nomicon/poisoning.md

% Poisoning

Although all unsafe code *must* ensure it has minimal exception safety, not all
types ensure *maximal* exception safety. Even if the type does, your code may
ascribe additional meaning to it. For instance, an integer is certainly
exception-safe, but has no semantics on its own. It's possible that code that
panics could fail to correctly update the integer, producing an inconsistent
program state.

This is *usually* fine, because anything that witnesses an exception is about
to get destroyed. For instance, if you send a Vec to another thread and that
thread panics, it doesn't matter if the Vec is in a weird state. It will be
dropped and go away forever. However some types are especially good at smuggling
values across the panic boundary.

These types may choose to explicitly *poison* themselves if they witness a panic.
Poisoning doesn't entail anything in particular. Generally it just means
preventing normal usage from proceeding. The most notable example of this is the
standard library's Mutex type. A Mutex will poison itself if one of its
MutexGuards (the thing it returns when a lock is obtained) is dropped during a
panic. Any future attempts to lock the Mutex will return an `Err` or panic.

Mutex poisons not for *true* safety in the sense that Rust normally cares about. It
poisons as a safety-guard against blindly using the data that comes out of a Mutex
that has witnessed a panic while locked. The data in such a Mutex was likely in the
middle of being modified, and as such may be in an inconsistent or incomplete state.
It is important to note that one cannot violate memory safety with such a type
if it is correctly written. After all, it must be minimally exception-safe!

However if the Mutex contained, say, a BinaryHeap that does not actually have the
heap property, it's unlikely that any code that uses it will do
what the author intended. As such, the program should not proceed normally.
Still, if you're double-plus-sure that you can do *something* with the value,
the Mutex exposes a method to get the lock anyway. It *is* safe, after all.
Just maybe nonsense.
shard out and clean up unwinding 9 years ago			`% Poisoning`

			`Although all unsafe code must ensure it has minimal exception safety, not all`
			`types ensure maximal exception safety. Even if the type does, your code may`
			`ascribe additional meaning to it. For instance, an integer is certainly`
			`exception-safe, but has no semantics on its own. It's possible that code that`
			`panics could fail to correctly update the integer, producing an inconsistent`
			`program state.`

			`This is usually fine, because anything that witnesses an exception is about`
			`to get destroyed. For instance, if you send a Vec to another thread and that`
			`thread panics, it doesn't matter if the Vec is in a weird state. It will be`
			`dropped and go away forever. However some types are especially good at smuggling`
			`values across the panic boundary.`

			`These types may choose to explicitly poison themselves if they witness a panic.`
			`Poisoning doesn't entail anything in particular. Generally it just means`
			`preventing normal usage from proceeding. The most notable example of this is the`
			`standard library's Mutex type. A Mutex will poison itself if one of its`
			`MutexGuards (the thing it returns when a lock is obtained) is dropped during a`
			panic. Any future attempts to lock the Mutex will return an `Err` or panic.

			`Mutex poisons not for true safety in the sense that Rust normally cares about. It`
			`poisons as a safety-guard against blindly using the data that comes out of a Mutex`
			`that has witnessed a panic while locked. The data in such a Mutex was likely in the`
			`middle of being modified, and as such may be in an inconsistent or incomplete state.`
			`It is important to note that one cannot violate memory safety with such a type`
			`if it is correctly written. After all, it must be minimally exception-safe!`

			`However if the Mutex contained, say, a BinaryHeap that does not actually have the`
			`heap property, it's unlikely that any code that uses it will do`
			`what the author intended. As such, the program should not proceed normally.`
			`Still, if you're double-plus-sure that you can do something with the value,`
			`the Mutex exposes a method to get the lock anyway. It is safe, after all.`
			`Just maybe nonsense.`