-
Notifications
You must be signed in to change notification settings - Fork 42
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FFI is not prod-safe until c_unwind
RFC stabilizes and we can use it
#113
Comments
c_unwind
stabilizes and we can use itc_unwind
RFC stabilizes and we can use it
The stabilization PR rust-lang/rust#116088 finally merged and rust-lang/rust#74990 has closed. Now we just need to wait for the next rust release to ship. Among other things, this means duckdb-delta can just throw an exception directly when kernel asks it to allocate an error, which would simplify a lot of FFI code. |
As a subtask we sould protect all engine entry points with |
One potential issue: The beta catch_unwind (1.84) docs state:
Thus, if we use Note: The
|
For FFI to really be prod-ready, we need the rust
c_unwind
RFC to stabilize (see rust-lang/rust#115285 and rust-lang/rust#116088), and then we must update FFI code to take advantage of it. Otherwise, exceptions thrown from C++ code, orpanic!
originating in rust code, have undefined behavior when unwinding across an FFI boundary.Context
C++ and Rust take completely different approaches to exception handling.
Rust generally prefers methods to return an error
Result
when something expected and recoverable goes wrong, and topanic!
if the problem is unexpected or unrecoverable. In turn,panic!
may be implemented by stack unwinding, if the runtime is configured withpanic=unwind
.Meanwhile, C++ relies heavily on exceptions, and on stack unwinding to run destructors as uncaught exceptions propagate. Exceptions can be thrown from just about anywhere (including the standard library) unless extreme care is taken to avoid them.
Because kernel-rs relies heavily on callbacks, and often on double-trampoline callbacks, we must expect cases where an exception thrown from C++ might propagate uncaught through rust code and back into C++ where it is caught and handled. Or for a rust panic to propagate uncaught through C++ code and back to rust code protected by a catch_unwind block.
Unfortunately, any kind of stack unwinding across an FFI boundary (whether C++ -> Rust or Rust -> C++) is undefined behavior today in Rust. The
c_unwind
RFC proposes to address this by allowing exceptions thrown byextern "c-unwind" fn
to safely propagate -- uncaught -- through rust code and back into C++, and for panics inextern "rust-unwind" fn
to safely propagate -- also uncaught -- through C++ code and back into rust. Attempting to catch a foreign exception would still produce undefined behavior, but we don't need that capability.The text was updated successfully, but these errors were encountered: