Replace setjmp/longjmp usage in Wasmtime

Since Wasmtime's inception it's used the `setjmp` and `longjmp`
functions in C to implement handling of traps. While this solution was
easy to implement, relatively portable, and performant enough, there are
a number of downsides that have evolved over time to make this an
unattractive approach in the long run:

* Using `setjmp` fundamentally requires using C because Rust does not
  understand a function that returns twice. It's fundamentally unsound
  to invoke `setjmp` in Rust meaning that Wasmtime has forever needed a
  C compiler configured and set up to build. This notably means that
  `cargo check` cannot check other targets easily.

* Using `longjmp` means that Rust function frames are unwound on the
  stack without running destructors. This is a dangerous operation of
  which we get no protection from the compiler about. Both frames
  entering wasm and frames exiting wasm are all skipped. Absolutely
  minimizing this has been beneficial for portability to platforms such
  as Pulley.

* Currently the no_std implementation of Wasmtime requires embedders to
  provide `wasmtime_{setjmp,longjmp}` which is a thorn in the side of
  what is otherwise a mostly entirely independent implementation of
  Wasmtime.

* There is a performance floor to using `setjmp` and `longjmp`. Calling
  `setjmp` requires using C but Wasmtime is otherwise written in Rust
  meaning that there's a Rust->C->Rust->Wasm boundary which
  fundamentally can't be inlined without cross-language LTO which is
  difficult to configure.

* With the implementation of the WebAssembly exceptions proposal
  Wasmtime now has two means of unwinding the stack. Ideally Wasmtime
  would only have one, and the more general one is the method of
  exceptions.

* Jumping out of a signal handler on Unix is tricky business. While
  we've made it work it's generally most robust of the signal handler
  simply returns which it now does.

With all of that in mind the purpose of this commit is to replace the
setjmp/longjmp mechanism of handling traps with the recently implemented
support for exceptions in Cranelift. That is intended to resolve all of
the above points in one swoop.

One point in particular though that's nice about setjmp/longjmp is that
unwinding the stack on a trap is an O(1) operation. For situations such
as stack overflow that's a particularly nice property to have as we can
guarantee embedders that traps are a constant time (albeit somewhat
expensive with signals) operation. Exceptions naively require unwinding
the entire stack, and although frame pointers mean we're just traversing
a linked list I wanted to preserve the O(1) property here nonetheless.
To achieve this a solution is implemented where the array-to-wasm
(host-to-wasm) trampolines setup state in `VMStoreContext` so looking up
the current trap handler frame is an O(1) operation. Namely the sp/fp/pc
values for a `Handler` are stored inline.

Implementing this feature required supporting
relocations-to-offsets-in-functions which was not previously supported
by Wasmtime. This required Cranelift refactorings such as bytecodealliance#11570, bytecodealliance#11585,
and bytecodealliance#11576. This then additionally required some more refactoring in
this commit which was difficult to split out as it otherwise wouldn't be
tested.

Apart from the relocation-related business much of this change is about
updating the platform signal handlers to use exceptions instead of
longjmp to return. For example on Unix this means updating the
`ucontext_t` with register values that the handler specifies. Windows
involves updating similar contexts, and macOS mach ports ended up not
needing too many changes.

In terms of overall performance the relevant benchmark from this
repository, compared to before this commit, is:

    sync/no-hook/core - host-to-wasm - typed - nop
			    time:   [10.552 ns 10.561 ns 10.571 ns]
			    change: [−7.5238% −7.4011% −7.2786%] (p = 0.00 < 0.05)
			    Performance has improved.

Closes bytecodealliance#3927
cc bytecodealliance#10923

prtest:full

Author: alexcrichton

.github/workflows/main.yml

@@ -318,7 +318,7 @@ jobs:
   micro_checks:
     name: Check ${{matrix.name}}
     strategy:
-      fail-fast: true
+      fail-fast: ${{ github.event_name != 'pull_request' }}
       matrix:
         include:
           - name: wasmtime
@@ -504,7 +504,7 @@ jobs:
     name: "Platform: ${{ matrix.target }}"
     runs-on: ${{ matrix.os }}
     strategy:
-      fail-fast: true
+      fail-fast: ${{ github.event_name != 'pull_request' }}
       matrix:
         include:
         - target: x86_64-unknown-freebsd
@@ -627,7 +627,7 @@ jobs:
     if: needs.determine.outputs.test-capi
 
