Stabilize target_feature_11

[calebzulawski]

Stabilization report

This is a redo of #99767. Most of this commit and report were copied from that PR. Thanks @LeSeulArtichaut!

Summary

Allows for safe functions to be marked with #[target_feature] attributes.

Functions marked with #[target_feature] are generally considered as unsafe functions: they are unsafe to call, cannot be assigned to safe function pointers, and don't implement the Fn* traits.

However, calling them from other #[target_feature] functions with a superset of features is safe.

// Demonstration function
#[target_feature(enable = "avx2")]
fn avx2() {}

fn foo() {
    // Calling `avx2` here is unsafe, as we must ensure
    // that AVX is available first.
    unsafe {
        avx2();
    }
}

#[target_feature(enable = "avx2")]
fn bar() {
    // Calling `avx2` here is safe.
    avx2();
}

Test cases

Tests for this feature can be found in src/test/ui/rfcs/rfc-2396-target_feature-11/.

Edge cases

Closures

• target-feature 1.1: should closures inherit target-feature annotations? #73631

Closures defined inside functions marked with #[target_feature] inherit the target features of their parent function. They can still be assigned to safe function pointers and implement the appropriate Fn* traits.

#[target_feature(enable = "avx2")]
fn qux() {
    let my_closure = || avx2(); // this call to `avx2` is safe
    let f: fn() = my_closure;
}

This means that in order to call a function with #[target_feature], you must show that the target-feature is available while the function executes and for as long as whatever may escape from that function lives.

• Fix #[inline(always)] on closures with target feature 1.1 #111836

Closures accept #[inline(always)], even within functions marked with #[target_feature]. Since these attributes conflict, #[inline(always)] wins out to maintain compatibility.

Special functions

• #[target_feature] is allowed on main #108645
• #[target_feature] is allowed on default implementations #108646
• #[target_feature] is allowed on #[panic_handler] with target_feature 1.1 #109411
• Prevent using #[target_feature] on lang item functions #115910

The #[target_feature] attribute is forbidden from a variety of special functions, such as main, current and future lang items (e.g. #[start], #[panic_handler]), and default trait implementations.

Documentation

• Reference: Document the target_feature_11 feature reference#1181

---

cc tracking issue #69098
cc @workingjubilee
r? @rust-lang/lang

[eduardosm]

#116078 has been merged and added a test with #![feature(target_feature_11)], so you'll have to rebase and remove the feature line.

[calebzulawski]

Thanks for the heads up!

I realized the stdarch submodule uses the feature as well. I'm not quite sure how to work around that. (cc @Amanieu)

[Amanieu]

I don't think any workaround is needed? stdarch doesn't specify its own features since it is directly included in libcore.

[RalfJung]

Do we make the issue around target features affecting ABI any worse with this? If I understand the RFC correctly, then this allows safe code to do something like

extern "C" fn no_target_feature(x: __m256) {}

#[target_feature(enable = "avx")]
extern "C" fn with_target_feature(x: __m256) {
  no_target_feature(x);
}

Calling with_target_feature will cause UB since no_target_feature is called in an ABI-incompatible way (the caller passes __m256 in an AVX register but the callee doesn't support AVX). Now there's not even any unsafe around to potentially catch this. That seems bad?

(See #116558 for the ABI issue itself.)

[bjorn3]

One potential fix for that would be to deny using this feature for non-extern "Rust" functions.

[est31]

@RalfJung is it indeed UB or is the caller aware of those target features?

In general when there is call of a function with ABI X (and I consider target features to be part of the ABI), then no matter what the ABI of the surrounding context is, the way X gets invoked should always be through that X ABI. That's a should and not a does because I don't know if it's actually implemented that way.

[RalfJung]

That's not how it works, and that's not how it could possibly work since no_target_feature might be invoked through a function pointer. The function type doesn't capture which target features are enabled (and most target features aren't even relevant).

