rustig VS no-panic

There is also rustig though it seems quite dead.

There’s the rustig tool (https://github.com/Technolution/rustig) that looks for code paths leading to the panic handler. Not sure if it still works though.

That's fair. I think I may just be a bit sore that Rustig was allowed to bit-rot and findpanics hasn't seen a commit since 2020.

There's Rustig which does it for panics, though it seems unmaintained and uses inspection of the final binary rather than source code/AST inspection.

You might be interested in this: https://github.com/Technolution/rustig

> Doesnt Rust have implicit panics on indexing out of bounds?

It does yes. A fair number of other constructs can panic as well.

> I wonder if any codebases lint those away.

Clippy has a lint for indexing so probably.

For the general case, it's almost impossible unless you're working on very low-level software (embedded, probably kernel-rust eventually) e.g. `std` assumes allocations can't fail, so any allocation will show up as a panic path.

https://github.com/Technolution/rustig can actually uncover panic paths, but because of the above the results are quite noisy, and while it's possible to uncover bugs thanks to rustig it requires pretty ridiculous amounts of filtering.

This comment is strongly confused.

> [1] https://github.com/Technolution/rustig

That's a binary analysis tool. It is only approximate, and does not claim to be an accurate analysis like unsafe-checking and typechecking are:

https://github.com/Technolution/rustig#limitations

> All paths leading to panic! from one of those functions (whether actually used or not) will be reported.

It also only works on x86_64 binaries.

Panics are an ugly leftover from the bad old days before Rust had nice monad-like syntax for Result error-handling (the "?" syntax). It's time for panic to sunset.

I discovered a crate called no_panic that prevents a function from compiling, unless the compiler can proof that this function can't panic.

/u/dtolnay has a no-panic macro, I don't know its limitations but in older comments they note it pretty much has to be used in release mode, as there are lots of panic codepaths which get optimised out.

'Hacks' such as https://github.com/dtolnay/no-panic, https://crates.io/crates/no-panics-whatsoever that ensure any calls to panic handling will result in link errors. Not really reliable in terms of being able to abort instead, but a possible tool.

nope. Unfortunately, no mainstream language has this yet. We need an Algebraic effects typesystem to do this properly. There are a few temporary band-aid solutions like https://github.com/dtolnay/no-panic

This kind of already exists in the form of #[no_panic] [1]?

> If the function does panic (or the compiler fails to prove that the function cannot panic), the program fails to compile with a linker error that identifies the function name.

1: https://github.com/dtolnay/no-panic

I really think that Rust needs an official #[no_panic] macro that can validate these sort of things (like dtolnay’s crate, I’m not sure why it was archived)

Because it's convenient and familiar to most programmers. Not providing bounds-checked indexing makes some kinds of code very hard to write.

But note his problem also happens with integer division.

In Rust, a[x] on an array or vec is really a roughly a shortand for a.get(x).unwrap() (with a different error message)

Likewise, a / b on integers is a kind of a shortand for a.checked_div(b).unwrap()

The thing is, if the index ever is out of bounds, or if the denominator is zero, the program has a bug, 100% of time. And if you catch a bug using an assertion there is seldom anything better than interrupting the execution (the only thing I can think of is restarting the program or the subsystem). If you continue execution past a programming error, you may sometimes corrupt data structures or introduce bizarre, hard to debug situations.

Doing a pattern match on a.get(x) doesn't help because if it's ever None (and your program logic expects that x is in bounds) then you are kind of forced to bail.

The downside here is that we aren't catching this bug at compile time. And it's true that sometimes we can rewrite the program to not have an indexing operation, usually using iterators (eliding the bounds check will make the program run faster, too). But in general this is not possible, at least not without bringing formal methods. But that's what tests are for, to ensure the correctness of stuff type errors can't catch.

Now, there are some crates like https://github.com/dtolnay/no-panic or https://github.com/facebookexperimental/MIRAI that will check that your code is panic free. The first one is based on the fact that llvm optimizations can often remove dead code and thus remove the panic from a[x] or a / b - if it doesn't, then compilation fails. The second one employs formal methods to mathematically prove that there is no panic. I guess those techniques will eventually be ported to the kernel even if panics happen differently there (by hooking on the BUG mechanism or whatever)

Hmm, yeah as you mentioned, looks like a surprising amount of stuff is already done in the rust for the linux kernel project: https://github.com/Rust-for-Linux/linux/tree/rust/rust/. It's also MIT/Apache licensed, but I was expecting gpl, so I can actually use it. It's still a lot to trim down on, so might be easier to just build up as needed. Additionally I just saw /u/dtolnay's #[no_panic] attribute which at least makes it a compiler error if it's accidentally done.

Obviously, in bare metal systems, in the kernel, etc, you always want to use the second style. In this patch series, the first type had been stubbed out to panic, but Linus doesn't want any chance of panicking, he wants it to be a compile time error if anyone tries to call these methods from within the kernel, for example by not providing the symbols and failing to link if someone did try to use them. There is already precedent for doing that in the Rust ecosystem, so it's planned to do that in this patch series, but the authors hadn't gotten to that yet.