FIX: Add AbortIfPanic guard to remove_index

It's a critical section where we can't panic. Mark the reason in the
guard and message.

Author: bluss

src/impl_methods.rs

@@ -26,6 +26,7 @@ use crate::dimension::broadcast::co_broadcast;
 use crate::error::{self, ErrorKind, ShapeError, from_kind};
 use crate::math_cell::MathCell;
 use crate::itertools::zip;
+use crate::low_level_util::AbortIfPanic;
 use crate::zip::{IntoNdProducer, Zip};
 use crate::AxisDescription;
 
@@ -2476,6 +2477,7 @@ where
             //      dst = elt;
             //  }
             //
+            let guard = AbortIfPanic(&"remove_index: temporarily moving out of owned value");
             let mut slot = MaybeUninit::<A>::uninit();
             unsafe {
                 slot.as_mut_ptr().copy_from_nonoverlapping(dst, 1);
@@ -2485,6 +2487,7 @@ where
                 }
                 (dst as *mut A).copy_from_nonoverlapping(slot.as_ptr(), 1);
             }
+            guard.defuse();
         });
         // then slice the axis in place to cut out the removed final element
         self.slice_axis_inplace(axis, Slice::new(0, Some(-1), 1));

src/lib.rs

@@ -205,6 +205,7 @@ mod shape_builder;
 mod slice;
 mod split_at;
 mod stacking;
+mod low_level_util;
 #[macro_use]
 mod zip;
 

src/low_level_util.rs

@@ -0,0 +1,40 @@
+// Copyright 2021 bluss and ndarray developers.
+//
+// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
+// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
+// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
+// option. This file may not be copied, modified, or distributed
+// except according to those terms.
+
+
+/// Guard value that will abort if it is dropped.
+/// To defuse, this value must be forgotten before the end of the scope.
+///
+/// The string value is added to the message printed if aborting.
+#[must_use]
+pub(crate) struct AbortIfPanic(pub(crate) &'static &'static str);
+
+impl AbortIfPanic {
+    /// Defuse the AbortIfPanic guard. This *must* be done when finished.
+    #[inline]
+    pub(crate) fn defuse(self) {
+        std::mem::forget(self);
+    }
+}
+
+impl Drop for AbortIfPanic {
+    // The compiler should be able to remove this, if it can see through that there
+    // is no panic in the code section.
+    fn drop(&mut self) {
+        #[cfg(feature="std")]
+        {
+            eprintln!("ndarray: panic in no-panic section, aborting: {}", self.0);
+            std::process::abort()
+        }
+        #[cfg(not(feature="std"))]
+        {
+            // no-std uses panic-in-panic (should abort)
+            panic!("ndarray: panic in no-panic section, bailing out: {}", self.0);
+        }
+    }
+}