Fix soundness issue in scoped threads. #94644
Conversation
m-ou-se
added
A-runtime
rustbot
added
the
I-prioritize
|
r? @kennytm (rust-highfive has picked a reviewer for you, use r? to override) |
rust-highfive
added
the
S-waiting-on-review
m-ou-se
removed
the
I-prioritize
library/std/src/thread/mod.rs
Outdated
| // This is only relevant for threads that aren't join()ed, as | ||
| // join() will take the `result` and set it to None, such that | ||
| // there is nothing left to drop here. | ||
| // If this drop panics, that just results in an abort, because |
There was a problem hiding this comment.
Reading just this comment in isolation, I feel like it is dangerous to assume that all unwinding implementations would abort in absence of landing pads on the stack. I suspect there won't be any documented mandate for this sort of behavior anywhere.
There was a problem hiding this comment.
Maybe, but then that's a larger problem that Rust's regular threads (through std::thread::spawn) also have (and had, since like forever).
There was a problem hiding this comment.
It's easy to fix it for both cases by adding a catch_unwind and abort here though. I'll do that in a second commit.
There was a problem hiding this comment.
Added a second commit that fixes that issue for both scoped and regular threads. It now explicitly calls rtabort!() when dropping the thread result panics.
There was a problem hiding this comment.
(cc rust-lang/lang-team#97, which would make this a non-issue.)
|
I wonder if there's any way to write a regression test here. I think comparing drop order between data captured by the scope and the data that refers to this captured data shouldn't he too difficult. Something like this perhaps? struct MustDropFirst;
struct MustDropSecond<'scope>(&'scope MustDropFirst);
impl Drop for MustDropFirst { /* checks drop order between the two types */ }
impl Drop for MustDropSecond { /* checks drop order between the two types */ }
fn main() {
let data = MustDropFirst;
let r = &data;
scope(|s| {
s.spawn(move || {
MustDropSecond(r);
});
});
}The implementation LGTM either way, though. |
It's a bit tricky, because the bug doesn't mean it gets ordered in the opposite direction, but that there's no guarantee how it gets ordered. In practice, without sleeping or a significant amount of work, the thread most likely finishes dropping the result before the main thread wakes up, making the bug invisible. It's somewhat easy to test this with sleeping, but I'm not sure it's a great idea to have a unit test that sleeps. |
m-ou-se
force-pushed
the
scoped-threads-drop-soundness
branch
from
18f5719
to
b97d875
Compare
|
@nagisa I've added a test. (And verified it fails without the changes in this PR.) |
|
@bors r+ |
|
📌 Commit b97d875 has been approved by |
bors
added
S-waiting-on-bors
|
⌛ Testing commit b97d875 with merge a301059c353dee85b3a3e52923c8094a9d7a02d1... |
|
💔 Test failed - checks-actions |
bors
added
S-waiting-on-review
bors
added
S-waiting-on-bors
…ss, r=joshtriplett Fix soundness issue in scoped threads. This was discovered in rust-lang#94559 (comment) The `scope()` function returns when all threads are finished, but I accidentally considered a thread 'finished' before dropping their panic payload or ignored return value. So if a thread returned (or panics with) something that in its `Drop` implementation still uses borrowed stuff, it goes wrong. https://play.rust-lang.org/?version=nightly&mode=debug&edition=2021&gist=2a1f19ac4676cdabe43e24e536ff9358
|
The job Click to see the possible cause of the failure (guessed by this bot) |
|
@bors retry |
…ss, r=joshtriplett Fix soundness issue in scoped threads. This was discovered in rust-lang#94559 (comment) The `scope()` function returns when all threads are finished, but I accidentally considered a thread 'finished' before dropping their panic payload or ignored return value. So if a thread returned (or panics with) something that in its `Drop` implementation still uses borrowed stuff, it goes wrong. https://play.rust-lang.org/?version=nightly&mode=debug&edition=2021&gist=2a1f19ac4676cdabe43e24e536ff9358
…ss, r=joshtriplett Fix soundness issue in scoped threads. This was discovered in rust-lang#94559 (comment) The `scope()` function returns when all threads are finished, but I accidentally considered a thread 'finished' before dropping their panic payload or ignored return value. So if a thread returned (or panics with) something that in its `Drop` implementation still uses borrowed stuff, it goes wrong. https://play.rust-lang.org/?version=nightly&mode=debug&edition=2021&gist=2a1f19ac4676cdabe43e24e536ff9358
…askrgr Rollup of 8 pull requests Successful merges: - rust-lang#94440 (Better error for normalization errors from parent crates that use `#![feature(generic_const_exprs)]`) - rust-lang#94587 (Document new recommended use of `FromIterator::from_iter`) - rust-lang#94644 (Fix soundness issue in scoped threads.) - rust-lang#94740 (Unify impl blocks by wrapping them into a div) - rust-lang#94753 (Improve rustdoc book) - rust-lang#94796 (Allow `cargo run` instead of `cargo run -p bootstrap`) - rust-lang#94805 (Revert accidental stabilization) - rust-lang#94809 (RustWrapper: add missing include) Failed merges: r? `@ghost` `@rustbot` modify labels: rollup
This was discovered in #94559 (comment)
The
scope()function returns when all threads are finished, but I accidentally considered a thread 'finished' before dropping their panic payload or ignored return value.So if a thread returned (or panics with) something that in its
Dropimplementation still uses borrowed stuff, it goes wrong.https://play.rust-lang.org/?version=nightly&mode=debug&edition=2021&gist=2a1f19ac4676cdabe43e24e536ff9358