Auto merge of rust-lang#97033 - nbdd0121:unwind3, r=Amanieu

bors · bors · commit 50872bdb99c9 · 2022-05-19T04:04:40.000Z
Remove libstd's calls to `C-unwind` foreign functions Remove all libstd and its dependencies' usage of `extern "C-unwind"`. This is a prerequiste of a WIP PR which will forbid libraries calling `extern "C-unwind"` functions to be compiled in `-Cpanic=unwind` and linked against `panic_abort` (this restriction is necessary to address soundness bug rust-lang#96926). Cargo will ensure all crates are compiled with the same `-Cpanic` but the std is only compiled `-Cpanic=unwind` but needs the ability to be linked into `-Cpanic=abort`. Currently there are two places where `C-unwind` is used in libstd: * `__rust_start_panic` is used for interfacing to the panic runtime. This could be `extern "Rust"` * `_{rdl,rg}_oom`: a shim `__rust_alloc_error_handler` will be generated by codegen to call into one of these; they can also be `extern "Rust"` (in fact, the generated shim is used as `extern "Rust"`, so I am not even sure why these are not, probably because they used to `extern "C"` and was changed to `extern "C-unwind"` when we allow alloc error hooks to unwind, but they really should just be using Rust ABI). For dependencies, there is only one `extern "C-unwind"` function call, in `unwind` crate. This can be expressed as a re-export. More dicussions can be seen in the Zulip thread: https://rust-lang.zulipchat.com/#narrow/stream/210922-project-ffi-unwind/topic/soundness.20in.20mixed.20panic.20mode `@rustbot` label: T-libs F-c_unwind
diff --git a/library/alloc/src/alloc.rs b/library/alloc/src/alloc.rs
@@ -398,13 +398,13 @@ pub mod __alloc_error_handler {
 
     // if there is no `#[alloc_error_handler]`
     #[rustc_std_internal_symbol]
-    pub unsafe extern "C-unwind" fn __rdl_oom(size: usize, _align: usize) -> ! {
+    pub unsafe fn __rdl_oom(size: usize, _align: usize) -> ! {
         panic!("memory allocation of {size} bytes failed")
     }
 
     // if there is an `#[alloc_error_handler]`
     #[rustc_std_internal_symbol]
-    pub unsafe extern "C-unwind" fn __rg_oom(size: usize, align: usize) -> ! {
+    pub unsafe fn __rg_oom(size: usize, align: usize) -> ! {
         let layout = unsafe { Layout::from_size_align_unchecked(size, align) };
         extern "Rust" {
             #[lang = "oom"]
diff --git a/library/panic_abort/src/lib.rs b/library/panic_abort/src/lib.rs
@@ -30,7 +30,7 @@ pub unsafe extern "C" fn __rust_panic_cleanup(_: *mut u8) -> *mut (dyn Any + Sen
 
 // "Leak" the payload and shim to the relevant abort on the platform in question.
 #[rustc_std_internal_symbol]
-pub unsafe extern "C-unwind" fn __rust_start_panic(_payload: *mut &mut dyn BoxMeUp) -> u32 {
+pub unsafe fn __rust_start_panic(_payload: *mut &mut dyn BoxMeUp) -> u32 {
     // Android has the ability to attach a message as part of the abort.
     #[cfg(target_os = "android")]
     android::android_set_abort_message(_payload);
diff --git a/library/panic_unwind/src/lib.rs b/library/panic_unwind/src/lib.rs
@@ -104,7 +104,7 @@ pub unsafe extern "C" fn __rust_panic_cleanup(payload: *mut u8) -> *mut (dyn Any
 // Entry point for raising an exception, just delegates to the platform-specific
 // implementation.
 #[rustc_std_internal_symbol]
-pub unsafe extern "C-unwind" fn __rust_start_panic(payload: *mut &mut dyn BoxMeUp) -> u32 {
+pub unsafe fn __rust_start_panic(payload: *mut &mut dyn BoxMeUp) -> u32 {
     let payload = Box::from_raw((*payload).take_box());
 
     imp::panic(payload)
diff --git a/library/std/src/panicking.rs b/library/std/src/panicking.rs
@@ -47,7 +47,7 @@ extern "C" {
 }
 
 #[allow(improper_ctypes)]
-extern "C-unwind" {
+extern "Rust" {
     /// `payload` is passed through another layer of raw pointers as `&mut dyn Trait` is not
     /// FFI-safe. `BoxMeUp` lazily performs allocation only when needed (this avoids allocations
     /// when using the "abort" panic runtime).
diff --git a/library/unwind/src/libunwind.rs b/library/unwind/src/libunwind.rs
@@ -264,10 +264,7 @@ if #[cfg(not(all(target_os = "ios", target_arch = "arm")))] {
         pub fn _Unwind_SjLj_RaiseException(e: *mut _Unwind_Exception) -> _Unwind_Reason_Code;
     }
 
-    #[inline]
-    pub unsafe fn _Unwind_RaiseException(exc: *mut _Unwind_Exception) -> _Unwind_Reason_Code {
-        _Unwind_SjLj_RaiseException(exc)
-    }
+    pub use _Unwind_SjLj_RaiseException as _Unwind_RaiseException;
 }
 } // cfg_if!
 

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ extern "C" {`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`#[allow(improper_ctypes)]`
`50`		`-extern "C-unwind" {`
	`50`	`+extern "Rust" {`
`51`	`51`	/// `payload` is passed through another layer of raw pointers as `&mut dyn Trait` is not
`52`	`52`	/// FFI-safe. `BoxMeUp` lazily performs allocation only when needed (this avoids allocations
`53`	`53`	`/// when using the "abort" panic runtime).`
Original file line number	Diff line number	Diff line change
`@@ -264,10 +264,7 @@ if #[cfg(not(all(target_os = "ios", target_arch = "arm")))] {`
`264`	`264`	`pub fn _Unwind_SjLj_RaiseException(e: *mut _Unwind_Exception) -> _Unwind_Reason_Code;`
`265`	`265`	`}`
`266`	`266`
`267`		`- #[inline]`
`268`		`- pub unsafe fn _Unwind_RaiseException(exc: *mut _Unwind_Exception) -> _Unwind_Reason_Code {`
`269`		`- _Unwind_SjLj_RaiseException(exc)`
`270`		`- }`
	`267`	`+ pub use _Unwind_SjLj_RaiseException as _Unwind_RaiseException;`
`271`	`268`	`}`
`272`	`269`	`} // cfg_if!`
`273`	`270`