client_rust
client_rust copied to clipboard
Replace owning_ref
Owning ref is (1) seemingly unmaintained since last commit was 2 years ago and (2) unsound. Something else should probably be used.
True, this issue has popped up here in LibP2P and other crates which uses this prometheus client
Can I work on patching the issue ? @mxinden
The Owning_Ref
library is used at the following files:
Histogram relevant files use this module, they cannot be used due to Security reasons! This needs to be patched where the usage of Owning_Ref is dropped!
In other issues I see this being recommended. Haven't had a chance to look too deeply, but perhaps that is a suitable replacement?
Can I work on patching the issue ? @mxinden
Yes, for sure. Help is very much appreciated.
In other issues I see this being recommended. Haven't had a chance to look too deeply, but perhaps that is a suitable replacement?
Can you tell whether it suffers the same unsoundness issues that owning_ref
does?
We need owning_ref
in wrapper style metrics (e.g. Family
), which internally use a Mutex
though want to give users access to a reference of the underlying wrapped metric (e.g. Counter
). Given that this reference depends on the MutexGuard
, we need to ensure that the MutexGuard
lives long enough, i.e. throughout the lifetime of the reference of the wrapped metric. Without keeping the MutexGuard
alive, we invalidate the properties of the Mutex
itself, namely mutual exclusive access to the wrapped metric.
Thus far owning_ref
offered a way to ship both the MutexGuard
and the reference to the user, thus enforcing the lifetime bound.
Alternative approaches I can see:
- Use
parking_lot
and itsRwLockGuard::map
method. - Take a
FnOnce
to access the wrapped metric, instead of returning a reference to the wrapped metric. - Clone the wrapped metric on each access.
@mxinden I went through the solution parking_lot offers. I am unable to figure out how to deal with the MutexGuardedBuckets
and that is preventing me from fixing the solution. What should I do next?
For the record, fix is released with v0.18.0
.
https://github.com/prometheus/client_rust/pull/80