Add a type-level distinction between aligned and possibly-unaligned Mmaps (#9639)

In the wasmtime codebase there are two kinds of mmaps: those that are always
backed by anonymous memory and are always aligned, and those that are possibly
file-backed and so the length might be unaligned. In
#9620 I accidentally mixed the
two up in a way that was a ticking time bomb.

To resolve this, add a type parameter to `Mmap` to distinguish between the
cases. All of wasmtime's users are clearly either one or the other, so it's
quite simple in the end.

Author: sunshowers

crates/wasmtime/src/runtime/vm/gc/enabled/drc.rs

@@ -46,8 +46,9 @@ use super::{VMArrayRef, VMGcObjectDataMut, VMStructRef};
 use crate::hash_set::HashSet;
 use crate::prelude::*;
 use crate::runtime::vm::{
-    ExternRefHostDataId, ExternRefHostDataTable, GarbageCollection, GcHeap, GcHeapObject,
-    GcProgress, GcRootsIter, GcRuntime, Mmap, TypedGcRef, VMExternRef, VMGcHeader, VMGcRef,
+    mmap::AlignedLength, ExternRefHostDataId, ExternRefHostDataTable, GarbageCollection, GcHeap,
+    GcHeapObject, GcProgress, GcRootsIter, GcRuntime, Mmap, TypedGcRef, VMExternRef, VMGcHeader,
+    VMGcRef,
 };
 use core::ops::{Deref, DerefMut, Range};
 use core::{
@@ -90,7 +91,7 @@ struct DrcHeap {
     // NB: this box shouldn't be strictly necessary, but it makes upholding the
     // safety invariants of the `vmctx_gc_heap_data` more obviously correct.
     activations_table: Box<VMGcRefActivationsTable>,
-    heap: Mmap,
+    heap: Mmap<AlignedLength>,
     free_list: FreeList,
 }
 

crates/wasmtime/src/runtime/vm/gc/enabled/null.rs

@@ -8,8 +8,9 @@ use super::*;
 use crate::{
     prelude::*,
     vm::{
-        ExternRefHostDataId, ExternRefHostDataTable, GarbageCollection, GcHeap, GcHeapObject,
-        GcProgress, GcRootsIter, Mmap, SendSyncUnsafeCell, TypedGcRef, VMGcHeader, VMGcRef,
+        mmap::AlignedLength, ExternRefHostDataId, ExternRefHostDataTable, GarbageCollection,
+        GcHeap, GcHeapObject, GcProgress, GcRootsIter, Mmap, SendSyncUnsafeCell, TypedGcRef,
+        VMGcHeader, VMGcRef,
     },
     GcHeapOutOfMemory,
 };
@@ -54,7 +55,7 @@ struct NullHeap {
     no_gc_count: usize,
 
     /// The actual GC heap.
-    heap: Mmap,
+    heap: Mmap<AlignedLength>,
 }
 
 /// The common header for all arrays in the null collector.

crates/wasmtime/src/runtime/vm/instance/allocator/pooling/memory_pool.rs

@@ -56,8 +56,8 @@ use super::{
 };
 use crate::runtime::vm::mpk::{self, ProtectionKey, ProtectionMask};
 use crate::runtime::vm::{
-    CompiledModuleId, InstanceAllocationRequest, InstanceLimits, Memory, MemoryImageSlot, Mmap,
-    MpkEnabled, PoolingInstanceAllocatorConfig,
+    mmap::AlignedLength, CompiledModuleId, InstanceAllocationRequest, InstanceLimits, Memory,
+    MemoryImageSlot, Mmap, MpkEnabled, PoolingInstanceAllocatorConfig,
 };
 use crate::{prelude::*, vm::round_usize_up_to_host_pages};
 use std::ffi::c_void;
@@ -101,7 +101,7 @@ struct Stripe {
 /// ```
 #[derive(Debug)]
 pub struct MemoryPool {
-    mapping: Mmap,
+    mapping: Mmap<AlignedLength>,
     /// This memory pool is stripe-aware. If using  memory protection keys, this
     /// will contain one stripe per available key; otherwise, a single stripe
     /// with an empty key.

crates/wasmtime/src/runtime/vm/instance/allocator/pooling/table_pool.rs

@@ -4,7 +4,8 @@ use super::{
 };
 use crate::prelude::*;
 use crate::runtime::vm::{
-    InstanceAllocationRequest, Mmap, PoolingInstanceAllocatorConfig, SendSyncPtr, Table,
+    mmap::AlignedLength, InstanceAllocationRequest, Mmap, PoolingInstanceAllocatorConfig,
+    SendSyncPtr, Table,
 };
 use crate::{runtime::vm::sys::vm::commit_pages, vm::round_usize_up_to_host_pages};
 use std::mem;
@@ -18,7 +19,7 @@ use wasmtime_environ::{Module, Tunables};
 #[derive(Debug)]
 pub struct TablePool {
     index_allocator: SimpleIndexAllocator,
-    mapping: Mmap,
+    mapping: Mmap<AlignedLength>,
     table_size: usize,
     max_total_tables: usize,
     tables_per_instance: usize,

crates/wasmtime/src/runtime/vm/instance/allocator/pooling/unix_stack_pool.rs

@@ -6,7 +6,9 @@ use super::{
 };
 use crate::prelude::*;
 use crate::runtime::vm::sys::vm::commit_pages;
-use crate::runtime::vm::{round_usize_up_to_host_pages, Mmap, PoolingInstanceAllocatorConfig};
+use crate::runtime::vm::{
+    mmap::AlignedLength, round_usize_up_to_host_pages, Mmap, PoolingInstanceAllocatorConfig,
+};
 
 /// Represents a pool of execution stacks (used for the async fiber implementation).
 ///
@@ -20,7 +22,7 @@ use crate::runtime::vm::{round_usize_up_to_host_pages, Mmap, PoolingInstanceAllo
 /// from the pool.
 #[derive(Debug)]
 pub struct StackPool {
-    mapping: Mmap,
+    mapping: Mmap<AlignedLength>,
     stack_size: usize,
     max_stacks: usize,
     page_size: usize,

crates/wasmtime/src/runtime/vm/memory/mmap.rs

@@ -3,15 +3,15 @@
 
 use crate::prelude::*;
 use crate::runtime::vm::memory::RuntimeLinearMemory;
-use crate::runtime::vm::mmap::Mmap;
+use crate::runtime::vm::mmap::{AlignedLength, Mmap};
 use crate::runtime::vm::{round_usize_up_to_host_pages, usize_is_multiple_of_host_page_size};
 use wasmtime_environ::Tunables;
 
 /// A linear memory instance.
 #[derive(Debug)]
 pub struct MmapMemory {
     // The underlying allocation.
-    mmap: Mmap,
+    mmap: Mmap<AlignedLength>,
 
     // The current length of this Wasm memory, in bytes.
     //

crates/wasmtime/src/runtime/vm/mmap.rs

@@ -7,41 +7,65 @@ use core::ops::Range;
 #[cfg(feature = "std")]
 use std::{fs::File, sync::Arc};
 
-/// A simple struct consisting of a page-aligned pointer to page-aligned
-/// and initially-zeroed memory and a length.
-#[derive(Debug)]
-pub struct Mmap {
-    sys: mmap::Mmap,
+/// A marker type for an [`Mmap`] where both the start address and length are a
+/// multiple of the host page size.
+///
+/// For more information, see the documentation on [`Mmap`].
+#[derive(Clone, Debug)]
+pub struct AlignedLength {}
+
+/// A type of [`Mmap`] where the start address is host page-aligned, but the
+/// length is possibly not a multiple of the host page size.
+///
+/// For more information, see the documentation on [`Mmap`].
+#[derive(Clone, Debug)]
+pub struct UnalignedLength {
     #[cfg(feature = "std")]
     file: Option<Arc<File>>,
 }
 
-impl Mmap {
+/// A platform-independent abstraction over memory-mapped data.
+///
+/// The type parameter can be one of:
+///
+/// * [`AlignedLength`]: Both the start address and length are page-aligned
+/// (i.e. a multiple of the host page size). This is always the result of an
+/// mmap backed by anonymous memory.
+///
+/// * [`UnalignedLength`]: The start address is host page-aligned, but the
+/// length is not necessarily page-aligned. This is usually backed by a file,
+/// but can also be backed by anonymous memory.
+///
+/// ## Notes
+///
+/// If the length of a file is not a multiple of the host page size, [POSIX does
+/// not specify any semantics][posix-mmap] for the rest of the last page. Linux
+/// [does say][linux-mmap] that the rest of the page is reserved and zeroed out,
+/// but for portability it's best to not assume anything about the rest of
+/// memory. `UnalignedLength` achieves a type-level distinction between an mmap
+/// that is backed purely by memory, and one that is possibly backed by a file.
+///
+/// Currently, the OS-specific `mmap` implementations in this crate do not make
+/// this this distinction -- alignment is managed at this platform-independent
+/// layer. It might make sense to add this distinction to the OS-specific
+/// implementations in the future.
+///
+/// [posix-mmap]: https://pubs.opengroup.org/onlinepubs/9799919799/functions/mmap.html
+/// [linux-mmap]: https://man7.org/linux/man-pages/man2/mmap.2.html#NOTES
+#[derive(Debug)]
+pub struct Mmap<T> {
+    sys: mmap::Mmap,
+    data: T,
+}
+
+impl Mmap<AlignedLength> {
     /// Create a new `Mmap` pointing to at least `size` bytes of page-aligned
     /// accessible memory.
     pub fn with_at_least(size: usize) -> Result<Self> {
         let rounded_size = crate::runtime::vm::round_usize_up_to_host_pages(size)?;
         Self::accessible_reserved(rounded_size, rounded_size)
     }
 
-    /// Creates a new `Mmap` by opening the file located at `path` and mapping
-    /// it into memory.
-    ///
-    /// The memory is mapped in read-only mode for the entire file. If portions
-    /// of the file need to be modified then the `region` crate can be use to
-    /// alter permissions of each page.
-    ///
-    /// The memory mapping and the length of the file within the mapping are
-    /// returned.
-    #[cfg(feature = "std")]
-    pub fn from_file(file: Arc<File>) -> Result<Self> {
-        let sys = mmap::Mmap::from_file(&file)?;
-        Ok(Mmap {
-            sys,
-            file: Some(file),
-        })
-    }
-
     /// Create a new `Mmap` pointing to `accessible_size` bytes of page-aligned
     /// accessible memory, within a reserved mapping of `mapping_size` bytes.
     /// `accessible_size` and `mapping_size` must be native page-size multiples.
@@ -58,22 +82,19 @@ impl Mmap {
         if mapping_size == 0 {
             Ok(Mmap {
                 sys: mmap::Mmap::new_empty(),
-                #[cfg(feature = "std")]
-                file: None,
+                data: AlignedLength {},
             })
         } else if accessible_size == mapping_size {
             Ok(Mmap {
                 sys: mmap::Mmap::new(mapping_size)
                     .context(format!("mmap failed to allocate {mapping_size:#x} bytes"))?,
-                #[cfg(feature = "std")]
-                file: None,
+                data: AlignedLength {},
             })
         } else {
             let mut result = Mmap {
                 sys: mmap::Mmap::reserve(mapping_size)
                     .context(format!("mmap failed to reserve {mapping_size:#x} bytes"))?,
-                #[cfg(feature = "std")]
-                file: None,
+                data: AlignedLength {},
             };
             if accessible_size > 0 {
                 result.make_accessible(0, accessible_size).context(format!(
@@ -84,6 +105,20 @@ impl Mmap {
         }
     }
 
+    /// Converts this `Mmap` into a `Mmap<UnalignedLength>`.
+    ///
+    /// `UnalignedLength` really means "_possibly_ unaligned length", so it can
+    /// be freely converted over at the cost of losing the alignment guarantee.
+    pub fn into_unaligned(self) -> Mmap<UnalignedLength> {
+        Mmap {
+            sys: self.sys,
+            data: UnalignedLength {
+                #[cfg(feature = "std")]
+                file: None,
+            },
+        }
+    }
+
     /// Make the memory starting at `start` and extending for `len` bytes
     /// accessible. `start` and `len` must be native page-size multiples and
     /// describe a range within `self`'s reserved memory.
@@ -101,7 +136,34 @@ impl Mmap {
 
         self.sys.make_accessible(start, len)
     }
+}
 
+#[cfg(feature = "std")]
+impl Mmap<UnalignedLength> {
+    /// Creates a new `Mmap` by opening the file located at `path` and mapping
+    /// it into memory.
+    ///
+    /// The memory is mapped in read-only mode for the entire file. If portions
+    /// of the file need to be modified then the `region` crate can be use to
+    /// alter permissions of each page.
+    ///
+    /// The memory mapping and the length of the file within the mapping are
+    /// returned.
+    pub fn from_file(file: Arc<File>) -> Result<Self> {
+        let sys = mmap::Mmap::from_file(&file)?;
+        Ok(Mmap {
+            sys,
+            data: UnalignedLength { file: Some(file) },
+        })
+    }
+
+    /// Returns the underlying file that this mmap is mapping, if present.
+    pub fn original_file(&self) -> Option<&Arc<File>> {
+        self.data.file.as_ref()
+    }
+}
+
+impl<T> Mmap<T> {
     /// Return the allocated memory as a slice of u8.
     ///
     /// # Safety
@@ -198,15 +260,16 @@ impl Mmap {
             .make_readonly(range)
             .context("failed to make memory readonly")
     }
-
-    /// Returns the underlying file that this mmap is mapping, if present.
-    #[cfg(feature = "std")]
-    pub fn original_file(&self) -> Option<&Arc<File>> {
-        self.file.as_ref()
-    }
 }
 
 fn _assert() {
     fn _assert_send_sync<T: Send + Sync>() {}
-    _assert_send_sync::<Mmap>();
+    _assert_send_sync::<Mmap<AlignedLength>>();
+    _assert_send_sync::<Mmap<UnalignedLength>>();
+}
+
+impl From<Mmap<AlignedLength>> for Mmap<UnalignedLength> {
+    fn from(mmap: Mmap<AlignedLength>) -> Mmap<UnalignedLength> {
+        mmap.into_unaligned()
+    }
 }

crates/wasmtime/src/runtime/vm/mmap_vec.rs

@@ -1,6 +1,6 @@
 use crate::prelude::*;
 #[cfg(feature = "signals-based-traps")]
-use crate::runtime::vm::Mmap;
+use crate::runtime::vm::{mmap::UnalignedLength, Mmap};
 use alloc::sync::Arc;
 use core::ops::{Deref, Range};
 #[cfg(feature = "std")]
@@ -29,7 +29,10 @@ pub enum MmapVec {
     Vec(Vec<u8>),
     #[doc(hidden)]
     #[cfg(feature = "signals-based-traps")]
-    Mmap { mmap: Mmap, len: usize },
+    Mmap {
+        mmap: Mmap<UnalignedLength>,
+        len: usize,
+    },
 }
 
 impl MmapVec {
@@ -39,7 +42,11 @@ impl MmapVec {
     /// smaller than the region mapped by the `Mmap`. The returned `MmapVec`
     /// will only have at most `size` bytes accessible.
     #[cfg(feature = "signals-based-traps")]
-    fn new_mmap(mmap: Mmap, len: usize) -> MmapVec {
+    fn new_mmap<M>(mmap: M, len: usize) -> MmapVec
+    where
+        M: Into<Mmap<UnalignedLength>>,
+    {
+        let mmap = mmap.into();
         assert!(len <= mmap.len());
         MmapVec::Mmap { mmap, len }
     }

crates/wasmtime/src/runtime/vm/sys/unix/mmap.rs

@@ -20,7 +20,7 @@ pub struct Mmap {
 cfg_if::cfg_if! {
     if #[cfg(any(target_os = "illumos", target_os = "linux"))] {
         // On illumos, by default, mmap reserves what it calls "swap space" ahead of time, so that
-        // memory accesses are guaranteed not to fail once mmap succeeds. NORESERVE is for cases
+        // memory accesses a`re guaranteed not to fail once mmap succeeds. NORESERVE is for cases
         // where that memory is never meant to be accessed -- e.g. memory that's used as guard
         // pages.
         //
@@ -135,6 +135,9 @@ impl Mmap {
 
     #[inline]
     pub fn len(&self) -> usize {
+        // Note: while the start of memory is host page-aligned, the length might
+        // not be, and in particular is not aligned for file-backed mmaps. Be
+        // careful!
         self.memory.as_ptr().len()
     }