Fix folder names in primitives (#4358)

* sr-arithmetic -> arithmetic

* sr-sandbox -> sandbox

* primitives/sr-staking-primitives -> primitives/staking

* primitives/sr-version -> primitives/version

* primitives/block-builder/runtime-api -> primitives/block-builder

substrate/primitives/sandbox/Cargo.toml

@@ -0,0 +1,27 @@
+[package]
+name = "sp-sandbox"
+version = "2.0.0"
+authors = ["Parity Technologies <admin@parity.io>"]
+edition = "2018"
+
+[dependencies]
+wasmi = { version = "0.6.2", optional = true }
+primitives = { package = "sp-core", path = "../core", default-features = false }
+sp-std = { path = "../std", default-features = false }
+sp-io = { path = "../io", default-features = false }
+codec = { package = "parity-scale-codec", version = "1.0.0", default-features = false }
+
+[dev-dependencies]
+wabt = "0.9.2"
+assert_matches = "1.3.0"
+
+[features]
+default = ["std"]
+std = [
+	"wasmi",
+	"primitives/std",
+	"sp-std/std",
+	"codec/std",
+	"sp-io/std",
+]
+strict = []

substrate/primitives/sandbox/src/lib.rs

@@ -0,0 +1,208 @@
+// Copyright 2018-2019 Parity Technologies (UK) Ltd.
+// This file is part of Substrate.
+
+// Substrate is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// Substrate is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with Substrate.  If not, see <http://www.gnu.org/licenses/>.
+
+//! This crate provides means to instantiate and execute wasm modules.
+//!
+//! It works even when the user of this library executes from
+//! inside the wasm VM. In this case the same VM is used for execution
+//! of both the sandbox owner and the sandboxed module, without compromising security
+//! and without the performance penalty of full wasm emulation inside wasm.
+//!
+//! This is achieved by using bindings to the wasm VM, which are published by the host API.
+//! This API is thin and consists of only a handful functions. It contains functions for instantiating
+//! modules and executing them, but doesn't contain functions for inspecting the module
+//! structure. The user of this library is supposed to read the wasm module.
+//!
+//! When this crate is used in the `std` environment all these functions are implemented by directly
+//! calling the wasm VM.
+//!
+//! Examples of possible use-cases for this library are not limited to the following:
+//!
+//! - implementing smart-contract runtimes that use wasm for contract code
+//! - executing a wasm substrate runtime inside of a wasm parachain
+
+#![warn(missing_docs)]
+#![cfg_attr(not(feature = "std"), no_std)]
+#![cfg_attr(not(feature = "std"), feature(core_intrinsics))]
+
+use sp_std::prelude::*;
+
+pub use primitives::sandbox::{TypedValue, ReturnValue, HostError};
+
+mod imp {
+	#[cfg(feature = "std")]
+	include!("../with_std.rs");
+
+	#[cfg(not(feature = "std"))]
+	include!("../without_std.rs");
+}
+
+/// Error that can occur while using this crate.
+#[derive(primitives::RuntimeDebug)]
+pub enum Error {
+	/// Module is not valid, couldn't be instantiated.
+	Module,
+
+	/// Access to a memory or table was made with an address or an index which is out of bounds.
+	///
+	/// Note that if wasm module makes an out-of-bounds access then trap will occur.
+	OutOfBounds,
+
+	/// Failed to invoke the start function or an exported function for some reason.
+	Execution,
+}
+
+impl From<Error> for HostError {
+	fn from(_e: Error) -> HostError {
+		HostError
+	}
+}
+
+/// Function pointer for specifying functions by the
+/// supervisor in [`EnvironmentDefinitionBuilder`].
+///
+/// [`EnvironmentDefinitionBuilder`]: struct.EnvironmentDefinitionBuilder.html
+pub type HostFuncType<T> = fn(&mut T, &[TypedValue]) -> Result<ReturnValue, HostError>;
+
+/// Reference to a sandboxed linear memory, that
+/// will be used by the guest module.
+///
+/// The memory can't be directly accessed by supervisor, but only
+/// through designated functions [`get`] and [`set`].
+///
+/// [`get`]: #method.get
+/// [`set`]: #method.set
+#[derive(Clone)]
+pub struct Memory {
+	inner: imp::Memory,
+}
+
+impl Memory {
+	/// Construct a new linear memory instance.
+	///
+	/// The memory allocated with initial number of pages specified by `initial`.
+	/// Minimal possible value for `initial` is 0 and maximum possible is `65536`.
+	/// (Since maximum addressable memory is 2<sup>32</sup> = 4GiB = 65536 * 64KiB).
+	///
+	/// It is possible to limit maximum number of pages this memory instance can have by specifying
+	/// `maximum`. If not specified, this memory instance would be able to allocate up to 4GiB.
+	///
+	/// Allocated memory is always zeroed.
+	pub fn new(initial: u32, maximum: Option<u32>) -> Result<Memory, Error> {
+		Ok(Memory {
+			inner: imp::Memory::new(initial, maximum)?,
+		})
+	}
+
+	/// Read a memory area at the address `ptr` with the size of the provided slice `buf`.
+	///
+	/// Returns `Err` if the range is out-of-bounds.
+	pub fn get(&self, ptr: u32, buf: &mut [u8]) -> Result<(), Error> {
+		self.inner.get(ptr, buf)
+	}
+
+	/// Write a memory area at the address `ptr` with contents of the provided slice `buf`.
+	///
+	/// Returns `Err` if the range is out-of-bounds.
+	pub fn set(&self, ptr: u32, value: &[u8]) -> Result<(), Error> {
+		self.inner.set(ptr, value)
+	}
+}
+
+/// Struct that can be used for defining an environment for a sandboxed module.
+///
+/// The sandboxed module can access only the entities which were defined and passed
+/// to the module at the instantiation time.
+pub struct EnvironmentDefinitionBuilder<T> {
+	inner: imp::EnvironmentDefinitionBuilder<T>,
+}
+
+impl<T> EnvironmentDefinitionBuilder<T> {
+	/// Construct a new `EnvironmentDefinitionBuilder`.
+	pub fn new() -> EnvironmentDefinitionBuilder<T> {
+		EnvironmentDefinitionBuilder {
+			inner: imp::EnvironmentDefinitionBuilder::new(),
+		}
+	}
+
+	/// Register a host function in this environment definition.
+	///
+	/// NOTE that there is no constraints on type of this function. An instance
+	/// can import function passed here with any signature it wants. It can even import
+	/// the same function (i.e. with same `module` and `field`) several times. It's up to
+	/// the user code to check or constrain the types of signatures.
+	pub fn add_host_func<N1, N2>(&mut self, module: N1, field: N2, f: HostFuncType<T>)
+	where
+		N1: Into<Vec<u8>>,
+		N2: Into<Vec<u8>>,
+	{
+		self.inner.add_host_func(module, field, f);
+	}
+
+	/// Register a memory in this environment definition.
+	pub fn add_memory<N1, N2>(&mut self, module: N1, field: N2, mem: Memory)
+	where
+		N1: Into<Vec<u8>>,
+		N2: Into<Vec<u8>>,
+	{
+		self.inner.add_memory(module, field, mem.inner);
+	}
+}
+
+/// Sandboxed instance of a wasm module.
+///
+/// This instance can be used for invoking exported functions.
+pub struct Instance<T> {
+	inner: imp::Instance<T>,
+}
+
+impl<T> Instance<T> {
+	/// Instantiate a module with the given [`EnvironmentDefinitionBuilder`]. It will
+	/// run the `start` function (if it is present in the module) with the given `state`.
+	///
+	/// Returns `Err(Error::Module)` if this module can't be instantiated with the given
+	/// environment. If execution of `start` function generated a trap, then `Err(Error::Execution)` will
+	/// be returned.
+	///
+	/// [`EnvironmentDefinitionBuilder`]: struct.EnvironmentDefinitionBuilder.html
+	pub fn new(code: &[u8], env_def_builder: &EnvironmentDefinitionBuilder<T>, state: &mut T)
+		-> Result<Instance<T>, Error>
+	{
+		Ok(Instance {
+			inner: imp::Instance::new(code, &env_def_builder.inner, state)?,
+		})
+	}
+
+	/// Invoke an exported function with the given name.
+	///
+	/// # Errors
+	///
+	/// Returns `Err(Error::Execution)` if:
+	///
+	/// - An export function name isn't a proper utf8 byte sequence,
+	/// - This module doesn't have an exported function with the given name,
+	/// - If types of the arguments passed to the function doesn't match function signature
+	///   then trap occurs (as if the exported function was called via call_indirect),
+	/// - Trap occured at the execution time.
+	pub fn invoke(
+		&mut self,
+		name: &str,
+		args: &[TypedValue],
+		state: &mut T,
+	) -> Result<ReturnValue, Error> {
+		self.inner.invoke(name, args, state)
+	}
+}

substrate/primitives/sandbox/with_std.rs

@@ -0,0 +1,485 @@
+// Copyright 2018-2019 Parity Technologies (UK) Ltd.
+// This file is part of Substrate.
+
+// Substrate is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// Substrate is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with Substrate.  If not, see <http://www.gnu.org/licenses/>.
+
+use sp_std::collections::btree_map::BTreeMap;
+use sp_std::fmt;
+
+use wasmi::{
+	Externals, FuncInstance, FuncRef, GlobalDescriptor, GlobalRef, ImportResolver,
+	MemoryDescriptor, MemoryInstance, MemoryRef, Module, ModuleInstance, ModuleRef,
+	RuntimeArgs, RuntimeValue, Signature, TableDescriptor, TableRef, Trap, TrapKind
+};
+use wasmi::memory_units::Pages;
+use super::{Error, TypedValue, ReturnValue, HostFuncType, HostError};
+
+#[derive(Clone)]
+pub struct Memory {
+	memref: MemoryRef,
+}
+
+impl Memory {
+	pub fn new(initial: u32, maximum: Option<u32>) -> Result<Memory, Error> {
+		Ok(Memory {
+			memref: MemoryInstance::alloc(
+				Pages(initial as usize),
+				maximum.map(|m| Pages(m as usize)),
+			).map_err(|_| Error::Module)?,
+		})
+	}
+
+	pub fn get(&self, ptr: u32, buf: &mut [u8]) -> Result<(), Error> {
+		self.memref.get_into(ptr, buf).map_err(|_| Error::OutOfBounds)?;
+		Ok(())
+	}
+
+	pub fn set(&self, ptr: u32, value: &[u8]) -> Result<(), Error> {
+		self.memref.set(ptr, value).map_err(|_| Error::OutOfBounds)?;
+		Ok(())
+	}
+}
+
+struct HostFuncIndex(usize);
+
+struct DefinedHostFunctions<T> {
+	funcs: Vec<HostFuncType<T>>,
+}
+
+impl<T> Clone for DefinedHostFunctions<T> {
+	fn clone(&self) -> DefinedHostFunctions<T> {
+		DefinedHostFunctions {
+			funcs: self.funcs.clone(),
+		}
+	}
+}
+
+impl<T> DefinedHostFunctions<T> {
+	fn new() -> DefinedHostFunctions<T> {
+		DefinedHostFunctions {
+			funcs: Vec::new(),
+		}
+	}
+
+	fn define(&mut self, f: HostFuncType<T>) -> HostFuncIndex {
+		let idx = self.funcs.len();
+		self.funcs.push(f);
+		HostFuncIndex(idx)
+	}
+}
+
+#[derive(Debug)]
+struct DummyHostError;
+
+impl fmt::Display for DummyHostError {
+	fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+		write!(f, "DummyHostError")
+	}
+}
+
+impl wasmi::HostError for DummyHostError {
+}
+
+fn from_runtime_value(v: RuntimeValue) -> TypedValue {
+	match v {
+		RuntimeValue::I32(v) => TypedValue::I32(v),
+		RuntimeValue::I64(v) => TypedValue::I64(v),
+		RuntimeValue::F32(v) => TypedValue::F32(v.to_bits() as i32),
+		RuntimeValue::F64(v) => TypedValue::F64(v.to_bits() as i64),
+	}
+}
+
+fn to_runtime_value(v: TypedValue) -> RuntimeValue {
+	use wasmi::nan_preserving_float::{F32, F64};
+	match v {
+		TypedValue::I32(v) => RuntimeValue::I32(v as i32),
+		TypedValue::I64(v) => RuntimeValue::I64(v as i64),
+		TypedValue::F32(v_bits) => RuntimeValue::F32(F32::from_bits(v_bits as u32)),
+		TypedValue::F64(v_bits) => RuntimeValue::F64(F64::from_bits(v_bits as u64)),
+	}
+}
+
+struct GuestExternals<'a, T: 'a> {
+	state: &'a mut T,
+	defined_host_functions: &'a DefinedHostFunctions<T>,
+}
+
+impl<'a, T> Externals for GuestExternals<'a, T> {
+	fn invoke_index(
+		&mut self,
+		index: usize,
+		args: RuntimeArgs,
+	) -> Result<Option<RuntimeValue>, Trap> {
+		let args = args.as_ref()
+			.iter()
+			.cloned()
+			.map(from_runtime_value)
+			.collect::<Vec<_>>();
+
+		let result = (self.defined_host_functions.funcs[index])(self.state, &args);
+		match result {
+			Ok(value) => Ok(match value {
+				ReturnValue::Value(v) => Some(to_runtime_value(v)),
+				ReturnValue::Unit => None,
+			}),
+			Err(HostError) => Err(TrapKind::Host(Box::new(DummyHostError)).into()),
+		}
+	}
+}
+
+enum ExternVal {
+	HostFunc(HostFuncIndex),
+	Memory(Memory),
+}
+
+pub struct EnvironmentDefinitionBuilder<T> {
+	map: BTreeMap<(Vec<u8>, Vec<u8>), ExternVal>,
+	defined_host_functions: DefinedHostFunctions<T>,
+}
+
+impl<T> EnvironmentDefinitionBuilder<T> {
+	pub fn new() -> EnvironmentDefinitionBuilder<T> {
+		EnvironmentDefinitionBuilder {
+			map: BTreeMap::new(),
+			defined_host_functions: DefinedHostFunctions::new(),
+		}
+	}
+
+	pub fn add_host_func<N1, N2>(&mut self, module: N1, field: N2, f: HostFuncType<T>)
+	where
+		N1: Into<Vec<u8>>,
+		N2: Into<Vec<u8>>,
+	{
+		let idx = self.defined_host_functions.define(f);
+		self.map
+			.insert((module.into(), field.into()), ExternVal::HostFunc(idx));
+	}
+
+	pub fn add_memory<N1, N2>(&mut self, module: N1, field: N2, mem: Memory)
+	where
+		N1: Into<Vec<u8>>,
+		N2: Into<Vec<u8>>,
+	{
+		self.map
+			.insert((module.into(), field.into()), ExternVal::Memory(mem));
+	}
+}
+
+impl<T> ImportResolver for EnvironmentDefinitionBuilder<T> {
+	fn resolve_func(
+		&self,
+		module_name: &str,
+		field_name: &str,
+		signature: &Signature,
+	) -> Result<FuncRef, wasmi::Error> {
+		let key = (
+			module_name.as_bytes().to_owned(),
+			field_name.as_bytes().to_owned(),
+		);
+		let externval = self.map.get(&key).ok_or_else(|| {
+			wasmi::Error::Instantiation(format!("Export {}:{} not found", module_name, field_name))
+		})?;
+		let host_func_idx = match *externval {
+			ExternVal::HostFunc(ref idx) => idx,
+			_ => {
+				return Err(wasmi::Error::Instantiation(format!(
+					"Export {}:{} is not a host func",
+					module_name, field_name
+				)))
+			}
+		};
+		Ok(FuncInstance::alloc_host(signature.clone(), host_func_idx.0))
+	}
+
+	fn resolve_global(
+		&self,
+		_module_name: &str,
+		_field_name: &str,
+		_global_type: &GlobalDescriptor,
+	) -> Result<GlobalRef, wasmi::Error> {
+		Err(wasmi::Error::Instantiation(format!(
+			"Importing globals is not supported yet"
+		)))
+	}
+
+	fn resolve_memory(
+		&self,
+		module_name: &str,
+		field_name: &str,
+		_memory_type: &MemoryDescriptor,
+	) -> Result<MemoryRef, wasmi::Error> {
+		let key = (
+			module_name.as_bytes().to_owned(),
+			field_name.as_bytes().to_owned(),
+		);
+		let externval = self.map.get(&key).ok_or_else(|| {
+			wasmi::Error::Instantiation(format!("Export {}:{} not found", module_name, field_name))
+		})?;
+		let memory = match *externval {
+			ExternVal::Memory(ref m) => m,
+			_ => {
+				return Err(wasmi::Error::Instantiation(format!(
+					"Export {}:{} is not a memory",
+					module_name, field_name
+				)))
+			}
+		};
+		Ok(memory.memref.clone())
+	}
+
+	fn resolve_table(
+		&self,
+		_module_name: &str,
+		_field_name: &str,
+		_table_type: &TableDescriptor,
+	) -> Result<TableRef, wasmi::Error> {
+		Err(wasmi::Error::Instantiation(format!(
+			"Importing tables is not supported yet"
+		)))
+	}
+}
+
+pub struct Instance<T> {
+	instance: ModuleRef,
+	defined_host_functions: DefinedHostFunctions<T>,
+	_marker: ::std::marker::PhantomData<T>,
+}
+
+impl<T> Instance<T> {
+	pub fn new(
+		code: &[u8],
+		env_def_builder: &EnvironmentDefinitionBuilder<T>,
+		state: &mut T,
+	) -> Result<Instance<T>, Error> {
+		let module = Module::from_buffer(code).map_err(|_| Error::Module)?;
+		let not_started_instance = ModuleInstance::new(&module, env_def_builder)
+			.map_err(|_| Error::Module)?;
+
+
+		let defined_host_functions = env_def_builder.defined_host_functions.clone();
+		let instance = {
+			let mut externals = GuestExternals {
+				state,
+				defined_host_functions: &defined_host_functions,
+			};
+			let instance = not_started_instance.run_start(&mut externals)
+				.map_err(|_| Error::Execution)?;
+			instance
+		};
+
+		Ok(Instance {
+			instance,
+			defined_host_functions,
+			_marker: ::std::marker::PhantomData::<T>,
+		})
+	}
+
+	pub fn invoke(
+		&mut self,
+		name: &str,
+		args: &[TypedValue],
+		state: &mut T,
+	) -> Result<ReturnValue, Error> {
+		let args = args.iter().cloned().map(Into::into).collect::<Vec<_>>();
+
+		let mut externals = GuestExternals {
+			state,
+			defined_host_functions: &self.defined_host_functions,
+		};
+		let result = self.instance
+			.invoke_export(&name, &args, &mut externals);
+
+		match result {
+			Ok(None) => Ok(ReturnValue::Unit),
+			Ok(Some(val)) => Ok(ReturnValue::Value(val.into())),
+			Err(_err) => Err(Error::Execution),
+		}
+	}
+}
+
+#[cfg(test)]
+mod tests {
+	use wabt;
+	use crate::{Error, TypedValue, ReturnValue, HostError, EnvironmentDefinitionBuilder, Instance};
+	use assert_matches::assert_matches;
+
+	fn execute_sandboxed(code: &[u8], args: &[TypedValue]) -> Result<ReturnValue, HostError> {
+		struct State {
+			counter: u32,
+		}
+
+		fn env_assert(_e: &mut State, args: &[TypedValue]) -> Result<ReturnValue, HostError> {
+			if args.len() != 1 {
+				return Err(HostError);
+			}
+			let condition = args[0].as_i32().ok_or_else(|| HostError)?;
+			if condition != 0 {
+				Ok(ReturnValue::Unit)
+			} else {
+				Err(HostError)
+			}
+		}
+		fn env_inc_counter(e: &mut State, args: &[TypedValue]) -> Result<ReturnValue, HostError> {
+			if args.len() != 1 {
+				return Err(HostError);
+			}
+			let inc_by = args[0].as_i32().ok_or_else(|| HostError)?;
+			e.counter += inc_by as u32;
+			Ok(ReturnValue::Value(TypedValue::I32(e.counter as i32)))
+		}
+		/// Function that takes one argument of any type and returns that value.
+		fn env_polymorphic_id(_e: &mut State, args: &[TypedValue]) -> Result<ReturnValue, HostError> {
+			if args.len() != 1 {
+				return Err(HostError);
+			}
+			Ok(ReturnValue::Value(args[0]))
+		}
+
+		let mut state = State { counter: 0 };
+
+		let mut env_builder = EnvironmentDefinitionBuilder::new();
+		env_builder.add_host_func("env", "assert", env_assert);
+		env_builder.add_host_func("env", "inc_counter", env_inc_counter);
+		env_builder.add_host_func("env", "polymorphic_id", env_polymorphic_id);
+
+		let mut instance = Instance::new(code, &env_builder, &mut state)?;
+		let result = instance.invoke("call", args, &mut state);
+
+		result.map_err(|_| HostError)
+	}
+
+	#[test]
+	fn invoke_args() {
+		let code = wabt::wat2wasm(r#"
+		(module
+			(import "env" "assert" (func $assert (param i32)))
+
+			(func (export "call") (param $x i32) (param $y i64)
+				;; assert that $x = 0x12345678
+				(call $assert
+					(i32.eq
+						(get_local $x)
+						(i32.const 0x12345678)
+					)
+				)
+
+				(call $assert
+					(i64.eq
+						(get_local $y)
+						(i64.const 0x1234567887654321)
+					)
+				)
+			)
+		)
+		"#).unwrap();
+
+		let result = execute_sandboxed(
+			&code,
+			&[
+				TypedValue::I32(0x12345678),
+				TypedValue::I64(0x1234567887654321),
+			]
+		);
+		assert!(result.is_ok());
+	}
+
+	#[test]
+	fn return_value() {
+		let code = wabt::wat2wasm(r#"
+		(module
+			(func (export "call") (param $x i32) (result i32)
+				(i32.add
+					(get_local $x)
+					(i32.const 1)
+				)
+			)
+		)
+		"#).unwrap();
+
+		let return_val = execute_sandboxed(
+			&code,
+			&[
+				TypedValue::I32(0x1336),
+			]
+		).unwrap();
+		assert_eq!(return_val, ReturnValue::Value(TypedValue::I32(0x1337)));
+	}
+
+	#[test]
+	fn signatures_dont_matter() {
+		let code = wabt::wat2wasm(r#"
+		(module
+			(import "env" "polymorphic_id" (func $id_i32 (param i32) (result i32)))
+			(import "env" "polymorphic_id" (func $id_i64 (param i64) (result i64)))
+			(import "env" "assert" (func $assert (param i32)))
+
+			(func (export "call")
+				;; assert that we can actually call the "same" function with different
+				;; signatures.
+				(call $assert
+					(i32.eq
+						(call $id_i32
+							(i32.const 0x012345678)
+						)
+						(i32.const 0x012345678)
+					)
+				)
+				(call $assert
+					(i64.eq
+						(call $id_i64
+							(i64.const 0x0123456789abcdef)
+						)
+						(i64.const 0x0123456789abcdef)
+					)
+				)
+			)
+		)
+		"#).unwrap();
+
+		let return_val = execute_sandboxed(&code, &[]).unwrap();
+		assert_eq!(return_val, ReturnValue::Unit);
+	}
+
+	#[test]
+	fn cant_return_unmatching_type() {
+		fn env_returns_i32(_e: &mut (), _args: &[TypedValue]) -> Result<ReturnValue, HostError> {
+			Ok(ReturnValue::Value(TypedValue::I32(42)))
+		}
+
+		let mut env_builder = EnvironmentDefinitionBuilder::new();
+		env_builder.add_host_func("env", "returns_i32", env_returns_i32);
+
+		let code = wabt::wat2wasm(r#"
+		(module
+			;; It's actually returns i32, but imported as if it returned i64
+			(import "env" "returns_i32" (func $returns_i32 (result i64)))
+
+			(func (export "call")
+				(drop
+					(call $returns_i32)
+				)
+			)
+		)
+		"#).unwrap();
+
+		// It succeeds since we are able to import functions with types we want.
+		let mut instance = Instance::new(&code, &env_builder, &mut ()).unwrap();
+
+		// But this fails since we imported a function that returns i32 as if it returned i64.
+		assert_matches!(
+			instance.invoke("call", &[], &mut ()),
+			Err(Error::Execution)
+		);
+	}
+}

substrate/primitives/sandbox/without_std.rs

@@ -0,0 +1,278 @@
+// Copyright 2018-2019 Parity Technologies (UK) Ltd.
+// This file is part of Substrate.
+
+// Substrate is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// Substrate is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with Substrate.  If not, see <http://www.gnu.org/licenses/>.
+
+use sp_std::{prelude::*, slice, marker, mem, vec, rc::Rc};
+use codec::{Decode, Encode};
+use primitives::sandbox as sandbox_primitives;
+use super::{Error, TypedValue, ReturnValue, HostFuncType};
+use sp_io::sandbox;
+
+mod ffi {
+	use sp_std::mem;
+	use super::HostFuncType;
+
+	/// Index into the default table that points to a `HostFuncType`.
+	pub type HostFuncIndex = usize;
+
+	/// Coerce `HostFuncIndex` to a callable host function pointer.
