Add discussion that concurrent access to the environment is unsafe #116888
Conversation
|
(rustbot has picked a reviewer for you, use r? to override) |
rustbot
added
S-waiting-on-review
This comment has been minimized.
This comment has been minimized.
The bug report rust-lang#27970 has existed for 8 years, the actual bug dates back to Rust pre-1.0. I documented it since it's in the interest of the user to be aware of it. The note can be removed once rust-lang#27970 is fixed.
library/std/src/env.rs
Outdated
| /// behavior, for example in combination with DNS lookups from | ||
| /// [`std::net::ToSocketAddrs`]. This is a bug | ||
| /// ([rust#27970](https://github.com/rust-lang/rust/issues/27970)) and will be | ||
| /// fixed in a future version of Rust. Additionally, extra care needs to be |
There was a problem hiding this comment.
this makes it sound like rust will fix the concurrent access problem, but it cannot. it should say that this function will probably become unsafe in the future.
There was a problem hiding this comment.
It also seems to me that get_var has the same problems, right? It's reading data that might be changed by concurrent C code.
There was a problem hiding this comment.
Since getenv is usually considered safe in a multithreaded C environment, but setenv/putenv is not, I do not think that it requires an extra note.
There was a problem hiding this comment.
Yeah, C code designed for multithreaded use will almost never write to the env.
library/std/src/env.rs
Outdated
| /// taken when auditing calls to unsafe external FFI functions to ensure that | ||
| /// any external environment accesses are properly synchronized with accesses | ||
| /// in Rust. Since Rust does not expose its environment lock directly, this | ||
| /// means that all accesses to the environment must go through Rust's [`var`]. |
There was a problem hiding this comment.
This is requesting something impossible in most cases. I'm not sure that's reasonable.
There was a problem hiding this comment.
Do you have a suggestion what to write there?
Yes, it's unreasonable, but that's the current state of the function AFAICT.
Mark-Simulacrum
added
S-waiting-on-author
|
@rustbot ready |
rustbot
added
S-waiting-on-review
|
@Mark-Simulacrum I don't see any actionable feedback, why is it "waiting-on-author"? |
I think at minimum we need to remove this implication, this isn't directly fixable in a future version of Rust. I'm going to also nominate for T-libs-api -- it's not clear to me if the framing here meets our current thinking. In particular,
My suspicion is that in hindsight these functions should have either not existed or not been safe. i.e., "ought to be safe" isn't accurate here -- usually we do not try to paper over platform unsoundness like this, especially if it's impossible (as is the case here). |
Mark-Simulacrum
added
the
I-libs-api-nominated
|
(It also seems like this is just extending existing documentation -- i.e., the documentation already calls out this is an underlying unsafe API) |
|
We discussed this in the libs-api meeting. What we would like to see happen is that this function gets turned into an unsafe function for the 2024 edition, but on older editions only emits a warning if not inside an As such the documentation should be written as if this was an unsafe function, clearly explaining the pre-conditions that must be upheld:
|
It was also brought up that this isn't quite true currently as the rust standard library calls libc functions that may themselves read from the environment. So either those std functions need to be changed to take the environment lock or else we also need to warn against using std functions that may call out to libc. |
Done. |
|
@bors r+ rollup |
bors
added
S-waiting-on-bors
…iaskrgr Rollup of 3 pull requests Successful merges: - rust-lang#116888 (Add discussion that concurrent access to the environment is unsafe) - rust-lang#118888 (Uplift `TypeAndMut` and `ClosureKind` to `rustc_type_ir`) - rust-lang#118929 (coverage: Tidy up early parts of the instrumentor pass) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#116888 - tbu-:pr_unsafe_env, r=Amanieu Add discussion that concurrent access to the environment is unsafe The bug report rust-lang#27970 has existed for 8 years, the actual bug dates back to Rust pre-1.0. I documented it since it's in the interest of the user to be aware of it. The note can be removed once rust-lang#27970 is fixed.
dtolnay
removed
the
I-libs-api-nominated
|
The suggested wording seems to imply that it is fine to call the functions in this module in parallel if you don't use any other ways to access the environment, presumably because these functions use some way to synchronize their accesses. It would be great if the text was more explicit about whether this is the case or not. |
You must also ensure that you don't call any Rust standard library function that reads from the environment (e.g. You must also not call into any C libraries that might read from the environment. Most C libraries do not document whether or in which functions they access the environment, and it can usually also change from version to version. In that way, you could say that your statement is technically correct. Practically speaking, since you cannot even guarantee what the Rust standard library does, you must only modify the environment variables when you're single-threaded.
I agree, and this is why I suggested removing the lock guarantees from the documentation: #125937. IMO unfortunately, this seems to be rejected. You could add a comment there if you think it's an improvement. |
The bug report #27970 has existed for 8 years, the actual bug dates back to Rust pre-1.0. I documented it since it's in the interest of the user to be aware of it. The note can be removed once #27970 is fixed.