RR #2: Sha256 checksum for components (#12576)

arjunr2 · web-flow · commit b298f3756936 · 2026-02-13T21:11:58.000Z
* Add sha256 checksum for component for record/replay consistency

* Move sha2 crate as workspace dependency

* Run checksum digest only on recording configs

* Fix CI error and restructure from_binary
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -437,6 +437,7 @@ arbtest = "0.3.2"
 rayon = "1.5.3"
 regex = "1.9.1"
 pin-project-lite = "0.2.14"
+sha2 = { version = "0.10.2", default-features = false }
 
 # =============================================================================
 #
diff --git a/crates/cache/Cargo.toml b/crates/cache/Cargo.toml
@@ -19,7 +19,7 @@ directories-next = "2.0"
 log = { workspace = true }
 serde = { workspace = true }
 serde_derive = { workspace = true }
-sha2 = "0.10.2"
+sha2 = { workspace = true, features = ['std'] }
 toml = { workspace = true }
 zstd = { version = "0.13.0", default-features = false }
 wasmtime-environ = { workspace = true }
diff --git a/crates/environ/Cargo.toml b/crates/environ/Cargo.toml
@@ -39,6 +39,7 @@ wasmtime-component-util = { workspace = true, optional = true }
 wasmtime-core = { workspace = true }
 semver = { workspace = true, optional = true, features = ['serde'] }
 smallvec = { workspace = true, features = ['serde'] }
+sha2 = { workspace = true }
 
 [dev-dependencies]
 clap = { workspace = true, features = ['default'] }
@@ -85,3 +86,6 @@ std = [
   'indexmap/std',
   'wasmtime-core/std',
 ]
+rr = [
+  "component-model"
+]
diff --git a/crates/environ/src/compile/module_artifacts.rs b/crates/environ/src/compile/module_artifacts.rs
@@ -1,6 +1,7 @@
 //! Definitions of runtime structures and metadata which are serialized into ELF
 //! with `postcard` as part of a module's compilation process.
 
+use crate::WasmChecksum;
 use crate::error::{Result, bail};
 use crate::prelude::*;
 use crate::{
@@ -120,6 +121,7 @@ impl<'a> ObjectBuilder<'a> {
             data,
             data_align,
             passive_data,
+            wasm,
             ..
         } = translation;
 
@@ -220,6 +222,7 @@ impl<'a> ObjectBuilder<'a> {
                 has_wasm_debuginfo: self.tunables.parse_wasm_debuginfo,
                 dwarf,
             },
+            checksum: WasmChecksum::from_binary(wasm, self.tunables.recording),
         })
     }
 
diff --git a/crates/environ/src/component/artifacts.rs b/crates/environ/src/component/artifacts.rs
@@ -2,7 +2,7 @@
 //! which are serialized with `bincode` into output ELF files.
 
 use crate::{
-    CompiledFunctionsTable, CompiledModuleInfo, PrimaryMap, StaticModuleIndex,
+    CompiledFunctionsTable, CompiledModuleInfo, PrimaryMap, StaticModuleIndex, WasmChecksum,
     component::{Component, ComponentTypes, TypeComponentIndex},
 };
 use serde_derive::{Deserialize, Serialize};
@@ -20,6 +20,8 @@ pub struct ComponentArtifacts {
     pub types: ComponentTypes,
     /// Serialized metadata about all included core wasm modules.
     pub static_modules: PrimaryMap<StaticModuleIndex, CompiledModuleInfo>,
+    /// A checksum of the source Wasm binary from which the component was compiled.
+    pub checksum: WasmChecksum,
 }
 
 /// Runtime state that a component retains to support its operation.
diff --git a/crates/environ/src/module_artifacts.rs b/crates/environ/src/module_artifacts.rs
@@ -8,6 +8,8 @@ use core::{fmt, u32};
 use core::{iter, str};
 use cranelift_entity::{EntityRef, PrimaryMap};
 use serde_derive::{Deserialize, Serialize};
+#[cfg(feature = "rr")]
+use sha2::{Digest, Sha256};
 
 /// Description of where a function is located in the text section of a
 /// compiled image.
@@ -28,6 +30,42 @@ impl FunctionLoc {
     }
 }
 
+/// The checksum of a Wasm binary.
+///
+/// Allows for features requiring the exact same Wasm Module (e.g. deterministic replay)
+/// to verify that the binary used matches the one originally compiled.
+#[derive(Copy, Clone, Default, PartialEq, Eq, Ord, PartialOrd, Debug, Serialize, Deserialize)]
+pub struct WasmChecksum([u8; 32]);
+
+impl WasmChecksum {
+    /// Construct a [`WasmChecksum`] from the given wasm binary, used primarily for integrity
+    /// checks on compiled modules when recording configs are enabled. The checksum is not
+    /// computed when recording is disabled to prevent pessimization of non-recorded compilations.
+    #[cfg(feature = "rr")]
+    pub fn from_binary(bin: &[u8], recording: bool) -> WasmChecksum {
+        if recording {
+            WasmChecksum(Sha256::digest(bin).into())
+        } else {
+            WasmChecksum::default()
+        }
+    }
+
+    /// This method requires the `rr` feature to actual compute a checksum. Since the `rr`
+    /// feature is disabled, this only returns a default checksum value of all zeros.
+    #[cfg(not(feature = "rr"))]
+    pub fn from_binary(_: &[u8], _: bool) -> WasmChecksum {
+        WasmChecksum::default()
+    }
+}
+
+impl core::ops::Deref for WasmChecksum {
+    type Target = [u8; 32];
+
+    fn deref(&self) -> &Self::Target {
+        &self.0
+    }
+}
+
 /// A builder for a `CompiledFunctionsTable`.
 pub struct CompiledFunctionsTableBuilder {
     inner: CompiledFunctionsTable,
@@ -548,6 +586,9 @@ pub struct CompiledModuleInfo {
 
     /// Sorted list, by function index, of names we have for this module.
     pub func_names: Vec<FunctionName>,
+
+    /// Checksum of the source Wasm binary from which this module was compiled.
+    pub checksum: WasmChecksum,
 }
 
 /// The name of a function stored in the
diff --git a/crates/environ/src/tunables.rs b/crates/environ/src/tunables.rs
@@ -144,6 +144,10 @@ define_tunables! {
         /// Whether any component model feature related to concurrency is
         /// enabled.
         pub concurrency_support: bool,
+
+        /// Whether recording in RR is enabled or not. This is used primarily
+        /// to signal checksum computation for compiled artifacts.
+        pub recording: bool,
     }
 
     pub struct ConfigTunables {
@@ -220,6 +224,7 @@ impl Tunables {
             inlining_sum_size_threshold: 2000,
             debug_guest: false,
             concurrency_support: true,
+            recording: false,
         }
     }
 
diff --git a/crates/test-programs/Cargo.toml b/crates/test-programs/Cargo.toml
@@ -17,7 +17,7 @@ wit-bindgen = { workspace = true, features = ['default', 'async-spawn', 'inter-t
 libc = { workspace = true }
 futures = { workspace = true, default-features = false, features = ['alloc', 'async-await'] }
 url = { workspace = true }
-sha2 = "0.10.2"
+sha2 = { workspace = true, features = ['std'] }
 base64 = { workspace = true }
 wasip1 = { version = "1.0.0", default-features = true }
 wasip2 = "1.0.0"
diff --git a/crates/wasi-http/Cargo.toml b/crates/wasi-http/Cargo.toml
@@ -50,7 +50,7 @@ tracing-subscriber = { workspace = true }
 wasmtime = { workspace = true, features = ['default', 'anyhow'] }
 tokio = { workspace = true, features = ['fs', 'macros'] }
 futures = { workspace = true, default-features = false, features = ['alloc', 'async-await'] }
-sha2 = "0.10.2"
+sha2 = { workspace = true, features = ['std'] }
 base64 = { workspace = true }
 flate2 = { workspace = true }
 wasm-compose = { workspace = true }
diff --git a/crates/wasmtime/Cargo.toml b/crates/wasmtime/Cargo.toml
@@ -431,4 +431,7 @@ debug = [
 compile-time-builtins = ['anyhow', 'dep:wasm-compose', 'dep:tempfile']
 
 # Enable support for the common base infrastructure of record/replay
-rr = ["component-model"]
+rr = [
+  "component-model",
+  "wasmtime-environ/rr"
+]
diff --git a/crates/wasmtime/src/compile.rs b/crates/wasmtime/src/compile.rs
@@ -29,14 +29,14 @@ use crate::prelude::*;
 use std::{any::Any, borrow::Cow, collections::BTreeMap, mem, ops::Range};
 
 use call_graph::CallGraph;
-#[cfg(feature = "component-model")]
-use wasmtime_environ::component::Translator;
 use wasmtime_environ::{
     Abi, CompiledFunctionBody, CompiledFunctionsTable, CompiledFunctionsTableBuilder,
     CompiledModuleInfo, Compiler, DefinedFuncIndex, FilePos, FinishedObject, FuncKey,
     FunctionBodyData, InliningCompiler, IntraModuleInlining, ModuleEnvironment, ModuleTranslation,
     ModuleTypes, ModuleTypesBuilder, ObjectKind, PrimaryMap, StaticModuleIndex, Tunables,
 };
+#[cfg(feature = "component-model")]
+use wasmtime_environ::{WasmChecksum, component::Translator};
 
 mod call_graph;
 mod scc;
@@ -206,6 +206,7 @@ pub(crate) fn build_component_artifacts<T: FinishedObject>(
         ty,
         types,
         static_modules: compilation_artifacts.modules,
+        checksum: WasmChecksum::from_binary(binary, tunables.recording),
     };
     object.serialize_info(&artifacts);
 
diff --git a/crates/wasmtime/src/config.rs b/crates/wasmtime/src/config.rs
@@ -2397,6 +2397,11 @@ impl Config {
         // is missing this is disabled.
         tunables.concurrency_support = cfg!(feature = "component-model-async");
 
+        #[cfg(feature = "rr")]
+        {
+            tunables.recording = matches!(self.rr_config, RRConfig::Recording);
+        }
+
         // If no target is explicitly specified then further refine `tunables`
         // for the configuration of this host depending on what platform
         // features were found available at compile time. This means that anyone
diff --git a/crates/wasmtime/src/engine/serialization.rs b/crates/wasmtime/src/engine/serialization.rs
@@ -298,6 +298,7 @@ impl Metadata<'_> {
             inlining_small_callee_size,
             inlining_sum_size_threshold,
             concurrency_support,
+            recording,
 
             // This doesn't affect compilation, it's just a runtime setting.
             memory_reservation_for_growth: _,
@@ -383,6 +384,7 @@ impl Metadata<'_> {
             other.concurrency_support,
             "concurrency support",
         )?;
+        Self::check_bool(recording, other.recording, "RR recording support")?;
         Self::check_intra_module_inlining(inlining_intra_module, other.inlining_intra_module)?;
 
         Ok(())
diff --git a/crates/wasmtime/src/runtime/component/component.rs b/crates/wasmtime/src/runtime/component/component.rs
@@ -20,7 +20,7 @@ use wasmtime_environ::component::{
     GlobalInitializer, InstantiateModule, NameMapNoIntern, OptionsIndex, StaticModuleIndex,
     TrampolineIndex, TypeComponentIndex, TypeFuncIndex, UnsafeIntrinsic, VMComponentOffsets,
 };
-use wasmtime_environ::{Abi, CompiledFunctionsTable, FuncKey, TypeTrace};
+use wasmtime_environ::{Abi, CompiledFunctionsTable, FuncKey, TypeTrace, WasmChecksum};
 use wasmtime_environ::{FunctionLoc, HostPtr, ObjectKind, PrimaryMap};
 
 /// A compiled WebAssembly Component.
@@ -94,6 +94,9 @@ struct ComponentInner {
     /// `realloc`, to avoid the need to look up types in the registry and take
     /// locks when calling `realloc` via `TypedFunc::call_raw`.
     realloc_func_type: Arc<FuncType>,
+
+    /// The checksum of the source binary from which the module was compiled.
+    checksum: WasmChecksum,
 }
 
 pub(crate) struct AllCallFuncPointers {
@@ -407,6 +410,7 @@ impl Component {
             table: index,
             mut types,
             mut static_modules,
+            checksum,
         } = match artifacts {
             Some(artifacts) => artifacts,
             None => postcard::from_bytes(code_memory.wasmtime_info())?,
@@ -461,6 +465,7 @@ impl Component {
                 info,
                 index,
                 realloc_func_type,
+                checksum,
             }),
         })
     }
@@ -867,6 +872,15 @@ impl Component {
         &self.inner.realloc_func_type
     }
 
+    #[allow(
+        unused,
+        reason = "used only for verification with wasmtime `rr` feature \
+        and requires a lot of unnecessary gating across crates"
+    )]
+    pub(crate) fn checksum(&self) -> &WasmChecksum {
+        &self.inner.checksum
+    }
+
     /// Returns the `Export::LiftedFunction` metadata associated with `export`.
     ///
     /// # Panics
diff --git a/crates/wasmtime/src/runtime/module.rs b/crates/wasmtime/src/runtime/module.rs
@@ -22,7 +22,7 @@ use wasmparser::{Parser, ValidPayload, Validator};
 use wasmtime_environ::FrameTable;
 use wasmtime_environ::{
     CompiledFunctionsTable, CompiledModuleInfo, EntityIndex, HostPtr, ModuleTypes, ObjectKind,
-    TypeTrace, VMOffsets, VMSharedTypeIndex,
+    TypeTrace, VMOffsets, VMSharedTypeIndex, WasmChecksum,
 };
 #[cfg(feature = "gc")]
 use wasmtime_unwinder::ExceptionTable;
@@ -161,6 +161,9 @@ struct ModuleInner {
 
     /// Runtime offset information for `VMContext`.
     offsets: VMOffsets<HostPtr>,
+
+    /// The checksum of the source binary from which this module was compiled.
+    checksum: WasmChecksum,
 }
 
 impl fmt::Debug for Module {
@@ -532,6 +535,7 @@ impl Module {
         index: Arc<CompiledFunctionsTable>,
         serializable: bool,
     ) -> Result<Self> {
+        let checksum = info.checksum;
         let module = CompiledModule::from_artifacts(code.clone(), info, index, engine.profiler())?;
 
         // Validate the module can be used with the current instance allocator.
@@ -551,6 +555,7 @@ impl Module {
                 #[cfg(any(feature = "cranelift", feature = "winch"))]
                 serializable,
                 offsets,
+                checksum,
             }),
         })
     }
@@ -894,6 +899,15 @@ impl Module {
         &self.inner.engine
     }
 
+    #[allow(
+        unused,
+        reason = "used only for verification with wasmtime `rr` feature \
+        and requires a lot of unnecessary gating across crates"
+    )]
+    pub(crate) fn checksum(&self) -> &WasmChecksum {
+        &self.inner.checksum
+    }
+
     /// Returns a summary of the resources required to instantiate this
     /// [`Module`].
     ///

Original file line number	Diff line number	Diff line change
`@@ -437,6 +437,7 @@ arbtest = "0.3.2"`
`437`	`437`	`rayon = "1.5.3"`
`438`	`438`	`regex = "1.9.1"`
`439`	`439`	`pin-project-lite = "0.2.14"`
	`440`	`+sha2 = { version = "0.10.2", default-features = false }`
`440`	`441`
`441`	`442`	`# =============================================================================`
`442`	`443`	`#`
Original file line number	Diff line number	Diff line change
`@@ -144,6 +144,10 @@ define_tunables! {`
`144`	`144`	`/// Whether any component model feature related to concurrency is`
`145`	`145`	`/// enabled.`
`146`	`146`	`pub concurrency_support: bool,`
	`147`	`+`
	`148`	`+ /// Whether recording in RR is enabled or not. This is used primarily`
	`149`	`+ /// to signal checksum computation for compiled artifacts.`
	`150`	`+ pub recording: bool,`
`147`	`151`	`}`
`148`	`152`
`149`	`153`	`pub struct ConfigTunables {`
`@@ -220,6 +224,7 @@ impl Tunables {`
`220`	`224`	`inlining_sum_size_threshold: 2000,`
`221`	`225`	`debug_guest: false,`
`222`	`226`	`concurrency_support: true,`
	`227`	`+ recording: false,`
`223`	`228`	`}`
`224`	`229`	`}`
`225`	`230`