So Hubris on stm32 has a task called "sys" that handles a lot of common shared peripherals, like GPIO and clocking and reset.
One of the challenges on Hubris is that _parts_ of your application (like sys) can crash, and the other parts need to figure out how to deal with that.
Well, as of this afternoon, sys can't. As in, I have squashed the last potential panic, and turned on a switch that makes new panics into build errors.
I think this is neat.
cliffle
in reply to cliffle • • •I think it's impractical to require generated code to be totally free of panics in _all_ cases, because you wind up spending a lot of time proving that certain things are impossible to the compiler. Toolchain upgrades can make you do it all over again. So, in general, we let task code _contain_ panics in Hubris even if they should be unreachable.
But this component is so central and so relatively-simple that I'm giving this a shot.
cliffle
in reply to cliffle • • •If you'd like to read the horrible, horrible trick I used to disable panics entirely -- a thing Rust can't currently do -- start at line 1495 here: https://github.com/oxidecomputer/hubris/blob/master/sys/userlib/src/lib.rs#L1495-L1507
I stole this idea from @kupiakos for the record.
hubris/sys/userlib/src/lib.rs at master · oxidecomputer/hubris
GitHub