+	///
+	/// # Safety
+	///
+	/// This function should be only called with a `HostFuncIndex` that was previously registered
+	/// in the environment definition. Typically this should only
+	/// be called with an argument received in `dispatch_thunk`.
+	pub unsafe fn coerce_host_index_to_func<T>(idx: HostFuncIndex) -> HostFuncType<T> {
+		// We need to ensure that sizes of a callable function pointer and host function index is
+		// indeed equal.
+		// We can't use `static_assertions` create because it makes compiler panic, fallback to runtime assert.
+		// const_assert!(mem::size_of::<HostFuncIndex>() == mem::size_of::<HostFuncType<T>>(),);
+		assert!(mem::size_of::<HostFuncIndex>() == mem::size_of::<HostFuncType<T>>());
+		mem::transmute::<HostFuncIndex, HostFuncType<T>>(idx)
+	}
+}
+
+struct MemoryHandle {
+	memory_idx: u32,
+}
+
+impl Drop for MemoryHandle {
+	fn drop(&mut self) {
+		sandbox::memory_teardown(self.memory_idx);
+	}
+}
+
+#[derive(Clone)]
+pub struct Memory {
+	// Handle to memory instance is wrapped to add reference-counting semantics
+	// to `Memory`.
+	handle: Rc<MemoryHandle>,
+}
+
+impl Memory {
+	pub fn new(initial: u32, maximum: Option<u32>) -> Result<Memory, Error> {
+		let maximum = if let Some(maximum) = maximum {
+			maximum
+		} else {
+			sandbox_primitives::MEM_UNLIMITED
+		};
+
+		match sandbox::memory_new(initial, maximum) {
+			sandbox_primitives::ERR_MODULE => Err(Error::Module),
+			memory_idx => Ok(Memory {
+				handle: Rc::new(MemoryHandle { memory_idx, }),
+			}),
+		}
+	}
+
+	pub fn get(&self, offset: u32, buf: &mut [u8]) -> Result<(), Error> {
+		let result = sandbox::memory_get(
+			self.handle.memory_idx,
+			offset,
+			buf.as_mut_ptr(),
+			buf.len() as u32,
+		);
+		match result {
+			sandbox_primitives::ERR_OK => Ok(()),
+			sandbox_primitives::ERR_OUT_OF_BOUNDS => Err(Error::OutOfBounds),
+			_ => unreachable!(),
+		}
+	}
+
+	pub fn set(&self, offset: u32, val: &[u8]) -> Result<(), Error> {
+		let result = sandbox::memory_set(
+			self.handle.memory_idx,
+			offset,
+			val.as_ptr() as _ ,
+			val.len() as u32,
+		);
+		match result {
+			sandbox_primitives::ERR_OK => Ok(()),
+			sandbox_primitives::ERR_OUT_OF_BOUNDS => Err(Error::OutOfBounds),
+			_ => unreachable!(),
+		}
+	}
+}
+
+pub struct EnvironmentDefinitionBuilder<T> {
+	env_def: sandbox_primitives::EnvironmentDefinition,
+	retained_memories: Vec<Memory>,
+	_marker: marker::PhantomData<T>,
+}
+
+impl<T> EnvironmentDefinitionBuilder<T> {
+	pub fn new() -> EnvironmentDefinitionBuilder<T> {
+		EnvironmentDefinitionBuilder {
+			env_def: sandbox_primitives::EnvironmentDefinition {
+				entries: Vec::new(),
+			},
+			retained_memories: Vec::new(),
+			_marker: marker::PhantomData::<T>,
+		}
+	}
+
+	fn add_entry<N1, N2>(
+		&mut self,
+		module: N1,
+		field: N2,
+		extern_entity: sandbox_primitives::ExternEntity,
+	) where
+		N1: Into<Vec<u8>>,
+		N2: Into<Vec<u8>>,
+	{
+		let entry = sandbox_primitives::Entry {
+			module_name: module.into(),
+			field_name: field.into(),
+			entity: extern_entity,
+		};
+		self.env_def.entries.push(entry);
+	}
+
+	pub fn add_host_func<N1, N2>(&mut self, module: N1, field: N2, f: HostFuncType<T>)
+	where
+		N1: Into<Vec<u8>>,
+		N2: Into<Vec<u8>>,
+	{
+		let f = sandbox_primitives::ExternEntity::Function(f as u32);
+		self.add_entry(module, field, f);
+	}
+
+	pub fn add_memory<N1, N2>(&mut self, module: N1, field: N2, mem: Memory)
+	where
+		N1: Into<Vec<u8>>,
+		N2: Into<Vec<u8>>,
+	{
+		// We need to retain memory to keep it alive while the EnvironmentDefinitionBuilder alive.
+		self.retained_memories.push(mem.clone());
+
+		let mem = sandbox_primitives::ExternEntity::Memory(mem.handle.memory_idx as u32);
+		self.add_entry(module, field, mem);
+	}
+}
+
+pub struct Instance<T> {
+	instance_idx: u32,
+	_retained_memories: Vec<Memory>,
+	_marker: marker::PhantomData<T>,
+}
+
+/// The primary responsibility of this thunk is to deserialize arguments and
+/// call the original function, specified by the index.
+extern "C" fn dispatch_thunk<T>(
+	serialized_args_ptr: *const u8,
+	serialized_args_len: usize,
+	state: usize,
+	f: ffi::HostFuncIndex,
+) -> u64 {
+	let serialized_args = unsafe {
+		if serialized_args_len == 0 {
+			&[]
+		} else {
+			slice::from_raw_parts(serialized_args_ptr, serialized_args_len)
+		}
+	};
+	let args = Vec::<TypedValue>::decode(&mut &serialized_args[..]).expect(
+		"serialized args should be provided by the runtime;
+			correctly serialized data should be deserializable;
+			qed",
+	);
+
+	unsafe {
+		// This should be safe since `coerce_host_index_to_func` is called with an argument
+		// received in an `dispatch_thunk` implementation, so `f` should point
+		// on a valid host function.
+		let f = ffi::coerce_host_index_to_func(f);
+
+		// This should be safe since mutable reference to T is passed upon the invocation.
+		let state = &mut *(state as *mut T);
+
+		// Pass control flow to the designated function.
+		let result = f(state, &args).encode();
+
+		// Leak the result vector and return the pointer to return data.
+		let result_ptr = result.as_ptr() as u64;
+		let result_len = result.len() as u64;
+		mem::forget(result);
+
+		(result_ptr << 32) | result_len
+	}
+}
+
+impl<T> Instance<T> {
+	pub fn new(
+		code: &[u8],
+		env_def_builder: &EnvironmentDefinitionBuilder<T>,
+		state: &mut T,
+	) -> Result<Instance<T>, Error> {
+		let serialized_env_def: Vec<u8> = env_def_builder.env_def.encode();
+		// It's very important to instantiate thunk with the right type.
+		let dispatch_thunk = dispatch_thunk::<T>;
+		let result = sandbox::instantiate(
+			dispatch_thunk as u32,
+			code,
+			&serialized_env_def,
+			state as *const T as _,
+		);
+
+		let instance_idx = match result {
+			sandbox_primitives::ERR_MODULE => return Err(Error::Module),
+			sandbox_primitives::ERR_EXECUTION => return Err(Error::Execution),
+			instance_idx => instance_idx,
+		};
+
+		// We need to retain memories to keep them alive while the Instance is alive.
+		let retained_memories = env_def_builder.retained_memories.clone();
+		Ok(Instance {
+			instance_idx,
+			_retained_memories: retained_memories,
+			_marker: marker::PhantomData::<T>,
+		})
+	}
+
+	pub fn invoke(
+		&mut self,
+		name: &str,
+		args: &[TypedValue],
+		state: &mut T,
+	) -> Result<ReturnValue, Error> {
+		let serialized_args = args.to_vec().encode();
+		let mut return_val = vec![0u8; sandbox_primitives::ReturnValue::ENCODED_MAX_SIZE];
+
+		let result = sandbox::invoke(
+			self.instance_idx,
+			name,
+			&serialized_args,
+			return_val.as_mut_ptr() as _,
+			return_val.len() as u32,
+			state as *const T as _,
+		);
+
+		match result {
+			sandbox_primitives::ERR_OK => {
+				let return_val = sandbox_primitives::ReturnValue::decode(&mut &return_val[..])
+					.map_err(|_| Error::Execution)?;
+				Ok(return_val)
+			}
+			sandbox_primitives::ERR_EXECUTION => Err(Error::Execution),
+			_ => unreachable!(),
+		}
+	}
+}
+
+impl<T> Drop for Instance<T> {
+	fn drop(&mut self) {
+		sandbox::instance_teardown(self.instance_idx);
+	}
+}