Relax panics in async/futures to traps/errors (#12688)

* Relax panics in async/futures to traps/errors

This commit is an admittance that I don't believe we're going to get
to a point where we are confident enough in the fuzzing of
component-model-async such that we could confidently say we're
exercising the vast majority of possible panics. Development of
component-model-async has shown a steady trickle of panics over the
course of the development of the feature, and this trend has been
persistent over time as well.

An attempt was made in #12119 to add a fuzzer dedicated to async events
but that didn't actually find anything in development and it has missed
a number of panics present before and discovered after its introduction.
Overall I do not know how to improve the fuzzer to the point that it
would find pretty much all of the existing async-related panics over
time.

To help address this concern of the `concurrent.rs` implementation this
commit goes through and replaces things like `unwrap()`, `assert!`,
`panic!`, and `unreachable!` with an error-producing form. The benefit
of this is that a bug in the implementation is less likely to result in
a panic and instead just results in a non-spec-compliant trap. The
downside of doing this though is that it can become unclear what errors
are "first class traps", or expected to be guest reachable, and which
are expected to be bugs in Wasmtime. To help address this I've performed
a few refactorings here as well.

* Some traps previously present as error strings are now promoted to
  using `Trap::Foo` instead. This has some refactoring of the Rust/C
  side as well to make it easier to define new variants. Tests were
  additionally added for any trap messages that weren't previously
  tested as being reachable.

* A new `bail_bug!` macro was added (internally) for Wasmtime. This is
  coupled with a concrete `WasmtimeBug` error type (exported as
  `wasmtime::WasmtimeBug`). The intention is that `bail!` continues to
  be "here's a string and I'm a bit too lazy to make a concrete error"
  while `bail_bug!` indicates "this is a bug in wasmtime please report
  this if you see it".

The rough vision is that if an error condition is reached, and the system
is not broken in such a way that panicking is required, then `bail_bug!`
can be used to indicate a bug in Wasmtime as opposed to panicking. This
reduces the real-world impact of hitting these scenarios by downgrading a
CVE-worthy `panic!` into a bug-worthy non-spec-compliant trap. Not all
panics are able to be transitioned to this as some are load bearing from
a safety perspective or similar (or indicate something equally broken),
but the vast majority of cases are suitable for "return a trap, lock
down the store, and let destructors take care of everything else".

This change additionally has resulted in API changes for `FutureReader`
and `StreamReader`. For example creation of these types now returns a
`Result` for when the `ResourceTable` is full, for example, instead of
panicking.

* Fix CI build

* Translate `WasmtimeBug` to panics in debug mode

* Review comments

* Refactor some stream methods for fewer panics

Author: alexcrichton

crates/c-api/include/wasmtime/trap.h

@@ -25,90 +25,112 @@ typedef uint8_t wasmtime_trap_code_t;
  */
 enum wasmtime_trap_code_enum {
   /// The current stack space was exhausted.
-  WASMTIME_TRAP_CODE_STACK_OVERFLOW,
+  WASMTIME_TRAP_CODE_STACK_OVERFLOW = 0,
   /// An out-of-bounds memory access.
-  WASMTIME_TRAP_CODE_MEMORY_OUT_OF_BOUNDS,
+  WASMTIME_TRAP_CODE_MEMORY_OUT_OF_BOUNDS = 1,
   /// A wasm atomic operation was presented with a not-naturally-aligned
   /// linear-memory address.
-  WASMTIME_TRAP_CODE_HEAP_MISALIGNED,
+  WASMTIME_TRAP_CODE_HEAP_MISALIGNED = 2,
   /// An out-of-bounds access to a table.
-  WASMTIME_TRAP_CODE_TABLE_OUT_OF_BOUNDS,
+  WASMTIME_TRAP_CODE_TABLE_OUT_OF_BOUNDS = 3,
   /// Indirect call to a null table entry.
-  WASMTIME_TRAP_CODE_INDIRECT_CALL_TO_NULL,
+  WASMTIME_TRAP_CODE_INDIRECT_CALL_TO_NULL = 4,
   /// Signature mismatch on indirect call.
-  WASMTIME_TRAP_CODE_BAD_SIGNATURE,
+  WASMTIME_TRAP_CODE_BAD_SIGNATURE = 5,
   /// An integer arithmetic operation caused an overflow.
-  WASMTIME_TRAP_CODE_INTEGER_OVERFLOW,
+  WASMTIME_TRAP_CODE_INTEGER_OVERFLOW = 6,
   /// An integer division by zero.
-  WASMTIME_TRAP_CODE_INTEGER_DIVISION_BY_ZERO,
+  WASMTIME_TRAP_CODE_INTEGER_DIVISION_BY_ZERO = 7,
   /// Failed float-to-int conversion.
-  WASMTIME_TRAP_CODE_BAD_CONVERSION_TO_INTEGER,
+  WASMTIME_TRAP_CODE_BAD_CONVERSION_TO_INTEGER = 8,
   /// Code that was supposed to have been unreachable was reached.
-  WASMTIME_TRAP_CODE_UNREACHABLE_CODE_REACHED,
+  WASMTIME_TRAP_CODE_UNREACHABLE_CODE_REACHED = 9,
   /// Execution has potentially run too long and may be interrupted.
-  WASMTIME_TRAP_CODE_INTERRUPT,
+  WASMTIME_TRAP_CODE_INTERRUPT = 10,
   /// Execution has run out of the configured fuel amount.
-  WASMTIME_TRAP_CODE_OUT_OF_FUEL,
+  WASMTIME_TRAP_CODE_OUT_OF_FUEL = 11,
   /// Used to indicate that a trap was raised by atomic wait operations on non
   /// shared memory.
-  WASMTIME_TRAP_CODE_ATOMIC_WAIT_NON_SHARED_MEMORY,
+  WASMTIME_TRAP_CODE_ATOMIC_WAIT_NON_SHARED_MEMORY = 12,
   /// Call to a null reference.
-  WASMTIME_TRAP_CODE_NULL_REFERENCE,
+  WASMTIME_TRAP_CODE_NULL_REFERENCE = 13,
   /// Attempt to access beyond the bounds of an array.
-  WASMTIME_TRAP_CODE_ARRAY_OUT_OF_BOUNDS,
+  WASMTIME_TRAP_CODE_ARRAY_OUT_OF_BOUNDS = 14,
   /// Attempted an allocation that was too large to succeed.
-  WASMTIME_TRAP_CODE_ALLOCATION_TOO_LARGE,
+  WASMTIME_TRAP_CODE_ALLOCATION_TOO_LARGE = 15,
   /// Attempted to cast a reference to a type that it is not an instance of.
-  WASMTIME_TRAP_CODE_CAST_FAILURE,
+  WASMTIME_TRAP_CODE_CAST_FAILURE = 16,
   /// When the `component-model` feature is enabled this trap represents a
   /// scenario where one component tried to call another component but it
   /// would have violated the reentrance rules of the component model,
   /// triggering a trap instead.
-  WASMTIME_TRAP_CODE_CANNOT_ENTER_COMPONENT,
+  WASMTIME_TRAP_CODE_CANNOT_ENTER_COMPONENT = 17,
   /// Async-lifted export failed to produce a result by calling `task.return`
   /// before returning `STATUS_DONE` and/or after all host tasks completed.
-  WASMTIME_TRAP_CODE_NO_ASYNC_RESULT,
+  WASMTIME_TRAP_CODE_NO_ASYNC_RESULT = 18,
   /// We are suspending to a tag for which there is no active handler.
-  WASMTIME_TRAP_CODE_UNHANDLED_TAG,
+  WASMTIME_TRAP_CODE_UNHANDLED_TAG = 19,
   /// Attempt to resume a continuation twice.
-  WASMTIME_TRAP_CODE_CONTINUATION_ALREADY_CONSUMED,
+  WASMTIME_TRAP_CODE_CONTINUATION_ALREADY_CONSUMED = 20,
   /// A Pulley opcode was executed at runtime when the opcode was disabled at
   /// compile time.
-  WASMTIME_TRAP_CODE_DISABLED_OPCODE,
+  WASMTIME_TRAP_CODE_DISABLED_OPCODE = 21,
   /// Async event loop deadlocked; i.e. it cannot make further progress given
   /// that all host tasks have completed and any/all host-owned stream/future
   /// handles have been dropped.
-  WASMTIME_TRAP_CODE_ASYNC_DEADLOCK,
+  WASMTIME_TRAP_CODE_ASYNC_DEADLOCK = 22,
   /// When the `component-model` feature is enabled this trap represents a
   /// scenario where a component instance tried to call an import or intrinsic
   /// when it wasn't allowed to, e.g. from a post-return function.
-  WASMTIME_TRAP_CODE_CANNOT_LEAVE_COMPONENT,
+  WASMTIME_TRAP_CODE_CANNOT_LEAVE_COMPONENT = 23,
   /// A synchronous task attempted to make a potentially blocking call prior
   /// to returning.
-  WASMTIME_TRAP_CODE_CANNOT_BLOCK_SYNC_TASK,
+  WASMTIME_TRAP_CODE_CANNOT_BLOCK_SYNC_TASK = 24,
   /// A component tried to lift a `char` with an invalid bit pattern.
-  WASMTIME_TRAP_CODE_INVALID_CHAR,
+  WASMTIME_TRAP_CODE_INVALID_CHAR = 25,
   /// Debug assertion generated for a fused adapter regarding the expected
   /// completion of a string encoding operation.
-  WASMTIME_TRAP_CODE_DEBUG_ASSERT_STRING_ENCODING_FINISHED,
+  WASMTIME_TRAP_CODE_DEBUG_ASSERT_STRING_ENCODING_FINISHED = 26,
   /// Debug assertion generated for a fused adapter regarding a string
   /// encoding operation.
-  WASMTIME_TRAP_CODE_DEBUG_ASSERT_EQUAL_CODE_UNITS,
+  WASMTIME_TRAP_CODE_DEBUG_ASSERT_EQUAL_CODE_UNITS = 27,
   /// Debug assertion generated for a fused adapter regarding the alignment of
   /// a pointer.
-  WASMTIME_TRAP_CODE_DEBUG_ASSERT_POINTER_ALIGNED,
+  WASMTIME_TRAP_CODE_DEBUG_ASSERT_POINTER_ALIGNED = 28,
   /// Debug assertion generated for a fused adapter regarding the upper bits
   /// of a 64-bit value.
-  WASMTIME_TRAP_CODE_DEBUG_ASSERT_UPPER_BITS_UNSET,
+  WASMTIME_TRAP_CODE_DEBUG_ASSERT_UPPER_BITS_UNSET = 29,
   /// A component tried to lift or lower a string past the end of its memory.
-  WASMTIME_TRAP_CODE_STRING_OUT_OF_BOUNDS,
+  WASMTIME_TRAP_CODE_STRING_OUT_OF_BOUNDS = 30,
   /// A component tried to lift or lower a list past the end of its memory.
-  WASMTIME_TRAP_CODE_LIST_OUT_OF_BOUNDS,
+  WASMTIME_TRAP_CODE_LIST_OUT_OF_BOUNDS = 31,
   /// A component used an invalid discriminant when lowering a variant value.
-  WASMTIME_TRAP_CODE_INVALID_DISCRIMINANT,
+  WASMTIME_TRAP_CODE_INVALID_DISCRIMINANT = 32,
   /// A component passed an unaligned pointer when lifting or lowering a
   /// value.
-  WASMTIME_TRAP_CODE_UNALIGNED_POINTER,
+  WASMTIME_TRAP_CODE_UNALIGNED_POINTER = 33,
+  /// `task.cancel` invoked in an invalid way.
+  WASMTIME_TRAP_CODE_TASK_CANCEL_NOT_CANCELLED = 34,
+  /// `task.cancel` or `task.return` called too many times
+  WASMTIME_TRAP_CODE_TASK_CANCEL_OR_RETURN_TWICE = 35,
+  /// `subtask.cancel` invoked after it already finished.
+  WASMTIME_TRAP_CODE_SUBTASK_CANCEL_AFTER_TERMINAL = 36,
+  /// `task.return` invoked with an invalid type.
+  WASMTIME_TRAP_CODE_TASK_RETURN_INVALID = 37,
+  /// `waitable-set.drop` invoked on a waitable set with waiters.
+  WASMTIME_TRAP_CODE_WAITABLE_SET_DROP_HAS_WAITERS = 38,
+  /// `subtask.drop` invoked on a subtask that hasn't resolved yet.
+  WASMTIME_TRAP_CODE_SUBTASK_DROP_NOT_RESOLVED = 39,
+  /// `thread.new-indirect` invoked with a function that has an invalid type.
+  WASMTIME_TRAP_CODE_THREAD_NEW_INDIRECT_INVALID_TYPE = 40,
+  /// `thread.new-indirect` invoked with an uninitialized function reference.
+  WASMTIME_TRAP_CODE_THREAD_NEW_INDIRECT_UNINITIALIZED = 41,
+  /// Backpressure-related intrinsics overflowed the built-in counter.
+  WASMTIME_TRAP_CODE_BACKPRESSURE_OVERFLOW = 42,
+  /// Invalid code returned from `callback` of `async`-lifted function.
+  WASMTIME_TRAP_CODE_UNSUPPORTED_CALLBACK_CODE = 43,
+  /// Cannot resume a thread which is not suspended.
+  WASMTIME_TRAP_CODE_CANNOT_RESUME_THREAD = 44,
 };
 
 /**

crates/c-api/src/trap.rs

@@ -40,6 +40,17 @@ const _: () = {
     assert!(Trap::ListOutOfBounds as u8 == 31);
     assert!(Trap::InvalidDiscriminant as u8 == 32);
     assert!(Trap::UnalignedPointer as u8 == 33);
+    assert!(Trap::TaskCancelNotCancelled as u8 == 34);
+    assert!(Trap::TaskCancelOrReturnTwice as u8 == 35);
+    assert!(Trap::SubtaskCancelAfterTerminal as u8 == 36);
+    assert!(Trap::TaskReturnInvalid as u8 == 37);
+    assert!(Trap::WaitableSetDropHasWaiters as u8 == 38);
+    assert!(Trap::SubtaskDropNotResolved as u8 == 39);
+    assert!(Trap::ThreadNewIndirectInvalidType as u8 == 40);
+    assert!(Trap::ThreadNewIndirectUninitialized as u8 == 41);
+    assert!(Trap::BackpressureOverflow as u8 == 42);
+    assert!(Trap::UnsupportedCallbackCode as u8 == 43);
+    assert!(Trap::CannotResumeThread as u8 == 44);
 };
 
 #[repr(C)]