panic! -> abort #80
panic! -> abort #80
Conversation
|
@homunkulus try |
|
r+ from me Want to add this to the CI though to ensure there are no references to the panic symbol? |
|
@alexcrichton sure thing |
|
Hmm, so, with these changes, But, without these changes, if I build |
Actually just the changes in this PR are not enough to remove all the panics. I'm going to homu try this so you can see the errors. |
|
@homunkulus try |
|
💔 Test failed - status-travis |
|
Panics are also inserted for |
|
Hmm, does that means that we have to create wrappers around primitives that |
|
Ideally |
|
@homunkulus try |
1 similar comment
|
@homunkulus try |
|
☀️ Test successful - status-appveyor, status-travis |
|
@alexcrichton I added a few |
|
Hm yeah that works for release mode, but for debug mode the symbols would stick around? |
|
I changed all the division and modulo operations with macros that abort on bad inputs. This makes the LTO work with the dev profile iff the debug-assertions are turned off ... If we want LTO to work with debug assertions on, we'll have to change all the operations that may overflow with an abort on overflow version |
|
@homunkulus try |
|
☀️ Test successful - status-appveyor, status-travis |
| @@ -25,4 +25,7 @@ compiler-rt = { path = "compiler-rt" } | |||
| c = [] | |||
| weak = ["rlibc/weak"] | |||
|
|
|||
| [profile.dev] | |||
| debug-assertions = false | |||
There was a problem hiding this comment.
It seems desirable to leave this on, right? It's caught bugs in overflows and such?
| let b = $b; | ||
|
|
||
| if b == 0 { | ||
| intrinsics::abort() |
There was a problem hiding this comment.
You may want to make these ::core::intrinsics::... to avoid imports in the other modules.
What's the error message if debug assertions are turned on? |
Building |
is:
is and so on. |
|
Oh those just need to be wrapping ops, right? Or explicitly |
I don't know if these have helped catch bugs but we do have seen debug assertions related to overflows while testing the intrinsics.
I prefer checked + abort. Although not as nice as panics, that way still tells you there's overflow going on so you can look at the offending code and decide if overflowing makes sense. OTOH, silent overflows sound like a bad default. |
|
Yeah I agree that we probably want to catch overflows as much as possible. Want to try out the checked + abort strategy? |
|
Hmm, would it make sense to change all the arithmetic operations to checked+abort? |
|
Hmm, it seems like the I changed the contents of the macros to |
I think to get rid of references to the panic symbol, yeah.
Oh gah it looks like this is a bug in the standard library, they still use the standard |
The implementation of pub fn overflowing_div(self, rhs: Self) -> (Self, bool) {
if self == Self::min_value() && rhs == -1 {
(self, true)
} else {
unsafe {
(self / rhs, false)
}
}
}but we can't change the |
|
Hm ok, perhaps a suite of checked ops could be added to this crate? |
|
Note that this should likely be fixed upstream as well |
|
Ugh, I've been using macros to do the checked.unwrap_or(abort) thing but pretty much every single operation has to be replaced by that macro, which in results in very verbose code. I think that we instead should use newtypes with abort on bad inputs/overflow semantics to avoid obfuscating the code. But that's going to require a bunch of boilerplate instead. Can we punt fixing debug (-debug-assertions) + LTO and land this PR as it's (modulo nits)? |
|
Hm so disabling debug assertions here won't actually work for everyone else. That is, the top-level project decides this, not the crate itself. Put another way this won't fix #79 (the intention, right?) because the I'd probably recommend keeping the same form of style here and avoiding macros. It's already kinda hard to follow with macros generating functions :(. Perhaps some new types could be added whose operators (like |
Oh, yes. I'm aware. That what actually just for testing this on the debug-assertion-less scenario.
No, this won't totally fix #79. But it does fix the LTO + release case which is, I think, the combination that most people care about. @FenrirWolf, are you mostly interested in profile.release + LTO? Or is profile.dev + LTO also important to you?
Certainly that's a better fix and I've also suggested it above. What I wanted to do is fix profile.release + LTO now and then implement the newtype approach to fix the general case. |
|
@japaric I haven't been using profile.dev + LTO since that combination was producing an LLVM error for a long time. Though now that you've reminded me, I just checked to see if that error still happens on the latest nightly, and it doesn't. So that's cool. Either way, I've mainly been using profile.release + LTO. I can technically go without that too if need be. |
|
@japaric ok if this is targeted at fixing the release + LTO case, sounds good to me! Let's go ahead and land to then fixup the debug case later |
closes #79
both prevent LLVM from optimizing away the intrinsics but the former doesn't produce an `intrinsics` binary that segfaults
|
@alexcrichton r? |
|
r+ |
|
☀️ Test successful - status-appveyor, status-travis |
closes #79