Description
Spec-063 (/specs/063-worktree-subsystem/spec.md) documents that CwdRestoreGuard uses a RAII Drop impl to restore cwd after worktree operations, and states "This ensures restore happens on panic and cancellation, not just normal completion."
However, this guarantee does NOT hold when the binary is compiled with panic = "abort" (which is common for release profiles). With abort semantics the process terminates at the panic site without unwinding, so no Drop destructors run and the cwd restore will not execute on panic.
The spec and srs.md FR-CWD-03 should document this limitation and the mitigation strategy:
- Note that the RAII guarantee only holds for panic = "unwind"
- Document the expected behavior under panic = "abort" (no restoration, process terminates)
- Assess whether a panic = "unwind" override in the root Cargo.toml profile is appropriate, or whether the limitation is acceptable given that abort kills the process anyway
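To make the distinction concrete, the following is an added example written for this issue; it is not the project's CwdRestoreGuard, and the type name, the `enter` constructor, and the helper functions are assumptions. It shows a Drop-based cwd guard, verifies that a caught unwinding panic still restores the cwd, and exposes a compile-time check (cfg!(panic = "unwind")) that a spec-mandated assertion or startup log could use to detect builds where the guarantee does not hold.

```rust
use std::env;
use std::io;
use std::panic::{self, AssertUnwindSafe};
use std::path::{Path, PathBuf};

/// Illustrative RAII guard (assumption: modelled on the guard the spec
/// describes, not the project's own code). Captures the cwd at construction
/// and restores it in Drop.
pub struct CwdRestoreGuard {
    original: PathBuf,
}

impl CwdRestoreGuard {
    /// Switch into `dir`, remembering where we came from.
    pub fn enter(dir: &Path) -> io::Result<Self> {
        let original = env::current_dir()?;
        env::set_current_dir(dir)?;
        Ok(Self { original })
    }
}

impl Drop for CwdRestoreGuard {
    fn drop(&mut self) {
        // Runs on normal return and on an unwinding panic. Under
        // panic = "abort" the process is terminated before any destructor
        // runs, so this restore never happens.
        if let Err(e) = env::set_current_dir(&self.original) {
            eprintln!("CwdRestoreGuard: failed to restore cwd: {e}");
        }
    }
}

/// Run `op` inside `dir` under the guard and report (op_panicked, cwd_restored).
/// The panic is caught with catch_unwind, which only returns when the build
/// unwinds; with panic = "abort" the process would die inside `op`.
pub fn run_in_dir_and_check<F: FnOnce()>(dir: &Path, op: F) -> io::Result<(bool, bool)> {
    let before = env::current_dir()?;
    let result = panic::catch_unwind(AssertUnwindSafe(|| {
        let _guard = CwdRestoreGuard::enter(dir).expect("enter dir");
        op();
        // `_guard` drops here on normal completion, or during unwinding on panic.
    }));
    let after = env::current_dir()?;
    Ok((result.is_err(), after == before))
}

/// Compile-time check for the panic strategy. A spec-level mitigation could
/// assert on this (or log it) so that a panic = "abort" profile does not
/// silently void the Drop-based restore guarantee.
pub fn unwinding_enabled() -> bool {
    cfg!(panic = "unwind")
}

fn main() -> io::Result<()> {
    let tmp = env::temp_dir();
    let (panicked, restored) = run_in_dir_and_check(&tmp, || panic!("simulated failure"))?;
    println!("unwind build: {}", unwinding_enabled());
    println!("panicked: {panicked}, cwd restored: {restored}");
    Ok(())
}
```

Running this with the default profile prints a restored cwd after the simulated panic; building with panic = "abort" in the profile terminates the process at the panic and the second line is never reached, which is exactly the gap the spec text needs to spell out.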
Environment
- Files:
specs/063-worktree-subsystem/spec.md:222-223, specs/063-worktree-subsystem/srs.md:119
- This was flagged as gap A3 in CI-946 but no issue was filed at that time
- HEAD: e8ca5c0