[R] Fix memory safety issues

[david-cortes]

fixes #7246
ref #9810
ref #9817

This PR fixes some remaining memory safety issues:

• Allocations from R interleaved with allocations from C++ that could leave leaked objects in case of R failures.
• Lengths using a type of insufficient width that might overflow.

[david-cortes]

Added them under the namespace that was introduced in #9816 to make a difference w.r.t. the exported functions. Not sure why they would need to have [[nodiscard]] though.

[trivialfis]

Thank you for the work on fixing the memory safety issue and demonstrating how to properly work with R in C. Left some comments in the hope that we can make the code easier to understand for new comers.

[trivialfis]

Unrelated to this PR. We will probably need to convert the indexing for tree dump into 1-based in the future.

[trivialfis]

Really appreciate it if you could help add some references and documents for R unwinding with C++. I found your comments in the LGBM issue, which is helpful for providing context. I have some familiarity with continuation-passing, but still trying to wrap my head around how this works.

https://cran.r-project.org/doc/manuals/r-patched/R-exts.html#Condition-handling-and-cleanup-code-1

[david-cortes]

That's the only documentation there is.

In case it helps: when a failure occurs, the long jump is triggered from the line that calls R_ContinueUnwind. By that point, all the C++ objects will have been destructed, since that line passes through the 'try' block. Upon throwing an R error, all the R allocations that happened during the .Call part are freed.

Simpler example of this usage can be found here: https://github.com/david-cortes/unwindprotect

[trivialfis]

Thank you for the explanation and the example usage. This has been most helpful.

[trivialfis]

seems unrelated once #9824 is merged. I will skip this part of review.

[david-cortes]

Forgot to mention: one is not supposed to call R C functions in parallel from different threads. It might not be a problem with regular objects, but for altrep'd classes a call to INTEGER could potentially trigger an R allocation.

[trivialfis]

would be great if there's a utility function/class that does this. But the longjmp and macros complicate things and I'm not sure if the following code is actually safe.

class SafeRasChar {
   std::int32_t cnt_{0}
  public:
    SEXP AsChar(SEXP str) {
        auto exp = PROTECT(Rf_asChar(str));
        cnt_ ++;
    }
    ~SafeRasChar () {
        UNPROTECT(cnt_);
    }
};

[david-cortes]

Yes, that's also an option, but be aware that it doesn't play along with rchk: kalibera/rchk#27

Since it seems rchk is not used in the CI jobs, maybe that's a good idea. I know DuckDB for example uses this type of pattern in their R interface.

[trivialfis]

but be aware that it doesn't play along with rchk

Thanks for the reference. Let's not complicate the cran submit process. ;-)

[trivialfis]

See the previous comment for a utility class.

[david-cortes]

Regarding your other comment:

Is it possible to return errors in a more linear fashion?

It would require modifying the macros R_API_BEGIN, R_API_END, CHECK_CALL; and then modifying functions to be mindful of whether they put objects before/after those. I guess that's more work than the current code here, but an example of how it could work otherwise can be found in lightgbm: https://github.com/microsoft/LightGBM/blob/master/R-package/src/lightgbm_R.cpp

If you want an easier and safer way, there's also Rcpp::exception, Rcpp::unwindProtect, etc. but that would involve having Rcpp as a dependency.

[david-cortes]

Then, there's also the possibility of passing R allocator functions to C++ functions, but this is perhaps a lot more involved and harder to remember:
https://cran.r-project.org/doc/manuals/r-release/R-exts.html#Memory-allocation

[david-cortes]

@trivialfis It looks like the CUDA job uses R 3.3, which is very old so doesn't have the unwind protection that was introduced in R 3.5, for example. Could you update those to R >= 4.3 for this and the following PRs?

[trivialfis]

Could you update those to R >= 4.3 for this and the following PRs?

I have merged the update into this branch and the test build has passed.