Design rationale: why uncaught panics in threads don't abort?

FWIW, this would break the entire design of docs.rs. If a panic in one thread crashes the whole server, we'd be up less than a day. I wrote more about this in https://news.ycombinator.com/item?id=22938712.

I'm fine with having this opt-in, but it should definitely not be the default.

Note also that we can't use catch_unwind because the threads are launched through a framework we don't have control over. We've been meaning to switch away, but it's a long-term project - making this the default would force us to pin an old version of Rust.

Out of interest... You have a bunch of okay-to-panic-and-die threads. How isolated is each of these threads from the rest of the server?

Very isolated. We have no mutexes or shared state other than a database pool. I'm not sure how the pool is implemented under the hood but the worst I foresee happening is a database connection getting leaked.

https://github.com/rust-lang/docs.rs/blob/master/src/db/pool.rs#L52, https://docs.rs/r2d2/0.8.9/src/r2d2/lib.rs.html#456, https://docs.rs/r2d2/0.8.9/src/r2d2/lib.rs.html#611-618
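The two mechanisms this thread touches on, a worker thread that panics without taking the process down (the current default the first reply relies on) and `catch_unwind` for a thread whose body you do control, can be seen side by side in the small added example below. It is not code from docs.rs or from any poster here; `run_isolated`, `run_guarded` and `panic_message` are names chosen for the illustration, and it assumes the default `panic = "unwind"` profile, since under `panic = "abort"` neither path can recover.

```rust
use std::panic;
use std::thread;

/// Run `job` on its own thread and report whether it panicked instead of
/// letting the panic escape. `JoinHandle::join` returns `Err(payload)` when
/// the thread unwound, so the calling thread keeps running. (Illustrative
/// helper, not part of the original thread.)
fn run_isolated<F>(job: F) -> Result<u32, String>
where
    F: FnOnce() -> u32 + Send + 'static,
{
    let handle = thread::spawn(job);
    match handle.join() {
        Ok(value) => Ok(value),
        Err(payload) => Err(panic_message(&payload)),
    }
}

/// Pull a readable message out of a panic payload. `panic!("literal")`
/// carries a `&'static str`; formatted panics carry a `String`.
fn panic_message(payload: &Box<dyn std::any::Any + Send>) -> String {
    if let Some(s) = payload.downcast_ref::<&str>() {
        s.to_string()
    } else if let Some(s) = payload.downcast_ref::<String>() {
        s.clone()
    } else {
        "non-string panic payload".to_string()
    }
}

/// The same containment inside a thread you control: `catch_unwind` turns
/// the unwind into an `Err` at the boundary you choose. This is the option
/// the docs.rs reply says is unavailable to them because the framework
/// spawns the threads.
fn run_guarded<F>(job: F) -> Result<u32, String>
where
    F: FnOnce() -> u32 + panic::UnwindSafe,
{
    panic::catch_unwind(job).map_err(|payload| panic_message(&payload))
}

fn main() {
    // Silence the default hook so the demo output is just the results.
    panic::set_hook(Box::new(|_| {}));

    println!("{:?}", run_isolated(|| 40 + 2));
    println!("{:?}", run_isolated(|| panic!("request handler failed")));
    println!("{:?}", run_guarded(|| 7));
    println!("{:?}", run_guarded(|| panic!("bad input")));
    println!("main thread still alive");
}
```

The part a reviewer would check is what sits on the other side of the boundary: a panic that unwinds through a `MutexGuard` poisons the mutex, and one that unwinds through a checked-out pool connection relies on the pool's `Drop` to return or discard it, which is exactly the "worst case is a leaked connection" reasoning in the reply above.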
