Unbounded callback lifetimes cause rlua to be unsound

[kyren]

I'm going to write a very long explanation of this bug, because the root issue here is something that has come up again and again, and I need to document exactly what's going on.

tl;dr I might have an easy fix, but the internal types for callbacks inside rlua are problematic and they probably should change before 1.0. (Edit: I don't have an easy fix D:)

So, the internal type of callbacks in rlua is (basically) this:

type Callback<'cb> = Box<Fn(&'cb Lua, MultiValue<'cb>) -> Result<MultiValue<'cb> + Send>

There are a few different ways to create rust callbacks in rlua, but all of the APIs are basically variations on Lua::create_function:

pub fn create_function<'lua, 'cb, A, R, F>(&'lua self, f: F) -> Result<Function<'lua>>
where
    A: FromLuaMulti<'cb>,
    R: ToLuaMulti<'cb>,
    F: Fn(&'cb Lua, A) -> Result<R> + 'static + Send,

These functions take an F and produce the internal Callback type, which is then later used to create a Lua callback with lua_pushcclosure, but that part isn't terribly important. What is important here is the 'cb lifetime: all of the APIs that look like this have the 'cb lifetime as an unbounded user chosen lifetime, and this is deeply, deeply wrong. This has always been wrong, and this has been wrong since the very first versions of this crate.

Here's what the type of the internal callback should be:

type Callback = Box<for<'cb> Fn(&'cb Lua, MultiValue<'cb>) -> Result<MultiValue<'cb>> + Send>

which is to say that the internal callback should be a function that given any 'lua lifetime, it can take a Lua ref and arguments with the same 'lua lifetime and produce results with that same 'lua lifetime. This is the actual, logical requirement that we want to express on the callback, and though we can make this type just fine, problems start when we want to make our callback API. Let's see how we might change our create_function type to allow for the correct callback type:

pub fn create_function<'lua, A, R, F>(&'lua self, f: F) -> Result<Function<'lua>>
where
    A: for<'cb> FromLuaMulti<'cb>,
    R: for<'cb> ToLuaMulti<'cb>,
    F: for<'cb> Fn(&'cb Lua, A) -> Result<R> + 'static + Send,

Except, this will never work, because we have three separate for<'cb> HRTBs and there is no way to tell the rust compiler that we need to universally quantify all three trait bounds over a single lifetime.

What's especially frustrating is that it's actually totally possible to write the code that produces the correct callback type, but it's not currently possible to put that code into a function and name its type signature; observe.

You can see me struggling with this problem in a very old reddit post here. To proceed with the API and get around this otherwise very tricky or impossible to solve limitation, I picked an API that conveniently "lied" about the callback lifetimes, and I believed this was safe because all callbacks at the time were 'static anyway. Well, honestly I had a pretty poor understanding of the borrow checker at the time and I was very unsure of everything, but later on I became slightly more confident that my lie based interface was safe due to the 'static callback requirement. I now know this is wrong, and should have realized this sooner.

I lied a bit above, the real callback type inside rlua is actually not what I said above, there is actually a second lifetime parameter to make the callback itself non-'static for use in Lua::scope, so the real callback type is actually this:

type Callback<'cb, 'a> = Box<Fn(&'cb Lua, MultiValue<'cb>) -> Result<MultiValue<'cb>> + Send + 'a>

This is to facilitate the Scope callbacks having a non-'static lifetime, which if you understand how the argument lifetimes are lying there, you know this is obviously a problem. At the time I initially made the Scope interface I didn't really fully understand the implications of the misleading callback types that I was using. I later found out via #82 that the initial interface that I had written was of course unsound, and it was only after fixing that issue that I more fully understood the problem.

From a certain perspective, the misleading callback types are the root cause of #82, because the callback type requires this user chosen, unbounded 'cb lifetime and that makes writing a sound interface extremely difficult and easy to get wrong. I believe the solution for #82 is correct, but it is extremely delicate and intricate and confusing, and this is the LAST property that you want when writing rust code with unsafe.

So the reason that I'm writing about this problem now is not actually due to #82. Instead it is because I had a minor panic attack today over the following thought: "what if you convinced the borrow checker to pick 'static as the 'cb lifetime in rlua callbacks?".

Well, it turns out you can totally do this, and it's obvious that you can do this and I should have realized this sooner. Observe this monstrosity:

extern crate rlua;

use std::cell::RefCell;

use rlua::{Lua, Table};

fn main() {
    thread_local! {
        static BAD_TIME: RefCell<Option<Table<'static>>> = RefCell::new(None);
    }

    let lua = Lua::new();

    lua.create_function(|_, table: Table| {
        BAD_TIME.with(|bt| {
            *bt.borrow_mut() = Some(table);
        });
        Ok(())
    }).unwrap()
    .call::<_, ()>(lua.create_table().unwrap())
    .unwrap();

    // In debug, this will panic with a reference leak before getting to the next part but
    // it segfaults anyway.
    drop(lua);

    BAD_TIME.with(|bt| {
        println!(
            "you're gonna have a bad time: {}",
            bt.borrow().as_ref().unwrap().len().unwrap()
        );
    });
}

So the proper fix is honestly the same as the proper fix for #82, which is to fix the callback types, and thus also fix the callback API. However, without ATCs, it appears that the only way that I can do so is either macros (to write the voldemort function who's type I can't name), or possibly some other trait trick I'm not aware of, or possibly redesign ToLua / FromLua to not require ATCs, I'm not sure.

In the meantime, there's a hopefully simple fix for this issue, but I need to test it out first, and I'll be back in a moment.

[kyren]

I thought 0f5a9a3 would just barely fix it, but it doesn't :(

I forgot about Box::leak, which will always allow you to get a &'static T if T is 'static. This makes the fix unsound still.

I have tried for a few hours to come up with any other way to express callbacks that allows me to use the correct internal callback type and I can't come up with one. Either I'm defeated by lack of ATCs or not being able to do blanket trait impls on another trait. I'll keep trying, because this is now, afaict, an unfixable soundness issue (without drastic API changes and macros).

Edit: even if such a function didn't exist in the stdlib, it would be pretty ridiculous to say that it's unsound to make a &'static T for some 'static T, so this makes sense.

[kyren]

Okay, I've attacked this problem from a whole bunch of angles, time to brainstorm.

The first answer I came up with was to simply store a special Lua instance, stored in the extradata section, that is used for all of the callback Lua instances. This would allow closures to capture &Lua and the other argument types harmlessly and just entirely sidestep the problem. The problem with this approach, besides the fact that it's really gross and it encourages something which I actually want to be really hard (capturing LuaRef types and potentially causing a Lua gc based memory leak), is that I think it's... well it's pretty wrong in the presence of coroutines. I suppose it doesn't actually matter because rlua doesn't support Lua coroutines in a way where always using e.g. the main stack to call Lua would cause bugs, but it feels kind of weird? It would grow the "wrong" stack in the presence of coroutines, but maybe I'm worrying too much about this. The worse outcome is that you can accidentally capture parameters and cause memory leaks, but if we keep the same API otherwise you'd have to really really try, and you can already do that if you try hard enough. This might be a viable solution, but it doesn't genuinely remove the fact that the callback lifetimes lie, so if it's possible I'd like to actually fix that.

I could just simply require additional macro calls to create rust callback functions. This solution really sucks usability wise, but I know it works.

I could require that callbacks take MultiValue<'lua> args and return MultiValue<'lua>. This also really sucks usability wise, but I also know it works. This solution and the previous solution could be combined, so that the macro simply creates functions that take and return MultiValue.

I could remove the 'lua lifetime from ToLua / FromLua traits, sidestepping the problem in a different way. It would require some machinery around Lua to "adopt" references and check at runtime that they have the same main Lua state, but it might not be too bad. One downside is that if you mix Lua states, you would always be allowed to do stupid things by the type system like pass the wrong handle to the wrong state, but you can already do this and there's even an explicit test to make sure that it panics. The only change here really is that you will be able to do it in slightly more cases, but that is probably not a big deal because you can already do it in a huge number of cases.

I could actually find some way of expressing the trait bounds that works without lying, and without the use of macros. I can't come up with any way to do it after a few hours of looking at it (and this isn't even the first time I've looked), but that doesn't mean it doesn't exist.

I can't come up with any other solutions, but I'm convinced that I need to solve this pretty soon. There are other difficulties that I haven't mentioned also, like with the ToLua and FromLua traits as they are now, you run into exactly the same problem if the user of rlua ever needs to capture closures themselves with the right signature for callbacks, and this actually can come up. I've run into this before trying to store member callbacks through another trait (think a registered ECS Component type with script methods on it), and in order to solve it, I ended up requiring that the methods all took MultiValue<'lua> args and returned MultiValue<'lua>, which requires adding a lot of boilerplate to the callbacks themselves, or using macros (it was basically identical to the problem inside rlua, so it required the same sort of solution).

I think I'm leaning toward removing the lifetime from ToLua and FromLua and seeing if that's workable, but I don't know and I'm really tired, so I might need to step away and think about it in the background for a while. If that solution is workable, it also removes the difficulty of dealing with those traits in the same way outside the crate as well as inside that I ran into before with Component.

[kyren]

Arnavion on IRC helped me think through the HRTB problem, and they got really far, but it might just be impossible currently:

https://play.rust-lang.org/?version=stable&mode=debug&edition=2015&gist=2bdcbedae01d0a863260df76a169c295

It looks really promising, but uncomment line 69 if you want to see fireworks.

[Timidger]

Possibly a sucky solution, but one I offer since I've gotten down similar rabbit holes like you have in regards to wlroots-rs (though haven't programmed in Rust in a while, so feel free to disregard) and it can be really draining to struggle to understand just what exactly will solve the problem (if anything):

Just make it unsafe (for now) to construct a function, with a comment concisely describing how to use it safely.

If you eventually find a solution, great then replace it with that. If you can't then at least it's documented how to use the function and if there's a bug you know you should look for mis-uses of that first and then look for bugs in the rest of your unsafe code.

It's super sucky, but after dealing with so many headaches with wlroots-rs I'm feeling much more willing to punt some of the trickier problems on to the user of the library especially pre-1.0. That isn't acceptable for a 1.0 library, but this isn't a 1.0 library.

I think this is something Rust libraries need to encourage more, especially in the APIs that sacrifice ergonomics for safety (*cough* wlroots-rs *cough*) having an escape hatch that is clearly marked unsafe could lead to a better experience for the library user.

[kyren]

Possibly a sucky solution, but one I offer since I've gotten down similar rabbit holes like you have in regards to wlroots-rs (though haven't programmed in Rust in a while, so feel free to disregard) and it can be really draining to struggle to understand just what exactly will solve the problem (if anything):

Nah, the situation isn't THAT bad yet, like I said I could offer a completely safe interface by just having functions take MultiValue and do the arg / return conversion manually with Lua::pack_multi / Lua::unpack_multi, and certainly that's more useful than an unsafe interface. This problem is really solvable, I think I just need to take lifetimes out of the ToLua / FromLua traits.

Lua is very very unsafe and hard to deal with in C, the whole reason (for me) that this library is useful is because it's safe, I would rather give a slightly unergonomic API than an unsafe one. Unsafety is about as unergonomic as it gets, really.

After sleeping on this problem, I don't think it's actually going to be a big deal to solve.

Edit: After thinking about it more, I don't necessarily disagree with you in principle, I just think that in this specific case, an API that just used callbacks with MultiValue is not that unergonomic, so reducing a bit of annoying boilerplate in that case is not worth unsafety. Your experiences are probably much different, you probably mean "unergonomic" as in: totally restricts large amounts of what you might want to actually do. In a case like that, I would probably agree with you, and also agree that it's not a great place to be but it would be fine for pre-1.0. Luckily the worst case scenario here is not THAT bad.

[kyren]

Okay, so removing the lifetime from FromLua is not possible (which is kind of obvious), but that's actually fine. If you just remove the lifetime from ToLua (and make that work via reference "adoption"), it sort of works, see callback_sanity branch.

However, not all the examples compile, and I'm not sure if I can fix it! 🙃

It's kind of terrible in other ways, too. For example, there's no good safe way of converting MultiValue other than "adopting" all of the values inside it, which will be horribly slow (unless some real optimizer magic happens). That's probably fixable, but the lifetimes in callbacks are a still bit of a mess.

This is getting annoying! Time to bring out the big guns.

I have another solution to this problem that I've had in my back pocket for a while, but I've been avoiding it until I tested it in luster. If it works, it will fix this problem and make a few things which are currently only logical errors into type errors, but it's a big change. The idea is that you have pretty much the API that exists now, but most of the API is wrapped in a Lua::scope like callback with a context parameter branded with a unique, invariant lifetime.

It's probably not that useful to look at luster to see this API in action because not enough of the interpreter really exists yet, so here is a rough sketch of what it looks like.

I need a better names than LuaState and access, I might just go with Context and with_context for now. Edit: Since it subsumes scope, it should probably just be called 'scope' again. But I'm putting the cart before the horse, because I still need to try it out and make sure the whole thing will actually work.

[kyren]

Right now my current plan is something like this.

Basically everywhere there is currently &Lua will be replaced by Context. Context will be Copy, LuaRef will hold a Context, ToLua / FromLua will take a Context, callbacks will be passed a Context, etc. The top level call to the API will be Lua::scope, which will be passed a Scope, which could also be Copy, and would deref to Context. Scope would hold just the part of the API for scoped data, like the current Scope, and would only currently be passed as a callback parameter on Lua::scope, just like now.

The logic behind splitting things into Context and Scope is 1) that Scope requires multiple lifetimes and it makes a noisy, difficult default, and 2) as soon as you enter a into a static callback you have no sensible scope, so there would have to be some default 'static scope of some kind and thus nothing general could rely on it anyway. It might be sensible to have just scoped methods receive the same scope as their first parameter, rather than a plain context, if that's possible.

I know this is a lot to follow and I keep updating it with more craziness. I don't know who all is that interested in all the messy API design here, but talking it through in this issue helps me think about it so I'm going to keep doing it.

[Timidger]

I'm interested, at least so far as it affects Way Cooler 😊.

Already I do weird stuff with the Lua scope, so these changes will probably affect me. These changes sound for the better though, and similar to how I dealt with unsafe in wlroots-rs (using handles with scoped callbacks instead of the object directly, forcing the return types to fit in that scope if they are non copy).

Got a branch where you're working on this?

[kyren]

I'm glad you're interested! I'll happily keep you up to date then if only so I have somebody checking my thought process.

I'll push what I'm working on to a branch later today, I think it might actually require building the API from scratch in parallel because there are a lot of parts and they all require changing at once, so it's taken me a while to get started.

[lemarcuspoilus]

Wow. I just read that issue and the letters are dancing all around because of all the technicalities and I somewhat understand what you wanna do.

I see that you want to make all Lua registration/execution right in a scope (like if it was the only method), but assuming it gets all removed when the scope ends, would that prevent Lua or a Context to be stored within a struct? What I mean is, if I'd make an application structure containing a Lua field, then I initialize the Lua instance in a constructor (Application::new() for instance) with some functions and all before returning the instance, would this mean I will loose all those functions when I get to execute some Lua code by calling the application? I can give you an example if you need.

removed unnecessary code and explanation, please see the edit history

If I understood your solution to the callbacks properly, I think this would solve the problem for complex code bases relying on a long living Lua context to be available when needed (including a script for a game object). If I didn't then I'll discover it when a beta solution may be compiled! I'm still impressed by how important these little details matter to you!

[kyren]

would that prevent Lua or a Context to be stored within a struct?

It would prevent a Context being stored in a type that was passed into Lua, or moved outside of the outer call to Lua::scope, that's all. The top-level Lua would be a regular 'static type like always, and would continue to hold the internal Lua state, and you can do whatever you want with it.

Maybe it'll be easier to understand when I push to the contextify branch, it's maybe not as big of a change as you're thinking.

The whole thing with channels there would not be necessary and wouldn't give you any extra power, because you wouldn't be able to pass 'lua types through the channel anyway.

I'm still impressed by how important these little details matter to you!

I mean a soundness hole is a soundness hole, imo, so it's not really little.