Change entry point to 🛡️ against 💥 💥-payloads #86034
Conversation
rust-highfive
added
the
S-waiting-on-review
nagisa
added
the
T-libs
library/std/src/rt.rs
Outdated
| // a liberty of running the drop in an environment that looks as if a panic is already | ||
| // in progress. This way any panics in the user code that we will run shortly will | ||
| // become double-panic aborts. | ||
| panic_count::increase(); |
There was a problem hiding this comment.
Maybe it would be safer to add a drop bomb that aborts the process when unwinding above the catch_unwind(main) call? That would also ensure an abort when C++ unwinds into rust code. We define that as UB anyway, but just in case.
There was a problem hiding this comment.
There are multiple implementation approaches that could be taken here, indeed. Each has their own considerations.
I don't think the choice should be made based on behaviour in case UB is invoked, however. This code handling a super niche corner-case in the first place; I think the simplicity of the implementation is probably outweighs in benefit the better UB resiliency.
That said, a drop-guard would allow to guard against panics in rt::init and rt::cleanup, which is quite desirable, yes.
There was a problem hiding this comment.
Alas, the drop guard approach does not work. That's because there isn't any catch pads the unwinding implementation could find, and thus you get the same old UB as if we did nothing at all.
I did adjust the implementation to use another catch_unwind, however, which should handle the issues with user code and certain runtime functions panicking.
nagisa
force-pushed
the
nagisa/rt-soundness
branch
from
b6992c5 to
9644171
Compare
This comment has been minimized.
This comment has been minimized.
nagisa
force-pushed
the
nagisa/rt-soundness
branch
2 times, most recently
from
4b6a50b to
d815cbc
Compare
|
This PR guards against two things: 1. panics from rt::init/rt::cleanup, 2. panics from dropping a user-defined panic payload. Maybe it's good to separate how those are handled. For 1, we don't need to worry about dropping the payload, since we don't throw non-string payloads in the standard library ( For 2, we should make sure the drop happens before Regardless, this PR is already a big improvement over the current situation. So |
nagisa
force-pushed
the
nagisa/rt-soundness
branch
from
d815cbc to
86dd639
Compare
I think this already holds true – we don't particularly worry much about the runtime panics, as they are bugs in libstd's implementation and the fix would be to not panic in the first place.
I adjusted the abort message to focus more on the panic-payload panics and less on the runtime side of the things. Ideally in absence of bugs in the libstd's implementation the only ways users will end up seeing the message is by panicking in the payload. |
nagisa
force-pushed
the
nagisa/rt-soundness
branch
from
86dd639 to
594e403
Compare
|
@bors r=m-ou-se |
|
📌 Commit 594e4030b30749d496904438579f2e4ce6194563 has been approved by |
bors
added
S-waiting-on-bors
library/std/src/rt.rs
Outdated
| Err(e) => { | ||
| mem::forget(e); | ||
| panic_count::increase(); // guard against rtprintpanic! panicking. | ||
| rtprintpanic!("drop of the panic payload panicked"); // or a runtime bug has occurred! |
There was a problem hiding this comment.
I think this can be really confusing when the standard library does somehow produce a panic outside of main. If you want to separate these cases and have a message that's specific to the panic payload drop, that'd be good, but it should really just be a separate catch_unwind. I'm afraid that like this, it's going to cause someone a lot of confusion and cost them a lot of time to debug a panic at some point.
There was a problem hiding this comment.
Well, IMO a backtrace would have revealed the problem regardless, but adjusted this anyway. That said, lang_start_internal has become a big pile of yucky assembly with this :(
|
@bors r- |
bors
added
S-waiting-on-author
nagisa
force-pushed
the
nagisa/rt-soundness
branch
from
594e403 to
968d4c1
Compare
|
This is ready for a re-review. |
library/std/src/rt.rs
Outdated
| ) | ||
| unsafe { | ||
| // SAFETY: Err variant can't exist by definition. | ||
| Result::<_, !>::unwrap_unchecked(lang_start_internal( |
There was a problem hiding this comment.
There is a Result::into_ok for this: https://doc.rust-lang.org/nightly/std/result/enum.Result.html#method.into_ok
(I suppose you could also use that directly instead of the ?s above, to avoid changing the return type to Result.)
nagisa
force-pushed
the
nagisa/rt-soundness
branch
from
968d4c1 to
d5a8bbb
Compare
This comment has been minimized.
This comment has been minimized.
nagisa
force-pushed
the
nagisa/rt-soundness
branch
from
d5a8bbb to
ba87c46
Compare
library/std/src/lib.rs
Outdated
| #![feature(alloc_error_handler)] | ||
| #![feature(alloc_layout_extra)] | ||
| #![feature(allocator_api)] | ||
| #![feature(allocator_internals)] | ||
| #![feature(alloc_error_handler)] | ||
| #![feature(alloc_layout_extra)] |
There was a problem hiding this comment.
I don't necessarily mind sorting the features here (though it might cause unnecessary merge conflicts), but these ones specifically were already sorted correctly. The _ comes before a.
There was a problem hiding this comment.
Ah, probably a locale thing:
$ LANG=C sort thing
#![feature(alloc_error_handler)]
#![feature(alloc_layout_extra)]
#![feature(allocator_api)]
#![feature(allocator_internals)]
$ LANG=en_GB.UTF-8 sort thing
#![feature(allocator_api)]
#![feature(allocator_internals)]
#![feature(alloc_error_handler)]
#![feature(alloc_layout_extra)]
rustfmt uses the first one for imports though, so let's follow that one.
nagisa
force-pushed
the
nagisa/rt-soundness
branch
from
ba87c46 to
52a6701
Compare
|
@bors r+ |
bors
added
the
S-waiting-on-bors
|
⌛ Testing commit 9c9a0da with merge 400e7a1735c8350220fb96f51959d155c13eaabe... |
|
💔 Test failed - checks-actions |
bors
added
S-waiting-on-review
|
Looks like a timeout in communication with the builders. @bors retry |
bors
added
S-waiting-on-bors
|
☀️ Test successful - checks-actions |
Tested on commit rust-lang/rust@6b354a1. Direct link to PR: <rust-lang/rust#86034> 💔 miri on windows: test-pass → test-fail (cc @oli-obk @eddyb @RalfJung). 💔 miri on linux: test-pass → test-fail (cc @oli-obk @eddyb @RalfJung).
ghost
mentioned this pull request
Update backtraces (rust-lang/rust#86034 changed them.) cc rust-lang/rust#86474
|
While doing performance triage, I noticed a number of rustc benchmarks regressing their max-rss immediately after this PR: token-stream-stress by up to 10%, and many others in the 4% to 6% range. @nagisa , Was this an expected outcome here? Do you have a hypothesis as to what might have caused it? |
|
I can't say it was expected. If I were to guess, it'd be because of different codegen unit distribution, perhaps. |
|
Yes, looking at the self profile results for the regressed benchmarks all have 1-2 additional LLVM modules being codegen'd. A simple Put up #88988 with a potential fix. |
|
Per results in #88988, that indeed seems to be sufficient to resolve the extra work this added. Spot checking a few benchmarks it removes the extra LLVM modules getting codegen'd so seems like mostly avoids the extra work introduced by this PR. There's potential followup work here around removing some other extra bits that end up getting codegen'd into "empty main" binaries (e.g., the re-throwing of panics in __rust_begin_short_backtrace around the black_box), but those seem likely to have somewhat diminishing returns and are further work rather than direct fixes for a regression. In the mean time, marking this as triaged. @rustbot label +perf-regression-triaged |
rustbot
added
the
perf-regression-triaged
Avoid codegen for Result::into_ok in lang_start This extra codegen seems to be the cause for the regressions in max-rss on rust-lang#86034. While LLVM will certainly optimize the dead code away, avoiding it's generation in the first place seems good, particularly when it is so simple. rust-lang#86034 produced this [diff](https://gist.github.com/Mark-Simulacrum/95c7599883093af3b960c35ffadf4dab#file-86034-diff) for a simple `fn main() {}`. With this PR, that diff [becomes limited to just a few extra IR instructions](https://gist.github.com/Mark-Simulacrum/95c7599883093af3b960c35ffadf4dab#file-88988-from-pre-diff) -- no extra functions. Note that these are pre-optimization; LLVM surely will eliminate this during optimization. However, that optimization can end up generating more work and bump memory usage, and this eliminates that.
Guard against panic payloads panicking within entrypoints, where it is
UB to do so.
Note that there are a number of tradeoffs to consider. For instance, I
considered guarding against accidental panics inside the
rt::initandrt::cleanupcode as well, as it is not all that obvious these may notpanic, but doing so would mean that we initialize certain thread-local
slots unconditionally, which has its own problems.
Fixes #86030
r? @m-ou-se