Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix cyclical reference in get_context_data #335

Closed
webmaster128 opened this issue May 18, 2020 · 13 comments · Fixed by #566
Closed

Fix cyclical reference in get_context_data #335

webmaster128 opened this issue May 18, 2020 · 13 comments · Fixed by #566
Labels
vm cosmwasm-vm crate

Comments

@webmaster128
Copy link
Member

webmaster128 commented May 18, 2020

As described here by @reuvenpo:

// NOTE: This is actually not really implemented safely at the moment. I did this as a
// nicer and less-terrible version of the previous solution to the following issue:
//
//                                                   +--->> Go pointer
//                                                   |
// Ctx ->> ContextData +-> iterators: Box<dyn Iterator + 'a> --+
//                     |                                       |
//                     +-> storage: impl Storage <<------------+
//                     |
//                     +-> querier: impl Querier
//
// ->  : Ownership
// ->> : Mutable borrow
//
// As you can see, there's a cyclical reference here... changing this function to return the same lifetime as it
// returns (and adjusting a few other functions to only have one lifetime instead of two) triggers an error
// elsewhere where we try to add iterators to the context. That's not legal according to Rust's rules, and it
// complains that we're trying to borrow ctx mutably twice. This needs a better solution because this function
// probably triggers unsoundness.
fn get_context_data<'a, 'b, S: Storage, Q: Querier>(

See also #331 (comment) and #331 (comment)

@webmaster128 webmaster128 added the vm cosmwasm-vm crate label May 18, 2020
@webmaster128
Copy link
Member Author

Would we win something by storing the iterators in impl Storage instead of ContextData? That should at least allow us to make the cycle smaller and push it to go-cosmwasm.

@reuvenpo
Copy link
Contributor

That might actually solve it, yeah. We'll have to play around with the implementation and see what the compiler thinks about it.

@ethanfrey
Copy link
Member

This is a valid concern if the DB we call into is Rust.

We currently check this on the cosmwasm-std side, as Rust does not allow any iterators to be open when writing to the storage. And the Go db doesn't care about this restriction (which is fine in cosmos-sdk as it is singlethreaded).

I think the first step would be to ensure the iterators get closed over FFI when they are dropped (from cosmwasm-std -> vm -> go-cosmwasm -> cosmos-sdk).

Then we can enforce this on the vm level, to defend against contracts not using cosmwasm-std.

After those (which should shore up any real problems), we can try to fix lifetimes so rust is happy. I did fight with this for some time and the fact that iterators depend on storage but are stored separately makes this intractable. I can ensure code-wise that I close them all before releasing storage, but with all the casting to *mut the compiler will never know

@webmaster128
Copy link
Member Author

If I understand correctly, the points raised by @ethanfrey are all valid but all mostly independent of the cyclic reference.

Rust does not allow any iterators to be open when writing to the storage

This is avoid iterator invalidation. Good to avoid the most dangerous usages in the std. In the VM, iterators are never cleared within a contract execution. So we definitely have open iterators while storage is written. Fingers crossed those open iterators are not used anymore.

And the Go db doesn't care about this restriction (which is fine in cosmos-sdk as it is singlethreaded).

Even in single threaded envirtonments we need to be clear if an iterator is invalidated when you write to the storage in the middle of an iteration (single threaded: next, next, delete, next, add, next …). This is very different in different environments. I don't know about Go/Cosmos SDK.

I think the first step would be to ensure the iterators get closed over FFI when they are dropped (from cosmwasm-std -> vm -> go-cosmwasm -> cosmos-sdk).

I.e. call import like db_destroy_iterator in the destructor of ExternalIterator? Sounds good. Nothing like this is done right now.

@reuvenpo
Copy link
Contributor

I don't think that there's a pressing need to add deletion of iterators from the contract itself. The way things currently work, iterators don't have a significant memory overhead, and it's faster to just collect them and close them all in one swoop after returning from the contract (which is what we do now, in CosmWasm/wasmvm#109) instead of passing through all that FFI every time.

On the subject of the cyclical reference, perhaps we can resolve this by boxing the Storage field in ContextData? The solution to this issue specifically isn't that hard, just takes care that we don't break anything else.

about the mutable references, Ethan is correct that we don't have to require a mutable reference (which is a unique reference) if mutating the Go objects is safe through an immutable (shared) reference. We could maybe change some of the &muts to &s.

