Increase TypeId's hash from 64 bits to 128 bits.
#608
Comments
thomcc
added
major-change
|
This issue is not meant to be used for technical discussion. There is a Zulip stream for that. Use this issue to leave procedural comments, such as volunteering to review, indicating that you second the proposal (or third, etc), or raising a concern that you would like to be addressed. cc @rust-lang/compiler @rust-lang/compiler-contributors |
|
@rustbot second |
rustbot
added
the
final-comment-period
|
@rustbot label -final-comment-period +major-change-accepted |
rustbot
added
major-change-accepted
|
this was accepted and is in the process of being implemented+landed |
…apkin Use 128 bits for TypeId hash Preliminary/Draft impl of rust-lang/compiler-team#608 Prior art (probably incomplete list) - rust-lang#75923 - rust-lang#95845
Use 128 bits for TypeId hash Preliminary/Draft impl of rust-lang/compiler-team#608 Prior art (probably incomplete list) - rust-lang/rust#75923 - rust-lang/rust#95845
This is only true if the hash function is designed to be collision resistant. If the hash function is not collision-resistant then you can't infer anything about the probability of collision. Note in particular that SipHash is NOT collision-resistant if the attacker knows the key. |
That presupposes an attacker instead of natural collisions. Afaik malicious inputs are currently outside rustc's threat model. If that ever changes then this can be revisited. |
OK, first, do we agree that the argument about birthday bounds in the initial comment is not sound, at least? The SipHash paper says "We comment that SipHash is not meant to be, and (obviously) is not, collision resistant." No qualifications regarding malicious vs. natural collisions. SipHash wasn't designed to be used as a substitute for equality checks of the full hashed value; it was designed for a very narrow purpose that isn't what TypeId uses it for (AFAICT). I cannot find any claim regarding the "natural" collision resistance of SipHash with a public key, nor do I know a way to distinguish "natural" from "malicious" inputs for collisions.
I do think malicious inputs are necessarily inside a realistic threat model for the Rust toolchain. rustc enforces the fix for CVE-2021-42574, for example. Also, Cargo has removed malicious-looking crates in https://blog.rust-lang.org/inside-rust/2023/09/01/crates-io-malware-postmortem.html. Even without prior history, it is easy to come up with scenarios where TypeId collisions could be detrimental. In summary, we do not know much about the likelihood of TypeId collisions, before or after this change, nor do we have significant evidence that this is an improvement. |
|
Since this MCP is already approved and merged I'd recommend starting a new issue in the rust repo or a zulip thread if you want to have an extended discussion about this. A lot of people are subscribed to this repo and will get unnecessary notifications. |
|
OK, I'll take that to mean you agree that the original argument isn't sound. There is already rust-lang/rust#10389 about the unsoundness of TypeId so there's no need to file a separate issue. |
Proposal
Increase the size of
TypeId's hash from 64 bits to 128 bits.With a 64 bit hash, the probability of collision is 1 in
2^32(due to the birthday bound) -- 1 in roughly 4 billion. This is a number low enough that it seems very likely that some program in the wild has experienced aTypeIdcollision. My suspicion is that the fact that idiomatic Rust does not heavily useTypeIdorAny(at least, in code paths which commonly occur -- it's much more frequently used in error handling) is an explanation for why it has never been detected in the wild.A 128 bit hash increases the probability of collision to 1 in
2^64, which is considerably larger -- 1 in roughly 18 quintillion. This is high enough that its very likely that we could store all types of all compilations of all Rust programs to date without collisions.Note that this approach does not remove the possibility of a collision, just makes it very unlikely. However, it also does not preclude solving this problem in a better way in the future. The goal is just to reduce the likelihood of issues that occur in practice from "could happen" to "almost certainly will not happen". This allows programs and libraries which depends on
Any/TypeIdin their designs to use it with more confidence.(A preliminary/draft implementation is available at rust-lang/rust#109953)
P.S. Not sure if MCP is correct for this. It does seem like a t-compiler implementation detail, rather than something public-facing like an RFC.
Mentors or Reviewers
N/A
Process
The main points of the Major Change Process are as follows:
@rustbot second.-C flag, then full team check-off is required.@rfcbot fcp mergeon either the MCP or the PR.You can read more about Major Change Proposals on forge.
Comments
This issue is not meant to be used for technical discussion. There is a Zulip stream for that. Use this issue to leave procedural comments, such as volunteering to review, indicating that you second the proposal (or third, etc), or raising a concern that you would like to be addressed.
The text was updated successfully, but these errors were encountered: