Anyone have good examples of common Rust *runtime* footguns? - ThreadSky

alilleybrinker.com • 35 days ago

Anyone have good examples of common Rust *runtime* footguns?

It's tough because I feel like Rust footguns are "I can't get it to compile" rather than "it compiles and then does something monstrously wrong."

Comments

matheus23.com•34 days ago

Generated async function state machine enums becoming so large they blow the stack. 🥲

I think there have been optimizations that improved this situation in the past year or so. Not sure how much this is still an issue.

alilleybrinker.com•34 days ago

You can of course box-up futures within the state machine, or similarly move data that would be owned by the future up to the heap if that happens. You *do* still control what ends up on the stack in the generated Future type.

matheus23.com•34 days ago

big objects*

matheus23.com•34 days ago

Yeah. The problem with that one was mostly it's really hard to diagnose the issue as a beginner.
My mind went "huh. Endless recursion?" and then "huh but objects on the stack?" but then it ends up being some object the compiler can barely name.

alilleybrinker.com•34 days ago

That's totally fair.

If you're using Tokio as your executor, tokio-console is very useful and can help catch big futures that may be a risk for future stack limit problems. It'll flag futures over a threshold size.

https://github.com/tokio-rs/console

mattkeeter.com•35 days ago

Async cancellation safety is a huge sharp edge that’s underdocumented

mattkeeter.com•35 days ago

To the point where if you ever use a tokio mutex, it’s probably wrong!

jamesmunns.com•35 days ago

How so?

alilleybrinker.com•35 days ago

See: https://sunshowers.io/posts/nextest-process-per-test/#appendix

mattkeeter.com•35 days ago

That's actually a different kind of cancellation; I'm thinking about async cancellation due to futures being dropped.

If you're using a Tokio mutex to maintain invariants, those invariants can be violated if a future is dropped at a yield point while the lock is held.

Here's an example!

jamesmunns.com•35 days ago

Huh, this doesn't read as surprising to me, but it's definitely a trip hazard.

without.boats•34 days ago

This is also true if you early return or panic with any non-poisoning mutex (or a poisoning mutex where you ignore the poison like literally everyone does)

alilleybrinker.com•35 days ago

Aha! To put another way: you should never hold a mutex over an await, but there's no compile check to stop you from doing that? Do I have that right?

piss.beauty•35 days ago

gotta uncapitalize std::Time for it to compile but i see now

licenser.net•34 days ago

Blocking code in async functions that create deadlock (I look at you dashmap 😭, still love the crate)

rseymour.bsky.social•35 days ago

Throwing an IP string without a port into a socketaddr and thinking it will parse(). Ever using unwrap or expect or bracket indexing where you aren’t ready for a panic (obvious)

alilleybrinker.com•35 days ago

Yeah, indexing panicking is one of those decisions where I can absolutely see why they went that way, and also think it was probably wrong. Indexing *should* behave like get().

myrrlyn.net•35 days ago

indexing would have to have been designed with a lot of information we didn’t know until much later for that to work

steveklabnik.com•34 days ago

Also I feel like it would be decent if ? existed and was able to convert to Result, making the ergonomics reasonable

rseymour.bsky.social•34 days ago

Ooh I’d never thought of that syntactic idea

westonpace.bsky.social•35 days ago

Also, large stack allocated objects (I/O buffers, etc.) giving you a stack overflow.

alilleybrinker.com•35 days ago

The challenges with in-place construction also mean it's easy to try to just allocate something on the heap and have it actually start on the stack and... oops, overflow

westonpace.bsky.social•35 days ago

How about using `const COUNTER: AtomicU64` instead of `static COUNTER: AtomicU64`?

alilleybrinker.com•35 days ago

Say more! I haven't hit this one and will admit I use `const` or `static` so rarely I forget their edge cases

westonpace.bsky.social•35 days ago

I wanted a quick and dirty counter during some debugging / profiling. Turns out with `const` the compiler is free to make multiple copies of the variable. So the spots that increment the counter are incrementing one instance and the spots that read the counter were reading another instance.

westonpace.bsky.social•35 days ago

The end result was it was always printing "0" so it didn't take too long to figure out something was off and a quick google search provided the answer (at which point I kicked myself for using const). More a curiosity than a valid annoyance.

alilleybrinker.com•35 days ago

Aha! So it's the "items.const.behavior" rule from the reference: https://doc.rust-lang.org/reference/items/constant-items.html#r-items.const.behavior

westonpace.bsky.social•35 days ago

Yep. That's the one!

qfoiluks.bsky.social•35 days ago

None of the top of my mind.

alice-i-cecile.bsky.social•34 days ago

Array indexing panicking on out of bounds and as casts for integers losing precision are two of my Rust bête noires.

utopia-defer.red•35 days ago

closest i can come up with is server code handling web stuff and even then, that's not really run-time as you mean it, is it

utopia-defer.red•35 days ago

i'm thinking async patterns for accessing a resource/checking auth

alilleybrinker.com•35 days ago

Oho, say more? I'm not generally writing backend server code beyond toy stuff with Axum, so I'm unfamiliar with the challenges

utopia-defer.red•35 days ago

intercepting routes for some request/response, e.g. check a db (or, worse, mutate) and not intelligently managing parallel access to a shared resource.

afaik all the big frameworks are designed to handle this failure mode but i mention it because i think this still counts as a run time footgun?

alilleybrinker.com•35 days ago

Oh yeah for sure, this makes total sense.

I know Dropshot in Rust explicitly *doesn't* do "global handlers" that other frameworks commonly support to do things like this automatically, which is an interesting choice! https://docs.rs/dropshot/latest/dropshot/#what-about-generic-handlers-that-run-on-all-requests

omnisci3nce.bsky.social•34 days ago

This is basically why I chose to use dropshot. It feels way less complex to me to just use plain old functions

piss.beauty•35 days ago

as in, the big frameworks automatically handle coalescing concurrent identical requests? or something else

we have a home rolled solution for this at the moment and I'd love if we didn't need it

alilleybrinker.com•35 days ago

I think he means more like this (https://docs.rs/axum/latest/axum/#sharing-state-with-handlers), managing shared state across request and response in a way that doesn't lock up the thing each request needs (like the database).

I could be wrong though!

chc4.bsky.social•35 days ago

RefCell panics, drop not being guaranteed to run, writing unsafe code in general, no guaranteed TCE? feel like its also usually a surprise to people that rust doesn't prevent deadlocks

alilleybrinker.com•35 days ago

1. RefCell panics; yeah I think people miss that RefCell is "I swear to uphold the borrow checker rules myself" and not an "I can do what I want" card.
2. No "Drop" guarantee": yeah... I still wish Rust could make linear types work

ari.gf•34 days ago

accidentally blocking in async functions, leaking a handle to a tokio task or a thread, async cancellation deadlocks

lpalmieri.com•35 days ago

Mismatched versions of crates that rely on static globals to work correctly.

Opentelemetry is a notorious offender.

jamesmunns.com•35 days ago

I wonder how well advised it would be to have them set the "links" value of cargo to ensure that only one version appears in the dep graph. We do that for some embedded things to avoid spooky issues.

It's a big hammer of a flag though.

im.fckn.gay•35 days ago

Moving all the static globals into a seperate crate would already help quite a lot.

by putting the implementation of the statics alongside a public API of global functions inside of its own crate, you can semver the statics independently. which gets rid of a lot of breakage ime.

lpalmieri.com•34 days ago

I explored the idea in an RFC a while ago: https://github.com/rust-lang/rfcs/pull/3251

alilleybrinker.com•35 days ago

Oho I was familiar with the "we forget to re-export a dependency whose type we publicly rely on" compile-time footgun, but didn't realize there was a runtime flavor with statics.

Oh no

lokathor.bsky.social•34 days ago

if you `no_mangle` the static does it at least avoid accidental multiple versions with a compile/link error?

lpalmieri.com•34 days ago

It's possible, but nobody does it because it's too crude.
See https://github.com/rust-lang/rfcs/pull/3251

elias.sh•34 days ago

Does blocking in Async context count? Like doing blocking I/O inside Tokio runtime

matheus23.com•34 days ago

Now combine this with drop impls. Dropping a UDP socket can block for 1s in some cases we found.

alilleybrinker.com•34 days ago

Yeah, async drop is a difficult problem. I think @without.boats's post "Asynchronous clean-up" from Feb 2024 is quite good for explaining the challenges: https://without.boats/blog/asynchronous-clean-up/

elias.sh•33 days ago

Async in general is hard, when you know what to do and expect, you can watch over common failures. But most people are used to JavaScript or Go and only find out in prod (or in code review if the company has at least one experienced Rust dev)

elias.sh•33 days ago

I was expecting the solution would be to use different libs. But your message makes me think you have to live with it, is it in the std lib? (I imagine you can move the socket to a thread that is allowed to block for the clean up, but still it feels bad)

matheus23.com•33 days ago

It's the libc close call that blocks for this long.
The solution for us was to use spawn_blocking *if* we detect that the current thread is a Tokio runtime thread.

alilleybrinker.com•34 days ago

Yup!

j-shelby-j.bsky.social•33 days ago

A dependency panicking when you assume it never will. Regex crate got me with that.

Casting with “as T” can panic as well.

barretts.club•33 days ago

`as T` requires `T` to be one of these types: https://doc.rust-lang.org/reference/expressions/operator-expr.html#type-cast-expressions

barretts.club•33 days ago

there is no listed path to a panic here. if you're experiencing panics with these limited coercion casts, please report it asap! https://github.com/rust-lang/rust/issues

alilleybrinker.com•33 days ago

Can it? The reference doesn’t appear to document a case where it does, and I don’t recall seeing one when I did my guide to coercions in Rust either. https://doc.rust-lang.org/reference/expressions/operator-expr.html?highlight=Cast#type-cast-expressions

alilleybrinker.com•33 days ago

Coercion guide https://www.possiblerust.com/guide/what-can-coerce-and-where-in-rust

nekotachi.bsky.social•33 days ago

wow this article has adhd

8 paragraph tangent about what it means that rust doesn't have a standard.

alilleybrinker.com•33 days ago

Uh, I wrote the article.

Also, it’s explicitly an aside. It literally says “aside.” You can skip it

nekotachi.bsky.social•33 days ago

Also, I don't mean this as a bad thing, i mean like...

I have adhd and this is something I would do.

Character limit discourages nuance, sorry.

nekotachi.bsky.social•33 days ago

It literally does not say "aside"

nekotachi.bsky.social•33 days ago

I'm pretty sure it can't.

what it *does* do is truncate, which can also be problematic.

Comments

Posting Rules

Reply