PCC: fully support dynamic and static memories in Wasmtime on x86-64 and aarch64. #7468
Merged
…cts. Co-authored-by: Nick Fitzgerald <fitzgen@gmail.com>
Co-authored-by: Nick Fitzgerald <fitzgen@gmail.com>
Co-authored-by: Nick Fitzgerald <fitzgen@gmail.com>
…as needed. This commit also adds an integration test to Wasmtime that checks all dynamic and static memory cases on x86-64 and aarch64. Test expected-output changes are due to a change from `iadd_imm(x, -k)` to `isub(x, iconst(k))` in bounds-check code to facilitate facts on the computation.
github-actions bot added labels Nov 3, 2023:
- cranelift: Issues related to the Cranelift code generator
- cranelift:area:machinst: Issues related to instruction selection and the new MachInst backend.
- cranelift:area:aarch64: Issues related to AArch64 backend.
- cranelift:area:x64: Issues related to x64 codegen
- isle: Related to the ISLE domain-specific language
fitzgen approved these changes Nov 3, 2023
r=me with comments addressed
github-merge-queue bot removed this pull request from the merge queue due to failed status checks Nov 4, 2023
This PR completes the work to add proof-carrying-code validation to Wasm heap accesses in Wasmtime, for all bounds-check cases (dynamic and static, covering the 4 and 3 cases of the former and latter respectively), on x86-64 and aarch64.

The PR includes an integration test at the top level (`tests/pcc_memory.rs`) that compiles a Wasm module with PCC enabled under a range of memory configurations. Ideally we'd use the existing Wasm filetest infrastructure for this; but it has its own Wasm environment definitions and PCC hasn't been plumbed through those (this would also mean we'd be testing a slightly different path of at least the memory-type setup than production Wasmtime).

The test expectations change slightly because this PR had to change `iadd_imm(x, -k)` to `isub(x, iconst(k))` in the generated bounds-checking code. Some of the backends (riscv64, s390x) seem to match iadd-of-negative better than isub-of-positive; but that's an orthogonal isel issue and can be fixed up.

I hope to add fuzzing to exercise this further, but we at least have (theoretical) functional completeness with this PR. Hence, I think this fixes #6090.

Followup work on PCC could include use of PCC annotations to verify table accesses as well, and a strong-enforcing mode that disallows all non-`checked` memory accesses (so we have to audit and allowlist constant pools and ABI code and the like, and ensure all lowered Wasm ops are covered). However I don't think this additional assurance level is necessary to turn on and benefit from Wasm-memory-bounds-checking PCC.

The first half of this PR was
Co-authored-by: Nick Fitzgerald <fitzgen@gmail.com>
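
A toy model, added here as an illustration and not code from this PR or from Cranelift, of one way the `iadd_imm(x, -k)` to `isub(x, iconst(k))` change can help a fact checker: both compute the same wrapped value, but an unsigned range rule can derive a bound only for the subtraction. The `URange` type, the rule functions and the sample memory sizes are hypothetical simplifications, not Cranelift's PCC fact types.

```rust
// Hypothetical unsigned-range fact: the value is known to lie in [min, max].
#[derive(Clone, Copy, Debug, PartialEq)]
struct URange {
    min: u64,
    max: u64,
}

// Rule for `isub(x, iconst(k))`: a fact exists only if the subtraction cannot wrap,
// i.e. every value x may take is at least k.
fn fact_isub(x: URange, k: u64) -> Option<URange> {
    Some(URange { min: x.min.checked_sub(k)?, max: x.max.checked_sub(k)? })
}

// Rule for `iadd_imm(x, -k)`: the immediate is the two's-complement constant 2^64 - k,
// so a plain unsigned addition rule sees an overflow and derives no fact.
fn fact_iadd_imm_neg(x: URange, k: u64) -> Option<URange> {
    let imm = k.wrapping_neg();
    Some(URange { min: x.min.checked_add(imm)?, max: x.max.checked_add(imm)? })
}

// Dynamic-memory style check: the generated guard traps unless addr <= limit, where
// limit = bound - size. The access verifies if limit's fact proves
// addr + size <= bound.max. With no fact on limit, nothing can be proven.
fn guarded_access_verifies(bound: URange, size: u64, limit: Option<URange>) -> bool {
    match limit {
        Some(l) => l.max.checked_add(size).map_or(false, |end| end <= bound.max),
        None => false,
    }
}

fn main() {
    // Constructed sample: a memory whose byte length is between 64 KiB and 4 GiB.
    let bound = URange { min: 0x1_0000, max: 0x1_0000_0000 };
    let size = 8; // 8-byte access

    let via_isub = fact_isub(bound, size);
    let via_iadd = fact_iadd_imm_neg(bound, size);
    println!("isub fact:     {:?}", via_isub);
    println!("iadd_imm fact: {:?}", via_iadd);
    println!("verifies via isub:     {}", guarded_access_verifies(bound, size, via_isub));
    println!("verifies via iadd_imm: {}", guarded_access_verifies(bound, size, via_iadd));

    // Failure mode: if the memory may be smaller than the access, `bound - size`
    // can wrap at run time, so no fact is derived for the subtraction either.
    println!("tiny memory: {:?}", fact_isub(URange { min: 0, max: 0x1_0000 }, size));
}
```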