Change proc_exit to unwind the stack rather than exiting the host process. (#1646)

* Remove Cranelift's OutOfBounds trap, which is no longer used.

* Change proc_exit to unwind instead of exit the host process.

This implements the semantics in WebAssembly/WASI#235.

Fixes #783.
Fixes #993.

* Fix exit-status tests on Windows.

* Revert the wiggle changes and re-introduce the wasi-common implementations.

* Move `wasi_proc_exit` into the wasmtime-wasi crate.

* Revert the spec_testsuite change.

* Remove the old proc_exit implementations.

* Make `TrapReason` an implementation detail.

* Allow exit status 2 on Windows too.

* Fix a documentation link.

* Really fix a documentation link.

Author: sunfishcode

cranelift/codegen/src/ir/trapcode.rs

@@ -27,9 +27,6 @@ pub enum TrapCode {
     /// A `table_addr` instruction detected an out-of-bounds error.
     TableOutOfBounds,
 
-    /// Other bounds checking error.
-    OutOfBounds,
-
     /// Indirect call to a null table entry.
     IndirectCallToNull,
 
@@ -63,7 +60,6 @@ impl Display for TrapCode {
             StackOverflow => "stk_ovf",
             HeapOutOfBounds => "heap_oob",
             TableOutOfBounds => "table_oob",
-            OutOfBounds => "oob",
             IndirectCallToNull => "icall_null",
             BadSignature => "bad_sig",
             IntegerOverflow => "int_ovf",
@@ -86,7 +82,6 @@ impl FromStr for TrapCode {
             "stk_ovf" => Ok(StackOverflow),
             "heap_oob" => Ok(HeapOutOfBounds),
             "table_oob" => Ok(TableOutOfBounds),
-            "oob" => Ok(OutOfBounds),
             "icall_null" => Ok(IndirectCallToNull),
             "bad_sig" => Ok(BadSignature),
             "int_ovf" => Ok(IntegerOverflow),
@@ -106,11 +101,10 @@ mod tests {
     use alloc::string::ToString;
 
     // Everything but user-defined codes.
-    const CODES: [TrapCode; 11] = [
+    const CODES: [TrapCode; 10] = [
         TrapCode::StackOverflow,
         TrapCode::HeapOutOfBounds,
         TrapCode::TableOutOfBounds,
-        TrapCode::OutOfBounds,
         TrapCode::IndirectCallToNull,
         TrapCode::BadSignature,
         TrapCode::IntegerOverflow,

cranelift/filetests/filetests/parser/flags.clif

@@ -25,7 +25,7 @@ block201:
     return
 
 block202:
-    trap oob
+    trap heap_oob
 }
 ; check: v1 = ifcmp_imm v0, 17
 ; check: brif eq v1, block201
@@ -56,7 +56,7 @@ block201:
     return
 
 block202:
-    trap oob
+    trap heap_oob
 }
 ; check: v2 = ffcmp v0, v1
 ; check: brff eq v2, block201

cranelift/filetests/filetests/parser/tiny.clif

@@ -223,7 +223,7 @@ function %cond_traps(i32) {
 block0(v0: i32):
     trapz v0, stk_ovf
     v1 = ifcmp_imm v0, 5
-    trapif ugt v1, oob
+    trapif ugt v1, heap_oob
     v2 = bitcast.f32 v1
     v3 = ffcmp v2, v2
     trapff uno v3, int_ovf
@@ -233,7 +233,7 @@ block0(v0: i32):
 ; nextln: block0(v0: i32):
 ; nextln:     trapz v0, stk_ovf
 ; nextln:     v1 = ifcmp_imm v0, 5
-; nextln:     trapif ugt v1, oob
+; nextln:     trapif ugt v1, heap_oob
 ; nextln:     v2 = bitcast.f32 v1
 ; nextln:     v3 = ffcmp v2, v2
 ; nextln:     trapff uno v3, int_ovf

cranelift/filetests/filetests/regalloc/iterate.clif

@@ -139,7 +139,7 @@ block0(v0: i64):
     jump block4
 
 block4:
-    trap oob
+    trap heap_oob
 
 block2:
     v8 = load.i64 v5+8

cranelift/filetests/filetests/wasm/control.clif

@@ -54,7 +54,7 @@ block0(v0: i32):
     br_table v0, block4, jt0
 
 block4:
-    trap oob
+    trap heap_oob
 
 block1:
     return

crates/wasi-common/src/old/snapshot_0/hostcalls_impl/misc.rs

@@ -342,13 +342,6 @@ pub(crate) struct FdEventData<'a> {
     pub(crate) userdata: wasi::__wasi_userdata_t,
 }
 
