Improve debugging ergonomics on mismatched catch/catch_unwind

Author: purplesyringa

.github/workflows/ci.yml

@@ -115,6 +115,8 @@ jobs:
         run: LITHIUM_BACKEND=panic cross test --target $target
       - name: Test with Wasm backend (debug)
         run: RUSTFLAGS="-Z emscripten_wasm_eh" RUSTDOCFLAGS="-Z emscripten_wasm_eh" LITHIUM_BACKEND=wasm cross test --target $target -Z build-std
+      - name: Test with Itanium backend (debug)
+        run: RUSTFLAGS="-Z emscripten_wasm_eh" RUSTDOCFLAGS="-Z emscripten_wasm_eh" LITHIUM_BACKEND=itanium cross test --target $target -Z build-std
       - name: Test with Emscripten backend (debug)
         run: LITHIUM_BACKEND=emscripten cross test --target $target
       - name: Test with std thread locals (debug)
@@ -124,6 +126,8 @@ jobs:
       # XXX: https://github.com/rust-lang/rust/issues/132416
       # - name: Test with Wasm backend (release)
       #   run: RUSTFLAGS="-Z emscripten_wasm_eh" RUSTDOCFLAGS="-Z emscripten_wasm_eh" LITHIUM_BACKEND=wasm cross test --target $target --release -Z build-std
+      # - name: Test with Itanium backend (release)
+      #   run: RUSTFLAGS="-Z emscripten_wasm_eh" RUSTDOCFLAGS="-Z emscripten_wasm_eh" LITHIUM_BACKEND=itanium cross test --target $target --release -Z build-std
       - name: Test with Emscripten backend (release)
         run: LITHIUM_BACKEND=emscripten cross test --target $target --release
       - name: Test with std thread locals (release)
@@ -152,13 +156,17 @@ jobs:
         run: LITHIUM_BACKEND=panic ci/cargo-wasi test --target $target
       - name: Test with Wasm backend (debug)
         run: LITHIUM_BACKEND=wasm ci/cargo-wasi test --target $target
+      - name: Test with Itanium backend (debug)
+        run: LITHIUM_BACKEND=itanium ci/cargo-wasi test --target $target
       - name: Test with std thread locals (debug)
         run: LITHIUM_THREAD_LOCAL=std ci/cargo-wasi test --target $target
       - name: Test with panic backend (release)
         run: LITHIUM_BACKEND=panic ci/cargo-wasi test --target $target --release
       # XXX: Upstream bug at https://github.com/rust-lang/rust/issues/132416
       # - name: Test with Wasm backend (release)
       #   run: LITHIUM_BACKEND=wasm ci/cargo-wasi test --target $target --release
+      # - name: Test with Itanium backend (release)
+      #   run: LITHIUM_BACKEND=itanium ci/cargo-wasi test --target $target --release
       # - name: Test with std thread locals (release)
       #   run: LITHIUM_THREAD_LOCAL=std ci/cargo-wasi test --target $target --release
 

build.rs

@@ -48,7 +48,16 @@ fn main() {
         if is_nightly && cfg("target_os") == "emscripten" && !has_cfg("emscripten_wasm_eh") {
             "emscripten"
         } else if is_nightly && cfg("target_arch") == "wasm32" {
-            "wasm"
+            // Catching a foreign Itanium exception from within Rust is (currently) guaranteed to
+            // abort, but the optimizations we use for Wasm cause std to read uninitialized memory
+            // in this case. Make missing `catch` or misplaced `catch_unwind` calls easier to debug
+            // by switching to the more robust, but slower mechanism in debug mode. We can't use
+            // `has_cfg("debug_assertions")` due to https://github.com/rust-lang/cargo/issues/7634.
+            if std::env::var("PROFILE").unwrap_or_default() == "debug" {
+                "itanium"
+            } else {
+                "wasm"
+            }
         } else if is_nightly
             && (has_cfg("unix") || (has_cfg("windows") && cfg("target_env") == "gnu"))
         {

src/backend/itanium.rs

@@ -42,7 +42,7 @@ unsafe impl ThrowByPointer for ActiveBackend {
     unsafe fn throw(ex: *mut Header) -> ! {
         // SAFETY: We provide a valid exception header.
         unsafe {
-            _Unwind_RaiseException(ex.cast());
+            raise(ex.cast());
         }
     }
 
@@ -81,7 +81,7 @@ unsafe impl ThrowByPointer for ActiveBackend {
             //   If project-ffi-unwind changes the rustc behavior, we might have to update this
             //   code.
             unsafe {
-                _Unwind_RaiseException(ex);
+                raise(ex);
             }
         }
 
@@ -140,7 +140,8 @@ const fn get_unwinder_private_word_count() -> usize {
         target_arch = "sparc64",
         target_arch = "riscv64",
         target_arch = "riscv32",
-        target_arch = "loongarch64"
+        target_arch = "loongarch64",
+        target_arch = "wasm32"
     )) {
         2
     } else {
@@ -159,6 +160,29 @@ unsafe extern "C" fn cleanup(_code: i32, _ex: *mut Header) {
     );
 }
 
+#[cfg(not(target_arch = "wasm32"))]
 unsafe extern "C-unwind" {
     fn _Unwind_RaiseException(ex: *mut u8) -> !;
 }
+
+/// Raise an Itanium EH ABI-compatible exception.
+///
+/// # Safety
+///
+/// `ex` must point at a valid instance of `_Unwind_Exception`.
+#[inline]
+unsafe fn raise(ex: *mut u8) -> ! {
+    #[cfg(not(target_arch = "wasm32"))]
+    // SAFETY: Passthrough.
+    unsafe {
+        _Unwind_RaiseException(ex);
+    }
+
+    // Although Wasm has its own backend, it has worse debug experience than Itanium can offer, so
+    // we teach this backend how to handle Wasm as well.
+    #[cfg(target_arch = "wasm32")]
+    // SAFETY: Passthrough.
+    unsafe {
+        core::arch::wasm32::throw::<0>(ex);
+    }
+}

src/backend/panic.rs

@@ -1,4 +1,5 @@
 use super::ThrowByPointer;
+use crate::abort;
 use alloc::boxed::Box;
 use core::mem::ManuallyDrop;
 use core::panic::AssertUnwindSafe;
@@ -94,3 +95,11 @@ unsafe impl ThrowByPointer for ActiveBackend {
 
 #[repr(transparent)]
 pub(crate) struct LithiumMarker;
+
+impl Drop for LithiumMarker {
+    fn drop(&mut self) {
+        abort(
+            "A Lithium exception was caught by a non-Lithium catch mechanism. This is undefined behavior. The process will now terminate.\n",
+        );
+    }
+}

src/lib.rs

@@ -189,7 +189,10 @@
     feature(core_intrinsics, rustc_attrs)
 )]
 #![cfg_attr(backend = "seh", feature(fn_ptr_trait, std_internals))]
-#![cfg_attr(backend = "wasm", feature(wasm_exception_handling_intrinsics))]
+#![cfg_attr(
+    any(backend = "wasm", all(backend = "itanium", target_arch = "wasm32")),
+    feature(wasm_exception_handling_intrinsics)
+)]
 #![deny(unsafe_op_in_unsafe_fn)]
 #![warn(
     clippy::cargo,
@@ -289,7 +292,6 @@ pub use api::{InFlightException, catch, intercept, throw};
 /// Abort the process with a message.
 ///
 /// If `std` is available, this also outputs a message to stderr before aborting.
-#[allow(dead_code, reason = "not used by all backends")]
 #[cold]
 #[inline(never)]
 fn abort(message: &str) -> ! {

src/stacked_exceptions.rs

@@ -85,9 +85,14 @@ impl<E> RethrowHandle for PointerRethrowHandle<E> {
 type Header = <ActiveBackend as ThrowByPointer>::ExceptionHeader;
 
 /// An exception object, to be used by the backend.
+///
+/// Neither the backend header nor the cause are dropped automatically when `Exception` is dropped.
+/// Use [`Exception::cause`] to extract the cause and drop data owned by the backend header in
+/// [`ActiveBackend::intercept`]. This allows the panic backend to abort in `Drop` when it's
+/// accidentally caught by user code.
 #[repr(C)] // ensure `header` is at the same offset regardless of `E`
 pub struct Exception<E> {
-    header: Header,
+    header: ManuallyDrop<Header>,
     cause: ManuallyDrop<Unaligned<E>>,
 }
 
@@ -98,7 +103,7 @@ impl<E> Exception<E> {
     /// Create a new exception to be thrown.
     fn new(cause: E) -> Self {
         Self {
-            header: ActiveBackend::new_header(),
+            header: ManuallyDrop::new(ActiveBackend::new_header()),
             cause: ManuallyDrop::new(Unaligned(cause)),
         }
     }
@@ -110,7 +115,7 @@ impl<E> Exception<E> {
     /// `ex` must be a unique pointer at an exception object.
     pub const unsafe fn header(ex: *mut Self) -> *mut Header {
         // SAFETY: Required transitively.
-        unsafe { &raw mut (*ex).header }
+        unsafe { &raw mut (*ex).header }.cast()
     }
 
     /// Restore pointer from pointer to header.