     strategy:
-      fail-fast: true
+      fail-fast: ${{ github.event_name != 'pull_request' }}
       matrix:
         os: [ubuntu-24.04, macos-15, windows-2025]
 

cranelift/codegen/src/isa/aarch64/abi.rs

@@ -1097,10 +1097,13 @@ impl ABIMachineSpec for AArch64MachineDeps {
     }
 
     fn get_regs_clobbered_by_call(call_conv: isa::CallConv, is_exception: bool) -> PRegSet {
-        match call_conv {
-            isa::CallConv::Winch => WINCH_CLOBBERS,
-            isa::CallConv::Tail if is_exception => ALL_CLOBBERS,
-            _ => DEFAULT_AAPCS_CLOBBERS,
+        match (call_conv, is_exception) {
+            (isa::CallConv::Tail, true) => ALL_CLOBBERS,
+            (isa::CallConv::Winch, true) => ALL_CLOBBERS,
+            (isa::CallConv::Winch, false) => WINCH_CLOBBERS,
+            (isa::CallConv::SystemV, _) => DEFAULT_AAPCS_CLOBBERS,
+            (_, false) => DEFAULT_AAPCS_CLOBBERS,
+            (_, true) => panic!("unimplemented clobbers for exn abi of {call_conv:?}"),
         }
     }
 

cranelift/codegen/src/isa/call_conv.rs

@@ -84,7 +84,7 @@ impl CallConv {
     /// Does this calling convention support exceptions?
     pub fn supports_exceptions(&self) -> bool {
         match self {
-            CallConv::Tail | CallConv::SystemV => true,
+            CallConv::Tail | CallConv::SystemV | CallConv::Winch => true,
             _ => false,
         }
     }

cranelift/codegen/src/isa/pulley_shared/inst.isle

@@ -709,9 +709,9 @@
 
 ;; Helper for creating `MInst.LoadExtName*` instructions.
 (decl load_ext_name (BoxExternalName i64 RelocDistance) XReg)
-(rule 1 (load_ext_name name offset (RelocDistance.Near))
+(rule (load_ext_name name offset (RelocDistance.Near))
   (load_ext_name_near name offset))
-(rule 0 (load_ext_name name offset (RelocDistance.Far))
+(rule (load_ext_name name offset (RelocDistance.Far))
   (load_ext_name_far name offset))
 
 ;;;; Helpers for Emitting Calls ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

cranelift/codegen/src/isa/x64/abi.rs

@@ -887,11 +887,13 @@ impl ABIMachineSpec for X64ABIMachineSpec {
         call_conv_of_callee: isa::CallConv,
         is_exception: bool,
     ) -> PRegSet {
-        match call_conv_of_callee {
-            CallConv::Winch => ALL_CLOBBERS,
-            CallConv::WindowsFastcall => WINDOWS_CLOBBERS,
-            CallConv::Tail if is_exception => ALL_CLOBBERS,
-            _ => SYSV_CLOBBERS,
+        match (call_conv_of_callee, is_exception) {
+            (isa::CallConv::Tail, true) => ALL_CLOBBERS,
+            (isa::CallConv::Winch, _) => ALL_CLOBBERS,
+            (isa::CallConv::SystemV, _) => SYSV_CLOBBERS,
+            (isa::CallConv::WindowsFastcall, false) => WINDOWS_CLOBBERS,
+            (_, false) => SYSV_CLOBBERS,
+            (call_conv, true) => panic!("unimplemented clobbers for exn abi of {call_conv:?}"),
         }
     }
 

crates/cranelift/src/compiler.rs

@@ -373,9 +373,13 @@ impl wasmtime_environ::Compiler for Compiler {
         let array_call_sig = array_call_signature(isa);
 
         let mut compiler = self.function_compiler();
-        let func = ir::Function::with_name_signature(Default::default(), array_call_sig);
+        let func = ir::Function::with_name_signature(key_to_name(key), array_call_sig);
         let (mut builder, block0) = compiler.builder(func);
 
+        let try_call_block = builder.create_block();
+        builder.ins().jump(try_call_block, []);
+        builder.switch_to_block(try_call_block);
+
         let (vmctx, caller_vmctx, values_vec_ptr, values_vec_len) = {
             let params = builder.func.dfg.block_params(block0);
             (params[0], params[1], params[2], params[3])
@@ -391,41 +395,95 @@ impl wasmtime_environ::Compiler for Compiler {
         args.insert(0, caller_vmctx);
         args.insert(0, vmctx);
 
-        // Just before we enter Wasm, save our stack pointer.
+        // Just before we enter Wasm, save our context information.
         //
         // Assert that we were really given a core Wasm vmctx, since that's
         // what we are assuming with our offsets below.
         self.debug_assert_vmctx_kind(&mut builder, vmctx, wasmtime_environ::VMCONTEXT_MAGIC);
         let offsets = VMOffsets::new(isa.pointer_bytes(), &translation.module);
         let vm_store_context_offset = offsets.ptr.vmctx_store_context();
-        save_last_wasm_entry_fp(
+        save_last_wasm_entry_context(
             &mut builder,
             pointer_type,
             &offsets.ptr,
             vm_store_context_offset.into(),
             vmctx,
+            try_call_block,
         );
 
+        // Create the invocation of wasm, which is notably done with a
+        // `try_call` with an exception handler that's used to handle traps.
+        let normal_return = builder.create_block();
+        let exceptional_return = builder.create_block();
+        let normal_return_values = wasm_call_sig
+            .returns
+            .iter()
+            .map(|ty| {
+                builder
+                    .func
+                    .dfg
+                    .append_block_param(normal_return, ty.value_type)
+            })
+            .collect::<Vec<_>>();
+
         // Then call the Wasm function with those arguments.
         let callee_key = FuncKey::DefinedWasmFunction(module_index, def_func_index);
-        let call = declare_and_call(&mut builder, wasm_call_sig, callee_key, &args);
-        let results = builder.func.dfg.inst_results(call).to_vec();
+        let signature = builder.func.import_signature(wasm_call_sig.clone());
+        let callee = {
+            let (namespace, index) = callee_key.into_raw_parts();
+            let name = ir::ExternalName::User(
+                builder
+                    .func
+                    .declare_imported_user_function(ir::UserExternalName { namespace, index }),
+            );
+            builder.func.dfg.ext_funcs.push(ir::ExtFuncData {
+                name,
+                signature,
+                colocated: true,
+            })
+        };
 
-        // Then store the results back into the array.
+        let dfg = &mut builder.func.dfg;
+        let exception_table = dfg.exception_tables.push(ir::ExceptionTableData::new(
+            signature,
+            ir::BlockCall::new(
+                normal_return,
+                (0..wasm_call_sig.returns.len())
+                    .map(|i| ir::BlockArg::TryCallRet(i.try_into().unwrap())),
+                &mut dfg.value_lists,
+            ),
+            [ir::ExceptionTableItem::Default(ir::BlockCall::new(
+                exceptional_return,
+                None,
+                &mut dfg.value_lists,
+            ))],
+        ));
+        builder.ins().try_call(callee, &args, exception_table);
+
+        builder.seal_block(try_call_block);
+        builder.seal_block(normal_return);
+        builder.seal_block(exceptional_return);
+
+        // On the normal return path store all the results in the array we were
+        // provided and return "true" for "returned successfully".
+        builder.switch_to_block(normal_return);
         self.store_values_to_array(
             &mut builder,
             wasm_func_ty.returns(),
-            &results,
+            &normal_return_values,
             values_vec_ptr,
             values_vec_len,
         );
-
-        // At this time wasm functions always signal traps with longjmp or some
-        // similar sort of routine, so if we got this far that means that the
-        // function did not trap, so return a "true" value here to indicate that
-        // to satisfy the ABI of the array-call signature.
         let true_return = builder.ins().iconst(ir::types::I8, 1);
         builder.ins().return_(&[true_return]);
+
+        // On the exceptional return path just return "false" for "did not
+        // succeed". Note that register restoration is part of the `try_call`
+        // and handler implementation.
+        builder.switch_to_block(exceptional_return);
+        let false_return = builder.ins().iconst(ir::types::I8, 0);
+        builder.ins().return_(&[false_return]);
+
         builder.finalize();
 
         Ok(CompiledFunctionBody {
@@ -448,7 +506,7 @@ impl wasmtime_environ::Compiler for Compiler {
         let array_call_sig = array_call_signature(isa);
 
         let mut compiler = self.function_compiler();
-        let func = ir::Function::with_name_signature(Default::default(), wasm_call_sig);
+        let func = ir::Function::with_name_signature(key_to_name(key), wasm_call_sig);
         let (mut builder, block0) = compiler.builder(func);
 
         let args = builder.func.dfg.block_params(block0).to_vec();
@@ -702,7 +760,7 @@ impl wasmtime_environ::Compiler for Compiler {
         let host_sig = sigs.host_signature(builtin_func_index);
 
         let mut compiler = self.function_compiler();
-        let func = ir::Function::with_name_signature(Default::default(), wasm_sig.clone());
+        let func = ir::Function::with_name_signature(key_to_name(key), wasm_sig.clone());
         let (mut builder, block0) = compiler.builder(func);
         let vmctx = builder.block_params(block0)[0];
 
@@ -724,7 +782,7 @@ impl wasmtime_environ::Compiler for Compiler {
         let call = self.call_builtin(&mut builder, vmctx, &args, builtin_func_index, host_sig);
         let results = builder.func.dfg.inst_results(call).to_vec();
 
-        // Libcalls do not explicitly `longjmp` for example but instead return a
+        // Libcalls do not explicitly jump/raise on traps but instead return a
         // code indicating whether they trapped or not. This means that it's the
         // responsibility of the trampoline to check for an trapping return
         // value and raise a trap as appropriate. With the `results` above check
@@ -1127,9 +1185,9 @@ impl Compiler {
     /// This helper is used when the host returns back to WebAssembly. The host
     /// returns a `bool` indicating whether the call succeeded. If the call
     /// failed then Cranelift needs to unwind back to the original invocation
-    /// point. The unwind right now is then implemented in Wasmtime with a
-    /// `longjmp`, but one day this might be implemented differently with an
-    /// unwind inside of Cranelift.
+    /// point. The unwind right now is then implemented in Wasmtime with an
+    /// exceptional resume, one day this might be implemented differently with
+    /// an unwind inside of Cranelift.
     ///
     /// Additionally in the future for pulley this will emit a special trap
     /// opcode for Pulley itself to cease interpretation and exit the
@@ -1402,33 +1460,13 @@ fn clif_to_env_exception_tables<'a>(
     builder.add_func(CodeOffset::try_from(range.start).unwrap(), call_sites)
 }
 
-fn declare_and_call(
-    builder: &mut FunctionBuilder,
-    signature: ir::Signature,
-    callee_key: FuncKey,
-    args: &[ir::Value],
-) -> ir::Inst {
-    let (namespace, index) = callee_key.into_raw_parts();
-    let name = ir::ExternalName::User(
-        builder
-            .func
-            .declare_imported_user_function(ir::UserExternalName { namespace, index }),
-    );
-    let signature = builder.func.import_signature(signature);
-    let callee = builder.func.dfg.ext_funcs.push(ir::ExtFuncData {
-        name,
-        signature,
-        colocated: true,
-    });
-    builder.ins().call(callee, &args)
-}
-
-fn save_last_wasm_entry_fp(
+fn save_last_wasm_entry_context(
     builder: &mut FunctionBuilder,
     pointer_type: ir::Type,
     ptr_size: &impl PtrSize,
     vm_store_context_offset: u32,
     vmctx: Value,
+    block: ir::Block,
 ) {
     // First we need to get the `VMStoreContext`.
     let vm_store_context = builder.ins().load(
@@ -1438,14 +1476,33 @@ fn save_last_wasm_entry_fp(
         i32::try_from(vm_store_context_offset).unwrap(),
     );
 
