Skip to content

Remove unsoundness of widening store borrows #11481

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 21, 2025
Merged

Remove unsoundness of widening store borrows #11481

merged 2 commits into from
Aug 21, 2025

Conversation

@alexcrichton
Copy link
Member

@alexcrichton alexcrichton commented Aug 20, 2025

This commit removes preexisting unsoundness in Wasmtime where a
&mut StoreOpaque borrow was "widened" into encompassing the limiter on
the T in StoreInner<T>, for example, by using the self-pointer
located in an instance or the store. This fix is done by threading
&mut StoreOpaque as a parameter separately from a
StoreResourceLimiter. This means that various callers now take a new
Option<&mut StoreResourceLimiter<'_>> parameter in various locations.

Closes #11409

@alexcrichton alexcrichton requested a review from a team as a code owner August 20, 2025 21:47
@alexcrichton alexcrichton requested review from dicej and removed request for a team August 20, 2025 21:47
@alexcrichton
Copy link
Member Author

alexcrichton commented Aug 20, 2025

Currently built on #11480, which is in turn built on #11470, so the first three commits aren't part of this PR

dicej
dicej approved these changes Aug 20, 2025
View reviewed changes
crates/wasmtime/src/runtime/component/instance.rs
);
store.on_fiber(|store| self.instantiate_impl(store)).await?
pub async fn instantiate_async(&self, store: impl AsContextMut<Data = T>) -> Result<Instance> {
self._instantiate(store).await
Copy link
Contributor

@dicej dicej Aug 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we not need an assert!(store.0.async_support()) here anymore?

Copy link
Member Author

@alexcrichton alexcrichton Aug 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A good question! That's part of the previous commits and Nick was also curious here, with some rationale in my response over there

fitzgen
fitzgen approved these changes Aug 20, 2025
View reviewed changes
Copy link
Member

@fitzgen fitzgen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

@alexcrichton
Remove unsoundness of widening store borrows
193283a 
This commit removes preexisting unsoundness in Wasmtime where a
`&mut StoreOpaque` borrow was "widened" into encompassing the limiter on
the `T` in `StoreInner<T>`, for example, by using the self-pointer
located in an instance or the store. This fix is done by threading
`&mut StoreOpaque` as a parameter separately from a
`StoreResourceLimiter`. This means that various callers now take a new
`Option<&mut StoreResourceLimiter<'_>>` parameter in various locations.

Closes bytecodealliance#11409
@alexcrichton
Fix gc-less build
1288134
@alexcrichton alexcrichton force-pushed the remove-unsound-widening-borrows branch from 20ee87b to 1288134 Compare August 21, 2025 01:11
@alexcrichton alexcrichton enabled auto-merge August 21, 2025 01:11
@alexcrichton alexcrichton added this pull request to the merge queue Aug 21, 2025
Merged via the queue into bytecodealliance:main with commit 155ea7f Aug 21, 2025
44 checks passed
@alexcrichton alexcrichton deleted the remove-unsound-widening-borrows branch August 21, 2025 01:45
bongjunj pushed a commit to prosyslab/wasmtime that referenced this pull request Oct 20, 2025
@alexcrichton @bongjunj
Remove unsoundness of widening store borrows (bytecodealliance#11481)
7b7a55e 
* Remove unsoundness of widening store borrows

This commit removes preexisting unsoundness in Wasmtime where a
`&mut StoreOpaque` borrow was "widened" into encompassing the limiter on
the `T` in `StoreInner<T>`, for example, by using the self-pointer
located in an instance or the store. This fix is done by threading
`&mut StoreOpaque` as a parameter separately from a
`StoreResourceLimiter`. This means that various callers now take a new
`Option<&mut StoreResourceLimiter<'_>>` parameter in various locations.

Closes bytecodealliance#11409

* Fix gc-less build
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fitzgen fitzgen fitzgen approved these changes

@dicej dicej dicej approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Implementation of GC is not sound with resource limiters

3 participants

@alexcrichton @fitzgen @dicej