We have reports of runtime panics (linkerd/linkerd2#7748) that sound a
lot like rust-lang/rust#86470. We don't have any evidence that these
panics originate in h2, but there is one use of Instant::sub that
could panic in this way.
Even though this is almost definitely a bug in Rust, it seems most
prudent to actively avoid the uses of Instant that are prone to this
bug. These fixes should ultimately be made in the standard library, but
this change lets us avoid this problem while we wait for those fixes.
This change replaces uses of Instant::elapsed and Instant::sub with
calls to Instant::saturating_duration_since to prevent this class of
panic.
We have reports of runtime panics (linkerd/linkerd2#7748) that sound a lot like rust-lang/rust#86470. We don't have any evidence that these panics originate in h2, but there is one use of
Instant::subthat could panic in this way.Even though this is almost definitely a bug in Rust, it seems most prudent to actively avoid the uses of
Instantthat are prone to this bug. These fixes should ultimately be made in the standard library, but this change lets us avoid this problem while we wait for those fixes.This change replaces uses of
Instant::elapsedandInstant::subwith calls toInstant::saturating_duration_sinceto prevent this class of panic.See also hyperium/hyper#2746