Validate exception types in debug

Author: purplesyringa

src/backend/seh.rs

@@ -6,6 +6,7 @@ use super::{
     super::{abort, intrinsic::intercept},
     RethrowHandle, ThrowByValue,
 };
+use crate::type_checker::TypeChecker;
 use alloc::boxed::Box;
 use core::any::Any;
 use core::marker::{FnPtr, PhantomData};
@@ -89,12 +90,16 @@ unsafe impl ThrowByValue for ActiveBackend {
 
             // We catch the exception by reference, so the C++ runtime will drop it. Tell our
             // destructor to calm down.
+
+            // SAFETY: This is our exception, so `ex_lithium` at least points at a valid instance of
+            // `ExceptionHeader`. We don't really want to assert that it's `Exception<E>` yet, since
+            // the E might be wrong and we want to guard against that in debug.
+            let header = unsafe { &mut (*ex_lithium).header };
+            header.caught = true;
+            header.type_checker.expect::<E>();
+
             // SAFETY: This is our exception, so `ex_lithium` points at a valid instance of
             // `Exception<E>`.
-            unsafe {
-                (*ex_lithium).header.caught = true;
-            }
-            // SAFETY: As above.
             let cause = unsafe { &mut (*ex_lithium).cause };
             // SAFETY: We only read the cause here, so no double copies.
             CaughtUnwind::LithiumException(unsafe { ManuallyDrop::take(cause) })
@@ -131,6 +136,7 @@ unsafe fn do_throw<E>(cause: E) -> ! {
         header: ExceptionHeader {
             canary: (&raw const THROW_INFO).cast(), // any static will work
             caught: false,
+            type_checker: TypeChecker::new::<E>(),
         },
         cause: ManuallyDrop::new(cause),
     };
@@ -145,6 +151,7 @@ unsafe fn do_throw<E>(cause: E) -> ! {
 struct ExceptionHeader {
     canary: *const (), // From Rust ABI
     caught: bool,
+    type_checker: TypeChecker,
 }
 
 #[repr(C)]
@@ -354,11 +361,15 @@ impl<T: ?Sized> SmallPtr<*const T> {
 }
 
 unsafe extern "system-unwind" {
+    #[allow(
+        improper_ctypes,
+        reason = "false positive that TypeId is not FFI-safe in debug"
+    )]
     fn RaiseException(
         code: u32,
         flags: u32,
         n_parameters: u32,
-        paremeters: *mut ExceptionRecordParameters,
+        parameters: *mut ExceptionRecordParameters,
     ) -> !;
 }
 

src/lib.rs

@@ -287,6 +287,8 @@ mod stacked_exceptions;
 ))]
 mod intrinsic;
 
+mod type_checker;
+
 pub use api::{InFlightException, catch, intercept, throw};
 
 /// Abort the process with a message.

src/stacked_exceptions.rs

@@ -2,6 +2,7 @@ use super::{
     backend::{ActiveBackend, RethrowHandle, ThrowByPointer, ThrowByValue},
     heterogeneous_stack::unbounded::Stack,
 };
+use crate::type_checker::TypeChecker;
 use core::mem::{ManuallyDrop, offset_of};
 
 // Module invariant: thrown exceptions of type `E` are passed to the pointer-throwing backend as
@@ -82,7 +83,12 @@ impl<E> RethrowHandle for PointerRethrowHandle<E> {
     }
 }
 
-type Header = <ActiveBackend as ThrowByPointer>::ExceptionHeader;
+type BackendHeader = <ActiveBackend as ThrowByPointer>::ExceptionHeader;
+
+struct Header {
+    backend_header: ManuallyDrop<BackendHeader>,
+    type_checker: TypeChecker,
+}
 
 /// An exception object, to be used by the backend.
 ///
@@ -92,7 +98,7 @@ type Header = <ActiveBackend as ThrowByPointer>::ExceptionHeader;
 /// accidentally caught by user code.
 #[repr(C)] // ensure `header` is at the same offset regardless of `E`
 pub struct Exception<E> {
-    header: ManuallyDrop<Header>,
+    header: Header,
     cause: ManuallyDrop<Unaligned<E>>,
 }
 
@@ -103,7 +109,10 @@ impl<E> Exception<E> {
     /// Create a new exception to be thrown.
     fn new(cause: E) -> Self {
         Self {
-            header: ManuallyDrop::new(ActiveBackend::new_header()),
+            header: Header {
+                backend_header: ManuallyDrop::new(ActiveBackend::new_header()),
+                type_checker: TypeChecker::new::<E>(),
+            },
             cause: ManuallyDrop::new(Unaligned(cause)),
         }
     }
@@ -113,9 +122,9 @@ impl<E> Exception<E> {
     /// # Safety
     ///
     /// `ex` must be a unique pointer at an exception object.
-    pub const unsafe fn header(ex: *mut Self) -> *mut Header {
+    pub const unsafe fn header(ex: *mut Self) -> *mut BackendHeader {
         // SAFETY: Required transitively.
-        unsafe { &raw mut (*ex).header }.cast()
+        unsafe { &raw mut (*ex).header.backend_header }.cast()
     }
 
     /// Restore pointer from pointer to header.
@@ -124,9 +133,9 @@ impl<E> Exception<E> {
     ///
     /// `header` must have been produced by [`Exception::header`], and the corresponding object must
     /// be alive.
-    pub const unsafe fn from_header(header: *mut Header) -> *mut Self {
+    pub const unsafe fn from_header(header: *mut BackendHeader) -> *mut Self {
         // SAFETY: Required transitively.
-        unsafe { header.byte_sub(offset_of!(Self, header)) }.cast()
+        unsafe { header.byte_sub(offset_of!(Self, header.backend_header)) }.cast()
     }
 
     /// Get the cause of the exception.
@@ -136,6 +145,7 @@ impl<E> Exception<E> {
     /// This function returns a bitwise copy of the cause. This means that it can only be called
     /// once on each exception.
     pub unsafe fn cause(&mut self) -> E {
+        self.header.type_checker.expect::<E>();
         // SAFETY: We transitively require that the cause is not read twice.
         unsafe { ManuallyDrop::take(&mut self.cause).0 }
     }
@@ -227,6 +237,10 @@ pub unsafe fn replace_last<E, F>(ex: *mut Exception<E>, cause: F) -> *mut Except
     if const { get_alloc_size::<E>() == get_alloc_size::<F>() } {
         // Reuse existing allocation without populating the header again
         let ex: *mut Exception<F> = ex.cast();
+        // SAFETY: Type checker is stored at the same offset regardless of type.
+        unsafe {
+            (*ex).header.type_checker = TypeChecker::new::<F>();
+        }
         // SAFETY: If `ex.cause` was valid for writes for `size_of::<E>()` bytes, it should be valid
         // for `size_of::<F>()` bytes as well because those are equal.
         unsafe {

src/type_checker.rs

@@ -0,0 +1,85 @@
+#[cfg(debug_assertions)]
+mod imp {
+    use crate::abort;
+    use core::any::{TypeId, type_name};
+    use core::marker::PhantomData;
+
+    /// A best-effort runtime type checker for thrown and caught exception.
+    ///
+    /// Only enabled in debug, zero-cost in release.
+    pub struct TypeChecker {
+        id: TypeId,
+        name: &'static str,
+    }
+
+    impl TypeChecker {
+        // Create RTTI for `T`.
+        pub fn new<T: ?Sized>() -> Self {
+            Self {
+                id: type_id::<T>(),
+                name: type_name::<T>(),
+            }
+        }
+
+        // Validate that `T` matches the stored RTTI (best-effort only).
+        pub fn expect<T: ?Sized>(&self) {
+            if self.id != type_id::<T>() {
+                abort(&alloc::format!(
+                    "lithium::catch::<_, {}> caught an exception of type {}. This is undefined behavior. The process will now terminate.\n",
+                    core::any::type_name::<T>(),
+                    self.name,
+                ));
+            }
+        }
+    }
+
+    fn type_id<T: ?Sized>() -> TypeId {
+        // This implements `core::any::type_id` for non-`'static` types and is simply copied from
+        // dtolnay's `typeid` crate. That's a small crate, but keeping Lithium zero-dep sounds
+        // worthwhile, and it'll probably slightly improve compilation times.
+        trait NonStaticAny {
+            fn get_type_id(&self) -> TypeId
+            where
+                Self: 'static;
+        }
+
+        impl<T: ?Sized> NonStaticAny for PhantomData<T> {
+            fn get_type_id(&self) -> TypeId
+            where
+                Self: 'static,
+            {
+                TypeId::of::<T>()
+            }
+        }
+
+        NonStaticAny::get_type_id(
+            // SAFETY: Just a lifetime transmute, we never handle references with the extended
+            // lifetime.
+            unsafe {
+                core::mem::transmute::<&dyn NonStaticAny, &(dyn NonStaticAny + 'static)>(
+                    &PhantomData::<T>,
+                )
+            },
+        )
+    }
+}
+
+#[cfg(not(debug_assertions))]
+mod imp {
+    /// A best-effort runtime type checker for thrown and caught exception.
+    ///
+    /// Only enabled in debug, zero-cost in release.
+    pub struct TypeChecker;
+
+    impl TypeChecker {
+        // Create RTTI for `T`.
+        pub fn new<T: ?Sized>() -> Self {
+            Self
+        }
+
+        // Validate that `T` matches the stored RTTI (best-effort only).
+        pub fn expect<T: ?Sized>(&self) {}
+    }
+}
+
+pub use imp::TypeChecker;