Add a "bounded runtime" mode to guest execution.

This modifies the instruction-counting mechanism to track an
instruction-count bound as well; and when a bound is set, the Wasm guest
will make a hostcall to yield back to the host context.

This is all placed under the `run_async()` function, so bounded-execution
yields manifest as futures that are immediately ready to continue execution.
This should give an executor main loop a chance to do other work at regular
intervals.

Author: cfallin

lucet-module/src/runtime.rs

@@ -4,6 +4,24 @@
 #[repr(align(8))]
 pub struct InstanceRuntimeData {
     pub globals_ptr: *mut i64,
-    pub instruction_count: u64,
+    /// `instruction_count_bound + instruction_count_adj` gives the total
+    /// instructions executed. We deconstruct the count into a signed adjustment
+    /// and a "bound" because we want to be able to set a runtime bound beyond
+    /// which we yield to the caller. We do this by beginning execution with
+    /// `instruction_count_adj` set to some negative value and
+    /// `instruction_count_bound` adjusted upward in compensation.
+    /// `instruction_count_adj` is incremented as execution proceeds; on each
+    /// increment, the Wasm code checks the carry flag. If the value crosses
+    /// zero (becomes positive), then we have exceeded the bound and we must
+    /// yield. At any point, the `adj` value can be adjusted downward by
+    /// transferring the count to the `bound`.
+    ///
+    /// Note that the bound-yield is only triggered if the `adj` value
+    /// transitions from negative to non-negative; in other words, it is
+    /// edge-triggered, not level-triggered. So entering code that has been
+    /// instrumented for instruction counting with `adj` >= 0 will result in no
+    /// bound ever triggered (until 2^64 instructions execute).
+    pub instruction_count_adj: i64,
+    pub instruction_count_bound: i64,
     pub stack_limit: u64,
 }

lucet-runtime/include/lucet_vmctx.h

@@ -42,4 +42,10 @@ void *lucet_vmctx_get_func_from_idx(struct lucet_vmctx const *ctx, uint32_t tabl
 // Mostly for tests - this conversion is builtin to lucetc
 int64_t *lucet_vmctx_get_globals(struct lucet_vmctx const *ctx);
 
+// Yield that is meant to be inserted by compiler instrumentation, transparent
+// to Wasm code execution. It is intended to be invoked periodically (e.g.,
+// every N instructions) to bound runtime of any particular execution slice of
+// Wasm code.
+void lucet_vmctx_yield_at_bound_expiration(struct lucet_vmctx const *ctx);
+
 #endif // LUCET_VMCTX_H

lucet-runtime/lucet-runtime-internals/src/future.rs

@@ -1,10 +1,11 @@
 use crate::error::Error;
-use crate::instance::{InstanceHandle, RunResult, State, TerminationDetails};
+use crate::instance::{InstanceHandle, InternalRunResult, RunResult, State, TerminationDetails};
 use crate::val::{UntypedRetVal, Val};
 use crate::vmctx::{Vmctx, VmctxInternal};
 use std::any::Any;
 use std::future::Future;
 use std::pin::Pin;
+use std::task::{Context, Poll};
 
 /// This is the same type defined by the `futures` library, but we don't need the rest of the
 /// library for this purpose.
@@ -75,23 +76,44 @@ impl Vmctx {
         // Wrap the computation in `YieldedFuture` so that
         // `Instance::run_async` can catch and run it.  We will get the
         // `ResumeVal` we applied to `f` above.
-        self.yield_impl::<YieldedFuture, ResumeVal>(YieldedFuture(f), false);
+        self.yield_impl::<YieldedFuture, ResumeVal>(YieldedFuture(f), false, false);
         let ResumeVal(v) = self.take_resumed_val();
         // We may now downcast and unbox the returned Box<dyn Any> into an `R`
         // again.
         *v.downcast().expect("run_async broke invariant")
     }
 }
 
-/// This struct needs to be exposed publicly in order for the signature of a
-/// "block_in_place" function to be writable, a concession we must make because
-/// Rust does not have rank 2 types. To prevent the user from inspecting or
-/// constructing the inside of this type, it is completely opaque.
-pub struct Bounce<'a>(BounceInner<'a>);
-
-enum BounceInner<'a> {
+enum Bounce<'a> {
     Done(UntypedRetVal),
     More(BoxFuture<'a, ResumeVal>),
+    BoundExpired,
+}
+
+/// A simple future that yields once. We use this to yield when a runtime bound is reached.
+///
+/// Inspired by Tokio's `yield_now()`.
+struct YieldNow {
+    yielded: bool,
+}
+
+impl YieldNow {
+    fn new() -> Self {
+        Self { yielded: false }
+    }
+}
+
+impl Future for YieldNow {
+    type Output = ();
+    fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<()> {
+        if self.yielded {
+            Poll::Ready(())
+        } else {
+            self.yielded = true;
+            cx.waker().wake_by_ref();
+            Poll::Pending
+        }
+    }
 }
 
