Adopt wasm-bindgen unwind safety enforcement #999

Open
guybedford wants to merge 1 commit into cloudflare:main from guybedford:unwind-safety-update

@guybedford
Collaborator

This adopts the unwind safety enforcement landed in wasm-bindgen/wasm-bindgen#5128, which adds MaybeUnwindSafe bounds on #[wasm_bindgen] exports and closure types so that types crossing the JS/Rust boundary under panic=unwind are explicitly unwind safe.

Picking up that change required updates in two dependencies, which propagate the bound through their public APIs:

Both are added here as submodules pointing at the corresponding fork branches and patched via [patch.crates-io] until the upstreams land and are published.

The durable object test fixtures (test/src/counter.rs, test/src/durable.rs) had RefCell<T> fields holding Copy primitives. These were refactored to Cell<T> wrapped in AssertUnwindSafe:

// before
count: RefCell<usize>,
*self.count.borrow_mut() += 10;
// after
count: AssertUnwindSafe<Cell<usize>>,
self.count.set(self.count.get() + 10);

Cell<T: Copy> is genuinely unwind safe in single-threaded wasm - every operation is an atomic move with no borrow guard to leave dangling - but the type system rejects it because UnsafeCell has a blanket negative RefUnwindSafe impl. AssertUnwindSafe is the narrow assertion scoped to just the interior-mutability fields rather than a blanket impl RefUnwindSafe on the durable object structs (which would also be asserting unwind safety on the State and Env fields we don't own).

Also adds a .cargo/config.toml URL replacement so transitive git deps fetched via SSH fall back to HTTPS, useful for cargo generate users without GitHub SSH set up.

Tested via npm run test-panic-unwind - the panic-unwind build now compiles cleanly and the existing test suite passes (one pre-existing rate_limit test failure unrelated to this change).

Update wasm-bindgen submodule to pick up unwind safety enforcement
on #[wasm_bindgen] exports (wasm-bindgen/wasm-bindgen#5128).

Add wasm-streams and gloo as submodules pointing at forks that
propagate unwind safety bounds through closures and timers. Patch
both via [patch.crates-io] so the worker crate compiles against the
new enforcement.

Refactor durable object test fixtures to use Cell wrapped in
AssertUnwindSafe, replacing RefCell. Cell is single-threaded safe
for Copy types because every operation is an atomic move with no
borrow guard to leave dangling; AssertUnwindSafe is the narrow,
honest assertion for the interior mutability fields without making
blanket promises about State/Env.

Add cargo url replacement so transitive git deps fetched via SSH
fall back to HTTPS for cargo generate users.
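
The Cell-in-AssertUnwindSafe pattern from the PR description above, as an added example that is not part of the pull request or the worker crate. `Counter`, `add_ten`, `requires_unwind_safe` and `panic_after_update` are hypothetical names, and std's `UnwindSafe`/`RefUnwindSafe` with `catch_unwind` stand in for the `MaybeUnwindSafe` bound, whose definition is not shown on this page.

```rust
use std::cell::Cell;
use std::panic::{self, AssertUnwindSafe, RefUnwindSafe, UnwindSafe};

// Hypothetical stand-in for a durable object fixture (not the worker crate's type).
struct Counter {
    // The assertion is scoped to the one interior-mutability field.
    count: AssertUnwindSafe<Cell<usize>>,
}

impl Counter {
    fn new() -> Self {
        Counter { count: AssertUnwindSafe(Cell::new(0)) }
    }

    // Same shape as the "after" snippet: whole-value get, then whole-value set.
    fn add_ten(&self) -> usize {
        self.count.set(self.count.get() + 10);
        self.count.get()
    }
}

// Compile-time check: only builds when T satisfies both std unwind-safety traits.
// Remove the AssertUnwindSafe wrapper above and this call stops compiling,
// because a bare Cell<usize> is not RefUnwindSafe.
fn requires_unwind_safe<T: UnwindSafe + RefUnwindSafe>(_: &T) {}

// Runs a closure that panics after updating the counter.
// Returns (whether it panicked, the count observed afterwards).
fn panic_after_update(counter: &Counter) -> (bool, usize) {
    // The closure captures &Counter and needs no wrapper of its own,
    // since Counter is RefUnwindSafe through its field.
    let result = panic::catch_unwind(|| {
        let n = counter.add_ten();
        if n > 0 {
            panic!("constructed failure after the update");
        }
    });
    (result.is_err(), counter.count.get())
}

fn main() {
    let counter = Counter::new();
    requires_unwind_safe(&counter);
    assert_eq!(counter.add_ten(), 10);
    // The panic message printed to stderr here is expected.
    let (panicked, count) = panic_after_update(&counter);
    println!("panicked={panicked} count={count}"); // panicked=true count=20
}
```
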

@codspeed-hq

codspeed-hq Bot commented May 14, 2026

Merging this PR will not alter performance

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

✅ 2 untouched benchmarks


Comparing guybedford:unwind-safety-update (f82adff) with main (fe8acaa)
