mirror of https://github.com/rust-lang/nomicon
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
36 lines
2.1 KiB
36 lines
2.1 KiB
10 years ago
|
% Poisoning
|
||
|
|
||
|
Although all unsafe code *must* ensure it has minimal exception safety, not all
|
||
|
types ensure *maximal* exception safety. Even if the type does, your code may
|
||
|
ascribe additional meaning to it. For instance, an integer is certainly
|
||
|
exception-safe, but has no semantics on its own. It's possible that code that
|
||
|
panics could fail to correctly update the integer, producing an inconsistent
|
||
|
program state.
|
||
|
|
||
|
This is *usually* fine, because anything that witnesses an exception is about
|
||
|
to get destroyed. For instance, if you send a Vec to another thread and that
|
||
|
thread panics, it doesn't matter if the Vec is in a weird state. It will be
|
||
|
dropped and go away forever. However some types are especially good at smuggling
|
||
|
values across the panic boundary.
|
||
|
|
||
|
These types may choose to explicitly *poison* themselves if they witness a panic.
|
||
|
Poisoning doesn't entail anything in particular. Generally it just means
|
||
|
preventing normal usage from proceeding. The most notable example of this is the
|
||
|
standard library's Mutex type. A Mutex will poison itself if one of its
|
||
|
MutexGuards (the thing it returns when a lock is obtained) is dropped during a
|
||
|
panic. Any future attempts to lock the Mutex will return an `Err` or panic.
|
||
|
|
||
|
Mutex poisons not for *true* safety in the sense that Rust normally cares about. It
|
||
|
poisons as a safety-guard against blindly using the data that comes out of a Mutex
|
||
|
that has witnessed a panic while locked. The data in such a Mutex was likely in the
|
||
|
middle of being modified, and as such may be in an inconsistent or incomplete state.
|
||
|
It is important to note that one cannot violate memory safety with such a type
|
||
|
if it is correctly written. After all, it must be minimally exception-safe!
|
||
|
|
||
|
However if the Mutex contained, say, a BinaryHeap that does not actually have the
|
||
|
heap property, it's unlikely that any code that uses it will do
|
||
|
what the author intended. As such, the program should not proceed normally.
|
||
|
Still, if you're double-plus-sure that you can do *something* with the value,
|
||
|
the Mutex exposes a method to get the lock anyway. It *is* safe, after all.
|
||
|
Just maybe nonsense.
|