Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Abort a process when FD ownership is violated #124130

Closed
wants to merge 1 commit into from

Conversation

the8472
Copy link
Member

@the8472 the8472 commented Apr 18, 2024

When an EBADF happens then something else already touched an FD in ways it is not allowed to. At that point things can already be arbitrarily bad, e.g. clobbered mmaps. Recovery is not possible.
All we can do is hasten the fire.

It could help with the investigation in #124105. Currently only Drop for Dir panics while OwnedFd closes silently. If we make OwnedFd fail loudly too then it should tell us whether the bug is specific to Dir or there's more general FD-clobbering going on.

When an EBADF happens then something else already touched an FD in ways it is not allowed to.
At that point things can already be arbitrarily bad, e.g. clobbered mmaps.
Recovery is not possible.
All we can do is hasten the fire.
@rustbot
Copy link
Collaborator

rustbot commented Apr 18, 2024

r? @cuviper

rustbot has assigned @cuviper.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Apr 18, 2024
@workingjubilee
Copy link
Member

@the8472 Does rtabort hit the panic handler? I forget. It would be preferable I think for us to make sure this actually triggers whatever Zed's crash reporting is. @ConradIrwin, does Zed use a panic handler for collecting the crash report, or another process, or...?

@ConradIrwin
Copy link

Thanks! We'll be able to see these as we listen for both rust panics in-process, and also pull in macOS crash reports (as described here https://github.com/zed-industries/zed/blob/main/docs/src/developing_zed__debugging_crashes.md)

@the8472
Copy link
Member Author

the8472 commented Apr 18, 2024

rtabort! writes to stderr and then hits libc::abort, it does not invoke the panic handler.

@ConradIrwin
Copy link

Well, we'll see the abort and be able to infer from the stack trace, but we don't ship stderr.

@workingjubilee
Copy link
Member

Is there a way to say "run the panic handler, then just die instead of unwinding"? I think there is, isn't there?

@workingjubilee
Copy link
Member

( I think I mean panic hook. )

@the8472
Copy link
Member Author

the8472 commented Apr 18, 2024

Alas, FUSE can inject EBADF so it's not a good idea to tear down the process in response to that, even if that's very questionable behavior by the filesystem.

@the8472
Copy link
Member Author

the8472 commented Apr 20, 2024

new PR: #124210

matthiaskrgr added a commit to matthiaskrgr/rust that referenced this pull request Apr 27, 2024
… r=Mark-Simulacrum

Abort a process when FD ownership is violated

When an owned FD has already been closed before it's dropped that means something else touched an FD in ways it is not allowed to. At that point things can already be arbitrarily bad, e.g. clobbered mmaps. Recovery is not possible.
All we can do is hasten the fire.

Unlike the previous attempt in rust-lang#124130 this shouldn't suffer from the possibility that FUSE filesystems can return arbitrary errors.
bors added a commit to rust-lang-ci/rust that referenced this pull request Apr 28, 2024
…=Mark-Simulacrum

Abort a process when FD ownership is violated

When an owned FD has already been closed before it's dropped that means something else touched an FD in ways it is not allowed to. At that point things can already be arbitrarily bad, e.g. clobbered mmaps. Recovery is not possible.
All we can do is hasten the fire.

Unlike the previous attempt in rust-lang#124130 this shouldn't suffer from the possibility that FUSE filesystems can return arbitrary errors.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants