-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
stdlib makes assumptions about errors returned by POSIX functions #94705
Comments
Cc @rust-lang/libs |
In general, we should be bubbling up errors that we can't otherwise handle. In this specific instance where we aren't returning |
@rustbot claim |
…sumption, r=Mark-Simulacrum promot debug_assert to assert Fixes rust-lang#94705
…sumption, r=Mark-Simulacrum promot debug_assert to assert Fixes rust-lang#94705
If someone can confirm if we should update all of these functions (promoting assert_debug to assert) then I'll go ahead and open a PR. |
Yeah I figured this might be a more general problem than just that one example. I think most of them should become unconditional asserts. It would be helpful if the assertion message included errno (or the returned error code for the pthread functions). It might be tempting to ignore failures of These are the special cases I noticed: rust/library/std/src/sys/unix/fs.rs Lines 558 to 559 in b97dc20
closedir() can return EINTR which should be treated like success. EIO is probably possible too from the underlying close() call and should probably be ignored. I think it's worth checking for EBADF (which would indicate an earlier violation of I/O safety). But it might also be fine to ignore all errors here, like File::drop does.
rust/library/std/src/sys/unix/thread.rs Lines 115 to 116 in b97dc20
It probably doesn't matter if sched_yield() fails, since it has no observable effects (and no one should call it anyway).
|
No strong opinion on what to do with them, but if we opt to not change the code for the reasons you mention, we should still add a comment explaining exactly that. |
This should be fixed in #94712 |
That fixes one instance of this problem; #94705 (comment) lists a couple more (and I am not sure if that list is exhaustive). |
#94705 (comment) lists a lot of these assertions, only 2 or 3 have been changed by the PRs so far I think? Not sure the issue is closed. |
Actually a lot of these links are dead. So the next step probably would be to figure out if there are cases of this left in the stdlib where we assume error lists are exhaustive. A quick search did uncover some:
And there are a whole bunch of debug-only assertions without further comment, listing just a few:
This list is by no means exhaustive. |
promote debug_assert to assert when possible and useful This PR fixed a very old issue rust-lang/rust#94705 to clarify and improve the POSIX error checking, and some of the checks are skipped because can have no benefit, but I'm sure that this can open some interesting discussion. Fixes rust-lang/rust#94705 cc: `@tavianator` cc: `@cuviper`
Split off from rust-lang/miri#1981 (comment)
For example, we assume that the return value of
pthread_rwlock_rdlock()
is either 0,EAGAIN
, orEDEADLK
:rust/library/std/src/sys/unix/rwlock.rs
Lines 51 to 54 in ac470e9
And that's kinda what POSIX documents: https://pubs.opengroup.org/onlinepubs/9699919799/functions/pthread_rwlock_rdlock.html
But the thing is, POSIX error sections are not exhaustive: https://pubs.opengroup.org/onlinepubs/9699919799/functions/V2_chap02.html#tag_15_03
And even the docs for that function mention "shall not return an error code of [EINTR]" rather than "shall not return any other error code". So unless there's limits documented elsewhere, I don't think it's sound to assume that there can't be another error code returned from these functions.
CC: @RalfJung
The text was updated successfully, but these errors were encountered: