zlacker

[parent] [thread] 10 comments
1. hegels+(OP)[view] [source] 2022-10-02 16:25:53
I think you're missing the point Linus made. Panicking is safer from a memory safety perspective, but it's not from a kernel perspective. You'll lose all the file changes that are not saved, you'll risk having disk written in a bad state which can be catastrophic, etc.
replies(3): >>pornel+i2 >>lifthr+83 >>zozbot+P8
2. pornel+i2[view] [source] 2022-10-02 16:36:37
>>hegels+(OP)
I understand his point. I just disagree, and prefer a different tradeoff.

Yes, a kernel panic will cause disruption when it happens. But that will also give a precise error location, which makes reporting and fixing of the root cause easier. It could be harder to pinpoint of the code rolled forward in broken state.

It will cause loss of unsaved data when it happens, but OTOH it will prevent corrupted data from being persisted.

replies(2): >>wtalli+g6 >>stjohn+6s
3. lifthr+83[view] [source] 2022-10-02 16:40:58
>>hegels+(OP)
Panic corresponds to a potential logic bug. If you have a logic bug, you already risk its consequences even if the panic didn't happen. As long as panic can be caught (and in Rust, it's indeed the case) it is safer than the alternative.
replies(1): >>hegels+7i1
◧◩
4. wtalli+g6[view] [source] [discussion] 2022-10-02 16:58:29
>>pornel+i2
> But that will also give a precise error location, which makes reporting and fixing of the root cause easier. It could be harder to pinpoint of the code rolled forward in broken state.

I think you must have missed out on how Linux currently handles these situations. It does not silently move on past the error; it prints a stack trace and CPU state to the kernel log before moving on. So you have all of the information you'd get from a full kernel panic, plus the benefit of a system that may be able to keep running long enough to save that kernel log to disk.

5. zozbot+P8[view] [source] 2022-10-02 17:12:08
>>hegels+(OP)
Panic in Rust need not equate to a literal kernel panic. It can call an oops handler, which might manage to keep the system operational depending on where the failure occurred.
replies(1): >>hegels+Vi1
◧◩
6. stjohn+6s[view] [source] [discussion] 2022-10-02 19:05:56
>>pornel+i2
On one embedded projected we had a separate debug chip could safely shutdown what might be dangerous circuits in the case of controller failure. The source code for that was much much much smaller than the controller and heavily vetted by mulitiple people. The small dedicated would initiate circuit shutdown on panic from the linux kernel on the controller. My point being is it's hard to know what happens after a panic, and logging and such is nice, but that may or may not be available, but being able to do some action as simple as sending a "panic" signal to a second dedicated processor to shut down critical systems in a controlled manner is nice. "Stop the world" can be very dangerous in some situations. There were even more independent backup failsafes on the potentially dangerous circuits as well, but redundancy is even more insurance something bad won't happen.
◧◩
7. hegels+7i1[view] [source] [discussion] 2022-10-03 01:25:44
>>lifthr+83
1. As far as i'm aware there's no way to reliably catch all panics. catch_unwind does not catch all panics. 2. The whole point is that consequences of a panic are worse than the consequences of memory corruption. That's how the kernel was designed. There was an explicit design decision not to kernel panic in every situation where a logic error occurs.
replies(1): >>lifthr+0v1
◧◩
8. hegels+Vi1[view] [source] [discussion] 2022-10-03 01:32:36
>>zozbot+P8
As far as I'm aware there's no way to reliably catch all panics. catch_unwind does not catch all panics. Handlers don't stop the program from terminating abruptly.
◧◩◪
9. lifthr+0v1[view] [source] [discussion] 2022-10-03 03:23:50
>>hegels+7i1
There are tons of edge cases with panics, e.g. panic can trigger a destructor that can panic itself, or unwinding may cross a language boundary which may not be well defined, but to my knowledge `catch_unwind` does catch all panics as long as unwinding reliably works. That disclaimer in the `catch_unwind` documentation only describes the `panic = abort` case.

And I thought it was clear that kernel panic is different from Rust panic, which you don't seem to distinguish. Rust panic doesn't need to cause a kernel panic because it can be caught earlier.

replies(1): >>hegels+Oy1
◧◩◪◨
10. hegels+Oy1[view] [source] [discussion] 2022-10-03 04:11:43
>>lifthr+0v1
Obviously rust panic is not the same as a kernel panic. What you're taking for granted is that just because rust can catch a panic that it will. A simple overflow can cause a panic. When this happens, the panic might be caught before the kernel panics, but by then the program is probably already in an undefined state. It also might not be caught at all, and cause an actual kernel panic.
replies(1): >>lifthr+NB1
◧◩◪◨⬒
11. lifthr+NB1[view] [source] [discussion] 2022-10-03 04:47:14
>>hegels+Oy1
The program is in a defined but undesirable state, both when panic occurred in Rust and when a "simple" uncontrolled overflow happened in C (provided that the compiler is configured to not treat it as an UB, otherwise it'd be worse). And anyone doing Rust-C interop already has to be conscious about the language boundary, which happens to be a perfect place to catch Rust panics.
[go to top]