47d6db0be8
* Reel in unsafety around `InstanceHandle` This commit is an attempt, or at least is targeted at being a start, at reeling in the unsafety around the `InstanceHandle` type. Currently this type represents a sort of moral `Rc<Instance>` but is a bit more specialized since the underlying memory is allocated through mmap. Additionally, though, `InstanceHandle` exposes a fundamental flaw in its safety by safetly allowing mutable access so long as you have `&mut InstanceHandle`. This type, however, is trivially created by simply cloning a `InstanceHandle` to get an owned reference. This means that `&mut InstanceHandle` does not actually provide any guarantees about uniqueness, so there's no more safety than `&InstanceHandle` itself. This commit removes all `&mut self` APIs from `InstanceHandle`, additionally removing some where `&self` was `unsafe` and `&mut self` was safe (since it was trivial to subvert this "safety"). In doing so interior mutability patterns are now used much more extensively through structures such as `Table` and `Memory`. Additionally a number of methods were refactored to be a bit clearer and use helper functions where possible. This is a relatively large commit unfortunately, but it snowballed very quickly into touching quite a few places. My hope though is that this will prevent developers working on wasmtime internals as well as developers still yet to migrate to the `wasmtime` crate from falling into trivial unsafe traps by accidentally using `&mut` when they can't. All existing users relying on `&mut` will need to migrate to some form of interior mutability, such as using `RefCell` or `Cell`. This commit also additionally marks `InstanceHandle::new` as an `unsafe` function. The rationale for this is that the `&mut`-safety is only the beginning for the safety of `InstanceHandle`. In general the wasmtime internals are extremely unsafe and haven't been audited for appropriate usage of `unsafe`. Until that's done it's hoped that we can warn users with this `unsafe` constructor and otherwise push users to the `wasmtime` crate which we know is safe. * Fix windows build * Wrap up mutable memory state in one structure Rather than having separate fields * Use `Cell::set`, not `Cell::replace`, where possible * Add a helper function for offsets from VMContext * Fix a typo from merging * rustfmt * Use try_from, not as * Tweak style of some setters
wasi-common
A Bytecode Alliance project
A library providing a common implementation of WASI hostcalls for re-use in any WASI-enabled runtime.
The wasi-common crate will ultimately serve as a library providing a common implementation of
WASI hostcalls for re-use in any WASI (and potentially non-WASI) runtimes
such as Wasmtime and Lucet.
The library is an adaption of lucet-wasi crate from the Lucet project, and it is currently based on 40ae1df git revision.
Please note that the library requires Rust compiler version at least 1.37.0.
Supported syscalls
*nix
In our *nix implementation, we currently support the entire WASI API with the exception of socket hostcalls:
sock_recvsock_sendsock_shutdown
We expect these to be implemented when network access is standardised.
We also currently do not support the proc_raise hostcall, as it is expected to
be dropped entirely from WASI.
Windows
In our Windows implementation, we currently support the minimal subset of WASI API which allows for running the very basic "Hello world!" style WASM apps. More coming shortly, so stay tuned!
Development hints
When testing the crate, you may want to enable and run full wasm32 integration testsuite. This
requires wasm32-wasi target installed which can be done as follows using rustup
rustup target add wasm32-wasi
Now, you should be able to run the integration testsuite by running cargo test on the
test-programs package with test_programs feature enabled:
cargo test --features test_programs --package test-programs
Third-Party Code
Significant parts of our hostcall implementations are derived from the C implementations in
cloudabi-utils. See LICENSE.cloudabi-utils for license information.