-
-
Notifications
You must be signed in to change notification settings - Fork 255
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Panic safety (or lack thereof) #1543
Comments
I'm not sure I understand this, because a safe function can be internally Consider |
I think the |
Thanks @workingjubilee ! Could you elaborate on your second point about accessing Postgress panics? Do you mean Postgres could cause a panic in C code, and the Rust code simply ignores it and passes it through until some code up the stack handles it? If so, we could move the panic catching logic to wrap the FFI code that calls C function - and only propagate a proper |
Postgres has an error-handling context, it doesn't use unwinding. Instead it "throws" using You might find looking at this informative:
|
thx for the links, but i must still be misunderstanding the meaning of "we should unconditionally panic on" -- at the end of the day, panics and error results are nearly identical in the sense that both can be caught and handled by the calling function. The results are just "cleaner". So there are these cases:
|
One of the error levels that Postgres uses indicates that data corruption is occurring or could occur if the program proceeds further, rescue is not possible, and everything should terminate essentially immediately. It may still run certain termination handlers nonetheless (like unwinding would). So, no. I agree that we may want to make it easier to handle certain possibly-panicking functions, but mostly because if we do things that encourage people to roll their own logic for catching unwinds in Rust, they will incorrectly try to "handle" an error that should never be handled. |
I absolutely agree that there is a very small (?) class of errors that should bypass the |
Would it be possible to refactor the code to place all unsafe code within one crate? Similar to how other crates keep FFI bindings in
-sys
, where as the rest of complex code is in pure safe Rust, without any safety concerns? This is more of a hypothetical question at this stage, but if this goal is set early on, it might be possible to move towards that.The second aspect is panics - seems panics is the default method for most PGRX operations, whereas typically
.unwrap()
is a sign that an error is not being properly handled, and may result in a runtime error. Should gradual migration towards theResult<T,E>
be preferred, and what would be needed for this?I am a newcomer to the codebase, so please take it with a grain of salt. Thx!
The text was updated successfully, but these errors were encountered: