wasmerio · lachlansneff · Jan 21, 2019 · Jan 18, 2019 · Jan 18, 2019 · Jan 18, 2019
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/lib/clif-backend/Cargo.toml b/lib/clif-backend/Cargo.toml
@@ -14,3 +14,8 @@ hashbrown = "0.1"
 target-lexicon = "0.2.0"
 wasmparser = "0.23.0"
 byteorder = "1"
+nix = "0.12.0"
+# We depend on libffi for now.
+# This will be removed asap.
+libffi = "0.6.4"
+
diff --git a/lib/clif-backend/src/call/mod.rs b/lib/clif-backend/src/call/mod.rs
@@ -0,0 +1,138 @@
+mod recovery;
+mod sighandler;
+
+pub use self::recovery::HandlerData;
+
+use crate::call::recovery::call_protected;
+use hashbrown::HashSet;
+use libffi::high::{arg as libffi_arg, call as libffi_call, CodePtr};
+use std::iter;
+use wasmer_runtime::{
+    backend::{ProtectedCaller, Token},
+    error::RuntimeResult,
+    export::Context,
+    module::{ExportIndex, ModuleInner},
+    types::{FuncIndex, FuncSig, LocalOrImport, Type, Value},
+    vm::{self, ImportBacking},
+};
+
+pub struct Caller {
+    func_export_set: HashSet<FuncIndex>,
+    handler_data: HandlerData,
+}
+
+impl Caller {
+    pub fn new(module: &ModuleInner, handler_data: HandlerData) -> Self {
+        let mut func_export_set = HashSet::new();
+        for export_index in module.exports.values() {
+            if let ExportIndex::Func(func_index) = export_index {
+                func_export_set.insert(*func_index);
+            }
+        }
+        if let Some(start_func_index) = module.start_func {
+            func_export_set.insert(start_func_index);
+        }
+
+        Self {
+            func_export_set,
+            handler_data,
+        }
+    }
+}
+
+impl ProtectedCaller for Caller {
+    fn call(
+        &self,
+        module: &ModuleInner,
+        func_index: FuncIndex,
+        params: &[Value],
+        returns: &mut [Value],
+        import_backing: &ImportBacking,
+        vmctx: *mut vm::Ctx,
+        _: Token,
+    ) -> RuntimeResult<()> {
+        let (func_ptr, ctx, signature) = get_func_from_index(&module, import_backing, func_index);
+
+        let vmctx_ptr = match ctx {
+            Context::External(external_vmctx) => external_vmctx,
+            Context::Internal => vmctx,
+        };
+
+        assert!(self.func_export_set.contains(&func_index));
+
+        assert!(
+            returns.len() == signature.returns.len() && signature.returns.len() <= 1,
+            "multi-value returns not yet supported"
+        );
+
+        assert!(signature.check_sig(params), "incorrect signature");
+
+        let libffi_args: Vec<_> = params
+            .iter()
+            .map(|val| match val {
+                Value::I32(ref x) => libffi_arg(x),
+                Value::I64(ref x) => libffi_arg(x),
+                Value::F32(ref x) => libffi_arg(x),
+                Value::F64(ref x) => libffi_arg(x),
+            })
+            .chain(iter::once(libffi_arg(&vmctx_ptr)))
+            .collect();
+
+        let code_ptr = CodePtr::from_ptr(func_ptr as _);
+
+        call_protected(&self.handler_data, || {
+            // Only supports zero or one return values for now.
+            // To support multiple returns, we will have to
+            // generate trampolines instead of using libffi.
+            match signature.returns.first() {
+                Some(ty) => {
+                    let val = match ty {
+                        Type::I32 => Value::I32(unsafe { libffi_call(code_ptr, &libffi_args) }),
+                        Type::I64 => Value::I64(unsafe { libffi_call(code_ptr, &libffi_args) }),
+                        Type::F32 => Value::F32(unsafe { libffi_call(code_ptr, &libffi_args) }),
+                        Type::F64 => Value::F64(unsafe { libffi_call(code_ptr, &libffi_args) }),
+                    };
+                    returns[0] = val;
+                }
+                // call with no returns
+                None => unsafe {
+                    libffi_call::<()>(code_ptr, &libffi_args);
+                },
+            }
+        })
+    }
+}
+
+fn get_func_from_index<'a>(
+    module: &'a ModuleInner,
+    import_backing: &ImportBacking,
+    func_index: FuncIndex,
+) -> (*const vm::Func, Context, &'a FuncSig) {
+    let sig_index = *module
+        .func_assoc
+        .get(func_index)
+        .expect("broken invariant, incorrect func index");
+
+    let (func_ptr, ctx) = match func_index.local_or_import(module) {
+        LocalOrImport::Local(local_func_index) => (
+            module
+                .func_resolver
+                .get(&module, local_func_index)
+                .expect("broken invariant, func resolver not synced with module.exports")
+                .cast()
+                .as_ptr() as *const _,
+            Context::Internal,
+        ),
+        LocalOrImport::Import(imported_func_index) => {
+            let imported_func = import_backing.imported_func(imported_func_index);
+            (
+                imported_func.func as *const _,
+                Context::External(imported_func.vmctx),
+            )
+        }
+    };
+
+    let signature = module.sig_registry.lookup_func_sig(sig_index);
+
+    (func_ptr, ctx, signature)
+}
diff --git a/lib/clif-backend/src/call/recovery.rs b/lib/clif-backend/src/call/recovery.rs
@@ -0,0 +1,189 @@
+//! When a WebAssembly module triggers any traps, we perform recovery here.