So right now unfortunately the target features of the caller are used to compute the ABI. It's terrible but it's what we got. Also see #116558.

[est31]

not how it could possibly work since no_target_feature might be invoked through a function pointer.

Right now on stable we require target_feature function pointers to be coerced to unsafe function pointers, and also to be unsafe themselves. This gives us a lot of design ability for the "safe" counterpart. We can for example require for safe function pointers that they have the entire target feature list attached to them, regardless of the caller context.

most target features aren't even relevant

IMO one can refine this later on to allow some fn pointer conversions safely while banning others. But it's generally in the domain of the "safe transmute" project.

right now unfortunately the target features of the caller are used to compute the ABI. It's terrible but it's what we got.

Yeah then the current target_feature 1.1 implementation is not sound and, I would think this is a clear case for a stabilization blocker.

[RalfJung]

Right now on stable we require target_feature function pointers to be coerced to unsafe function pointers, and also to be unsafe themselves. This gives us a lot of design ability for the "safe" counterpart. We can for example require for safe function pointers that they have the entire target feature list attached to them, regardless of the caller context.

I think I'd rather fix the ABI to not depend on target features, than equiv function pointers with target feature information. But anyway that's a discussion for #116558.

Note that this doesn't just affect #[target_feature], it also affects linking together crates that were compiled with different -C flags. I don't think we officially support that, but we also don't officially not support it, and in fact the distributed sysroot relies on it to work to some extent.

[workingjubilee]

Do we make the issue around target features affecting ABI any worse with this? If I understand the RFC correctly, then this allows safe code to do something like

I had been wondering about that, which is why I didn't immediately push for stabilizing this again. I don't believe anyone really knows since our ABI code is a mess.

[calebzulawski]

I support limiting it to extern "Rust". I think that actually improves the ABI situation. Right now, since unsafe is always required, these edge case invariants are easy to miss. If you can use a safe function (limited to the Rust ABI) you know you are using a "blessed" ABI; if you are required to use unsafe you know there are hidden invariants you need to watch out for.

[tmandry]

I'll restate here what I said in #116558 (comment): #[target_feature] should not affect the ABI of a function. That's especially important to make escaping closures coercible to function pointers; I don't think such a feature could ever be sound otherwise.

If we want to take advantage of #[target_feature] for ABI, it must be encoded in the types of function pointers somehow, e.g. extern "Rust+avx".

[RalfJung]

@calebzulawski

I support limiting it to extern "Rust".

Note that the reproducer for #116558 only uses #[target_feature] on extern "Rust" functions. So that's not enough. The issue comes about when a #[target_feature] function calls (or is called by) a function with a different set of target features.

[est31]

@tmandry

I'll restate here what I said in #116558 (comment): #[target_feature] should not affect the ABI of a function.

You said this in the linked comment

I don't think #[target_feature] should ever affect the ABI of function pointers called from within them

to me that sounds like the opposite of what you were saying. Which one do you mean?

[calebzulawski]

@calebzulawski

I support limiting it to extern "Rust".

Note that the reproducer for #116558 only uses #[target_feature] on extern "Rust" functions. So that's not enough. The issue comes about when a #[target_feature] function calls (or is called by) a function with a different set of target features.

I see, you're right. So it sounds to me like this is less of a TF 1.1 problem, and more like it is impossible to use even existing #[target_feature] beyond extern "Rust". I guess there is no action to be taken for TF1.1 specifically?

[RalfJung]

The issue isn't with TF1.1, but I feel like allowing more things in safe code here would be a mistake given the pitfalls we currently have.

[bors]

☔ The latest upstream changes (presumably #116550) made this pull request unmergeable. Please resolve the merge conflicts.

[tmandry]

to me that sounds like the opposite of what you were saying. Which one do you mean?

Both :). Those are different statements but I don't think they are opposites.

[RalfJung]

rust-lang/lang-team#235 suggests a design to resolve the ABI issues, which would then hopefully unblock target-feature 1.1.