Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Likely undefined behavior in PanickingAllocator #294

Open
jgallagher opened this issue Nov 1, 2021 · 6 comments
Open

Likely undefined behavior in PanickingAllocator #294

jgallagher opened this issue Nov 1, 2021 · 6 comments
Assignees
@JLockerman
Labels
bug Something isn't working

Comments

@jgallagher
Copy link

Apologies for the out-of-the-blue random bug report, but I've been interested in Rust OOM behavior for a while and ran across #285. I believe this introduces undefined behavior per the docs of GlobalAlloc:

The GlobalAlloc trait is an unsafe trait for a number of reasons, and implementors must ensure that they adhere to these contracts:

  • It’s undefined behavior if global allocators unwind. This restriction may be lifted in the future, but currently a panic from any of these functions may lead to memory unsafety.
    ...

The last time I experimented with panicking allocators, the effect was that many (but not all!) Drop implementations did not run during the stack unwind. There is also a more general and pernicious issue that existing unsafe code (including potentially in the Rust std lib) is not exception safe across allocation attempts; even if relevant drops are run, such code may introduce memory unsafety if unwound.
@jgallagher jgallagher added the bug Something isn't working label Nov 1, 2021
@JLockerman JLockerman self-assigned this Nov 3, 2021
@JLockerman
Copy link
Contributor

@jgallagher We really appreciate any comments! Especially for tricky code like this 😊

I had (incorrectly) thought that the nounwind marker on the allocator code had been removed in anticipation of oom=panic but this is not the case. Looks like we'll have to revert, and wait until the real version is more baked.

@JLockerman
Copy link
Contributor

Thank you for pointing this out!

@jgallagher
Copy link
Author

jgallagher commented Nov 3, 2021
edited
Loading

Sure thing; thanks for the gracious followup! :) FWIW in my case I ended up using fallible-collections and changing every call site that could allocate to use checked versions of methods, but it's not something I can really recommend:

a) AFAIK there's no good way to make sure you caught all allocation points
b) you still have to do something if allocation fails; obvious options are to move the errors into the API or to panic (except panicking itself allocates memory ☹️) - neither of these seem great
c) there are some gotchas with fallible-colllections's implementation of the RFC (e.g., vcombey/fallible_collections#22)

All in all a pretty unsatisfying solution. I'm anxiously awaiting oom=panic, personally 🤷‍♂️

@JLockerman
Copy link
Contributor

The oom=panic PR was recently merged.

@jfjoly
Copy link

jfjoly commented May 25, 2022

Waiting on upstream changes in rust

@JLockerman
Copy link
Contributor

The unstable flag was merged as mentioned above, it's released unstably as of 1.6.1, but is not yet stable (tracking issue) we can either wait until it hits stable, or switch to a nightly version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@JLockerman JLockerman

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jgallagher @jfjoly @JLockerman