Skip to content

feat: add a knob for reset stack#4813

Merged
alexcrichton merged 2 commits into
bytecodealliance:mainfrom
Duslia:feat/knob_for_reset_stack
Sep 1, 2022
Merged

feat: add a knob for reset stack#4813
alexcrichton merged 2 commits into
bytecodealliance:mainfrom
Duslia:feat/knob_for_reset_stack

Conversation

@Duslia
Copy link
Copy Markdown
Contributor

@Duslia Duslia commented Aug 30, 2022

This PR has been discussed in #4637. I add a knob for reset stack.

@github-actions github-actions Bot added wasmtime:api Related to the API of the `wasmtime` crate itself wasmtime:config Issues related to the configuration of Wasmtime labels Aug 30, 2022
@Duslia Duslia force-pushed the feat/knob_for_reset_stack branch from d9f4f57 to 0020cac Compare August 30, 2022 03:38
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Aug 30, 2022

Subscribe to Label Action

cc @peterhuene

Details This issue or pull request has been labeled: "wasmtime:api", "wasmtime:config"

Thus the following users have been cc'd because of the following labels:

  • peterhuene: wasmtime:api

To subscribe or unsubscribe from this label, edit the .github/subscribe-to-label.json configuration file.

Learn more.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Aug 30, 2022

Label Messager: wasmtime:config

It looks like you are changing Wasmtime's configuration options. Make sure to
complete this check list:

  • If you added a new Config method, you wrote extensive documentation for
    it.

    Details

    Our documentation should be of the following form:

    Short, simple summary sentence.

More details. These details can be multiple paragraphs. There should be
information about not just the method, but its parameters and results as
well.

Is this method fallible? If so, when can it return an error?

Can this method panic? If so, when does it panic?

# Example

Optional example here.

  • If you added a new Config method, or modified an existing one, you
    ensured that this configuration is exercised by the fuzz targets.

    Details

    For example, if you expose a new strategy for allocating the next instance
    slot inside the pooling allocator, you should ensure that at least one of our
    fuzz targets exercises that new strategy.

    Often, all that is required of you is to ensure that there is a knob for this
    configuration option in wasmtime_fuzzing::Config (or one
    of its nested structs).

    Rarely, this may require authoring a new fuzz target to specifically test this
    configuration. See our docs on fuzzing for more details.

  • If you are enabling a configuration option by default, make sure that it
    has been fuzzed for at least two weeks before turning it on by default.

Details

To modify this label's message, edit the .github/label-messager/wasmtime-config.md file.

To add new label messages or remove existing label messages, edit the
.github/label-messager.json configuration file.

Learn more.

@Duslia Duslia force-pushed the feat/knob_for_reset_stack branch from 0020cac to b736500 Compare August 30, 2022 07:34
bjorn3
bjorn3 reviewed Aug 30, 2022
View reviewed changes
Comment thread crates/wasmtime/src/config.rs Outdated
bjorn3
bjorn3 reviewed Aug 30, 2022
View reviewed changes
Comment thread crates/runtime/src/instance/allocator/pooling.rs
@Duslia Duslia force-pushed the feat/knob_for_reset_stack branch 2 times, most recently from 0173e8d to d1fb240 Compare August 30, 2022 07:45
bjorn3
bjorn3 reviewed Aug 30, 2022
View reviewed changes
Comment thread .idea/workspace.xml Outdated
@Duslia Duslia force-pushed the feat/knob_for_reset_stack branch 2 times, most recently from 03ea2cf to 391c309 Compare August 30, 2022 09:18
bjorn3
bjorn3 reviewed Aug 30, 2022
View reviewed changes
Comment thread crates/wasmtime/src/config.rs Outdated
@Duslia Duslia force-pushed the feat/knob_for_reset_stack branch 4 times, most recently from 729fb4d to 38979f8 Compare August 30, 2022 10:27
alexcrichton
alexcrichton reviewed Aug 30, 2022
View reviewed changes
Copy link
Copy Markdown
Member

@alexcrichton alexcrichton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this! Can you be sure to add some tests exercising this? Additionally can you update the fuzz configuration in crates/fuzzing/src/generators/config.rs to have a boolean to configure this flag?

While you're here, would you also be updating for perhaps updating the method names here? I originally thought that this wouldn't work on other platforms since it means that stacks are repeatedly called with commit_stack_pages which seems like it should error. In reality though Windows doesn't use this code path and additionally the Unix implementation of commit_stack_pages is a noop. In that case I think it's safe to remove commit_stack_pages entirely and otherwise rename decommit_stack_pages to something like reset_stack_pages_to_zero.

Actually though as I think more about this, I feel that there's a case to be made for removing this option entirely and simply not resetting stack pages back to zero. I don't think that the defense-in-depth argument holds a ton of water here because we make no attempt to reset the stack for non-async calls. If an alternate stack was always used then I think there's a case to be made for having this as an option since it would be turning off a uniformly off-by-default behavior, but otherwise as-is this option is only applicable with async support and the pooling instance allocator, both of which are already niche.

@cfallin I know in the past you've argued that this behavior should remain, so I'm curious if you still feel that way or if I could perhaps convince you of otherwise.

Comment thread crates/wasmtime/src/config.rs Outdated
Comment thread crates/wasmtime/src/config.rs Outdated
Comment thread crates/wasmtime/src/config.rs Outdated
@cfallin
Copy link
Copy Markdown
Member

cfallin commented Aug 30, 2022

Actually though as I think more about this, I feel that there's a case to be made for removing this option entirely and simply not resetting stack pages back to zero. I don't think that the defense-in-depth argument holds a ton of water here because we make no attempt to reset the stack for non-async calls. If an alternate stack was always used then I think there's a case to be made for having this as an option since it would be turning off a uniformly off-by-default behavior, but otherwise as-is this option is only applicable with async support and the pooling instance allocator, both of which are already niche.

@cfallin I know in the past you've argued that this behavior should remain, so I'm curious if you still feel that way or if I could perhaps convince you of otherwise.

I think it's pretty important to keep this behavior, for a few reasons:

  • Depending on regalloc and stack frame management code to be correct in order to not leak stale data from other instances feels way too risky to me. Yes, any regalloc bug could create a read gadget that reads anything in the address space... but having sensitive data from another instance immediately on our stack, in stack slots that haven't yet been overwritten, increases risk by a very significant amount. It just seems like too much to me to remove that layer of safety (zero out the sensitive data under the nose of the new instance) in cases where we are otherwise very careful about isolation.

  • Because of that, I want the option to run with zeroed stacks for new instances. However, I don't care too much if it's the default or not; there are a number of config options that folks running wasmtime in high-performance, high-security settings will want to consider anyway, and this is just one more such setting. But the option shouldn't go away, IMHO.

  • And actually I agree that the inconsistency between async and sync cases should be addressed, but in the opposite direction: it would be great if someday we could have the option to execute sync Wasm calls on a fresh zeroed stack as well! But almost certainly not by default because that's more of a significant penalty (async needs some separate stack whereas sync can run on the host stack otherwise).

@alexcrichton
Copy link
Copy Markdown
Member

alexcrichton commented Aug 30, 2022

That sounds reasonable to me. @Duslia would you be ok implementing this new option, but flipping the defaults? Instead the option would enable the zeroing behavior that is currently the default today, and by default Wasmtime wouldn't zero stacks async stacks.

@Duslia Duslia force-pushed the feat/knob_for_reset_stack branch 5 times, most recently from c8e507a to 761abd5 Compare August 31, 2022 10:36
@Duslia Duslia changed the title feat: add a knob for reset stack [WIP]feat: add a knob for reset stack Aug 31, 2022
@Duslia Duslia force-pushed the feat/knob_for_reset_stack branch 3 times, most recently from cd101cc to f956e73 Compare August 31, 2022 13:02
@Duslia
Copy link
Copy Markdown
Contributor Author

Duslia commented Aug 31, 2022

I will add some tests tomorrow.

alexcrichton
alexcrichton reviewed Aug 31, 2022
View reviewed changes
Comment thread crates/wasmtime/src/config.rs Outdated
#[cfg(not(feature = "async"))]
let stack_size = 0;

let _ = self.async_stack_zeroing;
Copy link
Copy Markdown
Member

@alexcrichton alexcrichton Aug 31, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's ok to drop this as it's always used by the snippet below

alexcrichton
alexcrichton reviewed Aug 31, 2022
View reviewed changes
Comment thread crates/wasmtime/src/config.rs Outdated
Comment on lines +352 to +353
/// deallocation will simply release the stack back to the pool. During the deallocation
/// process Wasmtime will by default reset the contents of the stack back to zero.
Copy link
Copy Markdown
Member

@alexcrichton alexcrichton Aug 31, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This last sentence will need an update since this PR is also changing the defaults.

@Duslia Duslia force-pushed the feat/knob_for_reset_stack branch 4 times, most recently from 4748a11 to 71fa050 Compare September 1, 2022 08:17
@github-actions github-actions Bot added the fuzzing Issues related to our fuzzing infrastructure label Sep 1, 2022
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 1, 2022

Subscribe to Label Action

cc @fitzgen

Details This issue or pull request has been labeled: "fuzzing"

Thus the following users have been cc'd because of the following labels:

  • fitzgen: fuzzing

To subscribe or unsubscribe from this label, edit the .github/subscribe-to-label.json configuration file.

Learn more.

@Duslia Duslia force-pushed the feat/knob_for_reset_stack branch 2 times, most recently from fdb39fe to 78a1981 Compare September 1, 2022 09:29
@Duslia Duslia changed the title [WIP]feat: add a knob for reset stack feat: add a knob for reset stack Sep 1, 2022
@Duslia Duslia force-pushed the feat/knob_for_reset_stack branch from 78a1981 to 1260c76 Compare September 1, 2022 09:45
@alexcrichton alexcrichton enabled auto-merge (squash) September 1, 2022 15:26
@alexcrichton
Copy link
Copy Markdown
Member

alexcrichton commented Sep 1, 2022

I pushed up some tweaks to the wording here but otherwise this looks good to me, thanks!

@alexcrichton alexcrichton merged commit bca4dae into bytecodealliance:main Sep 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexcrichton alexcrichton alexcrichton approved these changes

+1 more reviewer

@bjorn3 bjorn3 bjorn3 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

fuzzing Issues related to our fuzzing infrastructure wasmtime:api Related to the API of the `wasmtime` crate itself wasmtime:config Issues related to the configuration of Wasmtime

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Duslia @cfallin @alexcrichton @bjorn3