Initial implementation of resource types

[alexcrichton]

This commit is an initial implementation of resource types for the component model. The support added in this commit encompasses:

• wasmparser - parsing and validation of resource types
• wasmprinter - converting binary to text for resource types
• wast - parsing the text format for resource types
• wasm-encoder - writing the binary format for resource types

Other crates such as wit-component and wasm-compose saw a few small changes to continue compiling but do not have support added for resource types. WIT, for example, continues to not support resource types. That's planned to be added in a subsequent commit. This support is intended to be everything necessary for Wasmtime to start working on implementing resource types, and once that's ready I'll circle back to implement WIT support with host/guest/etc generators.

This is a substantial commit. The binary format for resources is pretty minor but the major feature it requires support for is the type-checking in validation. Resources effectively add an ML-module-style type system to the component model with abstract types. This required quite a lot of meticulous and careful plumbing throughout the validator along with a rewritten form of checking subtypes.

This commit in theory implements what should be all or at least a large bulk of what's specified for resources at the binary format layer. Without spec tests for formal spec wording it can't really be said how close to the current documentation it follows, but the intention was to follow it closely. Tests have been attempted to be added here in a number of interesting flavors but this implementation is highly likely to still have holes and/or bugs that break the guarantees of resources.

[alexcrichton]

In terms of tests one thing @elliottt and I wanted to add was fuzzing, but I'm not sure that's going to happen in the near future. The current strategy for components with wasm-smith based fuzzing and with core wasm modules I don't think would lend itself all that well to exercising many interesting cases of the resources implementation here. While still useful to stand up and at least fuzz a bit it probably would end up mostly just stressing validation in general as opposed to specifically resources.

[alexcrichton]

And now as I'm rereading the explainer I'm realizing unimplemented portions are:

• Labels such as [method]foo.bar
• Restrictions on outer aliases touch resource types or resource-using-types.
• Restrictions on more-fine-grained use of type indices and whether or not they're exported or imported.

[alexcrichton]

I'll also note that this implementation intentionally diverges from the currently-written explainer as explained here.

I also opened up WebAssembly/component-model#179 for a difference in this implementation with the explainer which is less so intentional and more so "fell out" of the implementation rules.

[elliottt]

Is this because of (import "" "" (func))?

[alexcrichton]

Indeed yeah, the error message is a bit more descriptive here but this was the substring I figured would be worth matching here. I tried to add some more tests to assert various other parts of the error message too.

[alexcrichton]

As a bit of a status update on this, I've been working recently on this bullet:

Restrictions on more-fine-grained use of type indices and whether or not they're exported or imported.

This motivated by the Explainer.md of the component model explicitly mentioning:

(component
  (import "R1" (type $R1 (sub resource)))
  (type $R2 (resource (rep i32)))
  (export $R2' "R2" (type $R2))
  (func $f1 (result (own $R1)) (canon lift ...))
  (func $f2 (result (own $R2)) (canon lift ...))
  (func $f2' (result (own $R2')) (canon lift ...))
  (export "f1" (func $f1))
  ;; (export "f2" (func $f2)) -- invalid
  (export "f2" (func $f2) (func (result (own $R2'))))
  (export "f2" (func $f2'))
)

Currently as-is with this PR this module is valid (including the "invalid" function) because of the way the "explicit in" checks work. Fixing this has proven to be much more difficult than I previously expected. This sort of logic requires tracking what's exported and what isn't at a per-index level rather than a per-resource-id level. For example in the above "invalid" function it depends on through what path $R2 is referenced rather than simply testing that $R2 was exported somewhere.

I've at this time attempted maybe 3 different methods of implementing this not only for resources but additionally other structural types such as (record) which are intended to be named rather than being allowed to be anonymous. So far all of them have met dead ends and have not produced a final solution. I'm struggling to figure out how best to balance all this and get something implemented to move on.

[alexcrichton]

I should mention another motivation for fixing this is to implement the first bullet:

Labels such as [method]foo.bar

which requires going from (own $foo) to the export/import-name of $foo to validate that the labels are correct. Currently that's not tracked in the validator.

[alexcrichton]

Ok after what feels like it should have been obvious in retrospect I've now pushed up a commit which validates that types are exported (or imported). The implementation is relatively simple at a high level, but I want to doubly-make-aware that the latest commit will invalidate many existing components, namely those created by wit-component which export instances. The old validator accepts them and the new validator will not.

[alexcrichton]

Ok thankfully as I expected implementing [method]foo.bar wasn't so bad. I haven't pushed it up yet though since there are some spec-level clarifications I'd like to sort out first:

• Static methods on resources don't have any validation on the resource name WebAssembly/component-model#182
• Should static methods and methods be allowed on nested resources? WebAssembly/component-model#183
• Should method kebab names be validated in instance creation? WebAssembly/component-model#184

[alexcrichton]

I've pushed up a new commit now which is in response to a problem that arose where a WIT-generated component didn't validate. The input WIT was:

interface foo {
  record baz {}

  record bar {
    baz: baz,
  }
}

default world the-world {
  import bar: interface {
    use self.foo.{bar}

    a: func() -> bar
  }
}

which generates a component along the lines of:

(component $C
  (import "foo" (instance $i
    (type $baz' (record))
    (export $baz "baz" (type (eq $baz')))
    (type $bar' (record (field "baz" $baz)))
    (export $bar "bar" (type (eq $bar')))
  ))
  (alias export $i "bar" (type $bar))
  (import "bar" (instance
    (alias outer $C $bar (type $bar'))
    (export $bar "bar" (type (eq $bar')))
    (export $f "a" (func (result $bar)))
  ))
)

the previous version of this PR, however, said the "bar" import was invalid because the type $bar referred to an unexported type, in the context of the instance type defined for "bar". That's true, but its something that should be explicitly allowed since the instance is only ever used in a context where the types are all exported.

To fix this I disabled validation of instance types entirely with respect to whether types are named/exported/etc. This seemed like the easiest way to fix the problem but I'll need to double-check with Luke to make sure that this is ok behavior since it seems like a bit of a big hammer.

[alexcrichton]

More updates! Digging into #986 led me to running the roundtrip-wit fuzzer on this PR, and it uncovered a few more issues. One was that types are now substituted during instantiation in addition to resource ids. This is exhibited by a new test added which previously didn't validate.

Otherwise some various miscellaenous fixes and such were applied to wit-component to ensure that all shapes of WIT documents generate valid components with respect to naming and such.

[peterhuene]

Really fantastic work here and I'm glad to see the replacement for the original subtype validation implementation, both out of necessity given the complexity of checking resource types and that the original implementation needed some (shall we say...)TLC.

I relied heavily on reading through the various long-form comments (thanks for adding them!), so most of the feedback here is just nits on spotted typos while trying to make sense of the changes.

[lukewagner]

Just looking at resources.wast and type-export-restrictions.wast: looks great, nice job capturing some interesting cases! I can't spot any tests that look wrong; only a few nits/ideas.

[elliottt]

This looks great!

[elliottt]

Did you want to make this change before merging this, or should this TODO be turned into an issue?

[alexcrichton]

I fiddled with this for a bit but I wasn't able to get it to work out well in terms of a small handful of casts were ideally all that's necessary, so I'll open an issue for this.

[alexcrichton]

Hm on second thought this probably isn't worth an issue, but I think it's fine to revisit at a later date if more issues arise. On another attempt to do this it feels like this adds unnecessary verbosity and more conversions, but I could also be getting the types wrong for sure.