Abort a process when FD ownership is violated #124210
Conversation
When an EBADF happens, then something else already touched an FD in ways it is not allowed to. At that point things can already be arbitrarily bad, e.g. clobbered mmaps. Recovery is not possible. All we can do is hasten the fire.
r? libs
That comment seems outdated now? At least, this is using the
@bors r+
… r=Mark-Simulacrum Abort a process when FD ownership is violated When an owned FD has already been closed before it's dropped that means something else touched an FD in ways it is not allowed to. At that point things can already be arbitrarily bad, e.g. clobbered mmaps. Recovery is not possible. All we can do is hasten the fire. Unlike the previous attempt in rust-lang#124130 this shouldn't suffer from the possibility that FUSE filesystems can return arbitrary errors.
…iaskrgr Rollup of 7 pull requests Successful merges: - rust-lang#123942 (`x vendor`) - rust-lang#124165 (add test for incremental ICE: slice-pattern-const.rs rust-lang#83085) - rust-lang#124210 (Abort a process when FD ownership is violated) - rust-lang#124242 (bootstrap: Describe build_steps modules) - rust-lang#124406 (Remove unused `[patch]` for clippy_lints) - rust-lang#124429 (bootstrap: Document `struct Builder` and its fields) - rust-lang#124447 (Unconditionally call `really_init` on GNU/Linux) r? `@ghost` `@rustbot` modify labels: rollup
Died in rollup: #124452 (comment) @bors r-
uses the same machinery as assert_unsafe_precondition
I suppose it would be in the standard library.
The problem only arises under miri because otherwise we're using a standard library compiled without debug assertions. After thinking about this for a while our use case is sufficiently niche that doing anything about it in the standard library or Miri doesn't make sense. Thanks for humoring me!
This check is based on
huh?
rust/library/std/src/sys/pal/unix/fs.rs, line 845 in a8773d5
rust/library/core/src/ub_checks.rs, line 86 in a8773d5
rust/library/core/src/intrinsics.rs, lines 2721 to 2723 in a8773d5
what am I missing?
You're missing the line you cut off here:
rust/library/core/src/intrinsics.rs, lines 2720 to 2723 in a8773d5
This is an intrinsic, the body is just the fallback when codegen backends don't overwrite it. Our backends do overwrite it, using the value of
Oh, this probably is not specific to miri - it's just that we use nightly to run miri and stable otherwise, and this change hasn't yet hit stable. Does that sound right to you?
The need for this type isn't specific to Miri; it is necessary on toolchains containing rust-lang/rust#124210 - it just so happens that today this is nightly only, and so is Miri.
The first work on This PR of course won't be on stable until 1.80 releases. Each PR is automatically attached to a GitHub milestone so you can see when it will hit stable.
Fix HorizonOS build broken by rust-lang#124210 HorizonOS (for the Tier-3 target `armv6k-nintendo-3ds`) does not support `dirfd()`, as many other similar targets.
…iaskrgr Rollup of 6 pull requests Successful merges: - rust-lang#124461 (handle the targets that are missing in stage0) - rust-lang#124492 (Generalize `adjust_from_tcx` for `Allocation`) - rust-lang#124588 (Use `ObligationCtxt` in favor of `TraitEngine` in many more places) - rust-lang#124612 (Add support for inputing via stdin with run-make-support) - rust-lang#124613 (Allow fmt to run on rmake.rs test files) - rust-lang#124649 (Fix HorizonOS build broken by rust-lang#124210) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#124649 - Meziu:master, r=ChrisDenton Fix HorizonOS build broken by rust-lang#124210 HorizonOS (for the Tier-3 target `armv6k-nintendo-3ds`) does not support `dirfd()`, as many other similar targets.
Rust 1.80 contains rust-lang/rust#124210, causing tests which we skip under miri to segfault.
When an owned FD has already been closed before it's dropped that means something else touched an FD in ways it is not allowed to. At that point things can already be arbitrarily bad, e.g. clobbered mmaps. Recovery is not possible.
All we can do is hasten the fire.
Unlike the previous attempt in #124130 this shouldn't suffer from the possibility that FUSE filesystems can return arbitrary errors.
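The description above is the whole security argument of this PR: once an `OwnedFd`'s descriptor has been closed by someone else, the number may already belong to a different file, so the owner's eventual `close()` is a use-after-close on the kernel's FD table and the only safe response is to abort. The following is an added example, written for this page and not code from rust-lang/rust, that reproduces that violation with std types only and shows the `fcntl(F_GETFD)` probe that, to the best of my knowledge, the std check in `sys/pal/unix/fs.rs` is built on. It assumes a Unix target where `F_GETFD` is 1 and `EBADF` is 9 (true on Linux, macOS and the BSDs), that `/dev/null` can be opened, and that no other thread opens descriptors while it runs. The stale owners are deliberately leaked with `into_raw_fd()` instead of dropped, because dropping them is exactly the double close that a build with debug assertions on Rust 1.80 and later can abort on, as the downstream reports of "tests which we skip under miri" now dying describe.

```rust
// Added example (not code from rust-lang/rust): reproducing the I/O-safety
// violation that rust-lang/rust#124210 turns into an abort, and the
// fcntl(F_GETFD) probe such a check is built on. Assumes a Unix target; the
// constant values below are those of Linux, macOS and the BSDs.
use std::fs::File;
use std::io;
use std::os::fd::{AsRawFd, FromRawFd, IntoRawFd, OwnedFd, RawFd};

// Declared by hand so the example needs no external crate.
unsafe extern "C" {
    fn fcntl(fd: i32, cmd: i32, ...) -> i32;
}
const F_GETFD: i32 = 1; // query descriptor flags; never modifies or closes fd
const EBADF: i32 = 9; // "Bad file descriptor": the number is not open

/// Is `fd` currently open in this process? F_GETFD on a closed number fails
/// with EBADF; on an open number it succeeds. Any other failure (e.g. EINTR)
/// still means the descriptor exists, so only EBADF counts as "closed".
pub fn fd_is_open(fd: RawFd) -> bool {
    // SAFETY: F_GETFD is a pure query with no side effects on the descriptor.
    let rc = unsafe { fcntl(fd, F_GETFD) };
    if rc != -1 {
        return true;
    }
    io::Error::last_os_error().raw_os_error() != Some(EBADF)
}

/// The situation the PR describes: an OwnedFd whose descriptor someone else
/// closed. Returns (fd number, open before the foreign close, open after).
/// The stale owner is leaked with into_raw_fd() rather than dropped, because
/// dropping it is the double close that std 1.80+ can abort on in a build
/// with debug assertions.
pub fn closed_behind_owners_back() -> (RawFd, bool, bool) {
    let owner: OwnedFd = File::open("/dev/null").expect("open /dev/null").into();
    let fd = owner.as_raw_fd();
    let before = fd_is_open(fd);
    // The ownership violation: a second OwnedFd is conjured from a raw fd that
    // is still owned elsewhere, and its drop closes it out from under `owner`.
    drop(unsafe { OwnedFd::from_raw_fd(fd) });
    let after = fd_is_open(fd);
    let _leaked = owner.into_raw_fd();
    (fd, before, after)
}

/// Why "recovery is not possible": POSIX open() returns the lowest free
/// number, so once the stale owner's fd has been closed the next open() in
/// the process receives the same number. A close() by the stale owner would
/// now land on a file it never owned, and because the number is open again
/// the F_GETFD check cannot catch this case either. Returns (stale fd number,
/// number the newcomer received); both owners are leaked so neither close()
/// hits the other's file.
pub fn stale_fd_gets_reused() -> (RawFd, RawFd) {
    let stale: OwnedFd = File::open("/dev/null").expect("open /dev/null").into();
    let fd = stale.as_raw_fd();
    drop(unsafe { OwnedFd::from_raw_fd(fd) }); // foreign close, as above
    let newcomer = File::open("/dev/null").expect("open /dev/null");
    let new_fd = newcomer.as_raw_fd();
    let _ = stale.into_raw_fd();
    let _ = newcomer.into_raw_fd();
    (fd, new_fd)
}

fn main() {
    let (fd, before, after) = closed_behind_owners_back();
    println!("fd {fd}: open before foreign close = {before}, after = {after}");
    let (stale, reused) = stale_fd_gets_reused();
    println!("stale fd {stale} was handed out again as fd {reused}");
}
```

The second function is the caveat worth keeping in mind when reading this PR: the abort only fires while the number is still closed. If the descriptor has already been recycled by the time the stale owner drops, `fcntl` succeeds, `close()` silently destroys someone else's file (or, as the description says, the backing of someone else's mmap), and no runtime check at the drop site can tell. The check hastens the fire; it does not put it out.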