T0b1/wasmtime
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Rewrite for recursive safety

Browse Source 
This commit rewrites the runtime crate to provide safety in the face
of recursive calls to the guest. The basic principle is that
`GuestMemory` is now a trait which dynamically returns the
pointer/length pair. This also has an implicit contract (hence the
`unsafe` trait) that the pointer/length pair point to a valid list of
bytes in host memory "until something is reentrant".

After this changes the various suite of `Guest*` types were rewritten.
`GuestRef` and `GuestRefMut` were both removed since they cannot safely
exist. The `GuestPtrMut` type was removed for simplicity, and the final
`GuestPtr` type subsumes `GuestString` and `GuestArray`. This means
that there's only one guest pointer type, `GuestPtr<'a, T>`, where `'a`
is the borrow into host memory, basically borrowing the `GuestMemory`
trait object itself.

Some core utilities are exposed on `GuestPtr`, but they're all 100%
safe. Unsafety is now entirely contained within a few small locations:

* Implementations of the `GuestType` for primitive types (e.g. `i8`,
  `u8`, etc) use `unsafe` to read/write memory. The `unsafe` trait of
  `GuestMemory` though should prove that they're safe.

* `GuestPtr<'_, str>` has a method which validates utf-8 contents, and
  this requires `unsafe` internally to read all the bytes. This is
  guaranteed to be safe however given the contract of `GuestMemory`.

And that's it! Everything else is a bunch of safe combinators all built
up on the various utilities provided by `GuestPtr`. The general idioms
are roughly the same as before, with various tweaks here and there. A
summary of expected idioms are:

* For small values you'd `.read()` or `.write()` very quickly. You'd
  pass around the type itself.

* For strings, you'd pass `GuestPtr<'_, str>` down to the point where
  it's actually consumed. At that moment you'd either decide to copy it
  out (a safe operation) or you'd get a raw view to the string (an
  unsafe operation) and assert that you won't call back into wasm while
  you're holding that pointer.

* Arrays are similar to strings, passing around `GuestPtr<'_, [T]>`.
  Arrays also have a `iter()` method which yields an iterator of
  `GuestPtr<'_, T>` for convenience.

Overall there's still a lot of missing documentation on the runtime
crate specifically around the safety of the `GuestMemory` trait as well
as how the utilities/methods are expected to be used. Additionally
there's utilities which aren't currently implemented which would be easy
to implement. For example there's no method to copy out a string or a
slice, although that would be pretty easy to add.

In any case I'm curious to get feedback on this approach and see what
y'all think!
This commit is contained in:
Alex Crichton
2020-03-04 10:21:34 -08:00
parent 3764204250
commit ca9f33b6d9
28 changed files with 751 additions and 2013 deletions
Download Patch File Download Diff File Expand all files Collapse all files

201
tests/structs.rs
View File

@@ -1,5 +1,5 @@
use proptest::prelude::*;
use wiggle_runtime::{GuestError, GuestPtr};
use wiggle_runtime::{GuestError, GuestMemory, GuestPtr};
use wiggle_test::{impl_errno, HostMemory, MemArea, WasiCtx};
wiggle::from_witx!({
@@ -15,21 +15,21 @@ impl structs::Structs for WasiCtx {
}
fn sum_of_pair_of_ptrs(&self, an_pair: &types::PairIntPtrs) -> Result<i64, types::Errno> {
let first = *an_pair
let first = an_pair
.first
.as_ref()
.read()
.expect("dereferencing GuestPtr should succeed");
let second = *an_pair
let second = an_pair
.second
.as_ref()
.read()
.expect("dereferncing GuestPtr should succeed");
Ok(first as i64 + second as i64)
}
fn sum_of_int_and_ptr(&self, an_pair: &types::PairIntAndPtr) -> Result<i64, types::Errno> {
let first = *an_pair
let first = an_pair
.first
.as_ref()
.read()
.expect("dereferencing GuestPtr should succeed");
let second = an_pair.second as i64;
Ok(first as i64 + second)
@@ -78,33 +78,29 @@ impl SumOfPairExercise {
}
pub fn test(&self) {
let mut ctx = WasiCtx::new();
let mut host_memory = HostMemory::new();
let mut guest_memory = host_memory.guest_memory();
let ctx = WasiCtx::new();
let host_memory = HostMemory::new();
*guest_memory
.ptr_mut(self.input_loc.ptr)
.expect("input ptr")
.as_ref_mut()
.expect("input ref_mut") = self.input.first;
*guest_memory
.ptr_mut(self.input_loc.ptr + 4)
.expect("input ptr")
.as_ref_mut()
.expect("input ref_mut") = self.input.second;
host_memory
.ptr(self.input_loc.ptr)
.write(self.input.first)
.expect("input ref_mut");
host_memory
.ptr(self.input_loc.ptr + 4)
.write(self.input.second)
.expect("input ref_mut");
let sum_err = structs::sum_of_pair(
&mut ctx,
&mut guest_memory,
&ctx,
&host_memory,
self.input_loc.ptr as i32,
self.return_loc.ptr as i32,
);
assert_eq!(sum_err, types::Errno::Ok.into(), "sum errno");
let return_val: i64 = *guest_memory
let return_val: i64 = host_memory
.ptr(self.return_loc.ptr)
.expect("return ptr")
.as_ref()
.read()
.expect("return ref");
assert_eq!(
@@ -170,45 +166,39 @@ impl SumPairPtrsExercise {
.boxed()
}
pub fn test(&self) {
let mut ctx = WasiCtx::new();
let mut host_memory = HostMemory::new();
let mut guest_memory = host_memory.guest_memory();
let ctx = WasiCtx::new();
let host_memory = HostMemory::new();
*guest_memory
.ptr_mut(self.input_first_loc.ptr)
.expect("input_first ptr")
.as_ref_mut()
.expect("input_first ref") = self.input_first;
*guest_memory
.ptr_mut(self.input_second_loc.ptr)
.expect("input_second ptr")
.as_ref_mut()
.expect("input_second ref") = self.input_second;
host_memory
.ptr(self.input_first_loc.ptr)
.write(self.input_first)
.expect("input_first ref");
host_memory
.ptr(self.input_second_loc.ptr)
.write(self.input_second)
.expect("input_second ref");
*guest_memory
.ptr_mut(self.input_struct_loc.ptr)
.expect("input_struct ptr")
.as_ref_mut()
.expect("input_struct ref") = self.input_first_loc.ptr;
*guest_memory
.ptr_mut(self.input_struct_loc.ptr + 4)
.expect("input_struct ptr")
.as_ref_mut()
.expect("input_struct ref") = self.input_second_loc.ptr;
host_memory
.ptr(self.input_struct_loc.ptr)
.write(self.input_first_loc.ptr)
.expect("input_struct ref");
host_memory
.ptr(self.input_struct_loc.ptr + 4)
.write(self.input_second_loc.ptr)
.expect("input_struct ref");
let res = structs::sum_of_pair_of_ptrs(
&mut ctx,
&mut guest_memory,
&ctx,
&host_memory,
self.input_struct_loc.ptr as i32,
self.return_loc.ptr as i32,
);
assert_eq!(res, types::Errno::Ok.into(), "sum of pair of ptrs errno");
let doubled: i64 = *guest_memory
let doubled: i64 = host_memory
.ptr(self.return_loc.ptr)
.expect("return ptr")
.as_ref()
.read()
.expect("return ref");
assert_eq!(
@@ -264,39 +254,34 @@ impl SumIntAndPtrExercise {
.boxed()
}
pub fn test(&self) {
let mut ctx = WasiCtx::new();
let mut host_memory = HostMemory::new();
let mut guest_memory = host_memory.guest_memory();
let ctx = WasiCtx::new();
let host_memory = HostMemory::new();
*guest_memory
.ptr_mut(self.input_first_loc.ptr)
.expect("input_first ptr")
.as_ref_mut()
.expect("input_first ref") = self.input_first;
*guest_memory
.ptr_mut(self.input_struct_loc.ptr)
.expect("input_struct ptr")
.as_ref_mut()
.expect("input_struct ref") = self.input_first_loc.ptr;
*guest_memory
.ptr_mut(self.input_struct_loc.ptr + 4)
.expect("input_struct ptr")
.as_ref_mut()
.expect("input_struct ref") = self.input_second;
host_memory
.ptr(self.input_first_loc.ptr)
.write(self.input_first)
.expect("input_first ref");
host_memory
.ptr(self.input_struct_loc.ptr)
.write(self.input_first_loc.ptr)
.expect("input_struct ref");
host_memory
.ptr(self.input_struct_loc.ptr + 4)
.write(self.input_second)
.expect("input_struct ref");
let res = structs::sum_of_int_and_ptr(
&mut ctx,
&mut guest_memory,
&ctx,
&host_memory,
self.input_struct_loc.ptr as i32,
self.return_loc.ptr as i32,
);
assert_eq!(res, types::Errno::Ok.into(), "sum of int and ptr errno");
let doubled: i64 = *guest_memory
let doubled: i64 = host_memory
.ptr(self.return_loc.ptr)
.expect("return ptr")
.as_ref()
.read()
.expect("return ref");
assert_eq!(
@@ -326,19 +311,16 @@ impl ReturnPairInts {
}
pub fn test(&self) {
let mut ctx = WasiCtx::new();
let mut host_memory = HostMemory::new();
let mut guest_memory = host_memory.guest_memory();
let ctx = WasiCtx::new();
let host_memory = HostMemory::new();
let err =
structs::return_pair_ints(&mut ctx, &mut guest_memory, self.return_loc.ptr as i32);
let err = structs::return_pair_ints(&ctx, &host_memory, self.return_loc.ptr as i32);
assert_eq!(err, types::Errno::Ok.into(), "return struct errno");
let return_struct: types::PairInts = *guest_memory
let return_struct: types::PairInts = host_memory
.ptr(self.return_loc.ptr)
.expect("return ptr")
.as_ref()
.read()
.expect("return ref");
assert_eq!(
@@ -398,24 +380,21 @@ impl ReturnPairPtrsExercise {
.boxed()
}
pub fn test(&self) {
let mut ctx = WasiCtx::new();
let mut host_memory = HostMemory::new();
let mut guest_memory = host_memory.guest_memory();
let ctx = WasiCtx::new();
let host_memory = HostMemory::new();
*guest_memory
.ptr_mut(self.input_first_loc.ptr)
.expect("input_first ptr")
.as_ref_mut()
.expect("input_first ref") = self.input_first;
*guest_memory
.ptr_mut(self.input_second_loc.ptr)
.expect("input_second ptr")
.as_ref_mut()
.expect("input_second ref") = self.input_second;
host_memory
.ptr(self.input_first_loc.ptr)
.write(self.input_first)
.expect("input_first ref");
host_memory
.ptr(self.input_second_loc.ptr)
.write(self.input_second)
.expect("input_second ref");
let res = structs::return_pair_of_ptrs(
&mut ctx,
&mut guest_memory,
&ctx,
&host_memory,
self.input_first_loc.ptr as i32,
self.input_second_loc.ptr as i32,
self.return_loc.ptr as i32,
@@ -423,28 +402,20 @@ impl ReturnPairPtrsExercise {
assert_eq!(res, types::Errno::Ok.into(), "return pair of ptrs errno");
let ptr_pair_int_ptrs: GuestPtr<types::PairIntPtrs<'_>> =
guest_memory.ptr(self.return_loc.ptr).expect("return ptr");
let ret_first_ptr: GuestPtr<i32> = ptr_pair_int_ptrs
.cast::<GuestPtr<i32>>(0u32)
.expect("extract ptr to first element in struct")
.read()
.expect("read ptr to first element in struct");
let ret_second_ptr: GuestPtr<i32> = ptr_pair_int_ptrs
.cast::<GuestPtr<i32>>(4u32)
.expect("extract ptr to second element in struct")
.read()
.expect("read ptr to second element in struct");
let ptr_pair_int_ptrs: types::PairIntPtrs<'_> =
host_memory.ptr(self.return_loc.ptr).read().expect("failed to read return location");
let ret_first_ptr = ptr_pair_int_ptrs.first;
let ret_second_ptr = ptr_pair_int_ptrs.second;
assert_eq!(
self.input_first,
*ret_first_ptr
.as_ref()
ret_first_ptr
.read()
.expect("deref extracted ptr to first element")
);
assert_eq!(
self.input_second,
*ret_second_ptr
.as_ref()
ret_second_ptr
.read()
.expect("deref extracted ptr to second element")
);
}