Skip to content

Remove -Zoom=panic #147725

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Remove -Zoom=panic #147725

wants to merge 3 commits into from
+136 −239

Conversation

bjorn3
Copy link
Member

@bjorn3 bjorn3 commented Oct 15, 2025
edited
Loading

There are major questions remaining about the reentrancy that this allows. It doesn't have any users on github outside of a single project that uses it in a panic=abort project to show backtraces. It can still be emulated through #[alloc_error_handler] or set_alloc_error_hook depending on if you use the standard library or not. And finally it makes it harder to do various improvements to the allocator shim.

This also adds support for showing backtraces on the first call of the libstd alloc error handler to satisfy the needs of this single project on github that uses it and because it seems generally useful to have. If an allocation while printing the backtrace fails, we don't try to print another backtrace as that will never succeed.

With this PR the sole remaining symbol in the allocator shim that is not effectively emulating weak symbols is the symbol that prevents skipping the allocator shim on stable even when it would otherwise be empty because libstd + #[global_allocator] is used.

Closes #43596
Fixes #126683

@rustbot
Copy link
Collaborator

rustbot commented Oct 15, 2025

The Miri subtree was changed

cc @rust-lang/miri

Some changes occurred in compiler/rustc_codegen_ssa

cc @WaffleLapkin

Some changes occurred in compiler/rustc_codegen_gcc

cc @antoyo, @GuillaumeGomez

@rustbot rustbot added A-LLVM Area: Code generation parts specific to LLVM. Both correctness bugs and optimization-related issues. S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Oct 15, 2025
@rustbot rustbot added T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Oct 15, 2025
@rustbot
Copy link
Collaborator

rustbot commented Oct 15, 2025

r? @lcnr

rustbot has assigned @lcnr.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rust-log-analyzer

This comment has been minimized.

Sign in to view
@rust-log-analyzer

This comment has been minimized.

Sign in to view
This was referenced Oct 15, 2025
Open
Open
@RalfJung
Copy link
Member

Cc @rust-lang/wg-allocators

RalfJung
RalfJung reviewed Oct 15, 2025
View reviewed changes
@kornelski
Copy link
Contributor

kornelski commented Oct 15, 2025
edited
Loading

I've been waiting for oom=panic to stabilize!!!

At Cloudflare we were waiting for ability to use it in servers. It was part of the RFC https://github.com/rust-lang/rfcs/blob/master/text/2116-alloc-me-maybe.md#user-profile-server. We currently aren't only because we use stable Rust, and have a ton of hacks in place already put in due to suffering from lack of this feature. In some places we do rely on panics from allocators not being totally UB any more.

Is removal of oom=panic removing just the convenience option, or is the goal to forbid unwinding on allocation failures completely? Will it be allowed to panic in alloc_error_handler or in global allocator functions? (and have it unwind whenever possible instead of always aborting?)

@bjorn3
Copy link
Member Author

bjorn3 commented Oct 15, 2025

You can still panic in the alloc error hook you register with std::alloc::set_alloc_error_hook with this PR (or the #[alloc_error_handler] if you don't use libstd). Any stabilization of this is blocked on the same reentrancy soundness questions as -Zoom=panic. The only allocation errors that set_alloc_error_hook doesn't cover that -Zoom=panic does is for allocations in code running before user code runs, but panics there can't be recovered from anyway.

@bjorn3
Copy link
Member Author

bjorn3 commented Oct 15, 2025

You can still panic in the alloc error hook you register with std::alloc::set_alloc_error_hook with this PR

In fact I changed the existing -Zoom=panic test to test this behavior: tests/ui/panics/alloc_error_hook-unwind.rs

@bors
Copy link
Collaborator

bors commented Oct 16, 2025

☔ The latest upstream changes (presumably #147745) made this pull request unmergeable. Please resolve the merge conflicts.

@lcnr
Copy link
Contributor

lcnr commented Oct 16, 2025

r? @Amanieu maybe

@rustbot rustbot assigned Amanieu and unassigned lcnr Oct 16, 2025
bjorn3 added 3 commits October 16, 2025 13:47
@bjorn3
Remove -Zoom=panic
2012b73 
There are major questions remaining about the reentrancy that this
allows. It doesn't have any users on github outside of a single project
that uses it in a panic=abort project to show backtraces. It
can still be emulated through #[alloc_error_handler] or
set_alloc_error_hook depending on if you use the standard library or
not. And finally it makes it harder to do various improvements to the
allocator shim.
@bjorn3
Show backtrace on allocation failures when possible
6f46c85
@bjorn3
Update message for double allocation error
0c3cdac
@rustbot
Copy link
Collaborator

rustbot commented Oct 16, 2025

This PR was rebased onto a different master commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

@rust-log-analyzer
Copy link
Collaborator

The job x86_64-gnu-tools failed! Check out the build log: (web) (plain enhanced) (plain)

Click to see the possible cause of the failure (guessed by this bot) 
[WARNING] `tests/rustdoc-gui/search-result-display.goml` line 39: Delta is 0 for "x", maybe try to use `compare-elements-position` instead?

======== tests/rustdoc-gui/settings-button.goml ========

`tests/rustdoc-gui/settings-button.goml` settings-button output:
Waiting failed: 30000ms exceeded
stack: TimeoutError: Waiting failed: 30000ms exceeded
    at new WaitTask (/checkout/obj/build/x86_64-unknown-linux-gnu/test/rustdoc-gui/node_modules/puppeteer-core/lib/cjs/puppeteer/common/WaitTask.js:50:34)
    at IsolatedWorld.waitForFunction (/checkout/obj/build/x86_64-unknown-linux-gnu/test/rustdoc-gui/node_modules/puppeteer-core/lib/cjs/puppeteer/api/Realm.js:25:26)
    at CdpFrame.waitForFunction (/checkout/obj/build/x86_64-unknown-linux-gnu/test/rustdoc-gui/node_modules/puppeteer-core/lib/cjs/puppeteer/api/Frame.js:561:43)
    at CdpFrame.<anonymous> (/checkout/obj/build/x86_64-unknown-linux-gnu/test/rustdoc-gui/node_modules/puppeteer-core/lib/cjs/puppeteer/util/decorators.js:98:27)
    at CdpPage.waitForFunction (/checkout/obj/build/x86_64-unknown-linux-gnu/test/rustdoc-gui/node_modules/puppeteer-core/lib/cjs/puppeteer/api/Page.js:1366:37)
    at runAllCommands (/checkout/obj/build/x86_64-unknown-linux-gnu/test/rustdoc-gui/node_modules/browser-ui-test/src/index.js:418:28)
    at async innerRunTestCode (/checkout/obj/build/x86_64-unknown-linux-gnu/test/rustdoc-gui/node_modules/browser-ui-test/src/index.js:696:21)
    at async innerRunTests (/checkout/obj/build/x86_64-unknown-linux-gnu/test/rustdoc-gui/node_modules/browser-ui-test/src/index.js:633:17)
    at async runTests (/checkout/obj/build/x86_64-unknown-linux-gnu/test/rustdoc-gui/node_modules/browser-ui-test/src/index.js:824:27)



<= doc-ui tests done: 142 succeeded, 1 failed, 0 filtered out

@CAD97
Copy link
Contributor

CAD97 commented Oct 16, 2025

Reducing the number of symbols used by the global allocation interface is a valid argument, and I do agree that it should be over extern "C" and not extern "C-unwind".

But the reentrancy concerns aren't a reason to remove oom panic support, because the same exact concerns still exist without oom panic, both panics within the allocator (that don't escape) and unwinds from the alloc (error) handler.

Personally I think handling (non-pre-main) OOM through the same panic machinery as standard code panics is the correct thing to do for global general purpose "infallible" allocations, since it's the same general style of "allegedly impossible" error, but I can see logic in saying it's notable enough to use its own specialized machinery, instead of the heavily generic and indirected panic machinery.

Consider this a neutral vote from me, I suppose.

@bjorn3
Copy link
Member Author

bjorn3 commented Oct 16, 2025

By the way the awkward thing with -Zoom is that only the -Zoom value in the crate where we happen to codegen the allocator shim matters. This for example means that -Zoom=panic doesn't have any effect when using -Cprefer-dynamic and has unpredictable behavior when you don't compile everything with the same -Zoom value, while set_alloc_error_hook always works.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RalfJung RalfJung RalfJung left review comments

Assignees

@Amanieu Amanieu

Labels

A-LLVM Area: Code generation parts specific to LLVM. Both correctness bugs and optimization-related issues. S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-libs Relevant to the library team, which will review and decide on the PR/issue.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

-Zoom=panic double panic due to panicking allocating Tracking issue for oom=panic (RFC 2116)

9 participants

@bjorn3 @rustbot @rust-log-analyzer @RalfJung @kornelski @bors @lcnr @CAD97 @Amanieu