Mixing crates using different panic modes may introduce UB if a non-Rust unwind "escapes" into panic=abort crate via "C-unwind"

[BatmanAoD]

This is a case of undefined behavior around unwinding that will not be fixed by the stabilization of the "C-unwind" ABI.

Suppose there exists a C++ library with this function:

void cpp_unwind() {
    throw "gotcha";
}

If this function is compiled as part of a crate with panic=unwind:

extern "C-unwind" {
    cpp_unwind()
}

pub fn unwinds() { unsafe { cpp_unwind() } }

...and then called from a crate compiled with panic=abort, the behavior is undefined, because the calling function will be compiled with the assumption that unwinding is impossible.

Note:

• If cpp_unwind is declared with extern "C", the behavior will be well-defined: the runtime will abort even if panic=unwind is used.
• Cargo does not support mixing panic modes like this, so this situation is only possible by invoking rustc directly (or via a different build system).
• The unwind must originate outside of Rust, because only one panic!() implementation will be linked in the final binary, so using panic=abort will prevent panic!() from unwinding the stack in the first place.

[BatmanAoD]

There is a draft for a fix here: #86801

Edit: this would not quite fix the issue. Discussion here: https://rust-lang.zulipchat.com/#narrow/stream/210922-project-ffi-unwind/topic/soundness.20in.20mixed.20panic.20mode/near/281893151

[RalfJung]

The unwind must originate outside of Rust, because only one panic!() implementation will be linked in the final binary, so using panic=abort will prevent panic!() from unwinding the stack in the first place.

Ah, that would indeed make it impossible to even trigger this in Miri, let alone detect it.

Marking this as unsound for now, but I guess the alternative would be to say that if you are linking with external code that unwinds, it is your responsibility to ensure that all crates are compiled appropriately (and cargo will take care of that automatically).

Do we even want to support mixed panics modes, given cargo doesn't and they can be unsound and are generally rather subtle? Could we have rsutc warn against or even error in case panic modes are mixed?

[RalfJung]

Also see the Zulip discussion.

EDIT: oops that was already linked above.

[nbdd0121]

@rustbot claim