lucet icon indicating copy to clipboard operation
lucet copied to clipboard

Published 20 hours ago verified publisher icon bytecodealliance

Move AsyncContext to field on Instance rather than field on State

Open benaubin opened this issue 3 years ago • 8 comments

Addresses #643. @pchickey

Here's the code diff versus main, prior to the revert of #626: https://github.com/bytecodealliance/lucet/compare/2a026708087ead515b63546c614cebe5e5ec0ff2...benaubin:custom-run-async-future

benaubin avatar Feb 26 '21 02:02 benaubin

Side note: it's kind of ironic that the Arc, which I originally introduced to remove unsafe/potentially unsound code, ended up causing an unsoundness issue.

benaubin avatar Feb 26 '21 03:02 benaubin

Rebased onto main. Squashed all the changes together to make it easier to cherry-pick onto #643.

benaubin avatar Feb 27 '21 02:02 benaubin

收到,谢谢! ----- 原始邮件 ----- 发件人:Ben Aubin [email protected] 收件人:bytecodealliance/lucet [email protected] 抄送人:Subscribed [email protected] 主题:Re: [bytecodealliance/lucet] Move AsyncContext to field on Instance rather than field on State (#644) 日期:2021年02月27日 10点55分

Rebased onto main, squashed the changes together, so I could cherry-pick onto #643.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.

kaisa001 avatar Feb 27 '21 05:02 kaisa001

Translation: image

benaubin avatar Feb 27 '21 18:02 benaubin

As a quick update - the Lucet folks at Fastly have discussed this and we are keen on removing the asynchronous (signal-based) timeouts feature in favor of synchronous fuel-based timeouts. Our first reason is that making that change will make this code sound: all rust code that is safe ought to be sound, and the way in which this was unsound was surprising to us, the "experts", so how could anyone be confident? The second reason to get rid of asynchronous timeouts is that Wasmtime doesn't have them, and we don't think we want to add them there. Fastly and other Lucet users will need a migration path to Wasmtime and, if that feature can't ever migrate, we should get rid of it.

pchickey avatar Mar 01 '21 19:03 pchickey

@pchickey I agree with that rationale. Should there be a new issue to discuss replacing async signals? This PR sidesteps the signal safety issue entirely by moving the Arc to the instance, rather than State.

As a stopgap, forcing State to derive Copy will prevent any field from implementing Drop, preventing unsound behavior. Of course, that would require adjusting the Yielded state to remove Box

benaubin avatar Mar 01 '21 20:03 benaubin

On removing signals: I don't love gas/instruction counting as the sole criteria for stopping instances, because malicious guests can consume a much larger (orders of magnitude more) amount of CPU time (such as by forcing a large number of cache misses), versus benevolent guests.

Would it be sound to call a user-defined function for on_bound_expired? Then, it would be possible to check metrics like CPU time without having to pay a context switch each time.

Note: no matter what, signals will need to be handled by the instance. Especially SIGFPE/SIGSEGV, which could maybe be caused by a faulty guest, and should (probably) be handled with guest termination.

benaubin avatar Mar 01 '21 20:03 benaubin

Also, in case it helps review, here's the code diff versus the commit on main immediately prior to the revert of #626: https://github.com/bytecodealliance/lucet/compare/2a026708087ead515b63546c614cebe5e5ec0ff2...benaubin:custom-run-async-future

benaubin avatar Mar 01 '21 20:03 benaubin