Issue 122262: MAP_PRIVATE for more reliability on virtualised filesystems.

g-yziquel · g-yziquel · commit 559ac5d71af0 · 2024-03-11T17:30:29.000Z
Adding support of quirky filesystems occuring in virtualised settings not
having full POSIX support for memory mapped files. Example: current virtiofs
with cache disabled, occuring in Incus/LXD or Kata Containers. Has been
hitting various virtualised filesystems since 2016, depending on their levels
of maturity at the time. The situation will perhaps improve when virtiofs DAX
support patches will have made it into the qemu mainline.

On a reliability level, using the MAP_PRIVATE sycall flag instead of the
MAP_SHARED syscall flag for the mmap() system call does have some undefined
behaviour when the caller update the memory mapping of the mmap()ed file, but
MAP_SHARED does allow not only the calling process but other processes to
modify the memory mapping. Thus, in the current context, using MAP_PRIVATE
copy-on-write is marginally more reliable than MAP_SHARED.

This discussion of reliability is orthogonal to the type system enforced safety
policy of rust, which does not claim to handle memory modification of memory
mapped files triggered through the operating system and not the running rust
process.
diff --git a/compiler/rustc_data_structures/src/memmap.rs b/compiler/rustc_data_structures/src/memmap.rs
@@ -16,10 +16,19 @@ impl Mmap {
     /// The given file must not be mutated (i.e., not written, not truncated, ...) until the mapping is closed.
     ///
     /// However in practice most callers do not ensure this, so uses of this function are likely unsound.
+    ///
+    /// The use of map_copy_read_only() is prefered to memmap2::Mmap::map() on the grounds that is
+    /// uses the syscall flag MAP_PRIVATE instead of MAP_SHARED. Whereas MAP_PRIVATE has an
+    /// undefined behaviour if the caller updates the mapping, MAP_SHARED allows other processes to
+    /// update the mapping. MAP_PRIVATE is thus marginally more reliable.
+    ///
+    /// However, for other reasons, such as virtualised filesystems that have quirks deviating from
+    /// POSIX, using MAP_PRIVATE asks for less system level guarantees than MAP_SHARED. Thus, allowing
+    /// rustc to run in such virtualised settings requires dopping MAP_SHARED for MAP_PRIVATE.
     #[inline]
     pub unsafe fn map(file: File) -> io::Result<Self> {
         // Safety: the caller must ensure that this is safe.
-        unsafe { memmap2::Mmap::map(&file).map(Mmap) }
+        unsafe { memmap2::MmapOptions::new().map_copy_read_only(&file).map(Mmap) }
     }
 }
 