 impl InstanceHandle {
@@ -101,51 +123,20 @@ impl InstanceHandle {
     /// that use `Vmctx::block_on` and provides the trampoline that `.await`s those futures on
     /// behalf of the guest.
     ///
+    /// If `runtime_bound` is provided, it will also pause the Wasm execution and yield a future
+    /// that resumes it after (approximately) that many Wasm opcodes have executed.
+    ///
     /// # `Vmctx` Restrictions
     ///
     /// This method permits the use of `Vmctx::block_on`, but disallows all other uses of `Vmctx::
     /// yield_val_expecting_val` and family (`Vmctx::yield_`, `Vmctx::yield_expecting_val`,
     /// `Vmctx::yield_val`).
-    ///
-    /// # Blocking thread
-    ///
-    /// The `wrap_blocking` argument is a function that is called with a closure that runs the Wasm
-    /// program. Since Wasm may execute for an arbitrarily long time without `await`ing, we need to
-    /// make sure that it runs on a thread that is allowed to block.
-    ///
-    /// This argument is designed with [`tokio::task::block_in_place`][tokio] in mind. The odd type
-    /// is a concession to the fact that we don't have rank 2 types in Rust, and so must fall back
-    /// to trait objects in order to be able to take an argument that is itself a function that
-    /// takes a closure.
-    ///
-    /// In order to provide an appropriate function, you may have to wrap the library function in
-    /// another closure so that the types are compatible. For example:
-    ///
-    /// ```no_run
-    /// # async fn f() {
-    /// # let instance: lucet_runtime_internals::instance::InstanceHandle = unimplemented!();
-    /// fn block_in_place<F, R>(f: F) -> R
-    /// where
-    ///     F: FnOnce() -> R,
-    /// {
-    ///     // ...
-    ///     # f()
-    /// }
-    ///
-    /// instance.run_async("entrypoint", &[], |f| block_in_place(f)).await.unwrap();
-    /// # }
-    /// ```
-    ///
-    /// [tokio]: https://docs.rs/tokio/0.2.21/tokio/task/fn.block_in_place.html
-    pub async fn run_async<'a, F>(
+    pub async fn run_async<'a>(
         &'a mut self,
         entrypoint: &'a str,
         args: &'a [Val],
-        wrap_blocking: F,
-    ) -> Result<UntypedRetVal, Error>
-    where
-        F: for<'b> Fn(&mut (dyn FnMut() -> Result<Bounce<'b>, Error>)) -> Result<Bounce<'b>, Error>,
-    {
+        runtime_bound: Option<u64>,
+    ) -> Result<UntypedRetVal, Error> {
         if self.is_yielded() {
             return Err(Error::Unsupported(
                 "cannot run_async a yielded instance".to_owned(),
@@ -156,37 +147,40 @@ impl InstanceHandle {
         let mut resume_val: Option<ResumeVal> = None;
         loop {
             // Run the WebAssembly program
-            let bounce = wrap_blocking(&mut || {
+            let bounce = {
                 let run_result = if self.is_yielded() {
                     // A previous iteration of the loop stored the ResumeVal in
                     // `resume_val`, send it back to the guest ctx and continue
                     // running:
-                    self.resume_with_val_impl(
+                    let result = self.resume_with_val_impl(
                         resume_val
                             .take()
                             .expect("is_yielded implies resume_value is some"),
                         true,
+                    )?;
+                    Ok(InternalRunResult::Normal(result))
+                } else if self.is_bound_expired() {
+                    self.resume_bounded(
+                        runtime_bound.expect("should have bound if guest had expired bound"),
                     )
                 } else {
                     // This is the first iteration, call the entrypoint:
                     let func = self.module.get_export_func(entrypoint)?;
-                    self.run_func(func, args, true)
+                    self.run_func(func, args, true, runtime_bound)
                 };
                 match run_result? {
-                    RunResult::Returned(rval) => {
+                    InternalRunResult::Normal(RunResult::Returned(rval)) => {
                         // Finished running, return UntypedReturnValue
-                        return Ok(Bounce(BounceInner::Done(rval)));
+                        Ok(Bounce::Done(rval))
                     }
-                    RunResult::Yielded(yval) => {
+                    InternalRunResult::Normal(RunResult::Yielded(yval)) => {
                         // Check if the yield came from Vmctx::block_on:
                         if yval.is::<YieldedFuture>() {
                             let YieldedFuture(future) = *yval.downcast::<YieldedFuture>().unwrap();
                             // Rehydrate the lifetime from `'static` to `'a`, which
                             // is morally the same lifetime as was passed into
                             // `Vmctx::block_on`.
-                            Ok(Bounce(BounceInner::More(
-                                future as BoxFuture<'a, ResumeVal>,
-                            )))
+                            Ok(Bounce::More(future as BoxFuture<'a, ResumeVal>))
                         } else {
                             // Any other yielded value is not supported - die with an error.
                             Err(Error::Unsupported(
@@ -195,17 +189,22 @@ impl InstanceHandle {
                             ))
                         }
                     }
+                    InternalRunResult::BoundExpired => Ok(Bounce::BoundExpired),
                 }
-            })?;
+            }?;
             match bounce {
-                Bounce(BounceInner::Done(rval)) => return Ok(rval),
-                Bounce(BounceInner::More(fut)) => {
+                Bounce::Done(rval) => return Ok(rval),
+                Bounce::More(fut) => {
                     // await on the computation. Store its result in
                     // `resume_val`.
                     resume_val = Some(fut.await);
                     // Now we want to `Instance::resume_with_val` and start
                     // this cycle over.
                 }
+                Bounce::BoundExpired => {
+                    // Await on a simple future that yields once then is ready.
+                    YieldNow::new().await
+                }
             }
         }
     }