@webmaster128
Copy link
Member Author

We probably need to address this in some way for the Wasmer upgrade, where struct ContextData<'a, S: Storage, Q: Querier> should be stored as something like

// must implement Clone
pub struct Env<S: Storage, Q: Querier> {
    pub memory: wasmer::Memory,
    pub context_data: Arc<RwLock<ContextData<S, Q>>>,
}

instead of *mut c_void.

I tried implementing

//                                                                     +--->> Go pointer
//                                                                     |
// Ctx ->> ContextData +-> storage: impl Storage <<-> iterators: Box<dyn Iterator + 'a> --+
//                     |
//                     +-> querier: impl Querier
//
// ->  : Ownership
// ->> : Mutable borrow

to move all the circular reference to impl Storage. However, if I understand https://users.rust-lang.org/t/access-to-implicit-lifetime-of-containing-object-aka-self-lifetime/18917 correctly, a Storage can never store references to itself without adding an explicit lifetime 'a to Storage, ContextData, Env and Instance.

Now I wonder if what we try to do is fundamentally broken: access an iterator from multiple import calls, which creates lifetime reqirements for iterators and storage that are almost impossible to get right.

@ethanfrey
Copy link
Member

Now I wonder if what we try to do is fundamentally broken: access an iterator from multiple import calls, which creates lifetime reqirements for iterators and storage that are almost impossible to get right.

Here we have to lie to the compiler. We know the storage lives the entire ContextData, and if we make sure to clean up Iterators first (dynamically or upon cleanup), we can logically view this is right. I did some tricks with lying about lifetimes (transcribe?)

@webmaster128
Copy link
Member Author

webmaster128 commented Oct 6, 2020

The types of this struct is broken right now:

struct ContextData<'a, S: Storage, Q: Querier> {
    gas_state: GasState,
    storage: Option<S>,
    storage_readonly: bool,
    querier: Option<Q>,
    /// A non-owning link to the wasmer instance
    wasmer_instance: Option<NonNull<WasmerInstance>>,
    #[cfg(feature = "iterator")]
    iterators: HashMap<u32, Box<dyn StorageIterator + 'a>>,
    #[cfg(not(feature = "iterator"))]
    iterators: PhantomData<&'a mut ()>,
}
  1. The lifetime annotation ContextData<'a, means that an instance of ContextData can own references of lifetime 'a. As a consequence, it must not outlive 'a.
  2. ContextData owns a Storage
  3. The storage must outlive the iterators

i.e. 'a >= lifetime of ContextData instance = lifetime of Storage instance >= 'a.

The only way I see to get this right is having the same lifetime for all of those three. But since ContextData is created before the store is passed in, I don't think that can easily be done. However, now that we don't need Instance::from_wasmer anymore, I wonder if we can pass a storage reference into the ContextData when it is created.

@webmaster128
Copy link
Member Author

I wonder if we can pass a storage reference into the ContextData when it is created.

Nope, at not that easy since the context must be created with Send+Sync only:

error[E0061]: this function takes 3 arguments but 1 argument was supplied
   --> packages/vm/src/context.rs:92:9
    |
92  |           create_unmanaged_context_data::<S, Q>(gas_limit),
    |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ --------- supplied 1 argument
    |           |
    |           expected 3 arguments
...
97  | / fn create_unmanaged_context_data<S, Q>(storage: S, querier: Q, gas_limit: u64) -> *mut c_void
98  | | where
99  | |     S: Storage,
100 | |     Q: Querier,
    | |_______________- defined here

error[E0277]: `S` cannot be sent between threads safely
  --> packages/vm/src/instance.rs:84:30
   |
84 |         let mut import_obj = imports! { move || { setup_context::<S, Q>( storage, querier, gas_limit) }, "env" => {}, };
   |                              ^^^^^^^^^^^---------------------------------------------------------------^^^^^^^^^^^^^^^^
   |                              |          |
   |                              |          within this `[closure@packages/vm/src/instance.rs:84:41: 84:104 storage:S, querier:Q, gas_limit:u64]`
   |                              `S` cannot be sent between threads safely
   | 
  ::: $HOME/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmer-runtime-core-0.17.0/src/import.rs:80:63
   |
80 |         F: Fn() -> (*mut c_void, fn(*mut c_void)) + 'static + Send + Sync,
   |                                                               ---- required by this bound in `ImportObject::new_with_data`
   |
   = note: required because it appears within the type `[closure@packages/vm/src/instance.rs:84:41: 84:104 storage:S, querier:Q, gas_limit:u64]`
   = note: this error originates in a macro (in Nightly builds, run with -Z macro-backtrace for more info)
help: consider further restricting this bound
   |
60 |     S: Storage + std::marker::Send,
   |                ^^^^^^^^^^^^^^^^^^^

error[E0277]: `Q` cannot be sent between threads safely
  --> packages/vm/src/instance.rs:84:30
   |
84 |         let mut import_obj = imports! { move || { setup_context::<S, Q>( storage, querier, gas_limit) }, "env" => {}, };
   |                              ^^^^^^^^^^^---------------------------------------------------------------^^^^^^^^^^^^^^^^
   |                              |          |
   |                              |          within this `[closure@packages/vm/src/instance.rs:84:41: 84:104 storage:S, querier:Q, gas_limit:u64]`
   |                              `Q` cannot be sent between threads safely
   | 
  ::: $HOME/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmer-runtime-core-0.17.0/src/import.rs:80:63
   |
80 |         F: Fn() -> (*mut c_void, fn(*mut c_void)) + 'static + Send + Sync,
   |                                                               ---- required by this bound in `ImportObject::new_with_data`
   |
   = note: required because it appears within the type `[closure@packages/vm/src/instance.rs:84:41: 84:104 storage:S, querier:Q, gas_limit:u64]`
   = note: this error originates in a macro (in Nightly builds, run with -Z macro-backtrace for more info)
help: consider further restricting this bound
   |
62 |     Q: Querier + std::marker::Send,
   |                ^^^^^^^^^^^^^^^^^^^

error[E0277]: `S` cannot be shared between threads safely
  --> packages/vm/src/instance.rs:84:30
   |
84 |         let mut import_obj = imports! { move || { setup_context::<S, Q>( storage, querier, gas_limit) }, "env" => {}, };
   |                              ^^^^^^^^^^^---------------------------------------------------------------^^^^^^^^^^^^^^^^
   |                              |          |
   |                              |          within this `[closure@packages/vm/src/instance.rs:84:41: 84:104 storage:S, querier:Q, gas_limit:u64]`
   |                              `S` cannot be shared between threads safely
   | 
  ::: $HOME/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmer-runtime-core-0.17.0/src/import.rs:80:70
   |
80 |         F: Fn() -> (*mut c_void, fn(*mut c_void)) + 'static + Send + Sync,
   |                                                                      ---- required by this bound in `ImportObject::new_with_data`
   |
   = note: required because it appears within the type `[closure@packages/vm/src/instance.rs:84:41: 84:104 storage:S, querier:Q, gas_limit:u64]`
   = note: this error originates in a macro (in Nightly builds, run with -Z macro-backtrace for more info)
help: consider further restricting this bound
   |
60 |     S: Storage + Sync,
   |                ^^^^^^

error[E0277]: `Q` cannot be shared between threads safely
  --> packages/vm/src/instance.rs:84:30
   |
84 |         let mut import_obj = imports! { move || { setup_context::<S, Q>( storage, querier, gas_limit) }, "env" => {}, };
   |                              ^^^^^^^^^^^---------------------------------------------------------------^^^^^^^^^^^^^^^^
   |                              |          |
   |                              |          within this `[closure@packages/vm/src/instance.rs:84:41: 84:104 storage:S, querier:Q, gas_limit:u64]`
   |                              `Q` cannot be shared between threads safely
   | 
  ::: $HOME/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmer-runtime-core-0.17.0/src/import.rs:80:70
   |
80 |         F: Fn() -> (*mut c_void, fn(*mut c_void)) + 'static + Send + Sync,
   |                                                                      ---- required by this bound in `ImportObject::new_with_data`
   |
   = note: required because it appears within the type `[closure@packages/vm/src/instance.rs:84:41: 84:104 storage:S, querier:Q, gas_limit:u64]`
   = note: this error originates in a macro (in Nightly builds, run with -Z macro-backtrace for more info)
help: consider further restricting this bound
   |
62 |     Q: Querier + Sync,
   |                ^^^^^^

@ethanfrey
Copy link
Member

These issues are with the Wasmer Reborn branch, correct? Not on 0.11?

@webmaster128
Copy link
Member Author

The issues exist on 0.11/master. The work on Wasmer Reborn forces us to think about this because there is no raw pointer operation anymore we can use to forget about all the problems.

@webmaster128
Copy link
Member Author

Ideally we create a struct that owns a Storage and it's iterators. This would reduce the scope of the problem to a size that you can reason about. Those two threads describe the problem and possible solutions for such a wrapper:

@ethanfrey
Copy link
Member

ethanfrey commented Oct 6, 2020

This looks like an interesting crate that may help the storage/iterator issue (linked from the second answer above):

https://crates.io/crates/ouroboros

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
vm cosmwasm-vm crate
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants