Implement the memory64 proposal in Wasmtime #3153
Conversation
I believe mmap has a flag that prevents overwriting already mapped memory. Combining this with MAP_FIXED would allow growing the heap without moving part of the time. |
github-actions
bot
added
cranelift
Subscribe to Label Actioncc @fitzgen, @peterhuene
This issue or pull request has been labeled: "cranelift", "cranelift:meta", "cranelift:wasm", "fuzzing", "wasmtime:c-api"
Thus the following users have been cc'd because of the following labels:
To subscribe or unsubscribe from this label, edit the |
|
Hm ok so I may need some assistance with that error. Currently we have: enum InstructionData {
HeapData(Opcode /* u16 */, Value /* u32 */, ir::Heap /* u32 */, imm: ir::immediates::Uimm32 /* u32 */),
// ...
}This results in a 16-byte enum size in total because the discriminant can be packed into the space preceding struct Before(u8, u16, u32, u32, u32);
// .. vs ..
struct After(u8, u16, u32, u32, u64);and there's a test asserting that this enum is 16-bytes in size. I'm having trouble figuring out how best to shrink this back to 16-bytes. Some things I've tried:
Do others have alternative ideas that could be implemented, or guidance on which of the above paths is the way to go here? |
|
load, store, etc also use 32bit offsets even though they can already be used with 64bit pointers. In cg_clif if the offset overflows the |
|
I may be misunderstanding the use of that immediate, but it looks to me like the field is actually used to denote the size of the access, not of the underlying heap (link), on the |
|
Heh unfortunately I think you've fallen into the same trap I've fallen into a number of times. The Put another way, because wasm memory offsets can be 64-bits (with memory64), and because we use this offset as the "access size", that's the motivation for increasing the bit-width of the access size. |
|
Hmm, I see; unexpected but I guess that usage makes sense. IMHO the best option here is probably a hybrid approach during translation: if the offset fits in 32 bits (which will be the case the overwhelming majority of the time, hopefully), do as we presently do; if larger, then emit an explicit add instruction to compute the |
|
I considered doing the I think it would work for the time being, but I wanted to explore possibilities to update the cranelift instruction. I think it makes sense to not inflate 16 bytes to 24 bytes, but I wasn't having much luck brainstorming possibilities of how to keep it under 16 bytes (unless we want to change heap indexes to u8 and disallow 256+ heaps (which I'm not sure why we'd want anyway) |
|
It would only be two checks for offsets >4GiB, no? I'd expect that most Wasm producers use offsets for things like structs and it would be very strange to have an offset that large, so in my thinking at least, it makes sense to treat this as a "needed for correctness but can be slow" corner. I may be misunderstanding the issue though? Re: heap count, I'd be hesitant about limiting to 256 heaps; we might bump our heads on that in the future multi-module / component world (e.g. heap per Wasm component, with 300 components in a very large dependency graph -- at least, that's not totally implausible). |
|
Hm nah that's a good point. We already incur a real bounds check on wasm32 for 2gb+ offsets so having an extra bounds check on wasm64 for 4gb+ bounds makes sense. I'll go ahead and implement that doing an addition with a overflow check if the offset doesn't fit in a u32 |
This commit implements the WebAssembly [memory64 proposal][proposal] in both Wasmtime and Cranelift. In terms of work done Cranelift ended up needing very little work here since most of it was already prepared for 64-bit memories at one point or another. Most of the work in Wasmtime is largely refactoring, changing a bunch of `u32` values to something else. A number of internal and public interfaces are changing as a result of this commit, for example: * Acessors on `wasmtime::Memory` that work with pages now all return `u64` unconditionally rather than `u32`. This makes it possible to accommodate 64-bit memories with this API, but we may also want to consider `usize` here at some point since the host can't grow past `usize`-limited pages anyway. * The `wasmtime::Limits` structure is removed in favor of minimum/maximum methods on table/memory types. * Many libcall intrinsics called by jit code now unconditionally take `u64` arguments instead of `u32`. Return values are `usize`, however, since the return value, if successful, is always bounded by host memory while arguments can come from any guest. * The `heap_addr` clif instruction now takes a 64-bit offset argument instead of a 32-bit one. It turns out that the legalization of `heap_addr` already worked with 64-bit offsets, so this change was fairly trivial to make. * The runtime implementation of mmap-based linear memories has changed to largely work in `usize` quantities in its API and in bytes instead of pages. This simplifies various aspects and reflects that mmap-memories are always bound by `usize` since that's what the host is using to address things, and additionally most calculations care about bytes rather than pages except for the very edge where we're going to/from wasm. Overall I've tried to minimize the amount of `as` casts as possible, using checked `try_from` and checked arithemtic with either error handling or explicit `unwrap()` calls to tell us about bugs in the future. Most locations have relatively obvious things to do with various implications on various hosts, and I think they should all be roughly of the right shape but time will tell. I mostly relied on the compiler complaining that various types weren't aligned to figure out type-casting, and I manually audited some of the more obvious locations. I suspect we have a number of hidden locations that will panic on 32-bit hosts if 64-bit modules try to run there, but otherwise I think we should be generally ok (famous last words). In any case I wouldn't want to enable this by default naturally until we've fuzzed it for some time. In terms of the actual underlying implementation, no one should expect memory64 to be all that fast. Right now it's implemented with "dynamic" heaps which have a few consequences: * All memory accesses are bounds-checked. I'm not sure how aggressively Cranelift tries to optimize out bounds checks, but I suspect not a ton since we haven't stressed this much historically. * Heaps are always precisely sized. This means that every call to `memory.grow` will incur a `memcpy` of memory from the old heap to the new. We probably want to at least look into `mremap` on Linux and otherwise try to implement schemes where dynamic heaps have some reserved pages to grow into to help amortize the cost of `memory.grow`. The memory64 spec test suite is scheduled to now run on CI, but as with all the other spec test suites it's really not all that comprehensive. I've tried adding more tests for basic things as I've had to implement guards for them, but I wouldn't really consider the testing adequate from just this PR itself. I did try to take care in one test to actually allocate a 4gb+ heap and then avoid running that in the pooling allocator or in emulation because otherwise that may fail or take excessively long. [proposal]: https://github.com/WebAssembly/memory64/blob/master/proposals/memory64/Overview.md
This commit updates the generation of addresses in wasm code to always use 32-bit offsets for `heap_addr`, and if the calculated offset is bigger than 32-bits we emit a manual add with an overflow check.
|
For reviewers, extra care when reviewing |
| @@ -2222,25 +2218,65 @@ fn prepare_addr<FE: FuncEnvironment + ?Sized>( | |||
| // offsets we're checking here are zero. This means that we'll hit the fast | |||
| // path and emit zero conditional traps for bounds checks | |||
| let adjusted_offset = if offset_guard_size == 0 { | |||
| u64::from(offset) + u64::from(access_size) | |||
| memarg.offset.saturating_add(u64::from(access_size)) | |||
There was a problem hiding this comment.
Good catch (avoiding wraparound). Could you add a comment re: the saturation here to note this is protecting against offset + access-size overflowing?
| // pessimized a fair amount. We can't pass the fixed-sized offset to | ||
| // the `heap_addr` instruction, so we need to fold the offset into the | ||
| // address itself. In doing so though we need to check for overflow | ||
| // because that would mean the address is out-of-bounds. |
There was a problem hiding this comment.
A comment here about why we decided not to expand heap_addr to take the u64 would help document our discussion :-)
|
@peterhuene oh I realize now I tagged you here without much context. Would you be ok reviewing the Wasmtime-specific pieces of this? If not no worries, I'm sure I can find another |
|
👍 I'll review it now. |
crates/runtime/src/memory.rs
Outdated
|
|
||
| /// Grow memory by the specified amount of wasm pages. | ||
| /// Grow memory to the specified amount of bytes. | ||
| /// | ||
| /// Returns `None` if memory can't be grown by the specified amount | ||
| /// of wasm pages. |
There was a problem hiding this comment.
I think this commit is now out of date as it's now taking a size rather than page delta?
crates/wasmtime/src/memory.rs
Outdated
| /// | ||
| /// Returns `None` if memory can't be grown by the specified amount | ||
| /// of wasm pages. | ||
| fn grow(&mut self, delta: u32) -> Option<u32>; | ||
| /// of wasm pages. Returns `Some` if memory was grown successfully. |
There was a problem hiding this comment.
Same comment as above re: mention of wasm pages.
|
Thanks @peterhuene! |
Accidentally forgotten from bytecodealliance#3153!
Accidentally forgotten from #3153!
* Implement the memory64 proposal in Wasmtime This commit implements the WebAssembly [memory64 proposal][proposal] in both Wasmtime and Cranelift. In terms of work done Cranelift ended up needing very little work here since most of it was already prepared for 64-bit memories at one point or another. Most of the work in Wasmtime is largely refactoring, changing a bunch of `u32` values to something else. A number of internal and public interfaces are changing as a result of this commit, for example: * Acessors on `wasmtime::Memory` that work with pages now all return `u64` unconditionally rather than `u32`. This makes it possible to accommodate 64-bit memories with this API, but we may also want to consider `usize` here at some point since the host can't grow past `usize`-limited pages anyway. * The `wasmtime::Limits` structure is removed in favor of minimum/maximum methods on table/memory types. * Many libcall intrinsics called by jit code now unconditionally take `u64` arguments instead of `u32`. Return values are `usize`, however, since the return value, if successful, is always bounded by host memory while arguments can come from any guest. * The `heap_addr` clif instruction now takes a 64-bit offset argument instead of a 32-bit one. It turns out that the legalization of `heap_addr` already worked with 64-bit offsets, so this change was fairly trivial to make. * The runtime implementation of mmap-based linear memories has changed to largely work in `usize` quantities in its API and in bytes instead of pages. This simplifies various aspects and reflects that mmap-memories are always bound by `usize` since that's what the host is using to address things, and additionally most calculations care about bytes rather than pages except for the very edge where we're going to/from wasm. Overall I've tried to minimize the amount of `as` casts as possible, using checked `try_from` and checked arithemtic with either error handling or explicit `unwrap()` calls to tell us about bugs in the future. Most locations have relatively obvious things to do with various implications on various hosts, and I think they should all be roughly of the right shape but time will tell. I mostly relied on the compiler complaining that various types weren't aligned to figure out type-casting, and I manually audited some of the more obvious locations. I suspect we have a number of hidden locations that will panic on 32-bit hosts if 64-bit modules try to run there, but otherwise I think we should be generally ok (famous last words). In any case I wouldn't want to enable this by default naturally until we've fuzzed it for some time. In terms of the actual underlying implementation, no one should expect memory64 to be all that fast. Right now it's implemented with "dynamic" heaps which have a few consequences: * All memory accesses are bounds-checked. I'm not sure how aggressively Cranelift tries to optimize out bounds checks, but I suspect not a ton since we haven't stressed this much historically. * Heaps are always precisely sized. This means that every call to `memory.grow` will incur a `memcpy` of memory from the old heap to the new. We probably want to at least look into `mremap` on Linux and otherwise try to implement schemes where dynamic heaps have some reserved pages to grow into to help amortize the cost of `memory.grow`. The memory64 spec test suite is scheduled to now run on CI, but as with all the other spec test suites it's really not all that comprehensive. I've tried adding more tests for basic things as I've had to implement guards for them, but I wouldn't really consider the testing adequate from just this PR itself. I did try to take care in one test to actually allocate a 4gb+ heap and then avoid running that in the pooling allocator or in emulation because otherwise that may fail or take excessively long. [proposal]: https://github.com/WebAssembly/memory64/blob/master/proposals/memory64/Overview.md * Fix some tests * More test fixes * Fix wasmtime tests * Fix doctests * Revert to 32-bit immediate offsets in `heap_addr` This commit updates the generation of addresses in wasm code to always use 32-bit offsets for `heap_addr`, and if the calculated offset is bigger than 32-bits we emit a manual add with an overflow check. * Disable memory64 for spectest fuzzing * Fix wrong offset being added to heap addr * More comments! * Clarify bytes/pages
Changes related to memory64 proposal implementation, for additional details see bytecodealliance/wasmtime#3153
* sc-executor-wasmtime: upgrade wasmtime to 0.30.0 Changes related to memory64 proposal implementation, for additional details see bytecodealliance/wasmtime#3153 * sc-executor-wasmtime: introduce parallel_compilation flag * typos
…codealliance/wasmtime#3153, in order to support 64-bit memory. This also fixes the definition of native functions wasmtime_memory_size and wasmtime_memory_grow, which previously incorrectly used a UInt32 instead of UInt64, and config functions taking a bool parameter, which were previously missing the MarshalAsAttribute (to marshal a Boolean as 1 byte instead of 4 bytes).
* Add support for enabling the Memory64 proposal, which was added to the Wasmtime C API with bytecodealliance/wasmtime#3182. Additionally, add tests to verify the new APIs added with #166 are able to access a memory beyond the 4 GiB area. * Follow-Up: Adjust the API to match the new C API introduced with bytecodealliance/wasmtime#3153, in order to support 64-bit memory. This also fixes the definition of native functions wasmtime_memory_size and wasmtime_memory_grow, which previously incorrectly used a UInt32 instead of UInt64, and config functions taking a bool parameter, which were previously missing the MarshalAsAttribute (to marshal a Boolean as 1 byte instead of 4 bytes). * Follow-Up: Validate the arguments. * Simplify. * Simplify.
This commit implements the table64 extention in both Wasmtime and Cranelift. Most of the work was changing a bunch of u32 values to u64/usize. The decisions were made in align with the PR bytecodealliance#3153 which implemented the memory64 propsal itself. One significant change was the introduction of `IndexType` and `Limits` which streamline and unify the handling of limits for both memories and tables. The spec and fuzzing tests related to table64 are re-enabled which provides a good coverage of the feature.
This commit implements the table64 extention in both Wasmtime and Cranelift. Most of the work was changing a bunch of u32 values to u64/usize. The decisions were made in align with the PR #3153 which implemented the memory64 propsal itself. One significant change was the introduction of `IndexType` and `Limits` which streamline and unify the handling of limits for both memories and tables. The spec and fuzzing tests related to table64 are re-enabled which provides a good coverage of the feature.
This commit implements the WebAssembly memory64 proposal in
both Wasmtime and Cranelift. In terms of work done Cranelift ended up
needing very little work here since most of it was already prepared for
64-bit memories at one point or another. Most of the work in Wasmtime is
largely refactoring, changing a bunch of
u32values to something else.A number of internal and public interfaces are changing as a result of
this commit, for example:
Acessors on
wasmtime::Memorythat work with pages now all returnu64unconditionally rather thanu32. This makes it possible toaccommodate 64-bit memories with this API, but we may also want to
consider
usizehere at some point since the host can't grow pastusize-limited pages anyway.The
wasmtime::Limitsstructure is removed in favor ofminimum/maximum methods on table/memory types.
Many libcall intrinsics called by jit code now unconditionally take
u64arguments instead ofu32. Return values areusize, however,since the return value, if successful, is always bounded by host
memory while arguments can come from any guest.
The
heap_addrclif instruction now takes a 64-bit offset argumentinstead of a 32-bit one. It turns out that the legalization of
heap_addralready worked with 64-bit offsets, so this change wasfairly trivial to make.
The runtime implementation of mmap-based linear memories has changed
to largely work in
usizequantities in its API and in bytes insteadof pages. This simplifies various aspects and reflects that
mmap-memories are always bound by
usizesince that's what the hostis using to address things, and additionally most calculations care
about bytes rather than pages except for the very edge where we're
going to/from wasm.
Overall I've tried to minimize the amount of
ascasts as possible,using checked
try_fromand checked arithemtic with either errorhandling or explicit
unwrap()calls to tell us about bugs in thefuture. Most locations have relatively obvious things to do with various
implications on various hosts, and I think they should all be roughly of
the right shape but time will tell. I mostly relied on the compiler
complaining that various types weren't aligned to figure out
type-casting, and I manually audited some of the more obvious locations.
I suspect we have a number of hidden locations that will panic on 32-bit
hosts if 64-bit modules try to run there, but otherwise I think we
should be generally ok (famous last words). In any case I wouldn't want
to enable this by default naturally until we've fuzzed it for some time.
In terms of the actual underlying implementation, no one should expect
memory64 to be all that fast. Right now it's implemented with
"dynamic" heaps which have a few consequences:
All memory accesses are bounds-checked. I'm not sure how aggressively
Cranelift tries to optimize out bounds checks, but I suspect not a ton
since we haven't stressed this much historically.
Heaps are always precisely sized. This means that every call to
memory.growwill incur amemcpyof memory from the old heap to thenew. We probably want to at least look into
mremapon Linux andotherwise try to implement schemes where dynamic heaps have some
reserved pages to grow into to help amortize the cost of
memory.grow.The memory64 spec test suite is scheduled to now run on CI, but as with
all the other spec test suites it's really not all that comprehensive.
I've tried adding more tests for basic things as I've had to implement
guards for them, but I wouldn't really consider the testing adequate
from just this PR itself. I did try to take care in one test to actually
allocate a 4gb+ heap and then avoid running that in the pooling
allocator or in emulation because otherwise that may fail or take
excessively long.