Report allocation errors through the panic handler

[Amanieu]

Proposal

Problem statement

We currently use a completely separate mechanism to handle allocation errors (OOM) than panics, despite both of these being very similar. However both are very similar: they involve handling runtime failures that are generally unrecoverable. It would be better to unify them under a single mechanism which is already stable: panic handlers (no_std) and panic hooks (std).

Motivation, use-cases

This change has already been done for no_std in rust-lang/rust#66741: it was noticed that the vast majority of users of #[alloc_error_handler] were just calling panic anyways. This avoided the need to stabilize the alloc_error_handler attribute by defaulting to a panic if one was not specified.

The OOM hook API has also remained unstable for a very long time with no clear path to stabilization. The best way forward would be to unify it with the panic hook API just like it has been done in no_std.

Some use cases (firefox) still need access to the size of the failed allocation, so this is provided as a custom panic payload.

Solution sketches

// alloc::alloc

pub struct AllocErrorPanicPayload { .. }

impl AllocErrorPanicPayload {
    pub fn layout(&self) -> Layout;
}

This ACP proposes to make the following changes:

• Introduce the AllocErrorPanicPayload type which holds the Layout of a failed allocation.
• Make handle_alloc_error call the normal panic handler with a special payload of AllocErrorPanicPayload.
  • This can be observed by panic hooks with std or by the panic handler with no_std.
  • Unless -Zoom=panic is used, this is a non-unwinding panic: if the panic hook returns then the process is aborted. This maintains the current behavior of aborting on OOM by default.
• Remove the unstable alloc_error_hook std API (Tracking issue for the OOM hook (alloc_error_hook) rust#51245). Its job is now handled by panic hooks.
• Remove the unstable #[alloc_error_handler] attribute (Tracking issue for the #[alloc_error_handler] attribute (for no_std + liballoc) rust#51540) for no_std programs. Its job is now handled by #[panic_handler].

In the standard library, no additional allocations are made as part of the OOM handling process, except in 1 specific situation:

• With -Zoom=panic, if the panic hook returns then an allocation is necessary to box the payload and allocate an exception object. However it's not a big deal if this, fails, the process will simply abort immediately in that case.

Links and related work

Tracking issues that will be closed by this change:

• Tracking issue for the OOM hook (alloc_error_hook) rust#51245 alloc_error_hook
• Tracking issue for the #[alloc_error_handler] attribute (for no_std + liballoc) rust#51540 alloc_error_handler
  • Discussion about removing alloc_error_handler

What happens now?

This issue is part of the libs-api team API change proposal process. Once this issue is filed the libs-api team will review open proposals in its weekly meeting. You should receive feedback within a week or two.

[m-ou-se]

I don't think this is the right thing to do.

Currently, a (no-std) #[panic_handler] never gets a payload(), not even a &'static str or String, even for something as simple as panic!("hello"). Payloads are currently a std-only feature. It is true that one can call info.payload() in a #[panic_handler], but that's likely a mistake (see rust-lang/rust#115974). That method has never done anything useful in a panic handler. Currently, any time anyone implements a #[panic_handler] by downcasting a payload() they're just adding dead code: downcasting there always returns None.

So, I disagree this proposal is a way "to unify them under a single mechanism". &dyn Any panic payloads are currently a std-only feature, that just happens to also compile (but not work) in no-std.