-
Notifications
You must be signed in to change notification settings - Fork 275
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Undefined behavior: the library panics across FFI boundary #354
Comments
See #290 and the first bullet in #288 (comment) |
Forgot it's no longer UB. Relying on UB even with test doesn't sound good to me. Once could build the crate with a slightly different compiler or even in non-test mode could cause issues. We literally can't be sure, that's pretty much what "undefined" means. |
Well yeah, it's not ideal for sure but I think we've explored all options in #288 and concluded this is the best. Or what would you suggest? You mentioned |
#[cfg(feature = "std")]
{
std::process::abort();
}
#[cfg(not(feature = "std"))]
{
loop {}
} |
Another no_std alternative: struct PanicOnDrop;
impl Drop for PanicOnDrop {
fn drop(&mut self) {
panic!("force abort by double panic");
}
}
let bomb = PanicOnDrop;
panic!("force abort by double panic"); However not sure how it translates on embedded and similar platforms. |
I believe the double panic is indeed a way to access I'm personally still too lazy to bother with this but feel free to open a PR. |
I'm not sure there's anything to fix here. |
I tend to agree with @elichai. I would ACK/accept a PR to use the double-panic bomb, since I think this behavior is still UB on the verison of rustc that mrustc supports (I think), and I appreciate that my "it's not UB on new stuff, and empirically the UB on old stuff has ok behavior" logic is not very sound. But I don't feel strongly enough about this that I would do the work myself. |
Panicking across FFI was UB in older Rust versions and thus because of MSRV it's safer to avoid it. This replaces the panic with print+abort on `std` and double panic on no-std. Closes rust-bitcoin#354
No problem, submitted the PR. |
Panicking across FFI was UB in older Rust versions and thus because of MSRV it's safer to avoid it. This replaces the panic with print+abort on `std` and double panic on no-std. Closes rust-bitcoin#354
Panicking across FFI was UB in older Rust versions and thus because of MSRV it's safer to avoid it. This replaces the panic with print+abort on `std` and double panic on no-std. Closes rust-bitcoin#354
Actually I just found out that panic across FFI is still UB - it got reverted and as far as I can see it wasn't reintroduced since then. |
Wow!! Good find. |
Oh I just sad in #358 that we should let it go.... But that was before I saw the comment here that the change got reverted. To be honest, I don't know what to do. |
I see one, hopefully reasonable, way forward: have static
This behavior will be documented for no_std and consumers will be encouraged to provide their error handler. |
Wait, it's true that it got reverted, but only until |
@elichai even if it is defined as of Rust 1.57 (or whatever) I think that's too far in the future (at least two years before that comes under our MSRV, maybe longer because post-Rust-2018 there's are far fewer essential features we're missing), and we need to handle this properly here. I like @Kixunil's propasal. |
Panicking across FFI was UB in older Rust versions and thus because of MSRV it's safer to avoid it. This replaces the panic with print+abort on `std` and double panic on no-std. Closes rust-bitcoin#354
Panicking across FFI was UB in older Rust versions and thus because of MSRV it's safer to avoid it. This replaces the panic with print+abort on `std` and double panic on no-std. Closes rust-bitcoin#354
Panicking across FFI was UB in older Rust versions and thus because of MSRV it's safer to avoid it. This replaces the panic with print+abort on `std` and double panic on no-std. Closes rust-bitcoin#354
Panicking across FFI was UB in older Rust versions and thus because of MSRV it's safer to avoid it. This replaces the panic with print+abort on `std` and double panic on no-std. Closes rust-bitcoin#354
Panicking across FFI boundary is UB but the library does it anyway in
rustsecp256k1_v0_4_1_default_illegal_callback_fn
. This has to be changed toabort
. (infinite loop in non-std, I think)The text was updated successfully, but these errors were encountered: