wmemcheck' flag. 73 #[cfg(feature = "wmemcheck")] 74 pub wmemcheck: bool, 75 76 /// Request that the instance's memories be protected by a specific 77 /// protection key. 78 #[cfg_attr( 79 not(feature = "pooling-allocator"), 80 expect( 81 dead_code, 82 reason = "easier to keep this field than remove it, not perf-critical to remove" 83 ) 84 )] 85 pub pkey: Option<ProtectionKey>, 86 87 /// Tunable configuration options the engine is using. 88 pub tunables: &'a Tunables, 89 } 90 91 /// A pointer to a Store. This Option<*mut dyn Store> is wrapped in a struct 92 /// so that the function to create a &mut dyn Store is a method on a member of 93 /// InstanceAllocationRequest, rather than on a &mut InstanceAllocationRequest 94 /// itself, because several use-sites require a split mut borrow on the 95 /// InstanceAllocationRequest. 96 pub struct StorePtr(Option<NonNull<dyn VMStore>>); 97 98 // We can't make `VMStore: Send + Sync` because that requires making all of 99 // Wastime's internals generic over the `Store`'s `T`. So instead, we take care 100 // in the whole VM layer to only use the `VMStore` in ways that are `Send`- and 101 // `Sync`-safe and we have to have these unsafe impls. 102 unsafe impl Send for StorePtr {} 103 unsafe impl Sync for StorePtr {} 104 105 impl StorePtr { 106 /// A pointer to no Store. 107 pub fn empty() -> Self { 108 Self(None) 109 } 110 111 /// A pointer to a Store. 112 pub fn new(ptr: NonNull<dyn VMStore>) -> Self { 113 Self(Some(ptr)) 114 } 115 116 /// The raw contents of this struct 117 pub fn as_raw(&self) -> Option<NonNull<dyn VMStore>> { 118 self.0 119 } 120 121 /// Use the StorePtr as a mut ref to the Store. 122 /// 123 /// Safety: must not be used outside the original lifetime of the borrow. 124 pub(crate) unsafe fn get(&mut self) -> Option<&mut dyn VMStore> { 125 let ptr = unsafe { self.0?.as_mut() }; 126 Some(ptr) 127 } 128 } 129 130 /// The index of a memory allocation within an `InstanceAllocator`. 131 #[derive(Clone, Copy, Debug, Eq, PartialEq, PartialOrd, Ord)] 132 pub struct MemoryAllocationIndex(u32); 133 134 impl Default for MemoryAllocationIndex { 135 fn default() -> Self { 136 // A default `MemoryAllocationIndex` that can be used with 137 // `InstanceAllocator`s that don't actually need indices. 138 MemoryAllocationIndex(u32::MAX) 139 } 140 } 141 142 impl MemoryAllocationIndex { 143 /// Get the underlying index of this `MemoryAllocationIndex`. 144 #[cfg(feature = "pooling-allocator")] 145 pub fn index(&self) -> usize { 146 self.0 as usize 147 } 148 } 149 150 /// The index of a table allocation within an `InstanceAllocator`. 151 #[derive(Clone, Copy, Debug, Eq, PartialEq, PartialOrd, Ord)] 152 pub struct TableAllocationIndex(u32); 153 154 impl Default for TableAllocationIndex { 155 fn default() -> Self { 156 // A default `TableAllocationIndex` that can be used with 157 // `InstanceAllocator`s that don't actually need indices. 158 TableAllocationIndex(u32::MAX) 159 } 160 } 161 162 impl TableAllocationIndex { 163 /// Get the underlying index of this `TableAllocationIndex`. 164 #[cfg(feature = "pooling-allocator")] 165 pub fn index(&self) -> usize { 166 self.0 as usize 167 } 168 } 169 170 /// The index of a table allocation within an `InstanceAllocator`. 171 #[derive(Clone, Copy, Debug, Eq, PartialEq, PartialOrd, Ord)] 172 pub struct GcHeapAllocationIndex(u32); 173 174 impl Default for GcHeapAllocationIndex { 175 fn default() -> Self { 176 // A default `GcHeapAllocationIndex` that can be used with 177 // `InstanceAllocator`s that don't actually need indices. 178 GcHeapAllocationIndex(u32::MAX) 179 } 180 } 181 182 impl GcHeapAllocationIndex { 183 /// Get the underlying index of this `GcHeapAllocationIndex`. 