Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rustc: Switch `extern` functions to abort by default on panic #55982

Merged
merged 1 commit into from Dec 13, 2018

Conversation

Projects
None yet
@alexcrichton
Copy link
Member

alexcrichton commented Nov 15, 2018

This was intended to land way back in 1.24, but it was backed out due to breakage which has long since been fixed. Prior to this PR a crate could panic and unwind past an extern fn boundary, but such behavior is UB. For example, this is undefined behavior:

extern fn foo() {
    panic!();
}

fn main() {
    foo();
}

This PR changes the behavior of generated code to be sound-by-default. If an extern fn is unwound (panicked through) then it immediately aborts the program. Put another way, no extern fn can unwind.

The implementation in this PR is pretty simple because an unstable #[unwind] attribute could already be used to tweak the unwinding behavior. As a result this PR basically just switches the default from #[unwind] to #[unwind(abort)] for all extern fn definitions.

Closes #52652

@rust-highfive

This comment has been minimized.

Copy link
Collaborator

rust-highfive commented Nov 15, 2018

r? @zackmdavis

(rust_highfive has picked a reviewer for you, use r? to override)

@zackmdavis

This comment has been minimized.

Copy link
Member

zackmdavis commented Nov 15, 2018

@bors r+

@bors

This comment has been minimized.

Copy link
Contributor

bors commented Nov 15, 2018

📌 Commit 6ea11fd has been approved by zackmdavis

@Mark-Simulacrum

This comment has been minimized.

Copy link
Member

Mark-Simulacrum commented Nov 15, 2018

FWIW I still personally feel like changing stable behavior without providing a stabilized way to get back the old behavior is not great, but I'm not going to block this myself, both because I think this is fairly rare and the new behavior seems overall later.

@pietroalbini

This comment has been minimized.

Copy link
Member

pietroalbini commented Nov 15, 2018

Maybe we should do a Crater run for this?

@alexcrichton

This comment has been minimized.

Copy link
Member Author

alexcrichton commented Nov 15, 2018

@bors: r-

Seems fine by me to hold off on a crater run happening!

@alexcrichton

This comment has been minimized.

Copy link
Member Author

alexcrichton commented Nov 15, 2018

@bors: try

@bors

This comment has been minimized.

Copy link
Contributor

bors commented Nov 15, 2018

⌛️ Trying commit 6ea11fd with merge 2e026d6...

bors added a commit that referenced this pull request Nov 15, 2018

Auto merge of #55982 - alexcrichton:panic-extern-abort, r=<try>
rustc: Switch `extern` functions to abort by default on panic

This was intended to land way back in 1.24, but it was backed out due to
breakage which has long since been fixed. An unstable `#[unwind]`
attribute can be used to tweak the behavior here, but this is currently
simply switching rustc's internal default to abort-by-default if an
`extern` function panics, making our codegen sound primarily (as
currently you can produce UB with safe code)

Closes #52652
@bors

This comment has been minimized.

Copy link
Contributor

bors commented Nov 16, 2018

☀️ Test successful - status-travis
State: approved= try=True

@alexcrichton

This comment has been minimized.

Copy link
Member Author

alexcrichton commented Nov 16, 2018

@craterbot run start=master#6b9b97bd9b704f85f0184f7a213cc4d62bd9654c end=try#2e026d6e5d7621634147ad4c8074f1d964dbb1be mode=build-and-test

@craterbot

This comment has been minimized.

Copy link
Collaborator

craterbot commented Nov 16, 2018

👌 Experiment pr-55982 created and queued.
🔍 You can check out the queue and this experiment's details.

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

@craterbot

This comment has been minimized.

Copy link
Collaborator

craterbot commented Nov 16, 2018

🚧 Experiment pr-55982 is now running on agent aws-2.

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

@craterbot

This comment has been minimized.

Copy link
Collaborator

craterbot commented Nov 18, 2018

🎉 Experiment pr-55982 is completed!
📰 Open the full report.

⚠️ If you notice any spurious failure please add them to the blacklist!
ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

@alexcrichton

This comment has been minimized.

Copy link
Member Author

alexcrichton commented Nov 20, 2018

From that report there are four legitimate-looking regressions

In testing I've also noticed that the compiler no longer emits nounwind attributes for extern functions. This appears to be a regression in #51041, first showing up in Rust 1.28.0.

I've now pushed a follow-up commit to fix the regression, now applying nounwind on extern function as intended.

@alexcrichton alexcrichton force-pushed the alexcrichton:panic-extern-abort branch from 6ea11fd to 95310d6 Nov 20, 2018

@rust-highfive

This comment has been minimized.

Copy link
Collaborator

rust-highfive commented Nov 20, 2018

The job x86_64-gnu-llvm-5.0 of your PR failed on Travis (raw log). Through arcane magic we have determined that the following fragments from the build log may contain information about the problem.

Click to expand the log.
travis_time:end:2312b483:start=1542755280460092720,finish=1542755281902444787,duration=1442352067
$ git checkout -qf FETCH_HEAD
travis_fold:end:git.checkout

Encrypted environment variables have been removed for security reasons.
See https://docs.travis-ci.com/user/pull-requests/#Pull-Requests-and-Security-Restrictions
$ export SCCACHE_BUCKET=rust-lang-ci-sccache2
$ export SCCACHE_REGION=us-west-1
Setting environment variables from .travis.yml
$ export IMAGE=x86_64-gnu-llvm-5.0
---
[00:17:49]    Compiling rustc_codegen_ssa v0.0.0 (/checkout/src/librustc_codegen_ssa)
[00:18:03] error[E0061]: this function takes 2 parameters but 1 parameter was supplied
[00:18:03]    --> librustc_codegen_llvm/attributes.rs:199:5
[00:18:03]     |
[00:18:03] 64  |   fn unwind(val: &'ll Value, can_unwind: bool) {
[00:18:03]     |   -------------------------------------------- defined here
[00:18:03] ...
[00:18:03] 199 | /     unwind(if cx.tcx.sess.panic_strategy() != PanicStrategy::Unwind {
[00:18:03] 200 | |         // In panic=abort mode we assume nothing can unwind anywhere, so
[00:18:03] 201 | |         // optimize based on this!
[00:18:03] ...   |
[00:18:03] 228 | |         true
[00:18:03] 229 | |     });
[00:18:03]     | |______^ expected 2 parameters
---
145100 ./obj/build/x86_64-unknown-linux-gnu/stage0-sysroot/lib/rustlib
145096 ./obj/build/x86_64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/x86_64-unknown-linux-gnu
145092 ./obj/build/x86_64-unknown-linux-gnu/stage0-sysroot/lib/rustlib/x86_64-unknown-linux-gnu/lib
134664 ./obj/build/bootstrap/debug/incremental/bootstrap-zemjd6kcyh2u
134660 ./obj/build/bootstrap/debug/incremental/bootstrap-zemjd6kcyh2u/s-f6v028rh0j-1jh577i-2q1xp1m83q6vz
107888 ./obj/build/x86_64-unknown-linux-gnu/stage0/lib/rustlib/x86_64-unknown-linux-gnu/codegen-backends
104700 ./src/tools/lldb
93748 ./src/tools/clang/test
89976 ./src/llvm-emscripten/test/CodeGen

I'm a bot! I can only do what humans tell me to, so if this was not helpful or you have suggestions for improvements, please ping or otherwise contact @TimNN. (Feature Requests)

@alexcrichton alexcrichton force-pushed the alexcrichton:panic-extern-abort branch from 95310d6 to 07aafac Nov 20, 2018

rustc: Switch `extern` functions to abort by default on panic
This was intended to land way back in 1.24, but it was backed out due to
breakage which has long since been fixed. An unstable `#[unwind]`
attribute can be used to tweak the behavior here, but this is currently
simply switching rustc's internal default to abort-by-default if an
`extern` function panics, making our codegen sound primarily (as
currently you can produce UB with safe code)

Closes #52652

@alexcrichton alexcrichton force-pushed the alexcrichton:panic-extern-abort branch from c3fc942 to 1091eee Dec 12, 2018

@alexcrichton

This comment has been minimized.

Copy link
Member Author

alexcrichton commented Dec 12, 2018

@bors: r=zackmdavis

@bors

This comment has been minimized.

Copy link
Contributor

bors commented Dec 12, 2018

📌 Commit 1091eee has been approved by zackmdavis

@bors

This comment has been minimized.

Copy link
Contributor

bors commented Dec 12, 2018

⌛️ Testing commit 1091eee with merge 5316104...

bors added a commit that referenced this pull request Dec 12, 2018

Auto merge of #55982 - alexcrichton:panic-extern-abort, r=zackmdavis
rustc: Switch `extern` functions to abort by default on panic

This was intended to land way back in 1.24, but it was backed out due to
breakage which has long since been fixed. An unstable `#[unwind]`
attribute can be used to tweak the behavior here, but this is currently
simply switching rustc's internal default to abort-by-default if an
`extern` function panics, making our codegen sound primarily (as
currently you can produce UB with safe code)

Closes #52652
@bors

This comment has been minimized.

Copy link
Contributor

bors commented Dec 12, 2018

☀️ Test successful - status-appveyor, status-travis
Approved by: zackmdavis
Pushing 5316104 to master...

@bors

This comment has been minimized.

Copy link
Contributor

bors commented Dec 12, 2018

👀 Test was successful, but fast-forwarding failed: 422 Update is not a fast forward

@alexcrichton

This comment has been minimized.

Copy link
Member Author

alexcrichton commented Dec 12, 2018

@bors: retry

@bors

This comment has been minimized.

Copy link
Contributor

bors commented Dec 13, 2018

⌛️ Testing commit 1091eee with merge 2f35a10...

bors added a commit that referenced this pull request Dec 13, 2018

Auto merge of #55982 - alexcrichton:panic-extern-abort, r=zackmdavis
rustc: Switch `extern` functions to abort by default on panic

This was intended to land way back in 1.24, but it was backed out due to
breakage which has long since been fixed. An unstable `#[unwind]`
attribute can be used to tweak the behavior here, but this is currently
simply switching rustc's internal default to abort-by-default if an
`extern` function panics, making our codegen sound primarily (as
currently you can produce UB with safe code)

Closes #52652
@bors

This comment has been minimized.

Copy link
Contributor

bors commented Dec 13, 2018

☀️ Test successful - status-appveyor, status-travis
Approved by: zackmdavis
Pushing 2f35a10 to master...

@bors bors merged commit 1091eee into rust-lang:master Dec 13, 2018

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details
homu Test successful
Details
@SimonSapin

This comment has been minimized.

Copy link
Contributor

SimonSapin commented Dec 13, 2018

but this is currently simply switching rustc's internal default to abort-by-default

This sounds like the default is unchanged, and this PR doesn’t do anything without #[unwind]. But that’s not what the test case changes suggest. @alexcrichton Could you clarify the PR description, for the eventual release notes?

@alexcrichton alexcrichton deleted the alexcrichton:panic-extern-abort branch Dec 13, 2018

@alexcrichton

This comment has been minimized.

Copy link
Member Author

alexcrichton commented Dec 13, 2018

Sure! @SimonSapin does this clear things up?


This was intended to land way back in 1.24, but it was backed out due to breakage which has long since been fixed. Prior to this PR a crate could panic and unwind past an extern fn boundary, but such behavior is UB. For example, this is undefined behavior:

extern fn foo() {
    panic!();
}

fn main() {
    foo();
}

This PR changes the behavior of generated code to be sound-by-default. If an extern fn is unwound (panicked through) then it immediately aborts the program. Put another way, no extern fn can unwind.

The implementation in this PR is pretty simple because an unstable #[unwind] attribute could already be used to tweak the unwinding behavior. As a result this PR basically just switches the default from #[unwind] to #[unwind(abort)] for all extern fn definitions.

@SimonSapin

This comment has been minimized.

Copy link
Contributor

SimonSapin commented Dec 13, 2018

Yes this is better, thanks! I don’t know if this example is actually UB though. I though what was undefined was unwinding from Rust into a call stack of another language.

@alexcrichton

This comment has been minimized.

Copy link
Member Author

alexcrichton commented Dec 13, 2018

You can explore the UB through the IR of a program like this:

#![crate_type = "lib"]      
                            
#[inline(never)]            
extern fn foo() {           
    panic!("x");            
}                           
                            
struct A;                   
                            
impl Drop for A {           
    fn drop(&mut self) {    
        extern { fn foo(); }
        unsafe { foo(); }   
    }                       
}                           
                            
pub fn bar() {              
    let _x = A;             
    foo();                  
}                           

The compiler places the nounwind LLVM attribute on the function foo, but it actually ends up unwinding. According to LLVM:

If the function does raise an exception, its runtime behavior is undefined

Note that recent compilers have a bug where they don't place nounwind (fixed in this PR), but 1.25.0 for example placed the nounwind attribute.

@SimonSapin

This comment has been minimized.

Copy link
Contributor

SimonSapin commented Dec 13, 2018

Ok I see. I didn’t know about nounwind. Thanks!

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Mar 3, 2019

he
Update rust to version 1.33.0.
Pkgsrc changes:
 * Bump required rust version to build to 1.32.0.
 * Adapt patches to changed file locations.
 * Since we now patch some more vendor/ modules, doctor the corresponding
   .cargo-checksum.json files accordingly

Upstream changes:

Version 1.33.0 (2019-02-28)
==========================

Language
--------
- [You can now use the `cfg(target_vendor)` attribute.][57465] E.g.
  `#[cfg(target_vendor="apple")] fn main() { println!("Hello Apple!"); }`
- [Integer patterns such as in a match expression can now be exhaustive.][56362]
  E.g. You can have match statement on a `u8` that covers `0..=255` and
  you would no longer be required to have a `_ => unreachable!()` case.
- [You can now have multiple patterns in `if let` and `while let`
  expressions.][57532] You can do this with the same syntax as a `match`
  expression. E.g.
  ```rust
  enum Creature {
      Crab(String),
      Lobster(String),
      Person(String),
  }

  fn main() {
      let state = Creature::Crab("Ferris");

      if let Creature::Crab(name) | Creature::Person(name) = state {
          println!("This creature's name is: {}", name);
      }
  }
  ```
- [You can now have irrefutable `if let` and `while let` patterns.][57535]
  Using this feature will by default produce a warning as this behaviour
  can be unintuitive. E.g. `if let _ = 5 {}`
- [You can now use `let` bindings, assignments, expression statements,
  and irrefutable pattern destructuring in const functions.][57175]
- [You can now call unsafe const functions.][57067] E.g.
  ```rust
  const unsafe fn foo() -> i32 { 5 }
  const fn bar() -> i32 {
      unsafe { foo() }
  }
  ```
- [You can now specify multiple attributes in a `cfg_attr` attribute.][57332]
  E.g. `#[cfg_attr(all(), must_use, optimize)]`
- [You can now specify a specific alignment with the `#[repr(packed)]`
  attribute.][57049] E.g. `#[repr(packed(2))] struct Foo(i16, i32);` is a
  struct with an alignment of 2 bytes and a size of 6 bytes.
- [You can now import an item from a module as an `_`.][56303] This allows you
  to import a trait's impls, and not have the name in the namespace. E.g.
  ```rust
  use std::io::Read as _;

  // Allowed as there is only one `Read` in the module.
  pub trait Read {}
  ```
- [You may now use `Rc`, `Arc`, and `Pin` as method receivers][56805].

Compiler
--------
- [You can now set a linker flavor for `rustc` with the `-Clinker-flavor`
  command line argument.][56351]
- [The mininum required LLVM version has been bumped to 6.0.][56642]
- [Added support for the PowerPC64 architecture on FreeBSD.][57615]
- [The `x86_64-fortanix-unknown-sgx` target support has been upgraded to
  tier 2 support.][57130] Visit the [platform support][platform-support]
  page for information on Rust's platform support.
- [Added support for the `thumbv7neon-linux-androideabi` and
  `thumbv7neon-unknown-linux-gnueabihf` targets.][56947]
- [Added support for the `x86_64-unknown-uefi` target.][56769]

Libraries
---------
- [The methods `overflowing_{add, sub, mul, shl, shr}` are now `const`
  functions for all numeric types.][57566]
- [The methods `rotate_left`, `rotate_right`, and `wrapping_{add, sub, mul,
  shl, shr}`
  are now `const` functions for all numeric types.][57105]
- [The methods `is_positive` and `is_negative` are now `const` functions for
  all signed numeric types.][57105]
- [The `get` method for all `NonZero` types is now `const`.][57167]
- [The methods `count_ones`, `count_zeros`, `leading_zeros`, `trailing_zeros`,
  `swap_bytes`, `from_be`, `from_le`, `to_be`, `to_le` are now `const` for all
  numeric types.][57234]
- [`Ipv4Addr::new` is now a `const` function][57234]

Stabilized APIs
---------------
- [`unix::FileExt::read_exact_at`]
- [`unix::FileExt::write_all_at`]
- [`Option::transpose`]
- [`Result::transpose`]
- [`convert::identity`]
- [`pin::Pin`]
- [`marker::Unpin`]
- [`marker::PhantomPinned`]
- [`Vec::resize_with`]
- [`VecDeque::resize_with`]
- [`Duration::as_millis`]
- [`Duration::as_micros`]
- [`Duration::as_nanos`]


Cargo
-----
- [Cargo should now rebuild a crate if a file was modified during the initial
  build.][cargo/6484]

Compatibility Notes
-------------------
- The methods `str::{trim_left, trim_right, trim_left_matches,
  trim_right_matches}` are now deprecated in the standard library, and their
  usage will now produce a warning.  Please use the `str::{trim_start,
  trim_end, trim_start_matches, trim_end_matches}` methods instead.
- The `Error::cause` method has been deprecated in favor of `Error::source`
  which supports downcasting.

[55982]: rust-lang/rust#55982
[56303]: rust-lang/rust#56303
[56351]: rust-lang/rust#56351
[56362]: rust-lang/rust#56362
[56642]: rust-lang/rust#56642
[56769]: rust-lang/rust#56769
[56805]: rust-lang/rust#56805
[56947]: rust-lang/rust#56947
[57049]: rust-lang/rust#57049
[57067]: rust-lang/rust#57067
[57105]: rust-lang/rust#57105
[57130]: rust-lang/rust#57130
[57167]: rust-lang/rust#57167
[57175]: rust-lang/rust#57175
[57234]: rust-lang/rust#57234
[57332]: rust-lang/rust#57332
[57465]: rust-lang/rust#57465
[57532]: rust-lang/rust#57532
[57535]: rust-lang/rust#57535
[57566]: rust-lang/rust#57566
[57615]: rust-lang/rust#57615
[cargo/6484]: rust-lang/cargo#6484
[`unix::FileExt::read_exact_at`]: https://doc.rust-lang.org/std/os/unix/fs/trait.FileExt.html#method.read_exact_at
[`unix::FileExt::write_all_at`]: https://doc.rust-lang.org/std/os/unix/fs/trait.FileExt.html#method.write_all_at
[`Option::transpose`]: https://doc.rust-lang.org/std/option/enum.Option.html#method.transpose
[`Result::transpose`]: https://doc.rust-lang.org/std/result/enum.Result.html#method.transpose
[`convert::identity`]: https://doc.rust-lang.org/std/convert/fn.identity.html
[`pin::Pin`]: https://doc.rust-lang.org/std/pin/struct.Pin.html
[`marker::Unpin`]: https://doc.rust-lang.org/stable/std/marker/trait.Unpin.html
[`marker::PhantomPinned`]: https://doc.rust-lang.org/nightly/std/marker/struct.PhantomPinned.html
[`Vec::resize_with`]: https://doc.rust-lang.org/std/vec/struct.Vec.html#method.resize_with
[`VecDeque::resize_with`]: https://doc.rust-lang.org/std/collections/struct.VecDeque.html#method.resize_with
[`Duration::as_millis`]: https://doc.rust-lang.org/std/time/struct.Duration.html#method.as_millis
[`Duration::as_micros`]: https://doc.rust-lang.org/std/time/struct.Duration.html#method.as_micros
[`Duration::as_nanos`]: https://doc.rust-lang.org/std/time/struct.Duration.html#method.as_nanos
[platform-support]: https://forge.rust-lang.org/platform-support.html
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.