Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

data-race safety #4

Closed
danburkert opened this issue Jul 15, 2015 · 4 comments
Closed

data-race safety #4

danburkert opened this issue Jul 15, 2015 · 4 comments

Comments

@danburkert
Copy link
Owner

The API exposed by Mmap is not data-race free. For example, if two processes or threads mmap the same file and proceed to read and write, the assumptions Rust makes about &mut [u8] are broken, and the behavior is undefined. It is probably impossible to statically verify that mmap usage is data-race free, however it is against all Rust conventions to expose an API not marked unsafe which can trigger undefined behavior.

Open questions:

  • What is the best way to limit the potential unsafety?
  • Are data races confined to just shared mmaps, or do anonymous maps expose data races?
  • What API changes should be made?
@xrl
Copy link

xrl commented Aug 3, 2015

What assumptions are broken? Seems fine to me. The mmaps of the same file have different lifetimes and the underlying semantics of how a mmap work are left to the user to consider.

@tomjakubowski
Copy link

What assumptions are broken? Seems fine to me. The mmaps of the same file have different lifetimes and the underlying semantics of how a mmap work are left to the user to consider.

The compiler assumes that data behind a &T, where T does not contain UnsafeCell, will not be changed for the lifetime of the reference. It also assumes that a &mut T has exclusive access to its memory. If either of these assumptions are violated, then your program has undefined behavior.

Are data races confined to just shared mmaps, or do anonymous maps expose data races?

A child process can observe writes to shared, anonymous mmaps created by its parent, so I suspect that sticking to anonymous maps isn't sufficient. Maybe anonymous, private mmaps are free from data races.

@danburkert danburkert mentioned this issue Aug 10, 2015
Closed
@danburkert
Copy link
Owner Author

@tomjakubowski is exactly right. My current plan is to remove the Deref and DerefMut impls on Mmap and replace it with a pair of methods:

unsafe fn as_slice(&self) -> &[u8];
unsafe fn as_mut_slice(&mut self) -> &[u8];

Additionally, I would like to add support for file locks (even if it is only advisory on POSIX systems) in order to have a runtime check of safety.

@danburkert danburkert mentioned this issue Aug 10, 2015
Closed
danburkert added a commit that referenced this issue Aug 10, 2015
@danburkert
make Mmap slice operations unsafe
10b7773 
cc #4
@danburkert danburkert mentioned this issue Aug 10, 2015
Merged
@danburkert
Copy link
Owner Author

I think this issue is fixed. The state of the world is: accessing memory from a Mmap requires an unsafe block, with the invariants clearly marked on the slicing methods (users should ensure that other processes or views are not accessing the memory concurrently). I'm going to punt on file locks, since that is outside the scope of this crate. If someone comes up with a good cross-platform flock interface, this could be used along with the Mmap constructors that take a File for additional runtime safety.

@BurntSushi BurntSushi mentioned this issue Nov 7, 2016
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@danburkert @tomjakubowski @xrl