polyplug 0.1.1

Universal high-performance zero-overhead cross-language plugin runtime
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283

#![allow(clippy::expect_used)]

//! Concurrent load + unload of the same and different bundles.
//!
//! The invariant under test is the epoch-reclamation guarantee: a reader that
//! pins the epoch and observes a handle concurrently with an unload must EITHER
//! resolve successfully — in which case the resolved interface stays alive for as
//! long as the reader holds its pin, even though the bundle was invalidated — OR
//! fail cleanly with `StaleHandle`/`PluginNotFound`. It must never produce a
//! use-after-free. Run under ThreadSanitizer (see `.github/workflows/nightly.yml`)
//! to also assert the registry's locking is race-free.

use core::sync::atomic::AtomicBool;
use core::sync::atomic::AtomicUsize;
use core::sync::atomic::Ordering;
use std::sync::Arc;
use std::sync::Barrier;

use polyplug::error::RegistryError;
use polyplug::runtime_store::RuntimeStore;
use polyplug_abi::{GuestContractHandle, GuestContractInterface, PluginDescriptor, Version};
use polyplug_utils::BundleId;
use polyplug_utils::GuestContractId;

use crate::fixtures::make_descriptor;

const RESOLVER_THREADS: usize = 6_usize;
const VERSION_V1: Version = Version {
    major: 1,
    minor: 0,
    patch: 0,
};

const UNLOAD_CONTRACT_ID: u64 = 0x7171_0000_0000_3000_u64;

static INTERFACE_UNLOAD: GuestContractInterface =
    make_interface!(GuestContractId::from_u64(UNLOAD_CONTRACT_ID), VERSION_V1);

const UNLOAD_BUNDLE_ID: u64 = 0xABCD_0002_u64;

const UNLOAD_ROUNDS: usize = 24_usize;

/// Exercises the resolve↔invalidate (resolve→dispatch) race: resolver threads
/// continuously `find` + `resolve` + read the interface while one thread
/// repeatedly invalidates (unloads) and re-registers the bundle.
///
/// The invariant under test is the epoch-reclamation guarantee: a reader that pins
/// the epoch and observes a handle concurrently with an unload must EITHER resolve
/// successfully — in which case the resolved interface stays alive for as long as the
/// reader holds its pin, even though the bundle was invalidated — OR fail cleanly with
/// `StaleHandle`/`PluginNotFound`. It must never produce a use-after-free. Run this
/// under ThreadSanitizer (see `.github/workflows/nightly.yml`) to also assert the
/// registry's locking is race-free.
#[test]
fn stress_concurrent_unload_with_resolvers() {
    let registry: Arc<RuntimeStore> = Arc::new(RuntimeStore::new());
    let descriptor: PluginDescriptor = make_descriptor("unload_plugin", "stress.unload.contract");
    // SAFETY: INTERFACE_UNLOAD is a static reference valid for the test lifetime.
    unsafe {
        registry
            .register_guest_contract(
                descriptor,
                &INTERFACE_UNLOAD,
                "stress.unload.contract".to_owned(),
                BundleId::from_u64(UNLOAD_BUNDLE_ID),
            )
            .expect("initial register must succeed");
    }

    let stop: Arc<AtomicBool> = Arc::new(AtomicBool::new(false));
    let ready: Arc<Barrier> = Arc::new(Barrier::new(RESOLVER_THREADS + 1_usize));
    let resolve_count: Arc<AtomicUsize> = Arc::new(AtomicUsize::new(0_usize));
    let mut resolver_handles: Vec<std::thread::JoinHandle<()>> =
        Vec::with_capacity(RESOLVER_THREADS);

    for _thread_idx in 0_usize..RESOLVER_THREADS {
        let reg_clone: Arc<RuntimeStore> = Arc::clone(&registry);
        let stop_clone: Arc<AtomicBool> = Arc::clone(&stop);
        let ready_clone: Arc<Barrier> = Arc::clone(&ready);
        let resolve_counter: Arc<AtomicUsize> = Arc::clone(&resolve_count);
        let resolver_handle: std::thread::JoinHandle<()> = std::thread::spawn(move || {
            ready_clone.wait();
            // Guarantee at least one successful resolve before honoring `stop`
            // (mirrors the swap test): the unload loop ends on a re-register, so
            // the contract is present once the loop stops and every resolver can
            // make progress before exiting.
            let mut local_resolves: usize = 0_usize;
            loop {
                // Pin the epoch across find→resolve→deref so the resolved interface
                // stays alive across the deref even though another thread unloads the
                // bundle concurrently — under true unload the superseded interface is
                // epoch-reclaimed only after every pinned reader has unpinned.
                let _epoch_guard: crossbeam_epoch::Guard = crossbeam_epoch::pin();
                let handle_result: Result<GuestContractHandle, RegistryError> = reg_clone
                    .find_guest_contract(GuestContractId::from_u64(UNLOAD_CONTRACT_ID), 0_u32);
                if let Ok(found) = handle_result {
                    let resolve_result: Result<*const GuestContractInterface, RegistryError> =
                        reg_clone.resolve_guest_contract(found);
                    if let Ok(interface_ptr) = resolve_result {
                        // SAFETY: the epoch guard pinned above keeps the resolved
                        // interface alive across this deref even after a concurrent
                        // unload on another thread.
                        let contract_id: GuestContractId = unsafe { (*interface_ptr).contract_id };
                        assert_eq!(contract_id.id(), UNLOAD_CONTRACT_ID);
                        resolve_counter.fetch_add(1_usize, Ordering::Relaxed);
                        local_resolves += 1_usize;
                    }
                }
                if stop_clone.load(Ordering::Relaxed) && local_resolves >= 1_usize {
                    break;
                }
            }
        });
        resolver_handles.push(resolver_handle);
    }

    ready.wait();

    for _round in 0_usize..UNLOAD_ROUNDS {
        registry
            .invalidate_bundle(BundleId::from_u64(UNLOAD_BUNDLE_ID))
            .expect("invalidate must succeed");
        let descriptor: PluginDescriptor =
            make_descriptor("unload_plugin", "stress.unload.contract");
        // SAFETY: INTERFACE_UNLOAD is a static reference valid for the test lifetime.
        unsafe {
            registry
                .register_guest_contract(
                    descriptor,
                    &INTERFACE_UNLOAD,
                    "stress.unload.contract".to_owned(),
                    BundleId::from_u64(UNLOAD_BUNDLE_ID),
                )
                .expect("re-register must succeed");
        }
    }

    stop.store(true, Ordering::Relaxed);
    for handle in resolver_handles {
        handle.join().expect("resolver thread must not panic");
    }

    let resolved_total: usize = resolve_count.load(Ordering::Relaxed);
    assert!(
        resolved_total > 0_usize,
        "resolver threads must observe at least one resolve"
    );
}

// ─── Multi-writer load/unload churn ───────────────────────────────────────────

const MW_CONTRACT_ID: u64 = 0x7171_0000_0000_6000_u64;
const MW_BUNDLE_ID: u64 = 0xABCD_0000_0000_0006_u64;

static INTERFACE_MW: GuestContractInterface =
    make_interface!(GuestContractId::from_u64(MW_CONTRACT_ID), VERSION_V1);

/// Several writer threads concurrently churn the SAME bundle — each loops
/// `invalidate` then `register` — while resolver threads read. This drives the
/// retire/reclaim path under genuine multi-writer contention (the single-writer
/// `stress_concurrent_unload_with_resolvers` only ever has one thread mutating).
///
/// Writers tolerate `DuplicateProvider` (another writer re-registered first) and a
/// zero-removed `invalidate` (another writer already unloaded) — those are
/// expected outcomes of the race, not failures. The invariants are: no writer or
/// resolver panics or hits a use-after-free, every resolved interface that a
/// pinned reader observes is intact (its contract id is correct), and after the
/// churn quiesces the contract is in a consistent resolvable state.
#[test]
fn concurrent_load_unload_same_bundle_multiwriter_no_uaf() {
    const WRITERS: usize = 4_usize;
    const RESOLVERS: usize = 4_usize;
    const ROUNDS_PER_WRITER: usize = 200_usize;

    let registry: Arc<RuntimeStore> = Arc::new(RuntimeStore::new());
    // SAFETY: INTERFACE_MW is 'static, valid for the test lifetime.
    unsafe {
        registry
            .register_guest_contract(
                make_descriptor("mw_plugin", "mw.contract"),
                &INTERFACE_MW,
                "mw.contract".to_owned(),
                BundleId::from_u64(MW_BUNDLE_ID),
            )
            .expect("initial register must succeed");
    }

    let ready: Arc<Barrier> = Arc::new(Barrier::new(WRITERS + RESOLVERS));
    let stop: Arc<AtomicBool> = Arc::new(AtomicBool::new(false));
    let resolve_count: Arc<AtomicUsize> = Arc::new(AtomicUsize::new(0_usize));

    let mut writer_handles: Vec<std::thread::JoinHandle<()>> = Vec::with_capacity(WRITERS);
    for _ in 0_usize..WRITERS {
        let reg: Arc<RuntimeStore> = Arc::clone(&registry);
        let ready_clone: Arc<Barrier> = Arc::clone(&ready);
        writer_handles.push(std::thread::spawn(move || {
            ready_clone.wait();
            for _ in 0_usize..ROUNDS_PER_WRITER {
                // A zero-removed invalidate is fine — another writer beat us to it.
                let _: Result<u32, RegistryError> =
                    reg.invalidate_bundle(BundleId::from_u64(MW_BUNDLE_ID));
                // SAFETY: INTERFACE_MW is 'static, valid for the test lifetime.
                let result: Result<GuestContractHandle, RegistryError> = unsafe {
                    reg.register_guest_contract(
                        make_descriptor("mw_plugin", "mw.contract"),
                        &INTERFACE_MW,
                        "mw.contract".to_owned(),
                        BundleId::from_u64(MW_BUNDLE_ID),
                    )
                };
                // DuplicateProvider means another writer re-registered first — an
                // expected race outcome, not a failure. Anything else is a bug.
                if let Err(err) = result
                    && !matches!(err, RegistryError::DuplicateProvider { .. })
                {
                    panic!("unexpected registry error during churn: {err:?}");
                }
            }
        }));
    }

    let mut resolver_handles: Vec<std::thread::JoinHandle<()>> = Vec::with_capacity(RESOLVERS);
    for _ in 0_usize..RESOLVERS {
        let reg: Arc<RuntimeStore> = Arc::clone(&registry);
        let ready_clone: Arc<Barrier> = Arc::clone(&ready);
        let stop_clone: Arc<AtomicBool> = Arc::clone(&stop);
        let counter: Arc<AtomicUsize> = Arc::clone(&resolve_count);
        resolver_handles.push(std::thread::spawn(move || {
            ready_clone.wait();
            while !stop_clone.load(Ordering::Relaxed) {
                // Pin the epoch across find→resolve→deref so a resolved interface
                // stays alive across the deref even as writers invalidate and
                // re-register concurrently — the superseded interface is
                // epoch-reclaimed only after every pinned reader has unpinned.
                let _epoch_guard: crossbeam_epoch::Guard = crossbeam_epoch::pin();
                if let Ok(found) =
                    reg.find_guest_contract(GuestContractId::from_u64(MW_CONTRACT_ID), 0_u32)
                    && let Ok(interface_ptr) = reg.resolve_guest_contract(found)
                {
                    // SAFETY: the epoch guard pinned above keeps the resolved
                    // interface alive across this deref despite concurrent churn.
                    let contract_id: GuestContractId = unsafe { (*interface_ptr).contract_id };
                    assert_eq!(
                        contract_id.id(),
                        MW_CONTRACT_ID,
                        "a resolved interface must always be the churned contract, never torn"
                    );
                    counter.fetch_add(1_usize, Ordering::Relaxed);
                }
            }
        }));
    }

    for handle in writer_handles {
        handle.join().expect("writer thread must not panic");
    }
    stop.store(true, Ordering::Relaxed);
    for handle in resolver_handles {
        handle.join().expect("resolver thread must not panic");
    }

    // After the churn, drive the bundle to a known-present state and assert it
    // resolves — the multi-writer race must leave the registry consistent.
    let _: Result<u32, RegistryError> =
        registry.invalidate_bundle(BundleId::from_u64(MW_BUNDLE_ID));
    // SAFETY: INTERFACE_MW is 'static, valid for the test lifetime.
    unsafe {
        registry
            .register_guest_contract(
                make_descriptor("mw_plugin", "mw.contract"),
                &INTERFACE_MW,
                "mw.contract".to_owned(),
                BundleId::from_u64(MW_BUNDLE_ID),
            )
            .expect("final re-register must succeed");
    }
    assert!(
        registry
            .find_guest_contract(GuestContractId::from_u64(MW_CONTRACT_ID), 0_u32)
            .is_ok(),
        "contract must resolve after multi-writer churn settles"
    );
}