WIP: Convert actix-service to use RefCell instead of UnsafeCell #113
Conversation
FYI, just submitted an issue about the Windows mingw build: numworks/setup-msys2#29
Disabled mingw builders temporarily on master.
I'm good with this approach. Might be nice to encapsulate this module elsewhere if we do decide to go this way.
Looks good! I like the abstraction of
This not only removes unsafe code, this is also an important soundness fix. Is there anything that's holding up the merge? It'd be nice to get this landed and released sooner rather than later. The approach looks good to me.
It's still in draft and needs some perf measurements done so we can know the impact of any regression. Also, my focus is on v3 release blockers, which this isn't. It could be a patch release later.
Sorry for the delay on this, I was dragged into some other work, but will try to push this further next week.
No. The commit message merely reads "add custom cell". I suspect the reason was performance: I believe it is possible to increment one counter instead of two on every access, if you place certain additional restrictions on the usage patterns. I believe this was the intent, although I cannot know for sure. I do not expect this to have any meaningful effect on performance outside of microbenchmarks. The counters are not atomic and are placed on the same L1 cache line. The cost of performing two increments instead of one should be so trivial as not to be worth considering compared to even an L2 cache access. Or that's the theory, at least.
Codecov Report
Coverage diff, master vs #113:

                 master    #113      +/-
  Coverage       61.59%    61.73%    +0.14%
  Files          80        81        +1
  Lines          5028      5070      +42
  Hits           3097      3130      +33
  Misses         1931      1940      +9
@dunnock this looks complete to me, any reason to keep this in draft? This fixes a long-standing memory safety issue that allows obtaining several mutable references to the same data and getting arbitrary memory corruption from there (PoC that fails MIRI). Moreover, benchmarks demonstrating lack of performance impact are included. I'm surprised that 6 months later this is still not merged.
Adding this to the v3 blockers list so I don't forget about it again.
Last time I tried to convert, a week ago, I ran into issues with:

```rust
let mut b = b.get_mut();
let fut = (&mut b.2)(res, &mut b.1);
```

Probably will need to split that tuple in the first place...
There is a simpler patch to fix the soundness holes that replaces all occurrences of Actix cell with Any reason not to go with that right now to fix the memory issue? We can always think of a fancier solution later.
Closing this since #158 merged. Appreciate everyone's input on this important fix.
Cool, thanks for taking the lead on this!
Hi, this is the first PoC implementation, for gathering feedback to make sure I am on the right path.
For a smooth conversion I have added AXCell, which is similar to the former Cell but uses RefCell under the hood. I have also added a couple of concurrency tests, with delays on the first and second service, to validate that there are no two simultaneous mutable borrows, which would lead to a panic with RefCell.
By the benchmarks, the pipeline with the new AndThen performs similarly to the UnsafeCell baseline implementation:
Please let me know if using this approach is OK.