Skip to content

Fix another case of Miri unsoundness #11056

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 17, 2025
Merged

Fix another case of Miri unsoundness #11056

merged 1 commit into from
Jun 17, 2025

Conversation

alexcrichton
Copy link
Member

This commit fixes another issue we've discovered in the wasip3 prototyping repository about a code pattern in wasm which Miri flags as un-sound. Specifically what happened was:

  • Invocation of WebAssembly went through VMFuncRef::array_call which takes a &self parameter.

  • Inside of WebAssembly though a ref.func instruction, or anything else that references the original exported function, will re-initialize the VMFuncRef which writes the &self up the stack, which is not sound.

Fixing this required changing the signature of array_call from &self to me: NonNull<VMFuncRef>, and the signature was already unsafe so this is a new unsafe contract for that signature.

In fixing this, however, it was discovered that a mistake was made in #10943 where some internal functions for re-initializing a VMFuncRef relied on the previous signature of &mut self but that PR switche to &self. This PR corrects these signatures to Pin<&mut Self> and then plumbs around the necessary changes, notably causing some refactoring in component-related bits.

@alexcrichton
Fix another case of Miri unsoundness
340f9e5 
This commit fixes another issue we've discovered in the wasip3
prototyping repository about a code pattern in wasm which Miri flags as
un-sound. Specifically what happened was:

* Invocation of WebAssembly went through `VMFuncRef::array_call` which
  takes a `&self` parameter.

* Inside of WebAssembly though a `ref.func` instruction, or anything
  else that references the original exported function, will
  re-initialize the `VMFuncRef` which writes the `&self` up the stack,
  which is not sound.

Fixing this required changing the signature of `array_call` from `&self`
to `me: NonNull<VMFuncRef>`, and the signature was already `unsafe` so
this is a new unsafe contract for that signature.

In fixing this, however, it was discovered that a mistake was made
in bytecodealliance#10943 where some internal functions for re-initializing a
`VMFuncRef` relied on the previous signature of `&mut self` but that PR
switche to `&self`. This PR corrects these signatures to `Pin<&mut Self>`
and then plumbs around the necessary changes, notably causing some
refactoring in component-related bits.
@alexcrichton alexcrichton requested a review from a team as a code owner June 16, 2025 22:16
@alexcrichton alexcrichton requested review from fitzgen and removed request for a team June 16, 2025 22:16
@github-actions github-actions bot added the wasmtime:api Related to the API of the `wasmtime` crate itself label Jun 17, 2025
fitzgen
fitzgen approved these changes Jun 17, 2025
View reviewed changes
Copy link
Member

@fitzgen fitzgen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@fitzgen fitzgen added this pull request to the merge queue Jun 17, 2025
Merged via the queue into bytecodealliance:main with commit 078bc37 Jun 17, 2025
41 checks passed
@alexcrichton alexcrichton deleted the fix-miri-unsoundness branch June 17, 2025 16:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fitzgen fitzgen fitzgen approved these changes

Assignees
No one assigned
Labels
wasmtime:api Related to the API of the `wasmtime` crate itself
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@alexcrichton @fitzgen