Handling OutOfMemory in Write for Vec<u8>

jhorstmann · July 9, 2025, 9:19am

The io::ErrorKind has a variant for OutOfMemory, which is used in some io methods like read_to_end. The impl Write for Vec<u8> does not handle it though, but easily could by replacing reserve with try_reserve. I'm wondering whether that was a conscious decision, or whether a simple PR would be welcome? Or does such change need a more complex process?

latot · July 9, 2025, 3:26pm

Good question! I don't know, but I have some thoughts about it.

The only scenario where it would makes sense is a big vector with a lot of capacity, in most scenarios I think they do not need to be that big, and if you are failing with that could mostly means you don't have enough ram, when linux gets out of RAM/Virtual memory it gets all the system stalled, is a lot safer there crash than try to do something.

Still, do the try_reserve could also be used to panic out of it, but any error could cause the system to collapse.

alice · July 9, 2025, 3:30pm

I don't know whether the PR would be accepted, but the OutOfMemory error is typically used when a syscall returns ENOMEM from a failure to allocate in the kernel. Rust rarely attempts to handle other allocation errors.

latot · July 9, 2025, 3:46pm

that reminds me other thing, maybe connected, a lot of operations works with the assumption they will work.

Like math operations, variable assignation and that things, I also have not seen error handling in that aspects.

I think is because most of error handling is related to algorithms it self, an error in a low level is not something that they usually take care.

The vector case I think is on the middle point, I would like it to use try_reserve, because the use of Heap is on the implementation of Vec, still a gray area.

If we want that level of details, maybe would be better a new set of instructions with that level of security, and probs most operations will be filled as "try_".

Some times is easier to have other app/layer that checks everything is going right.

kingwingfly · July 9, 2025, 4:01pm

This is a tool to check “math operations, variable assignation and that things”. It is so cool and I cannot help to share with you when seeing

latot · July 9, 2025, 4:16pm

I love it! I want to test it rn! I'll open some projects and play with it!

That covers a lot of things!

I think the ones also @jhorstmann means is for example, what happens if you make a sum and for a hardware/kernel/external app it fails the operation at a very low level!

jhorstmann · July 9, 2025, 4:29pm

To clarify my suggestion with pointers to concrete code, BufRead::read_to_end converts a TryReserveError to ErrorKind::OutOfMemory:

    fn read_to_end(&mut self, buf: &mut Vec<u8>) -> io::Result<usize> {
        let inner_buf = self.buffer();
        buf.try_reserve(inner_buf.len())?;
        ...
    }

Vec::write currently does not try, the default allocation error handler would therefore panic.

    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
        self.extend_from_slice(buf);
        Ok(buf.len())
    }

The latter case would actually be much easier to hit, since Write is implemented for Vec with an arbitrary custom allocator (nightly/unstable feature), which might limit the maximum allocation size. So there would be no operating system wide out of memory involved.

kpreid · July 9, 2025, 5:15pm

read_to_end() was changed to report out of memory errors in this PR:

github.com/rust-lang/rust

Handle out of memory errors in io:Read::read_to_end()

master ← kornelski:read-to-oom

opened 02:05AM - 15 Nov 23 UTC

kornelski

+47 -7

#116570 got stuck due to a [procedural confusion](https://github.com/rust-lang/r…ust/pull/116570#issuecomment-1768271068). Retrying so that it can get FCP with the proper team now. cc @joshtriplett @BurntSushi ---- I'd like to propose handling of out-of-memory errors in the default implementation of `io::Read::read_to_end()` and `fs::read()`. These methods create/grow a `Vec` with a size that is external to the program, and could be arbitrarily large. Due to being I/O methods, they can already fail in a variety of ways, in theory even including `ENOMEM` from the OS too, so another failure case should not surprise anyone. While this may not help much Linux with overcommit, it's useful for other platforms like WASM. [Internals thread](https://internals.rust-lang.org/t/io-read-read-to-end-should-handle-oom/19662). I've added documentation that makes it explicit that the OOM handling is a nice-to-have, and not a guarantee of the trait. I haven't changed the implementation of `impl Read for &[u8]` and `VecDeque` out of caution, because in these cases users could assume `read` can't fail. This code uses `try_reserve()` + `extend_from_slice()` which is optimized since #117503.

There was some discussion of whether it makes sense to do this, mostly around whether the behavior should be documented as guaranteed. (It was documented as not guaranteed.) Consulting the meeting notes, I find that there were two previous PRs for Write:

github.com/rust-lang/rust

Handle out of memory error in Vec::write

master ← LenaWil2:vec_write_oom

opened 10:35PM - 14 Mar 20 UTC

LenaWil2

+34 -2

The Vec::write trait has the possibility to return errors, and Vec has the possi…bility to check for allocation errors through the unstable [try_reserve](https://github.com/rust-lang/rust/issues/48043) method. I think that it would be possible for the methods in the write trait to return the out of memory errors to make it possible for the user to handle them. I don't know if the change is big enough to open an issue for, if it's needed, please say so. I'm still new to the Rust STD. Potential issues: - [ ] If unwrap is called on the write, it may panic instead of abort, which is the intended behaviour. * Unless, of course, [`oom=panic`](https://github.com/rust-lang/rfcs/blob/master/text/2116-alloc-me-maybe.md#oompanic). - [ ] [try_reserve](https://github.com/rust-lang/rust/issues/48043) hasn't stabilized yet. - [ ] I didn't know which error to return, since the `Simple` error probably doesn't give enough information, and the `Custom` allocates memory. Solutions for the last problem: 1. Return a `Simple` error. * Problem: probably doesn't give enough information, since errors sometimes get passed around a lot. 2. Return a `Custom` error. * Problem: Allocates memory, which, if it fails, aborts, and makes change useless. 3. Try to allocate and return a `Custom` error, and if it fails, return an `Simple` error. * Problem: Non-deterministic, which you don't want to be as a standard library. 4. Same as 3, but always try to keep at least one pair of the two boxes needed to allocate one `Custom` error in thread local storage. * While slightly more deterministic than 3, it's ugly, still not 100% deterministic, and has a big overhead. 5. Same as 3, but add an `OOM` error to errorkind, so the user can check for this case. * Calling `source` on the error is still non-deterministic, but the user has an consistent way to check for errors. Currently this pull request uses solution 1.

github.com/rust-lang/rust

Use try_reserve and panic in Vec's io::Write

master ← kornelski:oomwrite

opened 12:33PM - 27 Apr 21 UTC

kornelski

+27 -2

`io::Write` is already fallible in principle, so it makes sense to be actually f…allible for `Vec` too. This enables use of fallible allocation for `Vec` without exposing the yet-undecided `TryAllocError`. I've changed original PR from returning `io::Error` to panicking, to de-risk the change for cases where `let _ = vec.write()` may have been used.

From the PR comments there, we find a concern for this that there is not for reading, which is that it would be possible to ignore the error (from a previously infallible function) and thus silently discard data. Thus, any new proposal to return OOM errors would need to address this concern in some way.

jhorstmann · July 9, 2025, 6:24pm

Thanks a lot for finding this previous discussions!

The current situation might be slightly changed, since try_reserve is stable and there is now even an impl From<TryReserveError> for io::Error, but the argument about users explicitly ignoring the result still stands.

Hmm, but I did not see such argument when &[u8]::read_to_end was changed, which was also infallible before.

But given this is easy to solve with a newtype wrapper, I probably won't try to reopen this discussion with another PR.

jdahlstrom · July 9, 2025, 6:31pm

However, you might like to open a discussion on internals.rust-lang.org to gauge interest.

system · October 7, 2025, 6:31pm

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.

Topic		Replies	Views
Using most of a computers memory with a single Vec of unknown size help	3	423	January 12, 2023
How to allocate huge byte array safely	49	7591	January 12, 2023
Vec::with_capacity + read_to_end = overallocation help	13	1353	January 3, 2022
Why vec::push taking extremely long time? help	27	3789	January 12, 2023
Want to create HUGE Vec<_> that fits half the memory: got failAborted help	21	1725	January 12, 2023

Handling OutOfMemory in Write for Vec<u8>

Related topics