cranelift/tests/host_segfault.rs

// To handle out-of-bounds reads and writes we use segfaults right now. We only
// want to catch a subset of segfaults, however, rather than all segfaults
// happening everywhere. The purpose of this test is to ensure that we *don't*
// catch segfaults if it happens in a random place in the code, but we instead
// bail out of our segfault handler early.
//
// This is sort of hard to test for but the general idea here is that we confirm
// that execution made it to our `segfault` function by printing something, and
// then we also make sure that stderr is empty to confirm that no weird panics
// happened or anything like that.

use std::env;
use std::process::{Command, ExitStatus};
use wasmtime::*;

const VAR_NAME: &str = "__TEST_TO_RUN";
const CONFIRM: &str = "well at least we ran up to the segfault\n";

fn segfault() -> ! {
    unsafe {
        print!("{}", CONFIRM);
        *(0x4 as *mut i32) = 3;
        unreachable!()
    }
}

fn overrun_the_stack() -> usize {
    let mut a = [0u8; 1024];
    if a.as_mut_ptr() as usize == 1 {
        return 1;
    } else {
        return a.as_mut_ptr() as usize + overrun_the_stack();
    }
}

fn main() {
    // Skip this tests if it looks like we're in a cross-compiled situation and
    // we're emulating this test for a different platform. In that scenario
    // emulators (like QEMU) tend to not report signals the same way and such.
    if std::env::vars()
        .filter(|(k, _v)| k.starts_with("CARGO_TARGET") && k.ends_with("RUNNER"))
        .count()
        > 0
    {
        return;
    }

    let tests: &[(&str, fn())] = &[
        ("normal segfault", || segfault()),
        ("make instance then segfault", || {
            let store = Store::default();
            let module = Module::new(&store, "(module)").unwrap();
            let _instance = Instance::new(&module, &[]).unwrap();
            segfault();
        }),
        ("make instance then overrun the stack", || {
            let store = Store::default();
            let module = Module::new(&store, "(module)").unwrap();
            let _instance = Instance::new(&module, &[]).unwrap();
            println!("stack overrun: {}", overrun_the_stack());
        }),
        ("segfault in a host function", || {
            let store = Store::default();
            let module = Module::new(&store, r#"(import "" "" (func)) (start 0)"#).unwrap();
            let segfault = Func::wrap(&store, || segfault());
            Instance::new(&module, &[segfault.into()]).unwrap();
        }),
    ];
    match env::var(VAR_NAME) {
        Ok(s) => {
            let test = tests
                .iter()
                .find(|p| p.0 == s)
                .expect("failed to find test")
                .1;
            test();
        }
        Err(_) => {
            for (name, _test) in tests {
                runtest(name);
            }
        }
    }
}

fn runtest(name: &str) {
    let me = env::current_exe().unwrap();
    let mut cmd = Command::new(me);
    cmd.env(VAR_NAME, name);
    let output = cmd.output().expect("failed to spawn subprocess");
    let stdout = String::from_utf8_lossy(&output.stdout);
    let stderr = String::from_utf8_lossy(&output.stderr);
    let mut desc = format!("got status: {}", output.status);
    if !stdout.trim().is_empty() {
        desc.push_str("\nstdout: ----\n");
        desc.push_str("    ");
        desc.push_str(&stdout.replace("\n", "\n    "));
    }
    if !stderr.trim().is_empty() {
        desc.push_str("\nstderr: ----\n");
        desc.push_str("    ");
        desc.push_str(&stderr.replace("\n", "\n    "));
    }
    if is_segfault(&output.status) {
        assert!(
            stdout.ends_with(CONFIRM) && stderr.is_empty(),
            "failed to find confirmation in test `{}`\n{}",
            name,
            desc
        );
    } else if name.contains("overrun the stack") {
        assert!(
            stderr.contains("thread 'main' has overflowed its stack"),
            "bad stderr: {}",
            stderr
        );
    } else {
        panic!("\n\nexpected a segfault on `{}`\n{}\n\n", name, desc);
    }
}

#[cfg(unix)]
fn is_segfault(status: &ExitStatus) -> bool {
    use std::os::unix::prelude::*;

    match status.signal() {
        Some(libc::SIGSEGV) | Some(libc::SIGBUS) => true,
        _ => false,
    }
}

#[cfg(windows)]
fn is_segfault(status: &ExitStatus) -> bool {
    match status.code().map(|s| s as u32) {
        Some(0xc0000005) => true,
        _ => false,
    }
}
Add a test that segfault handlers ignore non-wasm segfaults (#941) This is the subject of #940 which while fixed is good to have a regression test for! 5 years ago			`// To handle out-of-bounds reads and writes we use segfaults right now. We only`
			`// want to catch a subset of segfaults, however, rather than all segfaults`
			`// happening everywhere. The purpose of this test is to ensure that we don't`
			`// catch segfaults if it happens in a random place in the code, but we instead`
			`// bail out of our segfault handler early.`
			`//`
			`// This is sort of hard to test for but the general idea here is that we confirm`
			// that execution made it to our `segfault` function by printing something, and
			`// then we also make sure that stderr is empty to confirm that no weird panics`
			`// happened or anything like that.`

			`use std::env;`
			`use std::process::{Command, ExitStatus};`
			`use wasmtime::*;`

			`const VAR_NAME: &str = "__TEST_TO_RUN";`
			`const CONFIRM: &str = "well at least we ran up to the segfault\n";`

			`fn segfault() -> ! {`
			`unsafe {`
			`print!("{}", CONFIRM);`
			`(0x4 as mut i32) = 3;`
			`unreachable!()`
			`}`
			`}`

Implement interrupting wasm code, reimplement stack overflow (#1490) * Implement interrupting wasm code, reimplement stack overflow This commit is a relatively large change for wasmtime with two main goals: * Primarily this enables interrupting executing wasm code with a trap, preventing infinite loops in wasm code. Note that resumption of the wasm code is not a goal of this commit. * Additionally this commit reimplements how we handle stack overflow to ensure that host functions always have a reasonable amount of stack to run on. This fixes an issue where we might longjmp out of a host function, skipping destructors. Lots of various odds and ends end up falling out in this commit once the two goals above were implemented. The strategy for implementing this was also lifted from Spidermonkey and existing functionality inside of Cranelift. I've tried to write up thorough documentation of how this all works in `crates/environ/src/cranelift.rs` where gnarly-ish bits are. A brief summary of how this works is that each function and each loop header now checks to see if they're interrupted. Interrupts and the stack overflow check are actually folded into one now, where function headers check to see if they've run out of stack and the sentinel value used to indicate an interrupt, checked in loop headers, tricks functions into thinking they're out of stack. An interrupt is basically just writing a value to a location which is read by JIT code. When interrupts are delivered and what triggers them has been left up to embedders of the `wasmtime` crate. The `wasmtime::Store` type has a method to acquire an `InterruptHandle`, where `InterruptHandle` is a `Send` and `Sync` type which can travel to other threads (or perhaps even a signal handler) to get notified from. It's intended that this provides a good degree of flexibility when interrupting wasm code. Note though that this does have a large caveat where interrupts don't work when you're interrupting host code, so if you've got a host import blocking for a long time an interrupt won't actually be received until the wasm starts running again. Some fallout included from this change is: * Unix signal handlers are no longer registered with `SA_ONSTACK`. Instead they run on the native stack the thread was already using. This is possible since stack overflow isn't handled by hitting the guard page, but rather it's explicitly checked for in wasm now. Native stack overflow will continue to abort the process as usual. * Unix sigaltstack management is now no longer necessary since we don't use it any more. * Windows no longer has any need to reset guard pages since we no longer try to recover from faults on guard pages. * On all targets probestack intrinsics are disabled since we use a different mechanism for catching stack overflow. * The C API has been updated with interrupts handles. An example has also been added which shows off how to interrupt a module. Closes #139 Closes #860 Closes #900 * Update comment about magical interrupt value * Store stack limit as a global value, not a closure * Run rustfmt * Handle review comments * Add a comment about SA_ONSTACK * Use `usize` for type of `INTERRUPTED` * Parse human-readable durations * Bring back sigaltstack handling Allows libstd to print out stack overflow on failure still. * Add parsing and emission of stack limit-via-preamble * Fix new example for new apis * Fix host segfault test in release mode * Fix new doc example 5 years ago			`fn overrun_the_stack() -> usize {`
			`let mut a = [0u8; 1024];`
			`if a.as_mut_ptr() as usize == 1 {`
			`return 1;`
			`} else {`
			`return a.as_mut_ptr() as usize + overrun_the_stack();`
			`}`
			`}`

Add a test that segfault handlers ignore non-wasm segfaults (#941) This is the subject of #940 which while fixed is good to have a regression test for! 5 years ago			`fn main() {`
Add AArch64 tests to CI (#1526) * Add AArch64 tests to CI This commit enhances our CI with an AArch64 builder. Currently we have no physical hardware to run on so for now we run all tests in an emulator. The AArch64 build is cross-compiled from x86_64 from Linux. Tests all happen in release mode with a recent version of QEMU (recent version because it's so much faster, and in release mode because debug mode tests take quite a long time in an emulator). The goal here was not to get all tests passing on CI, but rather to get AArch64 running on CI and get it green at the same time. To achieve that goal many tests are now ignored on aarch64 platforms. Many tests fail due to unimplemented functionality in the aarch64 backend (#1521), and all wasmtime tests involving compilation are also disabled due to panicking attempting to generate generate instruction offset information for trap symbolication (#1523). Despite this, though, all Cranelift tests and other wasmtime tests should be runnin on AArch64 through QEMU with this PR. Additionally we'll have an AArch64 binary release of Wasmtime for Linux, although it won't be too useful just yet since it will panic on almost all wasm modules. * Review comments 5 years ago			`// Skip this tests if it looks like we're in a cross-compiled situation and`
			`// we're emulating this test for a different platform. In that scenario`
			`// emulators (like QEMU) tend to not report signals the same way and such.`
			`if std::env::vars()`
			`.filter(\|(k, _v)\| k.starts_with("CARGO_TARGET") && k.ends_with("RUNNER"))`
			`.count()`
			`> 0`
			`{`
			`return;`
			`}`

Add a test that segfault handlers ignore non-wasm segfaults (#941) This is the subject of #940 which while fixed is good to have a regression test for! 5 years ago			`let tests: &[(&str, fn())] = &[`
			`("normal segfault", \|\| segfault()),`
			`("make instance then segfault", \|\| {`
			`let store = Store::default();`
			`let module = Module::new(&store, "(module)").unwrap();`
			`let _instance = Instance::new(&module, &[]).unwrap();`
			`segfault();`
			`}),`
Implement interrupting wasm code, reimplement stack overflow (#1490) * Implement interrupting wasm code, reimplement stack overflow This commit is a relatively large change for wasmtime with two main goals: * Primarily this enables interrupting executing wasm code with a trap, preventing infinite loops in wasm code. Note that resumption of the wasm code is not a goal of this commit. * Additionally this commit reimplements how we handle stack overflow to ensure that host functions always have a reasonable amount of stack to run on. This fixes an issue where we might longjmp out of a host function, skipping destructors. Lots of various odds and ends end up falling out in this commit once the two goals above were implemented. The strategy for implementing this was also lifted from Spidermonkey and existing functionality inside of Cranelift. I've tried to write up thorough documentation of how this all works in `crates/environ/src/cranelift.rs` where gnarly-ish bits are. A brief summary of how this works is that each function and each loop header now checks to see if they're interrupted. Interrupts and the stack overflow check are actually folded into one now, where function headers check to see if they've run out of stack and the sentinel value used to indicate an interrupt, checked in loop headers, tricks functions into thinking they're out of stack. An interrupt is basically just writing a value to a location which is read by JIT code. When interrupts are delivered and what triggers them has been left up to embedders of the `wasmtime` crate. The `wasmtime::Store` type has a method to acquire an `InterruptHandle`, where `InterruptHandle` is a `Send` and `Sync` type which can travel to other threads (or perhaps even a signal handler) to get notified from. It's intended that this provides a good degree of flexibility when interrupting wasm code. Note though that this does have a large caveat where interrupts don't work when you're interrupting host code, so if you've got a host import blocking for a long time an interrupt won't actually be received until the wasm starts running again. Some fallout included from this change is: * Unix signal handlers are no longer registered with `SA_ONSTACK`. Instead they run on the native stack the thread was already using. This is possible since stack overflow isn't handled by hitting the guard page, but rather it's explicitly checked for in wasm now. Native stack overflow will continue to abort the process as usual. * Unix sigaltstack management is now no longer necessary since we don't use it any more. * Windows no longer has any need to reset guard pages since we no longer try to recover from faults on guard pages. * On all targets probestack intrinsics are disabled since we use a different mechanism for catching stack overflow. * The C API has been updated with interrupts handles. An example has also been added which shows off how to interrupt a module. Closes #139 Closes #860 Closes #900 * Update comment about magical interrupt value * Store stack limit as a global value, not a closure * Run rustfmt * Handle review comments * Add a comment about SA_ONSTACK * Use `usize` for type of `INTERRUPTED` * Parse human-readable durations * Bring back sigaltstack handling Allows libstd to print out stack overflow on failure still. * Add parsing and emission of stack limit-via-preamble * Fix new example for new apis * Fix host segfault test in release mode * Fix new doc example 5 years ago			`("make instance then overrun the stack", \|\| {`
			`let store = Store::default();`
			`let module = Module::new(&store, "(module)").unwrap();`
			`let _instance = Instance::new(&module, &[]).unwrap();`
			`println!("stack overrun: {}", overrun_the_stack());`
			`}),`
Don't try to handle non-wasmtime segfaults (#1577) This commit fixes an issue in Wasmtime where Wasmtime would accidentally "handle" non-wasm segfaults while executing host imports of wasm modules. If a host import segfaulted then Wasmtime would recognize that wasm code is on the stack, so it'd longjmp out of the wasm code. This papers over real bugs though in host code and erroneously classified segfaults as wasm traps. The fix here was to add a check to our wasm signal handler for if the faulting address falls in JIT code itself. Actually threading through all the right information for that check to happen is a bit tricky, though, so this involved some refactoring: * A closure parameter to `catch_traps` was added. This closure is responsible for classifying addresses as whether or not they fall in JIT code. Anything returning `false` means that the trap won't get handled and we'll forward to the next signal handler. * To avoid passing tons of context all over the place, the start function is now no longer automatically invoked by `InstanceHandle`. This avoids the need for passing all sorts of trap-handling contextual information like the maximum stack size and "is this a jit address" closure. Instead creators of `InstanceHandle` (like wasmtime) are now responsible for invoking the start function. * To avoid excessive use of `transmute` with lifetimes since the traphandler state now has a lifetime the per-instance custom signal handler is now replaced with a per-store custom signal handler. I'm not entirely certain the purpose of the custom signal handler, though, so I'd look for feedback on this part. A new test has been added which ensures that if a host function segfaults we don't accidentally try to handle it, and instead we correctly report the segfault. 5 years ago			`("segfault in a host function", \|\| {`
			`let store = Store::default();`
			`let module = Module::new(&store, r#"(import "" "" (func)) (start 0)"#).unwrap();`
			`let segfault = Func::wrap(&store, \|\| segfault());`
			`Instance::new(&module, &[segfault.into()]).unwrap();`
			`}),`
Add a test that segfault handlers ignore non-wasm segfaults (#941) This is the subject of #940 which while fixed is good to have a regression test for! 5 years ago			`];`
			`match env::var(VAR_NAME) {`
			`Ok(s) => {`
			`let test = tests`
			`.iter()`
			`.find(\|p\| p.0 == s)`
			`.expect("failed to find test")`
			`.1;`
			`test();`
			`}`
			`Err(_) => {`
			`for (name, _test) in tests {`
			`runtest(name);`
			`}`
			`}`
			`}`
			`}`

