Skip to content

std: don't leak the thread closure if destroying the thread attributes fails #148026

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 3, 2025
Merged

std: don't leak the thread closure if destroying the thread attributes fails #148026

merged 1 commit into from
Nov 3, 2025
+13 −15

Conversation

@joboet
Copy link
Member

@joboet joboet commented Oct 23, 2025

The comment about double-free is wrong – we can safely drop both the thread attributes and the thread closure. Here, I've used DropGuard for the attributes and moved the Box::into_raw to just before the pthread_create.

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Oct 23, 2025
@rustbot
Copy link
Collaborator

rustbot commented Oct 23, 2025

r? @Mark-Simulacrum

rustbot has assigned @Mark-Simulacrum.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

hkBst
hkBst suggested changes Oct 23, 2025
View reviewed changes
library/std/src/sys/thread/unix.rs
Comment on lines +59 to +61
let mut attr = DropGuard::new(&mut attr, |attr| {
assert_eq!(libc::pthread_attr_destroy(attr.as_mut_ptr()), 0)
});
Copy link
Member

@hkBst hkBst Oct 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps you could add a comment here to explain the relevant considerations of using DropGuard here?

Copy link
Member

@hkBst hkBst Oct 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One thing I notice is that before, libc::pthread_attr_destroy(attr.as_mut_ptr()) is not called for #[cfg(any(target_os = "espidf", target_os = "nuttx"))], but with this change it will/could be. Is that intended?

Copy link
Member Author

@joboet joboet Oct 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that is very much intended. The leakage of the current version is a bug. And do you really think that this needs documentation? The DropGuard just makes sure that the attribute structure is destroyed, which is pretty self-explanatory to me.

Copy link
Member

@hkBst hkBst Oct 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The what is clear enough, but the why could use some expanding. If it was completely straightforward, then this bug wouldn't have needed fixing, so I do think explaining why the DropGuard is needed would be good.

Copy link
Member

@Mark-Simulacrum Mark-Simulacrum Nov 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO, this is fine as-is. The bug existed precisely because the resources (Box and attr) weren't guarded appropriately with DropGuard or equivalent. That's fixed now.

Mark-Simulacrum
Mark-Simulacrum reviewed Nov 2, 2025
View reviewed changes
library/std/src/sys/thread/unix.rs
// Round up to the nearest page and try again.
let page_size = os::page_size();
let stack_size =
(stack_size + page_size - 1) & (-(page_size as isize - 1) as usize - 1);
Copy link
Member

@Mark-Simulacrum Mark-Simulacrum Nov 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I wonder if we can make this be stack_size.next_multiple_of(page_size)? I'm not sure why we need to handwrite the code... I guess maybe it's a bit slower since LLVM doesn't know page_size is a multiple of 2, but that seems unimportant in this context?

(Obviously pre-existing...)

@Mark-Simulacrum
Copy link
Member

Mark-Simulacrum commented Nov 2, 2025

@bors r+

@bors
Copy link
Collaborator

bors commented Nov 2, 2025

📌 Commit a7f08de has been approved by Mark-Simulacrum

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Nov 2, 2025
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this pull request Nov 2, 2025
@matthiaskrgr
Rollup merge of rust-lang#148026 - joboet:dont-leak-thread-closure, r…
c1ab7e9 
…=Mark-Simulacrum

std: don't leak the thread closure if destroying the thread attributes fails

The comment about double-free is wrong – we can safely drop both the thread attributes and the thread closure. Here, I've used `DropGuard` for the attributes and moved the `Box::into_raw` to just before the `pthread_create`.
This was referenced Nov 2, 2025
Closed
Merged
bors added a commit that referenced this pull request Nov 2, 2025
@bors
Auto merge of #148412 - matthiaskrgr:rollup-59a302x, r=matthiaskrgr
c5dabe8 
Rollup of 7 pull requests

Successful merges:

 - #146573 (Constify Range functions)
 - #146699 (Add `is_ascii` function optimized for LoongArch64 for [u8])
 - #148026 (std: don't leak the thread closure if destroying the thread attributes fails)
 - #148135 (Ignore unix socket related tests for VxWorks)
 - #148211 (clippy fixes and code simplification)
 - #148395 (Generalize branch references)
 - #148405 (Fix suggestion when there were a colon already in generics)

r? `@ghost`
`@rustbot` modify labels: rollup
@bors bors merged commit 2afb64e into rust-lang:master Nov 3, 2025
11 checks passed
@rustbot rustbot added this to the 1.93.0 milestone Nov 3, 2025
rust-timer added a commit that referenced this pull request Nov 3, 2025
@rust-timer
Unrolled build for #148026
56d8b4b 
Rollup merge of #148026 - joboet:dont-leak-thread-closure, r=Mark-Simulacrum

std: don't leak the thread closure if destroying the thread attributes fails

The comment about double-free is wrong – we can safely drop both the thread attributes and the thread closure. Here, I've used `DropGuard` for the attributes and moved the `Box::into_raw` to just before the `pthread_create`.
github-actions bot pushed a commit to rust-lang/rust-analyzer that referenced this pull request Nov 3, 2025
@bors
Auto merge of #148412 - matthiaskrgr:rollup-59a302x, r=matthiaskrgr
3214048 
Rollup of 7 pull requests

Successful merges:

 - rust-lang/rust#146573 (Constify Range functions)
 - rust-lang/rust#146699 (Add `is_ascii` function optimized for LoongArch64 for [u8])
 - rust-lang/rust#148026 (std: don't leak the thread closure if destroying the thread attributes fails)
 - rust-lang/rust#148135 (Ignore unix socket related tests for VxWorks)
 - rust-lang/rust#148211 (clippy fixes and code simplification)
 - rust-lang/rust#148395 (Generalize branch references)
 - rust-lang/rust#148405 (Fix suggestion when there were a colon already in generics)

r? `@ghost`
`@rustbot` modify labels: rollup
github-actions bot pushed a commit to rust-lang/rustc-dev-guide that referenced this pull request Nov 3, 2025
@bors
Auto merge of #148412 - matthiaskrgr:rollup-59a302x, r=matthiaskrgr
d867ed0 
Rollup of 7 pull requests

Successful merges:

 - rust-lang/rust#146573 (Constify Range functions)
 - rust-lang/rust#146699 (Add `is_ascii` function optimized for LoongArch64 for [u8])
 - rust-lang/rust#148026 (std: don't leak the thread closure if destroying the thread attributes fails)
 - rust-lang/rust#148135 (Ignore unix socket related tests for VxWorks)
 - rust-lang/rust#148211 (clippy fixes and code simplification)
 - rust-lang/rust#148395 (Generalize branch references)
 - rust-lang/rust#148405 (Fix suggestion when there were a colon already in generics)

r? `@ghost`
`@rustbot` modify labels: rollup
github-actions bot pushed a commit to rust-lang/miri that referenced this pull request Nov 3, 2025
@bors
Auto merge of #148412 - matthiaskrgr:rollup-59a302x, r=matthiaskrgr
deb7e87 
Rollup of 7 pull requests

Successful merges:

 - rust-lang/rust#146573 (Constify Range functions)
 - rust-lang/rust#146699 (Add `is_ascii` function optimized for LoongArch64 for [u8])
 - rust-lang/rust#148026 (std: don't leak the thread closure if destroying the thread attributes fails)
 - rust-lang/rust#148135 (Ignore unix socket related tests for VxWorks)
 - rust-lang/rust#148211 (clippy fixes and code simplification)
 - rust-lang/rust#148395 (Generalize branch references)
 - rust-lang/rust#148405 (Fix suggestion when there were a colon already in generics)

r? `@ghost`
`@rustbot` modify labels: rollup
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mark-Simulacrum Mark-Simulacrum Mark-Simulacrum left review comments

+1 more reviewer

@hkBst hkBst hkBst requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

@Mark-Simulacrum Mark-Simulacrum

Labels

S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. T-libs Relevant to the library team, which will review and decide on the PR/issue.

Projects

None yet

Milestone

1.93.0

Development

Successfully merging this pull request may close these issues.

5 participants

@joboet @rustbot @Mark-Simulacrum @bors @hkBst