try_ methods to handle capacity overflow #617
Conversation
|
Thanks for the PR! I wouldn't deprecate the methods, just like the methods on |
|
@seanmonstar The problem is that it's pretty easy to trigger panic through external HTTP call. The max value is very small, so in my opinion, code should be considered vulnerable, and it's just unsafe to use non-failable methods. When max value is 64 or 32 bits, it becomes too hard to expose it through the network. |
|
I'd vote for deprecation as well, because |
|
I appreciate the reasoning, but I still feel it should not be deprecated.
What I mentioned in the original issue would be fair: add a section |
|
The main difference with std containers is that their limitations are only memory allocator and the amount of memory managed by OS. This leads to an inability to detect if allocation fails at the moment. With modern 64-bit systems and typically enough memory, we don't need to think much about allocation failures. So standard containers won't panic, they may lead to OOM termination.
Yes, if it's not an attack. I don't think optimizing for happy-path scenarios is a good idea for such a fundamental library
it's good that hyper has this limit for HTTP/1, but I think
For sure, I didn't mean rust |
|
I do appreciate the desire to make things "safer" for more people. While I still don't agree with the arguments, how about this: you could separate the contribution into two steps. There's no disagreement about adding the The second part, deprecating the other methods, can be separated into an issue, to have the discussion. That way, the first part is available to people more quickly. What do you think? |
|
Ok. I'll do it. Please check the issue from chrono, where a similar panicking design was used - chronotope/chrono#815. The author did a good job describing why using panicking operations is not a good option. Let's continue the discussion in a separate PR.
Actually, there are not many options. I started with a few functions with assertions on |
glebpom
force-pushed
the
failable-headers-allocations
branch
from
1066bcf
to
54a1525
Compare
|
hi @seanmonstar, could you please review it? |
|
@seanmonstar is there anything else to address in this PR? |
|
Sorry, just gave CI another run. |
| /// This method differs from `reserve` by allowing types that may not be | ||
| /// valid `HeaderName`s to passed as the key (such as `String`). If they | ||
| /// do not parse as a valid `HeaderName`, this returns an | ||
| /// `InvalidHeaderName` error. |
There was a problem hiding this comment.
This error message looks like it was meant for a different method :)
| /// | ||
| /// It may return `MaxSizeReached` error if size exceeds the maximum | ||
| /// `HeaderMap` capacity | ||
| pub fn try_entry<K>(&mut self, key: K) -> Result<Entry<'_, T>, Error> |
There was a problem hiding this comment.
Oh I just realized this changes the type of the returned error, which is a breaking change. We could include the change as part of the bump to 1.0, but not as a patch to the 0.2.x branch.
| danger: danger, | ||
| }) | ||
| ) | ||
| self.try_reserve_one()?; |
There was a problem hiding this comment.
Huh, re-reading the implementation, this surprised me. It seems like entry() isn't meant to allocate, unless you call .or_insert(). Or if it is, then or_insert() shouldn't allocate. Either one or the other, but probably not both... Thoughts?
(I know it was this way before, but since we're adding methods to have fallible allocation, I think it makes sense to figure this out before exposing a method that isn't needed.)
|
I'm sorry I let this slip. I've resolved the merge conflicts, and also a type change that was needed since 1.0 already shipped, and put it in #682. |
This PR keeps old methods for backward compatibility, but deprecates them
PR in hyper - hyperium/hyper#3270
Closes #603