184 pub fn index(&self) -> usize { 185 self.0 as usize 186 } 187 } 188 189 /// Trait that represents the hooks needed to implement an instance allocator. 190 /// 191 /// Implement this trait when implementing new instance allocators, but don't 192 /// use this trait when you need an instance allocator. Instead use the 193 /// `InstanceAllocator` trait for that, which has additional helper methods and 194 /// a blanket implementation for all types that implement this trait. 195 /// 196 /// # Safety 197 /// 198 /// This trait is unsafe as it requires knowledge of Wasmtime's runtime 199 /// internals to implement correctly. 200 pub unsafe trait InstanceAllocatorImpl { 201 /// Validate whether a component (including all of its contained core 202 /// modules) is allocatable by this instance allocator. 203 #[cfg(feature = "component-model")] 204 fn validate_component_impl<'a>( 205 &self, 206 component: &Component, 207 offsets: &VMComponentOffsets<HostPtr>, 208 get_module: &'a dyn Fn(StaticModuleIndex) -> &'a Module, 209 ) -> Result<()>; 210 211 /// Validate whether a module is allocatable by this instance allocator. 212 fn validate_module_impl(&self, module: &Module, offsets: &VMOffsets<HostPtr>) -> Result<()>; 213 214 /// Validate whether a memory is allocatable by this instance allocator. 215 #[cfg(feature = "gc")] 216 fn validate_memory_impl(&self, memory: &wasmtime_environ::Memory) -> Result<()>; 217 218 /// Increment the count of concurrent component instances that are currently 219 /// allocated, if applicable. 220 /// 221 /// Not all instance allocators will have limits for the maximum number of 222 /// concurrent component instances that can be live at the same time, and 223 /// these allocators may implement this method with a no-op. 224 // 225 // Note: It would be nice to have an associated type that on construction 226 // does the increment and on drop does the decrement but there are two 227 // problems with this: 228 // 229 // 1. This trait's implementations are always used as trait objects, and 230 // associated types are not object safe. 231 // 232 // 2. We would want a parameterized `Drop` implementation so that we could 233 // pass in the `InstanceAllocatorImpl` on drop, but this doesn't exist in 234 // Rust. Therefore, we would be forced to add reference counting and 235 // stuff like that to keep a handle on the instance allocator from this 236 // theoretical type. That's a bummer. 237 #[cfg(feature = "component-model")] 238 fn increment_component_instance_count(&self) -> Result<()>; 239 240 /// The dual of `increment_component_instance_count`. 241 #[cfg(feature = "component-model")] 242 fn decrement_component_instance_count(&self); 243 244 /// Increment the count of concurrent core module instances that are 245 /// currently allocated, if applicable. 246 /// 247 /// Not all instance allocators will have limits for the maximum number of 248 /// concurrent core module instances that can be live at the same time, and 249 /// these allocators may implement this method with a no-op. 250 fn increment_core_instance_count(&self) -> Result<()>; 251 252 /// The dual of `increment_core_instance_count`. 253 fn decrement_core_instance_count(&self); 254 255 /// Allocate a memory for an instance. 256 fn allocate_memory( 257 &self, 258 request: &mut InstanceAllocationRequest, 259 ty: &wasmtime_environ::Memory, 260 tunables: &Tunables, 261 memory_index: Option<DefinedMemoryIndex>, 262 ) -> Result<(MemoryAllocationIndex, Memory)>; 263 264 /// Deallocate an instance's previously allocated memory. 265 /// 266 /// # Unsafety 267 /// 268 /// The memory must have previously been allocated by 269 /// `Self::allocate_memory`, be at the given index, and must currently be 270 /// allocated. It must never be used again. 271 unsafe fn deallocate_memory( 272 &self, 273 memory_index: Option<DefinedMemoryIndex>, 274 allocation_index: MemoryAllocationIndex, 275 memory: Memory, 276 ); 277 278 /// Allocate a table for an instance. 279 fn allocate_table( 280 &self, 281 req: &mut InstanceAllocationRequest, 282 table: &wasmtime_environ::Table, 283 tunables: &Tunables, 284 table_index: DefinedTableIndex, 285 ) -> Result<(TableAllocationIndex, Table)>; 286 287 /// Deallocate an instance's previously allocated table. 288 /// 289 /// # Unsafety 290 /// 291 /// The table must have previously been allocated by `Self::allocate_table`, 292 /// be at the given index, and must currently be allocated. It must never be 293 /// used again. 294 unsafe fn deallocate_table( 295 &self, 296 table_index: DefinedTableIndex, 297 allocation_index: TableAllocationIndex, 298 table: Table, 299 ); 300 301 /// Allocates a fiber stack for calling async functions on. 302 #[cfg(feature = "async")] 303 fn allocate_fiber_stack(&self) -> Result<wasmtime_fiber::FiberStack>; 304 305 /// Deallocates a fiber stack that was previously allocated with 306 /// `allocate_fiber_stack`. 307 /// 308 /// # Safety 309 /// 310 /// The provided stack is required to have been allocated with 311 /// `allocate_fiber_stack`. 312 #[cfg(feature = "async")] 313 unsafe fn deallocate_fiber_stack(&self, stack: wasmtime_fiber::FiberStack); 314 315 /// Allocate a GC heap for allocating Wasm GC objects within. 316 #[cfg(feature = "gc")] 317 fn allocate_gc_heap( 318 &self, 319 engine: &crate::Engine, 320 gc_runtime: &dyn GcRuntime, 321 memory_alloc_index: MemoryAllocationIndex, 322 memory: Memory, 323 ) -> Result<(GcHeapAllocationIndex, Box<dyn GcHeap>)>; 324 325 /// Deallocate a GC heap that was previously allocated with 326 /// `allocate_gc_heap`. 327 #[cfg(feature = "gc")] 328 #[must_use = "it is the caller's responsibility to deallocate the GC heap's underlying memory \ 329 storage after the GC heap is deallocated"] 330 fn deallocate_gc_heap( 331 &self, 332 allocation_index: GcHeapAllocationIndex, 333 gc_heap: Box<dyn GcHeap>, 334 ) -> (MemoryAllocationIndex, Memory); 335 336 /// Purges all lingering resources related to `module` from within this 337 /// allocator. 338 /// 339 /// Primarily present for the pooling allocator to remove mappings of 340 /// this module from slots in linear memory. 341 fn purge_module(&self, module: CompiledModuleId); 342 343 /// Use the next available protection key. 344 /// 345 /// The pooling allocator can use memory protection keys (MPK) for 346 /// compressing the guard regions protecting against OOB. Each 347 /// pool-allocated store needs its own key. 348 fn next_available_pkey(&self) -> Option<ProtectionKey>; 349 350 /// Restrict access to memory regions protected by `pkey`. 351 /// 352 /// This is useful for the pooling allocator, which can use memory 353 /// protection keys (MPK). Note: this may still allow access to other 354 /// protection keys, such as the default kernel key; see implementations of 355 /// this. 356 fn restrict_to_pkey(&self, pkey: ProtectionKey); 357 358 /// Allow access to memory regions protected by any protection key. 359 fn allow_all_pkeys(&self); 360 } 361 362 /// A thing that can allocate instances. 363 /// 364 /// Don't implement this trait directly, instead implement 365 /// `InstanceAllocatorImpl` and you'll get this trait for free via a blanket 366 /// impl. 367 pub trait InstanceAllocator: InstanceAllocatorImpl { 368 /// Validate whether a component (including all of its contained core 369 /// modules) is allocatable with this instance allocator. 370 #[cfg(feature = "component-model")] 371 fn validate_component<'a>( 372 &self, 373 component: &Component, 374 offsets: &VMComponentOffsets<HostPtr>, 375 get_module: &'a dyn Fn(StaticModuleIndex) -> &'a Module, 376 ) -> Result<()> { 377 InstanceAllocatorImpl::validate_component_impl(self, component, offsets, get_module) 378 } 379 380 /// Validate whether a core module is allocatable with this instance 381 /// allocator. 382 fn validate_module(&self, module: &Module, offsets: &VMOffsets<HostPtr>) -> Result<()> { 383 InstanceAllocatorImpl::validate_module_impl(self, module, offsets) 384 } 385 386 /// Validate whether a memory is allocatable with this instance allocator. 387 #[cfg(feature = "gc")] 388 fn validate_memory(&self, memory: &wasmtime_environ::Memory) -> Result<()> { 389 InstanceAllocatorImpl::validate_memory_impl(self, memory) 390 } 391 392 /// Allocates a fresh `InstanceHandle` for the `req` given. 393 /// 394 /// This will allocate memories and tables internally from this allocator 395 /// and weave that altogether into a final and complete `InstanceHandle` 396 /// ready to be registered with a store. 397 /// 398 /// Note that the returned instance must still have `.initialize(..)` called 399 /// on it to complete the instantiation process. 400 /// 401 /// # Safety 402 /// 403 /// The `request` provided must be valid, e.g. the imports within are 404 /// correctly sized/typed for the instance being created. 405 unsafe fn allocate_module( 406 &self, 407 mut request: InstanceAllocationRequest, 408 ) -> Result<InstanceHandle> { 409 let module = request.runtime_info.env_module(); 410 411 #[cfg(debug_assertions)] 412 InstanceAllocatorImpl::validate_module_impl(self, module, request.runtime_info.offsets()) 413 .expect("module should have already been validated before allocation"); 414 415 self.increment_core_instance_count()?; 416 417 let num_defined_memories = module.num_defined_memories(); 418 let mut memories = PrimaryMap::with_capacity(num_defined_memories); 419 420 let num_defined_tables = module.num_defined_tables(); 421 let mut tables = PrimaryMap::with_capacity(num_defined_tables); 422 423 match (|| { 424 self.allocate_memories(&mut request, &mut memories)?; 425 self.allocate_tables(&mut request, &mut tables)?; 426 Ok(()) 427 })() { 428 // SAFETY: memories/tables were just allocated from the store within 429 // `request` and this function's own contract requires that the 430 // imports are valid. 431 Ok(_) => unsafe { Ok(Instance::new(request, memories, tables, &module.memories)) }, 432 Err(e) => { 433 // SAFETY: these were previously allocated by this allocator 434 unsafe { 435 self.deallocate_memories(&mut memories); 436 self.deallocate_tables(&mut tables); 437 } 438 self.decrement_core_instance_count(); 439 Err(e) 440 } 441 } 442 } 443 444 /// Deallocates the provided instance. 445 /// 446 /// This will null-out the pointer within `handle` and otherwise reclaim 447 /// resources such as tables, memories, and the instance memory itself. 448 /// 449 /// # Unsafety 450 /// 451 /// The instance must have previously been allocated by `Self::allocate`. 452 unsafe fn deallocate_module(&self, handle: &mut InstanceHandle) { 453 // SAFETY: the contract of `deallocate_*` is itself a contract of this 454 // function, that the memories/tables were previously allocated from 455 // here. 456 unsafe { 457 self.deallocate_memories(handle.get_mut().memories_mut()); 458 self.deallocate_tables(handle.get_mut().tables_mut()); 459 } 460 461 self.decrement_core_instance_count(); 462 } 463 464 /// Allocate the memories for the given instance allocation request, pushing 465 /// them into `memories`. 466 fn allocate_memories( 467 &self, 468 request: &mut InstanceAllocationRequest, 469 memories: &mut PrimaryMap<DefinedMemoryIndex, (MemoryAllocationIndex, Memory)>, 470 ) -> Result<()> { 471 let module = request.runtime_info.env_module(); 472 473 #[cfg(debug_assertions)] 474 InstanceAllocatorImpl::validate_module_impl(self, module, request.runtime_info.offsets()) 475 .expect("module should have already been validated before allocation"); 476 477 for (memory_index, ty) in module.memories.iter().skip(module.num_imported_memories) { 478 let memory_index = module 479 .defined_memory_index(memory_index) 480 .expect("should be a defined memory since we skipped imported ones"); 481 482 let memory = self.allocate_memory(request, ty, request.tunables, Some(memory_index))?; 483 memories.push(memory); 484 } 485 486 Ok(()) 487 } 488 489 /// Deallocate all the memories in the given primary map. 490 /// 491 /// # Unsafety 492 /// 493 /// The memories must have previously been allocated by 494 /// `Self::allocate_memories`. 495 unsafe fn deallocate_memories( 496 &self, 497 memories: &mut PrimaryMap<DefinedMemoryIndex, (MemoryAllocationIndex, Memory)>, 498 ) { 499 for (memory_index, (allocation_index, memory)) in mem::take(memories) { 500 // Because deallocating memory is infallible, we don't need to worry 501 // about leaking subsequent memories if the first memory failed to 502 // deallocate. If deallocating memory ever becomes fallible, we will 503 // need to be careful here! 504 // 505 // SAFETY: the unsafe contract here is the same as the unsafe 506 // contract of this function, that the memories were previously 507 // allocated by this allocator. 508 unsafe { 509 self.deallocate_memory(Some(memory_index), allocation_index, memory); 510 } 511 } 512 } 513 514 /// Allocate tables for the given instance allocation request, pushing them 515 /// into `tables`. 516 fn allocate_tables( 517 &self, 518 request: &mut InstanceAllocationRequest, 519 tables: &mut PrimaryMap<DefinedTableIndex, (TableAllocationIndex, Table)>, 520 ) -> Result<()> { 521 let module = request.runtime_info.env_module(); 522 523 #[cfg(debug_assertions)] 524 InstanceAllocatorImpl::validate_module_impl(self, module, request.runtime_info.offsets()) 525 .expect("module should have already been validated before allocation"); 526 527 for (index, table) in module.tables.iter().skip(module.num_imported_tables) { 528 let def_index = module 529 .defined_table_index(index) 530 .expect("should be a defined table since we skipped imported ones"); 531 532 let table = self.allocate_table(request, table, request.tunables, def_index)?; 533 tables.push(table); 534 } 535 536 Ok(()) 537 } 538 539 /// Deallocate all the tables in the given primary map. 540 /// 541 /// # Unsafety 542 /// 543 /// The tables must have previously been allocated by 544 /// `Self::allocate_tables`. 545 unsafe fn deallocate_tables( 546 &self, 547 tables: &mut PrimaryMap<DefinedTableIndex, (TableAllocationIndex, Table)>, 548 ) { 549 for (table_index, (allocation_index, table)) in mem::take(tables) { 550 // SAFETY: the tables here were allocated from this allocator per 551 // the contract on this function itself. 552 unsafe { 553 self.deallocate_table(table_index, allocation_index, table); 554 } 555 } 556 } 557 } 558 559 // Every `InstanceAllocatorImpl` is an `InstanceAllocator` when used 560 // correctly. Also, no one is allowed to override this trait's methods, they 561 // must use the defaults. This blanket impl provides both of those things. 562 impl<T: InstanceAllocatorImpl> InstanceAllocator for T {} 563 564 fn check_table_init_bounds( 565 store: &mut StoreOpaque, 566 instance: InstanceId, 567 module: &Module, 568 ) -> Result<()> { 569 let mut const_evaluator = ConstExprEvaluator::default(); 570 571 for segment in module.table_initialization.segments.iter() { 572 let mut context = ConstEvalContext::new(instance); 573 let start = unsafe { 574 const_evaluator 575 .eval(store, &mut context, &segment.offset) 576 .expect("const expression should be valid") 577 }; 578 let start = usize::try_from(start.get_u32()).unwrap(); 579 let end = start.checked_add(usize::try_from(segment.elements.len()).unwrap()); 580 581 let table = store.instance_mut(instance).get_table(segment.table_index); 582 match end { 583 Some(end) if end <= table.size() => { 584 // Initializer is in bounds 585 } 586 _ => { 587 bail!("table out of bounds: elements segment does not fit") 588 } 589 } 590 } 591 592 Ok(()) 593 } 594 595 fn initialize_tables( 596 store: &mut StoreOpaque, 597 context: &mut ConstEvalContext, 598 const_evaluator: &mut ConstExprEvaluator, 599 module: &Module, 600 ) -> Result<()> { 601 for (table, init) in module.table_initialization.initial_values.iter() { 602 match init { 603 // Tables are always initially null-initialized at this time 604 TableInitialValue::Null { precomputed: _ } => {} 605 606 TableInitialValue::Expr(expr) => { 607 let raw = unsafe { 608 const_evaluator 609 .eval(store, context, expr) 610 .expect("const expression should be valid") 611 }; 612 let idx = module.table_index(table); 613 match module.tables[idx].ref_type.heap_type.top() { 614 WasmHeapTopType::Extern => { 615 store.gc_store_mut()?; 616 let (gc_store, instance) = 617 store.optional_gc_store_and_instance_mut(context.instance); 618 let gc_store = gc_store.unwrap(); 619 let table = instance.get_defined_table(table); 620 let gc_ref = VMGcRef::from_raw_u32(raw.get_externref()); 621 let items = (0..table.size()) 622 .map(|_| gc_ref.as_ref().map(|r| gc_store.clone_gc_ref(r))); 623 table.init_gc_refs(0, items)?; 624 } 625 626 WasmHeapTopType::Any => { 627 store.gc_store_mut()?; 628 let (gc_store, instance) = 629 store.optional_gc_store_and_instance_mut(context.instance); 630 let gc_store = gc_store.unwrap(); 631 let table = instance.get_defined_table(table); 632 let gc_ref = VMGcRef::from_raw_u32(raw.get_anyref()); 633 let items = (0..table.size()) 634 .map(|_| gc_ref.as_ref().map(|r| gc_store.clone_gc_ref(r))); 635 table.init_gc_refs(0, items)?; 636 } 637 638 WasmHeapTopType::Exn => { 639 store.gc_store_mut()?; 640 let (gc_store, instance) = 641 store.optional_gc_store_and_instance_mut(context.instance); 642 let gc_store = gc_store.unwrap(); 643 let table = instance.get_defined_table(table); 644 let gc_ref = VMGcRef::from_raw_u32(raw.get_exnref()); 645 let items = (0..table.size()) 646 .map(|_| gc_ref.as_ref().map(|r| gc_store.clone_gc_ref(r))); 647 table.init_gc_refs(0, items)?; 648 } 649 650 WasmHeapTopType::Func => { 651 let table = store 652 .instance_mut(context.instance) 653 .get_defined_table(table); 654 let funcref = NonNull::new(raw.get_funcref().cast::<VMFuncRef>()); 655 let items = (0..table.size()).map(|_| funcref); 656 table.init_func(0, items)?; 657 } 658 659 WasmHeapTopType::Cont => todo!(), // FIXME: #10248 stack switching support. 660 } 661 } 662 } 663 } 664 665 // Note: if the module's table initializer state is in 666 // FuncTable mode, we will lazily initialize tables based on 667 // any statically-precomputed image of FuncIndexes, but there 668 // may still be "leftover segments" that could not be 669 // incorporated. So we have a unified handler here that 670 // iterates over all segments (Segments mode) or leftover 671 // segments (FuncTable mode) to initialize. 672 for segment in module.table_initialization.segments.iter() { 673 let start = unsafe { 674 const_evaluator 675 .eval(store, context, &segment.offset) 676 .expect("const expression should be valid") 677 }; 678 Instance::table_init_segment( 679 store, 680 context.instance, 681 const_evaluator, 682 segment.table_index, 683 &segment.elements, 684 start.get_u64(), 685 0, 686 segment.elements.len(), 687 )?; 688 } 689 690 Ok(()) 691 } 692 693 fn get_memory_init_start( 694 store: &mut StoreOpaque, 695 init: &MemoryInitializer, 696 instance: InstanceId, 697 ) -> Result<u64> { 698 let mut context = ConstEvalContext::new(instance); 699 let mut const_evaluator = ConstExprEvaluator::default(); 700 unsafe { const_evaluator.eval(store, &mut context, &init.offset) }.map(|v| { 701 match store.instance(instance).env_module().memories[init.memory_index].idx_type { 702 wasmtime_environ::IndexType::I32 => v.get_u32().into(), 703 wasmtime_environ::IndexType::I64 => v.get_u64(), 704 } 705 }) 706 } 707 708 fn check_memory_init_bounds( 709 store: &mut StoreOpaque, 710 instance: InstanceId, 711 initializers: &[MemoryInitializer], 712 ) -> Result<()> { 713 for init in initializers { 714 let memory = store.instance_mut(instance).get_memory(init.memory_index); 715 let start = get_memory_init_start(store, init, instance)?; 716 let end = usize::try_from(start) 717 .ok() 718 .and_then(|start| start.checked_add(init.data.len())); 719 720 match end { 721 Some(end) if end <= memory.current_length() => { 722 // Initializer is in bounds 723 } 724 _ => { 725 bail!("memory out of bounds: data segment does not fit") 726 } 727 } 728 } 729 730 Ok(()) 731 } 732 733 fn initialize_memories( 734 store: &mut StoreOpaque, 735 context: &mut ConstEvalContext, 736 const_evaluator: &mut ConstExprEvaluator, 737 module: &Module, 738 ) -> Result<()> { 739 // Delegates to the `init_memory` method which is sort of a duplicate of 740 // `instance.memory_init_segment` but is used at compile-time in other 741 // contexts so is shared here to have only one method of memory 742 // initialization. 743 // 744 // This call to `init_memory` notably implements all the bells and whistles 745 // so errors only happen if an out-of-bounds segment is found, in which case 746 // a trap is returned. 747 748 struct InitMemoryAtInstantiation<'a> { 749 module: &'a Module, 750 store: &'a mut StoreOpaque, 751 context: &'a mut ConstEvalContext, 752 const_evaluator: &'a mut ConstExprEvaluator, 753 } 754 755 impl InitMemory for InitMemoryAtInstantiation<'_> { 756 fn memory_size_in_bytes( 757 &mut self, 758 memory: wasmtime_environ::MemoryIndex, 759 ) -> Result<u64, SizeOverflow> { 760 let len = self 761 .store 762 .instance(self.context.instance) 763 .get_memory(memory) 764 .current_length(); 765 let len = u64::try_from(len).unwrap(); 766 Ok(len) 767 } 768 769 fn eval_offset( 770 &mut self, 771 memory: wasmtime_environ::MemoryIndex, 772 expr: &wasmtime_environ::ConstExpr, 773 ) -> Option<u64> { 774 let val = unsafe { self.const_evaluator.eval(self.store, self.context, expr) } 775 .expect("const expression should be valid"); 776 Some( 777 match self 778 .store 779 .instance(self.context.instance) 780 .env_module() 781 .memories[memory] 782 .idx_type 783 { 784 wasmtime_environ::IndexType::I32 => val.get_u32().into(), 785 wasmtime_environ::IndexType::I64 => val.get_u64(), 786 }, 787 ) 788 } 789 790 fn write( 791 &mut self, 792 memory_index: wasmtime_environ::MemoryIndex, 793 init: &wasmtime_environ::StaticMemoryInitializer, 794 ) -> bool { 795 // If this initializer applies to a defined memory but that memory 796 // doesn't need initialization, due to something like copy-on-write 797 // pre-initializing it via mmap magic, then this initializer can be 798 // skipped entirely. 799 let instance = self.store.instance_mut(self.context.instance); 800 if let Some(memory_index) = self.module.defined_memory_index(memory_index) { 801 if !instance.memories[memory_index].1.needs_init() { 802 return true; 803 } 804 } 805 let memory = instance.get_memory(memory_index); 806 807 unsafe { 808 let src = instance.wasm_data(init.data.clone()); 809 let offset = usize::try_from(init.offset).unwrap(); 810 let dst = memory.base.as_ptr().add(offset); 811 812 assert!(offset + src.len() <= memory.current_length()); 813 814 // FIXME audit whether this is safe in the presence of shared 815 // memory 816 // (https://github.com/bytecodealliance/wasmtime/issues/4203). 817 ptr::copy_nonoverlapping(src.as_ptr(), dst, src.len()) 818 } 819 true 820 } 821 } 822 823 let ok = module 824 .memory_initialization 825 .init_memory(&mut InitMemoryAtInstantiation { 826 module, 827 store, 828 context, 829 const_evaluator, 830 }); 831 if !ok { 832 return Err(Trap::MemoryOutOfBounds.into()); 833 } 834 835 Ok(()) 836 } 837 838 fn check_init_bounds(store: &mut StoreOpaque, instance: InstanceId, module: &Module) -> Result<()> { 839 check_table_init_bounds(store, instance, module)?; 840 841 match &module.memory_initialization { 842 MemoryInitialization::Segmented(initializers) => { 843 check_memory_init_bounds(store, instance, initializers)?; 844 } 845 // Statically validated already to have everything in-bounds. 846 MemoryInitialization::Static { .. } => {} 847 } 848 849 Ok(()) 850 } 851 852 fn initialize_globals( 853 store: &mut StoreOpaque, 854 context: &mut ConstEvalContext, 855 const_evaluator: &mut ConstExprEvaluator, 856 module: &Module, 857 ) -> Result<()> { 858 assert!(core::ptr::eq( 859 &**store.instance(context.instance).env_module(), 860 module 861 )); 862 863 let mut store = AutoAssertNoGc::new(store); 864 865 for (index, init) in module.global_initializers.iter() { 866 let raw = unsafe { 867 const_evaluator 868 .eval(&mut store, context, init) 869 .expect("should be a valid const expr") 870 }; 871 872 let instance = store.instance_mut(context.instance); 873 let to = instance.global_ptr(index); 874 let wasm_ty = module.globals[module.global_index(index)].wasm_ty; 875 876 #[cfg(feature = "wmemcheck")] 877 if index.as_u32() == 0 && wasm_ty == wasmtime_environ::WasmValType::I32 { 878 if let Some(wmemcheck) = instance.wmemcheck_state_mut() { 879 let size = usize::try_from(raw.get_i32()).unwrap(); 880 wmemcheck.set_stack_size(size); 881 } 882 } 883 884 // This write is safe because we know we have the correct module for 885 // this instance and its vmctx due to the assert above. 886 unsafe { 887 to.write(VMGlobalDefinition::from_val_raw(&mut store, wasm_ty, raw)?); 888 }; 889 } 890 Ok(()) 891 } 892 893 pub fn initialize_instance( 894 store: &mut StoreOpaque, 895 instance: InstanceId, 896 module: &Module, 897 is_bulk_memory: bool, 898 ) -> Result<()> { 899 // If bulk memory is not enabled, bounds check the data and element segments before 900 // making any changes. With bulk memory enabled, initializers are processed 901 // in-order and side effects are observed up to the point of an out-of-bounds 902 // initializer, so the early checking is not desired. 903 if !is_bulk_memory { 904 check_init_bounds(store, instance, module)?; 905 } 906 907 let mut context = ConstEvalContext::new(instance); 908 let mut const_evaluator = ConstExprEvaluator::default(); 909 910 initialize_globals(store, &mut context, &mut const_evaluator, module)?; 911 initialize_tables(store, &mut context, &mut const_evaluator, module)?; 912 initialize_memories(store, &mut context, &mut const_evaluator, &module)?; 913 914 Ok(()) 915 } 916 917 #[cfg(test)] 918 mod tests { 919 use super::*; 920 921 #[test] 922 fn allocator_traits_are_object_safe() { 923 fn _instance_allocator(_: &dyn InstanceAllocatorImpl) {} 924 fn _instance_allocator_ext(_: &dyn InstanceAllocator) {} 925 } 926 } 927