-
Notifications
You must be signed in to change notification settings - Fork 119
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make the VTab interface safe #416
Open
sourcefrog
wants to merge
13
commits into
duckdb:main
Choose a base branch
from
sourcefrog:safe-vtab
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This will prevent the macro generating a warning in edition 2024
Contrary to the previous docs, the instances passed to these functions are *not* initialized by the caller. Rather, the called function is responsible for writing into uninitialized memory.
Rather than passing a pointer to a block of uninitialized memory, which can easily lead to UB, these functions now just return Rust objects. This improves duckdb#414 by reducing the amount of unsafe code needed from extensions.
BindInfo and InitInfo will be dropped in the usual way when freed by duckdb core. Any necessary destructors can be in Drop impls.
It's not completely clear but it looks like the engine could run the table fn from multiple threads, so requiring this seems safer
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
With this PR, simple table function extensions no longer need any unsafe code, and so are easier to implement and less likely to crash the process.
This partially solves #414.
I have not yet converted every interface to be safe, but if you like the general approach then I could go on to update everything in
crates/duckdb/src/vtab/function.rs
.This is an API break for Rust extensions. In my opinion it's worth it because the existing API is easy to misuse and it would be better for callers to use a safe interface. It would not be impossible to preserve the existing unsafe interface, but I think it would leave a fair amount of complexity both in the implementation and in the user-facing API.
Rather than passing a pointer to a block of uninitialized memory, which can easily lead to UB, the setup functions now just return Rust objects.
The
Free
trait is no longer required, as the Rust type will now just be dropped. If extensions want custom behavior on drop, such as closing a connection, they can do that fromimpl Drop
.It looks like the core DuckDB engine will, in at least some cases, run the table function from multiple threads, so to make that safe I've made the references always shareable. Extensions can use mutexes or atomic types internally as desired.
This builds on and goes further than #415.