Tracking issue for target_feature 1.1 RFC

[nikomatsakis]

This is a tracking issue for the RFC "target_feature 1.1" (rust-lang/rfcs#2396).

Issues: F-target_feature_11 target feature 1.1 RFC

People

Last updated in Mar 2023:

• Shepherd: gnzlbg @workingjubilee (person who can help answer tricky questions that arise during implementation)
• Lang team liaison: @joshtriplett (main point of contact from lang team)

Step

• Implement the RFC: Implement RFC 2396: #[target_feature] 1.1 #69274
• Adjust documentation: Document the target_feature_11 feature reference#1181
• Stabilization PR (see instructions on rustc-guide)
• Revert? Revert stabilization of #![feature(target_feature_11)] #108654
• I suppose we're off the end of the script, here. Bugs to fix:
  • #[target_feature] is allowed on main #108645
  • #[target_feature] is allowed on default implementations #108646
  • target_feature_11 rejects code that was previously accepted #108655
  • The extern "C" ABI of SIMD vector types depends on target features (tracking issue for abi_unsupported_vector_types future-incompatibility lint) #116558
  • The (stable) neon aarch64 target feature is unsound: it changes the float ABI #131058
• Re-stabilization PR? Please cc @workingjubilee when you (re)open this!

Unresolved questions

• target_feature_11 allows bypassing safety checks through Fn* traits #72012 -- soundness hole where safe target-feature functions implement the Fn traits.
• target-feature 1.1: should closures inherit target-feature annotations? #73631 -- behavior of closures and target-features

[LeSeulArtichaut]

I've been working on this, trying to see if I would be able to implement this with my very little knowledge of the compiler. I think I can propose a PR soon.

@rustbot claim

[hanna-kruppe]

In #69274 (comment), @petrochenkov pointed out a complication not made clear in the RFC (nor realized by anyone during the original discussion, AFAICT): safe trait functions are explicitly excluded because we can't check all call sites, but function items implement the Fn* traits, so safe functions with target features enabled face a similar problem. That is, unless they are special-cased in some way that results in them not implementing those traits.

[petrochenkov]

It would probably be better to add the unsafe to #[target_feature] functions implicitly during lowering to HIR.
Implicit unsafe is already added to functions in extern blocks in the same way.

That would make the unsafety checker the only place (besides AST lowering) where they would be treated specially. Like, "yes, the function is unsafe, but we know that it's safe to call in this specific context, so the unsafe block can be omitted".

The special coercion checks would no longer be necessary in that case.

[LeSeulArtichaut]

Now that #69274 landed, I think we can check Implement the RFC 🙂

[LeSeulArtichaut]

@rustbot release-assignment

[hanna-kruppe]

Filed #72012 for the unsoundness discussed above (I think this is how T-lang tracking issues are supposed to be used now).

[nikomatsakis]

Opened #73631 to discuss the expected behavior of closures with target-feature.

[calebzulawski]

It looks like there haven't been any updates on this in a while--is there anything I can do to bring this closer to stabilization?

[nikomatsakis]

@calebzulawski I know it's almost a year later but I think this is probably ready for a stabilization report? (cc @rust-lang/lang)

[LeSeulArtichaut]

Tried to help by opening rust-lang/reference#1181, feedback from people who actually know what they are doing would be greatly appreciated.

While writing the PR, I noticed that #72012 is a breaking change for wasm targets, where target_features could be used on safe functions. It looks like you can still safely call target_feature functions though:

fn call_it(f: impl FnOnce()) {}

#[target_feature(enable = "simd128")]
fn foo_simd128() {}

fn main() {
    foo_simd128(); // OK
    call_it(foo_simd128); // error: the trait `FnOnce<()>` is not implemented
}

[RalfJung]

The two remaining bugs listed here now have mitigations:

• as for neon, enabling that target feature on a softfloat target shouldn't be a problem any more thanks to aarch64 softfloat target: always pass floats in int registers #133102. And AFAIK all hardfloat targets enable neon in their baseline, so enabling neon there is a NOP. We should probably have a check somewhere that enforces this.
• as for the general SIMD ABI issue, Emit warning when calling/declaring functions with unavailable vectors. #132173 makes it so that there is a warning for the cases that would be unsound with target_feature 1.1. Crater found no such cases.

There is one bug that carries the label, #58279, but I think that one can be closed.

So... seems like there's no longer a blocker here?

[RalfJung]

Hm, actually I did discover some very surprising interaction with closures, caused by #108655 / #111836. Consider this:

#![allow(improper_ctypes_definitions)]
#![feature(target_feature_11)]

use std::mem::transmute;
#[cfg(target_arch = "x86")]
use std::arch::x86::*;
#[cfg(target_arch = "x86_64")]
use std::arch::x86_64::*;

#[inline(never)]
#[target_feature(enable = "avx")]
unsafe extern "C" fn with_tf_c(_dummy: f32, x: __m256) {
    let val = unsafe { transmute::<_, [u32; 8]>(x) };
    dbg!(val);
}

#[target_feature(enable = "avx")]
unsafe fn with_tf() -> impl FnOnce(f32, __m256) {
    #[inline(always)]
    |dummy, x| with_tf_c(dummy, x)
}

fn main() {
    // This makes all the following target feature stuff sound.
    assert!(is_x86_feature_detected!("avx"));
    
    unsafe {
        with_tf()(0.0, transmute([1; 8]));
    }
}

Turns out that the inline(always) here disables inheriting the target features into the closure. That's really surprising since they are otherwise inherited.

The lint about vector ABI issues does trigger in the above example (I should add that as a testcase). I currently can't think of any other way this could break... but it does seem quite surprising. Should we at least warn against inline(always) on closures inside target feature functions? I think we should.

[RalfJung]

Looking at the logic here, just stabilizing target_feature_11 will suddenly change the behavior of all closures defined in target_feature functions: they will now start inheriting feature gates, except if they are marked inline(always). Is that truly what we want? It seems like a potentially surprising flag day...

It should be sound (apart from possible ABI issues) because for the closure to be constructed, the function containing it must have been called, which means the target feature must be available, and target features can never become un-available. Still, it should be called out loudly in the stabilization report so t-lang is aware of this when we do the FCP.

EDIT: t-lang discussed this in #73631, but it doesn't seem to discuss that we are changing the behavior of existing code the moment we are stabilizing this feature. It's probably fine, but should at least be mentioned.

[calebzulawski]

Hm, actually I did discover some very surprising interaction with closures, caused by #108655 / #111836. Consider this:

#![allow(improper_ctypes_definitions)]
#![feature(target_feature_11)]

use std::mem::transmute;
#[cfg(target_arch = "x86")]
use std::arch::x86::;
#[cfg(target_arch = "x86_64")]
use std::arch::x86_64::;

#[inline(never)]
#[target_feature(enable = "avx")]
unsafe extern "C" fn with_tf_c(dummy: f32, x: __m256) {
let val = unsafe { transmute::<, [u32; 8]>(x) };
dbg!(val);
}

#[target_feature(enable = "avx")]
unsafe fn with_tf() -> impl FnOnce(f32, __m256) {
#[inline(always)]
|dummy, x| with_tf_c(dummy, x)
}

fn main() {
// This makes all the following target feature stuff sound.
assert!(is_x86_feature_detected!("avx"));

unsafe {
    with_tf()(0.0, transmute([1; 8]));
}

}

Turns out that the inline(always) here disables inheriting the target features into the closure. That's really surprising since they are otherwise inherited.

The lint about vector ABI issues does trigger in the above example (I should add that as a testcase). I currently can't think of any other way this could break... but it does seem quite surprising. Should we at least warn against inline(always) on closures inside target feature functions? I think we should.

A little context/summary here: the target feature attribute is only being dropped in codegen, at the language level it is present and it should still be accounted for when doing safety checks etc. #[inline(always)] and #[target_feature] don't play nice together in any context, because LLVM will refuse to inline mismatched target features and rustc will emit an ICE. Prior to tf1.1, I believe #[target_feature] wasn't propagated into closures at all--it only became relevant when making safe calls with tf1.1. Rust currently rejects #[target_feature] and #[inline(always)] on regular functions for this reason, but obviously we don't want to break any existing code by rejecting it on closures.

The assumption made is that if you want #[inline(always)] on a closure, it's being inlined into its enclosing function (otherwise the inline attribute is useless), so it will still inherit the target features via inlining. However, in the off chance you pass the closure in some way that results in a target feature mismatch, dropping the #[target_feature] attribute prevents the ICE from LLVM. Across an edition change we might be able to add an additional check that errors nicely if the #[inline(always)] closure escapes in that way, and allow inheriting the codegen target feature attribute.

[calebzulawski]

A possible alternative is to drop #[inline(always)] down to #[inline] in those scenarios, but I think that's more likely to break existing code that may have depended on that behavior to performance.

[RalfJung]

The end result of all that is confusing though - e.g. if inside the closure you call a tf 1.1 fn that needs a particular feature, that will not work (I assume). If you call an extern C fn that takes a vector, it will trigger the ABI mismatch lint. Hence the suggestion to inform the programmer that their inline(always) has some quite surprising consequences.

[calebzulawski]

It does work, because the target feature attribute is still present everywhere except codegen/LLVM: https://play.rust-lang.org/?version=nightly&mode=debug&edition=2021&gist=987b48c66d3ef5d7a0dcdf8f716d976c

You're right that the ABI mismatch lint was never accounted for in this solution, though. I think a lint is reasonable, hopefully across an edition change we can simply prevent the closure from being called in one of those edge cases and reenable the codegen attribute.

[RalfJung]

Also, the target feature inheritance itself is done in an odd way: just enabling the target_feature_11 feature, without changing anything else about the code, will change which target features are enabled in some closures. Generally, enabling a feature gate itself should never change anything about how we build the program, it should only unlock new syntax that then can change behavior.

It does work, because the target feature attribute is still present everywhere except codegen/LLVM: https://play.rust-lang.org/?version=nightly&mode=debug&edition=2021&gist=987b48c66d3ef5d7a0dcdf8f716d976c

This example doesn't show anything since the closure is not inline(always). But it seems to work even with an inline(always) closure.

hopefully across an edition change we can simply prevent the closure from being called in one of those edge cases and reenable the codegen attribute.

I don't think we should do such checks on how the closure is called, that's too complicated and confusing.

We should instead ensure our backend doesn't have critical soundness bugs like #116573 that we have to work around on the language level... forbidding inline(always) on closures in target_feature functions until then is reasonable IMO, just like we forbid it on target_feature functions themselves.

[RalfJung]

A possible alternative is to drop #[inline(always)] down to #[inline] in those scenarios, but I think that's more likely to break existing code that may have depended on that behavior to performance.

Not having the target feature in the closure can also be pretty bad for performance, can't it? Presumably people enabled the target feature for a reason.

I think we should have a lint that suggests people drop the always, and telling them that until they do that, the closure will not have the target feature enabled. It seems unlikely to me that this will be a worse problem than forbidding inline(always) on target_feature functions in general.

[calebzulawski]

A possible alternative is to drop #[inline(always)] down to #[inline] in those scenarios, but I think that's more likely to break existing code that may have depended on that behavior to performance.

Not having the target feature in the closure can also be pretty bad for performance, can't it? Presumably people enabled the target feature for a reason.

Prior to target_feature_11, the target features weren't enabled on any closure (see the LLVM IR): https://play.rust-lang.org/?version=nightly&mode=debug&edition=2021&gist=cc8f5a52cd484f6ee54b7457215fd945

I support adding the lint, as long as you are still permitted to use #[inline(always)] to inline into the enclosing function if that's what you really want (user's choice to disable the lint).

[RalfJung]

I support adding the lint, as long as you are still permitted to use #[inline(always)] to inline into the enclosing function if that's what you really want (user's choice to disable the lint).

That seems odd to me; we don't allow this for regular functions either.

Do you have a concrete usecase where this is relevant? I don't think we should just go based on "vibes" here. We'd have a future-compat lint for a while, and if nobody shows up with a usecase, IMO we should make it a hard error.

[calebzulawski]

Oh, I'm fine with that plan as well, it's the most consistent. #108655 suggested to me that there were users who wanted it, I don't personally have an example. However it does seem there's a PR coming to allow #[inline(always)] on regular target feature functions by checking that there isn't a target feature mismatch at the call site, I'm not sure how successful that will be.

[RalfJung]

However it does seem there's a PR coming to allow #[inline(always)] on regular target feature functions by checking that there isn't a target feature mismatch at the call site, I'm not sure how successful that will be.

I heard there are such plans but IMO they should be blocked on fixing LLVM. Since I posted the link to the soundness issue in that Zulip thread, there has not been further discussion there AFAIK. But anyway that is a separate discussion.

[hanna-kruppe]

Do you have a concrete usecase where this is relevant? I don't think we should just go based on "vibes" here. We'd have a future-compat lint for a while, and if nobody shows up with a usecase, IMO we should make it a hard error.

I've written some code which I think would trigger the future-compat lint you're proposing (obviously I can't try it out yet). I think it's reasonable code:

1. There's an inline(always) higher order function involved because I want to share common code structure between multiple implementations of the same algorithm. Currently that's five implementations total (including a portable non-SIMD one) and I could add even more once Rust stabilizes SIMD intrinsics for other platforms. The alternative would be a macro, but that's clearly worse.
2. I'm doing dynamic feature detection for AVX2, so I need to use #[target_feature(enable = ...)] on the outer function. I'm passing a closure because I'm using a witness with safety invariant "AVX2 is available" to make the AVX2 intrinsics safe-to-use, so the closure has a capture (even if it's ZST). I could manually desugar the closure into a free function with an extra parameter, but that would complicate eight_rounds and every backend that doesn't do dynamic feature detection.
3. The closure has to be inline(always) because otherwise I've seen the calls to it not getting inlined, and that's fatal for performance. I'm not sure if the closure having different target features has anything to do with it or not, but even if making closures inherit them would help in this specific case, there will always be cases where the programmer wants to tell LLVM to inline harder. Plus, libraries can't rely on this in their design decisions until they drop support for Rust versions prior to that change.

There are ways I could rework my code to side-step the lint, but all I can think of make the code more ugly and brittle. And I don't really see a reason why I should have to do this. As I understand it, there's no problem with my code either under the old (closure doesn't inherit target_feature) or proposed new (does inherit) semantics. I appreciate that passing such a closure outside of the function it's defined in causes problems when combined with target_feature inheritance and LLVM's current behavior. But I don't think a future-compat warning and eventually hard error on perfectly good code is a nice way to handle that.

[RalfJung]

@hanna-kruppe thanks! Yes that would trigger the lint.

there will always be cases where the programmer wants to tell LLVM to inline harder.

Yes, but that's just incompatible with per-function target features, until LLVM fixes that bug.

So the question is, what's more important -- having the target features in the closure, or having inline(always)?

Would be interesting whether inheriting target features and regular #[inline] are sufficient to get the desired result here.

As I understand it, there's no problem with my code either under the old (closure doesn't inherit target_feature) or proposed new (does inherit) semantics.

To be clear, the new semantics is that your closure still does not inherit target features, because it is inline(always).

[hanna-kruppe]

In code like this, I mostly treat closures and non-target_feature helper functions as a more convenient alternative to macros and manual copy-paste: useful for structuring my source code, but intended to be melted down into a single big function. In most cases I don't think it matters which way LLVM takes to get there (always-inline or regular inline) because once the helper functions are inlined they'll be in a function with the right target features anyway. But I suppose inline(always) reflects my intentions more precise in extreme cases and for opt-level = "s" builds, which doesn't always handle the "write nice, small composable functions and hope LLVM inlines them all" style of programming very well.

Of course there are scenarios where I don't want or need everything to be inlined, e.g. because it's a big chunk of code that gets called from several different places. But in those cases I'm not slapping inline(always) on it, and it's less likely to be a closure in the first place.

[RalfJung]

I mean we could also say that we'll "just" document that target_features is inherited into closures except for inline(always) closures. I just thought that'd be too surprising, and people would just assume it gets always inherited.

[veluca93]

I mean we could also say that we'll "just" document that target_features is inherited into closures except for inline(always) closures. I just thought that'd be too surprising, and people would just assume it gets always inherited.

Note that the current behaviour is somewhat more surprising than that: it is inherited in inline(always) closures for purposes of safety checking, but not for codegen...

[hanna-kruppe]

What difference does not inheriting make, anyway?

• For safety checking: not inheriting would mean you'd still need unsafe to call any target_feature functions in closures, even if the call would be safe in the enclosing function? Sounds pretty annoying. Edit: and I don't think the humble #[inline] attribute should be allowed to have such a big semantic impact.
• For codegen: I think it only matters in cases where the inline(always) closure isn't inlined after all. Or I guess if it's inlined into a caller that lacks the target features the closure would have inherited. Both seems like pretty niche problems to have.

[RalfJung]

If we do inherit target features into inline(always) closures for codegen, I can construct a miscompilation based on #116573. I think that's a blocker.

[hanna-kruppe]

I hadn't seen that issue before and got confused trying to match what you're saying to the original reproducer in that issue. Are you saying inline(always) closure with target features inherited for codegen would give you the gadget for bypassing the check from #127731 described in #116573 (comment) ?

[...] we need a "with target feature" function and coerce LLVM into inlining its call site into a "no target feature" function. It will only do that when the "with target feature" function has inline(always), [...]

[RalfJung]

Yes that is exactly what I am saying. Specifically the example I posted above would be exactly that gadget, and I am fairly sure it would miscompile.

[calebzulawski]

I've written some code which I think would trigger the future-compat lint you're proposing (obviously I can't try it out yet).

This looks like it would trigger it. While not directly related to this topic, I see you are passing the closure via Fn--I've run into issues passing closures via Fn* traits in the past (#96929)

[RalfJung]

The idea that target_features inhibits inlining or that inlining inhibits target feature usage doesn't make sense.

It's a work-around for an LLVM bug. In an ideal world we wouldn't have to worry about this.

why we can't inline a function f() with target features into a function g() that doesn't have a superset of f() target features

Strictly speaking this doesn't make sense either. LLVM "just" has to ensure that the operations from f are not hoisted out of any conditionals or loops in g. But LLVM isn't able to represent that, so instead it just stops inlining altogether. Which then puts us into a pickle regarding inline(always) (even ignoring the bug): the user requested to be always inlined, but we can't actually make that happen if the function has target features. What do we do?

The status quo is that:

• on regular functions, we just error on that combination
• on a closure, then if TF 1.1 is turned on we'd usually inherit the surrounding function's target features into the closure, but if the closure is inline(always) then we don't inherit

It's not pretty, but between that long-standing LLVM bug and the general LLVM limitation around inlining and target features, and given our backwards compatibility constraints, it is unclear how to do better.

Compared to stable, with TF 1.1 nothing changes for the behavior of inline(always) functions or closures. What does change is the behavior of non-inline(always) closures in a target_feature function.