Comments (17)
Related to this, we should probably also discuss safety of the various constructor methods for Mmap
and MmapMut
in the context of how memory maps interact with Rust's aliasing guarantees, c.f. https://users.rust-lang.org/t/how-unsafe-is-mmap/19635.
TLDR, if I create a unique or shared slice reference, I currently need to ensure via outside means that no other process modifies the underlying file with those changes propagating into my mapping, so that an &[u8]
becomes effectively mutably aliased.
While doing so, we could also stop allowing the missing_safety_doc
Clippy lint.
from memmap2-rs.
Yes, I'm also not sure what should happen when we open the same file twice. On the other hand, all memmap methods are unsafe for a reason.
from memmap2-rs.
You can't use the raw pointers without saying unsafe
. Thus, constructing a MmapRaw
is sound where constructing a Mmap
is not unless the caller can provide the necessary guarantees. It would be possible to make MmapRaw
accessors which provide a safe copying interface (without requiring those guarantees, using unsafe
soundly internally). I'd like a sound, safe mmap interface.
from memmap2-rs.
Hmm... I'm not the one who wrote this docs, so I don't have any comments here either.
I would have to test it myself and if this is true, I guess we can update the docs.
from memmap2-rs.
I agree SIGBUS
is not a memory safety issue. It is a non-safety-related caveat that should be documented. Performance implications of major page faults probably fall in that category also.
Yes, I'm also not sure what should happen when we open the same file twice.
I think it's necessary and sufficient that caller guarantees when creating a Mmap
or MmapMut
that the file isn't changing through any other means—other processes, direct use of this file descriptor (or another pointing to the same inode), or other MmapMut
instances. Then the safe Deref
/DeRefMut
implementations are sound.
On the other hand, all memmap methods are unsafe for a reason.
There are a couple safe ones (correctly, I think):
memmap2::map_anon
is fine because the memory can't change through external meansmemmap2::map_raw
is fine becauseMmapRaw
doesn't construct references.
If there were helpers on MmapRaw
which copied data into/out of the mapping by std::ptr::copy_nonoverlapping
on raw pointers, those could also be safe. They'd never construct a reference to something that can be mutated behind Rust's back. (I think it'd be good to add these and separate MmapRaw
into MmapRaw
+ MmapRawMut
.)
from memmap2-rs.
Honestly, I don't understand why we have MmapRaw
in the first place. All we have to do is to add as_ptr
/as_mut_ptr
to Mmap
/MmapMut
.
@diwic Hi. Could you clarify why you choose to create MmapRaw
instead of adding as_ptr
/as_mut_ptr
to Mmap
/MmapMut
?
from memmap2-rs.
I don't know the history, but I like the idea of being able to use mmap in a purely-safe way, so I like the idea of having ones that don't expose references (instead only having copying functions).
from memmap2-rs.
so I like the idea of having ones that don't expose references
Well, they expose raw pointers, which is also not safe.
from memmap2-rs.
Do I understand correctly, that you're suggesting to mark map_raw
as safe, because it technically safe (raw pointer dereference is up to the user). And map_anon
is safe, because no other process can access it?
from memmap2-rs.
Those already are marked as safe: map_raw, map_anon.
from memmap2-rs.
Ok... I guess I'm starting to understand the issue =)
Would you be interested in making a PR? I bet I will mess it up if I do it myself.
from memmap2-rs.
Sure!
from memmap2-rs.
It would be possible to make MmapRaw accessors which provide a safe copying interface (without requiring those guarantees, using unsafe soundly internally). I'd like a sound, safe mmap interface.
What would you see as the primary benefit of such an interface compared to say using fs::File
with read_at
and write_at
? Personally, I can see reduced system call overhead. Other than that, the point of mmap
appears to be the ability to access file content as if it was process memory and in Rust this seems to imply as a byte slice.
from memmap2-rs.
Yeah, just speed, primarily through reduced system call overhead. I saw an article suggesting userland memcpy
is faster than kernel memcpy
because of SIMD, but I think that's pretty minor in comparison.
from memmap2-rs.
Honestly, I don't understand why we have
MmapRaw
in the first place. All we have to do is to addas_ptr
/as_mut_ptr
toMmap
/MmapMut
.@diwic Hi. Could you clarify why you choose to create
MmapRaw
instead of addingas_ptr
/as_mut_ptr
toMmap
/MmapMut
?
So I use MmapRaw for https://github.com/diwic/shmem-ipc - between untrusted processes. So that means, that the other process could at any time change the data, so creating references at any point is potentially unsound. With Mmap / MmapMut it's extremely easy to create such references, it's just a deref away, the compiler could do it without you thinking about it - e g, the len()
function is only available by first creating a &[u8]
.
That was the reasoning. If you must avoid creating references to the shared data, then Mmap / MmapMut does not have a good API because it makes it too easy to do just that.
from memmap2-rs.
The docs for
MmapRaw::as_ptr()
andMmapRaw::as_mut_ptr()
both say:Safety
To safely dereference this pointer, you need to make sure that the file has not been truncated since the memory map was created.
However, this isn't true in the Rust sense of the word safety: if the file is truncated, the memory mapping itself is not changed. So accessing that memory will simply cause the process to be killed with SIGBUS(1) or equivalent. That's not actually a memory safety issue as no memory will actually be read or written.
To avoid confusion, I think it'd be good to keep this warning, but rename the section to something else and describe why truncation isn't directly a memory safety issue.
Even if that statement is true in Linux, I'm not sure it is correct for all supported platforms. E g, on Windows, it is recommended to use exceptions, and to which degree exceptions are safe or unsafe in Rust is beyond me...
from memmap2-rs.
@diwic Thanks for the explanation. I agree with this decision.
from memmap2-rs.
Related Issues (20)
- Migrate to `safer_owning_ref` HOT 1
- why does memmap2::Mmap::map need to be unsafe? HOT 4
- Implement AsRawFd, IntoRawFd, AsRawHandle, IntoRawHandle and Into<Stdio> for MMap HOT 2
- Composite memory maps currently impossible HOT 7
- mmap'd anon pages fail in io_uring IOSQE_BUFFER_SELECT usage HOT 2
- advise_writes_unsafely_to_part_of_map test fails on powerpc64le-unknown-linux-gnu HOT 2
- error[E0433]: failed to resolve: could not find `Advice` in `memmap2` HOT 1
- PermissionDenied, message: "Access is denied." at remove file after read on Github Action WIndows HOT 2
- Doesn't compile for freebsd HOT 3
- v0.9.2 build failed for android target. HOT 3
- Support for `MS_INVALIDATE`? HOT 8
- libc dependency is too loose HOT 11
- Implementing DerefMut for Mmap? HOT 3
- support non-slice based APIs HOT 2
- MAP_STACK is a no-op on linux HOT 3
- Contributing a migration from rustix to libc HOT 9
- MSRV and edition HOT 5
- Merging changes with memmapix HOT 24
- memmap2 `advise` is unsound HOT 8
- Interest is supporting mbind HOT 10
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from memmap2-rs.