Raise unsafe_op_in_unsafe_fn further in Wasmtime (#11322)

* Raise `unsafe_op_in_unsafe_fn` further in Wasmtime

Now it's at `wasmtime::runtime`, not just `wasmtime::runtime::vm`.

* Review comments

Author: alexcrichton

crates/wasmtime/src/runtime.rs

@@ -25,6 +25,10 @@
 // explanation of why truncation shouldn't be happening at runtime. This
 // situation should be pretty rare though.
 #![warn(clippy::cast_possible_truncation)]
+#![warn(
+    unsafe_op_in_unsafe_fn,
+    reason = "opt-in until the crate opts-in as a whole -- #11180"
+)]
 
 #[macro_use]
 pub(crate) mod func;

crates/wasmtime/src/runtime/code_memory.rs

@@ -394,12 +394,14 @@ impl CodeMemory {
         {
             let text = self.text();
             let unwind_info = &self.mmap[self.unwind.clone()];
-            let registration = crate::runtime::vm::UnwindRegistration::new(
-                text.as_ptr(),
-                unwind_info.as_ptr(),
-                unwind_info.len(),
-            )
-            .context("failed to create unwind info registration")?;
+            let registration = unsafe {
+                crate::runtime::vm::UnwindRegistration::new(
+                    text.as_ptr(),
+                    unwind_info.as_ptr(),
+                    unwind_info.len(),
+                )
+                .context("failed to create unwind info registration")?
+            };
             self.unwind_registration = Some(registration);
             return Ok(());
         }

crates/wasmtime/src/runtime/component/component.rs

@@ -223,7 +223,9 @@ impl Component {
     /// lives for as long as the module and is nevery externally modified for
     /// the lifetime of the deserialized module.
     pub unsafe fn deserialize_raw(engine: &Engine, memory: NonNull<[u8]>) -> Result<Component> {
-        let code = engine.load_code_raw(memory, ObjectKind::Component)?;
+        // SAFETY: the contract required by `load_code_raw` is the same as this
+        // function.
+        let code = unsafe { engine.load_code_raw(memory, ObjectKind::Component)? };
         Component::from_parts(engine, code, None)
     }
 

crates/wasmtime/src/runtime/component/concurrent.rs

@@ -1,5 +1,3 @@
-#![deny(unsafe_op_in_unsafe_fn)]
-
 //! Runtime support for the Component Model Async ABI.
 //!
 //! This module and its submodules provide host runtime support for Component

crates/wasmtime/src/runtime/component/func/host.rs

@@ -255,19 +255,21 @@ where
     Params: Lift,
     Return: Lower + 'static,
 {
-    let options = Options::new(
-        store.0.store_opaque().id(),
-        NonNull::new(memory),
-        NonNull::new(realloc),
-        string_encoding,
-        async_,
-        None,
-    );
+    let options = unsafe {
+        Options::new(
+            store.0.store_opaque().id(),
+            NonNull::new(memory),
+            NonNull::new(realloc),
+            string_encoding,
+            async_,
+            None,
+        )
+    };
 
     // Perform a dynamic check that this instance can indeed be left. Exiting
     // the component is disallowed, for example, when the `realloc` function
     // calls a canonical import.
-    if !flags.may_leave() {
+    if unsafe { !flags.may_leave() } {
         bail!("cannot leave component instance");
     }
 
@@ -279,7 +281,7 @@ where
     if async_ {
         #[cfg(feature = "component-model-async")]
         {
-            let mut storage = Storage::<'_, Params, u32>::new_async::<Return>(storage);
+            let mut storage = unsafe { Storage::<'_, Params, u32>::new_async::<Return>(storage) };
 
             // Lift the parameters, either from flat storage or from linear
             // memory.
@@ -309,10 +311,14 @@ where
             let mut lower_result = {
                 let types = types.clone();
                 move |store: StoreContextMut<T>, instance: Instance, ret: Return| {
-                    flags.set_may_leave(false);
+                    unsafe {
+                        flags.set_may_leave(false);
+                    }
                     let mut lower = LowerContext::new(store, &options, &types, instance);
                     ret.linear_lower_to_memory(&mut lower, result_tys, retptr)?;
-                    flags.set_may_leave(true);
+                    unsafe {
+                        flags.set_may_leave(true);
+                    }
                     lower.exit_call()?;
                     Ok(())
                 }
@@ -349,7 +355,7 @@ where
             );
         }
     } else {
-        let mut storage = Storage::<'_, Params, Return>::new_sync(storage);
+        let mut storage = unsafe { Storage::<'_, Params, Return>::new_sync(storage) };
         let mut lift = LiftContext::new(store.0.store_opaque_mut(), &options, instance);
         lift.enter_call();
         let params = storage.lift_params(&mut lift, param_tys)?;
@@ -362,10 +368,14 @@ where
             }
         };
 
