wasmtime: clarify Memory::{read,write} behavior with out-of-bounds ranges

This documents that we will never do partial reads/writes, and expands our
existing tests to assert this.

crates/wasmtime/src/memory.rs

@@ -304,8 +304,8 @@ impl Memory {
     ///
     /// The entire buffer will be filled.
     ///
-    /// If offset + buffer length exceed the current memory capacity,
-    /// a [`MemoryAccessError`] is returned.
+    /// If offset + buffer length exceed the current memory capacity, then the
+    /// buffer is left untouched and a [`MemoryAccessError`] is returned.
     pub fn read(&self, offset: usize, buffer: &mut [u8]) -> Result<(), MemoryAccessError> {
         unsafe {
             let slice = self
@@ -320,8 +320,9 @@ impl Memory {
 
     /// Safely writes contents of a buffer to this memory at the given offset.
     ///
-    /// If the offset + buffer length exceed current memory capacity, a
-    /// [`MemoryAccessError`] is returned.
+    /// If the offset + buffer length exceed current memory capacity, then none
+    /// of the buffer is written to memory and a [`MemoryAccessError`] is
+    /// returned.
     pub fn write(&self, offset: usize, buffer: &[u8]) -> Result<(), MemoryAccessError> {
         unsafe {
             self.data_unchecked_mut()

tests/all/externals.rs

@@ -363,11 +363,18 @@ fn read_write_memory_via_api() {
 
     let res = mem.write(mem.data_size() - value.len() + 1, value);
     assert!(res.is_err());
+    assert_ne!(
+        unsafe { mem.data_unchecked()[mem.data_size() - value.len() + 1] },
+        value[0],
+        "no data is written",
+    );
 
     // Out of bounds read.
 
+    buffer[0] = 0x42;
     let res = mem.read(mem.data_size() - buffer.len() + 1, &mut buffer);
     assert!(res.is_err());
+    assert_eq!(buffer[0], 0x42, "no data is read");
 
     // Read offset overflow.
     let res = mem.read(usize::MAX, &mut buffer);