mpk: limit the number of protection keys #7364
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
If Wasmtime is ever embedded in an application that also uses memory protection keys, it could be useful to limit how many Wasmtime allocates and uses. This came up while examining `*.wast` tests: if there was no way limiting the number of keys used, then those tests configured a pool that reserved too much memory. This change takes that further to attempt to limit the initial number of keys allocated. The unfortunate side effect of using a `OnceLock` is that the `max` setting is only applicable on the first invocation, the one that sets the `OnceLock`.
This change stems from how slicing memory slots into MPK-protected regions limits the number of memories each store can access: e.g., with fifteen keys in use, a store only has access to a fifteenth of the available slots. If we simply multiple the number of memory slots needed to run the `*.wast` spec tests by fifteen, we run out of available memory. This limits the number of protection keys used to two, which still allows us to test the functionality without reserving too much memory.
abrown
commented
Oct 25, 2023
| @@ -180,7 +182,7 @@ fn feature_found_src(bytes: &[u8], name: &str) -> bool { | |||
| // specified maximum we can put a cap on the virtual address space reservations | |||
| // made. | |||
| fn lock_pooling() -> impl Drop { | |||
| const MAX_CONCURRENT_POOLING: u32 = 8; | |||
| const MAX_CONCURRENT_POOLING: u32 = 4; | |||
There was a problem hiding this comment.
Not sure about this?
There was a problem hiding this comment.
This makes some sense to me in that you doubled the number of memories which would halve the limit of concurrent tests because right now each test creates its own engine.
abrown
commented
Oct 25, 2023
abrown
commented
Oct 25, 2023
alexcrichton
approved these changes
Oct 25, 2023
| @@ -180,7 +182,7 @@ fn feature_found_src(bytes: &[u8], name: &str) -> bool { | |||
| // specified maximum we can put a cap on the virtual address space reservations | |||
| // made. | |||
| fn lock_pooling() -> impl Drop { | |||
| const MAX_CONCURRENT_POOLING: u32 = 8; | |||
| const MAX_CONCURRENT_POOLING: u32 = 4; | |||
There was a problem hiding this comment.
This makes some sense to me in that you doubled the number of memories which would halve the limit of concurrent tests because right now each test creates its own engine.
This addresses a review comment to slice the list of keys down to the `max` hint regardless of how many are allocated in the first invocation.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change stems from how slicing memory slots into MPK-protected regions limits the number of memories each store can access: e.g., with fifteen keys in use, a store only has access to a fifteenth of the available slots. If we simply multiple the number of memory slots needed to run the
*.wastspec tests by fifteen, we run out of available memory. This limits the number of protection keys used to two, which still allows us to test the functionality without reserving too much memory.Also, if Wasmtime is ever embedded in an application that also uses memory protection keys, it could be useful to limit how many Wasmtime allocates and uses.. This change not only limits the number of protection keys used at runtime, but takes that
further to attempt to limit the initial number of keys allocated. The unfortunate side effect of using a
OnceLockis that themaxsetting is only applicable on the first invocation, the one that sets theOnceLock.