-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unsoundness when a panic Rust code is caught by separetely compiled Rust code through FFI-unwind #102715
Comments
@rustbot label: +F-c_unwind +WG-project-ffi-unwind +I-unsound +requires-nightly +A-ffi +A-runtime |
I think it's worth mentioning that catching a foreign unwind in Rust is UB. I mark this as I-unsound because:
While guarding against it is favorable, this issue could be considered solved if we simply document clearly that this kind of situation is same as catching a non-Rust (e.g. C++) foreign unwind, which is UB. |
I would like to see this somewhat changed in the future. Specifically, I would like:
That would likely require a separate RFC, though. |
You can't rethrow foreign exceptions without hooking directly into the runtime of the respective language when catching them and when rethrowing them. libstd can't hook into the C++ standard library, so rethrowing after std::panic::catch_unwind is out of the question.
Unwinding through C++ or Rust already causes destructors to run. It is only the catching that isn't allowed. |
Yeah this makes sense to me. Do we have any documentation talking about linking together Rust code compiled with different toolchains? We already obviously don't allow passing |
Rust panics pass a |
The problem is that there are no explicit use of |
Prevent foreign Rust exceptions from being caught Fix rust-lang#102715 Use the address of a static variable (which is guaranteed to be unique per copy of std) to tell apart if a Rust exception comes from local or foreign Rust code, and abort for the latter.
Prevent foreign Rust exceptions from being caught Fix rust-lang#102715 Use the address of a static variable (which is guaranteed to be unique per copy of std) to tell apart if a Rust exception comes from local or foreign Rust code, and abort for the latter.
Prevent foreign Rust exceptions from being caught Fix rust-lang#102715 Use the address of a static variable (which is guaranteed to be unique per copy of std) to tell apart if a Rust exception comes from local or foreign Rust code, and abort for the latter.
Prevent foreign Rust exceptions from being caught Fix rust-lang#102715 Use the address of a static variable (which is guaranteed to be unique per copy of std) to tell apart if a Rust exception comes from local or foreign Rust code, and abort for the latter.
Prevent foreign Rust exceptions from being caught Fix rust-lang#102715 Use the address of a static variable (which is guaranteed to be unique per copy of std) to tell apart if a Rust exception comes from local or foreign Rust code, and abort for the latter.
Prevent foreign Rust exceptions from being caught Fix rust-lang#102715 Use the address of a static variable (which is guaranteed to be unique per copy of std) to tell apart if a Rust exception comes from local or foreign Rust code, and abort for the latter.
Rust code might be able to catch foreign Rust code through FFI unwind.
a.rs:
b.rs:
These two crates could be compiled with different Rust versions, or same version with different flags (e.g. struct layout randomisation), and this will create unsoundness because we couldn't guarantee the ABI for separate compilations.
Currently we just use the exception class in the unwind runtime ("MOZ\0RUST") to tell apart Rust exceptions from foreign exceptions, but for soundness we need to treat Rust exception from another compilation as foreign exception as well.
The text was updated successfully, but these errors were encountered: