//! Panic boundary for Rust closures invoked from Lean.
//!
//! Rust panics must not unwind across C or Lean frames (see
//! `docs/architecture/01-safety-model.md`, "Panic discipline"). The
//! [`catch_callback_panic`] helper wraps a closure that may be called by
//! Lean, contains any panic via [`std::panic::catch_unwind`], and renders
//! the payload as a [`LeanError::Host`] with [`super::HostStage::CallbackPanic`]
//! and code [`super::LeanDiagnosticCode::Internal`].
//!
//! The contained-and-converted mode is the only mode this crate
//! offers; an explicit-abort mode (panic-the-process when a callback
//! panics) is not part of the public discipline today. The unit-test
//! suite in `crate::error::tests` exercises both the panic-payload
//! rendering and the diagnostic-code projection.
use ;
use ;
/// Run `f` and return its result; if `f` panics, contain the panic and
/// return [`LeanError::callback_panic`] (code
/// [`super::LeanDiagnosticCode::Internal`], stage
/// [`super::HostStage::CallbackPanic`]).
///
/// `AssertUnwindSafe` is required because [`LeanResult`] does not
/// implement [`UnwindSafe`] (it can carry interior types that do not).
/// The closure is expected to do its Rust-only work before it mutates
/// any Lean state: if a callback panics halfway through updating
/// Lean-owned data, the recovery here cannot restore that state.
///
/// [`UnwindSafe`]: std::panic::UnwindSafe
pub
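The contain-and-convert boundary described above, as an added stand-alone example that is not the crate's own code: the `LeanError`, `HostStage`, `LeanDiagnosticCode` and `LeanResult` definitions are minimal stand-ins modelled on the names in the module docs (an assumption), and the payload rendering distinguishes `&'static str`, `String` and other panic payloads.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};

// Stand-in types (assumption): minimal shapes modelled on the names the
// module docs use; the real crate's definitions are not on this page.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum HostStage { CallbackPanic }

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum LeanDiagnosticCode { Internal }

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum LeanError {
    Host { stage: HostStage, code: LeanDiagnosticCode, message: String },
}

pub type LeanResult<T> = Result<T, LeanError>;

impl LeanError {
    /// Render a caught panic payload: `&'static str` (literal `panic!`)
    /// and `String` (formatted `panic!`) keep their text; anything else
    /// (e.g. `panic_any(5u8)`) gets a fixed description.
    pub fn callback_panic(payload: Box<dyn std::any::Any + Send>) -> Self {
        let message = if let Some(s) = payload.downcast_ref::<&'static str>() {
            (*s).to_string()
        } else if let Some(s) = payload.downcast_ref::<String>() {
            s.clone()
        } else {
            "non-string panic payload".to_string()
        };
        LeanError::Host { stage: HostStage::CallbackPanic, code: LeanDiagnosticCode::Internal, message }
    }
}

/// Run `f`; a panic inside it is contained and converted to an error
/// instead of unwinding into the C/Lean caller's frames.
pub fn catch_callback_panic<T>(f: impl FnOnce() -> LeanResult<T>) -> LeanResult<T> {
    // AssertUnwindSafe: LeanResult<T> need not be UnwindSafe; the caller
    // must ensure no Lean-owned state is half-updated when `f` panics.
    match catch_unwind(AssertUnwindSafe(f)) {
        Ok(result) => result,
        Err(payload) => Err(LeanError::callback_panic(payload)),
    }
}

// Demonstrations: a normal result passes through; each panic kind is converted.
pub fn demo_ok() -> LeanResult<u32> { catch_callback_panic(|| Ok(41 + 1)) }
pub fn demo_string_panic() -> LeanResult<u32> { catch_callback_panic(|| panic!("callback failed: {}", 7)) }
pub fn demo_str_panic() -> LeanResult<u32> { catch_callback_panic(|| panic!("bad index")) }
pub fn demo_any_panic() -> LeanResult<u32> { catch_callback_panic(|| std::panic::panic_any(5u8)) }
```

The default panic hook still prints each panic message to stderr; only the unwinding is stopped at the boundary.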