Audit smol #83

Open
8573 opened this issue Sep 25, 2023 · 1 comment

Comments

@8573
Contributor

8573 commented Sep 25, 2023

the upcoming dramatically simpler runtime, smol

...is still not nearly as popular as Tokio, but it does get 210k downloads per month by Lib.rs's count.

They are preparing to cut a 2.0 release.

Of its constituent crates,

  • these forbid unsafe code: smol, async-channel, async-net, blocking; and
  • these use unsafe code: async-executor, async-fs, async-io, async-lock, async-process, async-task, futures-lite, polling.
notgull added a commit to smol-rs/async-fs that referenced this issue Sep 26, 2023
This is a breaking change, but I think it's justified for two reasons:

- It removes all unsafe code from this crate.
- FromRawFd is superseded by From<OwnedFd>

cc rust-secure-code/safety-dance#83

Signed-off-by: John Nunley <[email protected]>
@notgull

notgull commented Sep 26, 2023

To summarize:

  • async-executor uses two lines of unsafe code, both of which are extensively checked via preconditions in async-task
  • async-fs has two lines of unsafe that are mostly vestigial in the post-I/O-safety world; I've removed them in "Remove FromRawFd/Handle implementations" (smol-rs/async-fs#26)
  • async-io's unsafety mostly comes from wrapping polling's new IO-Safe interface.
  • async-lock's unsafety comes from implementing locks. In theory these could just be wrappers around spin and friends; in practice it would mean losing features and adding an unneeded dependency. So the unsafe here is justified, I think. It could still use a once-over.
  • async-process is on the track to be forbid(unsafe_code) after the new async-io update.
  • async-task was previously audited.
  • futures-lite only has one line of unsafe code, for pinning futures to the stack.
  • polling is mostly just a wrapper around the system polling APIs, save for the IOCP and poll() backends.

If you need any help, please use me as a resource! I'm most available at the mailbox [email protected]

notgull added a commit to smol-rs/async-fs that referenced this issue Sep 27, 2023
This is a breaking change, but I think it's justified for two reasons:

- It removes all unsafe code from this crate.
- FromRawFd is superseded by From<OwnedFd>

cc rust-secure-code/safety-dance#83

Signed-off-by: John Nunley <[email protected]>