Fixes safe Rust part of soundness bug 52652 by aborting on safe extern "C" functions

gnzlbg · gnzlbg · commit 08574db45981 · 2019-09-09T19:32:29.000+02:00
diff --git a/src/librustc_mir/build/mod.rs b/src/librustc_mir/build/mod.rs
@@ -491,6 +491,7 @@ fn should_abort_on_panic(tcx: TyCtxt<'_>, fn_def_id: DefId, abi: Abi) -> bool {
 
     // Validate `#[unwind]` syntax regardless of platform-specific panic strategy
     let attrs = &tcx.get_attrs(fn_def_id);
+    let unsafety = &tcx.fn_sig(fn_def_id).skip_binder().unsafety.clone();
     let unwind_attr = attr::find_unwind_attr(Some(tcx.sess.diagnostic()), attrs);
 
     // We never unwind, so it's not relevant to stop an unwind
@@ -502,9 +503,11 @@ fn should_abort_on_panic(tcx: TyCtxt<'_>, fn_def_id: DefId, abi: Abi) -> bool {
     // This is a special case: some functions have a C abi but are meant to
     // unwind anyway. Don't stop them.
     match unwind_attr {
-        None => false, // FIXME(#58794)
         Some(UnwindAttr::Allowed) => false,
         Some(UnwindAttr::Aborts) => true,
+        // If no `#[unwind]` attribute present unsafe function definitions
+        // are temporarily allowed to unwind:
+        None => unsafety == &rustc::hir::Unsafety::Normal,
     }
 }
 
diff --git a/src/test/ui/abi/abort-on-c-abi.rs b/src/test/ui/abi/abort-on-c-abi.rs
@@ -14,14 +14,19 @@ use std::io::prelude::*;
 use std::io;
 use std::process::{Command, Stdio};
 
-#[unwind(aborts)] // FIXME(#58794)
+unsafe extern "C" fn unsafe_panic_in_ffi() {
+    panic!("Test");
+}
+
 extern "C" fn panic_in_ffi() {
     panic!("Test");
 }
 
 fn test() {
-    let _ = panic::catch_unwind(|| { panic_in_ffi(); });
-    // The process should have aborted by now.
+    // A safe extern "C" function that panics should abort the process:
+    let _ = panic::catch_unwind(|| panic_in_ffi() );
+
+    // If the process did not abort, the panic escaped FFI:
     io::stdout().write(b"This should never be printed.\n");
     let _ = io::stdout().flush();
 }
@@ -37,4 +42,7 @@ fn main() {
                         .stdin(Stdio::piped())
                         .arg("test").spawn().unwrap();
     assert!(!p.wait().unwrap().success());
+
+    // An unsafe extern "C" function that panics should let the panic escape:
+    assert!(panic::catch_unwind(|| unsafe { unsafe_panic_in_ffi() }).is_err());
 }
