Skip to content

std: use nonpoison::Mutex for all internal mutexes #148689

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

std: use nonpoison::Mutex for all internal mutexes #148689

wants to merge 1 commit into from

Conversation

@joboet
Copy link
Member

@joboet joboet commented Nov 8, 2025
edited
Loading

Under the hopefully reasonable assumption that std's code is bug-free, all of the mutexes switched here will never be poisoned. The only poisoning mutex left is the one used for output capturing, as that has subtle effects on what gets captured.

@rustbot
Copy link
Collaborator

rustbot commented Nov 8, 2025

r? @Mark-Simulacrum

rustbot has assigned @Mark-Simulacrum.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rustbot rustbot added O-unix Operating system: Unix-like S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Nov 8, 2025
joboet
joboet commented Nov 8, 2025
View reviewed changes
library/std/src/io/stdio.rs
Comment on lines +438 to +445
#[stable(feature = "catch_unwind", since = "1.9.0")]
impl UnwindSafe for Stdin {}

#[stable(feature = "catch_unwind", since = "1.9.0")]
impl RefUnwindSafe for Stdin {}

Copy link
Member Author

@joboet joboet Nov 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The manual implementation is necessary to avoid a situation like #146087.

@rust-log-analyzer

This comment has been minimized.

Sign in to view
@joboet joboet force-pushed the nonpoison-mutex-everywhere branch from c5f4eac to 77d3da4 Compare November 8, 2025 12:48
@rust-log-analyzer

This comment has been minimized.

Sign in to view
@joboet joboet force-pushed the nonpoison-mutex-everywhere branch from 77d3da4 to d75cc3b Compare November 8, 2025 14:40
@bjorn3
Copy link
Member

bjorn3 commented Nov 8, 2025

If a panic happens anyway, do all these cases preserve correct internal state? If not, then we should actually keep propagating the panic through poisoning IMO.

@Mark-Simulacrum
Copy link
Member

Mark-Simulacrum commented Nov 9, 2025

Maybe worth starting with the ones that we always unwrap_or_else(|e| e.into_inner()) on anyway? That seems easy to land.

I think for the ones that we sometimes just unwrap() on I'd lean towards keeping poisoning for the same reason outlined by @bjorn3 -- I'm not that convinced we lack bugs, and it seems like a cheap (good!) defense against those.

@Mark-Simulacrum Mark-Simulacrum added I-libs-nominated Nominated for discussion during a libs team meeting. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Nov 9, 2025
@joboet
Copy link
Member Author

joboet commented Nov 9, 2025

If a panic happens anyway, do all these cases preserve correct internal state? If not, then we should actually keep propagating the panic through poisoning IMO.

They do.

I think for the ones that we sometimes just unwrap() on I'd lean towards keeping poisoning for the same reason outlined by @bjorn3 -- I'm not that convinced we lack bugs, and it seems like a cheap (good!) defense against those.

I think it's important to keep in mind that such bugs would still result in a panic, and would hence need to corrupt the internal state in a way that leads to unsoundness before this would make a meaningful difference.

@bjorn3
Copy link
Member

bjorn3 commented Nov 9, 2025

I think it's important to keep in mind that such bugs would still result in a panic

Only on the thread where the buggy method was called. If this thread is never joined, without poisoning the panic will never propagate to any other threads.

@joboet
Copy link
Member Author

joboet commented Nov 9, 2025
edited
Loading

I'd like to point out that T-libs-api wants to switch std::sync::Mutex to the non-poisoning variant at some point. I'd be very confused if std set such a public standard, but then didn't follow it internally. So while I am personally of the opinion that poisoning is far too cautious and rarely helpful, I think your pushback here illustrates the need for a larger discussion on std's policy.

@rustbot label +I-libs-api-nominated

@rustbot rustbot added the I-libs-api-nominated Nominated for discussion during a libs-api team meeting. label Nov 9, 2025
@Mark-Simulacrum
Copy link
Member

Mark-Simulacrum commented Nov 9, 2025

I'd be very confused if std set such a public standard, but then didn't follow it internally.

I think the default matters (and non-poison is probably the right default). But I'm not sure that means std can't use poisoned Mutexes anywhere -- that seems like a strange position to take. In ~95% of cases I'd tend to agree that they don't add value, but sometimes they do, and then we should aim to use them :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@Mark-Simulacrum Mark-Simulacrum

Labels

I-libs-api-nominated Nominated for discussion during a libs-api team meeting. I-libs-nominated Nominated for discussion during a libs team meeting. O-unix Operating system: Unix-like T-libs Relevant to the library team, which will review and decide on the PR/issue.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@joboet @rustbot @rust-log-analyzer @bjorn3 @Mark-Simulacrum