Review feedback.

cfallin · cfallin · commit 3c48653a259a · 2025-08-12T14:43:09.000-07:00
diff --git a/crates/wasmtime/src/runtime/store.rs b/crates/wasmtime/src/runtime/store.rs
@@ -1311,6 +1311,26 @@ impl StoreOpaque {
         self.instances[id].handle.get_mut()
     }
 
+    /// Accessor from a raw `vmctx` to `&vm::Instance`.
+    ///
+    /// # Safety
+    ///
+    /// The `vmctx` pointer must be a valid vmctx from an active
+    /// instance that belongs to this store.
+    #[inline]
+    pub unsafe fn instance_from_vmctx(&self, vmctx: NonNull<VMContext>) -> &vm::Instance {
+        // SAFETY: The validity of this `byte_sub` relies on `vmctx`
+        // being a valid allocation which is itself a contract of this
+        // function. Likewise, the `.as_ref()` converts a valid `*mut
+        // Instance` to a `&Instance`.
+        unsafe {
+            vmctx
+                .byte_sub(mem::size_of::<vm::Instance>())
+                .cast::<vm::Instance>()
+                .as_ref()
+        }
+    }
+
     /// Access multiple instances specified via `ids`.
     ///
     /// # Panics
diff --git a/crates/wasmtime/src/runtime/vm/throw.rs b/crates/wasmtime/src/runtime/vm/throw.rs
@@ -5,7 +5,7 @@ use core::ptr::NonNull;
 use wasmtime_environ::{TagIndex, Trap};
 use wasmtime_unwinder::{Frame, ThrowAction};
 
-use super::{InstanceAndStore, VMContext, VMExnRef};
+use super::{VMContext, VMExnRef};
 use crate::{
     store::AutoAssertNoGc,
     vm::{TrapReason, catch_unwind_and_record_trap, raise_preexisting_trap},
@@ -70,15 +70,21 @@ pub unsafe fn throw(nogc: &mut AutoAssertNoGc, exnref: VMExnRef) -> ! {
                     let frame_vmctx =
                         NonNull::new(frame_vmctx as *mut VMContext).expect("null vmctx in frame");
 
+                    // SAFETY: we use `instance_from_vmctx` to get an
+                    // `&Instance` from a raw vmctx we read off the
+                    // stack frame. That method's safety requirements
+                    // are that the `vmctx` is a valid vmctx belonging
+                    // to an instance in the store (`nogc`). This is
+                    // satisfied because every Wasm frame in this
+                    // activation must belong to an instance in this
+                    // store: we do not permit cross-store calls
+                    // without exiting through host code.
                     let (handler_tag_instance, handler_tag_index) = unsafe {
-                        InstanceAndStore::from_vmctx(frame_vmctx, |instance| {
-                            let (instance, store) = instance.unpack_mut();
-                            let tag = instance.get_exported_tag(
-                                store.id(),
-                                TagIndex::from_u32(module_local_tag_index),
-                            );
-                            tag.to_raw_indices()
-                        })
+                        let store_id = nogc.id();
+                        let instance = nogc.instance_from_vmctx(frame_vmctx);
+                        let tag = instance
+                            .get_exported_tag(store_id, TagIndex::from_u32(module_local_tag_index));
+                        tag.to_raw_indices()
                     };
                     log::trace!(
                         "-> handler's tag {module_local_tag_index:?} resolves to instance {handler_tag_instance:?} defined-tag {handler_tag_index:?}"
