67 lines
2.5 KiB
Rust
Raw Normal View History

rustc: Fill out remaining parts of C-unwind ABI This commit intends to fill out some of the remaining pieces of the C-unwind ABI. This has a number of other changes with it though to move this design space forward a bit. Notably contained within here is: * On `panic=unwind`, the `extern "C"` ABI is now considered as "may unwind". This fixes a longstanding soundness issue where if you `panic!()` in an `extern "C"` function defined in Rust that's actually UB because the LLVM representation for the function has the `nounwind` attribute, but then you unwind. * Whether or not a function unwinds now mainly considers the ABI of the function instead of first checking the panic strategy. This fixes a miscompile of `extern "C-unwind"` with `panic=abort` because that ABI can still unwind. * The aborting stub for non-unwinding ABIs with `panic=unwind` has been reimplemented. Previously this was done as a small tweak during MIR generation, but this has been moved to a separate and dedicated MIR pass. This new pass will, for appropriate functions and function calls, insert a `cleanup` landing pad for any function call that may unwind within a function that is itself not allowed to unwind. Note that this subtly changes some behavior from before where previously on an unwind which was caught-to-abort it would run active destructors in the function, and now it simply immediately aborts the process. * The `#[unwind]` attribute has been removed and all users in tests and such are now using `C-unwind` and `#![feature(c_unwind)]`. I think this is largely the last piece of the RFC to implement. Unfortunately I believe this is still not stabilizable as-is because activating the feature gate changes the behavior of the existing `extern "C"` ABI in a way that has no replacement. My thinking for how to enable this is that we add support for the `C-unwind` ABI on stable Rust first, and then after it hits stable we change the behavior of the `C` ABI. That way anyone straddling stable/beta/nightly can switch to `C-unwind` safely.
2021-06-08 11:23:58 -07:00
#![feature(c_unwind)]
#![allow(unused_assignments)]
rustc: Fill out remaining parts of C-unwind ABI This commit intends to fill out some of the remaining pieces of the C-unwind ABI. This has a number of other changes with it though to move this design space forward a bit. Notably contained within here is: * On `panic=unwind`, the `extern "C"` ABI is now considered as "may unwind". This fixes a longstanding soundness issue where if you `panic!()` in an `extern "C"` function defined in Rust that's actually UB because the LLVM representation for the function has the `nounwind` attribute, but then you unwind. * Whether or not a function unwinds now mainly considers the ABI of the function instead of first checking the panic strategy. This fixes a miscompile of `extern "C-unwind"` with `panic=abort` because that ABI can still unwind. * The aborting stub for non-unwinding ABIs with `panic=unwind` has been reimplemented. Previously this was done as a small tweak during MIR generation, but this has been moved to a separate and dedicated MIR pass. This new pass will, for appropriate functions and function calls, insert a `cleanup` landing pad for any function call that may unwind within a function that is itself not allowed to unwind. Note that this subtly changes some behavior from before where previously on an unwind which was caught-to-abort it would run active destructors in the function, and now it simply immediately aborts the process. * The `#[unwind]` attribute has been removed and all users in tests and such are now using `C-unwind` and `#![feature(c_unwind)]`. I think this is largely the last piece of the RFC to implement. Unfortunately I believe this is still not stabilizable as-is because activating the feature gate changes the behavior of the existing `extern "C"` ABI in a way that has no replacement. My thinking for how to enable this is that we add support for the `C-unwind` ABI on stable Rust first, and then after it hits stable we change the behavior of the `C` ABI. That way anyone straddling stable/beta/nightly can switch to `C-unwind` safely.
2021-06-08 11:23:58 -07:00
extern "C" fn might_abort(should_abort: bool) {
if should_abort {
println!("aborting...");
panic!("panics and aborts");
} else {
println!("Don't Panic");
}
}
fn main() -> Result<(), u8> {
let mut countdown = 10;
while countdown > 0 {
if countdown < 5 {
might_abort(false);
}
// See discussion (below the `Notes` section) on coverage results for the closing brace.
if countdown < 5 { might_abort(false); } // Counts for different regions on one line.
// For the following example, the closing brace is the last character on the line.
// This shows the character after the closing brace is highlighted, even if that next
// character is a newline.
if countdown < 5 { might_abort(false); }
countdown -= 1;
}
Ok(())
}
// Notes:
// 1. Compare this program and its coverage results to those of the similar tests
// `panic_unwind.rs` and `try_error_result.rs`.
// 2. This test confirms the coverage generated when a program includes `TerminatorKind::Abort`.
// 3. The test does not invoke the abort. By executing to a successful completion, the coverage
// results show where the program did and did not execute.
// 4. If the program actually aborted, the coverage counters would not be saved (which "works as
// intended"). Coverage results would show no executed coverage regions.
// 6. If `should_abort` is `true` and the program aborts, the program exits with a `132` status
// (on Linux at least).
/*
Expect the following coverage results:
```text
16| 11| while countdown > 0 {
17| 10| if countdown < 5 {
18| 4| might_abort(false);
19| 6| }
```
This is actually correct.
The condition `countdown < 5` executed 10 times (10 loop iterations).
It evaluated to `true` 4 times, and executed the `might_abort()` call.
It skipped the body of the `might_abort()` call 6 times. If an `if` does not include an explicit
`else`, the coverage implementation injects a counter, at the character immediately after the `if`s
closing brace, to count the "implicit" `else`. This is the only way to capture the coverage of the
non-true condition.
As another example of why this is important, say the condition was `countdown < 50`, which is always
`true`. In that case, we wouldn't have a test for what happens if `might_abort()` is not called.
The closing brace would have a count of `0`, highlighting the missed coverage.
*/