
docs: auto-update for PR #2978 — fix(runtime): avoid aliasing &mut into guest memory (UB)#2985

Closed
meroreviewer[bot] wants to merge 1 commit into master from docs/auto-pr2978-9b520a4

Conversation

meroreviewer[bot] commented Jun 27, 2026


Automatic Documentation Update

Opened automatically after PR #2978 merged.

Each block shows the documentation change as a diff (added lines in green, removed in red); expand "Why this changed" for the source rationale.

Documentation changes

architecture/crates/runtime.html — Remove read_guest_memory_slice_mut that caused aliasing UB; Add write_guest_memory_slice for safe copy-out into guest memory; Add check_guest_memory_bounds for bounds validation without copying; random_bytes fills a host-side buffer before copying to guest; All write call sites updated to use copy-out pattern; Rename bounds-check test to reflect new API

 }
 Limits are enforced at the host function boundary — each call checks remaining …
+Guest memory bounds are validated by check_guest_memory_bounds before any side
+effects are performed, ensuring that an invalid destination address causes an
+immediate abort rather than a partial write or silent corruption.
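Review bot: the added sentence reads as if every write into guest memory is preceded by a call to check_guest_memory_bounds, but the rationale says only call sites with side effects to avoid (random_bytes, blob_close) call it; read_register, time_now and blob_read rely on the bounds check inside write_guest_memory_slice itself. Suggest qualifying: "Guest memory bounds are validated (by check_guest_memory_bounds, or by write_guest_memory_slice itself) before any side effects are performed, so an invalid destination address makes the host function fail before a partial write or silent corruption can occur."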
 Host Functions
 The runtime imports 50+ host functions into the WASM module. Each function is r…
+Guest Memory Write Safety
+All writes into guest (WASM linear) memory must go through
+write_guest_memory_slice(&self, slice: &sys::BufferMut, data: &[u8]). This
+method bounds-checks the destination buffer against total guest memory, then
+delegates the actual copy to Wasmer's safe MemoryView::write API. A &mut [u8]
+alias into guest memory must never be materialized while any immutable &[u8]
+view over the same backing store exists — doing so violates Rust's aliasing
+rules and constitutes undefined behaviour. The former internal helper
+read_guest_memory_slice_mut (which used data_unchecked_mut to produce such an
+alias) has been removed entirely. When a caller must verify that a guest buffer
+is writable before executing side effects, check_guest_memory_bounds(&self,
+slice: &sys::BufferMut) performs the bounds validation without copying any data.
 Identity & I/O
 context_id
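Review bot: the "Guest Memory Write Safety" paragraph understates what write_guest_memory_slice checks. The rationale says it verifies both that data fits within the guest buffer and that the guest buffer fits within total memory, but the paragraph mentions only the second check. Suggest: "This method checks that data fits within the destination buffer and that the buffer lies entirely within total guest memory, then delegates the actual copy to Wasmer's safe MemoryView::write API." It would also help callers such as read_register, whose payload length varies, to state explicitly whether data shorter than the destination buffer is accepted (partial fill of the buffer) or rejected.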

 log_utf8
 Emit a UTF-8 log message (counted against max_logs)
+random_bytes
+Validate guest destination with check_guest_memory_bounds, fill a host-owned
+buffer via the RNG, then copy into guest memory via write_guest_memory_slice —
+no mutable alias into guest memory is created
 panic
 Abort execution with an error code
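Review bot: the random_bytes entry should state that the bounds check runs before the host-owned buffer is allocated, so the size of the host allocation is bounded by guest memory rather than by an arbitrary guest-supplied length; the rationale confirms that order (validate, then allocate and fill, then copy). Suggest: "Validate the guest destination with check_guest_memory_bounds (the call fails before any allocation or RNG use), fill a host-owned buffer via the RNG, then copy into guest memory via write_guest_memory_slice; no mutable alias into guest memory is created."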

 Get the byte length of data in a register
 read_register
-Copy register contents into WASM linear memory
-Registers act as a transfer buffer between host and guest. Host functions write
-results into numbered registers; the guest reads them out. This avoids complex
-multi-return calling conventions.
+Copy register contents into WASM linear memory via write_guest_memory_slice —
+safe copy-out pattern, no mutable alias
+Registers act as a transfer buffer between host and guest. Host functions write
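Review bot: this hunk removes the three-line "Registers act as a transfer buffer ..." paragraph but re-adds only its first line, so unless the continuation ("results into numbered registers; the guest reads them out. This avoids complex multi-return calling conventions.") follows in the truncated part of the diff, the rendered section ends mid-sentence at "Host functions write". Please confirm the full paragraph survives. Minor: the read_register description would read better as a sentence, e.g. "Copy register contents into WASM linear memory via write_guest_memory_slice (copy-out; no mutable alias into guest memory is created)".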
Why this changed (source: PR #2978)

read_guest_memory_slice_mut used data_unchecked_mut to produce a &mut [u8] into guest memory from a shared &self. Because read_guest_memory_slice can hand out immutable &[u8] views over the same backing store, the two references could coexist and alias, violating Rust's aliasing rules (undefined behaviour). The function (and its clippy::mut_from_ref suppression) is removed entirely.

New method write_guest_memory_slice(&self, slice: &sys::BufferMut, data: &[u8]) copies caller-owned bytes into guest memory via wasmer::MemoryView::write. It bounds-checks both that data fits within the guest buffer and that the guest buffer fits within total memory, then delegates the actual write to Wasmer's safe API. No mutable reference into guest memory is ever created.

New method check_guest_memory_bounds(&self, slice: &sys::BufferMut) validates that a guest buffer's address range lies entirely within guest memory without performing any copy. It is used by callers that must verify writability before executing side effects, so that the side effects are not performed if the destination is invalid.

Previously, random bytes were written directly into a &mut [u8] aliasing guest memory. Now check_guest_memory_bounds validates the destination first, a host-owned Vec<u8> is allocated and filled by the RNG, and then write_guest_memory_slice copies it into guest memory.

read_register, time_now, blob_close, and blob_read all replaced their read_guest_memory_slice_mut(...).copy_from_slice(data) patterns with calls to write_guest_memory_slice. blob_close specifically replaced a block that acquired and immediately dropped a mutable slice (solely for bounds checking) with a direct call to check_guest_memory_bounds.

The test test_read_guest_memory_slice_mut_out_of_bounds was renamed to test_check_guest_memory_bounds_out_of_bounds and updated to call check_guest_memory_bounds instead of the removed read_guest_memory_slice_mut.


Generated by ai-reviewer update-docs. Nothing was auto-merged.
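The copy-out pattern the rationale above describes, as an added std-only example that is not the project's code: wasmer's MemoryView is replaced by a RefCell-backed stand-in (GuestMemory), BufferMut with ptr/len fields stands in for sys::BufferMut, HostError and the fill_rng closure are constructed for the example. A shared &self can only take a statement-scoped mutable borrow, so no &mut [u8] alias can outlive the copy, and both checks the PR describes (data fits the buffer, buffer fits guest memory, with overflow-safe arithmetic) are explicit.

```rust
use std::cell::RefCell;

/// Stand-in for sys::BufferMut (constructed for this example): a guest address range.
#[derive(Clone, Copy, Debug)]
pub struct BufferMut { pub ptr: u64, pub len: u64 }

#[derive(Debug, PartialEq)]
pub enum HostError { OutOfBounds, LengthMismatch }

/// Stand-in for the runtime's memory owner. Linear memory lives in a RefCell,
/// so a shared `&self` can never hand out a lasting `&mut [u8]` alias.
pub struct GuestMemory { bytes: RefCell<Vec<u8>> }

impl GuestMemory {
    pub fn new(size: usize) -> Self { GuestMemory { bytes: RefCell::new(vec![0; size]) } }

    /// Bounds validation without copying: [ptr, ptr+len) must lie inside
    /// guest memory. checked_add rejects a ptr+len that wraps around.
    pub fn check_guest_memory_bounds(&self, slice: &BufferMut) -> Result<(), HostError> {
        let end = slice.ptr.checked_add(slice.len).ok_or(HostError::OutOfBounds)?;
        if end > self.bytes.borrow().len() as u64 { return Err(HostError::OutOfBounds); }
        Ok(())
    }

    /// Copy-out write: caller-owned bytes are copied in. Data must fit the
    /// destination buffer, and the buffer must fit within guest memory.
    pub fn write_guest_memory_slice(&self, slice: &BufferMut, data: &[u8]) -> Result<(), HostError> {
        if data.len() as u64 > slice.len { return Err(HostError::LengthMismatch); }
        self.check_guest_memory_bounds(slice)?;
        let start = slice.ptr as usize;
        // The mutable borrow lives only for this statement; nothing escapes.
        self.bytes.borrow_mut()[start..start + data.len()].copy_from_slice(data);
        Ok(())
    }

    /// Copy of a guest range, for inspection.
    pub fn read(&self, slice: &BufferMut) -> Result<Vec<u8>, HostError> {
        self.check_guest_memory_bounds(slice)?;
        let (s, e) = (slice.ptr as usize, (slice.ptr + slice.len) as usize);
        Ok(self.bytes.borrow()[s..e].to_vec())
    }
}

/// random_bytes in copy-out form: validate, fill a host buffer, then copy in.
/// `fill_rng` is a constructed deterministic stand-in for the real RNG.
pub fn random_bytes(mem: &GuestMemory, dst: BufferMut, fill_rng: impl Fn(&mut [u8])) -> Result<(), HostError> {
    mem.check_guest_memory_bounds(&dst)?; // nothing happens before this check
    let mut host_buf = vec![0u8; dst.len as usize]; // size already bounded by guest memory
    fill_rng(&mut host_buf);
    mem.write_guest_memory_slice(&dst, &host_buf)
}
```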

meroreviewer[bot] added the automated-docs and documentation labels on Jun 27, 2026

meroreviewer[bot] left a comment


🤖 AI Code Reviewer

Reviewed by 1 agents | Quality score: 85% | Review time: 135.0s


✅ No Issues Found

All agents reviewed the code and found no issues. LGTM! 🎉


🤖 Generated by AI Code Reviewer | Review ID: review-912b2c18

chefsale closed this Jun 29, 2026