			`fn runtest(name: &str) {`
			`let me = env::current_exe().unwrap();`
			`let mut cmd = Command::new(me);`
			`cmd.env(VAR_NAME, name);`
			`let output = cmd.output().expect("failed to spawn subprocess");`
			`let stdout = String::from_utf8_lossy(&output.stdout);`
			`let stderr = String::from_utf8_lossy(&output.stderr);`
			`let mut desc = format!("got status: {}", output.status);`
			`if !stdout.trim().is_empty() {`
			`desc.push_str("\nstdout: ----\n");`
			`desc.push_str(" ");`
			`desc.push_str(&stdout.replace("\n", "\n "));`
			`}`
			`if !stderr.trim().is_empty() {`
			`desc.push_str("\nstderr: ----\n");`
			`desc.push_str(" ");`
			`desc.push_str(&stderr.replace("\n", "\n "));`
			`}`
			`if is_segfault(&output.status) {`
			`assert!(`
			`stdout.ends_with(CONFIRM) && stderr.is_empty(),`
			"failed to find confirmation in test `{}`\n{}",
			`name,`
			`desc`
			`);`
Implement interrupting wasm code, reimplement stack overflow (#1490) * Implement interrupting wasm code, reimplement stack overflow This commit is a relatively large change for wasmtime with two main goals: * Primarily this enables interrupting executing wasm code with a trap, preventing infinite loops in wasm code. Note that resumption of the wasm code is not a goal of this commit. * Additionally this commit reimplements how we handle stack overflow to ensure that host functions always have a reasonable amount of stack to run on. This fixes an issue where we might longjmp out of a host function, skipping destructors. Lots of various odds and ends end up falling out in this commit once the two goals above were implemented. The strategy for implementing this was also lifted from Spidermonkey and existing functionality inside of Cranelift. I've tried to write up thorough documentation of how this all works in `crates/environ/src/cranelift.rs` where gnarly-ish bits are. A brief summary of how this works is that each function and each loop header now checks to see if they're interrupted. Interrupts and the stack overflow check are actually folded into one now, where function headers check to see if they've run out of stack and the sentinel value used to indicate an interrupt, checked in loop headers, tricks functions into thinking they're out of stack. An interrupt is basically just writing a value to a location which is read by JIT code. When interrupts are delivered and what triggers them has been left up to embedders of the `wasmtime` crate. The `wasmtime::Store` type has a method to acquire an `InterruptHandle`, where `InterruptHandle` is a `Send` and `Sync` type which can travel to other threads (or perhaps even a signal handler) to get notified from. It's intended that this provides a good degree of flexibility when interrupting wasm code. Note though that this does have a large caveat where interrupts don't work when you're interrupting host code, so if you've got a host import blocking for a long time an interrupt won't actually be received until the wasm starts running again. Some fallout included from this change is: * Unix signal handlers are no longer registered with `SA_ONSTACK`. Instead they run on the native stack the thread was already using. This is possible since stack overflow isn't handled by hitting the guard page, but rather it's explicitly checked for in wasm now. Native stack overflow will continue to abort the process as usual. * Unix sigaltstack management is now no longer necessary since we don't use it any more. * Windows no longer has any need to reset guard pages since we no longer try to recover from faults on guard pages. * On all targets probestack intrinsics are disabled since we use a different mechanism for catching stack overflow. * The C API has been updated with interrupts handles. An example has also been added which shows off how to interrupt a module. Closes #139 Closes #860 Closes #900 * Update comment about magical interrupt value * Store stack limit as a global value, not a closure * Run rustfmt * Handle review comments * Add a comment about SA_ONSTACK * Use `usize` for type of `INTERRUPTED` * Parse human-readable durations * Bring back sigaltstack handling Allows libstd to print out stack overflow on failure still. * Add parsing and emission of stack limit-via-preamble * Fix new example for new apis * Fix host segfault test in release mode * Fix new doc example 5 years ago			`} else if name.contains("overrun the stack") {`
			`assert!(`
			`stderr.contains("thread 'main' has overflowed its stack"),`
			`"bad stderr: {}",`
			`stderr`
			`);`
Add a test that segfault handlers ignore non-wasm segfaults (#941) This is the subject of #940 which while fixed is good to have a regression test for! 5 years ago			`} else {`
			panic!("\n\nexpected a segfault on `{}`\n{}\n\n", name, desc);
			`}`
			`}`

			`#[cfg(unix)]`
			`fn is_segfault(status: &ExitStatus) -> bool {`
			`use std::os::unix::prelude::*;`

			`match status.signal() {`
			`Some(libc::SIGSEGV) \| Some(libc::SIGBUS) => true,`
			`_ => false,`
			`}`
			`}`

			`#[cfg(windows)]`
			`fn is_segfault(status: &ExitStatus) -> bool {`
			`match status.code().map(\|s\| s as u32) {`
			`Some(0xc0000005) => true,`
			`_ => false,`
			`}`
			`}`