#[naked]: report incompatible attributes

[folkertdev]

tracking issue: #90957

this is a re-implementation of #93809 by @bstrie which was closed 2 years ago due to inactivity.

This PR takes some of the final comments into account, specifically providing a little more context in error messages, and using an allow list to determine which attributes are compatible with #[naked].

Notable attributes that are incompatible with #[naked] are:

• #[inline]
• #[track_caller]
• #[target_feature] (this is now allowed, see PR discussion)
• #[test], #[ignore], #[should_panic]

These attributes just directly conflict with what #[naked] should do.

Naked functions are still important for systems programming, embedded, and operating systems, so I'd like to move them forward.

[rustbot]

r? @compiler-errors

rustbot has assigned @compiler-errors.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

[bjorn3]

#[target_feature] affects the set of instructions allowed inside inline assembly as well as the exact encoding of certain instructions.

[folkertdev]

yes, I'm going off of #90957 (comment) where @joshtriplett suggests to exclude #[target_feature] initially.

that was 2 years ago though so maybe that should be re-evaluated. Do you have concerns with allowing #[target_feature] now?

[Noratrieb]

I don't know what a reason for forbidding it would be, and why @joshtriplett thought it would be hard to get right

[folkertdev]

well a reason to be cautious is that I think to most (me included) it's not 100% clear what #[target_feature] could do. Are we absolutely sure that on no platform, present or future, a target feature would insert additional instructions that violate the assumptions of #[naked]?

[joshtriplett]

What I said at the time was that it might take some care to get right. If we take that care, and commit to avoiding any potential issues that might arise (e.g. locking down what a given target_feature means for a naked function and never inserting any instructions for it), then supporting the combination seems fine.

[folkertdev]

With the implementation strategy in #128004 I don't think there is any risk of #[target_feature] inserting instructions. The user's inline assembly block is hoisted to a top-level global asm block, and the function itself becomes effectively an extern fn.

So I've now added target_feature to the allow list in a separate commit that can be reverted if there are any concerns.

[compiler-errors]

r? bjorn3

[bjorn3]

@bors r+

[bors]

📌 Commit 45e943f has been approved by bjorn3

It is now in the queue for this repository.

[tgross35]

@bors r-

It looks like the changes here are breaking the compiler_builtins build #128248 (comment). It seems like link-related attributes (linkage here) shouldn't be incompatible?

[folkertdev]

right, that's a (perma-unstable, apparently) unstable attribute and only external linkage makes sense, but it makes sense to add to the allowlist I think. I'll add it

[folkertdev]

@rustbot ready

though are there other unstable attributes that may be missing from that list? is there a comprehensive list of such attributes?

[tgross35]

I don't know of any list specific for attributes unfortunately, just the huge list in compiler/rustc_span/src/symbol.rs. link_ordinal seems to make sense too, maybe worth double checking the other link_* symbols to see if they are applicable.

Does this correctly flag on #[cfg_attr(foo, invalid_attribute)] when foo is true? Could probably use a test if so. (Also probably a squash).

[folkertdev]

I'm pretty sure bors will fail when running aarch64 tests. The last commit fixes those issues. Not sure what should happen but because the bors thing is tied to a commit I think some action is needed

[tgross35]

Bors bumps you out of the queue when you push, just doesn't update the labels for some reason.

Your last change switched from att_syntax to raw, why wouldn't at&t syntax work on aarch64?

[folkertdev]

well, "the att_syntax option is only supported on x86" is an error that is given. I guess it is just the default on any non-x86 system, and you cannot be explicit about that. Now that you bring it up that does seem a little weird, but not something that this PR should change I think.

[tgross35]

Ah weird, yeah seems reasonable.

@bors r=bjorn3

[bors]

📌 Commit c7e688e has been approved by bjorn3

It is now in the queue for this repository.

[hsanzg]

I'm currently running into "error[E0736]: attribute incompatible with #[naked]" when compiling this function with rustc 1.82.0-nightly (612a33f 2024-07-29). The x86_64 module is under a target_arch cfg attribute, but this code used to work fine in 1.81.0-nightly.

[portasynthinca3]

Having the same issue over here.

[tgross35]

The fix is in #128380, unless your case is different @portasynthinca3. It will probably make it into either today or tomorrow's nightly.

[Freax13]

unclear. Whether these make sense really depends on the outcome of #128004

• sym::repr

• sym::patchable_function_entry

• sym::no_sanitize

Before this PR was merged, I was able to use #[no_sanitize(address)] on a #[naked] function with the calling convention "x86-interrupt". Omitting #[no_sanitize(address)] leads to a compiler crash. I tried looking at the generated LLVM IR and the function prologue contains a bunch of other KASAN-related stuff which I wouldn't expect for naked function. I'm not sure whether the right solution here is to stop sanitizing naked functions in the first place or to allow #[no_sanitize(...)] on them.

[folkertdev]

The idea of the linked PR is to implement naked functions like this

core::arch::global_asm!(".globl page_fault_handler","page_fault_handler:", "ud2");

extern "x86-interrupt" { 
    fn page_fault_handler(_: u64, _: u64);
}

but with support for (const) generics and with being able to export the symbol (which is tricky with extern function declarations in user space). I think in that world, the no_sanitize is no longer needed? At least on godbolt the above codegens fine.

However, in the meantime, we probably should not break anyone? @bjorn3 do you have thoughts on what to do?

[tgross35]

Before this PR was merged, I was able to use #[no_sanitize(address)] on a #[naked] function with the calling convention "x86-interrupt". Omitting #[no_sanitize(address)] leads to a compiler crash. I tried looking at the generated LLVM IR and the function prologue contains a bunch of other KASAN-related stuff which I wouldn't expect for naked function. I'm not sure whether the right solution here is to stop sanitizing naked functions in the first place or to allow #[no_sanitize(...)] on them.

@Freax13 could you open a new bug for this crash? It seems like that very specific combination of extern "x86-interrupt", sanitizers, and naked functions is required to reproduce. And it's been around since before this PR, https://godbolt.org/z/EnhsWxejT (using RUSTC_BOOTSTRAP for the demo). Naked functions should probably just never get sanitizer annotations, but we can ping project-exploit-mitigations on the issue to confirm.