Enumerate types which are !UnwindSafe on purpose, fix the rest
#4657
Comments
|
I want to note that the standard library argues that its mutex should be UnwindSafe because it has poisoning, and our mutexes doesn't. |
|
The std Given that no other lock API, including Tokio's, has bothered to implement poisoning, I assume the conclusion is that bugs due to broken invariants in the state of a type, left by unwinding, are rare enough that it's not worth the inconvenience. If that's the case, then why should their handling with |
|
Maybe related, but when using |
|
|
|
Hi, is there any updates, especially about RwLock / Mutex's unwind safety, and Runtime's? Thanks! |
|
Other than #6189 (that you filed), no. |
|
@Darksonn Thank you all the same. As for the Mutex/RwLock, do you suggest we just use AssertUnwindSafe and/or make a PR to make it UnwindSafe, or is forbidden to use it across panic at all? P.S. My use case is like this: To develop https://github.com/fzyzcjy/flutter_rust_bridge, I need to have |
|
Unwind safety is just a lint to act as a speedbump when catching panics. 🤷♀️ If you are sure that your code is correct even if it panics, then go ahead and use AssertUnwindSafe. |
|
@Darksonn Thanks for the information! However, I am not sure, because I am not the user but the package developer... I am only sure that the usage scenario is above. |
Actually, this isn't true. You can still lock the mutex inside your closure and then panic while holding the lock. The MutexGuard wont be captured from the outer scope but it's still leaving your data in a potentially inconsistent state. I would guess that |
Tokio's API has a number of types that are
!UnwindSafeand/or!RefUnwindSafeeven though a lot of them are meant to be used concurrently from multiple threads/tasks which inherently will require them to survive unwinding anyway.Searching the issue tracker and PR history, it appears that this is likely not intentional for most of these types, as patches to add explicit
UnwindSafeimpls appear to always be accepted:tokio::net::UdpSocketis not marked as UnwindSafe #4336Of course, it is possible to just use
AssertUnwindSafe, as has been suggested before, but I don't think this is a tenable solution as it's easy to be overinclusive when it comes to futures (since you can just wrap a wholeasync {}block with it) and unintentionally assert unwind safety on a type that is!UnwindSafeon purpose, which could lead to logic errors, leaks or UB depending on the implementation of the API that's opting-out.However, I don't see any documentation in general on what types are intended to be
!UnwindSafeand which simply haven't been addressed yet, so I'm opening this issue to enumerate the ones I know of and seek discussion on either fixing them or explicitly leaving them as they are. I don't have time to create an exhaustive list, but I'm hoping that this issue can serve as a nexus for collecting this knowledge to make it easier to find in the future.tokio::syncmoduleThese types are all meant to be used concurrently, so
!UnwindSafeseems unintentional.I suspect it should be possible to fix most of them in one fell swoop by fixing the underlying primitives.
The guard types should probably also take into account whether the contained type is
RefUnwindSafe.BarrierMappedMutexGuardMutexMutexGuardNotifyOnceCellOwnedMutexGuardOwnedRwLockMappedWriteGuardOwnedRwLockReadGuardOwnedRwLockWriteGuardOwnedSemaphorePermitRwLockRwLockMappedWriteGuardRwLockReadGuardRwLockWriteGuardSemaphoreSemaphorePermitChannels
All channel types appear to be
!UnwindSafeas well, even ones likempsc::Senderwhich can be used from multiple threads concurrently.The text was updated successfully, but these errors were encountered: