"Alice Ryhl" <alicer...@google.com> writes: > On Mon, May 05, 2025 at 11:55:33AM +0200, Andreas Hindborg wrote: >> "Alice Ryhl" <alicer...@google.com> writes: >> >> > On Fri, May 02, 2025 at 02:16:35PM +0200, Andreas Hindborg wrote: >> > It would be a use-after-free to >> > access it during module teardown. For example, what if I access this >> > static during its own destructor? Or during the destructor of another >> > module parameter? >> >> Yes, that is a problem. >> >> We can get around it for now by just not calling `free` for now. We only >> support simple types that do not need drop. I think we would have to >> seal the `ModuleParam` trait for this. >> >> For a proper solution, we could >> - Require a token to read the parameter. >> - Synchronize on a module private field and return an option from the >> parameter getter. This would require module exit to run before param >> free. I think this is the case, but I did not check. >> - Use a `Revocable` and revoke the parameter in `free`. >> >> Any other ideas or comments on the outlined solutions? > > I think the simplest you can do right now is > > trait ModuleParam: Copy
Cool 👍 > > so that it can't contain any non-trivial values. That way you don't need > Drop either. > > Long term, I think we need a way to detect whether it's safe to access > module globals. The exact same problem applies to the existing global > for the module itself - except it's worse there because we can't access > that one during init either. Yep. Best regards, Andreas Hindborg
