Clear affine slots when dropping a Module (#5321)

* Clear affine slots when dropping a `Module` This commit implements a resource usage optimization for Wasmtime with the pooling instance allocator by ensuring that when a `Module` is dropped its backing virtual memory mappings are all removed. Currently when a `Module` is dropped it releases a strong reference to its internal memory image but the memory image may stick around in individual pooling instance allocator slots. When using the `Random` allocation strategy, for example, this means that the memory images could stick around for a long time. While not a pressing issue this has resource usage implications for Wasmtime. Namely removing a `Module` does not guarantee the memfd, if in use for a memory image, is closed and deallocated within the kernel. Unfortunately simply closing the memfd is not sufficient as well as the mappings into the address space additionally all need to be removed for the kernel to release the resources for the memfd. This means that to release all kernel-level resources for a `Module` all slots which have the memory image mapped in must have the slot reset. This problem isn't particularly present when using the `NextAvailable` allocation strategy since the number of lingering memfds is proportional to the maximum concurrent size of wasm instances. With the `Random` and `ReuseAffinity` strategies, however, it's much more prominent because the number of lingering memfds can reach the total number of slots available. This can appear as a leak of kernel-level memory which can cause other system instability. To fix this issue this commit adds necessary instrumentation to `Drop for Module` to purge all references to the module in the pooling instance allocator. All index allocation strategies now maintain affinity tracking to ensure that regardless of the strategy in use a module that is dropped will remove all its memory mappings. A new allocation method was added to the index allocator for allocating an index without setting affinity and only allocating affine slots. This is used to iterate over all the affine slots without holding the global index lock for an unnecessarily long time while mappings are removed. * Review comments
2022-11-28 08:58:02 -06:00
parent 240ff2b854
commit 951bdcb2cf
5 changed files with 288 additions and 223 deletions
--- a/crates/runtime/src/instance/allocator/pooling.rs
+++ b/crates/runtime/src/instance/allocator/pooling.rs
@@ -12,7 +12,7 @@ use super::{
    InstantiationError,
 };
 use crate::{instance::Instance, Memory, Mmap, Table};
-use crate::{MemoryImageSlot, ModuleRuntimeInfo, Store};
+use crate::{CompiledModuleId, MemoryImageSlot, ModuleRuntimeInfo, Store};
 use anyhow::{anyhow, bail, Context, Result};
 use libc::c_void;
 use std::convert::TryFrom;
@@ -560,6 +560,22 @@ impl InstancePool {

        bail!("{}", message)
    }
+
+    fn purge_module(&self, module: CompiledModuleId) {
+        // Purging everything related to `module` primarily means clearing out
+        // all of its memory images present in the virtual address space. Go
+        // through the index allocator for slots affine to `module` and reset
+        // them, freeing up the index when we're done.
+        //
+        // Note that this is only called when the specified `module` won't be
+        // allocated further (the module is being dropped) so this shouldn't hit
+        // any sort of infinite loop since this should be the final operation
+        // working with `module`.
+        while let Some(index) = self.index_allocator.alloc_affine_and_clear_affinity(module) {
+            self.memories.clear_images(index.0);
+            self.index_allocator.free(index);
+        }
+    }
 }

 /// Represents a pool of WebAssembly linear memories.
@@ -740,6 +756,26 @@ impl MemoryPool {
        let idx = instance_index * self.max_memories + (memory_index.as_u32() as usize);
        *self.image_slots[idx].lock().unwrap() = Some(slot);
    }
+
+    /// Resets all the images for the instance index slot specified to clear out
+    /// any prior mappings.
+    ///
+    /// This is used when a `Module` is dropped at the `wasmtime` layer to clear
+    /// out any remaining mappings and ensure that its memfd backing, if any, is
+    /// removed from the address space to avoid lingering references to it.
+    fn clear_images(&self, instance_index: usize) {
+        for i in 0..self.max_memories {
+            let index = DefinedMemoryIndex::from_u32(i as u32);
+
+            // Clear the image from the slot and, if successful, return it back
+            // to our state. Note that on failure here the whole slot will get
+            // paved over with an anonymous mapping.
+            let mut slot = self.take_memory_image_slot(instance_index, index);
+            if slot.remove_image().is_ok() {
+                self.return_memory_image_slot(instance_index, index, slot);
+            }
+        }
+    }
 }

 impl Drop for MemoryPool {
@@ -1116,6 +1152,10 @@ unsafe impl InstanceAllocator for PoolingInstanceAllocator {
    unsafe fn deallocate_fiber_stack(&self, _stack: &wasmtime_fiber::FiberStack) {
        // A no-op as we don't own the fiber stack on Windows
    }
+
+    fn purge_module(&self, module: CompiledModuleId) {
+        self.instances.purge_module(module);
+    }
 }

 #[cfg(test)]