Panic safety in drop #14

bluss · 2015-08-20T21:07:38Z

@Stebalien discovered panic safety issue bluss/arrayvec#3 and it applies to smallvec as well.

My understanding is: SmallVec::drop first attempts to drop every element, then it inhibits the drop of the inner array. The panic safety issue is that a panic during drop of an element means the inhibition is never reached, so the inner data can be dropped again.

Testcase adapted from @Stebalien

    #[test]
    #[should_panic]
    fn test_drop_panic_smallvec() {
        // This test should only panic once, and not double panic,
        // which would mean a double drop
        struct DropPanic;

        impl Drop for DropPanic {
            fn drop(&mut self) {
                panic!("drop");
            }
        }

        let mut v = SmallVec::<[_; 1]>::new();
        v.push(DropPanic);
    }

A test for issue servo#14

The summary is: SmallVec::drop first attempts to drop every element, then it inhibits the drop of the inner array. The panic safety issue is that a panic during drop of an element means the inhibition is never reached, so the inner data can be dropped again. NoDrop acts as a panic guard; its drop will trigger on panic, so the inner array's drop will be inhibited even on panic during SmallVec::drop. Using NoDrop incurs the overhead of its enum tag and its drop flag. Fixes servo#14

A test for issue servo#14

The summary is: SmallVec::drop first attempts to drop every element, then it inhibits the drop of the inner array. The panic safety issue is that a panic during drop of an element means the inhibition is never reached, so the inner data can be dropped again. NoDrop acts as a panic guard; its drop will trigger on panic, so the inner array's drop will be inhibited even on panic during SmallVec::drop. Using NoDrop incurs the overhead of its enum tag and its drop flag. Fixes servo#14

bluss · 2015-08-20T21:16:27Z

bluss/arrayvec/pull/4 shows an alternative way to solve it, but it is fragile due to bug rust-lang/rust/issues/27906

bluss · 2015-08-20T21:17:19Z

I guess any way to solve it is fragile 😦 due to panic-on-drop semantics not being completely clear.

The summary is: SmallVec::drop first attempts to drop every element, then it inhibits the drop of the inner array. The panic safety issue is that a panic during drop of an element means the inhibition is never reached, so the inner data can be dropped again. If Drop is split betweeen SmallVec and SmallVecData, this issue is avoided because the SmallVecData drop will be called even in the panic case. This solution incurs the overhead of an additional drop flag on SmallVecData. Fixes servo#14

Fix panic safety issue in drop The summary is: SmallVec::drop first attempts to drop every element, then it inhibits the drop of the inner array. The panic safety issue is that a panic during drop of an element means the inhibition is never reached, so the inner data can be dropped again. If Drop is split betweeen SmallVec and SmallVecData, this issue is avoided because the SmallVecData drop will be called even in the panic case. This solution incurs the overhead of an additional drop flag on SmallVecData. Fixes #14

Add -Z panic-in-drop={unwind,abort} command-line option This PR changes `Drop` to abort if an unwinding panic attempts to escape it, making the process abort instead. This has several benefits: - The current behavior when unwinding out of `Drop` is very unintuitive and easy to miss: unwinding continues, but the remaining drops in scope are simply leaked. - A lot of unsafe code doesn't expect drops to unwind, which can lead to unsoundness: - servo/rust-smallvec#14 - bluss/arrayvec#3 - There is a code size and compilation time cost to this: LLVM needs to generate extra landing pads out of all calls in a drop implementation. This can compound when functions are inlined since unwinding will then continue on to process drops in the callee, which can itself unwind, etc. - Initial measurements show a 3% size reduction and up to 10% compilation time reduction on some crates (`syn`). One thing to note about `-Z panic-in-drop=abort` is that *all* crates must be built with this option for it to be sound since it makes the compiler assume that dropping `Box<dyn Any>` will never unwind. cc rust-lang/lang-team#97

bluss pushed a commit to bluss/rust-smallvec that referenced this issue Aug 20, 2015

Panic safety test for SmallVec::drop

134a8f7

A test for issue servo#14

bluss mentioned this issue Aug 20, 2015

Fix panic safety issue in drop #15

Merged

bluss added a commit to bluss/rust-smallvec that referenced this issue Aug 20, 2015

Panic safety test for SmallVec::drop

bff26fc

A test for issue servo#14

bors-servo closed this as completed in #15 Aug 21, 2015

Amanieu mentioned this issue Sep 8, 2021

Add -Z panic-in-drop={unwind,abort} command-line option rust-lang/rust#88759

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Panic safety in drop #14

Panic safety in drop #14

bluss commented Aug 20, 2015

bluss commented Aug 20, 2015

bluss commented Aug 20, 2015

Panic safety in drop #14

Panic safety in drop #14

Comments

bluss commented Aug 20, 2015

bluss commented Aug 20, 2015

bluss commented Aug 20, 2015