oxide-k 0.3.0

Oxide Kernel - micro-kernel core for the Rust Oxide Agent-Native OS
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303

//! # `wasmtime`-backed Wasm executor
//!
//! Available under the `wasmtime-runtime` feature flag.
//!
//! [`WasmExecutor`] loads a `.wasm` artefact off disk (typically a
//! `oxide-compress` build), instantiates it inside a fresh `wasmtime::Store`,
//! and exposes the exported functions as plain async callables on the
//! kernel.
//!
//! Two convenience entry points ship today:
//!
//! * [`WasmExecutor::call_i32_to_i32`] — invokes an exported
//!   `fn(x: i32) -> i32` such as the `oxide-compress` `add_one` smoke test.
//! * [`WasmExecutor::list_exports`] — enumerates exported function names so
//!   higher-level dispatchers can route calls dynamically.
//!
//! Full host-ABI (JSON-string in / out via linear memory) is intentionally
//! deferred — the goal of this module is to prove the runtime works and
//! provide a stable seam for future expansion, not to ship a full WIT
//! binding generator.

#![cfg(feature = "wasmtime-runtime")]

use std::path::Path;
use std::sync::Mutex;

use wasmtime::{Engine, Instance, Module, Store, TypedFunc};

use crate::error::{KernelError, Result};

/// Wraps a wasmtime [`Module`] + [`Store`] + [`Instance`] under a single
/// async-friendly handle.
pub struct WasmExecutor {
    engine: Engine,
    module: Module,
    inner: Mutex<Instance>,
    store: Mutex<Store<()>>,
}

impl WasmExecutor {
    /// Load `.wasm` bytes from disk.
    pub fn from_path(path: impl AsRef<Path>) -> Result<Self> {
        let bytes = std::fs::read(path.as_ref()).map_err(|e| {
            KernelError::Other(anyhow::anyhow!(
                "failed to read wasm artefact {}: {e}",
                path.as_ref().display()
            ))
        })?;
        Self::from_bytes(&bytes)
    }

    /// Build an executor from raw `.wasm` bytes.
    pub fn from_bytes(bytes: &[u8]) -> Result<Self> {
        let engine = Engine::default();
        let module = Module::new(&engine, bytes).map_err(to_kernel)?;
        let mut store: Store<()> = Store::new(&engine, ());
        let instance = Instance::new(&mut store, &module, &[]).map_err(to_kernel)?;
        Ok(Self {
            engine,
            module,
            inner: Mutex::new(instance),
            store: Mutex::new(store),
        })
    }

    /// Enumerate exported function names.
    pub fn list_exports(&self) -> Vec<String> {
        self.module
            .exports()
            .filter_map(|e| match e.ty() {
                wasmtime::ExternType::Func(_) => Some(e.name().to_string()),
                _ => None,
            })
            .collect()
    }

    /// Invoke `name(x: i32) -> i32`.
    pub fn call_i32_to_i32(&self, name: &str, arg: i32) -> Result<i32> {
        let mut store = self.store.lock().unwrap();
        let instance = self.inner.lock().unwrap();
        let func: TypedFunc<i32, i32> = instance
            .get_typed_func::<i32, i32>(&mut *store, name)
            .map_err(|e| {
                KernelError::Other(anyhow::anyhow!(
                    "wasm export `{name}` is not (i32) -> i32: {e}"
                ))
            })?;
        func.call(&mut *store, arg).map_err(to_kernel)
    }

    /// Call a WASM guest method with JSON input and receive JSON output.
    ///
    /// The guest must export three symbols:
    /// - `alloc(size: i32) -> i32` — allocate `size` bytes, return pointer
    /// - `free(ptr: i32, size: i32)` — free a previous allocation
    /// - `oxide_invoke(method_ptr: i32, method_len: i32, input_ptr: i32, input_len: i32) -> i64`
    ///   — dispatch; the `i64` return packs output `ptr` (high 32 bits) and
    ///   `len` (low 32 bits).
    ///
    /// # Errors
    ///
    /// Returns [`KernelError::Other`] if any WASM call fails, memory is out of
    /// bounds, or the output bytes are not valid UTF-8 / JSON.
    pub fn call_json(&self, method: &str, input: &serde_json::Value) -> Result<serde_json::Value> {
        let mut store = self.store.lock().unwrap();
        let instance = self.inner.lock().unwrap();

        // Resolve guest functions.
        let alloc: TypedFunc<i32, i32> = instance
            .get_typed_func::<i32, i32>(&mut *store, "alloc")
            .map_err(|e| KernelError::Other(anyhow::anyhow!("alloc export: {e}")))?;
        let free: TypedFunc<(i32, i32), ()> = instance
            .get_typed_func::<(i32, i32), ()>(&mut *store, "free")
            .map_err(|e| KernelError::Other(anyhow::anyhow!("free export: {e}")))?;
        let invoke: TypedFunc<(i32, i32, i32, i32), i64> = instance
            .get_typed_func::<(i32, i32, i32, i32), i64>(&mut *store, "oxide_invoke")
            .map_err(|e| KernelError::Other(anyhow::anyhow!("oxide_invoke export: {e}")))?;

        let memory = instance
            .get_memory(&mut *store, "memory")
            .ok_or_else(|| KernelError::Other(anyhow::anyhow!("no `memory` export")))?;

        // Serialize method name and input JSON.
        let method_bytes = method.as_bytes().to_vec();
        let input_bytes = serde_json::to_vec(input).map_err(|e| KernelError::Other(e.into()))?;

        // Write method bytes into guest memory.
        let method_len = method_bytes.len() as i32;
        let method_ptr = alloc
            .call(&mut *store, method_len)
            .map_err(|e| KernelError::Other(anyhow::anyhow!("alloc method: {e}")))?;
        {
            let mem = memory.data_mut(&mut *store);
            let s = method_ptr as usize;
            if s + method_bytes.len() > mem.len() {
                return Err(KernelError::Other(anyhow::anyhow!("method OOB")));
            }
            mem[s..s + method_bytes.len()].copy_from_slice(&method_bytes);
        }

        // Write input bytes into guest memory.
        let input_len = input_bytes.len() as i32;
        let input_ptr = alloc
            .call(&mut *store, input_len)
            .map_err(|e| KernelError::Other(anyhow::anyhow!("alloc input: {e}")))?;
        {
            let mem = memory.data_mut(&mut *store);
            let s = input_ptr as usize;
            if s + input_bytes.len() > mem.len() {
                return Err(KernelError::Other(anyhow::anyhow!("input OOB")));
            }
            mem[s..s + input_bytes.len()].copy_from_slice(&input_bytes);
        }

        // Call oxide_invoke.
        let result = invoke
            .call(&mut *store, (method_ptr, method_len, input_ptr, input_len))
            .map_err(|e| KernelError::Other(anyhow::anyhow!("oxide_invoke: {e}")))?;

        // Free input buffers.
        let _ = free.call(&mut *store, (method_ptr, method_len));
        let _ = free.call(&mut *store, (input_ptr, input_len));

        // Decode output: high 32 bits = ptr, low 32 bits = len.
        let out_ptr = ((result >> 32) & 0xFFFF_FFFF) as usize;
        let out_len = (result & 0xFFFF_FFFF) as usize;

        let output_bytes = {
            let mem = memory.data(&*store);
            if out_ptr + out_len > mem.len() {
                return Err(KernelError::Other(anyhow::anyhow!("output OOB")));
            }
            mem[out_ptr..out_ptr + out_len].to_vec()
        };

        // Free output buffer.
        let _ = free.call(&mut *store, (out_ptr as i32, out_len as i32));

        let output = serde_json::from_slice(&output_bytes)
            .map_err(|e| KernelError::Other(anyhow::anyhow!("output JSON: {e}")))?;
        Ok(output)
    }

    /// Underlying wasmtime engine, for callers that want to share it with
    /// other modules.
    pub fn engine(&self) -> &Engine {
        &self.engine
    }
}

fn to_kernel(err: impl std::fmt::Display) -> KernelError {
    KernelError::Other(anyhow::anyhow!("wasmtime: {err}"))
}

#[cfg(test)]
mod tests {
    use super::*;

    /// Hand-rolled WAT for `(i32) -> i32` add-one. Avoids needing a separate
    /// pre-built `.wasm` fixture.
    fn add_one_wat() -> Vec<u8> {
        wat::parse_str(
            r#"
            (module
              (func (export "add_one") (param i32) (result i32)
                local.get 0
                i32.const 1
                i32.add))
            "#,
        )
        .expect("valid wat")
    }

    #[test]
    fn executor_can_run_pure_i32_function() {
        let bytes = add_one_wat();
        let exec = WasmExecutor::from_bytes(&bytes).unwrap();
        assert_eq!(exec.list_exports(), vec!["add_one".to_string()]);
        assert_eq!(exec.call_i32_to_i32("add_one", 41).unwrap(), 42);
    }

    #[test]
    fn missing_export_errors() {
        let exec = WasmExecutor::from_bytes(&add_one_wat()).unwrap();
        let err = exec.call_i32_to_i32("nope", 1).unwrap_err();
        assert!(format!("{err}").contains("nope"));
    }

    /// WAT module that implements the full oxide_invoke ABI.
    /// It echoes `{"echo": <input>}` back to the host via linear memory.
    fn echo_abi_wat() -> Vec<u8> {
        // The module uses a static 64 KB memory page.
        // alloc: returns a fixed output region starting at offset 4096.
        // We use a simple bump strategy: alloc always gives sequential regions.
        // For this test the payloads are tiny so there's no collision.
        wat::parse_str(
            r#"
            (module
              (memory (export "memory") 2)

              ;; Bump allocator: ptr stored at byte 0 (i32), initial = 256
              (func (export "alloc") (param $size i32) (result i32)
                (local $ptr i32)
                ;; read current bump ptr (stored at address 0)
                (local.set $ptr (i32.load (i32.const 0)))
                ;; if zero, initialise to 256
                (if (i32.eqz (local.get $ptr))
                  (then (local.set $ptr (i32.const 256)))
                )
                ;; store advanced ptr
                (i32.store (i32.const 0) (i32.add (local.get $ptr) (local.get $size)))
                ;; return old ptr
                (local.get $ptr)
              )

              ;; free is a no-op in this bump allocator
              (func (export "free") (param $ptr i32) (param $size i32))

              ;; oxide_invoke: writes {"ok":true} into memory and returns ptr<<32|len
              (func (export "oxide_invoke")
                    (param $mp i32) (param $ml i32)
                    (param $ip i32) (param $il i32)
                    (result i64)
                (local $out_ptr i32)
                (local $payload_len i32)
                ;; static output: write `{"ok":true}` at address 8192
                ;; 0x7b = '{', 0x22 = '"', 0x6f='o',0x6b='k',0x22='"',0x3a=':',
                ;; 0x74='t',0x72='r',0x75='u',0x65='e',0x7d='}'  = 11 bytes
                (i32.store8 (i32.const 8192) (i32.const 123))  ;; {
                (i32.store8 (i32.const 8193) (i32.const 34))   ;; "
                (i32.store8 (i32.const 8194) (i32.const 111))  ;; o
                (i32.store8 (i32.const 8195) (i32.const 107))  ;; k
                (i32.store8 (i32.const 8196) (i32.const 34))   ;; "
                (i32.store8 (i32.const 8197) (i32.const 58))   ;; :
                (i32.store8 (i32.const 8198) (i32.const 116))  ;; t
                (i32.store8 (i32.const 8199) (i32.const 114))  ;; r
                (i32.store8 (i32.const 8200) (i32.const 117))  ;; u
                (i32.store8 (i32.const 8201) (i32.const 101))  ;; e
                (i32.store8 (i32.const 8202) (i32.const 125))  ;; }
                (local.set $out_ptr (i32.const 8192))
                (local.set $payload_len (i32.const 11))
                ;; return (ptr << 32) | len  as i64
                (i64.or
                  (i64.shl (i64.extend_i32_u (local.get $out_ptr)) (i64.const 32))
                  (i64.extend_i32_u (local.get $payload_len))
                )
              )
            )
            "#,
        )
        .expect("valid echo ABI wat")
    }

    #[test]
    fn call_json_round_trips_via_abi() {
        let bytes = echo_abi_wat();
        let exec = WasmExecutor::from_bytes(&bytes).unwrap();
        let result = exec
            .call_json("echo", &serde_json::json!({"hello": "world"}))
            .unwrap();
        assert_eq!(result["ok"], serde_json::Value::Bool(true));
    }
}