Review comments.

crates/runtime/src/memfd.rs

@@ -402,21 +402,30 @@ impl MemFdSlot {
         //
         // We map these inaccessible at first then mprotect() the
         // whole of the initial heap size to R+W below.
-        //
-        // Special case: we can skip if the last instantiation had no
-        // image. This means that the whole slot is filled with an
-        // anonymous mmap backing (and it will have already been
-        // cleared by the madvise). We may however need to
-        // mprotect(NONE) the space above `initial_size_bytes` if the
-        // last use of this slot left it larger. This also lets us
-        // skip an mmap the first time a MemFdSlot is used, because we
-        // require the caller to give us a fixed address in an
-        // already-mmaped-with-anon-memory region. This is important
-        // for the on-demand allocator.
         if self.image.is_some() {
-            self.map_anon_memory(rustix::io::ProtFlags::empty())
+            self.reset_with_anon_memory()
                 .map_err(|e| InstantiationError::Resource(e.into()))?;
         } else if initial_size_bytes < self.initial_size {
+            // Special case: we can skip if the last instantiation had
+            // no image. This means that the whole slot is filled with
+            // an anonymous mmap backing (and it will have already
+            // been cleared by the madvise). We may however need to
+            // mprotect(NONE) the space above `initial_size_bytes` if
+            // the last use of this slot left it larger. This also
+            // lets us skip an mmap the first time a MemFdSlot is
+            // used, because we require the caller to give us a fixed
+            // address in an already-mmaped-with-anon-memory
+            // region. This is important for the on-demand allocator.
+            //
+            // So we come in with:
+            // - anon-zero memory, R+W,  [0, self.initial_size)
+            // - anon-zero memory, none, [self.initial_size, self.static_size)
+            // and we want:
+            // - anon-zero memory, R+W,  [0, initial_size_bytes)
+            // - anon-zero memory, none, [initial_size_bytes, self.static_size)
+            //
+            // so given initial_size_bytes < self.initial_size we
+            // mprotect(NONE) the zone from the first to the second.
             self.set_protection(
                 initial_size_bytes,
                 self.initial_size,
@@ -428,6 +437,7 @@ impl MemFdSlot {
         // The initial memory image, if given. If not, we just get a
         // memory filled with zeroes.
         if let Some(image) = maybe_image {
+            assert!(image.offset.checked_add(image.len).unwrap() <= initial_size_bytes);
             if image.len > 0 {
                 let image = image.clone();
 
@@ -510,15 +520,14 @@ impl MemFdSlot {
         self.dirty
     }
 
-    /// Map anonymous zeroed memory across the whole slot, with the
+    /// Map anonymous zeroed memory across the whole slot,
-    /// given protections. Used both during instantiate and during
+    /// inaccessible. Used both during instantiate and during drop.
-    /// drop.
+    fn reset_with_anon_memory(&self) -> Result<()> {
-    fn map_anon_memory(&self, prot: rustix::io::ProtFlags) -> Result<()> {
         unsafe {
             let ptr = rustix::io::mmap_anonymous(
                 self.base as *mut c_void,
                 self.static_size,
-                prot,
+                rustix::io::ProtFlags::empty(),
                 rustix::io::MapFlags::PRIVATE | rustix::io::MapFlags::FIXED,
             )?;
             assert_eq!(ptr as usize, self.base);
@@ -560,7 +569,7 @@ impl Drop for MemFdSlot {
         // this MemFdSlot has indicated that it will clean up in some
         // other way.
         if self.clear_on_drop {
-            let _ = self.map_anon_memory(rustix::io::ProtFlags::empty());
+            let _ = self.reset_with_anon_memory();
         }
     }
 }