-    // Then store our current stack pointer into the appropriate slot.
+    // Save the current fp/sp of the entry trampoline into the `VMStoreContext`.
     let fp = builder.ins().get_frame_pointer(pointer_type);
     builder.ins().store(
         MemFlags::trusted(),
         fp,
         vm_store_context,
         ptr_size.vmstore_context_last_wasm_entry_fp(),
     );
+    let sp = builder.ins().get_stack_pointer(pointer_type);
+    builder.ins().store(
+        MemFlags::trusted(),
+        sp,
+        vm_store_context,
+        ptr_size.vmstore_context_last_wasm_entry_sp(),
+    );
+
+    // Also save the address of this function's exception handler. This is used
+    // as a resumption point for traps, for example.
+    let trap_handler = builder
+        .ins()
+        .get_exception_handler_address(pointer_type, block, 0);
+    builder.ins().store(
+        MemFlags::trusted(),
+        trap_handler,
+        vm_store_context,
+        ptr_size.vmstore_context_last_wasm_entry_trap_handler(),
+    );
 }
 
 fn save_last_wasm_exit_fp_and_pc(
@@ -1474,3 +1531,8 @@ fn save_last_wasm_exit_fp_and_pc(
         ptr.vmstore_context_last_wasm_exit_pc(),
     );
 }
+
+fn key_to_name(key: FuncKey) -> ir::UserFuncName {
+    let (namespace, index) = key.into_raw_parts();
+    ir::UserFuncName::User(ir::UserExternalName { namespace, index })
+}

crates/cranelift/src/lib.rs

@@ -302,7 +302,7 @@ fn mach_reloc_to_reloc(
             // in the Wasm-to-Cranelift translator.
             panic!("unexpected libcall {libcall:?}");
         }
-        _ => panic!("unrecognized external name"),
+        _ => panic!("unrecognized external name {target:?}"),
     };
     Relocation {
         reloc: kind,

crates/environ/src/vmoffsets.rs

@@ -218,14 +218,24 @@ pub trait PtrSize {
         self.vmstore_context_last_wasm_exit_trampoline_fp() + self.size()
     }
 
+    /// Return the offset of the `last_wasm_entry_sp` field of `VMStoreContext`.
+    fn vmstore_context_last_wasm_entry_sp(&self) -> u8 {
+        self.vmstore_context_last_wasm_exit_pc() + self.size()
+    }
+
     /// Return the offset of the `last_wasm_entry_fp` field of `VMStoreContext`.
     fn vmstore_context_last_wasm_entry_fp(&self) -> u8 {
-        self.vmstore_context_last_wasm_exit_pc() + self.size()
+        self.vmstore_context_last_wasm_entry_sp() + self.size()
+    }
+
+    /// Return the offset of the `last_wasm_entry_trap_handler` field of `VMStoreContext`.
+    fn vmstore_context_last_wasm_entry_trap_handler(&self) -> u8 {
+        self.vmstore_context_last_wasm_entry_fp() + self.size()
     }
 
     /// Return the offset of the `stack_chain` field of `VMStoreContext`.
     fn vmstore_context_stack_chain(&self) -> u8 {
-        self.vmstore_context_last_wasm_entry_fp() + self.size()
+        self.vmstore_context_last_wasm_entry_trap_handler() + self.size()
     }
 
     // Offsets within `VMMemoryDefinition`

crates/wasmtime/build.rs

@@ -85,12 +85,13 @@ fn build_c_helpers() {
     build.define("VERSIONED_SUFFIX", Some(versioned_suffix!()));
     if std::env::var("CARGO_FEATURE_DEBUG_BUILTINS").is_ok() {
         build.define("FEATURE_DEBUG_BUILTINS", None);
-    }
-
-    // On MinGW targets work around a bug in the MinGW compiler described at
-    // https://github.com/bytecodealliance/wasmtime/pull/9688#issuecomment-2573367719
-    if cfg("windows") && cfg_is("target_env", "gnu") {
-        build.define("__USE_MINGW_SETJMP_NON_SEH", None);
+    } else if cfg("windows") {
+        // If debug builtins are disabled and this target is for Windows then
+        // there's no need to build the C helpers file.
+        //
+        // TODO: should skip this on Unix targets as well but needs a solution
+        // for `wasmtime_using_libunwind`.
+        return;
     }
 
     println!("cargo:rerun-if-changed=src/runtime/vm/helpers.c");