-pub(crate) fn proc_exit(_wasi_ctx: &WasiCtx, _memory: &mut [u8], rval: wasi::__wasi_exitcode_t) {
-    trace!("proc_exit(rval={:?})", rval);
-    // TODO: Rather than call std::process::exit here, we should trigger a
-    // stack unwind similar to a trap.
-    std::process::exit(rval as i32);
-}
-
 pub(crate) fn proc_raise(
     _wasi_ctx: &WasiCtx,
     _memory: &mut [u8],

crates/wasi-common/src/snapshots/wasi_snapshot_preview1.rs

@@ -813,13 +813,10 @@ impl<'a> WasiSnapshotPreview1 for WasiCtx {
         Ok(nevents)
     }
 
-    // This is just a temporary to ignore the warning which becomes a hard error
-    // in the CI. Once we figure out non-returns in `wiggle`, this should be gone.
-    #[allow(unreachable_code)]
-    fn proc_exit(&self, rval: types::Exitcode) -> std::result::Result<(), ()> {
-        // TODO: Rather than call std::process::exit here, we should trigger a
-        // stack unwind similar to a trap.
-        std::process::exit(rval as i32);
+    fn proc_exit(&self, _rval: types::Exitcode) -> std::result::Result<(), ()> {
+        // proc_exit is special in that it's expected to unwind the stack, which
+        // typically requires runtime-specific logic.
+        unimplemented!("runtimes are expected to override this implementation")
     }
 
     fn proc_raise(&self, _sig: types::Signal) -> Result<()> {

crates/wasi-common/wig/src/hostcalls.rs

@@ -17,6 +17,13 @@ pub fn define(args: TokenStream) -> TokenStream {
 
     for module in doc.modules() {
         for func in module.funcs() {
+            // `proc_exit` is special; it's essentially an unwinding primitive,
+            // so we implement it in the runtime rather than use the implementation
+            // in wasi-common.
+            if func.name.as_str() == "proc_exit" {
+                continue;
+            }
+
             ret.extend(generate_wrappers(&func, old));
         }
     }

crates/wasi-common/wig/src/wasi.rs

@@ -46,6 +46,15 @@ pub fn define_struct(args: TokenStream) -> TokenStream {
             linker_add.push(quote! {
                 linker.define(#module_name, #name, self.#name_ident.clone())?;
             });
+            // `proc_exit` is special; it's essentially an unwinding primitive,
+            // so we implement it in the runtime rather than use the implementation
+            // in wasi-common.
+            if name == "proc_exit" {
+                ctor_externs.push(quote! {
+                    let #name_ident = wasmtime::Func::wrap(store, crate::wasi_proc_exit);
+                });
+                continue;
+            }
 
             let mut shim_arg_decls = Vec::new();
             let mut params = Vec::new();
@@ -291,6 +300,15 @@ pub fn define_struct_for_wiggle(args: TokenStream) -> TokenStream {
             linker_add.push(quote! {
                 linker.define(#module_name, #name, self.#name_ident.clone())?;
             });
+            // `proc_exit` is special; it's essentially an unwinding primitive,
+            // so we implement it in the runtime rather than use the implementation
+            // in wasi-common.
+            if name == "proc_exit" {
+                ctor_externs.push(quote! {
+                    let #name_ident = wasmtime::Func::wrap(store, crate::wasi_proc_exit);
+                });
+                continue;
+            }
 
             let mut shim_arg_decls = Vec::new();
             let mut params = Vec::new();

crates/wasi/src/lib.rs

@@ -1,3 +1,5 @@
+use wasmtime::Trap;
+
 pub mod old;
 
 pub use wasi_common::{WasiCtx, WasiCtxBuilder};
@@ -12,3 +14,17 @@ pub fn is_wasi_module(name: &str) -> bool {
     // trick.
     name.starts_with("wasi")
 }
+
+/// Implement the WASI `proc_exit` function. This function is implemented here
+/// instead of in wasi-common so that we can use the runtime to perform an
+/// unwind rather than exiting the host process.
+fn wasi_proc_exit(status: i32) -> Result<(), Trap> {
+    // Check that the status is within WASI's range.
+    if status >= 0 && status < 126 {
+        Err(Trap::i32_exit(status))
+    } else {
+        Err(Trap::new(
+            "exit with invalid exit status outside of [0..126)",
+        ))
+    }
+}