gnh1201/wasm-micro-runtime
1
0
Fork 0
mirror of https://github.com/bytecodealliance/wasm-micro-runtime.git synced 2025-09-06 18:01:08 +00:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Merge a606c8689d into 6253bd1b52

Browse Source
This commit is contained in:
liang.he 2025-09-04 22:58:25 +00:00 committed by GitHub
commit 8d32f62f93
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 296 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.github/ISSUE_TEMPLATE/blank_issue.md vendored
View File

@ -1,5 +0,0 @@
---
name: Blank Issue
about: Create a blank issue.
title: ''
---

41
.github/ISSUE_TEMPLATE/bug_report.md vendored Normal file
View File

@ -0,0 +1,41 @@
---
name: Bug report
about: Create a report to help us improve
title: "Add a placeholder for issue title. ex: [BUG]"
labels: bug
assignees: ""
---
**Is it a security vulnerability?**
If it results in a crash or hang, please refer to [a quick checklist](../../doc/security_need_to_know.md#is-this-bug-considered-a-security-vulnerability) to determine if it is a security vulnerability. If you are still unsure, please report it through [a security advisor](https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories) and allow the maintainer to make a decision. Thank you.
**Describe the bug**
A clear and concise description of what the bug is.
**Version**
Information like tags, release version, commits.
**To Reproduce**
Steps to reproduce the behavior:
1. Compile iwasm with flags like '...'
2. (Optional) Compile wamrc with flags like '....'
3. (Optional) Run wamrc with CLI options like '...' to generate .aot
4. Run iwasm with CLI options like '...'
5. See error
**Expected behavior**
A clear and concise description of what you expected to happen.
**Actual Result**
What you've got.
**Desktop (please complete the following information):**
- Arch [e.g. x86_64, arm64, 32bit]
- Board [e.g. STM32F407]
- OS [e.g. Linux, Windows, macOS, FreeRTOS]
- Version [e.g. 22]
**Additional context**
Add any other context about the problem here.

1
.github/ISSUE_TEMPLATE/config.yml vendored Normal file
View File

@ -0,0 +1 @@
blank_issues_enabled: true

20
.github/ISSUE_TEMPLATE/feature_request.md vendored Normal file
View File

@ -0,0 +1,20 @@
---
name: Feature request
about: Suggest an idea for this project
title: 'Add a placeholder for issue title. ex: [RFC]'
labels: help wanted
assignees: ''
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.

28
.github/ISSUE_TEMPLATE/improvement.md vendored
View File

@ -1,28 +0,0 @@
---
name: Improvement
about: A feature request or code improvement.
title: ''
labels: ''
assignees: ''
---
Thanks for filing a feature request! Please fill out the TODOs below.
#### Feature
TODO: Brief description of the feature/improvement you'd like to see in WAMR
#### Benefit
TODO: What is the value of adding this in WAMR? What problems does it solve?
#### Implementation
TODO: Do you have an implementation plan, and/or ideas for data structures or
algorithms to use?
#### Alternatives
TODO: What are the alternative implementation approaches or alternative ways to
solve the problem that this feature would solve? How do these alternatives
compare to this proposal?

36
.github/ISSUE_TEMPLATE/report_bug.md vendored
View File

@ -1,36 +0,0 @@
---
name: WAMR bug or defect report
about: Report a bug or defect in WAMR
title: ''
---
Thanks for filing a bug or defect report! Please fill out the TODOs below.
### Subject of the issue
Describe the bug or defect here.
### Test case
Upload the related wasm file, wast file or the source files if you can.
### Your environment
* Host OS
* WAMR version, platform, cpu architecture, running mode, etc.
### Steps to reproduce
Tell us how to reproduce this bug or defect.
### Expected behavior
Tell us what should happen
### Actual behavior
Tell us what happens instead
### Extra Info
Anything else you'd like to add?

2
.github/workflows/compilation_on_zephyr.yml vendored
View File

@ -11,6 +11,7 @@ on:
- synchronize - synchronize
paths: paths:
- ".github/**" - ".github/**"
- "!.github/ISSUE_TEMPLATE/**"
- "build-scripts/**" - "build-scripts/**"
- "core/**" - "core/**"
- "!core/deps/**" - "!core/deps/**"
@ -27,6 +28,7 @@ on:
- "dev/**" - "dev/**"
paths: paths:
- ".github/**" - ".github/**"
- "!.github/ISSUE_TEMPLATE/**"
- "build-scripts/**" - "build-scripts/**"
- "core/**" - "core/**"
- "!core/deps/**" - "!core/deps/**"

2
doc/build_wamr.md
View File

@ -20,6 +20,8 @@ add_library(vmlib ${WAMR_RUNTIME_LIB_SOURCE})
The script `runtime_lib.cmake` defines a number of variables for configuring the WAMR runtime features. You can set these variables in your CMakeList.txt or pass the configurations from cmake command line. The script `runtime_lib.cmake` defines a number of variables for configuring the WAMR runtime features. You can set these variables in your CMakeList.txt or pass the configurations from cmake command line.
Please refer to [a full list of configuration options](./tired_support.md#appendix-all-compilation-flags).
### **Configure platform and architecture** ### **Configure platform and architecture**
- **WAMR_BUILD_PLATFORM**: set the target platform. It can be set to any platform name (folder name) under folder [core/shared/platform](../core/shared/platform). - **WAMR_BUILD_PLATFORM**: set the target platform. It can be set to any platform name (folder name) under folder [core/shared/platform](../core/shared/platform).

38
doc/security_need_to_know.md
View File

@ -15,10 +15,40 @@ It is commonly stated that a security issue is an issue that:
Given that WASI is a set of Capability-based APIs, all unauthorized actions are not supposed to happen. Most of the above security concerns can be alleviated. What remains for us is to ensure that the execution of Wasm modules is secure. In other words, do not compromise the sandbox. Unless it is explicitly disabled beforehand. Given that WASI is a set of Capability-based APIs, all unauthorized actions are not supposed to happen. Most of the above security concerns can be alleviated. What remains for us is to ensure that the execution of Wasm modules is secure. In other words, do not compromise the sandbox. Unless it is explicitly disabled beforehand.
Thus, we share most of the criteria for judging security issues with [the Bytecode Alliance](https://github.com/bytecodealliance/rfcs/blob/main/accepted/what-is-considered-a-security-bug.md#definition). ### Is this bug considered a security vulnerability?
For someone who finds a problem, if a bug **results in crash or hang**, please treat it as a security problem and report it to a security advisor. The maintainer will look into it and change its category if needed. It is better safe than sorry.
If the author of an issue(results in crash or hang) can go through the following checklist and answer all questions with "No", it is fine to mark it as a regular bug. If not, please report it as a security issue.
---
For those maintainers, please use the following guidelines to determine if a bug or advisory is a security issue:
Only bugs that affect [tier A platforms or features](./tired_support.md) should be considered.
Actions that differ from Wasm rules (like calculating wrong values) are not seen as security issues as long as they stay within the sandbox.
As embedded code, trusts inputs from the guest. By default, APIs and CLIs are following the principle of **caller guarantee**. If the caller provides incorrect parameters, it is not a security issue. For example, if a user passes an invalid file descriptor to `fd_read`, it is not a security issue.
While .aot files are trusted, .wasm files are not. Any unexpected behavior caused by a .wasm file is not a security issue. For example, if a .wasm file causes a runtime crash or hang, it is a security issue. However, if the same .wasm file causes a crash or hang when converted to an .aot file, it is not a security issue.
A denial-of-service (DoS) attack is a cyberattack that aims to make a computer or network resource unavailable to its users. If the service (runtime in this case) can recover and start another module or run another function within the same instance, it is not considered unavailable, and thus not a Denial of Service (DoS).
Another type of execution problem we usually do not classify as a security one is if it is caused by an infinite loop or incorrect recursive function call chain.
> [!NOTE] > [!NOTE]
> keep updating this document as the project evolves. > need a diagram or a cheat sheet for quick reference eventually.
### When a maintainer identify a problem that should be classified as a security vulnerability
Once a maintainer realizes an issue or PR describes a real or possible security vulnerability, act quickly to minimize exposure. Do not share technical details publicly on the issue or PR anymore. Maintainers should:
- Close or edit the public discussion. Thank the person who reported it and explain that security-related issues should go through the Security Advisory process. Close the public issue or pull request as soon as possible to prevent further public sharing. If details have already been shared, consider editing or asking GitHub staff to remove sensitive content.
- Create a Security Advisory. Invite the reporter to join as a collaborator or reporter. If the reporter is uncomfortable using GitHub Security Advisories, offer another private communication method, such as email.
- Follow the guidelines in [the security issue runbook](./security_issue_runbook.md) for the next steps.
## reporting a security issue ## reporting a security issue
@ -26,8 +56,4 @@ Follow the [same guidelines](https://bytecodealliance.org/security) as other pro
## managing a security issue ## managing a security issue
Before reporting an issue, particularly one related to crashing, consult [the cheat sheet](https://github.com/bytecodealliance/rfcs/blob/main/accepted/what-is-considered-a-security-bug.md#cheat-sheet-is-this-bug-considered-a-security-vulnerability), _Report a security vulnerability_ if it qualifies.
Upon receiving an issue, thoroughly review [the cheat sheet](https://github.com/bytecodealliance/rfcs/blob/main/accepted/what-is-considered-a-security-bug.md#cheat-sheet-is-this-bug-considered-a-security-vulnerability) to assess and _Report a security vulnerability_ if the issue is indeed a security vulnerability.
Once a security issue is confirmed, please refer to [the runbook](./security_issue_runbook.md) for the subsequent steps to take. Once a security issue is confirmed, please refer to [the runbook](./security_issue_runbook.md) for the subsequent steps to take.

198
doc/tiered_suppor.md Normal file
View File

@ -0,0 +1,198 @@
# Tiered Supported
**Tier definitions**
- **A — Production Ready:** fully tested and stable.
- **B — Almost Production Ready:** partially tested; close to production.
- **C — Experimental / Not Production Ready:** unfinished or volatile.
## Architecture Support
| Architecture | Tier |
| ------------ | ----- |
| **x86-64** | **A** |
| **x86-32** | **A** |
| AArch64 | B |
| ARC | B[^1] |
| ARM | B |
| RISCV32 | B |
| RISCV64 | B |
| THUMB | B |
| MIPS | C |
| XTENSA | C |
[^1]: will upgrade to **A** after further testing and validation.
## OS / Platform Support
| Platform | Tier |
| ------------------ | ----- |
| **NuttX** | **A** |
| **Ubuntu** | **A** |
| Android | B |
| macOS | B |
| Windows | B |
| Zephyr | B[^2] |
| AliOS-Things | C |
| Cosmopolitan | C |
| ESP-IDF (FreeRTOS) | C |
| FreeBSD | C |
| iOS | C |
| RT-Thread | C |
| RIOT | C |
| VxWorks | C |
[^2]: will upgrade to **A** after further testing and validation.
## WebAssembly Proposal Support
> Defaults below reflect the sample build configuration you provided (e.g., `WAMR_BUILD_*` values), not necessarily the release bundle. “Always-on” items are part of WAMRs baseline.
| WASM Proposal / Extension | Tier | Default |
| -------------------------------------- | ----------- | ------- |
| **Bulk Memory** | A | **On** |
| **Extended Constant Expressions** | A | Off |
| **Import/Export of Mutable Globals** | A | **On** |
| **Memory64** | A | Off |
| **Multi-value** | A | **On** |
| **Non-trapping float-to-int** | A | **On** |
| **Reference Types** | A | **On** |
| **Shared Memory (Threads)** | A | Off |
| **SIMD (128-bit)** | A | **On** |
| **Sign-extension Operators** | A | **On** |
| GC (Garbage Collection) | B | Off |
| Stringref | B | Off |
| Tail Calls | B | Off |
| Multi-memory | C | Off |
| Legacy Exception Handling | C | Off |
| Branch Hinting | Unsupported | |
| Custom Annotation Syntax (text format) | Unsupported | |
| Exception Handling (new spec) | Unsupported | |
| JS String Builtins | Unsupported | |
| Relaxed SIMD | Unsupported | |
# WAMR-Specific Feature Support
> Defaults below mirror your sample build output (e.g., “enabled/disabled” lines) and common WAMR options.
| WAMR Feature | Tier | Default |
| --------------------------------- | ---- | ------- |
| **AoT (wamrc)** | A | **On** |
| **AOT intrinsics** | A | **On** |
| **Fast Interpreter** | A | **Off** |
| **Interpreter (classic)** | A | **On** |
| **Libc builtin** | A | **On** |
| **Libc WASI** | A | **On** |
| **Quick AOT/JIT entries** | A | **On** |
| **Shrunk memory** | A | **On** |
| **Wakeup of blocking operations** | A | **On** |
| **WASM C API** | A | **On** |
| Fast JIT | B | Off |
| LLVM ORC JIT | B | Off |
| Memory profiling | B | Off |
| Module instance context[^7] | B | On |
| Multi-module | B | Off |
| Perf profiling | B | Off |
| Pthread | B | Off |
| Shared heap | B | Off |
| WASI threads | B | Off |
| WASI-NN (neural network APIs) | B | Off |
| Debug Interpreter | B | Off |
| Debug AOT | C | Off |
| Tier-up (Fast JIT → LLVM JIT) | C | Off |
---
# Appendix: All compilation flags
| Compilation flags | Tiered | Default | on Ubuntu |
| ------------------------------------------- | ------ | ------- | --------- |
| WAMR_APP_THREAD_STACK_SIZE_MAX | B | ND[^3] | |
| WAMR_BH_LOG | B | ND | |
| WAMR_BH_VPRINTF | B | ND | |
| WAMR_BUILD_ALLOC_WITH_USAGE | B | ND | |
| WAMR_BUILD_ALLOC_WITH_USER_DATA | B | ND | |
| WAMR_BUILD_AOT | A | ND | 1 |
| WAMR_BUILD_AOT_INTRINSICS | A | 1[^4] | |
| WAMR_BUILD_AOT_STACK_FRAME | A | ND | |
| WAMR_BUILD_AOT_VALIDATOR | B | ND | |
| WAMR_BUILD_BULK_MEMORY | A | 1 | |
| WAMR_BUILD_COPY_CALL_STACK | B | ND | |
| WAMR_BUILD_CUSTOM_NAME_SECTION | B | ND | |
| WAMR_BUILD_DEBUG_AOT | C | ND | |
| WAMR_BUILD_DEBUG_INTERP | B | ND | |
| WAMR_BUILD_DUMP_CALL_STACK | B | ND | |
| WAMR_BUILD_DYNAMIC_AOT_DEBUG | C | ND | |
| WAMR_BUILD_EXCE_HANDLING | C | 0 | |
| WAMR_BUILD_EXTENDED_CONST_EXPR | A | 0 | |
| WAMR_BUILD_FAST_INTERP | A | ND | 1 |
| WAMR_BUILD_FAST_JIT | B | ND | |
| WAMR_BUILD_FAST_JIT_DUMP | B | ND | |
| WAMR_BUILD_GC | B | 0 | |
| WAMR_BUILD_GC_HEAP_VERIFY | B | ND | |
| WAMR_BUILD_GLOBAL_HEAP_POOL | A | ND | |
| WAMR_BUILD_GLOBAL_HEAP_SIZE | A | ND | |
| WAMR_BUILD_INSTRUCTION_METERING | C | ND | |
| WAMR_BUILD_INTERP | A | ND | 1 |
| WAMR_BUILD_INVOKE_NATIVE_GENERAL | B | ND | |
| WAMR_BUILD_JIT | B | ND | |
| WAMR_BUILD_LAZY_JIT | B | 1[^5] | |
| WAMR_BUILD_LIBC_BUILTIN | A | ND | 1 |
| WAMR_BUILD_LIBC_EMCC | C | ND | |
| WAMR_BUILD_LIBC_UVWASI | C | ND | |
| WAMR_BUILD_LIBC_WASI | A | ND | 1 |
| WAMR_BUILD_LIB_PTHREAD | B | ND | |
| WAMR_BUILD_LIB_PTHREAD_SEMAPHORE | B | ND | |
| WAMR_BUILD_LIB_RATS | C | ND | |
| WAMR_BUILD_LIB_WASI_THREADS | B | ND | |
| WAMR_BUILD_LINUX_PERF | B | ND | |
| WAMR_BUILD_LOAD_CUSTOM_SECTION | A | ND | |
| WAMR_BUILD_MEMORY64 | A | 0 | |
| WAMR_BUILD_MEMORY_PROFILING | B | ND | |
| WAMR_BUILD_MINI_LOADER | B | ND | |
| WAMR_BUILD_MODULE_INST_CONTEXT | B | ND | 1 |
| WAMR_BUILD_MULTI_MEMORY | C | 0 | |
| WAMR_BUILD_MULTI_MODULE | B | ND | |
| WAMR_BUILD_PERF_PROFILING | B | ND | |
| WAMR_BUILD_PLATFORM | - | ND | linux |
| WAMR_BUILD_QUICK_AOT_ENTRY | A | 1[^6] | |
| WAMR_BUILD_REF_TYPES | A | ND | 1 |
| WAMR_BUILD_SANITIZER | B | ND | |
| WAMR_BUILD_SGX_IPFS | C | ND | |
| WAMR_BUILD_SHARED_HEAP | A | ND | |
| WAMR_BUILD_SHARED_MEMORY | A | 0 | 1 |
| WAMR_BUILD_SHRUNK_MEMORY | A | ND | 1 |
| WAMR_BUILD_SIMD | A | ND | 1 |
| WAMR_BUILD_SIMDE | A | ND | 1 |
| WAMR_BUILD_SPEC_TEST | A | ND | |
| WAMR_BUILD_STACK_GUARD_SIZE | B | ND | |
| WAMR_BUILD_STATIC_PGO | B | ND | |
| WAMR_BUILD_STRINGREF | B | 0 | |
| WAMR_BUILD_TAIL_CALL | A | 0 | 1 |
| WAMR_BUILD_TARGET | - | ND | X86-64 |
| WAMR_BUILD_THREAD_MGR | A | ND | |
| WAMR_BUILD_WAMR_COMPILER | A | ND | |
| WAMR_BUILD_WASI_EPHEMERAL_NN | B | ND | |
| WAMR_BUILD_WASI_NN | B | ND | |
| WAMR_BUILD_WASI_NN_ENABLE_EXTERNAL_DELEGATE | B | ND | |
| WAMR_BUILD_WASI_NN_ENABLE_GPU | B | ND | |
| WAMR_BUILD_WASI_NN_EXTERNAL_DELEGATE_PATH | B | ND | |
| WAMR_BUILD_WASI_NN_LLAMACPP | B | ND | |
| WAMR_BUILD_WASI_NN_ONNX | B | ND | |
| WAMR_BUILD_WASI_NN_OPENVINO | B | ND | |
| WAMR_BUILD_WASI_NN_TFLITE | B | ND | |
| WAMR_BUILD_WASI_TEST | B | ND | |
| WAMR_BUILD_WASM_CACHE | B | ND | |
| WAMR_CONFIGURABLE_BOUNDS_CHECKS | C | ND | |
| WAMR_DISABLE_APP_ENTRY | A | ND | |
| WAMR_DISABLE_HW_BOUND_CHECK | A | ND | |
| WAMR_DISABLE_STACK_HW_BOUND_CHECK | A | ND | |
| WAMR_DISABLE_WAKEUP_BLOCKING_OP | B | ND | |
| WAMR_DISABLE_WRITE_GS_BASE | B | ND | |
| WAMR_TEST_GC | B | ND | |
[^3]: _ND_ represents _not defined_
[^4]: active if `WAMR_BUILD_AOT` is 1
[^5]: active if `WAMR_BUILD_FAST_JIT` or `WAMR_BUILD_JIT1` is 1
[^6]: active if `WAMR_BUILD_AOT` or `WAMR_BUILD_JIT` is 1
[^7]: required by Libc WASI