Cap hard memory limit at 4GB

[gumb0]

No description provided.

[codecov]

Codecov Report

Merging #748 (207741f) into master (0b41654) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##           master     #748   +/-   ##
=======================================
  Coverage   99.26%   99.26%           
=======================================
  Files          74       74           
  Lines       11448    11462   +14     
=======================================
+ Hits        11364    11378   +14     
  Misses         84       84           

Flag	Coverage Δ
rust	99.86% <ø> (ø)
spectests	90.55% <50.00%> (-0.11%)	⬇️
unittests	99.22% <100.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
lib/fizzy/instantiate.cpp	100.00% <100.00%> (ø)
lib/fizzy/parser.cpp	100.00% <100.00%> (ø)
test/unittests/execute_test.cpp	100.00% <100.00%> (ø)
test/unittests/instantiate_test.cpp	100.00% <100.00%> (ø)
tools/wasi/wasi.cpp	57.30% <100.00%> (ø)

[chfast]

The "Rename MemoryPagesValidationLimit -> MemoryPagesMaxLimit" commit should go first.

[chfast]

I'm still considering using 0xffffffff limit value for "unlimited". Not sure this change helps. Maybe it is better to report hard limit in parser?

[gumb0]

I'm still considering using 0xffffffff limit value for "unlimited".

What would it mean? Given that spec limits it at 4GB.

Not sure this change helps.

It helps to simplify memory.grow (otherwise you would need to check both instantiate hard limit and spec hard limit there).

Maybe it is better to report hard limit in parser?

What does this mean, pass it to parser instead of instantiate?

[chfast]

What would it mean? Given that spec limits it at 4GB.

Using 0xffffffff for the case where max value is omitted in limits.

What does this mean, pass it to parser instead of instantiate?

Make modules with max higher than 4GB invalid.

[gumb0]

What would it mean? Given that spec limits it at 4GB.

Using 0xffffffff for the case where max value is omitted in limits.

This doesn't seem related, it's about replacing optional in Limits with magic value, isn't it?

What does this mean, pass it to parser instead of instantiate?

Make modules with max higher than 4GB invalid.

They are already invalid of course

fizzy/lib/fizzy/parser.cpp

Lines 260 to 262 in 56ffca7

	if ((limits.min > MemoryPagesValidationLimit) ||
	(limits.max.has_value() && *limits.max > MemoryPagesValidationLimit))
	throw validation_error{"maximum memory page limit exceeded"};

But modules with min/max higher than Fizzy's hard limit are not invalid, because we pass this limit to instantiate only.
(I think it's more spec-compliant to consider them valid, and fail only when allocation would go over the Fizzy's limit)

[axic]

Sorry for being late to the party. I think we should make the "max" and the "default" variable following the same scheme, either MemoryPagesMaxLimit/MemoryPagesDefaultLimit, or MaxMemoryPagesLimit/DefaultMemoryPagesLimit.

@chfast @gumb0 what do you think?

[gumb0]

Sounds good, I would change to MaxMemoryPagesLimit/DefaultMemoryPagesLimit.

[chfast]

Fine to me too.

[axic]

@gumb0 Is this now properly covered by spectests or you are planning to submit some cases?

[gumb0]

It's not covered and can't be, as "hard memory limit" is not defined in any precise way in the spec, it's just an internal limit which can be arbitrary set by implementations.

[chfast]

It is not easy to find, but you can get this information from codecov. You need to go to single commit view -> Files, and then only select "spectests" flag.

https://codecov.io/gh/wasmx/fizzy/src/7d7bbfce98e8fca2927e539807beb8ffb4e8bac4/lib/fizzy/instantiate.cpp

[axic]

It is not easy to find, but you can get this information from codecov.

I know, I went through that and listed the 10% missing cases in the chat last week. But that is only reflected if we upgrade out spectest branch, and we haven't done that in this PR :)

[axic]

What is the goal here? According to the other test, 65536 total is acceptable. Why don't we add something like instantiate with 0 and enlarge to 65536.

[gumb0]

What is the goal here?

To test the check at high values of hard limit.

According to the other test, 65536 total is acceptable. Why don't we add something like instantiate with 0 and enlarge to 65536.

It would allocate 4GB, but I think we want to keep unit tests light-weight.
(there is a spec test that does this)

[axic]

Well perhaps leave a comment then here that we should test for increasing by 65535 but don't want to spend too much time in unittests (to allocate 4gb) as spectests covers it.

[gumb0]

Actually I checked and there're no spec tests that allocate 4GB, only one that sets the upper limit to 4GB (but doesn't allocate anything).

[axic]

It is hard to test for it when VMs are allowed to return an error.

[gumb0]

Added a comment here.

[axic]

I'm fine with this, though not 100% convinced our test cases are the best.