Debug: add some infrastructure for catching traps, and handle traps properly in Pulley.

This is a followup to #11895 where I had disabled a test that failed to
emit a debug event for a hostcall-generated trap on a divide-by-zero in
Pulley. This PR allows that test to pass, and brings Pulley back to
parity with native Cranelift in debug support currently.

This was a bit of a "start to pull the thread and the entire finished
mechanism materializes" PR; happy to consider ways to split it up if
needed. In short, disabling signal-based traps on a Pulley configuration
still relies on Pulley opcodes (e.g., divide) actually trapping, in a
way that looks more like a "native ISA trap"; so I had to start to build
out the actual trap-handling mechanisms. In any case, this will all be
needed for followup work soon that will handle traps on native platforms
(redirecting from signals by injecting calls), so this is not a
distraction.

This PR includes, ranked in decreasing order of "may scare other
Wasmtime maintainers" score:

- A raw `NonNull<dyn VMStore>` in the `CallThreadState`, with a long
  comment about provenance and mut-borrow exclusivity. This is needed
  right now to allow the interpreter to invoke the debug event handler,
  but will soon be needed when injecting hostcalls on signals, because a
  signal context also has no state available from the Wasm code other
  than what is in TLS. Hence, we need a way to get the store back from
  the Wasm when we do something that is "morally a hostcall" at a
  trapping instruction.

  I do believe this is sound, or at least close to it if not (please
  scrutinize carefully!); the basic idea is that the Wasm acts as an
  opaque blob in the middle, and the pointer comes out of it one way or
  another (the normal way, as the first arg to a hostcall, or the weird
  way, via TLS and the CallThreadState during a trap).
  Exclusive ownership is still clear at any given point and only one
  `&mut` ever exists in the current frame at a time. That said, I
  haven't tested with miri yet.

  This does require careful thought about the Wasm compilation, too; we
  need the moral equivalent of a `&mut self` reborrow as-if we were
  making a hostcall on each trapping instruction. It turns out that we
  already treat them as memory-fence instructions, so nothing loaded
  from the store can be moved or cached across them, and I've added a
  comment now about how this is load-bearing.

- Updates to `CallThreadState`'s "exit state", normally set by the exit
  trampoline, that we now also set when we invoke a debug event handler
  during a trap context[^1] so that `Store::debug_frames` properly sees
  the current activation. This is a little more awkward than it could be
  because we store the *trampoline* FP, not last Wasm FP, and there is
  no trampoline frame in this case, so I've added a flag and some
  conditionals. I'm happy to refactor instead to go (back) to storing
  the last Wasm FP instead, with the extra load in the exit trampoline
  to compute that.

- A whole bunch of plumbing, creating a large but mechanical diff, in
  the code translator to actually add debug tags on all traps and calls
  to `raise`. It turns out that once I got all of the above working in
  Pulley, the test disagreed about current Wasm PC between native and
  Pulley, and Pulley was right; native was getting it wrong because the
  `raise` libcall was sunk to the bottom in a cold block and, without
  tags, we scanned backward to pick up the last Wasm PC in the function.
  This new plumbing and addition of tags in all the appropriate places
  fixes that.

[^1]: I keep saying "during a trap context" here, but to avoid any
      signal-safety scares, note that when this is done for native
      signals in a followup PR, we will inject a hostcall by modifying
      stack/register state and returning from the actual signal context,
      so it really is as-if we did a hostcall from a trapping
      instruction.

Author: cfallin

cranelift/codegen/src/inst_predicates.rs

@@ -150,6 +150,12 @@ pub fn has_memory_fence_semantics(op: Opcode) -> bool {
         | Opcode::Debugtrap
         | Opcode::SequencePoint => true,
         Opcode::Call | Opcode::CallIndirect | Opcode::TryCall | Opcode::TryCallIndirect => true,
+        // N.B.: this is *load-bearing for borrow safety and
+        // provenance in Wasmtime*. A trapping op can potentially
+        // cause an implicit hostcall, and that hostcall implicitly
+        // mutably borrows Wasmtime's Store. So we can't allow alias
+        // anslysis to cross trapping opcodes; they are implicitly
+        // as-if they called the host.
         op if op.can_trap() => true,
         _ => false,
     }

crates/cranelift/src/bounds_checks.rs

@@ -22,7 +22,7 @@
 use crate::{
     Reachability,
     func_environ::FuncEnvironment,
-    translate::{HeapData, TargetEnvironment},
+    translate::{FuncTranslationStacks, HeapData, TargetEnvironment},
 };
 use Reachability::*;
 use cranelift_codegen::{
@@ -84,12 +84,15 @@ pub fn bounds_check_and_compute_addr(
     index: ir::Value,
     bounds_check: BoundsCheck,
     trap: ir::TrapCode,
+    stacks: &FuncTranslationStacks,
 ) -> Reachability<ir::Value> {
     match bounds_check {
         BoundsCheck::StaticOffset {
             offset,
             access_size,
-        } => bounds_check_field_access(builder, env, heap, index, offset, access_size, trap),
+        } => {
+            bounds_check_field_access(builder, env, heap, index, offset, access_size, trap, stacks)
+        }
 
         #[cfg(feature = "gc")]
         BoundsCheck::StaticObjectField {
@@ -113,6 +116,7 @@ pub fn bounds_check_and_compute_addr(
                     0,
                     object_size,
                     trap,
+                    stacks,
                 ) {
                     Reachable(v) => v,
                     u @ Unreachable => return u,
@@ -123,7 +127,7 @@ pub fn bounds_check_and_compute_addr(
             }
 
             // Otherwise, bounds check just this one field's access.
-            bounds_check_field_access(builder, env, heap, index, offset, access_size, trap)
+            bounds_check_field_access(builder, env, heap, index, offset, access_size, trap, stacks)
         }
 
         // Compute the index of the end of the object, bounds check that and get
@@ -148,6 +152,7 @@ pub fn bounds_check_and_compute_addr(
                 0,
                 0,
                 trap,
+                stacks,
             ) {
                 Reachable(v) => v,
                 u @ Unreachable => return u,
@@ -177,6 +182,7 @@ fn bounds_check_field_access(
     offset: u32,
     access_size: u8,
     trap: ir::TrapCode,
+    stacks: &FuncTranslationStacks,
 ) -> Reachability<ir::Value> {
     let pointer_bit_width = u16::try_from(env.pointer_type().bits()).unwrap();
     let bound_gv = heap.bound;
@@ -298,7 +304,7 @@ fn bounds_check_field_access(
         // max_memory_size`, since we will end up being out-of-bounds regardless
         // of the given `index`.
         env.before_unconditionally_trapping_memory_access(builder);
-        env.trap(builder, trap);
+        env.trap(builder, trap, stacks);
         return Unreachable;
     }
 
@@ -308,7 +314,7 @@ fn bounds_check_field_access(
     // native pointer type anyway, so this is an unconditional trap.
     if pointer_bit_width < 64 && offset_and_size >= (1 << pointer_bit_width) {
         env.before_unconditionally_trapping_memory_access(builder);
-        env.trap(builder, trap);
+        env.trap(builder, trap, stacks);
         return Unreachable;
     }
 
@@ -430,6 +436,7 @@ fn bounds_check_field_access(
             AddrPcc::static32(heap.pcc_memory_type, memory_reservation),
             oob,
             trap,
+            stacks,
         ));
     }
 
@@ -464,6 +471,7 @@ fn bounds_check_field_access(
             AddrPcc::dynamic(heap.pcc_memory_type, bound_gv),
             oob,
             trap,
+            stacks,
         ));
     }
 
@@ -513,6 +521,7 @@ fn bounds_check_field_access(
             AddrPcc::dynamic(heap.pcc_memory_type, bound_gv),
             oob,
             trap,
+            stacks,
         ));
     }
 
@@ -558,6 +567,7 @@ fn bounds_check_field_access(
             AddrPcc::dynamic(heap.pcc_memory_type, bound_gv),
             oob,
             trap,
+            stacks,
         ));
     }
 
@@ -575,7 +585,7 @@ fn bounds_check_field_access(
         builder.func.dfg.facts[access_size_val] =
             Some(Fact::constant(pointer_bit_width, offset_and_size));
     }
-    let adjusted_index = env.uadd_overflow_trap(builder, index, access_size_val, trap);
+    let adjusted_index = env.uadd_overflow_trap(builder, index, access_size_val, trap, stacks);
     if pcc {
         builder.func.dfg.facts[adjusted_index] = Some(Fact::value_offset(
             pointer_bit_width,
@@ -603,6 +613,7 @@ fn bounds_check_field_access(
         AddrPcc::dynamic(heap.pcc_memory_type, bound_gv),
         oob,
         trap,
+        stacks,
     ))
 }
 
@@ -756,9 +767,10 @@ fn explicit_check_oob_condition_and_compute_addr(
     // in bounds (and therefore we can proceed).
     oob_condition: ir::Value,
     trap: ir::TrapCode,
+    stacks: &FuncTranslationStacks,
 ) -> ir::Value {
     if let OobBehavior::ExplicitTrap = oob_behavior {
-        env.trapnz(builder, oob_condition, trap);
+        env.trapnz(builder, oob_condition, trap, stacks);
     }
     let addr_ty = env.pointer_type();