Add zerocopy mapping for wasm binary #102
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
syntactically
force-pushed
the
lm/vm
branch
4 times, most recently
from
be10373 to
68bd34b
Compare
jsturtevant
reviewed
Jul 9, 2025
|
Rebased on main & updated some comments. |
jprendes
reviewed
Jul 9, 2025
syntactically
force-pushed
the
lm/vm
branch
4 times, most recently
from
dc4a36f to
9621011
Compare
jprendes
previously approved these changes
Jul 10, 2025
There was a problem hiding this comment.
Thank @syntactically!
I learned a lot reviewing this and the corresponding hyperlight core PR!
LGTM :-)
The core hyperlight libraries now have both version and git keys in Cargo.toml, allowing us to develop against upstream hyperlight HEAD. Signed-off-by: Lucy Menon <168595099+syntactically@users.noreply.github.com>
This makes wasmtime_init_traps actually register an exception handler, and adds handling for #UD to recognize it as a trap that should be forwraded to wasmtime. More traps will need to be added in the future in order to ensure correctness. Signed-off-by: Lucy Menon <168595099+syntactically@users.noreply.github.com>
This adds support for directly mapping a host buffer containing a wasm module/component into the guest, enabling the use of mmap() on the host to share a single module/component across multiple sandboxes. Signed-off-by: Lucy Menon <168595099+syntactically@users.noreply.github.com>
There is a big caveat here, which is that wasmtime's mprotect calls are ignored, so this sandbox is very unsound: a wasm module can take over the entire guest easily Signed-off-by: Lucy Menon <168595099+syntactically@users.noreply.github.com>
jprendes
approved these changes
Jul 10, 2025
This was referenced Jul 11, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This predominantly adds support for using the features from hyperlight-dev/hyperlight#696 to zerocopy map a wasm binary into the guest. Since this requires being able to modify guest page tables anyway, it also does the first pieces of setting up virtual memory in wasmtime, enough to get a view towards performance/etc. There is a major missing piece in that wasmtime_mprotect is not properly implemented, which means that wasm can escape to the guest relatively easily; I will make an issue to track getting that fixed.