-
Notifications
You must be signed in to change notification settings - Fork 300
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
try_ methods to handle capacity overflow #617
base: master
Are you sure you want to change the base?
Conversation
Thanks for the PR! I wouldn't deprecate the methods, just like the methods on |
@seanmonstar The problem is that it's pretty easy to trigger panic through external HTTP call. The max value is very small, so in my opinion, code should be considered vulnerable, and it's just unsafe to use non-failable methods. When max value is 64 or 32 bits, it becomes too hard to expose it through the network. |
I'd vote for deprecation as well, because |
I appreciate the reasoning, but I still feel it should not be deprecated.
What I mentioned in the original issue would be fair: add a section |
The main difference with std containers is that their limitations are only memory allocator and the amount of memory managed by OS. This leads to an inability to detect if allocation fails at the moment. With modern 64-bit systems and typically enough memory, we don't need to think much about allocation failures. So standard containers won't panic, they may lead to OOM termination.
Yes, if it's not an attack. I don't think optimizing for happy-path scenarios is a good idea for such a fundamental library
it's good that hyper has this limit for HTTP/1, but I think
For sure, I didn't mean rust |
I do appreciate the desire to make things "safer" for more people. While I still don't agree with the arguments, how about this: you could separate the contribution into two steps. There's no disagreement about adding the The second part, deprecating the other methods, can be separated into an issue, to have the discussion. That way, the first part is available to people more quickly. What do you think? |
Ok. I'll do it. Please check the issue from chrono, where a similar panicking design was used - chronotope/chrono#815. The author did a good job describing why using panicking operations is not a good option. Let's continue the discussion in a separate PR.
Actually, there are not many options. I started with a few functions with assertions on |
1066bcf
to
54a1525
Compare
hi @seanmonstar, could you please review it? |
@seanmonstar is there anything else to address in this PR? |
Sorry, just gave CI another run. |
/// This method differs from `reserve` by allowing types that may not be | ||
/// valid `HeaderName`s to passed as the key (such as `String`). If they | ||
/// do not parse as a valid `HeaderName`, this returns an | ||
/// `InvalidHeaderName` error. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This error message looks like it was meant for a different method :)
/// | ||
/// It may return `MaxSizeReached` error if size exceeds the maximum | ||
/// `HeaderMap` capacity | ||
pub fn try_entry<K>(&mut self, key: K) -> Result<Entry<'_, T>, Error> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh I just realized this changes the type of the returned error, which is a breaking change. We could include the change as part of the bump to 1.0, but not as a patch to the 0.2.x branch.
danger: danger, | ||
}) | ||
) | ||
self.try_reserve_one()?; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Huh, re-reading the implementation, this surprised me. It seems like entry()
isn't meant to allocate, unless you call .or_insert()
. Or if it is, then or_insert()
shouldn't allocate. Either one or the other, but probably not both... Thoughts?
(I know it was this way before, but since we're adding methods to have fallible allocation, I think it makes sense to figure this out before exposing a method that isn't needed.)
I'm sorry I let this slip. I've resolved the merge conflicts, and also a type change that was needed since 1.0 already shipped, and put it in #682. |
This PR keeps old methods for backward compatibility, but deprecates them
PR in hyper - hyperium/hyper#3270
Closes #603