Auto merge of #97033 - nbdd0121:unwind3, r=Amanieu

Remove libstd's calls to `C-unwind` foreign functions

Remove all libstd and its dependencies' usage of `extern "C-unwind"`.

This is a prerequiste of a WIP PR which will forbid libraries calling `extern "C-unwind"` functions to be compiled in `-Cpanic=unwind` and linked against `panic_abort` (this restriction is necessary to address soundness bug #96926).
Cargo will ensure all crates are compiled with the same `-Cpanic` but the std is only compiled `-Cpanic=unwind` but needs the ability to be linked into `-Cpanic=abort`.

Currently there are two places where `C-unwind` is used in libstd:
* `__rust_start_panic` is used for interfacing to the panic runtime. This could be `extern "Rust"`
* `_{rdl,rg}_oom`: a shim `__rust_alloc_error_handler` will be generated by codegen to call into one of these; they can also be `extern "Rust"` (in fact, the generated shim is used as `extern "Rust"`, so I am not even sure why these are not, probably because they used to `extern "C"` and was changed to `extern "C-unwind"` when we allow alloc error hooks to unwind, but they really should just be using Rust ABI).

For dependencies, there is only one `extern "C-unwind"` function call, in `unwind` crate. This can be expressed as a re-export.

More dicussions can be seen in the Zulip thread: https://rust-lang.zulipchat.com/#narrow/stream/210922-project-ffi-unwind/topic/soundness.20in.20mixed.20panic.20mode

`@rustbot` label: T-libs F-c_unwind

diff --git a/library/alloc/src/alloc.rs b/library/alloc/src/alloc.rs
index 6162b5c6d4c9308fa379f9ab9567e57f22ba02a5..649aeb0890dc050ee32f55b760538e80243da5b4 100644 (file)
--- a/library/alloc/src/alloc.rs
+++ b/library/alloc/src/alloc.rs
@@ -398,13 +398,13 @@ pub mod __alloc_error_handler {
 
     // if there is no `#[alloc_error_handler]`
     #[rustc_std_internal_symbol]
-    pub unsafe extern "C-unwind" fn __rdl_oom(size: usize, _align: usize) -> ! {
+    pub unsafe fn __rdl_oom(size: usize, _align: usize) -> ! {
         panic!("memory allocation of {size} bytes failed")
     }
 
     // if there is an `#[alloc_error_handler]`
     #[rustc_std_internal_symbol]
-    pub unsafe extern "C-unwind" fn __rg_oom(size: usize, align: usize) -> ! {
+    pub unsafe fn __rg_oom(size: usize, align: usize) -> ! {
         let layout = unsafe { Layout::from_size_align_unchecked(size, align) };
         extern "Rust" {
             #[lang = "oom"]

diff --git a/library/panic_abort/src/lib.rs b/library/panic_abort/src/lib.rs
index 2bcb3182a7bf2eac0ec9b998ba0c78350bcfc1f1..0a1aa7bb3c833939e8477d172956bd7724beeb6b 100644 (file)
--- a/library/panic_abort/src/lib.rs
+++ b/library/panic_abort/src/lib.rs
@@ -30,7 +30,7 @@
 
 // "Leak" the payload and shim to the relevant abort on the platform in question.
 #[rustc_std_internal_symbol]
-pub unsafe extern "C-unwind" fn __rust_start_panic(_payload: *mut &mut dyn BoxMeUp) -> u32 {
+pub unsafe fn __rust_start_panic(_payload: *mut &mut dyn BoxMeUp) -> u32 {
     // Android has the ability to attach a message as part of the abort.
     #[cfg(target_os = "android")]
     android::android_set_abort_message(_payload);

diff --git a/library/panic_unwind/src/lib.rs b/library/panic_unwind/src/lib.rs
index 7f05c82ac284bdfc9c279c8ff0f4a221a3235464..4ae5f8ae4468d80e42e40f02ad55efcc4b39d3c2 100644 (file)
--- a/library/panic_unwind/src/lib.rs
+++ b/library/panic_unwind/src/lib.rs
@@ -104,7 +104,7 @@
 // Entry point for raising an exception, just delegates to the platform-specific
 // implementation.
 #[rustc_std_internal_symbol]
-pub unsafe extern "C-unwind" fn __rust_start_panic(payload: *mut &mut dyn BoxMeUp) -> u32 {
+pub unsafe fn __rust_start_panic(payload: *mut &mut dyn BoxMeUp) -> u32 {
     let payload = Box::from_raw((*payload).take_box());
 
     imp::panic(payload)

diff --git a/library/std/src/panicking.rs b/library/std/src/panicking.rs
index f1baf077580e672d03f4b924d7940d1dc0908740..9b045980d4543dfc33ebd3265aaace13afd55002 100644 (file)
--- a/library/std/src/panicking.rs
+++ b/library/std/src/panicking.rs
@@ -47,7 +47,7 @@
 }
 
 #[allow(improper_ctypes)]
-extern "C-unwind" {
+extern "Rust" {
     /// `payload` is passed through another layer of raw pointers as `&mut dyn Trait` is not
     /// FFI-safe. `BoxMeUp` lazily performs allocation only when needed (this avoids allocations
     /// when using the "abort" panic runtime).

diff --git a/library/unwind/src/libunwind.rs b/library/unwind/src/libunwind.rs
index 432628613f586e0480d06dc45a7aa3397cfa36a5..7b78bda424bb02a14fa019d47ae115cf768a9fae 100644 (file)
--- a/library/unwind/src/libunwind.rs
+++ b/library/unwind/src/libunwind.rs
@@ -264,10 +264,7 @@ pub fn _Unwind_Backtrace(trace: _Unwind_Trace_Fn,
         pub fn _Unwind_SjLj_RaiseException(e: *mut _Unwind_Exception) -> _Unwind_Reason_Code;
     }
 
-    #[inline]
-    pub unsafe fn _Unwind_RaiseException(exc: *mut _Unwind_Exception) -> _Unwind_Reason_Code {
-        _Unwind_SjLj_RaiseException(exc)
-    }
+    pub use _Unwind_SjLj_RaiseException as _Unwind_RaiseException;
 }
 } // cfg_if!