Crack down on mutability and ownership of vm::Instance
#10943
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit represents more effort to bring safety to `vm::Instance` and, eventually, `ComponentInstance`. This is specifically addressing two points of safety around `vm::Instance`: * Previously ownership of this was murky where `InstanceHandle` sort of represented ownership but sort of didn't either through the `InstanceHandle::clone` method. Now `InstanceHandle` has a destructor for instances and no longer has `clone`, so there's one exclusive owner of an instance. * Previously `&mut Instance` was liberally passed around, but this is not sound because certain fields cannot be mutated (e.g. runtime offset information). While not a perfect solution this PR switches to using `Pin<&mut Instance>` everywhere instead. This prevents safe access to `&mut Instance` and we hand-write accessors to individual fields. Notably we omit mutable access to the `runtime_info` field. This naturally involved a lot of refactoring internally, but notably this started bringing up preexisting issues around how there are locations in the codebase that simultaneously have `&mut Instance` and `&mut StoreOpaque` which is technically not sound due to being able to get back to the instance from the store. Some issues here were address by passing around indices more often such as in instance initialization and const-expr evaluation. Note that all proxy methods on `InstanceHandle` are also all removed now and there's now only two: `get` and `get_mut`. This reflects how `InstanceHandle` should in general no longer be used and instead `Instance` itself, and some pointer-to thereof, should be exclusively used. cc bytecodealliance#10933
|
I'll also note that ownership-wise this brings core wasm in line with components, where components have |
|
While I have no reason to believe that's a flaky test failure I'm neverthless curious. If it's flaky that's quite worrisome. If it's not flaky that's also worrisome... |
|
Ok spurious failures should be fixed by #10947 |
alexcrichton
added a commit
to alexcrichton/wasmtime
that referenced
this pull request
Jun 13, 2025
This commit is the continuation of bytecodealliance#10943 for component instances. The allocation/vmctx infrastructure was additionally refactored to be shared for both core and component instances since they behave the exact same way anyway. This further enables sharing various methods like `vmctx_plus_offset` which are pretty unsafe internally. Like bytecodealliance#10943 this necessitated removal of `Index` implementations because `IndexMut` is not compatible with the returned type being `Pin<&mut T>` so they were replaced by inherent `get` and `get_mut` methods on the component instance id type. Closes bytecodealliance#10933
github-merge-queue bot
pushed a commit
that referenced
this pull request
Jun 14, 2025
This commit is the continuation of #10943 for component instances. The allocation/vmctx infrastructure was additionally refactored to be shared for both core and component instances since they behave the exact same way anyway. This further enables sharing various methods like `vmctx_plus_offset` which are pretty unsafe internally. Like #10943 this necessitated removal of `Index` implementations because `IndexMut` is not compatible with the returned type being `Pin<&mut T>` so they were replaced by inherent `get` and `get_mut` methods on the component instance id type. Closes #10933
alexcrichton
added a commit
to alexcrichton/wasmtime
that referenced
this pull request
Jun 16, 2025
This commit fixes another issue we've discovered in the wasip3 prototyping repository about a code pattern in wasm which Miri flags as un-sound. Specifically what happened was: * Invocation of WebAssembly went through `VMFuncRef::array_call` which takes a `&self` parameter. * Inside of WebAssembly though a `ref.func` instruction, or anything else that references the original exported function, will re-initialize the `VMFuncRef` which writes the `&self` up the stack, which is not sound. Fixing this required changing the signature of `array_call` from `&self` to `me: NonNull<VMFuncRef>`, and the signature was already `unsafe` so this is a new unsafe contract for that signature. In fixing this, however, it was discovered that a mistake was made in bytecodealliance#10943 where some internal functions for re-initializing a `VMFuncRef` relied on the previous signature of `&mut self` but that PR switche to `&self`. This PR corrects these signatures to `Pin<&mut Self>` and then plumbs around the necessary changes, notably causing some refactoring in component-related bits.
github-merge-queue bot
pushed a commit
that referenced
this pull request
Jun 17, 2025
This commit fixes another issue we've discovered in the wasip3 prototyping repository about a code pattern in wasm which Miri flags as un-sound. Specifically what happened was: * Invocation of WebAssembly went through `VMFuncRef::array_call` which takes a `&self` parameter. * Inside of WebAssembly though a `ref.func` instruction, or anything else that references the original exported function, will re-initialize the `VMFuncRef` which writes the `&self` up the stack, which is not sound. Fixing this required changing the signature of `array_call` from `&self` to `me: NonNull<VMFuncRef>`, and the signature was already `unsafe` so this is a new unsafe contract for that signature. In fixing this, however, it was discovered that a mistake was made in #10943 where some internal functions for re-initializing a `VMFuncRef` relied on the previous signature of `&mut self` but that PR switche to `&self`. This PR corrects these signatures to `Pin<&mut Self>` and then plumbs around the necessary changes, notably causing some refactoring in component-related bits.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit represents more effort to bring safety to
vm::Instanceand, eventually,ComponentInstance. This is specifically addressing two points of safety aroundvm::Instance:Previously ownership of this was murky where
InstanceHandlesort of represented ownership but sort of didn't either through theInstanceHandle::clonemethod. NowInstanceHandlehas a destructor for instances and no longer hasclone, so there's one exclusive owner of an instance.Previously
&mut Instancewas liberally passed around, but this is not sound because certain fields cannot be mutated (e.g. runtime offset information). While not a perfect solution this PR switches to usingPin<&mut Instance>everywhere instead. This prevents safe access to&mut Instanceand we hand-write accessors to individual fields. Notably we omit mutable access to theruntime_infofield.This naturally involved a lot of refactoring internally, but notably this started bringing up preexisting issues around how there are locations in the codebase that simultaneously have
&mut Instanceand&mut StoreOpaquewhich is technically not sound due to being able to get back to the instance from the store. Some issues here were address by passing around indices more often such as in instance initialization and const-expr evaluation.Note that all proxy methods on
InstanceHandleare also all removed now and there's now only two:getandget_mut. This reflects howInstanceHandleshould in general no longer be used and insteadInstanceitself, and some pointer-to thereof, should be exclusively used.cc #10933