Destructor bomb #22
Destructor bomb #22
Conversation
|
It may be possible to avoid using the extra bool field by prematurely running drop (manually) in This means we would have to do the following in fn close(mut self) {
// create some dummy values to place inside
// this is safe because nobody will read these
let mut sender = unsafe { mem::uninitialized() };
let mut receiver = unsafe { mem::uninitialized() };
// extract the internal sender/receiver so that we can drop them
mem::swap(&mut self.0, &mut sender);
mem::swap(&mut self.1, &mut receiver);
drop(sender);drop(receiver); // drop them
mem::forget(self); // Ensure destructors don't run
}The implementation of Sadly, we cannot move out of types implementing destructors, otherwise the above impl could just destructure and drop the components. Instead, we have to do some trickery. |
|
That is certainly another possibility. It keeps the Chan implementation simple, but perhaps your implementation of |
|
Just leave an elaborate comment and it should be fine. It's not inefficient; we do the same thing |
|
Cool. Do you wanna do a PR? |
The documentation tests were not correctly closing all of their channels, and with the newly introduced destructor bombs they fail horribly. This fixes the tests, but the result turns out to be exceptionally ugly, and we should definitely try to come up with some better examples that showcase the `chan_select!` macros without being horribly verbose about closing channels. cc: @laumann
Manishearth
force-pushed
the
destructo-bomb
branch
from
a1a63b7 to
20d8d68
Compare
|
Updated this one |
|
Before we merge this, I think we should make sure that it wont hinder @laumann's port of Servo too much (https://github.com/laumann/servo/tree/session-types). Obviously, destructor-bombs like these shouldn't have an impact on correctly designed programs, but because the Servo port is the main use case of this library so far, it'd be nice to actually see it work before we merge. |
|
In the Servo code I've taken great pains to properly close channels (and have considered it an error when this didn't happen). EDIT: But yes, I agree that it would be nice to see it working before we go all in... |
|
That can't stop the destructor from running. Moving it to compile time requires linear types, which Rust doesn't have (not counting humpty_dumpty, which is an approximation) |
|
The thing is, even with a protocol-complete marker, you can't force folks to reach that marker in highly concurrent code (we can't just wrap it in a function like above because the protocol may be enacted over many steps via structs and stuff, and branch off). |
|
Hi @setir, thanks for contributing 😄 That is definitely an interesting idea, and one that was somewhat suggested at our recent presentation of the library at WGP. As I understand it, your idea is somewhat similar to having a function like the following fn start_session<P: HasDual>(Fn(P) -> Eps, Fn(P::Dual) -> Eps)instead of the I agree that this would ensure that both protocols run to completion, but I believe the lack of flexibility would cause some problems for us. For instance, It would become much harder to set up more complex communication networks: How would you set up a network consisting of three processes all talking to each other using only |
|
@laumann: Let's merge this as well, shall we? |
Introduce destructor-bombs to improve the (runtime) safety of the library.