Support platforms without 64-bit atomics (bytecodealliance#10134)

* Support platforms without 64-bit atomics

This commit enables Wasmtime to build on platforms without 64-bit atomic
instructions, such as Rust's `riscv32imac-unknown-none-elf` target.
There are only two users of 64-bit atomics right now which are epochs
and allocation of `StoreId`. This commit adds `#[cfg]` to epoch-related
infrastructure in the runtime to turn that all of if 64-bit atomics
aren't available. The thinking is that epochs more-or-less don't work
without 64-bit atomics so it's easier to just remove them entirely.

Allocation of `StoreId` is trickier though because it's so core to
Wasmtime and it basically can't be removed. I've opted to change the
allocator to 32-bit indices instead of 64-bit indices. Note that
`StoreId` requires unique IDs to be allocated for safety which means
that while a 64-bit integer won't overflow for a few thousand years a
32-bit integer will overflow in a few hours from quickly creating
stores. The rough hope though is that embeddings on platforms like this
aren't churning through stores. Regardless if this condition is
triggered it'll result in a panic rather than unsoundness, so we
hopefully have at least that going for us.

Closes bytecodealliance#8768

* Update component resources to not use `AtomicU64`

These aren't intended to be used in threaded contexts anyway and the use
of `AtomicXXX` is just to have interior mutability while still being
`Send` and `Sync`. Switch to using `AtomicU32` which is more portable.

* Use `RwLock<u64>` for `StoreId` instead.

* Fix compile

* Fix imports

Author: alexcrichton

.github/workflows/main.yml

@@ -570,6 +570,10 @@ jobs:
           apt_packages: gcc-powerpc64le-linux-gnu
           env:
             CARGO_TARGET_POWERPC64LE_UNKNOWN_LINUX_GNU_LINKER: powerpc64le-linux-gnu-gcc
+        # A no_std target without 64-bit atomics
+        - target: riscv32imac-unknown-none-elf
+          os: ubuntu-latest
+          test: cargo check -p wasmtime --no-default-features --features runtime,gc,component-model
     env: ${{ matrix.env || fromJSON('{}') }}
     steps:
     - uses: actions/checkout@v4

crates/environ/src/builtin.rs

@@ -40,6 +40,7 @@ macro_rules! foreach_builtin_function {
             // Invoked when fuel has run out while executing a function.
             out_of_gas(vmctx: vmctx) -> bool;
             // Invoked when we reach a new epoch.
+            #[cfg(target_has_atomic = "64")]
             new_epoch(vmctx: vmctx) -> u64;
             // Invoked before malloc returns.
             #[cfg(feature = "wmemcheck")]

crates/wasmtime/src/engine.rs

@@ -8,6 +8,7 @@ use crate::runtime::vm::GcRuntime;
 use crate::sync::OnceLock;
 use crate::Config;
 use alloc::sync::Arc;
+#[cfg(target_has_atomic = "64")]
 use core::sync::atomic::{AtomicU64, Ordering};
 #[cfg(any(feature = "cranelift", feature = "winch"))]
 use object::write::{Object, StandardSegment};
@@ -61,7 +62,7 @@ struct EngineInner {
     profiler: Box<dyn crate::profiling_agent::ProfilingAgent>,
     #[cfg(feature = "runtime")]
     signatures: TypeRegistry,
-    #[cfg(feature = "runtime")]
+    #[cfg(all(feature = "runtime", target_has_atomic = "64"))]
     epoch: AtomicU64,
 
     /// One-time check of whether the compiler's settings, if present, are
@@ -130,7 +131,7 @@ impl Engine {
                 profiler: config.build_profiler()?,
                 #[cfg(feature = "runtime")]
                 signatures: TypeRegistry::new(),
-                #[cfg(feature = "runtime")]
+                #[cfg(all(feature = "runtime", target_has_atomic = "64"))]
                 epoch: AtomicU64::new(0),
                 #[cfg(any(feature = "cranelift", feature = "winch"))]
                 compatible_with_native_host: OnceLock::new(),
@@ -318,6 +319,9 @@ impl Engine {
         if !cfg!(has_virtual_memory) && self.tunables().memory_init_cow {
             return Err("virtual memory disabled at compile time -- cannot enable CoW".into());
         }
+        if !cfg!(target_has_atomic = "64") && self.tunables().epoch_interruption {
+            return Err("epochs currently require 64-bit atomics".into());
+        }
         Ok(())
     }
 
@@ -692,10 +696,12 @@ impl Engine {
         self.config().custom_code_memory.as_ref()
     }
 
+    #[cfg(target_has_atomic = "64")]
     pub(crate) fn epoch_counter(&self) -> &AtomicU64 {
         &self.inner.epoch
     }
 
+    #[cfg(target_has_atomic = "64")]
     pub(crate) fn current_epoch(&self) -> u64 {
         self.epoch_counter().load(Ordering::Relaxed)
     }
@@ -725,6 +731,7 @@ impl Engine {
     /// This method is signal-safe: it does not make any syscalls, and
     /// performs only an atomic increment to the epoch value in
     /// memory.
+    #[cfg(target_has_atomic = "64")]
     pub fn increment_epoch(&self) {
         self.inner.epoch.fetch_add(1, Ordering::Relaxed);
     }

crates/wasmtime/src/runtime/component/resources.rs

@@ -11,7 +11,7 @@ use core::fmt;
 use core::marker;
 use core::mem::MaybeUninit;
 use core::ptr::NonNull;
-use core::sync::atomic::{AtomicU64, Ordering::Relaxed};
+use core::sync::atomic::{AtomicU32, Ordering::Relaxed};
 use wasmtime_environ::component::{
     CanonicalAbiInfo, ComponentTypes, DefinedResourceIndex, InterfaceType, ResourceIndex,
     TypeResourceTableIndex,
@@ -248,12 +248,18 @@ pub struct Resource<T> {
 ///   borrow tracking associated with it. The low 32-bits of the value are
 ///   the table index and the upper 32-bits are the generation.
 ///
-/// Note that this is an `AtomicU64` but it's not intended to actually be
-/// used in conjunction with threads as generally a `Store<T>` lives on one
-/// thread at a time. The `AtomicU64` here is used to ensure that this type
-/// is `Send + Sync` when captured as a reference to make async programming
-/// more ergonomic.
-struct AtomicResourceState(AtomicU64);
+/// Note that this is two `AtomicU32` fields but it's not intended to actually
+/// be used in conjunction with threads as generally a `Store<T>` lives on one
+/// thread at a time. The pair of `AtomicU32` here is used to ensure that this
+/// type is `Send + Sync` when captured as a reference to make async
+/// programming more ergonomic.
+///
+/// Also note that two `AtomicU32` here are used instead of `AtomicU64` to be
+/// more portable to platforms without 64-bit atomics.
+struct AtomicResourceState {
+    index: AtomicU32,
+    generation: AtomicU32,
+}
 
 #[derive(Debug, PartialEq, Eq, Copy, Clone)]
 enum ResourceState {
@@ -264,39 +270,52 @@ enum ResourceState {
 }
 
 impl AtomicResourceState {
-    const BORROW: Self = Self(AtomicU64::new(ResourceState::BORROW));
-    const NOT_IN_TABLE: Self = Self(AtomicU64::new(ResourceState::NOT_IN_TABLE));
+    const BORROW: Self = AtomicResourceState::new(ResourceState::Borrow);
+    const NOT_IN_TABLE: Self = AtomicResourceState::new(ResourceState::NotInTable);
+
+    const fn new(state: ResourceState) -> AtomicResourceState {
+        let (index, generation) = state.encode();
+        Self {
+            index: AtomicU32::new(index),
+            generation: AtomicU32::new(generation),
+        }
+    }
 
     fn get(&self) -> ResourceState {
-        ResourceState::decode(self.0.load(Relaxed))
+        ResourceState::decode(self.index.load(Relaxed), self.generation.load(Relaxed))
     }
 
     fn swap(&self, state: ResourceState) -> ResourceState {
-        ResourceState::decode(self.0.swap(state.encode(), Relaxed))
+        let (index, generation) = state.encode();
+        let index_prev = self.index.load(Relaxed);
+        self.index.store(index, Relaxed);
+        let generation_prev = self.generation.load(Relaxed);
+        self.generation.store(generation, Relaxed);
+        ResourceState::decode(index_prev, generation_prev)
     }
 }
 
 impl ResourceState {
     // See comments on `state` above for info about these values.
-    const BORROW: u64 = u64::MAX;
-    const NOT_IN_TABLE: u64 = u64::MAX - 1;
-    const TAKEN: u64 = u64::MAX - 2;
+    const BORROW: u32 = u32::MAX;
+    const NOT_IN_TABLE: u32 = u32::MAX - 1;
+    const TAKEN: u32 = u32::MAX - 2;
 
-    fn decode(bits: u64) -> ResourceState {
-        match bits {
+    fn decode(idx: u32, generation: u32) -> ResourceState {
+        match generation {
             Self::BORROW => Self::Borrow,
             Self::NOT_IN_TABLE => Self::NotInTable,
             Self::TAKEN => Self::Taken,
-            other => Self::Index(HostResourceIndex(other)),
+            _ => Self::Index(HostResourceIndex::new(idx, generation)),
         }
     }
 
-    fn encode(&self) -> u64 {
+    const fn encode(&self) -> (u32, u32) {
         match self {
-            Self::Borrow => Self::BORROW,
-            Self::NotInTable => Self::NOT_IN_TABLE,
-            Self::Taken => Self::TAKEN,
-            Self::Index(index) => index.0,
+            Self::Borrow => (0, Self::BORROW),
+            Self::NotInTable => (0, Self::NOT_IN_TABLE),
+            Self::Taken => (0, Self::TAKEN),
+            Self::Index(index) => (index.index(), index.generation()),
         }
     }
 }
@@ -359,12 +378,12 @@ impl HostResourceIndex {
         HostResourceIndex(u64::from(idx) | (u64::from(generation) << 32))
     }
 
-    fn index(&self) -> u32 {
-        u32::try_from(self.0 & 0xffffffff).unwrap()
+    const fn index(&self) -> u32 {
+        (self.0 & 0xffffffff) as u32
     }
 
-    fn generation(&self) -> u32 {
-        u32::try_from(self.0 >> 32).unwrap()
+    const fn generation(&self) -> u32 {
+        (self.0 >> 32) as u32
     }
 }
 

crates/wasmtime/src/runtime/store.rs

@@ -222,6 +222,7 @@ pub struct StoreInner<T> {
 
     limiter: Option<ResourceLimiterInner<T>>,
     call_hook: Option<CallHookInner<T>>,
+    #[cfg(target_has_atomic = "64")]
     epoch_deadline_behavior:
         Option<Box<dyn FnMut(StoreContextMut<T>) -> Result<UpdateDeadline> + Send + Sync>>,
     // for comments about `ManuallyDrop`, see `Store::into_data`
@@ -614,6 +615,7 @@ impl<T> Store<T> {
             },
             limiter: None,
             call_hook: None,
+            #[cfg(target_has_atomic = "64")]
             epoch_deadline_behavior: None,
             data: ManuallyDrop::new(data),
         });
@@ -995,6 +997,7 @@ impl<T> Store<T> {
     /// See documentation on
     /// [`Config::epoch_interruption()`](crate::Config::epoch_interruption)
     /// for an introduction to epoch-based interruption.
+    #[cfg(target_has_atomic = "64")]
     pub fn set_epoch_deadline(&mut self, ticks_beyond_current: u64) {
         self.inner.set_epoch_deadline(ticks_beyond_current);
     }
@@ -1025,6 +1028,7 @@ impl<T> Store<T> {
     /// See documentation on
     /// [`Config::epoch_interruption()`](crate::Config::epoch_interruption)
     /// for an introduction to epoch-based interruption.
+    #[cfg(target_has_atomic = "64")]
     pub fn epoch_deadline_trap(&mut self) {
         self.inner.epoch_deadline_trap();
     }
@@ -1056,6 +1060,7 @@ impl<T> Store<T> {
     /// See documentation on
     /// [`Config::epoch_interruption()`](crate::Config::epoch_interruption)
     /// for an introduction to epoch-based interruption.
+    #[cfg(target_has_atomic = "64")]
     pub fn epoch_deadline_callback(
         &mut self,
         callback: impl FnMut(StoreContextMut<T>) -> Result<UpdateDeadline> + Send + Sync + 'static,
@@ -1086,7 +1091,7 @@ impl<T> Store<T> {
     /// See documentation on
     /// [`Config::epoch_interruption()`](crate::Config::epoch_interruption)
     /// for an introduction to epoch-based interruption.
-    #[cfg(feature = "async")]
+    #[cfg(all(feature = "async", target_has_atomic = "64"))]
     pub fn epoch_deadline_async_yield_and_update(&mut self, delta: u64) {
         self.inner.epoch_deadline_async_yield_and_update(delta);
     }
@@ -1184,13 +1189,15 @@ impl<'a, T> StoreContextMut<'a, T> {
     /// Sets the epoch deadline to a certain number of ticks in the future.
     ///
     /// For more information see [`Store::set_epoch_deadline`].
+    #[cfg(target_has_atomic = "64")]
     pub fn set_epoch_deadline(&mut self, ticks_beyond_current: u64) {
         self.0.set_epoch_deadline(ticks_beyond_current);
     }
 
     /// Configures epoch-deadline expiration to trap.
     ///
     /// For more information see [`Store::epoch_deadline_trap`].
+    #[cfg(target_has_atomic = "64")]
     pub fn epoch_deadline_trap(&mut self) {
         self.0.epoch_deadline_trap();
     }
@@ -1200,7 +1207,7 @@ impl<'a, T> StoreContextMut<'a, T> {
     ///
     /// For more information see
     /// [`Store::epoch_deadline_async_yield_and_update`].
-    #[cfg(feature = "async")]
+    #[cfg(all(feature = "async", target_has_atomic = "64"))]
     pub fn epoch_deadline_async_yield_and_update(&mut self, delta: u64) {
         self.0.epoch_deadline_async_yield_and_update(delta);
     }
@@ -1920,7 +1927,7 @@ impl StoreOpaque {
     ///
     /// This only works on async futures and stores, and assumes that we're
     /// executing on a fiber. This will yield execution back to the caller once.
-    #[cfg(feature = "async")]
+    #[cfg(all(feature = "async", target_has_atomic = "64"))]
     fn async_yield_impl(&mut self) -> Result<()> {
         use crate::runtime::vm::Yield;
 
@@ -2688,6 +2695,7 @@ unsafe impl<T> crate::runtime::vm::VMStore for StoreInner<T> {
         Ok(())
     }
 
+    #[cfg(target_has_atomic = "64")]
     fn new_epoch(&mut self) -> Result<u64, anyhow::Error> {
         // Temporarily take the configured behavior to avoid mutably borrowing
         // multiple times.
@@ -2769,6 +2777,7 @@ unsafe impl<T> crate::runtime::vm::VMStore for StoreInner<T> {
 }
 
 impl<T> StoreInner<T> {
+    #[cfg(target_has_atomic = "64")]
     pub(crate) fn set_epoch_deadline(&mut self, delta: u64) {
         // Set a new deadline based on the "epoch deadline delta".
         //
@@ -2783,10 +2792,12 @@ impl<T> StoreInner<T> {
         *epoch_deadline = self.engine().current_epoch() + delta;
     }
 
+    #[cfg(target_has_atomic = "64")]
     fn epoch_deadline_trap(&mut self) {
         self.epoch_deadline_behavior = None;
     }
 
+    #[cfg(target_has_atomic = "64")]
     fn epoch_deadline_callback(
         &mut self,
         callback: Box<dyn FnMut(StoreContextMut<T>) -> Result<UpdateDeadline> + Send + Sync>,

crates/wasmtime/src/runtime/store/data.rs

@@ -5,7 +5,6 @@ use core::fmt;
 use core::marker;
 use core::num::NonZeroU64;
 use core::ops::{Index, IndexMut};
-use core::sync::atomic::{AtomicU64, Ordering::Relaxed};
 
 // This is defined here, in a private submodule, so we can explicitly reexport
 // it only as `pub(crate)`. This avoids a ton of
@@ -210,22 +209,46 @@ impl StoreId {
     /// Allocates a new unique identifier for a store that has never before been
     /// used in this process.
     pub fn allocate() -> StoreId {
-        static NEXT_ID: AtomicU64 = AtomicU64::new(0);
-
-        // Only allow 2^63 stores at which point we start panicking to prevent
-        // overflow.
+        // When 64-bit atomics are allowed then allow 2^63 stores at which point
+        // we start panicking to prevent overflow.
         //
         // If a store is created once per microsecond then this will last the
         // current process for 584,540 years before overflowing.
-        //
-        // Also note the usage of `Relaxed` ordering here which should be ok
-        // since we're only looking for atomicity on this counter and this
-        // otherwise isn't used to synchronize memory stored anywhere else.
-        let id = NEXT_ID.fetch_add(1, Relaxed);
-        if id & (1 << 63) != 0 {
-            NEXT_ID.store(1 << 63, Relaxed);
-            panic!("store id allocator overflow");
-        }
+        const OVERFLOW_THRESHOLD: u64 = 1 << 63;
+
+        #[cfg(target_has_atomic = "64")]
+        let id = {
+            use core::sync::atomic::{AtomicU64, Ordering::Relaxed};
+
+            // Note the usage of `Relaxed` ordering here which should be ok
+            // since we're only looking for atomicity on this counter and this
+            // otherwise isn't used to synchronize memory stored anywhere else.
+            static NEXT_ID: AtomicU64 = AtomicU64::new(0);
+            let id = NEXT_ID.fetch_add(1, Relaxed);
+            if id > OVERFLOW_THRESHOLD {
+                NEXT_ID.store(OVERFLOW_THRESHOLD, Relaxed);
+                panic!("store id allocator overflow");
+            }
+            id
+        };
+
+        // When 64-bit atomics are not allowed use a `RwLock<u64>`. This is
+        // already used elsewhere in Wasmtime and currently has the
+        // implementation of panic-on-contention, but it's at least no worse
+        // than what wasmtime had before and is at least correct and UB-free.
+        #[cfg(not(target_has_atomic = "64"))]
+        let id = {
+            use crate::sync::RwLock;
+            static NEXT_ID: RwLock<u64> = RwLock::new(0);
+
+            let mut lock = NEXT_ID.write();
+            if *lock > OVERFLOW_THRESHOLD {
+                panic!("store id allocator overflow");
+            }
+            let ret = *lock;
+            *lock += 1;
+            ret
+        };
 
         StoreId(NonZeroU64::new(id + 1).unwrap())
     }

crates/wasmtime/src/runtime/vm.rs

@@ -178,6 +178,7 @@ pub unsafe trait VMStore {
     /// Callback invoked whenever an instance observes a new epoch
     /// number. Cannot fail; cooperative epoch-based yielding is
     /// completely semantically transparent. Returns the new deadline.
+    #[cfg(target_has_atomic = "64")]
     fn new_epoch(&mut self) -> Result<u64, Error>;
 
     /// Callback invoked whenever an instance needs to trigger a GC.