-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
target_feature_11 allows bypassing safety checks through Fn* traits #72012
Comments
Proposed resolution: #69098 (comment).
|
Or perhaps the RFC should be revised to still require writing That would be even less magic, which is good, IMO. |
Good catch. Another option is that referencing, not calling, a target-feature function is unsafe, but I guess that is a bit inconsistent given that this already compiles (playground): #[target_feature(enable="avx")]
unsafe fn use_avx() {
println!("Hello from AVX")
}
fn call_it(f: impl FnOnce()) {
f();
}
fn main() {
let x = use_avx;
} In other words, accessing a safe target feature 1.1 function would be unsafe (unless the target feature is in scope), not just calling it. I think that this is what I would expect somehow, but I would expect it to apply uniformly to both safe and unsafe target feature functions (and that's not an option).
The downside of this approach is that we don't know why the function was declared unsafe, not really -- was it only because of the target feature? Or were there additional requirements that would have made it unsafe? |
For example, a whole bunch of |
Ah, right, that's a good argument. |
I'm new to the compiler, but it seemed non-trivial to change |
So there are sort of two questions here. One of them is what user-visible behavior is permitted, and the other is how precisely that is implemented in the compiler. I think the latter only concerns the @rust-lang/lang team in-so-far as it represents the impact on the language spec and on the "mental model" that users must keep in mind. Nominating for the lang-team meeting to discuss @calebzulawski's solution, which is simply to make "target-feature" functions not implement the |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
We discussed this in the @rust-lang/lang meeting today. The conclusion was that the fix that @calebzulawski proposed is good for right now. It's already the case that many We uncovered a few other interesting observations: @joshtriplett pointed out that their ideal preference would be to have something like " Another possibility might be " To that end, I was thinking that you could model this last point using closures, but I found that it doesn't work. In particular, We did discuss briefly whether target features should be part of the type of function pointers but I think the conclusion was 'well maybe but there is already stable code out there that lets you coerce, and it seems rather niche'. We also discussed whether we should permit one to annotate closures with target-feature annotations. In any case, those are things we can address separately from this issue, but the point is that adopting more accepting solutions can be done in the future. |
I'm going to move the question of whether closures should "inherit" target features to the main tracking issue -- I'm not sure if that is something that was discussed as part of the original RFC discussion? |
Opened #73631 to discuss closures. |
…trait-soundness, r=nikomatsakis Don't implement Fn* traits for #[target_feature] functions Closes rust-lang#72012.
…trait-soundness, r=nikomatsakis Don't implement Fn* traits for #[target_feature] functions Closes rust-lang#72012.
…trait-soundness, r=nikomatsakis Don't implement Fn* traits for #[target_feature] functions Closes rust-lang#72012.
…trait-soundness, r=nikomatsakis Don't implement Fn* traits for #[target_feature] functions Closes rust-lang#72012.
(Moved from #69098 (comment) with an added PoC.)
The following program (playground) demonstrates how current implementation of
target_feature_11
allows using a target_feature from safe code without ensuring it's actually available:This is unsound because it allows executing (e.g.) AVX instructions on CPUs that do not implement them, which is UB. It only works because "safe fns with target_features" are erroneously considered to implement the FnOnce/FnMut/Fn traits.
The text was updated successfully, but these errors were encountered: