CABI: redefine reentrance rules in terms of component instance flag

Author: lukewagner

design/mvp/Concurrency.md

@@ -16,6 +16,7 @@ emojis. For an even higher-level introduction, see [these][wasmio-2024]
   * [Thread Built-ins](#thread-built-ins)
   * [Thread-Local Storage](#thread-local-storage)
   * [Blocking](#blocking)
+  * [Reentrance](#reentrance)
   * [Waitables and Waitable Sets](#waitables-and-waitable-sets)
   * [Streams and Futures](#streams-and-futures)
   * [Stream Readiness](#stream-readiness)
@@ -314,6 +315,7 @@ of the new subtask created for the import call. Thus, one reason for
 associating every thread with a "containing task" is to ensure that there is
 always a well-defined async call stack.
 
+TODO: maybe move this to 'Reentrance' section
 A semantically-observable use of the async call stack is to distinguish between
 hazardous **recursive reentrance**, in which a component instance is reentered
 when one of its tasks is already on the callstack, from business-as-usual
@@ -504,6 +506,10 @@ once the reason for blocking is addressed.
 The [Canonical ABI explainer] defines the above behavior more precisely; search
 for `may_block` to see all the relevant points.
 
+### Reentrance
+
+TODO
+
 ### Waitables and Waitable Sets
 
 When an `async`-typed function is called with the async ABI and the call
@@ -1379,9 +1385,6 @@ comes after:
   type to block during instantiation
 * add an `async` effect on `resource` type definitions allowing a resource
   type to block during its destructor
-* `recursive` function type attribute: allow a function to opt in to
-  recursive [reentrance], extending the ABI to link the inner and
-  outer activations
 * add a `strict-callback` option that adds extra trapping conditions to
   provide the semantic guarantees needed for engines to statically avoid
   fiber creation at component-to-component `async` call boundaries
@@ -1463,7 +1466,6 @@ comes after:
 [Binary Format]: Binary.md
 [WIT]: WIT.md
 [Blast Zone]: FutureFeatures.md#blast-zones
-[Reentrance]: Explainer.md#component-invariants
 [`start`]: Explainer.md#start-definitions
 
 [Store]: https://webassembly.github.io/spec/core/exec/runtime.html#syntax-store

design/mvp/Explainer.md

@@ -1726,10 +1726,10 @@ propagated once received.
 If `waitable-set.wait` is called from a synchronous- or `async callback`-lifted
 export, no other threads that were implicitly created by a separate
 synchronous- or `async callback`-lifted export call can start or progress in
-the current component instance until `waitable-set.wait` returns (thereby
-ensuring non-reentrance of the core wasm code). However, explicitly-created
-threads and threads implicitly created by non-`callback` `async`-lifted
-("stackful async") exports may start or progress at any time.
+the current component instance until `waitable-set.wait` returns (preserving
+[component invariant] #2). However, explicitly-created threads and threads
+implicitly created by non-`callback` `async`-lifted ("stackful async") exports
+may start or progress at any time.
 
 A `subtask` event notifies the supertask that its subtask is now in the given
 state (the meanings of which are described by the [concurrency explainer]).
@@ -2899,8 +2899,8 @@ definition. Thus, component functions form a "membrane" around the collection
 of core module instances contained by a component instance, allowing the
 Component Model to establish invariants that increase optimizability and
 composability in ways not otherwise possible in the shared-everything setting
-of Core WebAssembly. The Component Model proposes establishing the following
-two runtime invariants:
+of Core WebAssembly. The Component Model establishes the following runtime
+invariants:
 1. Components define a "lockdown" state that prevents continued execution
    after a trap. This both prevents continued execution with corrupt state and
    also allows more-aggressive compiler optimizations (e.g., store reordering).
@@ -2910,7 +2910,7 @@ two runtime invariants:
    implicitly checked at every execution step by component functions. Thus,
    after a trap, it's no longer possible to observe the internal state of a
    component instance.
-2. The Component Model disallows reentrance by trapping if a callee's
+2. (TODO) The Component Model disallows reentrance by trapping if a callee's
    component-instance is already on the stack when the call starts.
    (For details, see [`call_might_be_recursive`](CanonicalABI.md#component-instances)
    in the Canonical ABI explainer.) This default prevents obscure
@@ -3318,6 +3318,7 @@ For some use-case-focused, worked examples, see:
 [Resolved]: Concurrency.md#cancellation
 [Cancellation]: Concurrency.md#cancellation
 [Cancelled]: Concurrency.md#cancellation
+[Reentrance]: Concurrency.md#reentrance
 
 [Component Model Documentation]: https://component-model.bytecodealliance.org
 [`wizer`]: https://github.com/bytecodealliance/wizer

design/mvp/canonical-abi/definitions.py

@@ -188,6 +188,7 @@ class ComponentInstance:
   parent: Optional[ComponentInstance]
   handles: Table[ResourceHandle | Waitable | WaitableSet | ErrorContext]
   threads: Table[Thread]
+  may_enter: bool
   may_leave: bool
   backpressure: int
   num_waiting_to_enter: int
@@ -199,41 +200,36 @@ def __init__(self, store, parent = None):
     self.parent = parent
     self.handles = Table()
     self.threads = Table()
+    self.may_enter = True
     self.may_leave = True
     self.backpressure = 0
     self.num_waiting_to_enter = 0
     self.exclusive = None
 
-  def reflexive_ancestors(self) -> set[ComponentInstance]:
+  def enter_from(self, caller: Optional[ComponentInstance]):
+    for inst in self.entering(caller):
+      trap_if(not inst.may_enter)
+      inst.may_enter = False
+
+  def leave_to(self, caller: Optional[ComponentInstance]):
+    for inst in self.entering(caller):
+      assert(not inst.may_enter)
+      inst.may_enter = True
+
+  def entering(self, caller: Optional[ComponentInstance]):
+    if caller:
+      return self.self_and_ancestors() - caller.self_and_ancestors()
+    else:
+      return self.self_and_ancestors()
+
+  def self_and_ancestors(self) -> set[ComponentInstance]:
     s = set()
     inst = self
     while inst is not None:
       s.add(inst)
       inst = inst.parent
     return s
 
-  def is_reflexive_ancestor_of(self, other):
-    while other is not None:
-      if self is other:
-        return True
-      other = other.parent
-    return False
-
-class Supertask:
-  inst: Optional[ComponentInstance]
-  supertask: Optional[Supertask]
-
-def call_might_be_recursive(caller: Supertask, callee_inst: ComponentInstance):
-  if caller.inst is None:
-    while caller is not None:
-      if caller.inst and caller.inst.reflexive_ancestors() & callee_inst.reflexive_ancestors():
-        return True
-      caller = caller.supertask
-    return False
-  else:
-    return (caller.inst.is_reflexive_ancestor_of(callee_inst) or
-            callee_inst.is_reflexive_ancestor_of(caller.inst))
-
 ## Concurrency
 
 ### Stack Switching
@@ -415,9 +411,9 @@ def yield_to(self, cancellable, other: Thread) -> Cancelled:
 OnStart = Callable[[], list[any]]
 OnResolve = Callable[[Optional[list[any]]], None]
 OnCancel = Callable[[], None]
-FuncInst = Callable[[Supertask, OnStart, OnResolve], OnCancel]
+FuncInst = Callable[[OnStart, OnResolve, Optional[ComponentInstance]], OnCancel]
 
-class Task(Supertask):
+class Task:
   class State(Enum):
     INITIAL = 1
     STARTED = 2
@@ -428,19 +424,17 @@ class State(Enum):
   ft: FuncType
   opts: CanonicalOptions
   inst: ComponentInstance
-  supertask: Supertask
   on_start: OnStart
   on_resolve: OnResolve
   state: State
   num_borrows: int
   waiting_to_enter: Optional[Thread]
   threads: list[Thread]
 
-  def __init__(self, ft, opts, inst, supertask, on_start, on_resolve):
+  def __init__(self, ft, opts, inst, on_start, on_resolve):
     self.ft = ft
     self.opts = opts
     self.inst = inst
-    self.supertask = supertask
     self.on_start = on_start
     self.on_resolve = on_resolve
     self.state = Task.State.INITIAL
@@ -541,34 +535,42 @@ def cancel(self):
 
 class Store:
   waiting: list[Thread]
+  nesting_depth: int
 
   def __init__(self):
     self.waiting = []
+    self.nesting_depth = 0
 
-  def invoke(self, f: FuncInst, caller: Optional[Supertask], on_start, on_resolve) -> OnCancel:
-    host_caller = Supertask()
-    host_caller.inst = None
-    host_caller.supertask = caller
-    return f(host_caller, on_start, on_resolve)
+  def invoke(self, f: FuncInst, on_start: OnStart, on_resolve: OnResolve) -> OnCancel:
+    self.nesting_depth += 1
+    on_cancel = f(on_start, on_resolve, caller = None)
+    self.nesting_depth -= 1
+    return on_cancel
 
   def lift(self, f: CoreFuncInst, ft: FuncType, opts: CanonicalOptions, inst: ComponentInstance) -> FuncInst:
-    def func_inst(caller: Supertask, on_start: OnStart, on_resolve: OnResolve) -> OnCancel:
-      trap_if(call_might_be_recursive(caller, inst))
-      return canon_lift(f, ft, opts, inst, caller, on_start, on_resolve)
+    def func_inst(on_start: OnStart, on_resolve: OnResolve, caller: Optional[ComponentInstance]) -> OnCancel:
+      inst.enter_from(caller)
+      on_cancel = canon_lift(f, ft, opts, inst, on_start, on_resolve)
+      inst.leave_to(caller)
+      return on_cancel
     return func_inst
 
   def lower(self, f: FuncInst, ft: FuncType, opts: CanonicalOptions, inst: ComponentInstance) -> CoreFuncInst:
     def core_func_inst(args: list[CoreValType]) -> list[CoreValType]:
-      assert(current_instance() is inst)
+      assert(current_instance() is inst and self.nesting_depth > 0)
       return canon_lower(f, ft, opts, args)
     return core_func_inst
 
   def tick(self):
-    random.shuffle(self.waiting)
-    for thread in self.waiting:
-      if thread.ready():
-        thread.resume()
-        return
+    assert(self.nesting_depth == 0)
+    candidates = { t for t in self.waiting if t.ready() }
+    if candidates:
+      thread = random.choice(list(candidates))
+      self.nesting_depth += 1
+      thread.task.inst.enter_from(None)
+      thread.resume()
+      thread.task.inst.leave_to(None)
+      self.nesting_depth -= 1
 
 ## Lifting and Lowering Context
 
@@ -2072,7 +2074,7 @@ def lower_flat_values(cx, max_flat, vs, ts, out_param = None):
 
 ### `canon lift`
 
-def canon_lift(callee, ft, opts, inst, caller, on_start, on_resolve) -> OnCancel:
+def canon_lift(callee, ft, opts, inst, on_start, on_resolve) -> OnCancel:
   def thread_func():
     if not task.enter_implicit_thread():
       return
@@ -2128,7 +2130,7 @@ def thread_func():
     task.exit_implicit_thread()
     return
 
-  task = Task(ft, opts, inst, caller, on_start, on_resolve)
+  task = Task(ft, opts, inst, on_start, on_resolve)
   thread = Thread(task, thread_func)
   thread.resume()
   return task.request_cancellation
@@ -2198,7 +2200,7 @@ def on_resolve(result):
       nonlocal flat_results
       flat_results = lower_flat_values(cx, max_flat_results, result, ft.result_type(), flat_args)
 
-  subtask.on_cancel = callee(thread.task, on_start, on_resolve)
+  subtask.on_cancel = callee(on_start, on_resolve, caller = thread.task.inst)
   assert(ft.async_ or subtask.state == Subtask.State.RETURNED)
 
   if not opts.async_:
@@ -2244,17 +2246,13 @@ def canon_resource_drop(rt, i):
   trap_if(h.num_lends != 0)
   if h.own:
     assert(h.borrow_scope is None)
-    if inst is rt.impl:
-      if rt.dtor:
-        rt.dtor(h.rep)
-    else:
-      caller_opts = CanonicalOptions(async_ = False)
-      callee_opts = CanonicalOptions(async_ = rt.dtor_async, callback = rt.dtor_callback)
-      ft = FuncType([U32Type()],[], async_ = False)
-      dtor = rt.dtor or (lambda rep: [])
-      callee = inst.store.lift(dtor, ft, callee_opts, rt.impl)
-      caller = inst.store.lower(callee, ft, caller_opts, inst)
-      caller([h.rep])
+    caller_opts = CanonicalOptions(async_ = False)
+    callee_opts = CanonicalOptions(async_ = rt.dtor_async, callback = rt.dtor_callback)
+    ft = FuncType([U32Type()], [], async_ = False)
+    dtor = rt.dtor or (lambda rep: [])
+    callee = inst.store.lift(dtor, ft, callee_opts, rt.impl)
+    caller = inst.store.lower(callee, ft, caller_opts, inst)
+    caller([h.rep])
   else:
     h.borrow_scope.num_borrows -= 1
   return []