Fix for closure-captured values not being dropped on panic (#1853)

* Fix for #1850 * Update changelog * Fix for compilation warnings * Apply suggestions from code review Co-authored-by: Markus Røyset <maroider@protonmail.com> * Improve code quality * Change Arc<Mutex> to Rc<RefCell> * Panicking in the user callback is now well defined * Address feedback * Fix nightly warning * The panic info is now not a global. * Apply suggestions from code review Co-authored-by: Francesca Lovebloom <francesca@brainiumstudios.com> * Address feedback Co-authored-by: Markus Røyset <maroider@protonmail.com> Co-authored-by: Francesca Lovebloom <francesca@brainiumstudios.com>
2021-03-08 19:56:39 +01:00 · 2021-03-08 19:56:39 +01:00 · ffe2143d14
commit ffe2143d14
parent 98470393d1
5 changed files with 275 additions and 83 deletions
--- a/src/platform_impl/macos/event_loop.rs
+++ b/src/platform_impl/macos/event_loop.rs
@ -1,14 +1,24 @@
 use std::{
-    collections::VecDeque, marker::PhantomData, mem, os::raw::c_void, process, ptr, rc::Rc,
+    any::Any,
+    cell::{Cell, RefCell},
+    collections::VecDeque,
+    marker::PhantomData,
+    mem,
+    os::raw::c_void,
+    panic::{catch_unwind, resume_unwind, RefUnwindSafe, UnwindSafe},
+    process, ptr,
+    rc::{Rc, Weak},
    sync::mpsc,
 };

 use cocoa::{
-    appkit::NSApp,
-    base::{id, nil},
-    foundation::NSAutoreleasePool,
+    appkit::{NSApp, NSEventType::NSApplicationDefined},
+    base::{id, nil, YES},
+    foundation::{NSAutoreleasePool, NSPoint},
 };

+use scopeguard::defer;
+
 use crate::{
    event::Event,
    event_loop::{ControlFlow, EventLoopClosed, EventLoopWindowTarget as RootWindowTarget},
@ -23,6 +33,34 @@ use crate::{
    },
 };

+#[derive(Default)]
+pub struct PanicInfo {
+    inner: Cell<Option<Box<dyn Any + Send + 'static>>>,
+}
+
+// WARNING:
+// As long as this struct is used through its `impl`, it is UnwindSafe.
+// (If `get_mut` is called on `inner`, unwind safety may get broken.)
+impl UnwindSafe for PanicInfo {}
+impl RefUnwindSafe for PanicInfo {}
+impl PanicInfo {
+    pub fn is_panicking(&self) -> bool {
+        let inner = self.inner.take();
+        let result = inner.is_some();
+        self.inner.set(inner);
+        result
+    }
+    /// Overwrites the curret state if the current state is not panicking
+    pub fn set_panic(&self, p: Box<dyn Any + Send + 'static>) {
+        if !self.is_panicking() {
+            self.inner.set(Some(p));
+        }
+    }
+    pub fn take(&self) -> Option<Box<dyn Any + Send + 'static>> {
+        self.inner.take()
+    }
+}
+
 pub struct EventLoopWindowTarget<T: 'static> {
    pub sender: mpsc::Sender<T>, // this is only here to be cloned elsewhere
    pub receiver: mpsc::Receiver<T>,
@ -50,6 +88,15 @@ impl<T: 'static> EventLoopWindowTarget<T> {

 pub struct EventLoop<T: 'static> {
    window_target: Rc<RootWindowTarget<T>>,
+    panic_info: Rc<PanicInfo>,
+
+    /// We make sure that the callback closure is dropped during a panic
+    /// by making the event loop own it.
+    ///
+    /// Every other reference should be a Weak reference which is only upgraded
+    /// into a strong reference in order to call the callback but then the
+    /// strong reference should be dropped as soon as possible.
+    _callback: Option<Rc<RefCell<dyn FnMut(Event<'_, T>, &RootWindowTarget<T>, &mut ControlFlow)>>>,
    _delegate: IdRef,
 }

@ -72,12 +119,15 @@ impl<T> EventLoop<T> {
            let _: () = msg_send![pool, drain];
            delegate
        };
-        setup_control_flow_observers();
+        let panic_info: Rc<PanicInfo> = Default::default();
+        setup_control_flow_observers(Rc::downgrade(&panic_info));
        EventLoop {
            window_target: Rc::new(RootWindowTarget {
                p: Default::default(),
                _marker: PhantomData,
            }),
+            panic_info,
+            _callback: None,
            _delegate: delegate,
        }
    }
@ -98,14 +148,37 @@ impl<T> EventLoop<T> {
    where
        F: FnMut(Event<'_, T>, &RootWindowTarget<T>, &mut ControlFlow),
    {
+        // This transmute is always safe, in case it was reached through `run`, since our
+        // lifetime will be already 'static. In other cases caller should ensure that all data
+        // they passed to callback will actually outlive it, some apps just can't move
+        // everything to event loop, so this is something that they should care about.
+        let callback = unsafe {
+            mem::transmute::<
+                Rc<RefCell<dyn FnMut(Event<'_, T>, &RootWindowTarget<T>, &mut ControlFlow)>>,
+                Rc<RefCell<dyn FnMut(Event<'_, T>, &RootWindowTarget<T>, &mut ControlFlow)>>,
+            >(Rc::new(RefCell::new(callback)))
+        };
+
+        self._callback = Some(Rc::clone(&callback));
+
        unsafe {
            let pool = NSAutoreleasePool::new(nil);
+            defer!(pool.drain());
            let app = NSApp();
            assert_ne!(app, nil);
-            AppState::set_callback(callback, Rc::clone(&self.window_target));
-            let _: () = msg_send![app, run];
+
+            // A bit of juggling with the callback references to make sure
+            // that `self.callback` is the only owner of the callback.
+            let weak_cb: Weak<_> = Rc::downgrade(&callback);
+            mem::drop(callback);
+
+            AppState::set_callback(weak_cb, Rc::clone(&self.window_target));
+            let () = msg_send![app, run];
+
+            if let Some(panic) = self.panic_info.take() {
+                resume_unwind(panic);
+            }
            AppState::exit();
-            pool.drain();
        }
    }

@ -114,6 +187,56 @@ impl<T> EventLoop<T> {
    }
 }

+#[inline]
+pub unsafe fn post_dummy_event(target: id) {
+    let event_class = class!(NSEvent);
+    let dummy_event: id = msg_send![
+        event_class,
+        otherEventWithType: NSApplicationDefined
+        location: NSPoint::new(0.0, 0.0)
+        modifierFlags: 0
+        timestamp: 0
+        windowNumber: 0
+        context: nil
+        subtype: 0
+        data1: 0
+        data2: 0
+    ];
+    let () = msg_send![target, postEvent: dummy_event atStart: YES];
+}
+
+/// Catches panics that happen inside `f` and when a panic
+/// happens, stops the `sharedApplication`
+#[inline]
+pub fn stop_app_on_panic<F: FnOnce() -> R + UnwindSafe, R>(
+    panic_info: Weak<PanicInfo>,
+    f: F,
+) -> Option<R> {
+    match catch_unwind(f) {
+        Ok(r) => Some(r),
+        Err(e) => {
+            // It's important that we set the panic before requesting a `stop`
+            // because some callback are still called during the `stop` message
+            // and we need to know in those callbacks if the application is currently
+            // panicking
+            {
+                let panic_info = panic_info.upgrade().unwrap();
+                panic_info.set_panic(e);
+            }
+            unsafe {
+                let app_class = class!(NSApplication);
+                let app: id = msg_send![app_class, sharedApplication];
+                let () = msg_send![app, stop: nil];
+
+                // Posting a dummy event to get `stop` to take effect immediately.
+                // See: https://stackoverflow.com/questions/48041279/stopping-the-nsapplication-main-event-loop/48064752#48064752
+                post_dummy_event(app);
+            }
+            None
+        }
+    }
+}
+
 pub struct Proxy<T> {
    sender: mpsc::Sender<T>,
    source: CFRunLoopSourceRef,