Avoid unwind across extern "C" in thread_local::fast_local
#112292
Conversation
|
r? @m-ou-se (rustbot has picked a reviewer for you, use r? to override) |
rustbot
added
S-waiting-on-review
| /// fn` declared in a user crate). If the callback unwinds anyway, then | ||
| /// `rtabort` with a message about thread local panicking on drop. | ||
| #[inline] | ||
| pub fn abort_on_dtor_unwind(f: impl FnOnce()) { |
There was a problem hiding this comment.
This is here mostly because we need it and I'll use it in more places in the followup PR.
Noratrieb
added
the
beta-nominated
|
This change looks fine. @bors r+
Oh, me too. We should probably have a chat to make sure we're not doing double work or working against each other. ^^' |
bors
added
S-waiting-on-bors
|
(See also #110897
) |
Yeah, so my cleanup that I hope to have up later today is largely small-scale stuff compared to that. Mostly just better panic handling and avoiding cases where we do multiple TLS accesses (e.g. multiple I do have some comments I've been meaning to mention in that issue tho, I guess I'll do that |
m-ou-se
removed
the
beta-nominated
|
We discussed this in the libs meeting just now. Since this isn't a recent regression and this doesn't seem to result in actual issues today (other than just an abort), this doesn't seem like a good candidate for backporting. |
|
☀️ Test successful - checks-actions |
|
Finished benchmarking commit (8091736): comparison URL. Overall result: no relevant changes - no action needed@rustbot label: -perf-regression Instruction countThis benchmark run did not return any relevant results for this metric. Max RSS (memory usage)ResultsThis is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
CyclesResultsThis is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
Binary sizeThis benchmark run did not return any relevant results for this metric. Bootstrap: 647.317s -> 647.603s (0.04%) |
Noratrieb
added
the
beta-nominated
|
nominating for beta backport: #112285 (comment) |
|
m-ou-se
removed
the
beta-nominated
|
ah, didnt see that |
| STATE = 2; | ||
| $crate::ptr::drop_in_place(ptr); | ||
| } | ||
| $crate::thread::local_impl::abort_on_dtor_unwind(|| { |
There was a problem hiding this comment.
This can be removed again when we (finally) enable abort-on-unwind for all extern "C", right?
This is a minimal fix for #112285, in case we want a simple patch that can be easily to backported if that's desirable.
(Note: I have another broader cleanup which I've mostly omitted from here to avoid clutter, except for the
Cellchange, which isn't needed to fix UB, but simplifies safety comments).The only tier-1 target that this occurs on in a way that seems likely to cause problems in practice linux-gnu, although I believe some folks care about that platform somewhat 😉. I'm unsure how big of an issue this is. I've seen stuff like this behave quite badly, but there's a number of reasons to think this might actually be "fine in practice".
I've hedged my bets and assumed we'll backport this at least to beta but my feeling is that there's not enough evidence this is a problem worth backporting further than that.
More details
This issue seems to have existed since
thread_local!'sconstinit functionality was added. It occurs if you have aconst-initialized thread local for a type thatneeds_drop, the drop panics, and you're on a target with support for static thread locals. In this case, we will end up defining anextern "C"function in the user crate rather than in libstd, and because the user crate will not have#![feature(c_unwind)]enabled, their panic will not be caught by an auto-inserted abort guard.In practice, the actual situation where problems are likely1 is somewhat narrower.
On most targets with static thread locals, we manage the TLS dtor list by hand (for reentrancy reasons among others). In these cases, while the users code may panic, we're calling it inside our own
extern "C"(orextern "system") function, which seems to (at least in practice) catch the panic and convert it to an abort.However, on a few targets, most notably linux-gnu with recent glibc (but also fuchsia and redox), a tls dtor registration mechanism exists which we can actually use directly,
__cxa_thread_atexit_impl.This is the case that seems most likely to be a cause for concern, as now we're passing a function to the system library and panicking out of it in a case where there are may not be Rust frames above it on the call stack (since it's running thread shutdown), and even if there were, it may not be prepared to handle such unwinding. If that's the case, it'd be bad.
Is it? Dunno. The fact that it's a
__cxa_*function makes me think they probably have considered that the callback could throw but I have no evidence here and it doesn't seem to be written down anywhere, so it's just a guess. (I would not be surprised if someone comes into this thread to tell me how definitely-bad-news it is).That said, as I said, all this is actually UB! If this isn't a "technically UB but fine in practice", but all bets are off if this is the kind of thing we are telling LLVM about.
Footnotes
This is UB so take that with a grain of salt -- I'm absolutely making assumptions about how the UB will behave "in practice" here, which is almost certainly a mistake. ↩