-
Notifications
You must be signed in to change notification settings - Fork 453
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #9117 from benesch/stack-guards
sql: avoid stack overflow on deeply nested ASTs
- Loading branch information
Showing
9 changed files
with
288 additions
and
69 deletions.
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,204 @@ | ||
| // Copyright Materialize, Inc. and contributors. All rights reserved. | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License in the LICENSE file at the | ||
| // root of this repository, or online at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| //! Stack management utilities. | ||
|
|
||
| use std::cell::RefCell; | ||
| use std::error::Error; | ||
| use std::fmt; | ||
|
|
||
| /// The red zone is the amount of stack space that must be available on the | ||
| /// current stack in order for [`maybe_grow`] to call the supplied closure | ||
| /// without allocating a new stack. | ||
| pub const STACK_RED_ZONE: usize = 32 << 10; // 32KiB | ||
|
|
||
| /// The size of any freshly allocated stacks. It was chosen to match the | ||
| /// default stack size for threads in Rust. | ||
| pub const STACK_SIZE: usize = 2 << 20; // 2MiB | ||
|
|
||
| /// Grows the stack if necessary before invoking `f`. | ||
| /// | ||
| /// This function is intended to be called at manually instrumented points in a | ||
| /// program where arbitrarily deep recursion is known to happen. This function | ||
| /// will check to see if it is within `STACK_RED_ZONE` bytes of the end of the | ||
| /// stack, and if so it will allocate a new stack of at least `STACK_SIZE` | ||
| /// bytes. | ||
| /// | ||
| /// The closure `f` is guaranteed to run on a stack with at least | ||
| /// `STACK_RED_ZONE` bytes, and it will be run on the current stack if there's | ||
| /// space available. | ||
| /// | ||
| /// It is generally better to use [`CheckedRecursion`] to enforce a limit on the | ||
| /// stack growth. Not all recursive code paths support returning errors, | ||
| /// however, in which case unconditionally growing the stack with this function | ||
| /// is still preferable to panicking. | ||
| pub fn maybe_grow<F, R>(f: F) -> R | ||
| where | ||
| F: FnOnce() -> R, | ||
| { | ||
| stacker::maybe_grow(STACK_RED_ZONE, STACK_SIZE, || f()) | ||
| } | ||
|
|
||
| /// A trait for types which support bounded recursion to prevent stack overflow. | ||
| /// | ||
| /// The rather odd design of this trait allows checked recursion to be added to | ||
| /// existing mutually recursive functions without threading an explicit `depth: | ||
| /// &mut usize` parameter through each function. As long as there is an | ||
| /// existing context structure, or if the mutually recursive functions are | ||
| /// methods on a context structure, the [`RecursionGuard`] can be embedded | ||
| /// inside this existing structure. | ||
| /// | ||
| /// # Examples | ||
| /// | ||
| /// Consider a simple expression evaluator: | ||
| /// | ||
| /// ``` | ||
| /// # use std::collections::HashMap; | ||
| /// | ||
| /// enum Expr { | ||
| /// Var { name: String }, | ||
| /// Add { left: Box<Expr>, right: Box<Expr> }, | ||
| /// } | ||
| /// | ||
| /// struct Evaluator { | ||
| /// vars: HashMap<String, i64>, | ||
| /// } | ||
| /// | ||
| /// impl Evaluator { | ||
| /// fn eval(&mut self, expr: &Expr) -> i64 { | ||
| /// match expr { | ||
| /// Expr::Var { name } => self.vars[name], | ||
| /// Expr::Add { left, right } => self.eval(left) + self.eval(right), | ||
| /// } | ||
| /// } | ||
| /// } | ||
| /// ``` | ||
| /// | ||
| /// Calling `eval` could overflow the stack and crash with a sufficiently large | ||
| /// `expr`. This is the situation `CheckedRecursion` is designed to solve, like | ||
| /// so: | ||
| /// | ||
| /// ``` | ||
| /// # use std::collections::HashMap; | ||
| /// # enum Expr { | ||
| /// # Var { name: String }, | ||
| /// # Add { left: Box<Expr>, right: Box<Expr> }, | ||
| /// # } | ||
| /// use ore::stack::{CheckedRecursion, RecursionGuard, RecursionLimitError}; | ||
| /// | ||
| /// struct Evaluator { | ||
| /// vars: HashMap<String, i64>, | ||
| /// recursion_guard: RecursionGuard, | ||
| /// } | ||
| /// | ||
| /// impl Evaluator { | ||
| /// fn eval(&mut self, expr: &Expr) -> Result<i64, RecursionLimitError> { | ||
| /// // ADDED: call to `self.checked_recur`. | ||
| /// self.checked_recur_mut(|e| match expr { | ||
| /// Expr::Var { name } => Ok(e.vars[name]), | ||
| /// Expr::Add { left, right } => Ok(e.eval(left)? + e.eval(right)?), | ||
| /// }) | ||
| /// } | ||
| /// } | ||
| /// | ||
| /// impl CheckedRecursion for Evaluator { | ||
| /// fn recursion_guard(&self) -> &RecursionGuard { | ||
| /// &self.recursion_guard | ||
| /// } | ||
| /// } | ||
| /// ``` | ||
| pub trait CheckedRecursion { | ||
| /// Extracts a reference to the recursion guard embedded within the type. | ||
| fn recursion_guard(&self) -> &RecursionGuard; | ||
|
|
||
| /// Checks whether it is safe to recur and calls `f` if so. | ||
| /// | ||
| /// If the recursion limit for the recursion guard returned by | ||
| /// [`CheckedRecursion::recursion_guard`] has been reached, returns a | ||
| /// `RecursionLimitError`. Otherwise, it will call `f`, possibly growing the | ||
| /// stack if necessary. | ||
| /// | ||
| /// Calls to this function must be manually inserted at any point that | ||
| /// mutual recursion occurs. | ||
| fn checked_recur<F, T, E>(&self, f: F) -> Result<T, E> | ||
| where | ||
| F: FnOnce(&Self) -> Result<T, E>, | ||
| E: From<RecursionLimitError>, | ||
| { | ||
| self.recursion_guard().descend()?; | ||
| let out = maybe_grow(|| f(self)); | ||
| self.recursion_guard().ascend(); | ||
| out | ||
| } | ||
|
|
||
| /// Like [`CheckedRecursion::checked_recur`], but operates on a mutable | ||
| /// reference to `Self`. | ||
| fn checked_recur_mut<F, T, E>(&mut self, f: F) -> Result<T, E> | ||
| where | ||
| F: FnOnce(&mut Self) -> Result<T, E>, | ||
| E: From<RecursionLimitError>, | ||
| { | ||
| self.recursion_guard().descend()?; | ||
| let out = maybe_grow(|| f(self)); | ||
| self.recursion_guard().ascend(); | ||
| out | ||
| } | ||
| } | ||
|
|
||
| /// Tracks recursion depth. | ||
| /// | ||
| /// See the [`CheckedRecursion`] trait for usage instructions. | ||
| #[derive(Default, Debug, Clone)] | ||
| pub struct RecursionGuard { | ||
| depth: RefCell<usize>, | ||
| limit: usize, | ||
| } | ||
|
|
||
| impl RecursionGuard { | ||
| /// Constructs a new recursion guard with the specified recursion | ||
| /// limit. | ||
| pub fn with_limit(limit: usize) -> RecursionGuard { | ||
| RecursionGuard { | ||
| depth: RefCell::new(0), | ||
| limit, | ||
| } | ||
| } | ||
|
|
||
| fn descend(&self) -> Result<(), RecursionLimitError> { | ||
| let mut depth = self.depth.borrow_mut(); | ||
| if *depth < self.limit { | ||
| *depth += 1; | ||
| Ok(()) | ||
| } else { | ||
| Err(RecursionLimitError) | ||
| } | ||
| } | ||
|
|
||
| fn ascend(&self) { | ||
| *self.depth.borrow_mut() -= 1; | ||
| } | ||
| } | ||
|
|
||
| /// A [`RecursionGuard`]'s recursion limit was reached. | ||
| #[derive(Clone, Debug)] | ||
| pub struct RecursionLimitError; | ||
|
|
||
| impl fmt::Display for RecursionLimitError { | ||
| fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { | ||
| f.write_str("recursion limit exceeded") | ||
| } | ||
| } | ||
|
|
||
| impl Error for RecursionLimitError {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.