Fix FFI-unwind unsoundness with mixed panic mode

[nbdd0121]

UB maybe introduced when an FFI exception happens in a C-unwind foreign function and it propagates through a crate compiled with -C panic=unwind into a crate compiled with -C panic=abort (#96926).

To prevent this unsoundness from happening, we will disallow a crate compiled with -C panic=unwind to be linked into panic-abort if it contains a call to C-unwind foreign function or function pointer. If no such call exists, then we continue to allow such mixed panic mode linking because it's sound (and stable). In fact we still need the ability to do mixed panic mode linking for std, because we only compile std once with -C panic=unwind and link it regardless panic strategy.

For libraries that wish to remain compile-once-and-linkable-to-both-panic-runtimes, a ffi_unwind_calls lint is added (gated under c_unwind feature gate) to flag any FFI unwind calls that will cause the linkable panic runtime be restricted.

In summary:

#![warn(ffi_unwind_calls)]

mod foo {
    #[no_mangle]
    pub extern "C-unwind" fn foo() {}
}

extern "C-unwind" {
    fn foo();
}

fn main() {
    // Call to Rust function is fine regardless ABI.
    foo::foo();
    // Call to foreign function, will cause the crate to be unlinkable to panic-abort if compiled with `-Cpanic=unwind`.
    unsafe { foo(); }
    //~^ WARNING call to foreign function with FFI-unwind ABI
    let ptr: extern "C-unwind" fn() = foo::foo;
    // Call to function pointer, will cause the crate to be unlinkable to panic-abort if compiled with `-Cpanic=unwind`.
    ptr();
    //~^ WARNING call to function pointer with FFI-unwind ABI
}

Fix #96926

@rustbot label: T-compiler F-c_unwind

[rust-highfive]

Hey! It looks like you've submitted a new PR for the library teams!

If this PR contains changes to any rust-lang/rust public library APIs then please comment with r? rust-lang/libs-api @rustbot label +T-libs-api -T-libs to request review from a libs-api team reviewer. If you're unsure where your change falls no worries, just leave it as is and the reviewer will take a look and make a decision to forward on if necessary.

Examples of T-libs-api changes:

• Stabilizing library features
• Introducing insta-stable changes such as new implementations of existing stable traits on existing stable types
• Introducing new or changing existing unstable library APIs (excluding permanently unstable features / features without a tracking issue)
• Changing public documentation in ways that create new stability guarantees
• Changing observable runtime behavior of library APIs

[rust-highfive]

r? @compiler-errors

(rust-highfive has picked a reviewer for you, use r? to override)

[BatmanAoD]

What would cause this to be None?

[nbdd0121]

If the crate is compiled with -C panic=unwind and contains no FFI unwind calls. I.e. it does not require a particular panic runtime to be linked.

[BatmanAoD]

Got it, thanks!

[RalfJung]

That seems a bit odd? The panic strategy still makes a difference for other things, doesn't it?

[Amanieu]

This field should definitely be renamed (perhaps requires_panic_runtime?), it is very confusing at the moment since "panic strategy" refers to how the current crate was compiled.

[bjorn3]

#![no_std] code doesn't require a panic runtime, but could still require a particular panic strategy for any dependent crates. For example a -Cpanic=abort no std crate requires all dependent crates to be compiled with -Cpanic=abort too, even though using #[panic_handler] rather than linking a panic runtime would work.

[nbdd0121]

This field and related query (panic_strategy(_: CrateNum)) is only used for checking compatibility. I could rename this to required_panic_strategy.

[compiler-errors]

not sure if i'm the best person to review this

r? rust-lang/compiler

[bors]

☔ The latest upstream changes (presumably #97239) made this pull request unmergeable. Please resolve the merge conflicts.

[RalfJung]

// Call to Rust function is fine regardless ABI.

Why is that okay?
I first thought the check would be "reject if there are any calls with C-unwind ABI", but clearly what actually happens is a bit more subtle, so I want to make sure we document precisely why this is okay. :)

(And that documentation should be somewhere more permanent that this PR, such as in the code and maybe even ameded to the RFC or added to the reference or so.)

[RalfJung]

This is a key part of the PR, right? That's where previously we skipped a check that we do not skip any more now.

[nbdd0121]

Sorts of. Previously any crate can be linked to panic-abort; this line only has to be removed because the required panic strategy becomes three-value. You can think of the all previous PanicStrategy::Unwind maps to None in this PR.

[RalfJung]

Why is that okay?

Trying to answer my own question... Is it correct that this PR ensures the following property?

If anywhere in the crate graph is a panic=abort crate, then all call sites where foreign exceptions could enter the Rust part of the program are in a panic=abort crate, and hence will lead to immediate abort.
These call sites are C-unwind call sites to FFI functions or function pointers -- a call site calling a Rust function cannot be where anything enters Rust.

There will also be no exceptions generated from Rust itself, and hence it is correct that a "Rust" ABI function can never unwind.

[RalfJung]

Don't core and alloc need the same?

[nbdd0121]

I actually want to make it a default for compiling std and all its dependencies -- but not sure how.

[Mark-Simulacrum]

@nbdd0121 was this followed up on? In the future, please feel free to reach out to #t-infra on Zulip for questions like this, we can help with the instrumentation necessary. In this case you'd likely add to the deny'd lints in bootstrap, around here, with a gate on Mode::Std.

[nbdd0121]

I created a thread in t-libs. The lint should be denied for std and its dependencies but not denied for panic runtimes, and it seems that this isn't quite achievement at the moment.

[RalfJung]

Cc @Amanieu

[Amanieu]

This seems to be called twice: here and in mir_const. Is this intentional?

[nbdd0121]

Yes. This query uses mir_built, which will be stolen later. So I followed the same pattern as check_unsafety (which also uses mir_built, by making sure it's evaluated before a query that could steal it.

[RalfJung]

This is a change in behavior; is_fn_like returns false for a Ctor.

[nbdd0121]

It's fine; ctor won't call other functions.

[Dylan-DPC]

failed in rollup

@bors r-

[RalfJung]

@bors rollup=never

[nbdd0121]

Currently the lint only fires when -C panic=unwind is used -- if -C panic=abort is used then the lint does not fire.

It's possible to have ffi_unwind_calls lint to fire regardless current panic statregy -- but doing so would require me to change fn_can_unwind from returning bool to returning a tristate (CanUnwind, NoUnwind, FollowPanicStrategy). If that behaviour is desirable I can do it in a follow up PR.

[Amanieu]

@bors r+

[bors]

📌 Commit 0cf28dc has been approved by Amanieu

[bors]

⌛ Testing commit 0cf28dc with merge 6a10920...

[bors]

☀️ Test successful - checks-actions
Approved by: Amanieu
Pushing 6a10920 to master...

[rust-timer]

Finished benchmarking commit (6a10920): comparison url.

Instruction count

• Primary benchmarks: 😿 relevant regressions found
• Secondary benchmarks: 😿 relevant regressions found

	mean1	max	count2
Regressions 😿 (primary)	0.5%	1.2%	86
Regressions 😿 (secondary)	0.9%	2.5%	36
Improvements 🎉 (primary)	N/A	N/A	0
Improvements 🎉 (secondary)	N/A	N/A	0
All 😿🎉 (primary)	0.5%	1.2%	86

Max RSS (memory usage)

Results

• Primary benchmarks: mixed results
• Secondary benchmarks: 😿 relevant regressions found

	mean1	max	count2
Regressions 😿 (primary)	2.9%	4.6%	4
Regressions 😿 (secondary)	5.8%	10.2%	8
Improvements 🎉 (primary)	-1.6%	-1.7%	3
Improvements 🎉 (secondary)	N/A	N/A	0
All 😿🎉 (primary)	1.0%	4.6%	7

Cycles

Results

• Primary benchmarks: 😿 relevant regressions found
• Secondary benchmarks: mixed results

	mean1	max	count2
Regressions 😿 (primary)	2.9%	3.5%	4
Regressions 😿 (secondary)	4.8%	5.7%	4
Improvements 🎉 (primary)	N/A	N/A	0
Improvements 🎉 (secondary)	-2.4%	-2.4%	1
All 😿🎉 (primary)	2.9%	3.5%	4

If you disagree with this performance assessment, please file an issue in rust-lang/rustc-perf.

Next Steps: If you can justify the regressions found in this perf run, please indicate this with @rustbot label: +perf-regression-triaged along with sufficient written justification. If you cannot justify the regressions please open an issue or create a new PR that fixes the regressions, add a comment linking to the newly created issue or PR, and then add the perf-regression-triaged label to this PR.

@rustbot label: +perf-regression

Footnotes

1. the arithmetic mean of the percent change ↩ ↩² ↩³

2. number of relevant changes ↩ ↩² ↩³

[Mark-Simulacrum]

@nbdd0121 @Amanieu was a perf regression expected here? Do you have ideas on what caused it? It seems to me that it's pretty consistently a small regression across multiple benchmarks, so I suspect it's worth following up on to try and see if we can eliminate it or at least understand the cause.

[nbdd0121]

There is a new query to be executed (and cached) for each MIR function body, so the regression is not unexpected.