Commit Graph

302 Commits

Author SHA1 Message Date
Benjamin A. Bjørnseth
bb9dee95ed add rustc option for using LLVM stack smash protection
LLVM has built-in heuristics for adding stack canaries to functions. These
heuristics can be selected with LLVM function attributes. This patch adds a
rustc option `-Z stack-protector={none,basic,strong,all}` which controls the use
of these attributes. This gives rustc the same stack smash protection support as
clang offers through options `-fno-stack-protector`, `-fstack-protector`,
`-fstack-protector-strong`, and `-fstack-protector-all`. The protection this can
offer is demonstrated in test/ui/abi/stack-protector.rs. This fills a gap in the
current list of rustc exploit
mitigations (https://doc.rust-lang.org/rustc/exploit-mitigations.html),
originally discussed in #15179.

Stack smash protection adds runtime overhead and is therefore still off by
default, but now users have the option to trade performance for security as they
see fit. An example use case is adding Rust code in an existing C/C++ code base
compiled with stack smash protection. Without the ability to add stack smash
protection to the Rust code, the code base artifacts could be exploitable in
ways not possible if the code base remained pure C/C++.

Stack smash protection support is present in LLVM for almost all the current
tier 1/tier 2 targets: see
test/assembly/stack-protector/stack-protector-target-support.rs. The one
exception is nvptx64-nvidia-cuda. This patch follows clang's example, and adds a
warning message printed if stack smash protection is used with this target (see
test/ui/stack-protector/warn-stack-protector-unsupported.rs). Support for tier 3
targets has not been checked.

Since the heuristics are applied at the LLVM level, the heuristics are expected
to add stack smash protection to a fraction of functions comparable to C/C++.
Some experiments demonstrating how Rust code is affected by the different
heuristics can be found in
test/assembly/stack-protector/stack-protector-heuristics-effect.rs. There is
potential for better heuristics using Rust-specific safety information. For
example it might be reasonable to skip stack smash protection in functions which
transitively only use safe Rust code, or which uses only a subset of functions
the user declares safe (such as anything under `std.*`). Such alternative
heuristics could be added at a later point.

LLVM also offers a "safestack" sanitizer as an alternative way to guard against
stack smashing (see #26612). This could possibly also be included as a
stack-protection heuristic. An alternative is to add it as a sanitizer (#39699).
This is what clang does: safestack is exposed with option
`-fsanitize=safe-stack`.

The options are only supported by the LLVM backend, but as with other codegen
options it is visible in the main codegen option help menu. The heuristic names
"basic", "strong", and "all" are hopefully sufficiently generic to be usable in
other backends as well.

Reviewed-by: Nikita Popov <nikic@php.net>

Extra commits during review:

- [address-review] make the stack-protector option unstable

- [address-review] reduce detail level of stack-protector option help text

- [address-review] correct grammar in comment

- [address-review] use compiler flag to avoid merging functions in test

- [address-review] specify min LLVM version in fortanix stack-protector test

  Only for Fortanix test, since this target specifically requests the
  `--x86-experimental-lvi-inline-asm-hardening` flag.

- [address-review] specify required LLVM components in stack-protector tests

- move stack protector option enum closer to other similar option enums

- rustc_interface/tests: sort debug option list in tracking hash test

- add an explicit `none` stack-protector option

Revert "set LLVM requirements for all stack protector support test revisions"

This reverts commit a49b74f92a4e7d701d6f6cf63d207a8aff2e0f68.
2021-11-22 20:06:22 +01:00
bors
ce3f3a5ffa Auto merge of #90329 - nbdd0121:typeck, r=nagisa
Try all stable method candidates first before trying unstable ones

Currently we try methods in this order in each step:
* Stable by value
* Unstable by value
* Stable autoref
* Unstable autoref
* ...

This PR changes it to first try pick methods without any unstable candidates, and if none is found, try again to pick unstable ones.

Fix #90320
CC #88971, hopefully would allow us to rename the "unstable_*" methods for integer impls back.

`@rustbot` label T-compiler T-libs-api
2021-11-19 03:00:46 +00:00
Yuki Okushi
728b3f2356
Rollup merge of #90386 - pierwill:assert-incr-state-85864, r=Aaron1011
Add `-Zassert-incr-state` to assert state of incremental cache

Closes #85864.
2021-11-19 02:22:54 +09:00
Josh Triplett
e35b7bbdf8 Stabilize -Z strip as -C strip
Leave -Z strip available temporarily as an alias, to avoid breaking
cargo until cargo transitions to using -C strip. (If the user passes
both, the -C version wins.)
2021-11-15 10:21:02 +01:00
Gary Guo
6a207f23eb Try all stable candidates first before trying unstable ones 2021-11-15 02:14:54 +00:00
pierwill
1642fdfea0 Add -Zassert-incr-state to assert state of incremental cache 2021-11-12 13:41:46 -06:00
bors
9dbbbb12c0 Auto merge of #83846 - torhovland:issue-10971, r=davidtwco
Added the --temps-dir option

Fixes #10971.

The new `--temps-dir` option puts intermediate files in a user-specified directory. This provides a fix for the issue where parallel invocations of rustc would overwrite each other's intermediate files.

No files are kept in the intermediate directory unless `-C save-temps=yes`.

If additional files are specifically requested using `--emit asm,llvm-bc,llvm-ir,obj,metadata,link,dep-info,mir`, these will be put in the output directory rather than the intermediate directory.

This is a backward-compatible change, i.e. if `--temps-dir` is not specified, the behavior is the same as before.
2021-11-11 02:52:32 +00:00
bors
46b8e7488e Auto merge of #90668 - matthiaskrgr:clippy_nov7, r=jyn514
more clippy fixes
2021-11-07 20:04:54 +00:00
Matthias Krüger
5c454551da more clippy fixes 2021-11-07 16:59:05 +01:00
Vadim Petrochenkov
2834f57c45 ast: Fix naming conventions in AST structures
TraitKind -> Trait
TyAliasKind -> TyAlias
ImplKind -> Impl
FnKind -> Fn

All `*Kind`s in AST are supposed to be enums.

Tuple structs are converted to braced structs for the types above, and fields are reordered in syntactic order.

Also, mutable AST visitor now correctly visit spans in defaultness, unsafety, impl polarity and constness.
2021-11-07 21:38:17 +08:00
Tor Hovland
ede76c40d1 Made temps-dir an unstable option. 2021-11-07 09:32:05 +01:00
Tor Hovland
bde794dada Create temps_dir before it's needed. 2021-11-02 22:43:48 +01:00
Tor Hovland
5d1e09f44a Added the --temps-dir option. 2021-11-02 22:41:34 +01:00
Mark Rousskov
3215eeb99f
Revert "Add rustc lint, warning when iterating over hashmaps" 2021-10-28 11:01:42 -04:00
bors
17e13b549f Auto merge of #85830 - bjorn3:separate_provide_extern, r=cjgillot
Avoid a branch on key being local for queries that use the same local and extern providers

Currently based on https://github.com/rust-lang/rust/pull/85810 as it slightly conflicts with it. Only the last two commits are new.
2021-10-26 00:38:58 +00:00
Matthias Krüger
2f67647606
Rollup merge of #89581 - jblazquez:master, r=Mark-Simulacrum
Add -Z no-unique-section-names to reduce ELF header bloat.

This change adds a new compiler flag that can help reduce the size of ELF binaries that contain many functions.

By default, when enabling function sections (which is the default for most targets), the LLVM backend will generate different section names for each function. For example, a function `func` would generate a section called `.text.func`. Normally this is fine because the linker will merge all those sections into a single one in the binary. However, starting with [LLVM 12](https://github.com/llvm/llvm-project/commit/ee5d1a04), the backend will also generate unique section names for exception handling, resulting in thousands of `.gcc_except_table.*` sections ending up in the final binary because some linkers like LLD don't currently merge or strip these EH sections (see discussion [here](https://reviews.llvm.org/D83655)). This can bloat the ELF headers and string table significantly in binaries that contain many functions.

The new option is analogous to Clang's `-fno-unique-section-names`, and instructs LLVM to generate the same `.text` and `.gcc_except_table` section for each function, resulting in a smaller final binary.

The motivation to add this new option was because we have a binary that ended up with so many ELF sections (over 65,000) that it broke some existing ELF tools, which couldn't handle so many sections.

Here's our old binary:

```
$ readelf --sections old.elf | head -1
There are 71746 section headers, starting at offset 0x2a246508:

$ readelf --sections old.elf | grep shstrtab
  [71742] .shstrtab      STRTAB          0000000000000000 2977204c ad44bb 00      0   0  1
```

That's an 11MB+ string table. Here's the new binary using this option:

```
$ readelf --sections new.elf | head -1
There are 43 section headers, starting at offset 0x29143ca8:

$ readelf --sections new.elf | grep shstrtab
  [40] .shstrtab         STRTAB          0000000000000000 29143acc 0001db 00      0   0  1
```

The whole binary size went down by over 20MB, which is quite significant.
2021-10-25 22:59:46 +02:00
bjorn3
f5c3e83013 Avoid a branch on key being local for queries that use the same local and extern providers 2021-10-25 13:36:23 +02:00
Matthias Krüger
87822b27ee
Rollup merge of #89558 - lcnr:query-stable-lint, r=estebank
Add rustc lint, warning when iterating over hashmaps

r? rust-lang/wg-incr-comp
2021-10-24 15:48:42 +02:00
Matthias Krüger
8fb194c86f
Rollup merge of #89920 - hudson-ayers:location-detail-control, r=davidtwco
Implement -Z location-detail flag

This PR implements the `-Z location-detail` flag as described in https://github.com/rust-lang/rfcs/pull/2091 .

`-Z location-detail=val` controls what location details are tracked when using `caller_location`. This allows users to control what location details are printed as part of panic messages, by allowing them to exclude any combination of filenames, line numbers, and column numbers. This option is intended to provide users with a way to mitigate the size impact of `#[track_caller]`.

Some measurements of the savings of this approach on an embedded binary can be found here: https://github.com/rust-lang/rust/issues/70579#issuecomment-942556822 .

Closes #70580 (unless people want to leave that open as a place for discussion of further improvements).

This is my first real PR to rust, so any help correcting mistakes / understanding side effects / improving my tests is appreciated :)

I have one question: RFC 2091 specified this as a debugging option (I think that is what -Z implies?). Does that mean this can never be stabilized without a separate MCP? If so, do I need to submit an MCP now, or is the initial RFC specifying this option sufficient for this to be merged as is, and then an MCP would be needed for eventual stabilization?
2021-10-23 05:28:23 +02:00
Matthias Krüger
0f81c7faf5
Rollup merge of #89468 - FabianWolff:issue-89358, r=jackh726
Report fatal lexer errors in `--cfg` command line arguments

Fixes #89358. The erroneous behavior was apparently introduced by `@Mark-Simulacrum` in a678e31911; the idea is to silence individual parser errors and instead emit one catch-all error message after parsing. However, for the example in #89358, a fatal lexer error is created here:
edebf77e00/compiler/rustc_parse/src/lexer/mod.rs (L340-L349)

This fatal error aborts the compilation, and so the call to `new_parser_from_source_str()` never returns and the catch-all error message is never emitted. I have therefore changed the `SilentEmitter` to silence only non-fatal errors; with my changes, for the rustc invocation described in #89358:
```sh
rustc --cfg "abc\""
```
I get the following output:
```
error[E0765]: unterminated double quote string
  |
  = note: this error occurred on the command line: `--cfg=abc"`
```
2021-10-23 05:28:22 +02:00
Hudson Ayers
b802629311 add tests for -Zlocation-detail 2021-10-21 10:44:22 -07:00
Camille GILLOT
bd5c107672 Build jump table at runtime. 2021-10-20 18:32:29 +02:00
Camille GILLOT
b09de95fab Merge two query callbacks arrays. 2021-10-20 18:29:27 +02:00
lcnr
00e5abe9b6 allow potential_query_instability everywhere 2021-10-15 10:58:18 +02:00
Javier Blazquez
4ed846ad4d Add -Z no-unique-section-names to reduce ELF header bloat.
This change adds a new compiler flag that can help reduce the size of
ELF binaries that contain many functions.

By default, when enabling function sections (which is the default for most
targets), the LLVM backend will generate different section names for each
function. For example, a function "func" would generate a section called
".text.func". Normally this is fine because the linker will merge all those
sections into a single one in the binary. However, starting with LLVM 12
(llvm/llvm-project@ee5d1a0), the backend will
also generate unique section names for exception handling, resulting in
thousands of ".gcc_except_table.*" sections ending up in the final binary
because some linkers don't currently merge or strip these EH sections.
This can bloat the ELF headers and string table significantly in
binaries that contain many functions.

The new option is analogous to Clang's -fno-unique-section-names, and
instructs LLVM to generate the same ".text" and ".gcc_except_table"
section for each function, resulting in smaller object files and
potentially a smaller final binary.
2021-10-11 12:09:32 -07:00
Michael Benfield
a17193dbb9 Enable AutoFDO.
This largely involves implementing the options debug-info-for-profiling
and profile-sample-use and forwarding them on to LLVM.

AutoFDO can be used on x86-64 Linux like this:
rustc -O -Cdebug-info-for-profiling main.rs -o main
perf record -b ./main
create_llvm_prof --binary=main --out=code.prof
rustc -O -Cprofile-sample-use=code.prof main.rs -o main2

Now `main2` will have feedback directed optimization applied to it.

The create_llvm_prof tool can be obtained from this github repository:
https://github.com/google/autofdo

Fixes #64892.
2021-10-06 19:36:52 +00:00
bors
55111d656f Auto merge of #89266 - cjgillot:session-ich, r=michaelwoerister
Move ICH to rustc_query_system

Based on https://github.com/rust-lang/rust/pull/89183

The StableHashingContext does not need to be in rustc_middle.

This PR moves it to rustc_query_system. This will avoid a dependency between rustc_ast_lowering and rustc_middle in https://github.com/rust-lang/rust/pull/89124.
2021-10-05 09:45:11 +00:00
Fabian Wolff
a28a78f247 Fix ICE with buffered lint referring to AST node deleted by everybody_loops 2021-10-03 21:04:36 +02:00
Camille GILLOT
8961616e60 Move rustc_middle::middle::cstore to rustc_session. 2021-10-03 16:08:51 +02:00
Fabian Wolff
041212f8fb Report fatal lexer errors in --cfg command line arguments 2021-10-02 19:15:55 +02:00
bors
b27661eb33 Auto merge of #89405 - GuillaumeGomez:fix-clippy-lints, r=cjgillot
Fix clippy lints

I'm currently working on allowing clippy to run on librustdoc after a discussion I had with `@Mark-Simulacrum.` So in the meantime, I fixed a few lints on the compiler crates.
2021-10-02 10:52:09 +00:00
Guillaume Gomez
759eba0a08 Fix clippy lints 2021-10-01 23:17:19 +02:00
bors
c02371c442 Auto merge of #88880 - cjgillot:no-krate, r=oli-obk
Rework HIR API to make invocations of the hir_crate query harder.

`hir_crate` forces the recomputation of queries that depend on it.

This PR aims at avoiding useless invocations of `hir_crate` by making dependent code go through `tcx.hir()`.
2021-10-01 20:06:34 +00:00
Camille GILLOT
b244b98e7c Move EncodedMetadata to rustc_metadata. 2021-09-30 19:41:32 +02:00
Camille GILLOT
df54d3980b Move encode_metadata out of CrateStore. 2021-09-30 19:41:31 +02:00
Camille GILLOT
abc57f63ad Move body_owners to tcx.hir(). 2021-09-29 23:16:48 +02:00
Camille GILLOT
db9fea508a Avoid more invocations of hir_crate query. 2021-09-29 23:16:47 +02:00
Vadim Petrochenkov
a09fb901cb rustc_session: Remove lint store from Session 2021-09-28 11:56:15 +03:00
bors
98c8619502 Auto merge of #89214 - smoelius:register_tool, r=petrochenkov
Pass real crate-level attributes to `pre_expansion_lint`

The PR concerns the unstable feature `register_tool` (#66079).

The feature's implementation requires the attributes of the crate being compiled, so that when attributes like `allow(foo::bar)` are encountered, it can be verified that `register_tool(foo)` appears in the crate root.

However, the crate's attributes are not readily available during early lint passes. Specifically, on this line, `krate.attrs` appears to be the attributes of the current source file, not the attributes of the whole crate: bf642323d6/compiler/rustc_lint/src/context.rs (L815)

Consequently, "unknown tool" errors were being produced when `allow(foo::bar)` appeared in a submodule, even though `register_tool(foo)` appeared in the crate root.

EDITED: The proposed fix is to obtain the real crate-level attributes in `configure_and_expand` and pass them to `pre_expansion_lint`. (See `@petrochenkov's` [comment](https://github.com/rust-lang/rust/pull/89214#issuecomment-926927072) below.)

The original "prosed fix" text follows.

---

The proposed fix is to add an `error_on_unknown_tool` flag to `LintLevelsBuilder`. The flag controls whether "unknown tool" errors are emitted. The flag is set during late passes, but not earlier.

More specifically, this PR contains two commits:

* The first adds a `known-tool-in-submodule` UI test that does not currently pass.
* The second adds the `error_on_unknown_tool` flag. The new test passes with the addition of this flag.

This change has the added benefit of eliminating some errors that were duplicated in existing tests.

To the reviewer: please check that I implemented the UI test correctly.
2021-09-27 18:21:14 +00:00
Samuel Moelius
1e15bbe552 Pass real crate-level attributes to pre_expansion_lint 2021-09-26 21:50:50 +00:00
Eric Huss
75f058dbfd Check for macros in built-in attributes that don't support them. 2021-09-25 09:03:15 -07:00
Mark Rousskov
0222556c07 Simplify scoped_thread
Avoids a bunch of manual pointer manipulation.
2021-09-23 12:56:59 -04:00
Mark Rousskov
c746be2219 Migrate to 2021 2021-09-20 22:21:42 -04:00
Mark Rousskov
45b989a033 Enable 2021 compatibility lints for all in-tree code
This just applies the suggested fixes from the compatibility warnings,
leaving any that are in practice spurious in. This is primarily intended to
provide a starting point to identify possible fixes to the migrations (e.g., by
avoiding spurious warnings).

A secondary commit cleans these up where they are false positives (as is true in
many of the cases).
2021-09-20 08:45:39 -04:00
bors
7b5f95270f Auto merge of #88703 - cjgillot:lazymod, r=petrochenkov
Gather module items after lowering.

This avoids having a non-local analysis inside lowering.

By implementing `hir_module_items` using a visitor, we make sure that iterations and visitors are consistent.
2021-09-19 16:13:42 +00:00
Manish Goregaokar
84646e9d67
Rollup merge of #87320 - danakj:debug-compilation-dir, r=michaelwoerister
Introduce -Z remap-cwd-prefix switch

This switch remaps any absolute paths rooted under the current
working directory to a new value. This includes remapping the
debug info in `DW_AT_comp_dir` and `DW_AT_decl_file`.

Importantly, this flag does not require passing the current working
directory to the compiler, such that the command line can be
run on any machine (with the same input files) and produce the
same results. This is critical property for debugging compiler
issues that crop up on remote machines.

This is based on adetaylor's dbc4ae7cba

Major Change Proposal: https://github.com/rust-lang/compiler-team/issues/450
Discussed on #38322. Would resolve issue #87325.
2021-09-15 14:56:56 -07:00
bors
51e514c0fb Auto merge of #88759 - Amanieu:panic_in_drop, r=nagisa,eddyb
Add -Z panic-in-drop={unwind,abort} command-line option

This PR changes `Drop` to abort if an unwinding panic attempts to escape it, making the process abort instead. This has several benefits:
- The current behavior when unwinding out of `Drop` is very unintuitive and easy to miss: unwinding continues, but the remaining drops in scope are simply leaked.
- A lot of unsafe code doesn't expect drops to unwind, which can lead to unsoundness:
  - https://github.com/servo/rust-smallvec/issues/14
  - https://github.com/bluss/arrayvec/issues/3
- There is a code size and compilation time cost to this: LLVM needs to generate extra landing pads out of all calls in a drop implementation. This can compound when functions are inlined since unwinding will then continue on to process drops in the callee, which can itself unwind, etc.
  - Initial measurements show a 3% size reduction and up to 10% compilation time reduction on some crates (`syn`).

One thing to note about `-Z panic-in-drop=abort` is that *all* crates must be built with this option for it to be sound since it makes the compiler assume that dropping `Box<dyn Any>` will never unwind.

cc https://github.com/rust-lang/lang-team/issues/97
2021-09-12 20:48:09 +00:00
Camille GILLOT
fa6f5adf73 Gather module items after lowering. 2021-09-12 16:33:16 +02:00
Camille GILLOT
fb5ced0fbd Add sanity check.
We force the relative span's parent to be absolute. This avoids having to
handle long dependency chains.
2021-09-10 20:18:26 +02:00
Camille GILLOT
b19ae20aad Track span dependency using a callback. 2021-09-10 20:18:18 +02:00