Bug: 175299806



A Rust attribute macro to require that the compiler prove a function can't ever panic.

[dependencies]
no-panic = "0.1"
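use no_panic::no_panic;

// The attribute makes the build fail unless the compiler proves `demo` cannot panic.
#[no_panic]
fn demo(s: &str) -> &str {
    &s[1..]
}

fn main() {
    println!("{}", demo("input string"));
}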

If the function does panic (or the compiler fails to prove that the function cannot panic), the program fails to compile with a linker error that identifies the function name. Let's trigger that by passing a string that cannot be sliced at the first byte:

fn main() {
    println!("{}", demo("\u{1f980}input string"));
}

   Compiling no-panic-demo v0.0.1
error: linking with `cc` failed: exit code: 1
  = note: /no-panic-demo/target/release/deps/no_panic_demo-7170785b672ae322.no_p
anic_demo1-cba7f4b666ccdbcbbf02b7348e5df1b2.rs.rcgu.o: In function `_$LT$no_pani
3002b8d9fE+0x2): undefined reference to `

          ERROR[no-panic]: detected panic in function `demo`
          collect2: error: ld returned 1 exit status

The error is not stellar but notice the ERROR[no-panic] part at the end that provides the name of the offending function.


  • Functions that require some amount of optimization to prove that they do not panic may no longer compile in debug mode after being marked #[no_panic].

  • Panic detection happens at link time across the entire dependency graph, so any Cargo commands that do not invoke a linker will not trigger panic detection. This includes cargo build of library crates and cargo check of binary and library crates.

  • The attribute is useless in code built with panic = "abort".

If you find that code requires optimization to pass #[no_panic], either make no-panic an optional dependency that you only enable in release builds, or add a section like the following to Cargo.toml to enable very basic optimization in debug builds.

[profile.dev]
opt-level = 1
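The other option named above, an optional dependency, can be wired up with `cfg_attr` so the attribute is applied only when the feature is enabled. This is an added example, not code from the no-panic README: it rewrites the page's `demo` in two forms that have no panicking path in source (whether the optimizer proves that is exactly what `#[no_panic]` checks). The function names and the `optional = true` dependency declaration shown in the comment are assumptions.

```rust
// Cargo.toml (assumed for this example):
//   [dependencies]
//   no-panic = { version = "0.1", optional = true }
// Build with the check on: cargo build --release --features no-panic

/// Byte-offset variant of the page's `demo`: returns None instead of
/// panicking when byte 1 is past the end or not a UTF-8 char boundary.
#[cfg_attr(feature = "no-panic", no_panic::no_panic)]
fn demo_checked(s: &str) -> Option<&str> {
    s.get(1..)
}

/// Character variant: drops the first whole character, however many
/// bytes it occupies, so it never slices inside a code point.
#[cfg_attr(feature = "no-panic", no_panic::no_panic)]
fn demo_skip_char(s: &str) -> &str {
    let mut chars = s.chars();
    chars.next(); // consume one char; no-op on an empty string
    chars.as_str()
}

fn main() {
    // The two inputs used on the page, plus the empty string.
    for input in ["input string", "\u{1f980}input string", ""] {
        println!(
            "{:?} -> {:?} / {:?}",
            input,
            demo_checked(input),
            demo_skip_char(input)
        );
    }
}
```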

If the code that you need to prove isn't panicking makes function calls to non-generic non-inline functions from a different crate, you may need thin LTO enabled for the linker to deduce those do not panic.

[profile.release]
lto = "thin"

If you want no_panic to just assume that some function you call doesn't panic, and get Undefined Behavior if it does at runtime, see dtolnay/no-panic#16; try wrapping that call in an unsafe extern "C" wrapper.


The linker error technique is based on Kixunil's crate dont_panic. Check out that crate for other convenient ways to require absence of panics.