Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Actually mark mmap and related functions as unsafe #559

Merged
merged 3 commits into from
Mar 20, 2017
Merged

Actually mark mmap and related functions as unsafe #559

merged 3 commits into from
Mar 20, 2017

Conversation

kevinmehall
Copy link
Contributor

The nix::sys::mman::mmap documentation says

Calls to mmap are inherently unsafe, so they must be made in an unsafe
block.

however, the function was not actually marked unsafe.

  • munmap should also be unsafe for obvious reasons.
  • madvise should be unsafe because of the MADV_DONTNEED flag.
  • mlock was already marked unsafe
  • munlock and msync don't strictly need to be unsafe despite
    taking pointers AFAICT, but are marked unsafe for consistency and in
    case they add additional flags in the future.

[breaking-change]

@kevinmehall
Actually mark mmap and related functions as unsafe
12d0b2c 
The nix::sys::mman::mmap documentation says

> Calls to mmap are inherently unsafe, so they must be made in an unsafe
block.

however, the function was not actually marked unsafe.

* `munmap` should also be `unsafe` for obvious reasons.
* `madvise` should be `unsafe` because of the MADV_DONTNEED flag.
* `mlock` was already marked `unsafe`
* `munlock` and `msync` don't strictly need to be `unsafe` despite
taking pointers AFAICT, but are marked `unsafe` for consistency and in
case they add additional flags in the future.
@kamalmarhubi
Copy link
Member

Thanks for the PR!

Re mmap and munmap, definitely agree they should be marked unsafe. Also agree madvise should be, as I didn't realise that madvise(MADV_DONTNEED) had this scary behaviour (emphasis mine):

After a successful MADV_DONTNEED operation, the semantics of memory access in the specified region are changed: subsequent accesses of pages in the range will succeed, but will result in either repopulating the memory contents from the up-to-date contents of the underlying mapped file (for shared file mappings, shared anonymous mappings, and shmem-based techniques such as System V shared memory segments) or zero-fill-on-demand pages for anonymous private mappings.

Could you explain why mlock needs to be unsafe? And what kind of things do you imagine could be added to munlock and msync to require marking them unsafe?

@kamalmarhubi
Copy link
Member

Oh and could you add a note to the changelog mentioning these changes? Thanks!

@kevinmehall
Copy link
Contributor Author

mlock was already marked unsafe before this PR (the only unsafe function in the module). I think mlock and munlock should be consistent -- these functions take raw pointers but can't break Rust memory safety with them as far as I can tell. I went with unsafe here, but could go either way.

msync takes a flags argument, and I can't tell what MS_INVALIDATE does well enough to determine whether it's safe. The flags could be expanded in the future to add additional operations that may be designed without Rust semantics in mind.

@kamalmarhubi
Copy link
Member

mlock was already marked unsafe before this PR (the only unsafe function in the module). I think mlock and munlock should be consistent -- these functions take raw pointers but can't break Rust memory safety with them as far as I can tell. I went with unsafe here, but could go either way.

I'd lean towards marking them safe, but maybe unsafe is safer initially. I'm not really all that familiar with semantics of this stuff.

msync takes a flags argument, and I can't tell what MS_INVALIDATE does well enough to determine whether it's safe.

Oh interesting. It sounds as though it could cause unsafety in another program that mapped an overlapping region of the same file. Marking it unsafe for now sounds right. We should ask someone with a better handle on what's considered unsafe / undefined eventually.

@kamalmarhubi
Copy link
Member

Summary: I'd be fine with marking these all as unsafe, since removing unsafe later is not a breaking change.

@kevinmehall
Copy link
Contributor Author

Ok, added a changelog entry.

@kamalmarhubi
Minor edit to changelog
902f281 
Add section headings, commenting out unused ones.
@kamalmarhubi
Copy link
Member

Thanks @kevinmehall!

@homu r+

@homu
Copy link
Contributor

homu commented Mar 19, 2017

📌 Commit 902f281 has been approved by kamalmarhubi

homu added a commit that referenced this pull request Mar 19, 2017
@homu
Auto merge of #559 - kevinmehall:mmap, r=kamalmarhubi
0eef651 
Actually mark mmap and related functions as `unsafe`

The nix::sys::mman::mmap documentation says

> Calls to mmap are inherently unsafe, so they must be made in an unsafe
block.

however, the function was not actually marked unsafe.

* `munmap` should also be `unsafe` for obvious reasons.
* `madvise` should be `unsafe` because of the `MADV_DONTNEED` flag.
* `mlock` was already marked `unsafe`
* `munlock` and `msync` don't strictly need to be `unsafe` despite
taking pointers AFAICT, but are marked `unsafe` for consistency and in
case they add additional flags in the future.

[breaking-change]
@homu
Copy link
Contributor

homu commented Mar 19, 2017

⌛ Testing commit 902f281 with merge 0eef651...

@homu
Copy link
Contributor

homu commented Mar 20, 2017

☀️ Test successful - status

@homu homu merged commit 902f281 into nix-rust:master Mar 20, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kevinmehall @kamalmarhubi @homu