-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
std::thread::JoinGuard (and scoped) are unsound because of reference cycles #24292
Comments
Seems pretty bad, nominating. |
Sigh. Good point! This seems very similar to the dropck rules, I suspect we can address it in a similar fashion to how we addressed cc @pnkfelix UPDATE: Spelled out what I meant a bit more. |
I don't think this is so bad, because I can't really think of this happening accidentally. I think the best way to fix this would be to add a |
triage: P-backcompat-libs (1.0) I definitely think we need to address this for 1.0. I'm still not sure the best way to do it. |
Issue rust-lang#24292 demonstrates that the `scoped` API as currently offered can be memory-unsafe: the `JoinGuard` can be moved into a context that will fail to execute destructors prior to the stack frame being popped (for example, by creating an `Rc` cycle). This commit reverts the APIs to `unstable` status while a long-term solution is worked out. (There are several possible ways to address this issue; it's not a fundamental problem with the `scoped` idea, but rather an indication that Rust doesn't currently provide a good way to ensure that destructors are run within a particular stack frame.)
Issue rust-lang#24292 demonstrates that the `scoped` API as currently offered can be memory-unsafe: the `JoinGuard` can be moved into a context that will fail to execute destructors prior to the stack frame being popped (for example, by creating an `Rc` cycle). This commit reverts the APIs to `unstable` status while a long-term solution is worked out. (There are several possible ways to address this issue; it's not a fundamental problem with the `scoped` idea, but rather an indication that Rust doesn't currently provide a good way to ensure that destructors are run within a particular stack frame.) [breaking-change]
From a pragmatic perspective, I like the idea of |
This doesn't seem like innate unsoundness so much as a way to turn one form of unsoundness (the ability to cause a leak) into a worse form of unsoundness (the ability to cause a crash). Have there been any previous efforts to eliminate the uncollectability of reference cycles? |
@joshtriplett raw memory leaks explicitly do not qualify as unsound, or at least, "unsafe", under Rust's use of the term, as explicitly discussed here: http://doc.rust-lang.org/1.0.0-beta/reference.html#behaviour-not-considered-unsafe There is further detailed discussion on an internals thread here: http://internals.rust-lang.org/t/are-memory-leaks-considered-to-violate-memory-safety/1674 I point this out merely to establish that is not a gradient; it is a firm boolean condition, marking a line beyond which one risks undefined behavior. In any case, a garbage collector is part of our future goals for Rust. That, when used, will allow cycles using |
@reem and @nikomatsakis proposed different solutions for solving this on IRC @reem's solution: make @nikomatsakis's solution: create a new |
I changed my mind about the "make |
Note that a hypothetical |
@reem (well there might be some other bound we come up with in the future that is more flexible than |
Well making I think we do want to introduce |
After thinking about this for a bit, I think that dealing with
Each of these can definitely be classified as a bug in its own right, but it goes to show that a targeted solution at |
Yeah I'm a bit confused that std::thread::JoinGuard is getting the blame here. It seems to me that the real problem is that Rc+RefCell enables writing mem::forget in safe code: fn safe_forget<T>(data: T) {
use std::rc::Rc;
use std::cell::RefCell;
struct Leak<T> {
cycle: RefCell<Option<Rc<Rc<Leak<T>>>>>,
data: T,
}
let e = Rc::new(Leak {
cycle: RefCell::new(None),
data: data,
});
*e.cycle.borrow_mut() = Some(Rc::new(e.clone())); // Create a cycle
}
fn main() {
struct Foo<'a>(&'a mut i32);
impl<'a> Drop for Foo<'a> {
fn drop(&mut self) {
*self.0 += 1;
}
}
let mut data = 0;
{
let foo = Foo(&mut data);
safe_forget(foo);
}
data += 1; // super make sure there's no outstanding borrows
println!("{:?}", data); // prints 1, should print 2
} Planned features like |
Crate crossbeam implements scoped threads. |
This converts `map`, `unordered_map`, `Pool::map` and `Pool::unordered_map` to take a `crossbeam::Scope` argument, instead of using the API of the old `thread::scoped` to return a guard (where the destructor was required to run to ensure safety, something not guaranteed). See rust-lang/rust#24292 for more discussion of the issues with that API.
Guys, do you realise how ridiculous this looks? Let's see: "Hi, I read about this amazing scoped threads feature in Rust, but... I can't actually find it? What's the deal?" "Oh, that... The thing is... [wiggle squirm] We actually dropped it like half a year ago... But it's just temporary! We have ideas for a replacement! In fact, if you spend half a day wading through discussions on issues and pull requests, perhaps you will ultimately stumble upon a crate far away called Crossbeam that indeed implements a viable replacement, stuffed in along with various other experimental features... And surely something along these lines will someday somehow end up in the standard library again in some form (even though nothing actually seems to be happening regarding that right now)... So you see, it's all temporary! No need to even mention it in existing literature!" "Riiiiiight.... [slowly backing away] You know, I think I'll actually look for some other language... But you kids keep having fun!" |
You don't need crossbeam. This is an old thread, the state of scoped threads has moved past this since then. https://crates.io/crates/scoped_threadpool gives you the functionality. That's it. It's in an external crate which works and is sound, there's no pressing need to include it in the standard library. |
@antrik please try to be a bit more substantial and less sarcastic with your criticism. This kind of comment isn't particularly welcome here. |
Pools are nice; yet crossbeam::Scope seems a more straightforward replacement for the old functionality?... Anyway, debating this actually serves to demonstrate the existing confusion and lack of communication regarding this situation; creating an unacceptable story for any newcomer. thread::scoped() is prominently featured in a major piece of Rust advocacy (the mentioned blog post), without any hint that it's gone, or where to look for replacements; nor am I aware of any other clear communication regarding this, that people looking for thread::scoped() are likely to find -- and nobody seems to be willing to even acknowledge that there is a communication problem... If my post wasn't substantial in illustrating how this feels to people outside the bubble, I really don't know what would be. |
Sure, that's a straightforward thing to propose. You could have just done that. Your initial comment didn't complain about the communication error, it just ranted unconstructively without anything really helpful. @alexcrichton could you update the blog post with a note about scoped threads being moved out of the standard library to scoped_threadpool and Crossbeam? |
Thanks. I was frustrated that the last person who suggested updating the post was brushed off, so I tried to illustrate why this is serious problem... Sorry that I failed to make my motivation clear. Note though that updating this blog post only solves part of the problem. The Why Rust? "report" for example only vaguely hints at changes; and there might be other mentions out there as well -- so it would be helpful to have some kind of "landing page" for people looking for thread::scoped(). (Ideally right in the standard library documentation where it used to live -- though I guess that might be technically impossible after it has been dropped for good?...) |
We could add a dummy documentation page or something. Or just add a note in the thread module. Not sure what to do in this case, @steveklabnik As for Why Rust I think the author was informed about this later, not sure if he changed anything. |
I'm not aware of anyone being brushed off, but I think editing the post is a great idea. Merged. I wouldn't be a fan of adding dummy doc pages. Sent from my iPhone
|
I'll update the Why Rust? report. (I used both scoped_threadpool and crossbeam::scope in my presentation at OSCON Amsterdam last week; they're great.) (In the future, please feel free to contact me directly about these things, rather than just mention me obliquely!) |
You can use a reference cycle to leak a
JoinGuard
and then the scoped thread can access freed memory:The text was updated successfully, but these errors were encountered: