WASIp2 component support for wasmtime

[t4chib4ne]

Adds WASIp2 component support for wasmtime by checking whether the given WebAssembly is a module or a component and then calling the appropriate functions.
The calls are nothing fancy just a very basic setup giving the WebAssembly component full access to the WASIp2 implementation of wasmtime.

Closes #1871

Still a Draft because of:

• WAT to WASM needs to be tested for components
• Need for a WASIp2 equivalent of wasi_config_preopen_dir ⇒ calling this function for a WASIp2 config also works
• Checking whether WASIp2 components have some sort of default export ⇒ calling wasi:cli/run@0.2.0#run should be fine as wasmtime will call the highest version available (e.g. wasi:cli/run@0.2.3#run)

Summary by Sourcery

Enable WASIp2 component support in wasmtime by detecting if the input is a module or component and invoking the appropriate execution path with dynamically loaded Wasmtime APIs and WASIp2 configuration

New Features:

• Support execution of WASIp2 WebAssembly components in wasmtime

Enhancements:

• Detect whether a WebAssembly file is a module or component and dispatch to the respective execution path
• Extract module and component execution logic into separate libwasmtime_run_module and libwasmtime_run_component functions
• Dynamically load additional Wasmtime C API symbols required for component instantiation and execution
• Configure WASIp2 for components with inherited standard I/O and argument forwarding

Documentation:

• Update wasm-wasi-example to use ENTRYPOINT instead of CMD

Summary by Sourcery

Enable WASIp2 component support in the wasmtime handler by detecting WebAssembly encoding and dispatching to separate execution paths for modules and components, dynamically loading required Wasmtime C API symbols, and configuring WASIp2 contexts with inherited I/O, arguments, environment, and preopened directories.

New Features:

• Support execution of WASIp2 WebAssembly components in the wasmtime handler.

Enhancements:

• Detect WebAssembly encoding via new wasm_interpret_header and dispatch to module or component runner.
• Extract module and component execution logic into dedicated libwasmtime_run_module and libwasmtime_run_component functions.
• Dynamically load all required Wasmtime C API symbols through libwasmtime_load_symbol for flexible symbol resolution at runtime.
• Configure WASIp2 contexts for components with inherited standard I/O, environment, argument forwarding, and preopened directory permissions.

Documentation:

• Update wasm-wasi-example to use ENTRYPOINT instead of CMD for WebAssembly executables.

[sourcery-ai]

Reviewer's Guide

This PR extends the Wasmtime handler to detect whether a Wasm input is a module or component, refactors symbol loading into a helper and macro, extracts module execution into its own function, adds a new WASIp2 component execution path, and updates includes and documentation accordingly.

File-Level Changes

Change	Details	Files
Add header interpretation and dispatch logic	Introduce wasm_interpret_header to classify binaries In libwasmtime_exec, branch on WASM_ENC_MODULE vs WASM_ENC_COMPONENT Replace monolithic exec flow with calls to run_module or run_component	src/libcrun/handlers/wasmtime.c src/libcrun/handlers/handler-utils.c src/libcrun/handlers/handler-utils.h
Factor dynamic symbol loading into helper and macro	Create libwasmtime_load_symbol wrapper around dlsym with error checking Define WASMTIME_COMMON_SYMBOLS macro for shared Wasmtime APIs	src/libcrun/handlers/wasmtime.c
Refactor module execution into libwasmtime_run_module	Extract existing module setup and invocation into its own function Load symbols via helper and common macro Enhance WASI config with explicit preopen_dir permissions	src/libcrun/handlers/wasmtime.c
Implement WASIp2 component execution path	Add libwasmtime_run_component for instantiating and running components Load WASIp2-specific symbols and configure stdin/stdout/stderr, env, args, preopen_dir Link, instantiate, retrieve and call the 'wasi:cli/run' function	src/libcrun/handlers/wasmtime.c
Update includes and documentation	Include <string.h> where needed and remove unused headers Switch example from CMD to ENTRYPOINT in wasm-wasi-example.md	src/libcrun/handlers/wasmtime.c src/libcrun/handlers/handler-utils.c docs/wasm-wasi-example.md

Assessment against linked issues

Issue	Objective	Addressed	Explanation
#1871	Enable crun to run WASIp2 WebAssembly components using wasmtime.	✅
#1871	Detect whether a WebAssembly file is a module or a component and dispatch to the correct execution path.	✅
#1871	Update documentation to reflect correct usage for WASM containers (e.g., using ENTRYPOINT instead of CMD).	✅

Possibly linked issues

• Running WASIp2 Components with crun+wasmtime supported? #1871: The PR adds support for WASIp2 components by detecting and executing them separately, directly resolving the issue where crun failed to run WASIp2 components.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[t4chib4ne]

So I wanted to implement the wasi_config_preopen_dir for WASIp2 by first trying to write something to the filesystem with WASIp1 which resulted in a permission denied error.
The reason is that in the current code wasi_config_preopen_dir is called without its arguments to set the permissions for the dir so the module does not have any permissions.

Is this by choice or a bug?

[giuseppe]

@flouthoc PTAL

[giuseppe]

some nits, also could you use wasmtime: $DESCRIPTION for your commits instead of [wasmtime], otherwise LGTM

[t4chib4ne]

Thanks for taking a look, hope I didn't oversee anything!

The only thing keeping this PR as a draft is that I would like to give both WASM modules and components the ability to read & write to the working directory. But the previous implementation did not allow this.

Are there any security concerns or can this feature simply be added?

[flouthoc]

What is e in rbe here ?

[t4chib4ne]

This part of the code was just copied. The e seems to be a glibc extension which sets the O_CLOEXEC flag on the descriptor. This flag causes the fd to be automatically closed upon calling one of the exec functions.

A few lines later the fd is actually closed by hand and none the exec functions are visibly being called. As e is not standards compliant maybe it should be removed?

Sources: fopen(3) and open(2) man pages

[flouthoc]

As e is not standards compliant maybe it should be removed?

Yes if it's not necessary I think we should remove it, wdyt @giuseppe

[t4chib4ne]

Some extra info: Closing the fd manually later does not prevent all issues O_CLOEXEC tries to solve. The glibc man page states that it is a glibc extension so I figured it would not be standards compliant but musl and FreeBSDs libc actually also implement the e in fopen.

Sources: musl and FreeBSDs libc

[flouthoc]

I think we can remove it if it is not required, I see similar comment later from review bot #1877 (comment)

[t4chib4ne]

After reading other parts of the code for quite some time, I think it is safe to say e is not required. This is also encouraged by the fact that right before the fopen we are always in a single threaded context thus the mentioned leak in open(2) is not possible.

[t4chib4ne]

I just found this commit 0f0d5be which adds e to a lot of fopen calls. Also in wasmtime.
Even though I said removing the flag should be fine I am not 100% sure. Thus I would like to add the e flag back

[flouthoc]

Could you write it in commit message or here, about why is this change needed ?

[t4chib4ne]

Oh, sorry forgot to mention it ...

After adding the pass through of argv to the component I wanted to try it out. Upon running podman run mywasm-image:latest arg1 arg2 podman would replace CMD (the wasm binary) with arg1 which of course does not work. Changing to ENTRYPOINT resolves this.

[flouthoc]

This looks like a breaking change. I think adding this message to commit logs can help us revisit this and fix this if needed.

cc @giuseppe

[t4chib4ne]

Adding this to the commit logs should be possible but I don't really see where this is a breaking change? Without the changes of this PR a wasm module runs into the same problem. IIRC this is also the same behavior a non-wasm container would show.

[t4chib4ne]

Is the message in ce7d656 OK?

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• Consider extracting the repeated dlsym() lookups into a helper utility that takes an array of symbol names and returns function pointers, reducing duplicate code.
• Relying on matching the literal error string “component passed to module validation” for component detection is brittle; consider using a dedicated component detection API or inspecting the Wasm magic/header instead.
• When a symbol lookup fails, include the specific missing symbol name in the error output to make debugging dynamic loading issues easier.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider extracting the repeated dlsym() lookups into a helper utility that takes an array of symbol names and returns function pointers, reducing duplicate code.
- Relying on matching the literal error string “component passed to module validation” for component detection is brittle; consider using a dedicated component detection API or inspecting the Wasm magic/header instead.
- When a symbol lookup fails, include the specific missing symbol name in the error output to make debugging dynamic loading issues easier.

## Individual Comments

### Comment 1
<location> `src/libcrun/handlers/wasmtime.c:91` </location>
<code_context>
+
+  wasm_byte_vec_t wasm;
+  // Load and parse container entrypoint
+  FILE *file = fopen (pathname, "rbe");
+  if (! file)
+    error (EXIT_FAILURE, 0, "error loading entrypoint");
</code_context>

<issue_to_address>
**issue:** The use of 'rbe' as the fopen mode is non-standard and may cause portability issues.

Use 'rb' for reading binary files unless 'rbe' is required and confirmed to be supported across all target platforms.
</issue_to_address>

### Comment 2
<location> `src/libcrun/handlers/wasmtime.c:107` </location>
<code_context>
+  // If entrypoint contains a webassembly text format
+  // compile it on the fly and convert to equivalent
+  // binary format.
+  if (has_suffix (pathname, "wat") > 0)
+    {
+      wasmtime_error_t *err = wasmtime_wat2wasm ((char *) wasm.data, file_size, &wasm_bytes);
</code_context>

<issue_to_address>
**suggestion (bug_risk):** Suffix check for 'wat' may match unintended filenames.

This check may incorrectly match filenames like 'mywat' or 'format'. Use '.wat' as the suffix to ensure only intended files are processed.

```suggestion
  if (has_suffix (pathname, ".wat") > 0)
```
</issue_to_address>

### Comment 3
<location> `src/libcrun/handlers/wasmtime.c:129` </location>
<code_context>
+      wasmtime_error_message (err, &error_message);
+      wasmtime_error_delete (err);
+
+      if (strcmp ((char *) error_message.data, "component passed to module validation") != 0)
+        error (EXIT_FAILURE, 0, "failed to validate module: %.*s", (int) error_message.size, error_message.data);
+
</code_context>

<issue_to_address>
**suggestion (bug_risk):** String comparison for error message is brittle and may break with upstream changes.

Consider using an error code or a more stable identifier instead of matching the error message string, to avoid breakage from upstream changes.

Suggested implementation:

```c
      wasmtime_error_message (err, &error_message);

      // Use a more robust check for the error type.
      // If wasmtime_error_as_exit_status is available, use it.
      int exit_status = 0;
      bool is_component_error = false;
#ifdef WASMTIME_HAS_ERROR_EXIT_STATUS
      if (wasmtime_error_as_exit_status(err, &exit_status)) {
        // Check for a specific exit status if known for component error.
        if (exit_status == WASMTIME_COMPONENT_VALIDATION_ERROR_CODE) {
          is_component_error = true;
        }
      }
#endif
      // Fallback: check for substring in error message.
      if (!is_component_error) {
        if (memmem(error_message.data, error_message.size, "component passed to module validation", strlen("component passed to module validation")) == NULL)
          error (EXIT_FAILURE, 0, "failed to validate module: %.*s", (int) error_message.size, error_message.data);
      }

      wasmtime_error_delete (err);

```

- You may need to define `WASMTIME_HAS_ERROR_EXIT_STATUS` and `WASMTIME_COMPONENT_VALIDATION_ERROR_CODE` if the wasmtime API provides such error codes. If not, you can remove the conditional and rely on the substring check.
- If you have a helper function for error type checking, use that instead of the inline logic.
- Make sure to include the necessary headers for `memmem` if not already present.
</issue_to_address>

### Comment 4
<location> `src/libcrun/handlers/wasmtime.c:278` </location>
<code_context>
   wasi_config_inherit_stdout (wasi_config);
   wasi_config_inherit_stderr (wasi_config);
-  wasi_config_preopen_dir (wasi_config, ".", ".");
+  wasi_config_preopen_dir (
+      wasi_config,
+      ".",
</code_context>

<issue_to_address>
**🚨 suggestion (security):** Hardcoded permissions for preopened directory may be overly permissive.

Evaluate if both read and write permissions are required, or if access can be restricted to enhance security.

Suggested implementation:

```c
      WASMTIME_WASI_DIR_PERMS_READ,
      WASMTIME_WASI_FILE_PERMS_READ);

```

If your application requires write access, you can revert to the original permissions. Otherwise, this change will restrict access to read-only, improving security.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[t4chib4ne]

I marked the PR as a draft again because I don't want to trigger CI all the time. There is also a bigger change in the works which cleans up all of the dlsym calls into three macros to reduce repetition. Part of it has also accidentally been committed to 3777fba which I'll cleanup soon.

Edit: Seems like CI still get triggered ... and it's now just one macro.

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• The symbol loading boilerplate is duplicated heavily between the module and component paths—consider refactoring common symbol initialisation (and WASI/WASIp2 config setup) into shared helper functions to reduce code duplication.
• Rather than calling exit() deep within the handler when errors occur, propagate errors back to the caller (e.g. by returning an error code) so that higher-level logic can perform any necessary cleanup.
• You’ve hardcoded the CLI interface version to "wasi:cli/run@0.2.0"; consider making this configurable or querying the highest supported version dynamically to avoid stale bindings as newer WASI CLI versions are released.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The symbol loading boilerplate is duplicated heavily between the module and component paths—consider refactoring common symbol initialisation (and WASI/WASIp2 config setup) into shared helper functions to reduce code duplication.
- Rather than calling exit() deep within the handler when errors occur, propagate errors back to the caller (e.g. by returning an error code) so that higher-level logic can perform any necessary cleanup.
- You’ve hardcoded the CLI interface version to "wasi:cli/run@0.2.0"; consider making this configurable or querying the highest supported version dynamically to avoid stale bindings as newer WASI CLI versions are released.

## Individual Comments

### Comment 1
<location> `src/libcrun/handlers/wasmtime.c:86-88` </location>
<code_context>
+  FILE *file = fopen (pathname, "rb");
+  if (! file)
+    error (EXIT_FAILURE, 0, "error loading entrypoint");
+  if (fseek (file, 0L, SEEK_END))
+    error (EXIT_FAILURE, 0, "error fully loading entrypoint");
+  size_t file_size = ftell (file);
+  wasm_byte_vec_new_uninitialized (&wasm, file_size);
+  if (fseek (file, 0L, SEEK_SET))
</code_context>

<issue_to_address>
**issue (bug_risk):** Potential issue with ftell error handling.

Check that file_size is not (size_t)-1 after ftell to prevent passing an invalid size to wasm_byte_vec_new_uninitialized.
</issue_to_address>

### Comment 2
<location> `src/libcrun/handlers/wasmtime.c:92` </location>
<code_context>
+  wasm_byte_vec_new_uninitialized (&wasm, file_size);
+  if (fseek (file, 0L, SEEK_SET))
+    error (EXIT_FAILURE, 0, "error resetting entrypoint");
+  if (fread (wasm.data, file_size, 1, file) != 1)
+    error (EXIT_FAILURE, 0, "error reading entrypoint");
+  fclose (file);
</code_context>

<issue_to_address>
**issue (bug_risk):** No cleanup on fread failure.

The wasm buffer should be freed if fread fails to prevent a memory leak.
</issue_to_address>

### Comment 3
<location> `src/libcrun/handlers/wasmtime.c:47` </location>
<code_context>
 #endif

 #if HAVE_DLOPEN && HAVE_WASMTIME
+static void *
+libwasmtime_load_symbol (void *cookie, char *const symbol);
+
</code_context>

<issue_to_address>
**issue (complexity):** Consider refactoring the repeated dlsym symbol loading into an X-macro and struct-based helper to centralize and simplify symbol management.

Here’s one way to collapse almost all of the “declare + dlsym” boilerplate into an X-macro and a small helper.  This keeps exactly the same semantics and error‐handling but cuts your dozens of nearly‐identical lines down to just a single list plus two small macros:

```c
// 1) Define your list of symbols once:
#define WASMTIME_SYM_LIST(V)                    \
  V(wasm_engine_new)                            \
  V(wasm_engine_delete)                         \
  V(wasmtime_store_new)                         \
  V(wasmtime_store_delete)                      \
  V(wasmtime_store_context)                     \
  V(wasmtime_linker_new)                        \
  V(wasmtime_linker_define_wasi)                \
  V(wasmtime_module_new)                        \
  V(wasmtime_component_new)                     \
  V(wasmtime_wat2wasm)                          \
  V(wasm_byte_vec_new_uninitialized)            \
  V(wasm_byte_vec_delete)                       \
  V(wasmtime_error_message)                     \
  V(wasmtime_error_delete)                      \
  /* …add only the rest once here… */           \
  V(wasmtime_func_call)                         \
  V(wasmtime_component_func_call)               \
  V(wasi_config_new)                            \
  V(wasi_config_set_argv)                       \
  V(wasi_config_inherit_env)                    \
  V(wasi_config_inherit_stdin)                  \
  /* etc… */

// 2) Expand it into declarations in a struct:
typedef struct {
#define DECL_FN(name)    typeof(name) * name;
  WASMTIME_SYM_LIST(DECL_FN)
#undef DECL_FN
} wasmtime_syms_t;

// 3) Provide a loader that loops once over the list:
static void load_wasmtime_syms(void *cookie, wasmtime_syms_t *s) {
#define LOAD_FN(name)                                                               \
  do {                                                                              \
    s->name = dlsym(cookie, #name);                                                 \
    if (s->name == NULL)                                                            \
      error(EXIT_FAILURE, 0, "could not find `%s` in libwasmtime.so", #name);       \
  } while(0);

  WASMTIME_SYM_LIST(LOAD_FN)
#undef LOAD_FN
}

// 4) In your run_module / run_component, just do:
static void
libwasmtime_run_module(void *cookie, char *const argv[], wasm_engine_t *engine, wasm_byte_vec_t *wasm)
{
  wasmtime_syms_t s;
  load_wasmtime_syms(cookie, &s);
  // …then use s.wasmtime_store_new, s.wasmtime_store_delete, etc…
}

// 5) Same for run_component.
```

Benefits:

- You keep one single list of symbols (`WASMTIME_SYM_LIST`) rather than dozens of copy-pasted dlsym calls.
- Adding/removing a symbol is now a one-liner in that list.
- The loader macro handles failures uniformly.
- You keep all functionality exactly the same.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[TomSweeneyRedHat]

@t4chib4ne the tests are not happy. @giuseppe is that expected?

[t4chib4ne]

@t4chib4ne the tests are not happy. @giuseppe is that expected?

I saw that but they failed because of a failed provisioning of the test environment due to an outage.
Either I just can't find the button or I am not allowed to manually trigger the tests.