+//!
+//! This module uses TLS (thread-local storage) to track recovery information. Since the four signals we're handling
+//! are very special, the async signal unsafety of Rust's TLS implementation generally does not affect the correctness here
+//! unless you have memory unsafety elsewhere in your code.
+
+use crate::call::sighandler::install_sighandler;
+use crate::relocation::{TrapData, TrapSink};
+use cranelift_codegen::ir::TrapCode;
+use nix::libc::{c_void, siginfo_t};
+use nix::sys::signal::{Signal, SIGBUS, SIGFPE, SIGILL, SIGSEGV};
+use std::cell::{Cell, UnsafeCell};
+use std::ptr;
+use std::sync::Once;
+use wasmer_runtime::{
+    error::{RuntimeError, RuntimeResult},
+    structures::TypedIndex,
+    types::{MemoryIndex, TableIndex},
+};
+
+extern "C" {
+    pub fn setjmp(env: *mut ::nix::libc::c_void) -> ::nix::libc::c_int;
+    fn longjmp(env: *mut ::nix::libc::c_void, val: ::nix::libc::c_int) -> !;
+}
+
+const SETJMP_BUFFER_LEN: usize = 27;
+pub static SIGHANDLER_INIT: Once = Once::new();
+
+thread_local! {
+    pub static SETJMP_BUFFER: UnsafeCell<[::nix::libc::c_int; SETJMP_BUFFER_LEN]> = UnsafeCell::new([0; SETJMP_BUFFER_LEN]);
+    pub static CAUGHT_ADDRESSES: Cell<(*const c_void, *const c_void)> = Cell::new((ptr::null(), ptr::null()));
+    pub static CURRENT_EXECUTABLE_BUFFER: Cell<*const c_void> = Cell::new(ptr::null());
+}
+
+pub struct HandlerData {
+    trap_data: TrapSink,
+    buffer_ptr: *const c_void,
+    buffer_size: usize,
+}
+
+impl HandlerData {
+    pub fn new(trap_data: TrapSink, buffer_ptr: *const c_void, buffer_size: usize) -> Self {
+        Self {
+            trap_data,
+            buffer_ptr,
+            buffer_size,
+        }
+    }
+
+    pub fn lookup(&self, ip: *const c_void) -> Option<TrapData> {
+        let ip = ip as usize;
+        let buffer_ptr = self.buffer_ptr as usize;
+
+        if buffer_ptr <= ip && ip < buffer_ptr + self.buffer_size {
+            let offset = ip - buffer_ptr;
+            self.trap_data.lookup(offset)
+        } else {
+            None
+        }
+    }
+}
+
+pub fn call_protected<T>(handler_data: &HandlerData, f: impl FnOnce() -> T) -> RuntimeResult<T> {
+    unsafe {
+        let jmp_buf = SETJMP_BUFFER.with(|buf| buf.get());
+        let prev_jmp_buf = *jmp_buf;
+
+        SIGHANDLER_INIT.call_once(|| {
+            install_sighandler();
+        });
+
+        let signum = setjmp(jmp_buf as *mut ::nix::libc::c_void);
+        if signum != 0 {
+            *jmp_buf = prev_jmp_buf;
+            let (faulting_addr, _) = CAUGHT_ADDRESSES.with(|cell| cell.get());
+
+            if let Some(TrapData {
+                trapcode,
+                srcloc: _,
+            }) = handler_data.lookup(faulting_addr)
+            {
+                Err(match Signal::from_c_int(signum) {
+                    Ok(SIGILL) => match trapcode {
+                        TrapCode::BadSignature => RuntimeError::IndirectCallSignature {
+                            table: TableIndex::new(0),
+                        },
+                        TrapCode::IndirectCallToNull => RuntimeError::IndirectCallToNull {
+                            table: TableIndex::new(0),
+                        },
+                        TrapCode::HeapOutOfBounds => {
+                            let addr =
+                                (faulting_addr as usize) - (handler_data.buffer_ptr as usize);
+                            if addr <= handler_data.buffer_size {
+                                // in the memory
+                                RuntimeError::OutOfBoundsAccess {
+                                    memory: MemoryIndex::new(0),
+                                    addr: addr as u32,
+                                }
+                            } else {
+                                // if there's an invalid access outside of the memory, including guard pages
+                                // just kill the process.
