RFC: Abort by default #1759
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| - Feature Name: abort_by_default | ||
| - Start Date: 2016-10-01 | ||
| - RFC PR: (leave this empty) | ||
| - Rust Issue: (leave this empty) | ||
|
|
||
| # Summary | ||
| [summary]: #summary | ||
|
|
||
| Specify `panic=abort` in `Cargo.toml` when the user does `cargo new --bin`. | ||
|
|
||
| # Motivation | ||
| [motivation]: #motivation | ||
|
|
||
| ## Performance | ||
|
|
||
| Generally, the performance of bigger programs [improves by 10%](https://www.youtube.com/watch?v=mRGb4hoGuPs), which is no small amount. When overflow checking is enabled, it is as high as 2x, making overflowing checking plausible in production. | ||
|
|
||
| The performance gains mainly originates in the fact that it is a lot easier for the compiler to optimize, due to the unwind path disappearing, and hence reasoning about the code becomes easier. | ||
|
|
||
| ## Binary size | ||
|
|
||
| Binary size improves by 10% as well. This is due to the lack of landing pads which are injected in the stack when unwinding is enabled. | ||
|
|
||
| ## Compile time | ||
|
|
||
| Compile time in debug mode improves by 20% on average. In release mode, the number is around 10%. | ||
|
|
||
| ## Runtime size | ||
|
|
||
| Unwinding requires a fair amount of runtime code, which can be seen as conflicting with the goals of Rust. | ||
|
|
||
| ## Correctness | ||
|
|
||
| You often see people abusing `std::panic::catch_unwind` for exception handling. Forcing the user to explicitly opt in to unwinding will make it harder to unintentionally misuse it. | ||
|
|
||
| # Detailed design | ||
| [design]: #detailed-design | ||
|
|
||
| Have `cargo` generate `panic=abort` to the `Cargo.toml`. Whenever the user inteacts with `cargo` (by using a command) and the `Cargo.toml` has no specified panicking strategy, it will add `panic=unwind` and leave a note to the user: | ||
|
|
||
| Warning: No panic strategy was specified, added unwinding to the `Cargo.toml` file, please consider change it to your needs. | ||
|
|
||
| For libraries, nothing is modified, as they inherit the strategy of the binary. | ||
|
|
||
| After several release cycles, an extension could be added, which makes specifying the strategy mandatory. | ||
|
|
||
| # Drawbacks | ||
| [drawbacks]: #drawbacks | ||
|
|
||
| It makes panics global by default (i.e., panicking in some thread will abort the whole program). | ||
|
There was a problem hiding this comment. This will break There was a problem hiding this comment. Well, not really: with panic=abort one will never see a non-zero panic_count, which is still functional behavior as long as the program's functionality doesn't rely on panics being non-fatal to the program. There was a problem hiding this comment.
If 'abort by default' was implemented, programs that use There was a problem hiding this comment.
|
||
|
|
||
| It might make it tempting to ignore the existence of an unwind option and consequently shaping the code after panicking being aborting. | ||
|
|
||
| ## Unwinding is not bad per se | ||
|
|
||
| Unwinding has numerous advantages. Especially for certain classes of applications. These includes better error handling and better cleanup. | ||
|
|
||
| Unwinding is especially important to long-running applications. | ||
|
|
||
| # Alternatives | ||
| [alternatives]: #alternatives | ||
|
|
||
| Keep unwinding as default. | ||
|
|
||
| Make Cargo set `panic=abort` in all new binaries. | ||
|
|
||
| Use unwind in `debug` and abort in `release`. | ||
|
|
||
| Make use of more exotic instructions like `bound`, allowing e.g. overflow or bound checking without branches. This comes at the expense of error output. | ||
|
|
||
| # Unresolved questions | ||
| [unresolved]: #unresolved-questions | ||
|
|
||
| None. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think I have ever actually seen this in practice. Where does this pop up often?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At least one person has done this:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On /r/rust people regularly talk about how "nice it is to have exceptions".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was an intentional misuse though. Cf. https://www.reddit.com/r/rust/comments/53ft4m/my_experience_rewriting_enjarify_in_rust/d7ss1vy