[workerd-cxx] no-abort (#2)

_This is the first change in a series to replace abort on panic with
exceptions._

This change replaces the usage of aborting `prevent_unwind` with new
error-generating `catch_unwind` and `try_unwind` in ffi *rust functions*
only (see the note below).

It largerly uses existing setup for returning exceptions in case of
`Result` return type by forecibly enabling it.

Since handling exceptions in cxx requires passing return values as
pointer arguments (see example), this transformation requires
specificatin of return references lifetime (eforced by #3)

There are plenty of remaining usages of `prevent_unwind` but they are
all (mostly?) concerned generating various
c++ operators (that we don't really use). I intend to fix them in follow
ups.

Internal PR 8720

For `fn r_return_identity(_: usize) -> usize;`

```rust
unsafe extern "C" fn __r_return_identity(arg0: usize) -> usize {
    let __fn = "cxx_test_suite::ffi::r_return_identity";
    fn __r_return_identity(arg0: usize) -> usize {
        super::r_return_identity(arg0)
    }
    ::cxx::private::prevent_unwind(__fn, move ||
__r_return_identity(arg0))
}
```

```c++
::std::size_t r_return_identity(::std::size_t arg0) noexcept {
  return tests$cxxbridge1$r_return_identity(arg0);
}
```

```rust
unsafe extern "C" fn __r_return_identity(
    arg0: usize,
    __return: *mut usize,
) -> ::cxx::private::Result {
    let __fn = "cxx_test_suite::ffi::r_return_identity";
    fn __r_return_identity(arg0: usize) -> usize {
        super::r_return_identity(arg0)
    }
    ::cxx::private::catch_unwind(
        __fn,
        move || unsafe {
            ::cxx::core::ptr::write(__return, __r_return_identity(arg0))
        },
    )
}
```
```c++
::std::size_t r_return_identity(::std::size_t arg0) {
  ::rust::MaybeUninit<::std::size_t> return$;
  ::rust::repr::PtrLen error$ = tests$cxxbridge1$r_return_identity(arg0,
&return$.value);
  if (error$.ptr) {
    throw ::rust::impl<::rust::Error>::error(error$);
  }
  return ::std::move(return$.value);
}
```

Author: mikea

gen/src/write.rs

@@ -8,6 +8,7 @@ use crate::syntax::map::UnorderedMap as Map;
 use crate::syntax::set::UnorderedSet;
 use crate::syntax::symbol::{self, Symbol};
 use crate::syntax::trivial::{self, TrivialReason};
+use crate::syntax::Lang;
 use crate::syntax::{
     derive, mangle, Api, Doc, Enum, EnumRepr, ExternFn, ExternType, Pair, Signature, Struct, Trait,
     Type, TypeAlias, Types, Var,
@@ -274,7 +275,8 @@ fn write_struct<'a>(out: &mut OutFile<'a>, strct: &'a Struct, methods: &[&Extern
         let sig = &method.sig;
         let local_name = method.name.cxx.to_string();
         let indirect_call = false;
-        write_rust_function_shim_decl(out, &local_name, sig, indirect_call);
+        let throws = sig.throws || method.lang == Lang::Rust;
+        write_rust_function_shim_decl(out, &local_name, sig, indirect_call, throws);
         writeln!(out, ";");
         if !method.doc.is_empty() {
             out.next_section();
@@ -366,7 +368,8 @@ fn write_opaque_type<'a>(out: &mut OutFile<'a>, ety: &'a ExternType, methods: &[
         let sig = &method.sig;
         let local_name = method.name.cxx.to_string();
         let indirect_call = false;
-        write_rust_function_shim_decl(out, &local_name, sig, indirect_call);
+        let throws = sig.throws || method.lang == Lang::Rust;
+        write_rust_function_shim_decl(out, &local_name, sig, indirect_call, throws);
         writeln!(out, ";");
         if !method.doc.is_empty() {
             out.next_section();
@@ -897,12 +900,11 @@ fn write_rust_function_decl_impl(
     indirect_call: bool,
 ) {
     out.next_section();
-    if sig.throws {
-        out.builtin.ptr_len = true;
-        write!(out, "::rust::repr::PtrLen ");
-    } else {
-        write_extern_return_type_space(out, &sig.ret);
-    }
+
+    // rust functions always throw because of panic
+    out.builtin.ptr_len = true;
+    write!(out, "::rust::repr::PtrLen ");
+
     write!(out, "{}(", link_name);
     let mut needs_comma = false;
     if let Some(receiver) = &sig.receiver {
@@ -924,7 +926,9 @@ fn write_rust_function_decl_impl(
         write_extern_arg(out, arg);
         needs_comma = true;
     }
-    if indirect_return(sig, out.types) {
+    // rust functions always use indirect return
+    let indirect_return = sig.ret.is_some();
+    if indirect_return {
         if needs_comma {
             write!(out, ", ");
         }
@@ -947,7 +951,7 @@ fn write_rust_function_decl_impl(
         }
         write!(out, "void *");
     }
-    writeln!(out, ") noexcept;");
+    writeln!(out, ");");
 }
 
 fn write_rust_function_shim<'a>(out: &mut OutFile<'a>, efn: &'a ExternFn) {
@@ -971,6 +975,7 @@ fn write_rust_function_shim_decl(
     local_name: &str,
     sig: &Signature,
     indirect_call: bool,
+    throws: bool,
 ) {
     begin_function_definition(out);
     write_return_type(out, &sig.ret);
@@ -994,7 +999,7 @@ fn write_rust_function_shim_decl(
             write!(out, " const");
         }
     }
-    if !sig.throws {
+    if !throws {
         write!(out, " noexcept");
     }
 }
@@ -1015,7 +1020,7 @@ fn write_rust_function_shim_impl(
         // Member functions already documented at their declaration.
         write_doc(out, "", doc);
     }
-    write_rust_function_shim_decl(out, local_name, sig, indirect_call);
+    write_rust_function_shim_decl(out, local_name, sig, indirect_call, true);
     if out.header {
         writeln!(out, ";");
         return;
@@ -1031,7 +1036,8 @@ fn write_rust_function_shim_impl(
         }
     }
     write!(out, "  ");
-    let indirect_return = indirect_return(sig, out.types);
+    // rust functions always use indirect return
+    let indirect_return = sig.ret.is_some();
     if indirect_return {
         out.builtin.maybe_uninit = true;
         write!(out, "::rust::MaybeUninit<");
@@ -1047,35 +1053,10 @@ fn write_rust_function_shim_impl(
         }
         writeln!(out, "> return$;");
         write!(out, "  ");
-    } else if let Some(ret) = &sig.ret {
-        write!(out, "return ");
-        match ret {
-            Type::RustBox(_) => {
-                write_type(out, ret);
-                write!(out, "::from_raw(");
-            }
-            Type::UniquePtr(_) => {
-                write_type(out, ret);
-                write!(out, "(");
-            }
-            Type::Ref(_) => write!(out, "*"),
-            Type::Str(_) => {
-                out.builtin.rust_str_new_unchecked = true;
-                write!(out, "::rust::impl<::rust::Str>::new_unchecked(");
-            }
-            Type::SliceRef(_) => {
-                out.builtin.rust_slice_new = true;
-                write!(out, "::rust::impl<");
-                write_type(out, ret);
-                write!(out, ">::slice(");
-            }
-            _ => {}
-        }
-    }
-    if sig.throws {
-        out.builtin.ptr_len = true;
-        write!(out, "::rust::repr::PtrLen error$ = ");
     }
+    out.builtin.ptr_len = true;
+    write!(out, "::rust::repr::PtrLen error$ = ");
+
     write!(out, "{}(", invoke);
     let mut needs_comma = false;
     if sig.receiver.is_some() {
@@ -1120,12 +1101,11 @@ fn write_rust_function_shim_impl(
         }
     }
     writeln!(out, ";");
-    if sig.throws {
-        out.builtin.rust_error = true;
-        writeln!(out, "  if (error$.ptr) {{");
-        writeln!(out, "    throw ::rust::impl<::rust::Error>::error(error$);");
-        writeln!(out, "  }}");
-    }
+    out.builtin.rust_error = true;
+    writeln!(out, "  if (error$.ptr) {{");
+    writeln!(out, "    throw ::rust::impl<::rust::Error>::error(error$);");
+    writeln!(out, "  }}");
+
     if indirect_return {
         write!(out, "  return ");
         match sig.ret.as_ref().unwrap() {

macro/src/expand.rs

@@ -1123,17 +1123,17 @@ fn expand_rust_function_shim_impl(
         }
     };
 
-    let mut outparam = None;
-    let indirect_return = indirect_return(sig, types);
-    if indirect_return {
-        let ret = expand_extern_type(sig.ret.as_ref().unwrap(), types, false);
-        outparam = Some(quote_spanned!(span=> __return: *mut #ret,));
-    }
+    // always indirect return when there's a return value
+    let out_param = sig.ret.as_ref().map(|ret| {
+        let ret = expand_extern_type(ret, types, false);
+        quote_spanned!(span=> __return: *mut #ret,)
+    });
+    let out = match sig.ret {
+        Some(_) => quote_spanned!(span=> __return),
+        None => quote_spanned!(span=> &mut ()),
+    };
+    let indirect_return = sig.ret.is_some();
     if sig.throws {
-        let out = match sig.ret {
-            Some(_) => quote_spanned!(span=> __return),
-            None => quote_spanned!(span=> &mut ()),
-        };
         requires_closure = true;
         requires_unsafe = true;
         expr = quote_spanned!(span=> ::cxx::private::r#try(#out, #expr));
@@ -1153,13 +1153,15 @@ fn expand_rust_function_shim_impl(
         quote!(#local_name)
     };
 
-    expr = quote_spanned!(span=> ::cxx::private::prevent_unwind(__fn, #closure));
-
-    let ret = if sig.throws {
-        quote!(-> ::cxx::private::Result)
+    if sig.throws {
+        // the function itself throws, wire through the exception
+        expr = quote_spanned!(span=> ::cxx::private::try_unwind(__fn, #closure));
     } else {
-        expand_extern_return_type(&sig.ret, types, false)
-    };
+        // always protect against the panic
+        expr = quote_spanned!(span=> ::cxx::private::catch_unwind(__fn, #closure));
+    }
+    // rust functions always potentially throw
+    let ret = quote!(-> ::cxx::private::Result);
 
     let pointer = match invoke {
         None => Some(quote_spanned!(span=> __extern: *const ())),
@@ -1170,7 +1172,7 @@ fn expand_rust_function_shim_impl(
         #attrs
         #[doc(hidden)]
         #[#UnsafeAttr(#ExportNameAttr = #link_name)]
-        unsafe extern "C" fn #local_name #generics(#(#all_args,)* #outparam #pointer) #ret {
+        unsafe extern "C" fn #local_name #generics(#(#all_args,)* #out_param #pointer) #ret {
             let __fn = ::cxx::private::concat!(::cxx::private::module_path!(), #prevent_unwind_label);
             #wrap_super
             #expr

src/lib.rs

@@ -507,7 +507,12 @@ pub mod private {
     pub use crate::shared_ptr::SharedPtrTarget;
     pub use crate::string::StackString;
     pub use crate::unique_ptr::UniquePtrTarget;
+    #[cfg(feature = "std")]
+    pub use crate::unwind::catch_unwind;
+    #[cfg(feature = "std")]
     pub use crate::unwind::prevent_unwind;
+    #[cfg(feature = "std")]
+    pub use crate::unwind::try_unwind;
     pub use crate::weak_ptr::WeakPtrTarget;
     pub use core::{concat, module_path};
     pub use cxxbridge_macro::type_id;

src/result.rs

@@ -23,16 +23,26 @@ pub union Result {
     ok: *const u8, // null
 }
 
+impl Result {
+    pub(crate) fn ok() -> Self {
+        Result { ok: ptr::null() }
+    }
+
+    pub(crate) fn error<E: Display>(err: E) -> Self {
+        unsafe { to_c_error(err.to_string()) }
+    }
+}
+
 pub unsafe fn r#try<T, E>(ret: *mut T, result: StdResult<T, E>) -> Result
 where
     E: Display,
 {
     match result {
         Ok(ok) => {
             unsafe { ptr::write(ret, ok) }
-            Result { ok: ptr::null() }
+            Result::ok()
         }
-        Err(err) => unsafe { to_c_error(err.to_string()) },
+        Err(err) => Result::error(err),
     }
 }
 

src/unwind.rs

@@ -1,6 +1,8 @@
 #![allow(missing_docs)]
+#![allow(dead_code)]
 
 use core::mem;
+use std::panic;
 
 pub fn prevent_unwind<F, R>(label: &'static str, foreign_call: F) -> R
 where
@@ -37,3 +39,36 @@ impl Drop for Guard {
         panic!("panic in ffi function {}, aborting.", self.label);
     }
 }
+
+/// Run the void `foreign_call`, intercepting panics and converting them to errors.
+#[cfg(feature = "std")]
+pub fn catch_unwind<F>(label: &'static str, foreign_call: F) -> ::cxx::result::Result
+where
+    F: FnOnce(),
+{
+    match panic::catch_unwind(panic::AssertUnwindSafe(foreign_call)) {
+        Ok(()) => ::cxx::private::Result::ok(),
+        Err(err) => panic_result(label, &err),
+    }
+}
+
+
+/// Run the error-returning `foreign_call`, intercepting panics and converting them to errors.
+#[cfg(feature = "std")]
+pub fn try_unwind<F>(label: &'static str, foreign_call: F) -> ::cxx::private::Result
+where
+    F: FnOnce() -> ::cxx::private::Result,
+{
+    match panic::catch_unwind(panic::AssertUnwindSafe(foreign_call)) {
+        Ok(r) => r,
+        Err(err) => panic_result(label, &err),
+    }
+}
+
+#[cfg(feature = "std")]
+fn panic_result(label: &'static str, err: &alloc::boxed::Box<dyn core::any::Any + Send>) -> ::cxx::private::Result {
+    if let Some(err) = err.downcast_ref::<alloc::string::String>() {
+        return ::cxx::private::Result::error(std::format!("panic in {label}: {err}"));
+    }
+    ::cxx::private::Result::error(std::format!("panic in {label}"))
+}

tests/ffi/lib.rs

@@ -317,6 +317,8 @@ pub mod ffi {
 
         #[cxx_name = "rAliasedFunction"]
         fn r_aliased_function(x: i32) -> String;
+
+        fn r_panic(s: &str);
     }
 
     struct Dag0 {
@@ -659,3 +661,7 @@ fn r_try_return_mutsliceu8(slice: &mut [u8]) -> Result<&mut [u8], Error> {
 fn r_aliased_function(x: i32) -> String {
     x.to_string()
 }
+
+fn r_panic(s: &str) {
+    panic!("{s}");
+}

tests/ffi/tests.cc

@@ -975,6 +975,13 @@ extern "C" const char *cxx_run_test() noexcept {
   (void)rust::Vec<size_t>();
   (void)rust::Vec<rust::isize>();
 
+  try {
+    r_panic("foobar");
+    ASSERT(false);
+  } catch (const rust::Error &e) {
+    ASSERT(std::strcmp(e.what(), "panic in cxx_test_suite::ffi::r_panic: foobar") == 0);
+  }
+
   cxx_test_suite_set_correct();
   return nullptr;
 }