Prevent foreign Rust exceptions from being caught

[nbdd0121]

Fix #102715

Use the address of a static variable (which is guaranteed to be unique per copy of std) to tell apart if a Rust exception comes from local or foreign Rust code, and abort for the latter.

[rustbot]

Hey! It looks like you've submitted a new PR for the library teams!

If this PR contains changes to any rust-lang/rust public library APIs then please comment with @rustbot label +T-libs-api -T-libs to tag it appropriately. If this PR contains changes to any unstable APIs please edit the PR description to add a link to the relevant API Change Proposal or create one if you haven't already. If you're unsure where your change falls no worries, just leave it as is and the reviewer will take a look and make a decision to forward on if necessary.

Examples of T-libs-api changes:

• Stabilizing library features
• Introducing insta-stable changes such as new implementations of existing stable traits on existing stable types
• Introducing new or changing existing unstable library APIs (excluding permanently unstable features / features without a tracking issue)
• Changing public documentation in ways that create new stability guarantees
• Changing observable runtime behavior of library APIs

[rust-highfive]

r? @m-ou-se

(rust-highfive has picked a reviewer for you, use r? to override)

[bjorn3]

Maybe change this to avoid unsoundness in combination with older rust versions? Same for the exception type for the other unwinding mechanisms.

[nbdd0121]

I think it's worth mentioning that catching a foreign unwind in Rust is UB. We are providing guards against this but it's not part of guarantee.

Currently there are no ways to hit this on stable, and if you hit this using nightly you are already in UB territory. So we can change this string (and the exception class), but we don't have to.

[m-ou-se]

r? @Amanieu

[Amanieu]

@bors r+

[bors]

📌 Commit c33cef6 has been approved by Amanieu

It is now in the queue for this repository.

[joboet]

I hope I am correct in doing this, but this should probably not be merged with the unsoundness above (I think that also caused the rollup to fail).

@bors r-

[bors]

@joboet: 🔑 Insufficient privileges: Not in reviewers

[Amanieu]

Nice catch!

@bors r+

[bors]

📌 Commit 65c7d94d94e575edc934de5081d674856baf67df has been approved by Amanieu

It is now in the queue for this repository.

[bors]

⌛ Testing commit 65c7d94d94e575edc934de5081d674856baf67df with merge d3129761e1defe2e2c5878b84934fa9664e251a7...

[bors]

💔 Test failed - checks-actions

[Dylan-DPC]

failed in rollup

@bors r-

[nbdd0121]

Hmm, I tested the test case on nightly i686-pc-windows-gnu and it doesn't work either. I am not familiar enough with windows-gnu targets to troubleshoot it, unfortunately.

However, given that the problem is not related to the main PR itself, I'll just mark the test as ignore-windows-gnu. Is that okay? @Amanieu

[Amanieu]

i686-mingw requires unwind tables to be registered with the unwinder when the module is loaded. We do this, but the problem in this case is that the cdylib has its own copy of libgcc statically linked into it. This is somewhat by design so that mingw executables don't have a runtime dependency on libgcc_s.dll, but it breaks cross-DLL unwinding since the respective unwinders are not aware of the unwind tables in other modules.

I think ignoring the test is fine in this case, but only on i686. Other architectures do not have this limitation.

[nbdd0121]

I think ignoring the test is fine in this case, but only on i686. Other architectures do not have this limitation.

Yeah, I tested this on x86_64 MinGW and it works fine. However we only have ignore-x86 and ignore-windows-gnu, but not ignore-(x86 and windows-gnu). Which directive should I use?

[Amanieu]

You can pass a full target triple: // ignore-i686-pc-windows-gnu

[Amanieu]

@bors r+

[bors]

📌 Commit bfac2da has been approved by Amanieu

It is now in the queue for this repository.