Is life-before-main / `#[ctor]` safe?

[madsmtm]

Rust does not provide facilities for doing work before fn main(), but we can achieve it anyhow on a lot of platforms using linker tricks and global constructors, as done in ctor, inventory and the standard library itself.

Is this safe to do, or should it require unsafe? If so, what are the safety requirements that one needs to uphold inside a global constructor?

---

In isolation, this feature seems to be safe (?), but one reason to define it as unsafe could be to allow libraries to rely on never being used in a constructor themselves? Consider the following library:

static mut FOO: i32 = 0;

/// Do some "heavy" work to initialize `FOO`.
#[ctor]
fn setup_foo() {
    // SAFETY: `get_foo` is not running at the same time as this constructor, so an unsynchronized write is fine.
    unsafe { FOO = 42 };
}

/// Get the value from `FOO`.
pub fn get_foo() -> NonZero<i32> {
    // SAFETY: The constructor has run before `get_foo`
    let foo = unsafe { FOO };

    // SAFETY: The variable was initialized to a non-zero value.
    unsafe { NonZero::new_unchecked(foo) }
}

The safety comments here rely on:

1. The constructor not executing concurrently with anything else.
2. The constructor executing before get_foo.

But those assumptions are actually false, since the user may write:

#[ctor]
fn user_constructor() {
    std::thread::spawn(|| {
        get_foo();
    });
}

And, depending on linker ordering, user_constructor may be run first (unless we can somehow guarantee that setup_foo runs before user_constructor?), in which case the unsynchronized read+write is not actually okay, and the variable may not actually be initialized to a non-zero value.

The correct way to write it then would be:

static FOO: AtomicI32 = AtomicI32::new(0);

#[ctor]
fn setup_foo() {
    // Must use atomics.
    FOO.store(42, Ordering::Relaxed);
}

pub fn get_foo() -> NonZero<i32> {
    let foo = FOO.load(Ordering::Relaxed);

    // Must check that the variable is actually initialized.
    NonZero::new(foo).unwrap()
}

Though this does decrease the utility of #[ctor] by a fair margin as the performance improvements of using a global constructor decreases, and you'd probably just want to use OnceLock now instead.

One noteworthy tidbit is that when using dynamic libraries (e.g. linking libc or libX11), this is a non-issue, as constructors are executed in libraries first, so any global constructors that a dynamic library has are guaranteed to be executed before any code that depends on that dynamic library.

---

For context, I'm opening this because the ctor crate has made the #[ctor] attribute require unsafe, see mmastrac/rust-ctor#159, but deciding "running code before main is unsafe for xyz reason" is a decision that affects more than just ctor (e.g. it affects inventory as well), so I thought it might be something that t-opsem / the UCG has opinions on?

See also #397.

[RalfJung]

Yeah this area is prone with reentrancy issues. There's a reason that there is no official support for this. It is in the end up to you what you allow to happen inside global constructors and what promises you make to libraries. And it is easy for two crates using the underlying linker-based global ctor mechanism to be incompatible with each other, but there is little we can do about that on the Rust project side - if people reach outside the language to unsupported mechanisms, things may break. (The underlying linker directives are unsafe, right?) It would be a libs-api and a lang question to add official support.

[madsmtm]

It is in the end up to you what you allow to happen inside global constructors and what promises you make to libraries.

I guess part of my question here is "are global constructors unsound"? Stated differently, is there some interaction with the Rust AM or the standard library or similar where global constructors would be a problem? If I were to write an equivalent C function with __attribute__((constructor)), and then make that call a Rust method over FFI, would that be unsound?

The underlying linker directives are unsafe, right?

Yup, #[unsafe(link_section = "...")] (which your RFC made happen ofc ;) ).

[CAD97]

Theoretically, the system calling __attribute__((constructor)) functions would be no different than calling from FFI main. The actual concrete difference, imo, is to ask whether calling the lang start item after making other calls into AM operations is allowed.

My initial instinct would be to say that at the AM level, lang start is just a normal function that gets called by system convention, but that std is allowed to make the assumption that no Rust code is called before that, if it wants to (or IOW that it controls any before main code if it controls main).

[madsmtm]

My initial instinct would be to say that at the AM level, lang start is just a normal function that gets called by system convention

That's my instinct as well.

std is allowed to make the assumption that no Rust code is called before that, if it wants to (or IOW that it controls any before main code if it controls main).

Well, I think that the presence of the std docs on life-before-main in itself is a fairly strong hint that such usage isn't unsound, just likely to break in other ways. But definitely more of a t-libs question, and I should probably open a PR (after we figure out this issue) to document that std doesn't rely on no-code-before-main for soundness.

[mmastrac]

As the author of the ctor crate, I think the answer is very much "it depends". Basic, non-allocating low-level primitives like atomics? Sure. no_std, non-alloc code? Maybe. Can you prove that a given #[ctor] is safe? No — not without some sort of stdlib-level annotation or guarantee.

I do think there’s room for a more "official" feature with explicit stdlib cooperation. Even something as simple as a documented guarantee about which CRT initializer slots the runtime will use would be a meaningful improvement.

I’d genuinely love for this crate to die. Unfortunately, the initialization-ordering problem is extremely hairy, and I don’t see a way to guarantee that any particular use of #[ctor] or any similar API is safe in the general case. Even if I tried to allow-list a handful of APIs, I’d effectively be making policy decisions on behalf of the entire Rust ecosystem, and that’s not a role I want to take on.

What does seem reasonable is for downstream crates to wrap #[ctor] in narrowly-scoped ways that are provably safe for their specific use cases. That, in my view, is the best path toward pushing unsafety out of ctor itself.

[ChrisDenton]

Well, I think that the presence of the std docs on life-before-main in itself is a fairly strong hint that such usage isn't unsound, just likely to break in other ways. But definitely more of a t-libs question, and I should probably open a PR (after we figure out this issue) to document that std doesn't rely on no-code-before-main for soundness.

From the libs perspective, the current docs are the result of the last time this was discussed. In short it's supported on a "best effort basis". That does at least imply life before main can be used soundly.

[VorpalBlade]

Even something as simple as a documented guarantee about which CRT initializer slots the runtime will use would be a meaningful improvement.

@mmastrac This seems to be a Windows specific concept (a platform I know almost nothing about)? How would this work on / translate to ELF based platforms, or on Mac?

Does it make sense to make guarantees that aren't useful in a portable way? Wouldn't it just means those guarantees aren't very useful in practice or actively hinder the portability of crates relying on them.

[mmastrac]

Even something as simple as a documented guarantee about which CRT initializer slots the runtime will use would be a meaningful improvement.

@mmastrac This seems to be a Windows specific concept (a platform I know almost nothing about)? How would this work on / translate to ELF based platforms, or on Mac?

Does it make sense to make guarantees that aren't useful in a portable way? Wouldn't it just means those guarantees aren't very useful in practice or actively hinder the portability of crates relying on them.

Yeah, I used a Windows-ism there as shorthand - sorry. To be clearer, I mean guarantees about ordering in general, using platform-appropriate mechanisms.

For example, on ELF platforms this could be expressed via constructor priorities (e.g. __attribute__((constructor(N))) -> .init_array.N). On macOS the mechanism is different (e.g. __mod_init_func), and it’s admittedly less clear how strong or portable priority guarantees actually are there. †

Even more speculatively, this could take the form of a custom .rust.init.array (or similar) section that the runtime guarantees to execute after stdlib setup but before main, or other linker-script–level schenanigans that provide comparable guarantees (hand-wave gesture).

Some guarantees on some platforms is certainly more valuable than no guarantees at all.

† EDIT: confirmed, dyld doesn't support it (llvm/llvm-project#15363), but custom sections could be an option there.

[ChrisDenton]

I think this discussion is moving into RFC territory. I.e. adding actual support for running code before main and not just allowing third parties to do so.

[madsmtm]

Regardless, even if it was possible to consistently order #[ctor]s, that still wouldn't stop a user from just choosing a higher priority than the library they're using (unless you somehow defined that "priority > 100 requires unsafe" or smth).

I think the answer is very much "it depends". Basic, non-allocating low-level primitives like atomics? Sure. no_std, non-alloc code? Maybe. Can you prove that a given #[ctor] is safe? No — not without some sort of stdlib-level annotation or guarantee.

Hmm, but do you have examples of stuff that cannot be used safely in #[ctor]s? I'm not aware of any myself, and I struggle to imagine cases where soundness issue would occur (correctness issues and confusingness are another problem entirely).

Personally, I'm still not convinced that #[ctor] should be unsafe (or at least not the simpler version that just applies to fns). The user_constructor and the get_foo using atomics I showed above both seem like they're sound (assuming the Rust AM is fine with doing stuff before lang_start).

[ChrisDenton]

This is platform specific behaviour. At the very least it would need to only be provided on systems that are confirmed to be safe. But even then people make safety assumptions about main that #[ctor] can break. For example, that there are no other threads running.

[madsmtm]

Right, std::env::set_var is supposed to be safe to use at the top of main.

[bjorn3]

Even more speculatively, this could take the form of a custom .rust.init.array (or similar) section that the runtime guarantees to execute after stdlib setup but before main, or other linker-script–level schenanigans that provide comparable guarantees (hand-wave gesture).

That is going to be tricky to implement for dylibs.

[mmastrac]

Hmm, but do you have examples of stuff that cannot be used safely in #[ctor]s? I'm not aware of any myself, and I struggle to imagine cases where soundness issue would occur (correctness issues and confusingness are another problem entirely).

I haven't checked if this is the case for ages, but println! was unsound for quite some time. This may have been fixed, but it was the original inspiration for the crate many, many years ago. 😄