Implement interrupting wasm code, reimplement stack overflow

This commit is a relatively large change for wasmtime with two main
goals:

* Primarily this enables interrupting executing wasm code with a trap,
  preventing infinite loops in wasm code. Note that resumption of the
  wasm code is not a goal of this commit.

* Additionally this commit reimplements how we handle stack overflow to
  ensure that host functions always have a reasonable amount of stack to
  run on. This fixes an issue where we might longjmp out of a host
  function, skipping destructors.

Lots of various odds and ends end up falling out in this commit once the
two goals above were implemented. The strategy for implementing this was
also lifted from Spidermonkey and existing functionality inside of
Cranelift. I've tried to write up thorough documentation of how this all
works in `crates/environ/src/cranelift.rs` where gnarly-ish bits are.

A brief summary of how this works is that each function and each loop
header now checks to see if they're interrupted. Interrupts and the
stack overflow check are actually folded into one now, where function
headers check to see if they've run out of stack and the sentinel value
used to indicate an interrupt, checked in loop headers, tricks functions
into thinking they're out of stack. An interrupt is basically just
writing a value to a location which is read by JIT code.

When interrupts are delivered and what triggers them has been left up to
embedders of the `wasmtime` crate. The `wasmtime::Store` type has a
method to acquire an `InterruptHandle`, where `InterruptHandle` is a
`Send` and `Sync` type which can travel to other threads (or perhaps
even a signal handler) to get notified from. It's intended that this
provides a good degree of flexibility when interrupting wasm code. Note
though that this does have a large caveat where interrupts don't work
when you're interrupting host code, so if you've got a host import
blocking for a long time an interrupt won't actually be received until
the wasm starts running again.

Some fallout included from this change is:

* Unix signal handlers are no longer registered with `SA_ONSTACK`.
  Instead they run on the native stack the thread was already using.
  This is possible since stack overflow isn't handled by hitting the
  guard page, but rather it's explicitly checked for in wasm now. Native
  stack overflow will continue to abort the process as usual.

* Unix sigaltstack management is now no longer necessary since we don't
  use it any more.

* Windows no longer has any need to reset guard pages since we no longer
  try to recover from faults on guard pages.

* On all targets probestack intrinsics are disabled since we use a
  different mechanism for catching stack overflow.

* The C API has been updated with interrupts handles. An example has
  also been added which shows off how to interrupt a module.

Closes #139
Closes #860
Closes #900

Author: alexcrichton

cranelift/codegen/src/ir/function.rs

@@ -4,6 +4,7 @@
 //! instructions.
 
 use crate::binemit::CodeOffset;
+use crate::cursor::EncCursor;
 use crate::entity::{PrimaryMap, SecondaryMap};
 use crate::ir;
 use crate::ir::{
@@ -96,6 +97,18 @@ pub struct Function {
     /// are saved in the frame. This information is created during the prologue and epilogue
     /// passes.
     pub frame_layout: Option<FrameLayout>,
+
+    /// An optional closure which calculates the stack limit for this function
+    /// from the arguments of the function.
+    ///
+    /// When configured a stack check will be emitted in the prologue of this
+    /// function, trapping if the stack check fails. This closure, if specified,
+    /// can be then used to infer the stack limit from provided arguments as an
+    /// alternative to using `ArgumentPurpose::StackLimit`.
+    ///
+    /// The first argument is the cursor we're encoding the prologue too, and
+    /// the second argument is a scratch register location if necessary.
+    pub stack_limit_from_arguments: Option<fn(&mut EncCursor, ir::ValueLoc) -> ir::Value>,
 }
 
 impl Function {
@@ -120,6 +133,7 @@ impl Function {
             srclocs: SecondaryMap::new(),
             prologue_end: None,
             frame_layout: None,
+            stack_limit_from_arguments: None,
         }
     }
 
@@ -141,6 +155,7 @@ impl Function {
         self.srclocs.clear();
         self.prologue_end = None;
         self.frame_layout = None;
+        self.stack_limit_from_arguments = None;
     }
 
     /// Create a new empty, anonymous function with a Fast calling convention.

cranelift/codegen/src/isa/x86/abi.rs

@@ -641,17 +641,33 @@ fn insert_common_prologue(
     isa: &dyn TargetIsa,
 ) -> Option<CFAState> {
     let word_size = isa.pointer_bytes() as isize;
-    if stack_size > 0 {
-        // Check if there is a special stack limit parameter. If so insert stack check.
-        if let Some(stack_limit_arg) = pos.func.special_param(ArgumentPurpose::StackLimit) {
-            // Total stack size is the size of all stack area used by the function, including
-            // pushed CSRs, frame pointer.
-            // Also, the size of a return address, implicitly pushed by a x86 `call` instruction,
-            // also should be accounted for.
-            // TODO: Check if the function body actually contains a `call` instruction.
-            let total_stack_size = (csrs.iter(GPR).len() + 1 + 1) as i64 * word_size as i64;
-
-            insert_stack_check(pos, total_stack_size, stack_limit_arg);
+
+    // If this is a leaf function with zero stack, then there's no need to
+    // insert a stack check since it can't overflow anything and
+    // forward-progress is guarantee so long as loop are handled anyway.
+    //
+    // If this has a stack size it could stack overflow, or if it isn't a leaf
+    // it could be part of a long call chain which we need to check anyway.
+    //
+    // First we look for the stack limit as a special argument to the function,
+    // and failing that we see if a custom stack limit factory has been provided
+    // which will be used to likely calculate the stack limit from the arguments
+    // or perhaps constants.
+    if stack_size > 0 || !pos.func.is_leaf() {
+        let scratch = ir::ValueLoc::Reg(RU::rax as RegUnit);
+        let stack_limit_arg = match pos.func.special_param(ArgumentPurpose::StackLimit) {
+            Some(arg) => {
+                let copy = pos.ins().copy(arg);
+                pos.func.locations[copy] = scratch;
+                Some(copy)
+            }
+            None => pos
+                .func
+                .stack_limit_from_arguments
+                .map(|closure| closure(pos, scratch)),
+        };
+        if let Some(stack_limit_arg) = stack_limit_arg {
+            insert_stack_check(pos, stack_size, stack_limit_arg);
         }
     }
 
@@ -804,11 +820,36 @@ fn insert_common_prologue(
 fn insert_stack_check(pos: &mut EncCursor, stack_size: i64, stack_limit_arg: ir::Value) {
     use crate::ir::condcodes::IntCC;
 
+    // Our stack pointer, after subtracting `stack_size`, must not be below
+    // `stack_limit_arg`. To do this we're going to add `stack_size` to
+    // `stack_limit_arg` and see if the stack pointer is below that. The
+    // `stack_size + stack_limit_arg` computation might overflow, however, due
+    // to how stack limits may be loaded and set externally to trigger a trap.
+    //
+    // To handle this we'll need an extra comparison to see if the stack
+    // pointer is already below `stack_limit_arg`. Most of the time this
+    // isn't necessary though since the stack limit which triggers a trap is
+    // likely a sentinel somewhere around `usize::max_value()`. In that case
+    // only conditionally emit this pre-flight check. That way most functions
+    // only have the one comparison, but are also guaranteed that if we add
+    // `stack_size` to `stack_limit_arg` is won't overflow.
+    //
+    // This does mean that code generators which use this stack check
+    // functionality need to ensure that values stored into the stack limit
+    // will never overflow if this threshold is added.
+    if stack_size >= 32 * 1024 {
+        let cflags = pos.ins().ifcmp_sp(stack_limit_arg);
+        pos.func.locations[cflags] = ir::ValueLoc::Reg(RU::rflags as RegUnit);
+        pos.ins().trapif(
+            IntCC::UnsignedGreaterThanOrEqual,
+            cflags,
+            ir::TrapCode::StackOverflow,
+        );
+    }
+
     // Copy `stack_limit_arg` into a %rax and use it for calculating
     // a SP threshold.
-    let stack_limit_copy = pos.ins().copy(stack_limit_arg);
-    pos.func.locations[stack_limit_copy] = ir::ValueLoc::Reg(RU::rax as RegUnit);
-    let sp_threshold = pos.ins().iadd_imm(stack_limit_copy, stack_size);
+    let sp_threshold = pos.ins().iadd_imm(stack_limit_arg, stack_size);
     pos.func.locations[sp_threshold] = ir::ValueLoc::Reg(RU::rax as RegUnit);
 
     // If the stack pointer currently reaches the SP threshold or below it then after opening

cranelift/filetests/filetests/isa/x86/prologue-epilogue.clif

@@ -1,6 +1,7 @@
 test compile
 set opt_level=speed_and_size
 set is_pic
+set enable_probestack=false
 target x86_64 haswell
 
 ; An empty function.
@@ -244,7 +245,7 @@ block0(v0: i64):
 ; nextln: 
 ; nextln: block0(v0: i64 [%rdi], v4: i64 [%rbp]):
 ; nextln:     v1 = copy v0
-; nextln:     v2 = iadd_imm v1, 16
+; nextln:     v2 = iadd_imm v1, 176
 ; nextln:     v3 = ifcmp_sp v2
 ; nextln:     trapif uge v3, stk_ovf
 ; nextln:     x86_push v4
@@ -254,3 +255,28 @@ block0(v0: i64):
 ; nextln:     v5 = x86_pop.i64
 ; nextln:     return v5
 ; nextln: }
+
+function %big_stack_limit(i64 stack_limit) {
+    ss0 = explicit_slot 40000
+block0(v0: i64):
+    return
+}
+
+; check: function %big_stack_limit(i64 stack_limit [%rdi], i64 fp [%rbp]) -> i64 fp [%rbp] fast {
+; nextln:     ss0 = explicit_slot 40000, offset -40016
+; nextln:     ss1 = incoming_arg 16, offset -16
+; nextln: 
+; nextln: block0(v0: i64 [%rdi], v5: i64 [%rbp]):
+; nextln:     v1 = copy v0
+; nextln:     v2 = ifcmp_sp v1
+; nextln:     trapif uge v2, stk_ovf
+; nextln:     v3 = iadd_imm v1, 0x9c40
+; nextln:     v4 = ifcmp_sp v3
+; nextln:     trapif uge v4, stk_ovf
+; nextln:     x86_push v5
+; nextln:     copy_special %rsp -> %rbp
+; nextln:     adjust_sp_down_imm 0x9c40
+; nextln:     adjust_sp_up_imm 0x9c40
+; nextln:     v6 = x86_pop.i64
+; nextln:     return v6
+; nextln: }

cranelift/reader/src/run_command.rs

@@ -12,7 +12,8 @@ use std::fmt::{Display, Formatter, Result};
 
 /// A run command appearing in a test file.
 ///
-/// For parsing, see [Parser::parse_run_command].
+/// For parsing, see
+/// [Parser::parse_run_command](crate::parser::Parser::parse_run_command).
 #[derive(PartialEq, Debug)]
 pub enum RunCommand {
     /// Invoke a function and print its result.
@@ -66,6 +67,8 @@ impl Display for Invocation {
 
 /// Represent a data value. Where [Value] is an SSA reference, [DataValue] is the type + value
 /// that would be referred to by a [Value].
+///
+/// [Value]: cranelift_codegen::ir::Value
 #[allow(missing_docs)]
 #[derive(Clone, Debug, PartialEq)]
 pub enum DataValue {

crates/api/src/func.rs

@@ -175,6 +175,7 @@ macro_rules! getters {
             // ... and then once we've passed the typechecks we can hand out our
             // object since our `transmute` below should be safe!
             let f = self.wasmtime_function();
+            let max_wasm_stack = self.store.engine().config().max_wasm_stack;
             Ok(move |$($args: $args),*| -> Result<R, Trap> {
                 unsafe {
                     let fnptr = mem::transmute::<
@@ -187,7 +188,7 @@ macro_rules! getters {
                     >(f.address);
                     let mut ret = None;
                     $(let $args = $args.into_abi();)*
-                    wasmtime_runtime::catch_traps(f.vmctx, || {
+                    wasmtime_runtime::catch_traps(f.vmctx, max_wasm_stack, || {
                         ret = Some(fnptr(f.vmctx, ptr::null_mut(), $($args,)*));
                     }).map_err(Trap::from_jit)?;
                     Ok(ret.unwrap())
@@ -525,14 +526,18 @@ impl Func {
 
         // Call the trampoline.
         if let Err(error) = unsafe {
-            wasmtime_runtime::catch_traps(self.export.vmctx, || {
-                (self.trampoline)(
-                    self.export.vmctx,
-                    ptr::null_mut(),
-                    self.export.address,
-                    values_vec.as_mut_ptr(),
-                )
-            })
+            wasmtime_runtime::catch_traps(
+                self.export.vmctx,
+                self.store.engine().config().max_wasm_stack,
+                || {
+                    (self.trampoline)(
+                        self.export.vmctx,
+                        ptr::null_mut(),
+                        self.export.address,
+                        values_vec.as_mut_ptr(),
+                    )
+                },
+            )
         } {
             return Err(Trap::from_jit(error).into());
         }

crates/api/src/instance.rs

@@ -32,6 +32,7 @@ fn instantiate(
                 &mut resolver,
                 sig_registry,
                 config.memory_creator.as_ref().map(|a| a as _),
+                config.max_wasm_stack,
             )
             .map_err(|e| -> Error {
                 match e {