On Wed, Aug 17, 2022 at 10:22:37PM +0200, Miguel Ojeda wrote:
> On Wed, Aug 17, 2022 at 9:44 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> > Given the distaste for ever using BUG()[1], why does this helper exist?
>
> We use it exclusively for the Rust panic handler, which does not
> return (we use fallible operations as much as possible, of course, but
> we need to provide a panic handler nevertheless).

Gotcha -- it's for the implicit situations (e.g. -C overflow-checks=on),
nothing is expected to explicitly call the Rust panic handler?

> Killing the entire machine is definitely too aggressive for some
> setups/situations, so at some point last year we discussed potential
> alternatives (e.g. `make_task_dead()` or similar) with, if I recall
> correctly, Greg. Maybe we want to make it configurable too. We are
> open to suggestions!

I suffer the same problems trying to fix C and the old "can never fail"
interfaces. Mainly we've just been systematically replacing such APIs
with APIs that return error codes, allowing the error to bubble back up.
(Which I know is exactly what you've already done with the allocator,
etc. Yay!)

-Kees

-- 
Kees Cook
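The two failure paths the thread contrasts, shown side by side as an added example (this is not kernel code and not code from the patch or from Miguel or Kees; it is written against std Rust so it runs on any host). The `Error` enum, its errno-style variant names and the function names are assumptions for illustration. `buffer_size_panicking` is the "can never fail" shape: under `-C overflow-checks=on` the multiplication panics on overflow, which in the kernel would land in the Rust panic handler and hence in BUG(). `alloc_buffer` is the fallible shape the thread prefers: arithmetic goes through `checked_mul`, the allocation goes through `Vec::try_reserve`, and both failures bubble up to the caller as a `Result` instead of ending the machine.

```rust
// Added example (not kernel code): "bubble the error up" instead of panicking.
use std::collections::TryReserveError;

/// Stand-in for a kernel errno (assumption for this example, not the real
/// kernel::error::Error type).
#[derive(Debug, PartialEq, Eq)]
pub enum Error {
    Overflow, // would map to -EOVERFLOW
    NoMem,    // would map to -ENOMEM
}

impl From<TryReserveError> for Error {
    fn from(_: TryReserveError) -> Self {
        Error::NoMem
    }
}

/// Infallible-looking variant. With `-C overflow-checks=on` (the debug
/// default) `count * elem_size` panics on overflow; with checks off it
/// silently wraps, which is worse for a size computation.
pub fn buffer_size_panicking(count: usize, elem_size: usize) -> usize {
    count * elem_size
}

/// Fallible variant: every failure is a `Result`, so the caller decides
/// what to do (retry, return an error to user space, log), not the panic
/// handler.
pub fn alloc_buffer(count: usize, elem_size: usize) -> Result<Vec<u8>, Error> {
    // Overflow becomes Err(Overflow) rather than a panic or a wrapped value.
    let bytes = count.checked_mul(elem_size).ok_or(Error::Overflow)?;

    // try_reserve returns Err on allocation failure (or capacity overflow)
    // instead of aborting, the same idea as the kernel allocator's fallible API.
    let mut buf: Vec<u8> = Vec::new();
    buf.try_reserve(bytes)?;

    // Capacity is already reserved, so this cannot reallocate or fail.
    buf.resize(bytes, 0);
    Ok(buf)
}

fn main() {
    // Constructed inputs for a stand-alone run.
    match alloc_buffer(16, 4) {
        Ok(buf) => println!("allocated {} bytes", buf.len()),
        Err(e) => println!("failed: {:?}", e),
    }
    // Overflows usize: reported as an error, never reaches the allocator.
    println!("{:?}", alloc_buffer(usize::MAX, 2));
    // Fits in usize but exceeds what a Vec<u8> can hold: try_reserve refuses.
    println!("{:?}", alloc_buffer(1, usize::MAX));
}
```

The panicking variant is only ever called with safe inputs here; feeding it `(usize::MAX, 2)` in a debug build is exactly the implicit panic the thread is talking about.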