Remove -Zoom=panic #147725

bjorn3 · 2025-10-15T14:03:50Z

There are major questions remaining about the reentrancy that this allows. It doesn't have any users on github outside of a single project that uses it in a panic=abort project to show backtraces. It can still be emulated through #[alloc_error_handler] or set_alloc_error_hook depending on if you use the standard library or not. And finally it makes it harder to do various improvements to the allocator shim.

With this PR the sole remaining symbol in the allocator shim that is not effectively emulating weak symbols is the symbol that prevents skipping the allocator shim on stable even when it would otherwise be empty because libstd + #[global_allocator] is used.

Closes #43596
Fixes #126683

rustbot · 2025-10-15T14:03:53Z

The Miri subtree was changed

cc @rust-lang/miri

Some changes occurred in compiler/rustc_codegen_ssa

cc @WaffleLapkin

Some changes occurred in compiler/rustc_codegen_gcc

cc @antoyo, @GuillaumeGomez

rustbot · 2025-10-15T14:03:56Z

r? @lcnr

rustbot has assigned @lcnr.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

RalfJung · 2025-10-15T15:07:25Z

Cc @rust-lang/wg-allocators

library/std/src/alloc.rs

kornelski · 2025-10-15T18:19:53Z

I've been waiting for oom=panic to stabilize!!!

At Cloudflare we were waiting for ability to use it in servers. It was part of the RFC https://github.com/rust-lang/rfcs/blob/master/text/2116-alloc-me-maybe.md#user-profile-server. We currently aren't only because we use stable Rust, and have a ton of hacks in place already put in due to suffering from lack of this feature. In some places we do rely on panics from allocators not being totally UB any more.

Is removal of oom=panic removing just the convenience option, or is the goal to forbid unwinding on allocation failures completely? Will it be allowed to panic in alloc_error_handler or in global allocator functions? (and have it unwind whenever possible instead of always aborting?)

bjorn3 · 2025-10-15T18:48:14Z

You can still panic in the alloc error hook you register with std::alloc::set_alloc_error_hook with this PR (or the #[alloc_error_handler] if you don't use libstd). Any stabilization of this is blocked on the same reentrancy soundness questions as -Zoom=panic. The only allocation errors that set_alloc_error_hook doesn't cover that -Zoom=panic does is for allocations in code running before user code runs, but panics there can't be recovered from anyway.

bjorn3 · 2025-10-15T18:56:44Z

You can still panic in the alloc error hook you register with std::alloc::set_alloc_error_hook with this PR

In fact I changed the existing -Zoom=panic test to test this behavior: tests/ui/panics/alloc_error_hook-unwind.rs

bors · 2025-10-16T04:01:01Z

☔ The latest upstream changes (presumably #147745) made this pull request unmergeable. Please resolve the merge conflicts.

lcnr · 2025-10-16T09:14:37Z

r? @Amanieu maybe

CAD97 · 2025-10-16T15:49:40Z

Reducing the number of symbols used by the global allocation interface is a valid argument, and I do agree that it should be over extern "C" and not extern "C-unwind".

But the reentrancy concerns aren't a reason to remove oom panic support, because the same exact concerns still exist without oom panic, both panics within the allocator (that don't escape) and unwinds from the alloc (error) handler.

Personally I think handling (non-pre-main) OOM through the same panic machinery as standard code panics is the correct thing to do for global general purpose "infallible" allocations, since it's the same general style of "allegedly impossible" error, but I can see logic in saying it's notable enough to use its own specialized machinery, instead of the heavily generic and indirected panic machinery.

Consider this a neutral vote from me, I suppose.

bjorn3 · 2025-10-16T18:22:37Z

By the way the awkward thing with -Zoom is that only the -Zoom value in the crate where we happen to codegen the allocator shim matters. This for example means that -Zoom=panic doesn't have any effect when using -Cprefer-dynamic and has unpredictable behavior when you don't compile everything with the same -Zoom value, while set_alloc_error_hook always works.

hanna-kruppe · 2025-10-19T14:02:48Z

But the reentrancy concerns aren't a reason to remove oom panic support, because the same exact concerns still exist without oom panic, both panics within the allocator (that don't escape) and unwinds from the alloc (error) handler.

Reentrancy from panics within the allocator logic are indeed a tough problem but seem unrelated to OOM since you can already cause reentrancy today by allocating (or calling other non-reentrant code that’s using the allocator) in the panic hook or panic handler. I found such an issue in dlmalloc and I’d be surprised if any other allocator implemented in Rust didn’t have similar issues.

Panicking from the alloc error handler or the allocator shim is less problematic for the allocator because at least that’s after all the allocator’s own code has returned (a null pointer) normally. But the rest of the world that’s using the allocator has to deal with the potential reentrancy.

bjorn3 · 2025-10-20T09:10:00Z

Reentrancy from panics within the allocator logic are indeed a tough problem but seem unrelated to OOM since you can already cause reentrancy today by allocating (or calling other non-reentrant code that’s using the allocator) in the panic hook or panic handler.

The global allocator is #[rustc_nounwind], so even if the global allocator itself panics that should abort during unwinding. If the panic hook can unwind however that would provide a path to unwind out of allocating code even when said code expects not to be unwound out of. Now that I think about it, I believe we do run the panic hook when the global allocator panics, so that is still reentrancy even if you can't unwind out of the global allocator.

In any case I don't think the reentrancy issue is all that relevant to this PR. It is an explanation why neither -Zoom=panic nor set_alloc_error_hook are stable, but this PR doesn't remove any functionality. It just requires you to change how exactly you enable panics on allocation failure (using set_alloc_error_hook instead of -Zoom=panic).

RalfJung · 2025-10-20T09:45:43Z

set_alloc_error_hook is global mutable state where libraries can clobber each other's hooks... so just as an interface, -Zoom=panic does seem somewhat nicer.

There are major questions remaining about the reentrancy that this allows. It doesn't have any users on github outside of a single project that uses it in a panic=abort project to show backtraces. It can still be emulated through #[alloc_error_handler] or set_alloc_error_hook depending on if you use the standard library or not. And finally it makes it harder to do various improvements to the allocator shim.

rustbot · 2025-11-28T19:31:27Z

This PR was rebased onto a different main commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

Show backtrace on allocation failures when possible And if an allocation while printing the backtrace fails, don't try to print another backtrace as that will never succeed. Split out of rust-lang/rust#147725 to allow landing this independently of a decision whether or not to remove `-Zoom=panic`.

Amanieu · 2025-12-09T18:05:20Z

This was discussed in the @rust-lang/libs-api meeting. It seems like the way forward is likely going to be removing both -Zoom=panic and alloc_error_hook in favor of just allowing users to override the default #[alloc_error_handler] that is provided by the standard library.

@bors r+

bors · 2025-12-09T18:05:24Z

📌 Commit 8f55c15 has been approved by Amanieu

It is now in the queue for this repository.

Remove -Zoom=panic There are major questions remaining about the reentrancy that this allows. It doesn't have any users on github outside of a single project that uses it in a panic=abort project to show backtraces. It can still be emulated through `#[alloc_error_handler]` or `set_alloc_error_hook` depending on if you use the standard library or not. And finally it makes it harder to do various improvements to the allocator shim. With this PR the sole remaining symbol in the allocator shim that is not effectively emulating weak symbols is the symbol that prevents skipping the allocator shim on stable even when it would otherwise be empty because libstd + `#[global_allocator]` is used. Closes rust-lang#43596 Fixes rust-lang#126683

Rollup of 6 pull requests Successful merges: - #147602 (Deduplicate higher-ranked lifetime capture errors in impl Trait) - #147725 (Remove -Zoom=panic) - #148491 ( Correctly provide suggestions when encountering `async fn` with a `dyn Trait` return type) - #148717 (Point at span within local macros even when error happens in nested external macro) - #149458 (Run clippy on cg_gcc in CI) - #149816 (Make typo in field and name suggestions verbose) r? `@ghost` `@rustbot` modify labels: rollup

Remove -Zoom=panic There are major questions remaining about the reentrancy that this allows. It doesn't have any users on github outside of a single project that uses it in a panic=abort project to show backtraces. It can still be emulated through `#[alloc_error_handler]` or `set_alloc_error_hook` depending on if you use the standard library or not. And finally it makes it harder to do various improvements to the allocator shim. With this PR the sole remaining symbol in the allocator shim that is not effectively emulating weak symbols is the symbol that prevents skipping the allocator shim on stable even when it would otherwise be empty because libstd + `#[global_allocator]` is used. Closes rust-lang#43596 Fixes rust-lang#126683

Rollup of 12 pull requests Successful merges: - #147602 (Deduplicate higher-ranked lifetime capture errors in impl Trait) - #147725 (Remove -Zoom=panic) - #148294 (callconv: fix mips64 aggregate argument passing for C FFI) - #148491 ( Correctly provide suggestions when encountering `async fn` with a `dyn Trait` return type) - #149417 (tidy: Detect outdated workspaces in workspace list) - #149458 (Run clippy on cg_gcc in CI) - #149679 (Restrict spe_acc to PowerPC SPE targets) - #149781 (Don't suggest wrapping attr in unsafe if it may come from proc macro) - #149795 (Use `let`...`else` instead of `match foo { ... _ => return };` and `if let ... else return` in std) - #149816 (Make typo in field and name suggestions verbose) - #149824 (Add a regression test for issue 145748) - #149826 (compiletest: tidy up `adb_path`/`adb_test_dir` handling) r? `@ghost` `@rustbot` modify labels: rollup

Rollup of 10 pull requests Successful merges: - #147725 (Remove -Zoom=panic) - #148294 (callconv: fix mips64 aggregate argument passing for C FFI) - #148491 ( Correctly provide suggestions when encountering `async fn` with a `dyn Trait` return type) - #149458 (Run clippy on cg_gcc in CI) - #149679 (Restrict spe_acc to PowerPC SPE targets) - #149781 (Don't suggest wrapping attr in unsafe if it may come from proc macro) - #149795 (Use `let`...`else` instead of `match foo { ... _ => return };` and `if let ... else return` in std) - #149816 (Make typo in field and name suggestions verbose) - #149824 (Add a regression test for issue 145748) - #149826 (compiletest: tidy up `adb_path`/`adb_test_dir` handling) r? `@ghost` `@rustbot` modify labels: rollup

Show backtrace on allocation failures when possible And if an allocation while printing the backtrace fails, don't try to print another backtrace as that will never succeed. Split out of rust-lang/rust#147725 to allow landing this independently of a decision whether or not to remove `-Zoom=panic`.

Show backtrace on allocation failures when possible And if an allocation while printing the backtrace fails, don't try to print another backtrace as that will never succeed. Split out of rust-lang#147725 to allow landing this independently of a decision whether or not to remove `-Zoom=panic`.

Rollup merge of #147725 - bjorn3:remove_oom_panic, r=Amanieu Remove -Zoom=panic There are major questions remaining about the reentrancy that this allows. It doesn't have any users on github outside of a single project that uses it in a panic=abort project to show backtraces. It can still be emulated through `#[alloc_error_handler]` or `set_alloc_error_hook` depending on if you use the standard library or not. And finally it makes it harder to do various improvements to the allocator shim. With this PR the sole remaining symbol in the allocator shim that is not effectively emulating weak symbols is the symbol that prevents skipping the allocator shim on stable even when it would otherwise be empty because libstd + `#[global_allocator]` is used. Closes #43596 Fixes #126683

Rollup of 10 pull requests Successful merges: - rust-lang/rust#147725 (Remove -Zoom=panic) - rust-lang/rust#148294 (callconv: fix mips64 aggregate argument passing for C FFI) - rust-lang/rust#148491 ( Correctly provide suggestions when encountering `async fn` with a `dyn Trait` return type) - rust-lang/rust#149458 (Run clippy on cg_gcc in CI) - rust-lang/rust#149679 (Restrict spe_acc to PowerPC SPE targets) - rust-lang/rust#149781 (Don't suggest wrapping attr in unsafe if it may come from proc macro) - rust-lang/rust#149795 (Use `let`...`else` instead of `match foo { ... _ => return };` and `if let ... else return` in std) - rust-lang/rust#149816 (Make typo in field and name suggestions verbose) - rust-lang/rust#149824 (Add a regression test for issue 145748) - rust-lang/rust#149826 (compiletest: tidy up `adb_path`/`adb_test_dir` handling) r? `@ghost` `@rustbot` modify labels: rollup

rustbot added A-LLVM Area: Code generation parts specific to LLVM. Both correctness bugs and optimization-related issues. S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Oct 15, 2025

rustbot assigned lcnr Oct 15, 2025

rustbot added T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Oct 15, 2025

This comment has been minimized.

Sign in to view

bjorn3 force-pushed the remove_oom_panic branch from 0bdf920 to c159b2b Compare October 15, 2025 14:22

This comment has been minimized.

Sign in to view

This was referenced Oct 15, 2025

-Zoom=panic double panic due to panicking allocating #126683

Closed

Tracking issue for oom=panic (RFC 2116) #43596

Closed

bjorn3 force-pushed the remove_oom_panic branch from c159b2b to 8800809 Compare October 15, 2025 15:05

RalfJung reviewed Oct 15, 2025

View reviewed changes

library/std/src/alloc.rs Outdated Show resolved Hide resolved

rustbot assigned Amanieu and unassigned lcnr Oct 16, 2025

bjorn3 force-pushed the remove_oom_panic branch from 05a4290 to 0c3cdac Compare October 16, 2025 13:48

This comment has been minimized.

Sign in to view

bjorn3 force-pushed the remove_oom_panic branch from 7147dbb to 8f55c15 Compare November 28, 2025 19:31

Amanieu added the I-libs-api-nominated Nominated for discussion during a libs-api team meeting. label Dec 9, 2025

bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Dec 9, 2025

Amanieu removed the I-libs-api-nominated Nominated for discussion during a libs-api team meeting. label Dec 9, 2025

matthiaskrgr mentioned this pull request Dec 9, 2025

Rollup of 6 pull requests #149820

Closed

Zalathar mentioned this pull request Dec 10, 2025

Rollup of 13 pull requests #149828

Closed

Zalathar mentioned this pull request Dec 10, 2025

Rollup of 12 pull requests #149830

Closed

matthiaskrgr mentioned this pull request Dec 10, 2025

Rollup of 10 pull requests #149836

Merged

bors merged commit 6078dd3 into rust-lang:main Dec 10, 2025
11 checks passed

rustbot added this to the 1.94.0 milestone Dec 10, 2025

github-actions bot mentioned this pull request Dec 12, 2025

Toolchain upgrade to nightly-2025-12-11 flux-rs/flux#1345

Draft

Uh oh!

Remove -Zoom=panic #147725

Remove -Zoom=panic #147725

Uh oh!

Conversation

bjorn3 commented Oct 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

rustbot commented Oct 15, 2025

Uh oh!

rustbot commented Oct 15, 2025

Uh oh!

This comment has been minimized.

This comment has been minimized.

RalfJung commented Oct 15, 2025

Uh oh!

Uh oh!

kornelski commented Oct 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bjorn3 commented Oct 15, 2025

Uh oh!

bjorn3 commented Oct 15, 2025

Uh oh!

bors commented Oct 16, 2025

Uh oh!

lcnr commented Oct 16, 2025

Uh oh!

This comment has been minimized.

This comment has been minimized.

CAD97 commented Oct 16, 2025

Uh oh!

bjorn3 commented Oct 16, 2025

Uh oh!

hanna-kruppe commented Oct 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bjorn3 commented Oct 20, 2025

Uh oh!

RalfJung commented Oct 20, 2025

Uh oh!

rustbot commented Nov 28, 2025

Uh oh!

Amanieu commented Dec 9, 2025

Uh oh!

bors commented Dec 9, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

10 participants

bjorn3 commented Oct 15, 2025 •

edited

Loading

kornelski commented Oct 15, 2025 •

edited

Loading

hanna-kruppe commented Oct 19, 2025 •

edited

Loading