-        flags.set_may_leave(false);
+        unsafe {
+            flags.set_may_leave(false);
+        }
         let mut lower = LowerContext::new(store, &options, &types, instance);
         storage.lower_results(&mut lower, result_tys, ret)?;
-        flags.set_may_leave(true);
+        unsafe {
+            flags.set_may_leave(true);
+        }
         lower.exit_call()?;
     }
 
@@ -691,17 +701,19 @@ unsafe fn call_host_and_handle_result<T>(
 where
     T: 'static,
 {
-    let cx = VMComponentContext::from_opaque(cx);
-    ComponentInstance::from_vmctx(cx, |store, instance| {
-        let mut store = store.unchecked_context_mut();
-
-        crate::runtime::vm::catch_unwind_and_record_trap(|| {
-            store.0.call_hook(CallHook::CallingHost)?;
-            let res = func(store.as_context_mut(), instance);
-            store.0.call_hook(CallHook::ReturningFromHost)?;
-            res
+    let cx = unsafe { VMComponentContext::from_opaque(cx) };
+    unsafe {
+        ComponentInstance::from_vmctx(cx, |store, instance| {
+            let mut store = store.unchecked_context_mut();
+
+            crate::runtime::vm::catch_unwind_and_record_trap(|| {
+                store.0.call_hook(CallHook::CallingHost)?;
+                let res = func(store.as_context_mut(), instance);
+                store.0.call_hook(CallHook::ReturningFromHost)?;
+                res
+            })
         })
-    })
+    }
 }
 
 unsafe fn call_host_dynamic<T, F>(
@@ -729,19 +741,21 @@ where
         + 'static,
     T: 'static,
 {
-    let options = Options::new(
-        store.0.store_opaque().id(),
-        NonNull::new(memory),
-        NonNull::new(realloc),
-        string_encoding,
-        async_,
-        None,
-    );
+    let options = unsafe {
+        Options::new(
+            store.0.store_opaque().id(),
+            NonNull::new(memory),
+            NonNull::new(realloc),
+            string_encoding,
+            async_,
+            None,
+        )
+    };
 
     // Perform a dynamic check that this instance can indeed be left. Exiting
     // the component is disallowed, for example, when the `realloc` function
     // calls a canonical import.
-    if !flags.may_leave() {
+    if unsafe { !flags.may_leave() } {
         bail!("cannot leave component instance");
     }
 
@@ -759,14 +773,16 @@ where
         MAX_FLAT_PARAMS
     };
 
-    let ret_index = dynamic_params_load(
-        &mut lift,
-        &types,
-        storage,
-        param_tys,
-        &mut params_and_results,
-        max_flat,
-    )?;
+    let ret_index = unsafe {
+        dynamic_params_load(
+            &mut lift,
+            &types,
+            storage,
+            param_tys,
+            &mut params_and_results,
+            max_flat,
+        )?
+    };
     let result_start = params_and_results.len();
     for _ in 0..result_tys.types.len() {
         params_and_results.push(Val::Bool(false));
@@ -778,7 +794,7 @@ where
             let retptr = if result_tys.types.len() == 0 {
                 0
             } else {
-                let retptr = storage[ret_index].assume_init();
+                let retptr = unsafe { storage[ret_index].assume_init() };
                 let mut lower =
                     LowerContext::new(store.as_context_mut(), &options, &types, instance);
                 validate_inbounds_dynamic(&result_tys.abi, lower.as_slice_mut(), &retptr)?
@@ -799,7 +815,9 @@ where
                     let result_vals = &result_vals[result_start..];
                     assert_eq!(result_vals.len(), result_tys.types.len());
 
-                    flags.set_may_leave(false);
+                    unsafe {
+                        flags.set_may_leave(false);
+                    }
 
                     let mut lower = LowerContext::new(store, &options, &types, instance);
                     let mut ptr = retptr;
@@ -808,7 +826,9 @@ where
                         val.store(&mut lower, *ty, offset)?;
                     }
 
-                    flags.set_may_leave(true);
+                    unsafe {
+                        flags.set_may_leave(true);
+                    }
 
                     lower.exit_call()?;
 
@@ -842,7 +862,9 @@ where
             instance.poll_and_block(store.0.traitobj_mut(), future, caller_instance)?;
         let result_vals = &result_vals[result_start..];
 
-        flags.set_may_leave(false);
+        unsafe {
+            flags.set_may_leave(false);
+        }
 
         let mut cx = LowerContext::new(store, &options, &types, instance);
         if let Some(cnt) = result_tys.abi.flat_count(MAX_FLAT_RESULTS) {
@@ -852,15 +874,17 @@ where
             }
             assert!(dst.next().is_none());
         } else {
-            let ret_ptr = storage[ret_index].assume_init_ref();
+            let ret_ptr = unsafe { storage[ret_index].assume_init_ref() };
             let mut ptr = validate_inbounds_dynamic(&result_tys.abi, cx.as_slice_mut(), ret_ptr)?;
             for (val, ty) in result_vals.iter().zip(result_tys.types.iter()) {
                 let offset = types.canonical_abi(ty).next_field32_size(&mut ptr);
                 val.store(&mut cx, *ty, offset)?;
             }
         }
 
-        flags.set_may_leave(true);
+        unsafe {
+            flags.set_may_leave(true);
+        }
 
         cx.exit_call()?;
     }

crates/wasmtime/src/runtime/component/func/typed.rs

@@ -2404,8 +2404,8 @@ pub unsafe fn lower_payload<P, T>(
     let typed = typed_payload(payload);
     lower(typed)?;
 
-    let typed_len = storage_as_slice(typed).len();
-    let payload = storage_as_slice_mut(payload);
+    let typed_len = unsafe { storage_as_slice(typed).len() };
+    let payload = unsafe { storage_as_slice_mut(payload) };
     for slot in payload[typed_len..].iter_mut() {
         slot.write(ValRaw::u64(0));
     }

crates/wasmtime/src/runtime/component/storage.rs

@@ -12,20 +12,24 @@ fn assert_raw_slice_compat<T>() {
 pub unsafe fn storage_as_slice<T>(storage: &T) -> &[ValRaw] {
     assert_raw_slice_compat::<T>();
 
-    slice::from_raw_parts(
-        (storage as *const T).cast(),
-        mem::size_of_val(storage) / mem::size_of::<ValRaw>(),
-    )
+    unsafe {
+        slice::from_raw_parts(
+            (storage as *const T).cast(),
+            mem::size_of_val(storage) / mem::size_of::<ValRaw>(),
+        )
+    }
 }
 
 /// Same as `storage_as_slice`, but mutable.
 pub unsafe fn storage_as_slice_mut<T>(storage: &mut MaybeUninit<T>) -> &mut [MaybeUninit<ValRaw>] {
     assert_raw_slice_compat::<T>();
 
-    slice::from_raw_parts_mut(
-        (storage as *mut MaybeUninit<T>).cast(),
-        mem::size_of_val(storage) / mem::size_of::<ValRaw>(),
-    )
+    unsafe {
+        slice::from_raw_parts_mut(
+            (storage as *mut MaybeUninit<T>).cast(),
+            mem::size_of_val(storage) / mem::size_of::<ValRaw>(),
+        )
+    }
 }
 
 /// Same as `storage_as_slice`, but in reverse and mutable.
@@ -44,7 +48,7 @@ pub unsafe fn slice_to_storage_mut<T>(slice: &mut [MaybeUninit<ValRaw>]) -> &mut
         mem::size_of_val(slice)
     );
 
-    &mut *slice.as_mut_ptr().cast()
+    unsafe { &mut *slice.as_mut_ptr().cast() }
 }
 
 /// Same as `storage_as_slice`, but in reverse
@@ -61,5 +65,5 @@ pub unsafe fn slice_to_storage<T>(slice: &[ValRaw]) -> &T {
         mem::size_of_val(slice)
     );
 
-    &*slice.as_ptr().cast()
+    unsafe { &*slice.as_ptr().cast() }
 }

crates/wasmtime/src/runtime/fiber.rs

@@ -1,5 +1,3 @@
-#![deny(unsafe_op_in_unsafe_fn)]
-
 use crate::prelude::*;
 use crate::store::{Executor, StoreId, StoreInner, StoreOpaque};
 use crate::vm::mpk::{self, ProtectionMask};