Lambda support in VM: Wolfgang's PR plus some simplifications (removing mask, clarifying ops)

[brmataptos]

Description

This PR started with a cherry-pick commit of Wolfgang's draft PR 15171 = commit #d85b919.

On top of that, I

• Remove the Mask feature since it complicates review,
• Extend and rename the opcodes to make them more general and clear
  • Any function value can have arguments bound to it in advance,
    not requiring a defined function handle except in LdFunction[Generic].
• Tried to avoid unnecessary changes, but may have accidentally done so.
  • It took me a while to realize that we do indeed need a type parameter to
    EarlyBind and Invoke because of the way the verifier works today.
• add some semantics comment to file_format.rs which I'd worked out previously.

The current operations are:
- LdFunction, LdFunctionGeneric = generate a closure from a defined function
- EarlyBind = bind more arguments to any closure
- Invoke = call a closure with final arguments

As noted by Wolfgang in his commit, we are still lacking:

• function value representation and interpreter
• function value serialization and deserialization
• some connections with front-end

How Has This Been Tested?

Added tests for feature gating. Should be safe to merge.

Key Areas to Review

Did I lose any verifier support when modfiying Wolfgang's opcodes?

[trunk-io]

⏱️ 1h 30m total CI duration on this PR

Job	Cumulative Duration	Recent Runs
rust-move-tests	13m	🟩
rust-move-tests	12m	🟩
rust-move-tests	12m	🟩
rust-move-tests	12m	🟥
rust-move-tests	12m	🟥
rust-cargo-deny	10m	🟩 🟩 🟩 🟩 🟩 (+1 more)
check-dynamic-deps	9m	🟩 🟩 🟩 🟩 🟩 (+1 more)
rust-move-tests	4m	🟥
general-lints	3m	🟩 🟩 🟩 🟩 🟩 (+1 more)
semgrep/ci	2m	🟩 🟩 🟩 🟩 🟩 (+1 more)
file_change_determinator	1m	🟩 🟩 🟩 🟩 🟩 (+1 more)
permission-check	21s	🟩 🟩 🟩 🟩 🟩 (+1 more)
permission-check	16s	🟩 🟩 🟩 🟩 🟩 (+1 more)
check-branch-prefix	1s	🟩

🚨 1 job on the last run was significantly faster/slower than expected

Job	Duration	vs 7d avg	Delta
check-dynamic-deps	5m	1m

_{settings ⋅ feedback ⋅ docs ⋅ learn more about trunk.io}

[brmataptos]

• [move-compiler-v2, VM] add bytecode generator for lambdas #15485
• Lambda support in VM: Wolfgang's PR plus some simplifications (removing mask, clarifying ops) #15387 👈 (View in Graphite)
• [move-compiler-v2] clean up a few remaining issues in lambda parser/front-end code #15365
• [move-compiler-v2] add parser code for lambda types #14792
• [compiler-v2] add test cases for lambda #14791
• [move-compiler-v2] fix #14633: fix error messages for lambdas, identify change points for more complete lambda implementation #14742
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[runtian-zhou]

I will need some more time to double check the bytecode verification logics.

[runtian-zhou]

I would rename it to CallFunctionPointer just to align with the Call instruction we had previously?

[brmataptos]

I don't think that is useful, as it is not really a pointer. I'd be tempted to rename it Apply as a nod to Lisp's nomenclature, but I don't think it really matters here. Does Invoke confuse you?

[brmataptos]

Leaving it.

[runtian-zhou]

I think it's better to use named struct instead of tuple here.

Also for the AbilitySet, I suppose we will need some subtyping rules here in the type checking phase?

[brmataptos]

Changing to a struct causes a lot of little changes, hope other reviewers don't mind all the changed code.

Already have it in functions invoke_function and early_bind_function in move-bytecode-verifier/src/type_safety.rs. Do we need more?

[brmataptos]

Using a struct-style enum variant here causes those mysterious Clippy problems. I think it's related to one of the derive macros on SignatureToken declaration (probably dearbitrary::Dearbitrary) lacking handling of struct-style enum variant. In the interest of moving faster, I'm going back to the tuple-style enum variant instead, rather than trying to fix that 3d-party code. :-)

[runtian-zhou]

Are you planning to fix this part for this PR?

[brmataptos]

Coming in a later PR.

[brmataptos]

later

[runtian-zhou]

With the instructions proposed, we will require closures to have their type arguments being fully provided at LdFunction time, not at invocation time. Is this an intentional design? Asking this because the current dynamic dispatch code (for dispatchable fungible asset) actually performs type binding at call time.

[georgemitenkov]

Why? LdFunction does not need to load until use? We store idx/name in a function value, and only when we call Invoke we resolve that index/name and load the function?

[brmataptos]

The SignatureIndex here is a static type, and is needed for verifier to allow the stack depth checker to know how many parameters/results are being popped/pushed on the stack, since the stack depth analysis is independent of the type analysis in the verifier (if these 2 analyses were combined, then this need not be included in the instruction, as it should be easy to derive from context; I really don't know why there are bunch of independent passes in the verifier).

Execution will have to look at the function value (1) to get the early-bound parameters to pass, and (2) to get the FunctionHandle/FunctionInstantiation to (a) get its type to figure out the number and type of parameters needed to pop off the stack for this call, and (b) determine which function is being called.

The dynamic types will have to be checked at some point, either when the value is created (LdFunction/EarlyBind/Deserialization) or called (InvokeFunction). If we think it will be called at least once, then earlier type-checking would make sense, but if pulling the function data into cache is the slow part of type checking, we might want to do it at Call time.

[brmataptos]

Marking this replied for bookkeeping.

[runtian-zhou]

I don't think we need it here? It's a good question however. MoveTypeLayout is used for ser/de in the VM so it would be dependent on our implementation there?

[georgemitenkov]

We do not need it here (function values cannot be constants), but we do need it otherwise. I have a PR adding it: #15442

[brmataptos]

It's possible that we could allow function values as constants in the future. But yeah, maybe not worth it now.

[georgemitenkov]

Well, for structs it is also possible but we did not do it yet, so None is a way to go :)

[runtian-zhou]

Would it make more sense to bind by mask? i.e: EarlyBindFunction will only bind one argument at a time and the u8 will be used to specify which argument to bind. This would allow more flexibility?

[brmataptos]

Any function generated for the body of an lambda expression can order free variables before lambda parameters so that it is natural to early-bind the k first parameters. If the user wants to use an existing function with parameters in the wrong order, the user can add a wrapper function as necessary.

The mask idea and the code Wolfgang and I had written to deal with more arbitrary permutations of early/late-bound parameters was very "clever" and therefore hard to review and really an unnecessary security risk.

[brmataptos]

replied already

[runtian-zhou]

What is this invocation mode?

[brmataptos]

For LAMBDA MVP, we are playing it very safe and disallowing any call to module m if there is any dynamic call on the stack. This is enforced by a VM state flag conservative_invocation_mode, which is set if we are in a dynamic call.

This is because dynamic calls violate the static dependency guarantees. After we have the MVP implemented we will see how far we can prove dynamic safety, e.g., using access specifiers.

There was an error here in that the dynamic call also needs to always check that its module is not already on the stack. Fixed.

[runtian-zhou]

I don't think this is a necessary change nor this is safe. Acquire list is only a local concept for now. Imagine a public move function that has acquire list, you can easily create another move module that invokes this function. In that module, the acquire list would be empty. In this sense you would be able to bypass the constraints here easily.

[brmataptos]

We disallow both reentrancy and nonempty acquires lists for now, so it's definitely safe, if a bit limited. Your foreign move module can't call back into this one, since you're already on the stack.

In the future we can add more general access_specifiers to functions and function types, and check that the dynamic call doesn't exceed the accesses of the caller. I'd rather work that out first, but people are anxious about an MVP deadline.

[brmataptos]

I was being overly cautious here. You're right, as long as we disallow all dynamic reentrancy we can ignore the acquires list of the function here.

Let's discuss post-MVP approaches to loosen constraints later.

[runtian-zhou]

The strategy I was taking previously is indeed making invoke instruction to be a nil-op but check re-entrancy at runime.

[brmataptos]

Not sure what you mean by "nil-op" here. Did you mean what I have done here?

[georgemitenkov]

Can we add an error message here? i.e., PartialVMError::new(StatusCode::TYPE_MISMATCH).with_message(...)

[brmataptos]

Done, although:

Do you realize that most type mismatches will show up below, which has no message. Printing the types might be interesting, if we had Display for SignatureToken.

[georgemitenkov]

Well, we can use debug and format via "{:?}"? Any extra information is better than a status code. Imagine you have debug a type mismatch - there are so many places it can come from, it is difficult to bisect, error messages allows us to pinpoint the location (if they are propagated correctly 😄)

Below is some old code I do not know who wrote, but I would love to see error messages as well there.

[georgemitenkov]

Why this change? Bad rebase?

[brmataptos]

Not sure what happened to the /// but the backquotes make sense here. Not going to rewrite the whole file, though.

[georgemitenkov]

I would prefer to have less changed lines in diff, but up to you

[georgemitenkov]

nit: personally, I am not a fan of "", if the type name changes, comment can easily be outdated. if the tokenorif the [SignatureToken]` can be better?

[brmataptos]

The comment style I used matches the rest of the file (see lines 1363, 1428, 1446, 1453, 1460, 1467). If we want to change this, we should do them all. Changing just 1 detracts from readability.

Suggest an off-line rustdoc style discussion and global style fix. But not in this PR.

[georgemitenkov]

I disagree: off-line discussions will lead to nothing because no one will do the scan across all aptos-core to fix wrong/outdated comments or their style. We should fix these things incrementally as we touch the code.

For this specific issue, I am fine with keeping `` for now. But this is bad in my opinion, and leads to things like:

/// `InterpreterImpl` instances can execute Move functions.
///
/// An `Interpreter` instance is a stand alone execution context for a function.
/// It mimics execution on a single thread, with an call stack and an operand stack.
pub(crate) struct InterpreterImpl { ... 

[brmataptos]

Anyone who cares can do the scan and fix. It's much easier to review a style cleanup as an independent PR.

[georgemitenkov]

We do not need it here (function values cannot be constants), but we do need it otherwise. I have a PR adding it: #15442

[brmataptos]

Addressed comments, thanks.

[brmataptos]

Done, although:

Do you realize that most type mismatches will show up below, which has no message. Printing the types might be interesting, if we had Display for SignatureToken.

[brmataptos]

Leaving it.

[brmataptos]

Not sure what happened to the /// but the backquotes make sense here. Not going to rewrite the whole file, though.

[brmataptos]

It's possible that we could allow function values as constants in the future. But yeah, maybe not worth it now.

[brmataptos]

replied already

[brmataptos]

For LAMBDA MVP, we are playing it very safe and disallowing any call to module m if there is any dynamic call on the stack. This is enforced by a VM state flag conservative_invocation_mode, which is set if we are in a dynamic call.

This is because dynamic calls violate the static dependency guarantees. After we have the MVP implemented we will see how far we can prove dynamic safety, e.g., using access specifiers.

There was an error here in that the dynamic call also needs to always check that its module is not already on the stack. Fixed.

[brmataptos]

I was being overly cautious here. You're right, as long as we disallow all dynamic reentrancy we can ignore the acquires list of the function here.

Let's discuss post-MVP approaches to loosen constraints later.

[brmataptos]

Not sure what you mean by "nil-op" here. Did you mean what I have done here?

[brmataptos]

@georgemitenkov I've added feature gating and tests to verify that it's being done. I see some is done in e2e-tests but I can't do it there because the compiler doesn't have complete codegen yet. I've added a test in third_party/move/move-bytecode-verifier/bytecode-verifier-tests/src/unit_tests/feature_function-values_tests.rs which manually constructs the bytecode file. Fun!

PTAL.

[georgemitenkov]

Full pass. Do we have a way to test the verifier changes? I saw tests for feature verification, but I do not know where we test other passes.

[georgemitenkov]

Can you return None here (one less TODO)? We do not expect function value constant any time soon. Let's also add a unit test for that?

[georgemitenkov]

Should be Function(..)?

[georgemitenkov]

can we rename this ty to tok? It is annoying that we have tags, tokens and types and sometimes even layouts all as types....

[georgemitenkov]

Function(..)?

[georgemitenkov]

I don't think this adds much value. Display implementation is the same, only adds 2 spaces. And having multiple conversions into string is just confusing.

[brmataptos]

I didn't want to change all existing outputs to look different and make review difficult. This is used for ability display just for functions.

[georgemitenkov]

Add debug formats of types "{:?}, expected_ty, ..." Otherwise the message is useless?

[georgemitenkov]

I am not sure this works? Before you do &closure_ty != expected_ty, but that compares abilities by equality as well? I think with match you can compare args/return types by equality, and check subset here.

[georgemitenkov]

This is duplicated with early bind, can we factor the above into a helper function?

[georgemitenkov]

Can we make the message more detailed? What is received count, what is the expected, etc.

[georgemitenkov]

nit: you can use if matches!(Some(...) if condition) { .. }

[georgemitenkov]

@brmataptos tests are failing? I see these on CI:

2024-12-09T04:44:56.0568444Z thread 'garbage_inputs' panicked at third_party/move/move-binary-format/serializer-tests/tests/serializer_tests.rs:45:14:
2024-12-09T04:44:56.0569258Z deserialization should work: PartialVMError { major_status: UNKNOWN_OPCODE, sub_status: None, message: None, exec_state: None, indices: [], offsets: [] }