Warn about safety of fetch_update
#101774
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @m-ou-se (or someone else) soon. Please see the contribution instructions for more information. |
rustbot
added
the
T-libs
|
Hey! It looks like you've submitted a new PR for the library teams! If this PR contains changes to any Examples of
|
rust-highfive
added
the
S-waiting-on-review
mcol
reviewed
Sep 14, 2022
Specifically as it relates to the ABA problem.
Riolku
force-pushed
the
atomic-update-aba
branch
from
fe1a2f3 to
3d28a1a
Compare
|
Thanks! @bors r+ |
bors
added
S-waiting-on-bors
Dylan-DPC
added a commit
to Dylan-DPC/rust
that referenced
this pull request
Oct 11, 2022
Warn about safety of `fetch_update`
Specifically as it relates to the ABA problem.
`fetch_update` is a useful function, and one that isn't provided by, say, C++. However, this does mean the function is magic. It is implemented in terms of `compare_exchange_weak`, and in particular, suffers from the ABA problem. See the following code, which is a naive implementation of `pop` in a lock-free queue:
```rust
fn pop(&self) -> Option<i32> {
self.front.fetch_update(Ordering::Relaxed, Ordering::Acquire, |front| {
if front == ptr::null_mut() {
None
}
else {
Some(unsafe { (*front).next })
}
}.ok()
}
```
This code is unsound if called from multiple threads because of the ABA problem. Specifically, suppose nodes are allocated with `Box`. Suppose the following sequence happens:
```
Initial: Queue is X -> Y.
Thread A: Starts popping, is pre-empted.
Thread B: Pops successfully, twice, leaving the queue empty.
Thread C: Pushes, and `Box` returns X (very common for allocators)
Thread A: Wakes up, sees the head is still X, and stores Y as the new head.
```
But `Y` is deallocated. This is undefined behaviour.
Adding a note about this problem to `fetch_update` should hopefully prevent users from being misled, and also, a link to this common problem is, in my opinion, an improvement to our docs on atomics.
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Oct 11, 2022
…iaskrgr Rollup of 11 pull requests Successful merges: - rust-lang#100387 (Check uniqueness of impl items by trait item when applicable.) - rust-lang#101727 (Stabilize map_first_last) - rust-lang#101774 (Warn about safety of `fetch_update`) - rust-lang#102227 (fs::get_path solarish version.) - rust-lang#102445 (Add `is_empty()` method to `core::ffi::CStr`.) - rust-lang#102612 (Migrate `codegen_ssa` to diagnostics structs - [Part 1]) - rust-lang#102685 (Interpret EH actions properly) - rust-lang#102869 (Add basename and dirname aliases) - rust-lang#102889 (rustc_hir: Less error-prone methods for accessing `PartialRes` resolution) - rust-lang#102893 (Fix ICE rust-lang#102878) - rust-lang#102912 (:arrow_up: rust-analyzer) Failed merges: r? `@ghost` `@rustbot` modify labels: rollup
Aaron1011
pushed a commit
to Aaron1011/rust
that referenced
this pull request
Jan 6, 2023
…iaskrgr Rollup of 11 pull requests Successful merges: - rust-lang#100387 (Check uniqueness of impl items by trait item when applicable.) - rust-lang#101727 (Stabilize map_first_last) - rust-lang#101774 (Warn about safety of `fetch_update`) - rust-lang#102227 (fs::get_path solarish version.) - rust-lang#102445 (Add `is_empty()` method to `core::ffi::CStr`.) - rust-lang#102612 (Migrate `codegen_ssa` to diagnostics structs - [Part 1]) - rust-lang#102685 (Interpret EH actions properly) - rust-lang#102869 (Add basename and dirname aliases) - rust-lang#102889 (rustc_hir: Less error-prone methods for accessing `PartialRes` resolution) - rust-lang#102893 (Fix ICE rust-lang#102878) - rust-lang#102912 (:arrow_up: rust-analyzer) Failed merges: r? `@ghost` `@rustbot` modify labels: rollup
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Specifically as it relates to the ABA problem.
fetch_updateis a useful function, and one that isn't provided by, say, C++. However, this does not mean the function is magic. It is implemented in terms ofcompare_exchange_weak, and in particular, suffers from the ABA problem. See the following code, which is a naive implementation ofpopin a lock-free queue:This code is unsound if called from multiple threads because of the ABA problem. Specifically, suppose nodes are allocated with
Box. Suppose the following sequence happens:But
Yis deallocated. This is undefined behaviour.Adding a note about this problem to
fetch_updateshould hopefully prevent users from being misled, and also, a link to this common problem is, in my opinion, an improvement to our docs on atomics.