add version info to modules

version information is comprised of both the current crate version and
the current git commit hash (if available).

the current git commit hash is only used in release builds to avoid
too much furstration in typical development workflows using tools like
"git commit --amend" or "git rebase", or just making non-conflicting
spot changes to only one of lucetc or lucet-runtime

Author: awortman-fastly

Cargo.lock

@@ -2,6 +2,7 @@
 
 use lucet_module::{
     FunctionSpec, Module, ModuleData, SerializedModule, TableElement, TrapManifest, TrapSite,
+    VersionInfo,
 };
 
 use byteorder::{LittleEndian, ReadBytesExt};
@@ -102,7 +103,10 @@ impl<'a> ArtifactSummary<'a> {
                 .unwrap();
             let mut rdr = Cursor::new(buffer);
 
+            let version = VersionInfo::read_from(&mut rdr).unwrap();
+
             SerializedModule {
+                version,
                 module_data_ptr: rdr.read_u64::<LittleEndian>().unwrap(),
                 module_data_len: rdr.read_u64::<LittleEndian>().unwrap(),
                 tables_ptr: rdr.read_u64::<LittleEndian>().unwrap(),
@@ -211,6 +215,7 @@ fn load_module<'b, 'a: 'b>(
         )
     };
     Module {
+        version: serialized_module.version.clone(),
         module_data,
         tables,
         function_manifest,

lucet-analyze/src/main.rs

@@ -20,3 +20,4 @@ num-traits = "0.2"
 minisign = "0.5.11"
 object = "0.12"
 byteorder = "1.3"
+memoffset = "0.5.1"

lucet-module/Cargo.toml

@@ -17,6 +17,7 @@ mod signature;
 mod tables;
 mod traps;
 mod types;
+mod version_info;
 
 pub use crate::error::Error;
 pub use crate::functions::{
@@ -32,6 +33,7 @@ pub use crate::signature::{ModuleSignature, PublicKey};
 pub use crate::tables::TableElement;
 pub use crate::traps::{TrapCode, TrapManifest, TrapSite};
 pub use crate::types::{Signature, ValueType};
+pub use crate::version_info::VersionInfo;
 
 /// Owned variants of the module data types, useful for serialization and testing.
 pub mod owned {

lucet-module/src/lib.rs

@@ -1,12 +1,14 @@
 use crate::functions::FunctionSpec;
 use crate::module_data::ModuleData;
 use crate::tables::TableElement;
+use crate::version_info::VersionInfo;
 
 pub const LUCET_MODULE_SYM: &str = "lucet_module";
 
 /// Module is the exposed structure that contains all the data backing a Lucet-compiled object.
 #[derive(Debug)]
 pub struct Module<'a> {
+    pub version: VersionInfo,
     pub module_data: ModuleData<'a>,
     pub tables: &'a [&'a [TableElement]],
     pub function_manifest: &'a [FunctionSpec],
@@ -18,6 +20,7 @@ pub struct Module<'a> {
 #[repr(C)]
 #[derive(Debug)]
 pub struct SerializedModule {
+    pub version: VersionInfo,
     pub module_data_ptr: u64,
     pub module_data_len: u64,
     pub tables_ptr: u64,

lucet-module/src/module.rs

@@ -1,8 +1,9 @@
 use crate::error::Error::{self, IOError, ModuleSignatureError};
-use crate::module::LUCET_MODULE_SYM;
+use crate::module::{SerializedModule, LUCET_MODULE_SYM};
 use crate::module_data::MODULE_DATA_SYM;
 use crate::ModuleData;
 use byteorder::{ByteOrder, LittleEndian};
+use memoffset::offset_of;
 pub use minisign::{PublicKey, SecretKey};
 use minisign::{SignatureBones, SignatureBox};
 use object::*;
@@ -94,12 +95,15 @@ impl RawModuleAndData {
                 format!("`{}` symbol not present", MODULE_DATA_SYM),
             ))?;
 
-        let module_data_len =
-            LittleEndian::read_u64(&obj_bin[(native_data_symbol_data.offset + 8)..]) as usize;
+        let module_data_len = LittleEndian::read_u64(
+            &obj_bin[(native_data_symbol_data.offset
+                + offset_of!(SerializedModule, module_data_len))..],
+        ) as usize;
 
         Ok(RawModuleAndData {
             obj_bin,
-            module_data_offset: module_data_symbol_data.offset,
+            module_data_offset: module_data_symbol_data.offset
+                + offset_of!(SerializedModule, module_data_ptr),
             module_data_len: module_data_len,
         })
     }

lucet-module/src/signature.rs

@@ -0,0 +1,92 @@
+use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt};
+use std::cmp::min;
+use std::fmt;
+use std::io;
+
+/// VersionInfo is information about a Lucet module to allow the Lucet runtime to determine if or
+/// how the module can be loaded, if so requested. The information here describes implementation
+/// details in runtime support for `lucetc`-produced modules, and nothing higher level.
+#[repr(C)]
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct VersionInfo {
+    major: u16,
+    minor: u16,
+    patch: u16,
+    reserved: u16,
+    version_hash: [u8; 8],
+}
+
+impl fmt::Display for VersionInfo {
+    fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
+        write!(fmt, "{}.{}.{}", self.major, self.minor, self.patch)?;
+        if u64::from_ne_bytes(self.version_hash) != 0 {
+            write!(
+                fmt,
+                "-{}",
+                std::str::from_utf8(&self.version_hash).unwrap_or("INVALID")
+            )?;
+        }
+        Ok(())
+    }
+}
+
+impl VersionInfo {
+    pub fn write_to<W: WriteBytesExt>(&self, w: &mut W) -> io::Result<()> {
+        w.write_u16::<LittleEndian>(self.major)?;
+        w.write_u16::<LittleEndian>(self.minor)?;
+        w.write_u16::<LittleEndian>(self.patch)?;
+        w.write_u16::<LittleEndian>(self.reserved)?;
+        w.write(&self.version_hash).and_then(|written| {
+            if written != self.version_hash.len() {
+                Err(io::Error::new(
+                    io::ErrorKind::Other,
+                    "unable to write full version hash",
+                ))
+            } else {
+                Ok(())
+            }
+        })
+    }
+
+    pub fn read_from<R: ReadBytesExt>(r: &mut R) -> io::Result<Self> {
+        let mut version_hash = [0u8; 8];
+        Ok(VersionInfo {
+            major: r.read_u16::<LittleEndian>()?,
+            minor: r.read_u16::<LittleEndian>()?,
+            patch: r.read_u16::<LittleEndian>()?,
+            reserved: r.read_u16::<LittleEndian>()?,
+            version_hash: {
+                r.read_exact(&mut version_hash)?;
+                version_hash
+            },
+        })
+    }
+
+    pub fn valid(&self) -> bool {
+        self.reserved == 0x8000
+    }
+
+    pub fn current(current_hash: &'static [u8]) -> Self {
+        let mut version_hash = [0u8; 8];
+
+        for i in 0..min(version_hash.len(), current_hash.len()) {
+            version_hash[i] = current_hash[i];
+        }
+
+        // The reasoning for this is as follows:
+        // `SerializedModule`, in version before version information was introduced, began with a
+        // pointer - `module_data_ptr`. This pointer would be relocated to somewhere in user space
+        // for the embedder of `lucet-runtime`. On x86_64, hopefully, that's userland code in some
+        // OS, meaning the pointer will be a pointer to user memory, and will be below
+        // 0x8000_0000_0000_0000. By setting `reserved` to `0x8000`, we set what would be the
+        // highest bit in `module_data_ptr` in an old `lucet-runtime` and guarantee a segmentation
+        // fault when loading these newer modules with version information.
+        VersionInfo {
+            major: env!("CARGO_PKG_VERSION_MAJOR").parse().unwrap(),
+            minor: env!("CARGO_PKG_VERSION_MINOR").parse().unwrap(),
+            patch: env!("CARGO_PKG_VERSION_PATCH").parse().unwrap(),
+            reserved: 0x8000u16,
+            version_hash,
+        }
+    }
+}

lucet-module/src/version_info.rs

@@ -1,3 +1,7 @@
+use std::env;
+use std::fs::File;
+use std::path::Path;
+
 use cc;
 
 fn main() {
@@ -14,4 +18,28 @@ fn main() {
     cc::Build::new()
         .file("src/context/tests/c_child.c")
         .compile("context_tests_c_child");
+
+    let commit_file_path = Path::new(&env::var("OUT_DIR").unwrap()).join("commit_hash");
+    // in debug builds we only need the file to exist, but in release builds this will be used and
+    // requires mutability.
+    #[allow(unused_variables, unused_mut)]
+    let mut f = File::create(&commit_file_path).unwrap();
+
+    // This is about the closest not-additional-feature-flag way to detect release builds.
+    // In debug builds, leave the `commit_hash` file empty to allow looser version checking and
+    // avoid impacting development workflows too much.
+    #[cfg(not(debug_assertions))]
+    {
+        use std::io::Write;
+        use std::process::Command;
+
+        let last_commit_hash = Command::new("git")
+            .args(&["log", "-n", "1", "--pretty=format:%H"])
+            .output()
+            .ok();
+
+        if let Some(last_commit_hash) = last_commit_hash {
+            f.write_all(&last_commit_hash.stdout).unwrap();
+        }
+    }
 }

lucet-runtime/lucet-runtime-internals/build.rs

@@ -4,7 +4,7 @@ use libc::c_void;
 use libloading::Library;
 use lucet_module::{
     FunctionHandle, FunctionIndex, FunctionPointer, FunctionSpec, ModuleData, ModuleSignature,
-    PublicKey, SerializedModule, Signature, LUCET_MODULE_SYM,
+    PublicKey, SerializedModule, Signature, VersionInfo, LUCET_MODULE_SYM,
 };
 use std::ffi::CStr;
 use std::mem::MaybeUninit;
@@ -61,6 +61,21 @@ impl DlModule {
         let serialized_module: &SerializedModule =
             unsafe { serialized_module_ptr.as_ref().unwrap() };
 
+        let version = serialized_module.version.clone();
+
+        let runtime_version =
+            VersionInfo::current(include_str!(concat!(env!("OUT_DIR"), "/commit_hash")).as_bytes());
+
+        if !version.valid() {
+            return Err(lucet_incorrect_module!("reserved bit is not set. This module is likely too old for this lucet-runtime to load."));
+        } else if version != runtime_version {
+            return Err(lucet_incorrect_module!(
+                "version mismatch. module has version {}, while this runtime is version {}",
+                version,
+                runtime_version,
+            ));
+        }
+
         // Deserialize the slice into ModuleData, which will hold refs into the loaded
         // shared object file in `module_data_slice`. Both of these get a 'static lifetime because
         // Rust doesn't have a safe way to describe that their lifetime matches the containing
@@ -115,6 +130,7 @@ impl DlModule {
             lib,
             fbase,
             module: lucet_module::Module {
+                version,
                 module_data,
                 tables,
                 function_manifest,

lucet-runtime/lucet-runtime-internals/src/module/dl.rs

@@ -0,0 +1,16 @@
+use lucet_runtime::{DlModule, Error};
+
+#[test]
+pub fn reject_old_modules() {
+    let err = DlModule::load("./tests/version_checks/old_module.so")
+        .err()
+        .unwrap();
+
+    if let Error::ModuleError(e) = err {
+        let msg = format!("{}", e);
+        assert!(msg.contains("reserved bit is not set"));
+        assert!(msg.contains("module is likely too old"));
+    } else {
+        panic!("unexpected error loading module: {}", err);
+    }
+}