Skip to content

Commit 559ac5d

Browse files
committed
Issue 122262: MAP_PRIVATE for more reliability on virtualised filesystems.
Adding support of quirky filesystems occuring in virtualised settings not having full POSIX support for memory mapped files. Example: current virtiofs with cache disabled, occuring in Incus/LXD or Kata Containers. Has been hitting various virtualised filesystems since 2016, depending on their levels of maturity at the time. The situation will perhaps improve when virtiofs DAX support patches will have made it into the qemu mainline. On a reliability level, using the MAP_PRIVATE sycall flag instead of the MAP_SHARED syscall flag for the mmap() system call does have some undefined behaviour when the caller update the memory mapping of the mmap()ed file, but MAP_SHARED does allow not only the calling process but other processes to modify the memory mapping. Thus, in the current context, using MAP_PRIVATE copy-on-write is marginally more reliable than MAP_SHARED. This discussion of reliability is orthogonal to the type system enforced safety policy of rust, which does not claim to handle memory modification of memory mapped files triggered through the operating system and not the running rust process.
1 parent 65cd843 commit 559ac5d

File tree

1 file changed

+10
-1
lines changed

1 file changed

+10
-1
lines changed

compiler/rustc_data_structures/src/memmap.rs

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,10 +16,19 @@ impl Mmap {
1616
/// The given file must not be mutated (i.e., not written, not truncated, ...) until the mapping is closed.
1717
///
1818
/// However in practice most callers do not ensure this, so uses of this function are likely unsound.
19+
///
20+
/// The use of map_copy_read_only() is prefered to memmap2::Mmap::map() on the grounds that is
21+
/// uses the syscall flag MAP_PRIVATE instead of MAP_SHARED. Whereas MAP_PRIVATE has an
22+
/// undefined behaviour if the caller updates the mapping, MAP_SHARED allows other processes to
23+
/// update the mapping. MAP_PRIVATE is thus marginally more reliable.
24+
///
25+
/// However, for other reasons, such as virtualised filesystems that have quirks deviating from
26+
/// POSIX, using MAP_PRIVATE asks for less system level guarantees than MAP_SHARED. Thus, allowing
27+
/// rustc to run in such virtualised settings requires dopping MAP_SHARED for MAP_PRIVATE.
1928
#[inline]
2029
pub unsafe fn map(file: File) -> io::Result<Self> {
2130
// Safety: the caller must ensure that this is safe.
22-
unsafe { memmap2::Mmap::map(&file).map(Mmap) }
31+
unsafe { memmap2::MmapOptions::new().map_copy_read_only(&file).map(Mmap) }
2332
}
2433
}
2534

0 commit comments

Comments
 (0)