feat: enforce syscall type-safety

This ensures nobody accidentally adds unsafe types to the syscall ABI.

Author: Stebalien

fvm/src/syscalls/bind.rs

@@ -1,6 +1,7 @@
 use std::mem;
 
 use fvm_shared::error::ErrorNumber;
+use fvm_shared::sys::SyscallSafe;
 use wasmtime::{Caller, Linker, Trap, WasmTy};
 
 use super::context::Memory;
@@ -50,14 +51,14 @@ pub(super) trait BindSyscall<Args, Ret, Func> {
 /// results that can be handled by wasmtime. See the documentation on `BindSyscall` for details.
 #[doc(hidden)]
 pub trait IntoSyscallResult: Sized {
-    type Value: Copy + Sized + 'static;
+    type Value: SyscallSafe;
     fn into(self) -> Result<Result<Self::Value, SyscallError>, Abort>;
 }
 
 // Implementations for syscalls that abort on error.
 impl<T> IntoSyscallResult for Result<T, Abort>
 where
-    T: Copy + Sized + 'static,
+    T: SyscallSafe,
 {
     type Value = T;
     fn into(self) -> Result<Result<Self::Value, SyscallError>, Abort> {
@@ -68,7 +69,7 @@ where
 // Implementations for normal syscalls.
 impl<T> IntoSyscallResult for kernel::Result<T>
 where
-    T: Copy + Sized + 'static,
+    T: SyscallSafe,
 {
     type Value = T;
     fn into(self) -> Result<Result<Self::Value, SyscallError>, Abort> {
@@ -135,7 +136,7 @@ macro_rules! impl_bind_syscalls {
             K: Kernel,
             Func: Fn(Context<'_, K> $(, $t)*) -> Ret + Send + Sync + 'static,
             Ret: IntoSyscallResult,
-           $($t: WasmTy,)*
+           $($t: WasmTy+SyscallSafe,)*
         {
             fn bind(
                 &mut self,

fvm/src/syscalls/vm.rs

@@ -1,5 +1,7 @@
 use fvm_shared::error::ExitCode;
+use fvm_shared::sys::SyscallSafe;
 use fvm_shared::version::NetworkVersion;
+use num_traits::FromPrimitive;
 
 use super::error::Abort;
 use super::Context;
@@ -11,6 +13,8 @@ use crate::Kernel;
 #[derive(Copy, Clone)]
 pub enum Never {}
 
+unsafe impl SyscallSafe for Never {}
+
 // NOTE: this won't clobber the last syscall error because it directly returns a "trap".
 pub fn abort(
     context: Context<'_, impl Kernel>,

shared/src/sys/mod.rs

@@ -43,3 +43,38 @@ impl<'a> TryFrom<&'a crate::econ::TokenAmount> for TokenAmount {
         })
     }
 }
+
+/// An unsafe trait to mark "syscall safe" types. These types must be safe to memcpy to and from
+/// WASM. This means:
+///
+/// 1. Repr C & packed alignment (no reordering, no padding).
+/// 2. Copy, Sized, and no pointers.
+/// 3. No floats (non-determinism).
+///
+/// # Safety
+///
+/// Incorrectly implementing this could lead to undefined behavior in types passed between wasm and
+/// rust.
+pub unsafe trait SyscallSafe: Copy + Sized + 'static {}
+
+macro_rules! assert_syscall_safe {
+    ($($t:ty,)*) => {
+        $(unsafe impl SyscallSafe for $t {})*
+    }
+}
+
+assert_syscall_safe! {
+    (),
+
+    u8, u16, u32, u64,
+    i8, i16, i32, i64,
+
+    TokenAmount,
+    out::actor::ResolveAddress,
+    out::ipld::IpldOpen,
+    out::ipld::IpldStat,
+    out::send::Send,
+    out::crypto::VerifyConsensusFault,
+}
+
+unsafe impl<T, const N: usize> SyscallSafe for [T; N] where T: SyscallSafe {}