Add docs for OOM-handling in Wasmtime (#13224)

* Expand the docs the `OutOfMemory` error

And use this as a place to document which portions of Wasmtime attempt to handle
OOM, how to enable `cfg(arc_try_new)` to handle more OOMs with a nightly rust
toolchain, and clarify that OOM handling is not tier 1.

* Add individual API docs for functions that will handle OOM

* Address review feedback

Author: fitzgen

crates/core/src/error/oom.rs

@@ -1,15 +1,95 @@
 use crate::error::{Error, OomOrDynError};
 use core::{fmt, mem, ptr::NonNull};
 
-/// Out-of-memory error.
+/// An out-of-memory (OOM) error.
 ///
 /// This error is the sentinel for allocation failure due to memory exhaustion.
 ///
-/// Constructing an [`Error`] from an `OutOfMemory` does not
-/// allocate.
+/// Constructing an [`Error`] from an `OutOfMemory` does not allocate.
 ///
 /// Allocation failure inside any `Error` method that must allocate
 /// (e.g. [`Error::context`]) will propagate an `OutOfMemory` error.
+///
+/// # Out-of-Memory Handling in Wasmtime
+///
+/// Wasmtime performs out-of-memory (OOM) error handling on a **best-effort
+/// basis**. OOM handling does not have [tier 1
+/// support](https://docs.wasmtime.dev/stability-tiers.html) at this time and,
+/// therefore, while failure to handle OOM at some allocation site may be
+/// considered a bug, and might be a potential denial-of-service vector, it
+/// would not be considered a security vulnerability.[^limits]
+///
+/// [^limits]: Note that unconstrained guest-controlled resource usage is still
+/// considered a vulnerability. Wasmtime has tier 1 support for limiting guest
+/// resources, but not for handling OOMs within those limits.
+///
+/// ## Where Wasmtime Attempts to Handle OOM
+///
+/// It is important to note that **not all portions of Wasmtime attempt to
+/// handle out-of-memory errors**. Notably, Wasmtime only ever attempts to
+/// handle OOM in the core *runtime* and never in the *compiler*. No attempt is
+/// made to handle allocation failure in the middle of compiling new `Module`s
+/// or `Component`s from Wasm to machine code (or Pulley bytecode). However,
+/// Wasmtime will attempt to handle OOM when running *pre-compiled* Wasm code
+/// (loaded via `Module::deserialize` or `Component::deserialize`).
+///
+/// Wasmtime's interfaces allow *you* to handle OOM in your own embedding's WASI
+/// implementations and host APIs, but Wasmtime's provided WASI implementations
+/// (e.g. `wasmtime_wasi_http`) will generally not attempt to handle OOM (as
+/// they often depend on third-party crates that do not attempt to handle OOM).
+///
+/// The API documentation for individual functions and methods that handle OOM
+/// should generally document this fact by listing `OutOfMemory` as one of the
+/// potential errors returned.
+///
+/// | **Where**                                       | **Handles OOM?**                |
+/// |-------------------------------------------------|---------------------------------|
+/// | **Compiler**                                    | **No**                          |
+/// |  `wasmtime::Module::new`                   | No                              |
+/// |  `wasmtime::Component::new`                | No                              |
+/// |  `wasmtime::CodeBuilder`                   | No                              |
+/// |  Other compilation APIs...                 | No                              |
+/// | **Runtime**                                     | **Yes**                         |
+/// |  `wasmtime::Store`                         | Yes                             |
+/// |  `wasmtime::Linker`                        | Yes                             |
+/// |  `wasmtime::Module::deserialize`           | Yes                             |
+/// |  `wasmtime::Instance`                      | Yes                             |
+/// |  `wasmtime::Func::call`                    | Yes                             |
+/// |  Component Model concurrency/async APIs    | Not yet                         |
+/// |  Other instantiation and execution APIs... | Yes                             |
+/// | **WASI Implementations and Host APIs**          | **Depends**                     |
+/// |  `wasmtime_wasi`                           | No                              |
+/// |  `wasmtime_wasi_http`                      | No                              |
+/// |  `wasmtime_wasi_*`                         | No                              |
+/// |  Your embedding's APIs                     | If *you* implement OOM handling |
+///
+/// If you encounter an unhandled OOM inside Wasmtime, and it is within a
+/// portion of code where it should be handled, then please [file an
+/// issue](https://github.com/bytecodealliance/wasmtime/issues/new/choose).
+///
+/// ## Handling More OOMs with Rust Nightly APIs
+///
+/// Rust's standard library provides fallible allocation APIs, or the necessary
+/// building blocks for making our own fallible allocation APIs, for some of its
+/// types and collections. For example, it provides `Vec::try_reserve` which can
+/// be used to build a fallible version of `Vec::push` and fallible `Box`
+/// allocation can be built upon raw allocations from the global allocator and
+/// `Box::from_raw`.
+///
+/// However, the standard library does not provide these things for all the
+/// types and collections that Wasmtime uses. Some of these APIs are completely
+/// missing (such as a fallible version of
+/// `std::collections::hash_map::VacantEntry::insert`) and some APIs exist but
+/// are feature-gated on unstable, nightly-only Rust features. The most relevant
+/// API from this latter category is
+/// [`Arc::try_new`](https://doc.rust-lang.org/nightly/std/sync/struct.Arc.html#method.try_new),
+/// as Wasmtime's runtime uses a number of `Arc`s under the covers.
+///
+/// If handling OOMs is important for your Wasmtime embedding, then you should
+/// compile Wasmtime from source using a Nightly Rust toolchain and with the
+/// `RUSTFLAGS="--cfg arc_try_new"` environment variable set. This unlocks
+/// Wasmtime's internal usage of `Arc::try_new`, making more OOM handling at
+/// more allocation sites possible.
 #[derive(Clone, Copy)]
 // NB: `OutOfMemory`'s representation must be the same as `OomOrDynError`
 // (and therefore also `Error`).

crates/wasmtime/src/engine.rs

@@ -101,6 +101,10 @@ impl Engine {
     /// For example, feature `reference_types` will need to set
     /// the compiler setting `unwind_info` to `true`, but explicitly
     /// disable these two compiler settings will cause errors.
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     pub fn new(config: &Config) -> Result<Engine> {
         let config = config.clone();
         let (mut tunables, features) = config.validate()?;

crates/wasmtime/src/lib.rs

@@ -520,7 +520,7 @@ pub use wasmtime_environ::{FuncIndex, StaticModuleIndex};
 #[cfg(feature = "anyhow")]
 pub use wasmtime_environ::anyhow;
 
-pub use self::error::{Error, Result, bail, ensure, format_err};
+pub use self::error::{Error, OutOfMemory, Result, bail, ensure, format_err};
 
 /// A re-exported instance of Wasmtime's `wasmparser` dependency.
 ///

crates/wasmtime/src/runtime/component/component.rs

@@ -206,6 +206,12 @@ impl Component {
     ///
     /// For more information see the [`Module::deserialize`] method.
     ///
+    /// # Errors
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
+    ///
     /// # Unsafety
     ///
     /// The unsafety of this method is the same as that of the

crates/wasmtime/src/runtime/component/func.rs

@@ -91,6 +91,10 @@ impl Func {
     /// If the function does not actually take `Params` as its parameters or
     /// return `Return` then an error will be returned.
     ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
+    ///
     /// # Panics
     ///
     /// This function will panic if `self` is not owned by the `store`
@@ -223,6 +227,10 @@ impl Func {
     /// See [`TypedFunc::call`] for more information in addition to
     /// [`wasmtime::Func::call`](crate::Func::call).
     ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
+    ///
     /// # Panics
     ///
     /// Panics if `store` does not own this function.
@@ -240,6 +248,12 @@ impl Func {
 
     /// Exactly like [`Self::call`] except for use on async stores.
     ///
+    /// # Errors
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
+    ///
     /// # Panics
     ///
     /// Panics if `store` does not own this function.

crates/wasmtime/src/runtime/component/func/typed.rs

@@ -140,6 +140,10 @@ where
     /// information to understand which part of the canonical ABI went wrong
     /// and what to inspect.
     ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
+    ///
     /// # Panics
     ///
     /// Panics if `store` does not own this function.
@@ -152,6 +156,12 @@ where
     /// Exactly like [`Self::call`], except for invoking WebAssembly
     /// [asynchronously](crate#async).
     ///
+    /// # Errors
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
+    ///
     /// # Panics
     ///
     /// Panics if `store` does not own this function.

crates/wasmtime/src/runtime/component/instance.rs

@@ -182,6 +182,10 @@ impl Instance {
     /// Returns an error if `name` isn't a function export or if the export's
     /// type did not match `Params` or `Results`
     ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
+    ///
     /// # Panics
     ///
     /// Panics if `store` does not own this instance.
@@ -1159,6 +1163,12 @@ impl<T: 'static> InstancePre<T> {
     }
 
     /// Performs the instantiation process into the store specified.
+    ///
+    /// # Errors
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     //
     // TODO: needs more docs
     pub fn instantiate(&self, mut store: impl AsContextMut<Data = T>) -> Result<Instance> {
@@ -1175,6 +1185,12 @@ impl<T: 'static> InstancePre<T> {
     /// Performs the instantiation process into the store specified.
     ///
     /// Exactly like [`Self::instantiate`] except for use on async stores.
+    ///
+    /// # Errors
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     //
     // TODO: needs more docs
     #[cfg(feature = "async")]

crates/wasmtime/src/runtime/component/linker.rs

@@ -186,6 +186,12 @@ impl<T: 'static> Linker<T> {
 
     /// Returns the [`types::Component`] corresponding to `component` with resource
     /// types imported by it replaced using imports present in [`Self`].
+    ///
+    /// # Errors
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     pub fn substituted_component_type(&self, component: &Component) -> Result<types::Component> {
         let cx = self.typecheck(&component)?;
         Ok(types::Component::from(
@@ -215,6 +221,10 @@ impl<T: 'static> Linker<T> {
     /// Returns an error if this linker doesn't define a name that the
     /// `component` imports or if a name defined doesn't match the type of the
     /// item imported by the `component` provided.
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     pub fn instantiate_pre(&self, component: &Component) -> Result<InstancePre<T>> {
         let cx = self.typecheck(&component)?;
 
@@ -279,6 +289,10 @@ impl<T: 'static> Linker<T> {
     /// `component` requires or if it is of the wrong type. Additionally this
     /// can return an error if something goes wrong during instantiation such as
     /// a runtime trap or a runtime limit being exceeded.
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     pub fn instantiate(
         &self,
         mut store: impl AsContextMut<Data = T>,
@@ -300,6 +314,10 @@ impl<T: 'static> Linker<T> {
     /// `component` requires or if it is of the wrong type. Additionally this
     /// can return an error if something goes wrong during instantiation such as
     /// a runtime trap or a runtime limit being exceeded.
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     #[cfg(feature = "async")]
     pub async fn instantiate_async(
         &self,
@@ -318,6 +336,12 @@ impl<T: 'static> Linker<T> {
     ///
     /// By default a [`Linker`] will error when unknown imports are encountered when instantiating a [`Component`].
     /// This changes this behavior from an instant error to a trap that will happen if the import is called.
+    ///
+    /// # Errors
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     pub fn define_unknown_imports_as_traps(&mut self, component: &Component) -> Result<()> {
         use wasmtime_environ::component::ComponentTypes;
         use wasmtime_environ::component::TypeDef;
@@ -433,6 +457,12 @@ impl<T: 'static> LinkerInstance<'_, T> {
     /// guest, see the [`func_wrap_async`] method.
     ///
     /// [`func_wrap_async`]: LinkerInstance::func_wrap_async
+    ///
+    /// # Errors
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     //
     // TODO: needs more words and examples
     pub fn func_wrap<F, Params, Return>(&mut self, name: &str, func: F) -> Result<()>
@@ -656,6 +686,12 @@ impl<T: 'static> LinkerInstance<'_, T> {
     /// # Ok(())
     /// # }
     /// ```
+    ///
+    /// # Errors
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     pub fn func_new(
         &mut self,
         name: &str,
@@ -724,6 +760,12 @@ impl<T: 'static> LinkerInstance<'_, T> {
     /// This can be used to provide a core wasm [`Module`] as an import to a
     /// component. The [`Module`] provided is saved within the linker for the
     /// specified `name` in this instance.
+    ///
+    /// # Errors
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     pub fn module(&mut self, name: &str, module: &Module) -> Result<()> {
         self.insert(name, Definition::Module(module.clone()))?;
         Ok(())
@@ -751,6 +793,10 @@ impl<T: 'static> LinkerInstance<'_, T> {
     /// The provided `dtor` closure returns an error if something goes wrong
     /// when a guest calls the `dtor` to drop a `Resource<T>` such as
     /// a runtime trap or a runtime limit being exceeded.
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     pub fn resource(
         &mut self,
         name: &str,

crates/wasmtime/src/runtime/component/resources/any.rs

@@ -72,6 +72,10 @@ impl ResourceAny {
     /// This method will return an error if `resource` has already been "taken"
     /// and has ownership transferred elsewhere which can happen in situations
     /// such as when it's already lowered into a component.
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     pub fn try_from_resource<T: 'static>(
         resource: Resource<T>,
         store: impl AsContextMut,
@@ -80,6 +84,12 @@ impl ResourceAny {
     }
 
     /// See [`Resource::try_from_resource_any`]
+    ///
+    /// # Errors
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     pub fn try_into_resource<T: 'static>(self, store: impl AsContextMut) -> Result<Resource<T>> {
         Resource::try_from_resource_any(self, store)
     }
@@ -146,6 +156,12 @@ impl ResourceAny {
     /// properly cleaned up. For owned resources this may execute the
     /// guest-defined destructor if applicable (or the host-defined destructor
     /// if one was specified).
+    ///
+    /// # Errors
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     pub fn resource_drop(self, mut store: impl AsContextMut) -> Result<()> {
         let mut store = store.as_context_mut();
         store.0.validate_sync_call()?;
@@ -154,6 +170,12 @@ impl ResourceAny {
 
     /// Same as [`ResourceAny::resource_drop`] except for use with async stores
     /// to execute the destructor [asynchronously](crate#async).
+    ///
+    /// # Errors
+    ///
+    /// This function will return an [`OutOfMemory`][crate::OutOfMemory] error when
+    /// memory allocation fails. See the `OutOfMemory` type's documentation for
+    /// details on Wasmtime's out-of-memory handling.
     #[cfg(feature = "async")]
     pub async fn resource_drop_async(self, mut store: impl AsContextMut<Data: Send>) -> Result<()> {
         let mut store = store.as_context_mut();