The go! macro is unsound

[jmaargh]

The go! macro is unsound and should require an unsafe block to use, with proper "Safety" documentation for the macro.

As discussed in #6, this crate can be unsound when thread-local storage is used. My understanding is that this is an unavoidable property of stackful coroutines when there isn't language-level support for them. Nonetheless, APIs that can lead to UB should only be accessible within an unsafe block and have documentation for the conditions under which their use is sound (that's what unsafe is for).

In #8 the spawn API was correctly marked as unsafe because of this. However, then the go! macro was introduced which simply silently inserts the unsafe block -- this only serves to hide the issue from users and obscure the safety documentation.

Personally, I'd remove the go! macro altogether. But if it is to stay, then I think it should definitely require an unsafe block and its safety requirements should be properly documented as any unsafe function should.

[Xudong-Huang]

This is designed intentially. If you need to make unsafe block explicitly, you could use the raw spawn API directcly.

[jmaargh]

That's not how unsafe works. It is possible to cause UB by using the go! macro and therefore the go! macro should require an unsafe block to use every time for all users (and should come with documentation specifying exactly when it is safe or unsafe to use)

[DavidLee18]

Hi, I just saw caveats, and became curious, so here I ask. can we detect when accessing the TLS in coroutine? If so, what about just panic!ing instead of UB? The same goes for when exceeding the coroutine stack. If implemented, it would be much better(safe and sound actually) than undefined behavior or segfault.

[fuji-184]

I encountered this issue sir. Here's the code I used.

The first code using V8 engine :

#[macro_use]
extern crate may;

fn main() {
    go!(move || {
        let platform = v8::new_default_platform(0, false).make_shared();
        v8::V8::initialize_platform(platform);
        v8::V8::initialize();

        let isolate = &mut v8::Isolate::new(Default::default());

        let scope = &mut v8::HandleScope::new(isolate);
        let context = v8::Context::new(scope, Default::default());
        let scope = &mut v8::ContextScope::new(scope, context);

        let code = v8::String::new(scope, "'Hello' + ' World!'").unwrap();
        println!("javascript code: {}", code.to_rust_string_lossy(scope));

        let script = v8::Script::compile(scope, code, None).unwrap();
        let result = script.run(scope).unwrap();
        let result = result.to_string(scope).unwrap();
        println!("result: {}", result.to_rust_string_lossy(scope));

        println!("hello");
    });
}

The second code using JS Core engine

#[macro_use]
extern crate may;

fn main() {
    go!(move || {
        let mut context = rusty_jsc::JSContext::default();
        println!("hello");
    });
}

The code above doesn't execute the println statement, which it should. If I replace it with one that doesn't use the macro (using may::coroutine directly), it throws a segmentation fault (core dumped) error.