Remove Boxing and shrink the wasm default sizes on Linux

Signed-off-by: James Sturtevant <jsturtevant@gmail.com>

Author: jsturtevant

docs/end-user-overview-slides.md

@@ -261,18 +261,19 @@ resp = http_get("https://other.com/admin")
 
 Measured from `benchmark.py` (release build) — 5 cold / 10 warm rounds, averages shown.
 
+==========================================================================================
 Step                                    Wasm + Python Wasm + JavaScript      HyperlightJS
 -----------------------------------------------------------------------------------------
-Cold start (create + first run)              420.8 ms          409.2 ms          386.8 ms
-Warm run (no restore)                          0.2 ms            0.4 ms            0.1 ms
-Cold start + tool dispatch                   370.7 ms          384.1 ms          387.7 ms
-Warm tool dispatch (no restore)                0.4 ms            0.4 ms            0.1 ms
-Cold start + file I/O                        451.9 ms          443.5 ms          373.7 ms
-Warm file I/O (no restore)                     0.3 ms            0.5 ms            0.1 ms
-Snapshot                                     239.6 ms          215.3 ms          168.9 ms
-Restore                                       46.7 ms           43.5 ms           41.9 ms
-Restore + run                                  2.6 ms            3.3 ms            1.5 ms
-Restore + tool dispatch                        2.7 ms            3.2 ms            1.3 ms
+Cold start (create + first run)              143.9 ms          119.9 ms           96.7 ms
+Warm run (no restore)                          0.2 ms            0.3 ms            0.1 ms
+Cold start + tool dispatch                   138.1 ms          114.5 ms          105.4 ms
+Warm tool dispatch (no restore)                0.4 ms            0.3 ms            0.1 ms
+Cold start + file I/O                        125.7 ms          119.4 ms          101.8 ms
+Warm file I/O (no restore)                     0.3 ms            0.4 ms            0.1 ms
+Snapshot                                      59.1 ms           59.7 ms           20.5 ms
+Restore                                       11.4 ms           11.1 ms           11.5 ms
+Restore + run                                  1.5 ms            1.3 ms            0.7 ms
+Restore + tool dispatch                        1.3 ms            1.2 ms            0.6 ms
 
 
 ---

src/hyperlight_sandbox/src/lib.rs

@@ -10,7 +10,6 @@ pub mod runtime;
 pub mod test_utils;
 pub mod tools;
 
-use std::any::Any;
 use std::path::{Path, PathBuf};
 
 use anyhow::Result;
@@ -30,13 +29,13 @@ pub use tools::{ArgType, ToolRegistry, ToolSchema};
 #[cfg(windows)]
 pub const DEFAULT_HEAP_SIZE: u64 = 400 * 1024 * 1024;
 #[cfg(not(windows))]
-pub const DEFAULT_HEAP_SIZE: u64 = 200 * 1024 * 1024;
+pub const DEFAULT_HEAP_SIZE: u64 = 25 * 1024 * 1024;
 
 /// Default guest stack / scratch size in bytes (platform-dependent).
 #[cfg(windows)]
 pub const DEFAULT_STACK_SIZE: u64 = 200 * 1024 * 1024;
 #[cfg(not(windows))]
-pub const DEFAULT_STACK_SIZE: u64 = 100 * 1024 * 1024;
+pub const DEFAULT_STACK_SIZE: u64 = 35 * 1024 * 1024;
 
 /// Configuration for building a sandbox guest.
 #[derive(Debug, Clone)]
@@ -75,42 +74,31 @@ pub struct ExecutionResult {
 // Snapshot
 // ---------------------------------------------------------------------------
 
-#[derive(Clone)]
-pub struct Snapshot {
+pub struct Snapshot<T> {
     kind: &'static str,
-    runtime: std::sync::Arc<dyn Any + Send + Sync>,
+    snapshot: std::sync::Arc<T>,
 }
 
-impl Snapshot {
+impl<T> Clone for Snapshot<T> {
+    fn clone(&self) -> Self {
+        Self {
+            kind: self.kind,
+            snapshot: self.snapshot.clone(),
+        }
+    }
+}
+
+impl<T> Snapshot<T> {
     pub fn kind(&self) -> &'static str {
         self.kind
     }
 
-    pub fn new<T>(kind: &'static str, runtime: std::sync::Arc<T>) -> Self
-    where
-        T: Any + Send + Sync + 'static,
-    {
-        Self { kind, runtime }
+    pub fn new(kind: &'static str, snapshot: std::sync::Arc<T>) -> Self {
+        Self { kind, snapshot }
     }
 
-    pub fn restore<T>(
-        &self,
-        restore_runtime: impl FnOnce(std::sync::Arc<T>) -> Result<()>,
-        fs: &std::sync::Arc<std::sync::Mutex<CapFs>>,
-    ) -> Result<()>
-    where
-        T: Any + Send + Sync + 'static,
-    {
-        let runtime = self
-            .runtime
-            .clone()
-            .downcast::<T>()
-            .map_err(|_| anyhow::anyhow!("snapshot type mismatch (kind: {})", self.kind))?;
-        restore_runtime(runtime)?;
-        fs.lock()
-            .map_err(|_| anyhow::anyhow!("filesystem mutex poisoned during snapshot restore"))?
-            .clear_output_files();
-        Ok(())
+    pub fn snapshot(&self) -> &std::sync::Arc<T> {
+        &self.snapshot
     }
 }
 
@@ -119,48 +107,50 @@ impl Snapshot {
 // ---------------------------------------------------------------------------
 
 pub trait Guest: Sized {
+    type Sandbox: GuestSandbox;
     fn build(
         self,
         config: SandboxConfig,
         tools: ToolRegistry,
         network: std::sync::Arc<std::sync::Mutex<NetworkPermissions>>,
         fs: std::sync::Arc<std::sync::Mutex<CapFs>>,
-    ) -> Result<Box<dyn GuestSandbox>>;
+    ) -> Result<Self::Sandbox>;
 }
 
 pub trait GuestSandbox: Send {
+    type SnapshotData: Send + Sync + 'static;
     /// Execute guest code.
     ///
     /// Output files under `/output` are wiped before each execution.
     /// Input files are read-only and managed by the host.
     fn run(&mut self, code: &str) -> Result<ExecutionResult>;
     /// Capture a snapshot of the guest runtime state.
-    fn snapshot(&mut self) -> Result<Snapshot>;
+    fn snapshot(&mut self) -> Result<Snapshot<Self::SnapshotData>>;
     /// Restore a previously captured guest runtime state.
-    fn restore(&mut self, snapshot: &Snapshot) -> Result<()>;
+    fn restore(&mut self, snapshot: &Snapshot<Self::SnapshotData>) -> Result<()>;
 }
 
 // ---------------------------------------------------------------------------
 // Sandbox
 // ---------------------------------------------------------------------------
 
-pub struct Sandbox {
-    inner: Box<dyn GuestSandbox>,
+pub struct Sandbox<G: Guest> {
+    inner: G::Sandbox,
     network: std::sync::Arc<std::sync::Mutex<NetworkPermissions>>,
     fs: std::sync::Arc<std::sync::Mutex<CapFs>>,
 }
 
-impl Sandbox {
+impl<G: Guest> Sandbox<G> {
     /// Create a sandbox without filesystem access.
-    pub fn new<G: Guest>(guest: G, config: SandboxConfig, tools: ToolRegistry) -> Result<Self> {
+    pub fn new(guest: G, config: SandboxConfig, tools: ToolRegistry) -> Result<Self> {
         let network = std::sync::Arc::new(std::sync::Mutex::new(NetworkPermissions::new()));
         let fs = std::sync::Arc::new(std::sync::Mutex::new(CapFs::new()));
         let inner = guest.build(config, tools, network.clone(), fs.clone())?;
         Ok(Self { inner, network, fs })
     }
 
     /// Create a sandbox with a read-only input directory.
-    pub fn with_input<G: Guest>(
+    pub fn with_input(
         guest: G,
         config: SandboxConfig,
         tools: ToolRegistry,
@@ -173,10 +163,6 @@ impl Sandbox {
         Ok(Self { inner, network, fs })
     }
 
-    pub fn builder() -> SandboxBuilder<NoGuest> {
-        SandboxBuilder::default()
-    }
-
     /// Execute guest code.
     ///
     /// Output files under `/output` are cleared before each run. Input files
@@ -185,12 +171,17 @@ impl Sandbox {
         self.inner.run(code)
     }
 
-    pub fn snapshot(&mut self) -> Result<Snapshot> {
+    pub fn snapshot(&mut self) -> Result<Snapshot<<G::Sandbox as GuestSandbox>::SnapshotData>> {
         self.inner.snapshot()
     }
 
-    pub fn restore(&mut self, snapshot: &Snapshot) -> Result<()> {
-        self.inner.restore(snapshot)
+    pub fn restore(&mut self, snapshot: &Snapshot<<G::Sandbox as GuestSandbox>::SnapshotData>) -> Result<()> {
+        self.inner.restore(snapshot)?;
+        self.fs
+            .lock()
+            .map_err(|_| anyhow::anyhow!("filesystem mutex poisoned during snapshot restore"))?
+            .clear_output_files();
+        Ok(())
     }
 
     /// List filenames in the output directory (without reading contents).
@@ -231,7 +222,7 @@ pub struct NoGuest;
 /// Builder for constructing a [`Sandbox`].
 ///
 /// ```rust,ignore
-/// let sandbox = Sandbox::builder()
+/// let sandbox = SandboxBuilder::new()
 ///     .module_path("guest.aot")
 ///     .output_dir("/tmp/sandbox-out")
 ///     .guest(Wasm)
@@ -246,6 +237,12 @@ pub struct SandboxBuilder<G = NoGuest> {
     temp_output: bool,
 }
 
+impl SandboxBuilder<NoGuest> {
+    pub fn new() -> Self {
+        Self::default()
+    }
+}
+
 impl Default for SandboxBuilder<NoGuest> {
     fn default() -> Self {
         Self {
@@ -336,7 +333,7 @@ impl<G> SandboxBuilder<G>
 where
     G: Guest,
 {
-    pub fn build(self) -> Result<Sandbox> {
+    pub fn build(self) -> Result<Sandbox<G>> {
         let network = std::sync::Arc::new(std::sync::Mutex::new(NetworkPermissions::new()));
         let mut vfs = CapFs::new();
         if let Some(input_dir) = &self.input_dir {

src/javascript_sandbox/examples/basics.rs

@@ -7,7 +7,7 @@
 //! Network tests live in network_demo.rs.
 
 use hyperlight_javascript_sandbox::HyperlightJs;
-use hyperlight_sandbox::{Sandbox, ToolRegistry};
+use hyperlight_sandbox::{Sandbox, SandboxBuilder, ToolRegistry};
 use serde::Deserialize;
 
 fn separator(title: &str) {
@@ -54,7 +54,7 @@ fn main() {
         Ok(serde_json::json!(val))
     });
 
-    let mut sandbox = Sandbox::builder()
+    let mut sandbox = SandboxBuilder::new()
         .guest(HyperlightJs)
         .with_tools(tools)
         .build()

src/javascript_sandbox/examples/filesystem_demo.rs

@@ -1,7 +1,7 @@
 //! Filesystem capabilities demo for the JavaScript sandbox.
 
 use hyperlight_javascript_sandbox::HyperlightJs;
-use hyperlight_sandbox::{DirPerms, FilePerms, Sandbox};
+use hyperlight_sandbox::{DirPerms, FilePerms, Sandbox, SandboxBuilder};
 
 fn separator(label: &str) {
     println!("\n── {label} ──");
@@ -10,7 +10,7 @@ fn separator(label: &str) {
 fn main() {
     // ── 1: No filesystem ────────────────────────────────────────────
     separator("Test 1: No filesystem");
-    let mut sandbox = Sandbox::builder()
+    let mut sandbox = SandboxBuilder::new()
         .guest(HyperlightJs)
         .build()
         .expect("failed to create sandbox");
@@ -31,7 +31,7 @@ fn main() {
     let input_tmp = tempfile::tempdir().unwrap();
     std::fs::write(input_tmp.path().join("hello.txt"), b"hello from host").unwrap();
 
-    let mut sandbox = Sandbox::builder()
+    let mut sandbox = SandboxBuilder::new()
         .guest(HyperlightJs)
         .input_dir(input_tmp.path())
         .build()
@@ -50,7 +50,7 @@ fn main() {
 
     // ── 3: Temp output only ─────────────────────────────────────────
     separator("Test 3: Temp output only");
-    let mut sandbox = Sandbox::builder()
+    let mut sandbox = SandboxBuilder::new()
         .guest(HyperlightJs)
         .temp_output()
         .build()
@@ -74,7 +74,7 @@ fn main() {
     let input_tmp = tempfile::tempdir().unwrap();
     std::fs::write(input_tmp.path().join("data.json"), br#"{"n": 21}"#).unwrap();
 
-    let mut sandbox = Sandbox::builder()
+    let mut sandbox = SandboxBuilder::new()
         .guest(HyperlightJs)
         .input_dir(input_tmp.path())
         .temp_output()
@@ -112,7 +112,7 @@ console.log('doubled: ' + data.n * 2);
     let output_tmp = tempfile::tempdir().unwrap();
     std::fs::write(input_tmp.path().join("msg.txt"), b"shout").unwrap();
 
-    let mut sandbox = Sandbox::builder()
+    let mut sandbox = SandboxBuilder::new()
         .guest(HyperlightJs)
         .input_dir(input_tmp.path())
         .output_dir(
@@ -139,7 +139,7 @@ console.log('done');
 
     // ── 6: Output wiped between runs ────────────────────────────────
     separator("Test 6: Output is ephemeral");
-    let mut sandbox = Sandbox::builder()
+    let mut sandbox = SandboxBuilder::new()
         .guest(HyperlightJs)
         .temp_output()
         .build()
@@ -168,7 +168,7 @@ console.log('done');
     let input_tmp = tempfile::tempdir().unwrap();
     std::fs::write(input_tmp.path().join("readonly.txt"), b"do not modify").unwrap();
 
-    let mut sandbox = Sandbox::builder()
+    let mut sandbox = SandboxBuilder::new()
         .guest(HyperlightJs)
         .input_dir(input_tmp.path())
         .build()

src/javascript_sandbox/examples/network_demo.rs

@@ -1,7 +1,7 @@
 //! Network access demo for the HyperlightJS sandbox backend.
 
 use hyperlight_javascript_sandbox::HyperlightJs;
-use hyperlight_sandbox::Sandbox;
+use hyperlight_sandbox::{Sandbox, SandboxBuilder};
 
 fn separator(title: &str) {
     println!("\n{}", "═".repeat(60));
@@ -10,7 +10,7 @@ fn separator(title: &str) {
 }
 
 fn main() {
-    let mut sandbox = Sandbox::builder()
+    let mut sandbox = SandboxBuilder::new()
         .guest(HyperlightJs)
         .build()
         .expect("failed to create JS sandbox");