Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stabilize target_feature_11 #116114

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

calebzulawski
Copy link
Member

Stabilization report

This is a redo of #99767. Most of this commit and report were copied from that PR. Thanks @LeSeulArtichaut!

Summary

Allows for safe functions to be marked with #[target_feature] attributes.

Functions marked with #[target_feature] are generally considered as unsafe functions: they are unsafe to call, cannot be assigned to safe function pointers, and don't implement the Fn* traits.

However, calling them from other #[target_feature] functions with a superset of features is safe.

// Demonstration function
#[target_feature(enable = "avx2")]
fn avx2() {}

fn foo() {
    // Calling `avx2` here is unsafe, as we must ensure
    // that AVX is available first.
    unsafe {
        avx2();
    }
}

#[target_feature(enable = "avx2")]
fn bar() {
    // Calling `avx2` here is safe.
    avx2();
}

Test cases

Tests for this feature can be found in src/test/ui/rfcs/rfc-2396-target_feature-11/.

Edge cases

Closures

Closures defined inside functions marked with #[target_feature] inherit the target features of their parent function. They can still be assigned to safe function pointers and implement the appropriate Fn* traits.

#[target_feature(enable = "avx2")]
fn qux() {
    let my_closure = || avx2(); // this call to `avx2` is safe
    let f: fn() = my_closure;
}

This means that in order to call a function with #[target_feature], you must show that the target-feature is available while the function executes and for as long as whatever may escape from that function lives.

Closures accept #[inline(always)], even within functions marked with #[target_feature]. Since these attributes conflict, #[inline(always)] wins out to maintain compatibility.

Special functions

The #[target_feature] attribute is forbidden from a variety of special functions, such as main, current and future lang items (e.g. #[start], #[panic_handler]), and default trait implementations.

Documentation


cc tracking issue #69098
cc @workingjubilee
r? @rust-lang/lang

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Sep 24, 2023
@eduardosm
Copy link
Contributor

#116078 has been merged and added a test with #![feature(target_feature_11)], so you'll have to rebase and remove the feature line.

@calebzulawski
Copy link
Member Author

Thanks for the heads up!

I realized the stdarch submodule uses the feature as well. I'm not quite sure how to work around that. (cc @Amanieu)

@Amanieu
Copy link
Member

Amanieu commented Sep 29, 2023

I don't think any workaround is needed? stdarch doesn't specify its own features since it is directly included in libcore.

@RalfJung
Copy link
Member

RalfJung commented Oct 9, 2023

Do we make the issue around target features affecting ABI any worse with this? If I understand the RFC correctly, then this allows safe code to do something like

extern "C" fn no_target_feature(x: __m256) {}

#[target_feature(enable = "avx")]
extern "C" fn with_target_feature(x: __m256) {
  no_target_feature(x);
}

Calling with_target_feature will cause UB since no_target_feature is called in an ABI-incompatible way (the caller passes __m256 in an AVX register but the callee doesn't support AVX). Now there's not even any unsafe around to potentially catch this. That seems bad?

(See #116558 for the ABI issue itself.)

@bjorn3
Copy link
Member

bjorn3 commented Oct 9, 2023

One potential fix for that would be to deny using this feature for non-extern "Rust" functions.

@est31
Copy link
Member

est31 commented Oct 9, 2023

@RalfJung is it indeed UB or is the caller aware of those target features?

In general when there is call of a function with ABI X (and I consider target features to be part of the ABI), then no matter what the ABI of the surrounding context is, the way X gets invoked should always be through that X ABI. That's a should and not a does because I don't know if it's actually implemented that way.

@RalfJung
Copy link
Member

RalfJung commented Oct 9, 2023

That's not how it works, and that's not how it could possibly work since no_target_feature might be invoked through a function pointer. The function type doesn't capture which target features are enabled (and most target features aren't even relevant).

So right now unfortunately the target features of the caller are used to compute the ABI. It's terrible but it's what we got. Also see #116558.

@est31
Copy link
Member

est31 commented Oct 9, 2023

not how it could possibly work since no_target_feature might be invoked through a function pointer.

Right now on stable we require target_feature function pointers to be coerced to unsafe function pointers, and also to be unsafe themselves. This gives us a lot of design ability for the "safe" counterpart. We can for example require for safe function pointers that they have the entire target feature list attached to them, regardless of the caller context.

most target features aren't even relevant

IMO one can refine this later on to allow some fn pointer conversions safely while banning others. But it's generally in the domain of the "safe transmute" project.

right now unfortunately the target features of the caller are used to compute the ABI. It's terrible but it's what we got.

Yeah then the current target_feature 1.1 implementation is not sound and, I would think this is a clear case for a stabilization blocker.

@RalfJung
Copy link
Member

RalfJung commented Oct 9, 2023

Right now on stable we require target_feature function pointers to be coerced to unsafe function pointers, and also to be unsafe themselves. This gives us a lot of design ability for the "safe" counterpart. We can for example require for safe function pointers that they have the entire target feature list attached to them, regardless of the caller context.

I think I'd rather fix the ABI to not depend on target features, than equiv function pointers with target feature information. But anyway that's a discussion for #116558.

Note that this doesn't just affect #[target_feature], it also affects linking together crates that were compiled with different -C flags. I don't think we officially support that, but we also don't officially not support it, and in fact the distributed sysroot relies on it to work to some extent.

@workingjubilee
Copy link
Member

Do we make the issue around target features affecting ABI any worse with this? If I understand the RFC correctly, then this allows safe code to do something like

I had been wondering about that, which is why I didn't immediately push for stabilizing this again. I don't believe anyone really knows since our ABI code is a mess.

@calebzulawski
Copy link
Member Author

I support limiting it to extern "Rust". I think that actually improves the ABI situation. Right now, since unsafe is always required, these edge case invariants are easy to miss. If you can use a safe function (limited to the Rust ABI) you know you are using a "blessed" ABI; if you are required to use unsafe you know there are hidden invariants you need to watch out for.

@tmandry
Copy link
Member

tmandry commented Oct 10, 2023

I'll restate here what I said in #116558 (comment): #[target_feature] should not affect the ABI of a function. That's especially important to make escaping closures coercible to function pointers; I don't think such a feature could ever be sound otherwise.

If we want to take advantage of #[target_feature] for ABI, it must be encoded in the types of function pointers somehow, e.g. extern "Rust+avx".

@RalfJung
Copy link
Member

@calebzulawski

I support limiting it to extern "Rust".

Note that the reproducer for #116558 only uses #[target_feature] on extern "Rust" functions. So that's not enough. The issue comes about when a #[target_feature] function calls (or is called by) a function with a different set of target features.

@est31
Copy link
Member

est31 commented Oct 10, 2023

@tmandry

I'll restate here what I said in #116558 (comment): #[target_feature] should not affect the ABI of a function.

You said this in the linked comment

I don't think #[target_feature] should ever affect the ABI of function pointers called from within them

to me that sounds like the opposite of what you were saying. Which one do you mean?

@calebzulawski
Copy link
Member Author

calebzulawski commented Oct 10, 2023

@calebzulawski

I support limiting it to extern "Rust".

Note that the reproducer for #116558 only uses #[target_feature] on extern "Rust" functions. So that's not enough. The issue comes about when a #[target_feature] function calls (or is called by) a function with a different set of target features.

I see, you're right. So it sounds to me like this is less of a TF 1.1 problem, and more like it is impossible to use even existing #[target_feature] beyond extern "Rust". I guess there is no action to be taken for TF1.1 specifically?

@RalfJung
Copy link
Member

The issue isn't with TF1.1, but I feel like allowing more things in safe code here would be a mistake given the pitfalls we currently have.

@bors
Copy link
Contributor

bors commented Oct 16, 2023

☔ The latest upstream changes (presumably #116550) made this pull request unmergeable. Please resolve the merge conflicts.

@tmandry
Copy link
Member

tmandry commented Oct 17, 2023

to me that sounds like the opposite of what you were saying. Which one do you mean?

Both :). Those are different statements but I don't think they are opposites.

@RalfJung
Copy link
Member

rust-lang/lang-team#235 suggests a design to resolve the ABI issues, which would then hopefully unblock target-feature 1.1.

@Dylan-DPC Dylan-DPC added S-blocked Status: Marked as blocked ❌ on something else such as an RFC or other implementation work. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Nov 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
S-blocked Status: Marked as blocked ❌ on something else such as an RFC or other implementation work. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-libs Relevant to the library team, which will review and decide on the PR/issue.
Projects
None yet
Development

Successfully merging this pull request may close these issues.