+                                panic!("invalid memory access, way out of bounds")
+                            }
+                        }
+                        TrapCode::TableOutOfBounds => RuntimeError::TableOutOfBounds {
+                            table: TableIndex::new(0),
+                        },
+                        _ => RuntimeError::Unknown {
+                            msg: "unknown trap".to_string(),
+                        },
+                    },
+                    Ok(SIGSEGV) | Ok(SIGBUS) => {
+                        let addr = (faulting_addr as usize) - (handler_data.buffer_ptr as usize);
+                        if addr <= handler_data.buffer_size {
+                            // in the memory
+                            RuntimeError::OutOfBoundsAccess {
+                                memory: MemoryIndex::new(0),
+                                addr: addr as u32,
+                            }
+                        } else {
+                            // if there's an invalid access outside of the memory, including guard pages
+                            // just kill the process.
+                            panic!("invalid memory access, way out of bounds")
+                        }
+                    }
+                    Ok(SIGFPE) => RuntimeError::IllegalArithmeticOperation,
+                    _ => unimplemented!(),
+                }
+                .into())
+            } else {
+                let signal = match Signal::from_c_int(signum) {
+                    Ok(SIGFPE) => "floating-point exception",
+                    Ok(SIGILL) => "illegal instruction",
+                    Ok(SIGSEGV) => "segmentation violation",
+                    Ok(SIGBUS) => "bus error",
+                    Err(_) => "error while getting the Signal",
+                    _ => "unkown trapped signal",
+                };
+                // When the trap-handler is fully implemented, this will return more information.
+                Err(RuntimeError::Unknown {
+                    msg: format!("trap at {:p} - {}", faulting_addr, signal),
+                }
+                .into())
+            }
+        } else {
+            let ret = f(); // TODO: Switch stack?
+            *jmp_buf = prev_jmp_buf;
+            Ok(ret)
+        }
+    }
+}
+
+/// Unwinds to last protected_call.
+pub unsafe fn do_unwind(signum: i32, siginfo: *mut siginfo_t, ucontext: *const c_void) -> ! {
+    // Since do_unwind is only expected to get called from WebAssembly code which doesn't hold any host resources (locks etc.)
+    // itself, accessing TLS here is safe. In case any other code calls this, it often indicates a memory safety bug and you should
+    // temporarily disable the signal handlers to debug it.
+
+    let jmp_buf = SETJMP_BUFFER.with(|buf| buf.get());
+    if *jmp_buf == [0; SETJMP_BUFFER_LEN] {
+        ::std::process::abort();
+    }
+
+    CAUGHT_ADDRESSES.with(|cell| cell.set(get_faulting_addr_and_ip(siginfo, ucontext)));
+
+    longjmp(jmp_buf as *mut ::nix::libc::c_void, signum)
+}
+
+#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
+unsafe fn get_faulting_addr_and_ip(
+    siginfo: *mut siginfo_t,
+    _ucontext: *const c_void,
+) -> (*const c_void, *const c_void) {
+    (ptr::null(), ptr::null())
+}
+
+#[cfg(all(target_os = "macos", target_arch = "x86_64"))]
+unsafe fn get_faulting_addr_and_ip(
+    siginfo: *mut siginfo_t,
+    _ucontext: *const c_void,
+) -> (*const c_void, *const c_void) {
+    ((*siginfo).si_addr, ptr::null())
+}
+
+#[cfg(not(any(
+    all(target_os = "macos", target_arch = "x86_64"),
+    all(target_os = "linux", target_arch = "x86_64"),
+)))]
+compile_error!("This crate doesn't yet support compiling on operating systems other than linux and macos and architectures other than x86_64");
diff --git a/lib/runtime/src/sighandler.rs → lib/clif-backend/src/call/sighandler.rs b/lib/runtime/src/sighandler.rs → lib/clif-backend/src/call/sighandler.rs
@@ -1,10 +1,8 @@
-//! We install signal handlers to handle WebAssembly traps within
-//! our Rust code. Otherwise we will have errors that stop the Rust process
-//! such as `process didn't exit successfully: ... (signal: 8, SIGFPE: erroneous arithmetic operation)`
+//! Installing signal handlers allows us to handle traps and out-of-bounds memory
+//! accesses that occur when runniing webassembly.
 //!
-//! Please read more about this here: https://github.com/CraneStation/wasmtime/issues/15
 //! This code is inspired by: https://github.com/pepyakin/wasmtime/commit/625a2b6c0815b21996e111da51b9664feb174622
-use crate::recovery;
+use crate::call::recovery;
 use nix::libc::{c_void, siginfo_t};
 use nix::sys::signal::{
     sigaction, SaFlags, SigAction, SigHandler, SigSet, SIGBUS, SIGFPE, SIGILL, SIGSEGV,
@@ -25,9 +23,9 @@ pub unsafe fn install_sighandler() {
 extern "C" fn signal_trap_handler(
     signum: ::nix::libc::c_int,
     siginfo: *mut siginfo_t,
-    _ucontext: *mut c_void,
+    ucontext: *mut c_void,
 ) {
     unsafe {
-        recovery::do_unwind(signum, siginfo);
+        recovery::do_unwind(signum, siginfo, ucontext);
     }
 }