Avoid allocating in pre_exec closure
#109
Conversation
Signed-off-by: Alisa Sireneva <[email protected]>
purplesyringa
force-pushed
the
pre-exec
branch
from
f748ab2 to
031b2f8
Compare
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request correctly addresses a subtle but critical issue with memory allocation within a pre_exec closure, which could lead to deadlocks in a multi-threaded context. The fix is correct and effectively prevents this by using a non-allocating error conversion. My review includes a minor suggestion to improve code clarity and make the intent more explicit.
| Ok(rustix::process::set_parent_process_death_signal(Some( | ||
| rustix::process::Signal::TERM, | ||
| )) | ||
| .map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, e)) | ||
| ))?) |
There was a problem hiding this comment.
While the Ok(...?) pattern works correctly here because the success type is (), it can be a bit subtle. A more direct and idiomatic approach is to use map_err to handle the error conversion explicitly. This makes the intent of the code clearer to future readers.
rustix::process::set_parent_process_death_signal(Some(
rustix::process::Signal::TERM,
))
.map_err(Into::into)There was a problem hiding this comment.
consider: nuh-uh
There was a problem hiding this comment.
I kinda agree with this comment. That ? is carrying an awful lot of weight here, and it's not clear to me what implementation we're going to end up using or if it's going to allocate. A more explicit constructor (more explicit even than what the bot recommended) and comment that we're trying to avoid allocations would also be nice....
|
In balance, since What we really need here is some notion of "this API may allocate" as an annotation/effect on functions, then we could deny those in pre_exec. Or you know...rustix could have an allowlist of functions that are safe to call. Actually also we should try to add this pdeathsig as an extension to |
|
I'd love to see some variation on pdeathsig in I'm not opposed to using |
3 participants
Error::newallocates memory (see rust-lang/rust#148971). This is bad in multi-threaded programs, andcontainers-image-proxy-rsis a library which can be used in such. If the fork occurs while the allocator lock is held by another thread, deadlocks can occur, since there's no one left in the new process to unlock the mutex. I do not believe this is UB, and modern libc offer protections against this issue, but this isn't POSIX-compliant and should preferably be avoided.rustixprovides a non-allocatingimpl From<Errno> for std::io::Error, use it instead. This also ensures the correct error code is forwarded to the parent process, instead of the default-EINVAL.