-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
c_unwind
full stabilization request: change in extern "C"
behavior
#115285
Comments
Request for StabilizationThis is a request for full stabilization of the SummaryWhen using Previously, the runtime would simply attempt to unwind the caller's stack, but the behavior when doing so was undefined, because This affects existing programs. If a program relies on a Rust panic "escaping" from
The behavior of function calls using Changes since the RFCNone. Unresolved questionsThis feature does not affect the behavior of Tests
|
@rfcbot merge |
Team member @joshtriplett has proposed to merge this. The next step is review by the rest of the tagged team members: No concerns currently listed. Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! cc @rust-lang/lang-advisors: FCP proposed for lang, please feel free to register concerns. |
cc @rust-lang/wg-ffi-unwind |
Do we have a crater run showing the impact of this? I'd prefer to give the ecosystem time to update their code ahead of crashing everyone's programs (even if they're technically already broken). That said, we will need some way of alerting all the broken libraries. |
We could do the crater run on the PR (still under preparation, sorry!) |
I do think it makes sense to do a crater run before actually approving the stabilization. |
@rustbot labels +I-lang-nominated Nominating so we can discuss what needs to happen to move this forward. |
@rustbot labels -I-lang-nominated |
I'm in favor of doing this. At worst we can tie it to the edition. |
@traviscross That's correct; sorry for not linking to those myself. |
Stabilise `c_unwind` Fix rust-lang#74990 Fix rust-lang#115285 Marking as draft PR for now due to `compiler_builtins` issues r? `@Amanieu`
Stabilise `c_unwind` Fix rust-lang#74990 Fix rust-lang#115285 Marking as draft PR for now due to `compiler_builtins` issues r? `@Amanieu`
Crater run is completed. I have triaged all crater failures and determined they are either flaky test, or broken crate, or are expected failure due to the change to enforce extern "C" to be nounwind. |
I think that's should only be blocking the PR, not the FCP? |
I think this is what we were specifically worried about, isn't it? How widespread is this? From your comment, it looks like it's these crates?
Any idea if the maintainers of these crates know about the upcoming change? |
p.s. so excited to see this work in the final comment period! thank you all again for helping mentor my work on #76570. 💟 |
The crater report contains regressions for several zcash related git repos: https://crater-reports.s3.amazonaws.com/pr-116088-2/index.html Several at least are forks of the upstream zcash, for which no regressions are reported. So it may well be that they were forked before it was fixed in upstream. |
@rustbot labels -I-lang-nominated We discussed this in triage today with the result that this in now entering FCP. Thanks to @BatmanAoD for working to push this forward. |
The final comment period, with a disposition to merge, as per the review above, is now complete. As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed. This will be merged soon. |
Small thing: I find it somewhat surprising the exact manner in which unwinds become aborts in Further refining, it surprises me that wrapping a function body in an immediately invoked closure changes semantics. I do not expect the changed ABI in the signature to change the semantics of the contained body. I could live with this, as the developer actually technically has more control in this setup, and it's lower overhead to abort more eagerly, but it still feels a bit wrong, and performance of the about-to-abort edge isn't particularly important. Any optimization barriers to the happy path are mostly still present due to the unwind edge existing at all. (Sorry for just missing FCP on this observation... I said something similar in the discussion around drop unwinds when I determined this is how it works, but didn't think to mention it here as well for some reason.) nbdd0121 notes that while this is the case for the Itanium unwind ABI, MSVC+SEH produces an immediate abort at the unwind source instead. This doesn't exactly match the behavior my testing gets, but it is at least different for SEH than Itanium. |
I agree that's surprising, and opened an issue: #123231. Not sure if that's something we need to resolve before stabilization. However if we want to keep the current behavior we definitely need to document somewhere that calling these destructors is not guaranteed. |
Speaking as ECC's engineering manager responsible for zcashd and librustzcash, I strongly support stabilization of this change. In fact I have been bitterly complaining, with this issue as one of the examples, about the time it takes to fix soundness bugs in Rust. So it would be rather ironic if Zcash-related code were any part of the reason you were not doing so in this case (although I cannot see why it would be). zcashd pins a specific Rust version, so there is no significant risk. If it breaks us, we will fix it before changing that pin — or not, because zcashd is being deprecated anyway. We also have an issue to change all our uses of "C" to "C-unwind" in librustzcash; the only reason why that was not prioritized is that there appeared to be no significant progress on the full stabilization, which is precisely the thing that would make "C-unwind" useful to us. |
Believe me, I sympathize with the pain of how long this feature/fix has taken.
Sorry, I don't understand this dilemma; the "full stabilization" will only affect |
Stabilise `c_unwind` Fix rust-lang#74990 Fix rust-lang#115285 (that's also where FCP is happening) Marking as draft PR for now due to `compiler_builtins` issues r? `@Amanieu`
Stabilise `c_unwind` Fix rust-lang#74990 Fix rust-lang#115285 (that's also where FCP is happening) Marking as draft PR for now due to `compiler_builtins` issues r? ``@Amanieu``
Stabilise `c_unwind` Fix rust-lang#74990 Fix rust-lang#115285 (that's also where FCP is happening) Marking as draft PR for now due to `compiler_builtins` issues r? `@Amanieu`
… r=Mark-Simulacrum Update `catch_unwind` doc comments for `c_unwind` Updates `catch_unwind` doc comments to indicate that catching a foreign exception _will no longer_ be UB. Instead, there are two possible behaviors, though it is not specified which one an implementation will choose. Nominated for t-lang to confirm that they are okay with making such a promise based on t-opsem FCP, or whether they would like to be included in the FCP. Related: rust-lang#74990, rust-lang#115285, rust-lang/reference#1226
…=Mark-Simulacrum Update `catch_unwind` doc comments for `c_unwind` Updates `catch_unwind` doc comments to indicate that catching a foreign exception _will no longer_ be UB. Instead, there are two possible behaviors, though it is not specified which one an implementation will choose. Nominated for t-lang to confirm that they are okay with making such a promise based on t-opsem FCP, or whether they would like to be included in the FCP. Related: rust-lang#74990, rust-lang#115285, rust-lang/reference#1226
…ulacrum Update `catch_unwind` doc comments for `c_unwind` Updates `catch_unwind` doc comments to indicate that catching a foreign exception _will no longer_ be UB. Instead, there are two possible behaviors, though it is not specified which one an implementation will choose. Nominated for t-lang to confirm that they are okay with making such a promise based on t-opsem FCP, or whether they would like to be included in the FCP. Related: rust-lang/rust#74990, rust-lang/rust#115285, rust-lang/reference#1226
…ulacrum Update `catch_unwind` doc comments for `c_unwind` Updates `catch_unwind` doc comments to indicate that catching a foreign exception _will no longer_ be UB. Instead, there are two possible behaviors, though it is not specified which one an implementation will choose. Nominated for t-lang to confirm that they are okay with making such a promise based on t-opsem FCP, or whether they would like to be included in the FCP. Related: rust-lang/rust#74990, rust-lang/rust#115285, rust-lang/reference#1226
Tracking issue: #74990
This is a separate issue to enable using the FCP bot a second time. The request-for-stabilization comment is duplicated below, without modification.
RFC "C-unwind ABI": rust-lang/rfcs#2945
Feature gate to be stabilized:
#![feature(c_unwind)]
Stabilization PR: #116088
The text was updated successfully, but these errors were encountered: