Synchronization primitives not robust against unwinding #59614
Description
Various synchronization primitives in std are not robust against unwinding triggered inside the std implementation. This may result in
- double panics
- deadlocks
- Mutexes being poisoned that shouldn't be
Such unwinding may be triggered in many different ways, for example:
- pthread_cancel on certain pthread implementations
- assertion/unwrap failure due to a variety of causes:
- The kernel may return an unexpected error value from a system call
- The libc implementation may return an unexpected error from a call
- An unexpected return value due to the use of Linux seccomp
- Iago attacks
I've identified at least the following cases. Fixes for some of these have been proposed and rejected in #58042 and #58461.
| Primitive | Unwind during blocking in | Failure occurs in | Test case |
|---|---|---|---|
| MPSC oneshot | recv/recv_timeout | Receiver drop | https://github.com/jethrogb/rust/blob/95e8613d4e92f5f4b5487f2e7b4b936ea17d96d2/src/test/run-fail/mpsc-recv-unwind/oneshot.rs |
| MPSC sync | recv/recv_timeout | Receiver drop | https://github.com/jethrogb/rust/blob/95e8613d4e92f5f4b5487f2e7b4b936ea17d96d2/src/test/run-fail/mpsc-recv-unwind/sync.rs |
| MPSC shared | recv/recv_timeout | Receiver drop | https://github.com/jethrogb/rust/blob/95e8613d4e92f5f4b5487f2e7b4b936ea17d96d2/src/test/run-fail/mpsc-recv-unwind/shared.rs |
| MPSC stream | recv/recv_timeout | Receiver drop | https://github.com/jethrogb/rust/blob/95e8613d4e92f5f4b5487f2e7b4b936ea17d96d2/src/test/run-fail/mpsc-recv-unwind/stream.rs |
| Condvar | wait/wait_timeout | wait | https://github.com/jethrogb/rust/blob/dd20f165ded66619ee040f5d819a4490fad3bd5c/src/test/run-pass/condvar-wait-panic-poison.rs |
| thread | park/park_timeout | park/ThreadInfo::with | #58461 (comment) |