Stabilize -Cmin-function-alignment

[folkertdev]

tracking issue: #82232
split out from: #140261

Request for Stabilization

Summary

The -Cmin-function-alignment=<align> flag specifies the minimum alignment of functions for which code is generated.
The align value must be a power of 2, other values are rejected.

Note that -Zbuild-std (or similar) is required to apply this minimum alignment to standard library functions.
By default, these functions come precompiled and their alignments won't respect the min-function-alignment flag.

This flag is equivalent to:

• -fmin-function-alignment for GCC
• -falign-functions for Clang

The specified alignment is a minimum. A higher alignment can be specified for specific functions by annotating the function with a #[align(<align>)] attribute.
The attribute's value is ignored when it is lower than the value passed to min-function-alignment.

There are two additional edge cases for this flag:

• targets have a minimum alignment for functions (e.g. on x86_64 the lowest that LLVM generates is 16 bytes).
  A min-function-alignment value lower than the target's minimum has no effect.
• the maximum alignment supported by this flag is 8192. Trying to set a higher value results in an error.

Testing

• tests/codegen/min-function-alignment.rs tests the behavior of the -Zmin-function-alignment flag and how it interacts with #[align(N)].
• tests/ui/invalid-compile-flags/min-function-alignment.rs tests that incorrect alignments error

History

• add -Zmin-function-alignment #134030

The -Zmin-function-alignment flag was requested by rust-for-linux #128830. It will be used soon (see #t-compiler/help > ✔ Alignment for function addresses).

Miri supports function alignment since #140072. In const-eval there is no way to observe the address of a function pointer, so no special attention is needed there (see #t-compiler/const-eval > function address alignment).

Originally, the maximum allowed alignment was 1 << 29, because this is the highest value the LLVM API accepts. However, on COFF the highest supported alignment is only 8192 (see #142638). Practically speaking, that seems more than sufficient for all known use cases. So for simplicity, for now, we limit the alignment to 8192. The value can be increased on platforms that support it if the need arises.

---

r? @workingjubilee

the first commit can be split out if that is more convenient.

Caution

Concerns (6 active)

• per-target-vs-universal-max-alignment
• hint-vs-language-guarantee-can-be-relied-upon-for-soundness
• applicability-current-crate-or-whole-crate-graph
• carve-out-interface-and-behavioral-stability-guarantees
• interaction-with-extern-functions resolved in this comment
• resolve interaction-with-extern-functions resolved in this comment
• wasm
• resolve-interaction-with-fn-ptrs

Managed by @rustbot—see help for details.

[rustbot]

Some changes occurred to the CTFE machinery

cc @RalfJung, @oli-obk, @lcnr

Some changes occurred to the CTFE / Miri interpreter

cc @rust-lang/miri

Some changes occurred in compiler/rustc_codegen_cranelift

cc @bjorn3

Some changes occurred in compiler/rustc_codegen_ssa

cc @WaffleLapkin

The Miri subtree was changed

cc @rust-lang/miri

[bjorn3]

Why should it be limited on all platforms? Can't we error when the alignment exceeds the maximum that the actual target we are compiling for supports? Maybe someone genuinely needs to align to 16k on ELF for whatever reason?

[folkertdev]

Well, so as we've discovered, alignment is just a mess between clang and llvm. For instance -falign-function only goes up to 1 << 16, although you can manually align a function to a much higher alignment.

For 8192, we know it'll work everywhere, and the logic for when to accept/reject an alignment value is clear.

This flag aligns all functions to the minimum, so I have a hard time seeing a realistic scenario where aligning all functions to 16k is a reasonable thing to do (the limit on individual functions will be handled separately).

[folkertdev]

So I think the options are:

1. Limit to 8192 on all platforms, it's consistent and unlikely to cause issues. The limit can be safely raised in the future if a need arises
2. Follow clang and allow 1 << 16, except when the target object format is COFF, then the limit is 8192.
3. Accept what llvm accepts: allow 1 << 29, except when the target object format is COFF, then the limit is 8192.

I've picked the most conservative one (again, with the option to relax the limits if the need ever arises), but if there is consensus now on one of the other options that's also fine.

[workingjubilee]

It is my understanding that on Linux kernels we still nominally support, overaligning beyond the page size, typically 4096, is not going to work properly, so it is arguable that even 8192 is too high.

[jieyouxu]

IMO for the long term, hard-coding to 8192 across all platforms seem like a mistake -- especially because then, does this become part of the language or even more problematic, become part of (compiler/language) stability guarantees?

EDIT: or rather, what is a suitable upper bound in this case in terms of stability guarantees? As in, if we stabilize n=8192 as a universal upper bound, if we find out some platform cannot handle that in the future?

[RalfJung]

(orthogonal to this PR)
it is not great that the logic for merging the per-fn alignment and the global alignment needs to be repeated in each backend.

Maybe codegen_fn_attrs should just take min_function_alignment into account?

[RalfJung]

In fact, using sess.opts in the interpreter is at best iffy since it means the interpreter can behave differently in different crates in the same crate graph which can cause unsoundness...

[RalfJung]

Given that function pointers can be odd even when -Cmin-function-alignment is 2 (see here), I don't think it makes sense for the interpreter to do anything with min_function_alignment.

[traviscross]

@rustbot labels +T-lang

If the idea with this is that passing -Cmin-function-alignment represents a language-level guarantee, e.g. that a naked function could validly rely on this minimum alignment holding when this flag is passed to prove the soundness of its operations -- that from a language spec standpoint, this is equivalent to marking each function with #[align(..)] -- then I'd suggest that a dual FCP with lang here is proper.

cc @rust-lang/lang

[folkertdev]

Yeah that sounds right. There is also a bunch of overlap with rfc 3806.

Specifically, it contains a section that attempts to define what alignment values are accepted. #[align] and -Cmin-function-alignment should accept/reject the same values.

[traviscross]

@rust-lang/spec: What thoughts do we have about how to handle compiler flags that affect the language definition?

cc @RalfJung

[traviscross]

Here's a question. Since this does have language-level effect, might this be better expressed as a crate-level attribute?

If there's a good reason, given the use case, for this to be a compiler flag instead, probably it'd be good to describe that in some detail.

[ojeda]

If it can then be applied via --crate-attr similarly, then that should be fine for our use case.

[workingjubilee]

Huh. That could be... interesting to work with, since it would logically apply only to entities that originate from that crate, right?

[workingjubilee]

@folkertdev Do any of our tests verify that if you

• use this option on the functions described in a crate
• one is generic or from a trait or otherwise non-instantiated
• you instantiate that function in another crate without this flag

Then the resulting function is instantiated with the correct alignment? Where "correct" is... well, pick an answer, I guess?

[bors]

☔ The latest upstream changes (presumably #142901) made this pull request unmergeable. Please resolve the merge conflicts.

[folkertdev]

@workingjubilee we don't, currently. I think the expected answer is clear though, because -Zmin-function-alignment is applied to all compiled crates, not just the top-level one?

I'm not sure how that would work with #![min_function_alignment = N], because then library crates could set the value as well? So far I've been thinking of this option as similar to -Ctarget-cpu or -Ctarget-feature: they are not properties of a crate but of the compilation as a whole.

What thoughts do we have about how to handle compiler flags that affect the language definition?

Is setting and then relying on the alignment fundamentally different from -Ctarget-feature=+avx2 and then asserting in the program that avx2 is available?

[traviscross]

Is setting and then relying on the alignment fundamentally different from -Ctarget-feature=+avx2 and then asserting in the program that avx2 is available?

It's about whether we like this as a safety argument:

/// SAFETY: The pointee must be a 32-byte aligned function.  It's OK
/// for the low-order bits of the function pointer itself to be
/// non-zero, e.g., if they're used for controlling the processor
/// mode.
unsafe fn f(x: fn()) { todo!() }
fn g() {
    let p = g as fn();
    // SAFETY: We compiled with `-Cmin-function-alignment=32`.
    unsafe { f(p) };
}

For avx2, I'd expect that the safety argument would be made by use of cfg(target_feature = ".."), if is_x86_feature_detected!("avx2") { .. }, etc., rather than by using the argument that it was compiled with -Ctarget-feature=+avx2 in the proof.

[jieyouxu]

they are not properties of a crate but of the compilation as a whole.

Wait so, does this need to be handled like Target Modifiers?

[jieyouxu]

Actually, let my try to use rustbot's concern functionality to make the existing discussions/concerns more explicit.

[jieyouxu]

@rustbot concern per-target-vs-universal-max-alignment

Why should it be limited on all platforms? Can't we error when the alignment exceeds the maximum that the actual target we are compiling for supports? Maybe someone genuinely needs to align to 16k on ELF for whatever reason?

[jieyouxu]

@rustbot concern hint-vs-language-guarantee-can-be-relied-upon-for-soundness

We should figure out if this is a hint or a language guarantee -- can this be relied upon for soundness?

[jieyouxu]

@rustbot concern applicability-current-crate-or-whole-crate-graph

Looks like the current direction is "for the whole crate graph" (potentially "enforced" via Target Modifiers mechanism), but just noting a concern to make sure this is what we explicitly decide to go with.

[jieyouxu]

@rustbot concern carve-out-interface-and-behavioral-stability-guarantees

See #142824 (comment)

[folkertdev]

I suppose in theory if -Zbuild-std becomes stabilized this might be less of an issue.

My understanding is that target modifiers effectively require -Zbuild-std. From the RFC:

https://github.com/rust-lang/rfcs/blob/master/text/3716-target-modifiers.md#guide-level-explanation

The requirement that all CUs agree includes stdlib crates (core, alloc, std), so using these flags usually requires that you compile your own standard library with -Zbuild-std or by directly invoking rustc. That said, some flags (e.g., -Cpanic) have mechanisms to avoid this requirement.

---

I also have another question: would -Cmin-function-alignment (whether hint form, or in some theoretical guarantee form) apply to extern functions? I guess why I'm asking is more for the "if this is intended to become a language guarantee", that can code also assume extern functions follow this min alignment?

You mean foreign functions here right (so, declared in an extern "abi" {} block)? Making that assumption would mean that linking to any foreign function that is not appropriately aligned would be UB.

Such a guarantee/requirement would be really restrictive, especially for the performance use-case. I guess RfL does control it's build process sufficiently to guarantee that external C code also follows the alignment, but in general that seems unlikely?

On the other hand, from the outside it's not really clear whether a symbol is a foreign function, or a vanilla rust function.

[jieyouxu]

Yeah, I'm assuming that this flag wouldn't apply to extern functions as a hint or guarantee (I don't really see how it meaningfully can). Or rather, if for whatever reason the intended use case is a language guarantee, then in any case reasoning about min alignment of extern functions seems like "well, the burden of ensuring that said extern fns do have the min alignment falls upon the user, if the user wishes to rely upon that for soundness". I'm asking in case there are... interesting or really weird interactions.

@rustbot resolve interaction-with-extern-functions

(Ignore this, this is purely my skill issue)
@rustbot resolve resolve interaction-with-extern-functions

[folkertdev]

Well an implication is that you can't, for an arbitrary function pointer, assume that it is well-aligned, because it may be an extern function

[folkertdev]

the PR for making -Zmin-function-alignment a target modifier is up at #143323

[Jules-Bertholet]

As discovered in #143206 (comment), it looks like LLVM completely ignores function alignment specifications on WASM.

[RalfJung]

As discovered in #143206 (comment), it looks like LLVM completely ignores function alignment specifications on WASM.

That's tracked at #143368 now and yeah I assume it also affects this flag.

[RalfJung]

@rustbot concern wasm

[RalfJung]

@rustbot concern resolve-interaction-with-fn-ptrs

It seems like this does not actually interact with function pointers in any reasonable way, and in particular does not guarantee anything about the integral value of function pointers (see here).

That means this is entirely unobservable in the language itself, i.e. in pure Rust programs. It can only possibly be exploited by inline asm code that observes the layout of the generated machine code. We should make sure this is suitably documented as it is extremely surprising.

[bors]

☔ The latest upstream changes (presumably #143556) made this pull request unmergeable. Please resolve the merge conflicts.

[RalfJung]

#144661 also relates to this -- const-eval prematurely considered function alignment as a property observable via function pointers, leading to nonsense behavior (arguably that could even be an unsoundness).

[workingjubilee]

@folkertdev Please feel free to ping me about this if you need review/guidance/ideas on addressing these concerns and to of course rustbot-ready it when it is indeed ready. I am just whittling down my queue.

[folkertdev]

@rustbot blocked

this is effectively blocked on #143323, which in turn needs some sort of decision on the alignment guarantees and limitations (e.g. what to do on targets where the maximum alignment is lower than what LLVM tells us is allowed).