kobako 0.9.1 → 0.10.0

data/ext/kobako/src/runtime/instance_pre.rs

@@ -0,0 +1,97 @@
+//! Per-path cache of pre-instantiated wasmtime artifacts.
+//!
+//! The `Linker` wiring (the WASI preview1 import set plus the
+//! `__kobako_dispatch` host import) and its type-check against the
+//! compiled Module are identical for every `Kobako::Runtime` on the
+//! same Guest Binary — both host closures read all their state from
+//! the `Invocation` inside the calling Store, never from the Runtime.
+//! Caching the resolved `InstancePre` per path leaves only the
+//! `instantiate` call itself on the `Runtime.from_path` hot path.
+//!
+//! Concurrency: see `super::cache` — under Ruby's GVL the Mutex serves
+//! `Sync` bounds rather than real contention.
+
+use std::collections::HashMap;
+use std::path::{Path, PathBuf};
+use std::sync::{Mutex, OnceLock};
+
+use magnus::{Error as MagnusError, Ruby};
+use wasmtime::{Caller, InstancePre, Linker};
+use wasmtime_wasi::p1;
+
+use super::cache::{cached_module, shared_engine};
+use super::invocation::Invocation;
+use super::{dispatch, setup_err, trap};
+
+static INSTANCE_PRE_CACHE: OnceLock<Mutex<HashMap<PathBuf, InstancePre<Invocation>>>> =
+    OnceLock::new();
+
+/// Look up `path` in the per-path `InstancePre` cache, wiring the
+/// Linker and resolving the Module's imports on a miss. Compilation
+/// faults surface through `cached_module`; import-resolution faults
+/// raise `Kobako::SetupError` (docs/behavior.md E-41).
+pub(crate) fn cached_instance_pre(path: &Path) -> Result<InstancePre<Invocation>, MagnusError> {
+    let cache = INSTANCE_PRE_CACHE.get_or_init(|| Mutex::new(HashMap::new()));
+
+    if let Some(pre) = cache
+        .lock()
+        .expect("instance_pre cache mutex poisoned")
+        .get(path)
+        .cloned()
+    {
+        return Ok(pre);
+    }
+
+    let module = cached_module(path)?;
+    let linker = build_linker()?;
+    let ruby = Ruby::get().expect("Ruby thread");
+    let pre = linker
+        .instantiate_pre(&module)
+        .map_err(|e| trap::instantiate_err(&ruby, e))?;
+    cache
+        .lock()
+        .expect("instance_pre cache mutex poisoned")
+        .insert(path.to_path_buf(), pre.clone());
+    Ok(pre)
+}
+
+/// Build the host-import `Linker` every Guest Binary instantiates
+/// against.
+fn build_linker() -> Result<Linker<Invocation>, MagnusError> {
+    let ruby = Ruby::get().expect("Ruby thread");
+    let mut linker: Linker<Invocation> = Linker::new(shared_engine()?);
+
+    // Wire the wasmtime-wasi preview1 WASI imports. Routes guest fd 1/2
+    // to the MemoryOutputPipes set up before each run via
+    // `Runtime::eval`. The closure pulls a `&mut WasiP1Ctx` out of
+    // Invocation; the panic semantics live inside `Invocation::wasi_mut`
+    // so the wiring stays honest about its precondition.
+    p1::add_to_linker_sync(&mut linker, |state: &mut Invocation| state.wasi_mut())
+        .map_err(|e| setup_err(&ruby, format!("failed to set up the WASI runtime: {}", e)))?;
+
+    // `__kobako_dispatch` host import. Signature per docs/wire-codec.md
+    // § ABI Signatures:
+    //   (req_ptr: i32, req_len: i32) -> i64
+    // Decodes the Request bytes, dispatches via the Ruby-side
+    // dispatch Proc (bound per-Sandbox through `Runtime#on_dispatch=`),
+    // allocates a guest buffer through `__kobako_alloc`, writes
+    // the Response bytes there, and returns the packed
+    // `(ptr<<32)|len`. The dispatcher returns 0 on any wire-layer
+    // fault (including no Proc bound); see `dispatch::handle`.
+    linker
+        .func_wrap(
+            "env",
+            "__kobako_dispatch",
+            |mut caller: Caller<'_, Invocation>, req_ptr: i32, req_len: i32| -> i64 {
+                dispatch::handle(&mut caller, req_ptr, req_len)
+            },
+        )
+        .map_err(|e| {
+            setup_err(
+                &ruby,
+                format!("failed to set up the host callback bridge: {}", e),
+            )
+        })?;
+
+    Ok(linker)
+}

data/ext/kobako/src/runtime/invocation.rs

@@ -2,29 +2,28 @@
 //! [SPEC.md Single-Invocation Slot] (one `Invocation` per OS thread
 //! for the lifetime of one `Runtime::eval` / `Runtime::run` call).
 //!
-//! Owned by `StoreCell` (a `RefCell` shim wrapping `wasmtime::Store`)
-//! and threaded through every host import — the `__kobako_dispatch`
-//! dispatcher reads the bound dispatch Proc, while the run-path methods
-//! on `crate::runtime::Runtime` install fresh WASI context + pipes
-//! before every invocation (docs/behavior.md B-03 / B-04).
+//! Owned as the data of each per-invocation `wasmtime::Store`
+//! (docs/behavior.md B-49) and threaded through every host import —
+//! the `__kobako_dispatch` dispatcher reads the bound dispatch Proc,
+//! while the run-path methods on `crate::runtime::Runtime` install the
+//! invocation's WASI context + pipes at Store creation
+//! (docs/behavior.md B-03 / B-04).
 //!
 //! The slot also carries the per-invocation wall-clock deadline
 //! (docs/behavior.md B-01, E-19) and the per-invocation linear-memory
 //! delta cap `MemoryLimiter` (docs/behavior.md B-01, E-20). Both are
 //! read from the wasmtime `epoch_deadline_callback` / `ResourceLimiter`
-//! callbacks installed in `crate::runtime::Runtime::from_path`. The
+//! callbacks installed in `crate::runtime::Runtime::new_store`. The
 //! memory cap measures only the `memory.grow` delta past the linear-
-//! memory size captured at invocation entry — the mruby image's
-//! initial allocation and prior invocations' watermark are outside the
-//! budget.
+//! memory size captured at invocation entry — the image's initial
+//! allocation is outside the budget.
 //!
-//! [SPEC.md Single-Invocation Slot]: ../../../SPEC.md
+//! [SPEC.md Single-Invocation Slot]: ../../../../SPEC.md
 
-use std::cell::{Ref, RefCell, RefMut};
 use std::time::{Duration, Instant};
 
 use magnus::{value::Opaque, Value};
-use wasmtime::{ResourceLimiter, Store as WtStore};
+use wasmtime::ResourceLimiter;
 use wasmtime_wasi::p1::WasiP1Ctx;
 use wasmtime_wasi::p2::pipe::MemoryOutputPipe;
 
@@ -134,14 +133,14 @@ impl Invocation {
     }
 
     /// Return the current per-run deadline. Read from the epoch-deadline
-    /// callback installed by `crate::runtime::Runtime::from_path`.
+    /// callback installed by `crate::runtime::Runtime::new_store`.
     pub(super) fn deadline(&self) -> Option<Instant> {
         self.deadline
     }
 
     /// Mutable handle to the embedded `MemoryLimiter`. Required by
     /// the wasmtime `ResourceLimiter` callback wiring in
-    /// `crate::runtime::Runtime::from_path`
+    /// `crate::runtime::Runtime::new_store`
     /// (`store.limiter(|state| state.limiter_mut())`); kept private to
     /// the wasm submodule so the only public surface for arming the
     /// cap goes through `Invocation::arm_memory_cap` /
@@ -362,62 +361,6 @@ impl std::fmt::Display for TimeoutTrap {
 
 impl std::error::Error for TimeoutTrap {}
 
-/// Interior-mutability wrapper around `wasmtime::Store<Invocation>`.
-///
-/// Magnus requires `Send + Sync` for wrapped types. `wasmtime::Store` is not
-/// `Sync`, so we wrap it in a `RefCell`. `RefCell` alone is sufficient
-/// because magnus enforces single-threaded GVL access from Ruby; `Send` and
-/// `Sync` are asserted via the unsafe impls below.
-pub(super) struct StoreCell {
-    inner: RefCell<WtStore<Invocation>>,
-}
-
-impl StoreCell {
-    /// Wrap a freshly-built `wasmtime::Store<Invocation>` so it can be owned
-    /// by the magnus-wrapped `Runtime`.
-    pub(super) fn new(store: WtStore<Invocation>) -> Self {
-        Self {
-            inner: RefCell::new(store),
-        }
-    }
-
-    /// Immutable borrow of the wrapped Store. Panics if a `borrow_mut()`
-    /// is currently live — matches `RefCell::borrow` semantics.
-    pub(super) fn borrow(&self) -> Ref<'_, WtStore<Invocation>> {
-        self.inner.borrow()
-    }
-
-    /// Mutable borrow of the wrapped Store. Panics if any other borrow is
-    /// currently live — matches `RefCell::borrow_mut` semantics.
-    pub(super) fn borrow_mut(&self) -> RefMut<'_, WtStore<Invocation>> {
-        self.inner.borrow_mut()
-    }
-}
-
-// SAFETY: magnus requires `Send + Sync` on `#[magnus::wrap]` types. Both
-// claims hold under the GVL invariant:
-//
-//   * Send — `wasmtime::Store<Invocation>` is itself `Send` (verified
-//     upstream by wasmtime; see `wasmtime::Store`'s trait impls).
-//     `RefCell<T>: Send` whenever `T: Send`. The remaining stored state
-//     (`Invocation`) holds `Opaque<Value>` for the Ruby Server handle —
-//     `Opaque<Value>` is documented as `Send` by magnus precisely so
-//     wrapped objects can satisfy this bound.
-//
-//   * Sync — `RefCell` is *not* `Sync` in the general Rust sense
-//     (concurrent `borrow_mut` is UB). We assert `Sync` here because the
-//     GVL serialises every call into Ruby C and every entry into magnus-
-//     wrapped methods onto a single OS thread at a time: by the time the
-//     `Sync` bound matters, magnus has already established that only one
-//     thread can be inside the wrapper. Cross-thread mutation cannot
-//     occur. If a future magnus release adopts a thread model that
-//     permits concurrent access to wrapped objects, this assertion would
-//     have to revert and `StoreCell` would need to switch to
-//     `Mutex<wasmtime::Store<…>>` — but as of magnus 0.8 the contract
-//     holds.
-unsafe impl Send for StoreCell {}
-unsafe impl Sync for StoreCell {}
-
 #[cfg(test)]
 mod tests {
     //! Unit tests for `MemoryLimiter` — the per-invocation memory