failurepanic semantics in Rust are rather bad – destructors get called for all objects, which may contain subobjects that were currently mutably borrowed and are in an invalid state.
This unfortunately means that every object that can be mutably borrowed must be in a safe state on every possibly-panicking method.
For example, when a
PriorityQueue comparator fails, the queue is left in an invalid state, and further operations can potentially cause unsafety via out-of-bound array access.
Some people say that the best way to deal with this is to abolish unwinding. However, the situation isn’t as horrible as it seems, as the only reason to run destructors on failure is to release resources, and the kinds of resources that need manual release are (a) held by unsafe code and (b) traceable relatively easily, even through unwinding.
I would propose adding something an UnsafeFinalizer trait, that is unsafe to implement, and is run on panic in lieu of drop.