Skip to content

Remove panic opportunities #1661

New issue
New issue
Closed
Closed
Remove panic opportunities#1661
Labels
do-after-next-releaseNot blocking release, but we should do soon after release
@joshlf

Description

@joshlf
joshlf
opened on Sep 15, 2024

These are the result of auditing (as of 0003184) for panic opportunities. Some have been left off which are either unavoidable, in progress of being removed (#1658), or downstream of ones listed here (namely, downstream of is_bit_valid).

validate_cast_and_convert_metadata

zerocopy/src/layout.rs

Lines 444 to 445 in 0003184

/// `validate_cast_and_convert_metadata` will panic if `self` describes a
/// DST whose trailing slice element is zero-sized.

We should be able to make this work via a post-monomorphization error instead, and thus avoid a panic opportunity.

PointerMetadata::size_for_metadata

zerocopy/src/lib.rs

Lines 719 to 721 in 0003184

/// If `Self = ()`, `layout` must describe a sized type. If `Self = usize`,
/// `layout` must describe a slice DST. Otherwise, `size_for_metadata` may
/// panic.

TryFromBytes::is_bit_valid

zerocopy/src/lib.rs

Lines 1243 to 1251 in 0003184

/// `is_bit_valid` may panic. Callers are responsible for ensuring that any
/// `unsafe` code remains sound even in the face of `is_bit_valid`
/// panicking. (We support user-defined validation routines; so long as
/// these routines are not required to be `unsafe`, there is no way to
/// ensure that these do not generate panics.)
///
/// Besides user-defined validation routines panicking, `is_bit_valid` will
/// either panic or fail to compile if called on a pointer with [`Shared`]
/// aliasing when `Self: !Immutable`.

Now that const eval semantics are more nailed down, we can probably stop hedging that this might panic and just guarantee a post-monomorphization error.

Note that many panics are downstream of is_bit_valid. If we tackle this, we should make sure to remove panic documentation from all downstream functions.

round_down_to_next_multiple_of_alignment

zerocopy/src/util/mod.rs

Lines 623 to 624 in 0003184

/// May panic if `align` is not a power of two. Even if it doesn't panic in this
/// case, it will produce nonsense results.

We could benefit from a power-of-two witness type.

Metadata

Metadata

Assignees

No one assigned

    Labels

    do-after-next-releaseNot blocking release, but we should do soon after release

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions