Undefined behavior: the library panics across FFI boundary #354
Comments
|
See #290 and the first bullet in #288 (comment) |
|
Forgot it's no longer UB. Relying on UB even with test doesn't sound good to me. Once could build the crate with a slightly different compiler or even in non-test mode could cause issues. We literally can't be sure, that's pretty much what "undefined" means. |
|
Well yeah, it's not ideal for sure but I think we've explored all options in #288 and concluded this is the best. Or what would you suggest? You mentioned |
#[cfg(feature = "std")]
{
std::process::abort();
}
#[cfg(not(feature = "std"))]
{
loop {}
} |
|
Another no_std alternative: struct PanicOnDrop;
impl Drop for PanicOnDrop {
fn drop(&mut self) {
panic!("force abort by double panic");
}
}
let bomb = PanicOnDrop;
panic!("force abort by double panic");However not sure how it translates on embedded and similar platforms. |
|
I believe the double panic is indeed a way to access I'm personally still too lazy to bother with this but feel free to open a PR. |
|
I'm not sure there's anything to fix here. |
|
I tend to agree with @elichai. I would ACK/accept a PR to use the double-panic bomb, since I think this behavior is still UB on the verison of rustc that mrustc supports (I think), and I appreciate that my "it's not UB on new stuff, and empirically the UB on old stuff has ok behavior" logic is not very sound. But I don't feel strongly enough about this that I would do the work myself. |
Panicking across FFI was UB in older Rust versions and thus because of MSRV it's safer to avoid it. This replaces the panic with print+abort on `std` and double panic on no-std. Closes rust-bitcoin#354
|
No problem, submitted the PR. |
Panicking across FFI was UB in older Rust versions and thus because of MSRV it's safer to avoid it. This replaces the panic with print+abort on `std` and double panic on no-std. Closes rust-bitcoin#354
Panicking across FFI was UB in older Rust versions and thus because of MSRV it's safer to avoid it. This replaces the panic with print+abort on `std` and double panic on no-std. Closes rust-bitcoin#354
|
Actually I just found out that panic across FFI is still UB - it got reverted and as far as I can see it wasn't reintroduced since then. |
|
Wow!! Good find. |
|
Oh I just sad in #358 that we should let it go.... But that was before I saw the comment here that the change got reverted. To be honest, I don't know what to do. |
|
I see one, hopefully reasonable, way forward: have static
This behavior will be documented for no_std and consumers will be encouraged to provide their error handler. |
Wait, it's true that it got reverted, but only until |
|
@elichai even if it is defined as of Rust 1.57 (or whatever) I think that's too far in the future (at least two years before that comes under our MSRV, maybe longer because post-Rust-2018 there's are far fewer essential features we're missing), and we need to handle this properly here. I like @Kixunil's propasal. |
Panicking across FFI was UB in older Rust versions and thus because of MSRV it's safer to avoid it. This replaces the panic with print+abort on `std` and double panic on no-std. Closes rust-bitcoin#354
Panicking across FFI was UB in older Rust versions and thus because of MSRV it's safer to avoid it. This replaces the panic with print+abort on `std` and double panic on no-std. Closes rust-bitcoin#354
Panicking across FFI was UB in older Rust versions and thus because of MSRV it's safer to avoid it. This replaces the panic with print+abort on `std` and double panic on no-std. Closes rust-bitcoin#354
Panicking across FFI was UB in older Rust versions and thus because of MSRV it's safer to avoid it. This replaces the panic with print+abort on `std` and double panic on no-std. Closes rust-bitcoin#354
Panicking across FFI boundary is UB but the library does it anyway in
rustsecp256k1_v0_4_1_default_illegal_callback_fn. This has to be changed toabort. (infinite loop in non-std, I think)The text was updated successfully, but these errors were encountered: