Same thing could happen due to bailing out of a function with a return, after checking some condition.
  if (bad_thing)
    return ERR_BAD_THING;
  ... code here to turn off controlled device ...
From my understanding from prior HN discussions, panic is paired with recover; it's a kind of typeless non-local jump and unwind mechanism which can be intercepted. If the device must be turned off, then any panics must be intercepted and code must be executed to put the device in that state.
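The following Go sketch is an added example, not part of the original comment. It shows the early-return hazard next to a version where a deferred shutdown runs on both early return and panic, with recover intercepting the panic. `Device`, `Unsafe`, `Safe` and `ErrBadThing` are hypothetical names chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Device is a hypothetical stand-in for the controlled hardware.
type Device struct{ On bool }

var ErrBadThing = errors.New("bad thing")

// Unsafe mirrors the snippet in the comment: the early return skips shutdown.
func Unsafe(d *Device, badThing bool) error {
	d.On = true
	if badThing {
		return ErrBadThing // device is left on
	}
	d.On = false
	return nil
}

// Safe registers the shutdown with defer, so it runs on normal return,
// on early return, and while a panic unwinds. recover then converts the
// panic into an error, after the device has already been turned off.
func Safe(d *Device, badThing, doPanic bool) (err error) {
	d.On = true
	defer func() {
		d.On = false
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	if badThing {
		return ErrBadThing
	}
	if doPanic {
		panic("controller fault")
	}
	return nil
}

func main() {
	d := &Device{}
	fmt.Println(Unsafe(d, true), d.On)
	fmt.Println(Safe(d, true, false), d.On)
	fmt.Println(Safe(d, false, true), d.On)
}
```

recover only intercepts panics raised in the same goroutine, and deferred functions do not run on `os.Exit` or on fatal runtime errors, so those paths need a separate fail-safe.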