On Tue, Mar 22, 2016 at 3:51 PM, Brian Smith <br...@briansmith.org> wrote:
> Is the Rust MP4 parser using panics for flow control (like is common in JS
> and Java with exceptions), or only for "should be impossible" situations
> (like MOZ_CRASH in Gecko)?

We're not using panics for flow control. We do have assert!s, and we started with a bunch of unwrap()s which have all now been converted to proper Result flow as we've become more confident in the code. But in the defensive programming sense one generally can't control whether dependent code is going to panic or not, so unwinding through FFI is something we need to think about.

> I personally don't expect people to correctly write unwinding-safe
> code—especially when mixing non-Rust and Rust—any more than I expect people
> to write exception-safe code (i.e. not at all), and so abort-on-panic is
> really the only acceptable configuration to run Rust code in.

In the specific case of the mp4 parser, I catch panics in the major parsing call because the overhead is acceptable, and it's nice to be able to return an error instead of taking down a user-facing process. Obviously there are a lot of situations where the thread-spawn overhead would be a problem, and we'd have to crash. But in that case we still want to make sure it crashes cleanly, rather than doing something undefined (and maybe exploitable?) and that we get notification so we can address the issue, which I think was Ted's point.

-r
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
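As an added illustration of the pattern discussed in this message (catching a panic at the FFI boundary and turning it into an error code, so that a panic in parsing code or in a dependency never unwinds into C), here is a small self-contained Rust example. It is not the mp4 parser's code: `parse_box`, `parse_guarded` and `demo_parse` are hypothetical names, the box-header "format" is a constructed stand-in, and the return codes are assumptions made for the example. It uses `std::panic::catch_unwind` rather than the thread-spawn approach the message describes, since `catch_unwind` has been stable since Rust 1.9; the effect on the caller is the same.

```rust
use std::os::raw::c_int;
use std::panic::{self, AssertUnwindSafe};

/// Hypothetical parser for a constructed 8-byte "box header": a big-endian
/// u32 size followed by a 4-byte type tag. Returns the declared size.
/// The assert! below stands in for a "should be impossible" check that a
/// dependency might trip; it is deliberately reachable from untrusted input
/// so the example can show a panic being contained.
fn parse_box(input: &[u8]) -> Result<u32, &'static str> {
    if input.len() < 8 {
        return Err("truncated box header");
    }
    let size = u32::from_be_bytes([input[0], input[1], input[2], input[3]]);
    assert!(size as usize <= input.len(), "box size exceeds buffer");
    Ok(size)
}

/// Safe-Rust wrapper that maps the three outcomes to an integer status
/// (assumed codes for this example): 0 = ok, -1 = parse error, -2 = panic
/// caught. `AssertUnwindSafe` is used because the closure only borrows an
/// immutable slice, so no shared state can be left half-updated by the unwind.
fn parse_guarded(input: &[u8]) -> (c_int, u32) {
    match panic::catch_unwind(AssertUnwindSafe(|| parse_box(input))) {
        Ok(Ok(size)) => (0, size),
        Ok(Err(_)) => (-1, 0),
        Err(_) => (-2, 0),
    }
}

/// Hypothetical FFI entry point a C caller would use. A real export would
/// also carry a no_mangle attribute; it is omitted here to keep the example
/// edition-neutral. No panic can escape this function: every path returns.
pub extern "C" fn demo_parse(ptr: *const u8, len: usize, out_size: *mut u32) -> c_int {
    if ptr.is_null() || out_size.is_null() {
        return -1;
    }
    // SAFETY: the caller promises `ptr` points to `len` readable bytes that
    // outlive this call, which is the usual contract for a parse-a-buffer API.
    let input = unsafe { std::slice::from_raw_parts(ptr, len) };
    let (status, size) = parse_guarded(input);
    if status == 0 {
        // SAFETY: checked non-null above; caller promises it is a valid u32 slot.
        unsafe { *out_size = size };
    }
    status
}

fn main() {
    // Constructed inputs: a valid header, a truncated one, and one whose
    // declared size (256) exceeds the 8 bytes actually supplied.
    let good = [0, 0, 0, 8, b'f', b't', b'y', b'p'];
    let short = [0u8; 4];
    let bad = [0, 0, 1, 0, b'm', b'o', b'o', b'v'];
    for buf in [&good[..], &short[..], &bad[..]] {
        let mut out = 0u32;
        let status = demo_parse(buf.as_ptr(), buf.len(), &mut out);
        println!("status={} size={}", status, out);
    }
}
```

Two caveats a practitioner should keep in mind. First, this only helps with unwinding panics; if the crate is built with `panic = "abort"` (the configuration Brian argues for), `catch_unwind` never sees the panic and the process dies immediately, which is the "crash cleanly" outcome rather than the "return an error" one. Second, since Rust 1.81 a panic that reaches the boundary of an `extern "C"` function aborts the process instead of continuing to unwind into foreign frames; on older toolchains that situation was undefined behaviour, which is exactly the exploitable-crash concern raised in the message, so the guard belongs inside the exported function regardless of toolchain.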