refactor recursive reentrance checks (#12349)

* refactor recursive reentrance checks

This commit makes a few changes related to recursive reentrance checks, instance
poisoning, etc.:

- Implements the more restrictive lift/lower rules described in WebAssembly/component-model#589 such that a component instance may not lower a function lifted by one of its ancestors, nor vice-versa.  Any such lower will result in a fused adapter which traps unconditionally, preventing guest-to-guest recursive reentrance without requiring data flow analysis.
    - Note that this required updating several WAST tests which were violating the new rule, including some in the `tests/component-model` Git submodule, which I've updated.
    - This is handled entirely in the `fact` module now; I've removed the `AlwaysTrap` case previously handled by `wasmtime-cranelift`.
- Removes `FLAG_MAY_ENTER` from `InstanceFlags`.  It is no longer needed for guest-to-guest calls due to the above, and for guest-to-host-to-guest calls we can rely on either `FLAG_NEEDS_POST_RETURN` for sync-lifted functions or the `GuestTask` call stack for async-lifted functions.
- Adds a `StoreOpaque::trapped` field which is set when _any_ instance belonging to that store traps, at which point the entire store is considered poisoned, meaning no instance belonging to it may be entered.  This prevents indeterminant concurrent task state left over from the trapping instance from leaking into other instances.

Note that this does _not_ include code to push and pop `GuestTask` instances for
guest-to-guest sync-to-sync calls, nor for host-to-guest calls using e.g. the
synchronous `Func::call` API, so certain intrinsics which expect a `GuestTask`
to be present such as `backpressure.inc` will still fail in such cases.  I'll
address that in a later PR.

Also note that I made a small change to `wasmtime-wit-bindgen`, adding a `Send`
bound on the `T` type parameter for `store | async` functions.  This allowed me
to recursively call `{Typed}Func::call_concurrent` from inside a host function,
and it doesn't have any downsides AFAICT.

Fixes #12128

* bless bindgen expansions

* bless disas tests

* address review feedback

* sync `trap.h` with `trap_encoding.rs`

...and add const assertions to `trap.rs` to help avoid future divergence.

Author: dicej

crates/c-api/include/wasmtime/trap.h

@@ -47,12 +47,6 @@ enum wasmtime_trap_code_enum {
   WASMTIME_TRAP_CODE_UNREACHABLE_CODE_REACHED,
   /// Execution has potentially run too long and may be interrupted.
   WASMTIME_TRAP_CODE_INTERRUPT,
-  /// When the `component-model` feature is enabled this trap represents a
-  /// function that was `canon lift`'d, then `canon lower`'d, then called.
-  /// This combination of creation of a function in the component model
-  /// generates a function that always traps and, when called, produces this
-  /// flavor of trap.
-  WASMTIME_TRAP_CODE_ALWAYS_TRAP_ADAPTER,
   /// Execution has run out of the configured fuel amount.
   WASMTIME_TRAP_CODE_OUT_OF_FUEL,
   /// Used to indicate that a trap was raised by atomic wait operations on non
@@ -74,9 +68,47 @@ enum wasmtime_trap_code_enum {
   /// Async-lifted export failed to produce a result by calling `task.return`
   /// before returning `STATUS_DONE` and/or after all host tasks completed.
   WASMTIME_TRAP_CODE_NO_ASYNC_RESULT,
+  /// We are suspending to a tag for which there is no active handler.
+  WASMTIME_TRAP_CODE_UNHANDLED_TAG,
+  /// Attempt to resume a continuation twice.
+  WASMTIME_TRAP_CODE_CONTINUATION_ALREADY_CONSUMED,
   /// A Pulley opcode was executed at runtime when the opcode was disabled at
   /// compile time.
   WASMTIME_TRAP_CODE_DISABLED_OPCODE,
+  /// Async event loop deadlocked; i.e. it cannot make further progress given
+  /// that all host tasks have completed and any/all host-owned stream/future
+  /// handles have been dropped.
+  WASMTIME_TRAP_CODE_ASYNC_DEADLOCK,
+  /// When the `component-model` feature is enabled this trap represents a
+  /// scenario where a component instance tried to call an import or intrinsic
+  /// when it wasn't allowed to, e.g. from a post-return function.
+  WASMTIME_TRAP_CODE_CANNOT_LEAVE_COMPONENT,
+  /// A synchronous task attempted to make a potentially blocking call prior
+  /// to returning.
+  WASMTIME_TRAP_CODE_CANNOT_BLOCK_SYNC_TASK,
+  /// A component tried to lift a `char` with an invalid bit pattern.
+  WASMTIME_TRAP_CODE_INVALID_CHAR,
+  /// Debug assertion generated for a fused adapter regarding the expected
+  /// completion of a string encoding operation.
+  WASMTIME_TRAP_CODE_DEBUG_ASSERT_STRING_ENCODING_FINISHED,
+  /// Debug assertion generated for a fused adapter regarding a string
+  /// encoding operation.
+  WASMTIME_TRAP_CODE_DEBUG_ASSERT_EQUAL_CODE_UNITS,
+  /// Debug assertion generated for a fused adapter regarding the alignment of
+  /// a pointer.
+  WASMTIME_TRAP_CODE_DEBUG_ASSERT_POINTER_ALIGNED,
+  /// Debug assertion generated for a fused adapter regarding the upper bits
+  /// of a 64-bit value.
+  WASMTIME_TRAP_CODE_DEBUG_ASSERT_UPPER_BITS_UNSET,
+  /// A component tried to lift or lower a string past the end of its memory.
+  WASMTIME_TRAP_CODE_STRING_OUT_OF_BOUNDS,
+  /// A component tried to lift or lower a list past the end of its memory.
+  WASMTIME_TRAP_CODE_LIST_OUT_OF_BOUNDS,
+  /// A component used an invalid discriminant when lowering a variant value.
+  WASMTIME_TRAP_CODE_INVALID_DISCRIMINANT,
+  /// A component passed an unaligned pointer when lifting or lowering a
+  /// value.
+  WASMTIME_TRAP_CODE_UNALIGNED_POINTER,
 };
 
 /**

crates/c-api/src/trap.rs

@@ -2,6 +2,46 @@ use crate::{wasm_frame_vec_t, wasm_instance_t, wasm_name_t, wasm_store_t};
 use std::cell::OnceCell;
 use wasmtime::{Error, Trap, WasmBacktrace, format_err};
 
+// Help ensure the Rust enum matches the C one.  If any of these assertions
+// fail, please update both this code and `trap.h` to sync them with
+// `trap_encoding.rs`.
+const _: () = {
+    assert!(Trap::StackOverflow as u8 == 0);
+    assert!(Trap::MemoryOutOfBounds as u8 == 1);
+    assert!(Trap::HeapMisaligned as u8 == 2);
+    assert!(Trap::TableOutOfBounds as u8 == 3);
+    assert!(Trap::IndirectCallToNull as u8 == 4);
+    assert!(Trap::BadSignature as u8 == 5);
+    assert!(Trap::IntegerOverflow as u8 == 6);
+    assert!(Trap::IntegerDivisionByZero as u8 == 7);
+    assert!(Trap::BadConversionToInteger as u8 == 8);
+    assert!(Trap::UnreachableCodeReached as u8 == 9);
+    assert!(Trap::Interrupt as u8 == 10);
+    assert!(Trap::OutOfFuel as u8 == 11);
+    assert!(Trap::AtomicWaitNonSharedMemory as u8 == 12);
+    assert!(Trap::NullReference as u8 == 13);
+    assert!(Trap::ArrayOutOfBounds as u8 == 14);
+    assert!(Trap::AllocationTooLarge as u8 == 15);
+    assert!(Trap::CastFailure as u8 == 16);
+    assert!(Trap::CannotEnterComponent as u8 == 17);
+    assert!(Trap::NoAsyncResult as u8 == 18);
+    assert!(Trap::UnhandledTag as u8 == 19);
+    assert!(Trap::ContinuationAlreadyConsumed as u8 == 20);
+    assert!(Trap::DisabledOpcode as u8 == 21);
+    assert!(Trap::AsyncDeadlock as u8 == 22);
+    assert!(Trap::CannotLeaveComponent as u8 == 23);
+    assert!(Trap::CannotBlockSyncTask as u8 == 24);
+    assert!(Trap::InvalidChar as u8 == 25);
+    assert!(Trap::DebugAssertStringEncodingFinished as u8 == 26);
+    assert!(Trap::DebugAssertEqualCodeUnits as u8 == 27);
+    assert!(Trap::DebugAssertPointerAligned as u8 == 28);
+    assert!(Trap::DebugAssertUpperBitsUnset as u8 == 29);
+    assert!(Trap::StringOutOfBounds as u8 == 30);
+    assert!(Trap::ListOutOfBounds as u8 == 31);
+    assert!(Trap::InvalidDiscriminant as u8 == 32);
+    assert!(Trap::UnalignedPointer as u8 == 33);
+};
+
 #[repr(C)]
 pub struct wasm_trap_t {
     pub(crate) error: Error,

crates/c-api/tests/trap.cc

@@ -60,7 +60,6 @@ TEST(Trap, Codes) {
   TEST_CODE(BAD_CONVERSION_TO_INTEGER);
   TEST_CODE(UNREACHABLE_CODE_REACHED);
   TEST_CODE(INTERRUPT);
-  TEST_CODE(ALWAYS_TRAP_ADAPTER);
   TEST_CODE(OUT_OF_FUEL);
   TEST_CODE(ATOMIC_WAIT_NON_SHARED_MEMORY);
   TEST_CODE(NULL_REFERENCE);

crates/component-macro/tests/expanded/char_concurrent.rs

@@ -191,12 +191,12 @@ pub mod foo {
             use wasmtime::component::__internal::Box;
             pub trait HostWithStore: wasmtime::component::HasData + Send {
                 /// A function that accepts a character
-                fn take_char<T>(
+                fn take_char<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                     x: char,
                 ) -> impl ::core::future::Future<Output = ()> + Send;
                 /// A function that returns a character
-                fn return_char<T>(
+                fn return_char<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                 ) -> impl ::core::future::Future<Output = char> + Send;
             }

crates/component-macro/tests/expanded/conventions_concurrent.rs

@@ -224,47 +224,47 @@ pub mod foo {
                 );
             };
             pub trait HostWithStore: wasmtime::component::HasData + Send {
-                fn kebab_case<T>(
+                fn kebab_case<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                 ) -> impl ::core::future::Future<Output = ()> + Send;
-                fn foo<T>(
+                fn foo<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                     x: LudicrousSpeed,
                 ) -> impl ::core::future::Future<Output = ()> + Send;
-                fn function_with_dashes<T>(
+                fn function_with_dashes<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                 ) -> impl ::core::future::Future<Output = ()> + Send;
-                fn function_with_no_weird_characters<T>(
+                fn function_with_no_weird_characters<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                 ) -> impl ::core::future::Future<Output = ()> + Send;
-                fn apple<T>(
+                fn apple<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                 ) -> impl ::core::future::Future<Output = ()> + Send;
-                fn apple_pear<T>(
+                fn apple_pear<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                 ) -> impl ::core::future::Future<Output = ()> + Send;
-                fn apple_pear_grape<T>(
+                fn apple_pear_grape<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                 ) -> impl ::core::future::Future<Output = ()> + Send;
-                fn a0<T>(
+                fn a0<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                 ) -> impl ::core::future::Future<Output = ()> + Send;
                 /// Comment out identifiers that collide when mapped to snake_case, for now; see
                 ///  https://github.com/WebAssembly/component-model/issues/118
                 /// APPLE: func()
                 /// APPLE-pear-GRAPE: func()
                 /// apple-PEAR-grape: func()
-                fn is_xml<T>(
+                fn is_xml<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                 ) -> impl ::core::future::Future<Output = ()> + Send;
-                fn explicit<T>(
+                fn explicit<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                 ) -> impl ::core::future::Future<Output = ()> + Send;
-                fn explicit_kebab<T>(
+                fn explicit_kebab<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                 ) -> impl ::core::future::Future<Output = ()> + Send;
                 /// Identifiers with the same name as keywords are quoted.
-                fn bool<T>(
+                fn bool<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                 ) -> impl ::core::future::Future<Output = ()> + Send;
             }

crates/component-macro/tests/expanded/dead-code_concurrent.rs

@@ -206,7 +206,7 @@ pub mod a {
                 );
             };
             pub trait HostWithStore: wasmtime::component::HasData + Send {
-                fn f<T>(
+                fn f<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                 ) -> impl ::core::future::Future<Output = LiveType> + Send;
             }

crates/component-macro/tests/expanded/direct-import_concurrent.rs

@@ -99,7 +99,7 @@ pub struct FooIndices {}
 /// [`Linker`]: wasmtime::component::Linker
 pub struct Foo {}
 pub trait FooImportsWithStore: wasmtime::component::HasData + Send {
-    fn foo<T>(
+    fn foo<T: Send>(
         accessor: &wasmtime::component::Accessor<T, Self>,
     ) -> impl ::core::future::Future<Output = ()> + Send;
 }

crates/component-macro/tests/expanded/flags_concurrent.rs

@@ -304,31 +304,31 @@ pub mod foo {
                 assert!(4 == < Flag64 as wasmtime::component::ComponentType >::ALIGN32);
             };
             pub trait HostWithStore: wasmtime::component::HasData + Send {
-                fn roundtrip_flag1<T>(
+                fn roundtrip_flag1<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                     x: Flag1,
                 ) -> impl ::core::future::Future<Output = Flag1> + Send;
-                fn roundtrip_flag2<T>(
+                fn roundtrip_flag2<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                     x: Flag2,
                 ) -> impl ::core::future::Future<Output = Flag2> + Send;
-                fn roundtrip_flag4<T>(
+                fn roundtrip_flag4<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                     x: Flag4,
                 ) -> impl ::core::future::Future<Output = Flag4> + Send;
-                fn roundtrip_flag8<T>(
+                fn roundtrip_flag8<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                     x: Flag8,
                 ) -> impl ::core::future::Future<Output = Flag8> + Send;
-                fn roundtrip_flag16<T>(
+                fn roundtrip_flag16<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                     x: Flag16,
                 ) -> impl ::core::future::Future<Output = Flag16> + Send;
-                fn roundtrip_flag32<T>(
+                fn roundtrip_flag32<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                     x: Flag32,
                 ) -> impl ::core::future::Future<Output = Flag32> + Send;
-                fn roundtrip_flag64<T>(
+                fn roundtrip_flag64<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                     x: Flag64,
                 ) -> impl ::core::future::Future<Output = Flag64> + Send;

crates/component-macro/tests/expanded/floats_concurrent.rs

@@ -192,18 +192,18 @@ pub mod foo {
             #[allow(unused_imports)]
             use wasmtime::component::__internal::Box;
             pub trait HostWithStore: wasmtime::component::HasData + Send {
-                fn f32_param<T>(
+                fn f32_param<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                     x: f32,
                 ) -> impl ::core::future::Future<Output = ()> + Send;
-                fn f64_param<T>(
+                fn f64_param<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                     x: f64,
                 ) -> impl ::core::future::Future<Output = ()> + Send;
-                fn f32_result<T>(
+                fn f32_result<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                 ) -> impl ::core::future::Future<Output = f32> + Send;
-                fn f64_result<T>(
+                fn f64_result<T: Send>(
                     accessor: &wasmtime::component::Accessor<T, Self>,
                 ) -> impl ::core::future::Future<Output = f64> + Send;
             }

crates/component-macro/tests/expanded/host-world_concurrent.rs

@@ -99,7 +99,7 @@ pub struct Host_Indices {}
 /// [`Linker`]: wasmtime::component::Linker
 pub struct Host_ {}
 pub trait Host_ImportsWithStore: wasmtime::component::HasData + Send {
-    fn foo<T>(
+    fn foo<T: Send>(
         accessor: &wasmtime::component::Accessor<T, Self>,
     ) -> impl ::core::future::Future<Output = ()> + Send;
 }