C-unwind and safety

aochagavia · September 1, 2025, 11:49pm

Note: this question is similar to this one from 2017, but that thread doesn't have a clear answer and I'm hoping for something more informative (hopefully there's more knowledge about this, 8 years later).

At work, I started helping with a Rust project that relies on the C library libpng to deal with images. I'm trying to convince myself we are using the library in a correct way, without triggering UB. I'd love to have a second opinion though, because unsafe Rust is notoriously difficult to get right.

The main challenge is that libpng handles errors using setjmp and longjmp (in a way that resembles throwing and catching exceptions). The user is responsible of using setjmp at the right places, and libpng is responsible for calling longjmp when an error is encountered. In Rust, however, setjmp and longjmp are heavily discouraged (I'm not even certain you can use them at at all without some hackery), so we'd rather not use them.

Fortunately, libpng allows us to configure custom error callbacks. That means that, with the right callbacks, we can skip setjmp / longjmp entirely and rely on Rust's unwinding instead to propagate errors. We currently provide callbacks that trigger an unwind on error, and we make sure to catch the unwind somewhere up the stack. Here's an example:

// Fatal error handler callback
unsafe extern "C-unwind" fn err_handler(_png_ptr: *mut ffi::png_struct, _msg: *const c_char) {
    resume_unwind(Box::new(()));
}

// Read callback (we are reading from memory)
unsafe extern "C-unwind" fn read_handler(png: *mut ffi::png_struct, data: *mut u8, len: usize) {
    let data = slice::from_raw_parts_mut(data.cast(), len);
    let reader = &mut *ffi::png_get_io_ptr(png).cast::<Cursor<&[u8]>>();
    if reader.read_exact(data).is_err() {
        // Unexpected EOF, trigger unwind
        resume_unwind(Box::new(()));
    }
}

// Rust function to decode an image
pub(crate) fn decode_png(data: &[u8]) -> Result<DecodedImage> {
    let result = catch_unwind(|| {
        // Code that calls libpng functions that may unwind
    });
    result.unwrap_or(Err(Error::DecodeFailed))
}

With this in place, everything seems to work properly (fingers crossed). However, people in the Rust community often mention it's unsafe to trigger an unwind from Rust, let it go through a C library and catch it when it arrives back to Rust code (meaning that it is undefined behavior). Because of that, I'm in doubt: how can I be sure what I'm doing satisfies Rust's safety requirements? If it's impossible with the current approach, do you know of any alternative that would guarantee safety?

kornel · September 2, 2025, 1:24am

Yes, it's sound as far as Rust is concerned. C-unwind has been created specifically for C libraries that need panicking to handle errors (like libjpeg and libpng).

I've heard suggestion to also use -fexceptions on the C side just in case C doesn't like unwinding, but I don't think it's necessary.

OTOH, longjmp can't mix with Rust calls, and there's no blessed way to make it work. You have to make C trigger Rust panics instead.

Vorpal · September 2, 2025, 10:27am

They are straight up undefined behaviour, as they skip Drop during the unwind. So you did the right thing to avoid them.

Cerber-Ursi · September 2, 2025, 1:09pm

Could you explain this in more detail? Skipping Drop is safe in general, since mem::forget is safe.

aochagavia · September 2, 2025, 1:27pm

Thanks! It's nice to hear, especially since you were the one that asked the original question

Would you say it's also necessary to use the C-unwind ABI for libpng functions that will not trigger an unwind themselves, but that are using my callbacks under the hood and, therefore, might propagate an unwind from below? For instance, png_read_info currently uses the C ABI in my code, but I'm worried the compiler might assume unwinds are never coming from there and generate code that relies on that assumption.

nerditation · September 2, 2025, 2:03pm

you are right, skipping the destructors is indeed not the problem.

ironically, because rust move semantic is control flow aware, the real problem setjmp/longjmp could cause is double dropping (not "zero" dropping), which is UB.

UB WARNING: code snippet below is for illustration purpose only

    let mut buf: jmp_buf = [0; 8];
    let a = SomeTypeWithDestructor {};
    if unsafe { setjmp(&mut buf) } != 0 {
        // `a` is dropped for the second time
        std::mem::drop(a);
        // when this branch returns early, the drop happens implicitly
        return; 
    }
    // `a` is dropped for the first time
    std::mem::drop(a);
    unsafe { longjmp(&mut buf, 1) };

you can read this discussion for detailed context:

github.com/rust-lang/rfcs

Support for setjmp / longjmp

opened 03:13PM - 20 Jan 19 UTC

gnzlbg

T-lang A-ffi A-machine

## Motivation https://github.com/rust-lang/libc/pull/1216 proposes adding [`s…etjmp`](https://en.cppreference.com/w/cpp/utility/program/setjmp) and [`longjmp`](https://en.cppreference.com/w/cpp/utility/program/longjmp) to `libc`. These functions are required to interface with some C libraries, but sadly these functions are currently impossible to use correctly. Users deserve a solution that works and warns or prevents common pitfalls. ## Issues with current solution The first issue is that `libc` cannot add LLVM [`returns_twice`](https://llvm.org/docs/LangRef.html) attribute to `setjmp`: > This attribute indicates that this function can return twice. The C `setjmp` is an example of such a function. The compiler disables some optimizations (like tail calls) in the caller of these functions. Basically, LLVM assumes that `setjmp` can return only once without this attribute, potentially leading to miscompilations ([playground](https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=8b3ad9e3f703b7e19639078b099c65ce)): ```rust unsafe fn foo() -> i32 { let mut buf: jmp_buf = [0; 8]; let mut x = 42; if setjmp(&mut buf) != 0 { // Step 0: setjmp returns 0 // Step 3: when setjmp returns 1 x has always been // modified to be == 13 so this should always return 13: return x; } x = 13; // Step 1: x is modified longjmp(&mut buf, 1); // Step 2: jumps to Step 0 returning 1 x // this will never be reached } // In debug builds foo returns 13 correctly, but // in release builds foo returns 42 assert_eq!(unsafe { foo() }, 13); // FAILs in release ``` Because `setjmp` is not `returns_twice`, LLVM assumes that the `return x;` will only be reached before `x = 13`, so it will always return `42`. However, `setjmp` returns `0` the first time, and returns `1` when jumped into it from the `longjmp`. Using a volatile load instead works around this issue (e.g. [playground](https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=e6ca15a0066efe3548b30ef2ed29a8a6)). Basically, if stack variables are modified after a `setjmp`, all reads and writes until all possible `longjmp`s will probably need to be volatile. One way to improve this could be to add an stable attribute `#[returns_twice]` that users can use to mark that `extern "C" { ... }` functions can return multiple times and for Rust to handle these functions specially (e.g. by emitting the corresponding LLVM attribute). An alternative would be for Rust to provide these functions as part of the language. --- Modulo LLVM-level misoptimizations, C only allows `setjmp` in specific "contexts" [0], and these features interact badly with languages with destructors. Rust does not guarantee that destructors will run (e.g. `mem::forget` is safe), so skipping destructors using `longjmp` is not unsound [1]. However, `unsafe` code will need to take into account that code outside it can use `longjmp` to skip destructors when creating safe abstractions (e.g. see [Observational equivalency and unsafe code](http://smallcultfollowing.com/babysteps/blog/2016/10/02/observational-equivalence-and-unsafe-code/)). More worrying is how `longjmp` subverts the borrow checker to, e.g., produce undefined behavior of the form use-after-move without triggering a type error ([playground](https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=8178f0ce2cad650d5e76d4f6e7f126d8)): ```rust fn bar(_a: A) { println!("a moved") } fn foo() { let mut buf: jmp_buf = [0; 8]; let a = A; if unsafe { setjmp(&mut buf) } != 0 { // Step 0: setjmp returns 0 bar(a); // Step 3: a is moved _again_ (UB: use-after-move) return; } bar(a); // Step 1: a is moved here unsafe { longjmp(&mut buf, 1) }; // Step 2: jumps to Step 0 returning 1 } ``` This prints "a moved" twice, which means that the variable `a` was moved from twice, so the second time an use-after-move happened which type-checked. Obviously, `longjmp` is not the only way to achieve this in Rust, e.g. it is trivial to use the pointer methods to do so as well, but `longjmp` combined with `Drop` types makes this happen with no effort ([playground](https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=51d6407335cd5156e54eb088ed584cac)): ```rust struct A; impl Drop for A { ... } fn bar(_a: A) { // _a is dropped here } fn foo() { let mut buf: jmp_buf = [0; 8]; let a = A; if unsafe { setjmp(&mut buf) } != 0 { // use-after-move: a has been moved (and dropped) below // but a is used (and dropped) in this branch again // => double-drop => UB return; } bar(a); // moves a unsafe { longjmp(&mut buf, 1) }; } ``` That is, using `setjmp+longjmp` to create double-drops (undefined behavior) is trivial. Finally, there are problems with creating wrappers around these functions ([playground](https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=33c1c92926470fef3ac43a279640a44e)): ```rust fn foo(buf: &mut jmp_buf) { let mut a: i32 = 42; if unsafe { setjmp(buf) } != 0 { dbg!(a); // use-after-free panic!("done"); } a = 13; } fn main() { let mut buf: jmp_buf = [0; 8]; foo(&mut buf); let b: i32 = 666; dbg!(b); unsafe { longjmp(&mut buf, 1); } } ``` Prints `b = 666` and `a = 0`. The problem here is that this code saves the stack pointer inside `foo`, but then `foo` returns, and afterwards the `longjmp` jumps to a stack frame that is no longer live, so `dbg!(a)` reads `a` after it has been free'd (use-after-free). There are probably many other problems with these two functions, that does not mean that they are impossible to use correctly. Still, it would be good to have a solution here that at least warns about potentially incorrect usages since reasoning about these and the surrounding unsafe code is often very tricky. It would also be good to have a way to soundly model these in miri and detect when they are used incorrectly. At a minimum we should be able to write down documentation for these functions in Rust. Where exactly can they be used, what does the unsafe code surrounding them need to uphold to be correct, etc. --- cc @nikomatsakis (wrote blog post about observational equivalence and unsafe code), @rkruppe , @RalfJung @ubsan - the unsafe code guidelines should probably say whether extern "C" functions are allowed to modify the stack pointer etc. like setjmp/longjmp do. --- * [0] [C11 7.13.1.1p4](http://port70.net/~nsz/c/c11/n1570.html#7.13.1.1p4) states the following about `setjmp`: > An invocation of the setjmp macro shall appear only in one of the following contexts: > > * the entire controlling expression of a selection or iteration statement; > * one operand of a relational or equality operator with the other operand an integer constant expression, with the resulting expression being the entire controlling expression of a selection or iteration statement; > * the operand of a unary ! operator with the resulting expression being the entire controlling expression of a selection or iteration statement; or > * the entire expression of an expression statement (possibly cast to void). While [C11 7.13.1.1p5](http://port70.net/~nsz/c/c11/n1570.html#7.13.1.1p5) states: > If the invocation appears in any other context, the behavior is undefined. That is, `let x = setjmp(...);` would be UB in C. In Rust having a result of a function be usable only in some contexts would be weird. * [1] In C++, skipping destructors with `longjmp` is undefined behavior, e.g., [[support.runtime]](http://eel.is/c++draft/support.runtime#csetjmp.syn-2) states: > If any automatic objects would be destroyed by a thrown exception transferring control to another (destination) point in the program, then a call to longjmp(jbuf, val) at the throw point that transfers control to the same (destination) point has undefined behavior.

nerditation · September 2, 2025, 2:17pm

yes. if calling the function can lead to an unwinding, it doesn't matter the unwinding was triggered at 1 stack frame deep or 100 frames deep, what matters is the boundary between rust functions and foreign functions, which should be declared with an unwinding ABI.

quoting the reference:

Unwinding with the wrong ABI is undefined behavior:

Causing an unwind into Rust code from a foreign function that was called via a function declaration or pointer declared with a non-unwinding ABI, such as "C", "system", etc. (For example, this case occurs when such a function written in C++ throws an exception that is uncaught and propagates to Rust.)

[...]

SkiFire13 · September 2, 2025, 2:22pm

Skipping Drop of local variables (i.e. values sitting on the stack) is considered unsound and a bunch of unsafe APIs rely on this (e.g. std::thread::scope).

It's not immediate undefined behaviour but can very easily lead to it especially if you jump across frames not controlled by you.

kornel · September 2, 2025, 3:52pm

Yes, everything called from Rust must have C-unwind ABI if there's any chance of it observing unwinding from anywhere.

You don't need to tell Rust about ABI of C functions that are never called from Rust.

jorendorff · September 2, 2025, 9:32pm

(dark humor) So basically the same as longjmp in C, then.

Cerber-Ursi · September 3, 2025, 1:45am

Ah, I see. In other words, forgetting something you remember is fine, but forcing amnesia on someone else is not.

Vorpal · September 3, 2025, 7:17am

This is actually an open question as far as I can tell, as it would affect some optimisations. It might turn out to be UB. See the discussion in:

system · December 2, 2025, 7:18am

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.

Topic		Replies	Views
Passing callbacks to C: panic! help	26	1920	August 29, 2023
Catching panic through C code, how bad is it? help	18	3079	January 12, 2023
Is jumping over Rust stack frames UB in a context of FFI? help	4	963	January 25, 2020
What is the actual current (1.68ish) behavior of unwinding into C/C++? help	6	887	June 21, 2023
Force cleanup before longjmp help	2	1271	January 12, 2023

C-unwind and safety

Related topics