Conversation
When we clean up these interfaces, it'd be nice to make these pseudo files rather than opening an actual file decriptor, so there are no system calls involved in creating a new WASI context.
This makes it possible to properly unwind within hostcalls, though panics that travel across the host/guest boundary will still not behave properly due to stack layout.
This makes almost all of the `Vmctx` methods into `&self`, so hostcalls won't have to go through as many contortions when using multiple parts of the context. To report dynamic borrowing errors, there is a new `TerminationDetails` variant.
|
Amazing work. Have you looked at how much overhead the hostcall wrapping adds at runtime to simple hostcalls? |
pchickey
left a comment
pchickey
left a comment
There was a problem hiding this comment.
great work on this! Really like how it turned out.
|
👍 |
This doesn't seem to make much of a dent in the benchmarking time, but it's the right thing to do
Also adds a privileged type for terminating from C
Also update cranelift, that already moved to faerie 0.10.
This was previously causing the Lucet sigstack to stay installed after an instance returns, as long as another instance was running.
awortman-fastly
left a comment
awortman-fastly
left a comment
There was a problem hiding this comment.
I really like how this reads 🎉
This patch renames these fields to emphasize that they are views into memory managed elsewhere, rather than a normal Rust-allocated structure. Also adds comments whenever we use `Box::leak()` to avoid normal Rust deallocation.
…ration Adapted new hostcalls to new interfaces
| /// ```ignore | ||
| /// #[$attr1] | ||
| /// #[$attr2] | ||
| /// ... // any number of attributes are supported; in most cases you will want `#[no_mangle]` |
There was a problem hiding this comment.
What would be a case where would not want #[no_mangle]?
There was a problem hiding this comment.
It's useful when we're defining hostcalls for a MockModuleBuilder, so hostcalls for different tests don't interfere with each other.
There was a problem hiding this comment.
Actually, these aren't technically hostcalls, but are the fake guest functions that go into the module
jedisct1
left a comment
jedisct1
left a comment
There was a problem hiding this comment.
This is a nice improvement, and the solution is very clean.
No apparent regression, even on macOS.
Great!
5 participants
This PR includes a few things developed while updating Terrarium to use newer versions of Lucet.
Termination and unwinding
We now use a combination of
panic!andcatch_unwindto ensure that any resources that were held at the time an instance is terminated (such asMutexes orFiles) are properly disposed of.Note that so far, this only works for the case where we are in at most one hostcall context. If we have a stack with
guest -> host -> guest -> host, the firsthostsegment will not be properly unwound.We believe this is a reasonable limitation at this point, but more work will be required to support unwinding across guest stacks.
lucet_hostcall_terminate!This replaces
Vmctx::terminate(), and is implemented in terms ofpanic!. As before, it allows the user to return anAnyvalue for the termination details. It must only be used within the scope of...lucet_hostcalls!This is a macro for defining hostcalls in Rust. In particular, it uses
catch_unwindto make sure that panics raised bylucet_hostcall_terminate!are properly caught, with the instance shutting down in a terminated state.Vmctxinterface reworkBecause so many resources are accessed through
Vmctx, practical applications quickly ran into limitations with borrow-checking. In particular, holding a mutable reference to the heap meant that one could not hold even an immutable reference to an embedder context, which is a big problem if one needed to copy data from one to the other. Even ifVmctx's resources were accessed via fields, allowing split borrows, we would still have similar borrowing issues if multiple embedder contexts are used.This PR uses
RefCells to instead enforce borrowing rules dynamically. In practice, the innocuous situations described above will work fine, but if the borrowing rules get violated, the instance will terminate using the machinery described above.The
Vmctxheap,globals, andget_embed_ctxinterfaces are now all subject to this dynamic borrowing. The latter is now a bit awkward to access from outside of a hostcall, as it returns anOption<Result<Ref<T>, BorrowError>>, so maybe we'll want morelucet_runtime::Errorvariants down the road.WASI stdio default
We're required to provide working file descriptors for stdio, but we now default to providing
/dev/null, with the option to inherit stdio. When we have a chance to write a properly Rusty system for managing WASI capabilities, we should turn these into virtual handles that mimic/dev/null's behavior, but currently we must have a real file descriptor there.The return of
--reserved-sizeforlucetcOverrides
--{min,max}-reserved-sizeif set, making them equal.