[libc++][hardening] Rework how the assertion handler can be overridden.

[var-const]

Previously there were two ways to override the verbose abort function
which gets called when a hardening assertion is triggered:

• compile-time: define the _LIBCPP_VERBOSE_ABORT macro;
• link-time: provide a definition of __libcpp_verbose_abort function.

This patch adds a new configure-time approach: the vendor can provide
a path to a custom header file which will get copied into the build by
CMake and included by the library. The header must provide a definition of the
_LIBCPP_ASSERTION_HANDLER macro which is what will get called should
a hardening assertion fail. As of this patch, overriding
_LIBCPP_VERBOSE_ABORT will still work, but the previous mechanisms
will be effectively removed in a follow-up patch, making the
configure-time mechanism the sole way of overriding the default handler.

Note that _LIBCPP_ASSERTION_HANDLER only gets invoked when a hardening
assertion fails. It does not affect other cases where
_LIBCPP_VERBOSE_ABORT is currently used (e.g. when an exception is
thrown in the -fno-exceptions mode).

The library provides a default version of the custom header file that
will get used if it's not overridden by the vendor. That allows us to
always test the override mechanism and reduces the difference in
configuration between the pristine version of the library and
a platform-specific version.

[llvmbot]

@llvm/pr-subscribers-libcxx

Author: Konstantin Varlamov (var-const)

Changes

Previously there were two ways to override the verbose abort function
which gets called when a hardening assertion is triggered:

• compile-time: define the _LIBCPP_VERBOSE_ABORT macro;
• link-time: provide a definition of __libcpp_verbose_abort function.

This patch adds a new configure-time approach: a vendor can provide
a path to a custom header file whose contents will get injected into the
build by CMake. The header must provide a definition of the
_LIBCPP_ASSERTION_HANDLER macro which is what will get called should
a hardening assertion fail. As of this patch, overriding
_LIBCPP_VERBOSE_ABORT will still work, but the previous mechanisms
will be effectively removed in a follow-up patch, making the
configure-time mechanism the sole way of overriding the default handler.

Note that _LIBCPP_ASSERTION_HANDLER only gets invoked when a hardening
assertion fails. It does not affect other cases where
_LIBCPP_VERBOSE_ABORT is currently used (e.g. when an exception is
thrown in the -fno-exceptions mode).

The library provides a default version of the custom header file that
will get used if it's not overridden by the vendor. That allows us to
always test the override mechanism and reduces the difference in
configuration between the pristine version of the library and
a platform-specific version.

---

Full diff: https://github.com/llvm/llvm-project/pull/77883.diff

8 Files Affected:

• (modified) libcxx/CMakeLists.txt (+7)
• (modified) libcxx/include/CMakeLists.txt (+9)
• (modified) libcxx/include/__assert (+2-2)
• (added) libcxx/include/__assertion_handler.in (+13)
• (modified) libcxx/test/libcxx/lint/lint_headers.sh.py (+1)
• (modified) libcxx/utils/generate_iwyu_mapping.py (+2)
• (modified) libcxx/utils/libcxx/header_information.py (+3)
• (added) libcxx/vendor/llvm/default_assertion_handler.in (+14)

diff --git a/libcxx/CMakeLists.txt b/libcxx/CMakeLists.txt
index 75cb63222da35c..b09836a6ab69c8 100644
--- a/libcxx/CMakeLists.txt
+++ b/libcxx/CMakeLists.txt
@@ -69,6 +69,13 @@ if (NOT "${LIBCXX_HARDENING_MODE}" IN_LIST LIBCXX_SUPPORTED_HARDENING_MODES)
   message(FATAL_ERROR
     "Unsupported hardening mode: '${LIBCXX_HARDENING_MODE}'. Supported values are ${LIBCXX_SUPPORTED_HARDENING_MODES}.")
 endif()
+set(LIBCXX_ASSERTION_HANDLER_FILE
+  "${CMAKE_CURRENT_SOURCE_DIR}/vendor/llvm/default_assertion_handler.in"
+  CACHE STRING
+  "Specify the path to a header that contains a custom implementation of the
+   assertion handler that gets invoked when a hardening assertion fails. If
+   provided, the contents of this header will get injected into the library code
+   and override the default assertion handler.")
 option(LIBCXX_ENABLE_RANDOM_DEVICE
   "Whether to include support for std::random_device in the library. Disabling
    this can be useful when building the library for platforms that don't have
diff --git a/libcxx/include/CMakeLists.txt b/libcxx/include/CMakeLists.txt
index 0fe3ab44d2466e..efbce0fee847d7 100644
--- a/libcxx/include/CMakeLists.txt
+++ b/libcxx/include/CMakeLists.txt
@@ -1019,9 +1019,12 @@ foreach(feature LIBCXX_ENABLE_FILESYSTEM LIBCXX_ENABLE_LOCALIZATION LIBCXX_ENABL
 endforeach()
 
 configure_file("__config_site.in" "${LIBCXX_GENERATED_INCLUDE_TARGET_DIR}/__config_site" @ONLY)
+file(READ ${LIBCXX_ASSERTION_HANDLER_FILE} _LIBCPP_ASSERTION_HANDLER_OVERRIDE)
+configure_file("__assertion_handler.in" "${LIBCXX_GENERATED_INCLUDE_TARGET_DIR}/__assertion_handler" @ONLY)
 configure_file("module.modulemap.in" "${LIBCXX_GENERATED_INCLUDE_DIR}/module.modulemap" @ONLY)
 
 set(_all_includes "${LIBCXX_GENERATED_INCLUDE_TARGET_DIR}/__config_site"
+                  "${LIBCXX_GENERATED_INCLUDE_TARGET_DIR}/__assertion_handler"
                   "${LIBCXX_GENERATED_INCLUDE_DIR}/module.modulemap")
 foreach(f ${files})
   set(src "${CMAKE_CURRENT_SOURCE_DIR}/${f}")
@@ -1059,6 +1062,12 @@ if (LIBCXX_INSTALL_HEADERS)
     PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
     COMPONENT cxx-headers)
 
+  # Install the generated __assertion_handler file to the per-target include dir.
+  install(FILES "${LIBCXX_GENERATED_INCLUDE_TARGET_DIR}/__assertion_handler"
+    DESTINATION "${LIBCXX_INSTALL_INCLUDE_TARGET_DIR}"
+    PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
+    COMPONENT cxx-headers)
+
   # Install the generated modulemap file to the generic include dir.
   install(FILES "${LIBCXX_GENERATED_INCLUDE_DIR}/module.modulemap"
     DESTINATION "${LIBCXX_INSTALL_INCLUDE_DIR}"
diff --git a/libcxx/include/__assert b/libcxx/include/__assert
index d4af7e6c7192ab..3c49c96f65a3e4 100644
--- a/libcxx/include/__assert
+++ b/libcxx/include/__assert
@@ -10,8 +10,8 @@
 #ifndef _LIBCPP___ASSERT
 #define _LIBCPP___ASSERT
 
+#include <__assertion_handler>
 #include <__config>
-#include <__verbose_abort>
 
 #if !defined(_LIBCPP_HAS_NO_PRAGMA_SYSTEM_HEADER)
 #  pragma GCC system_header
@@ -20,7 +20,7 @@
 #define _LIBCPP_ASSERT(expression, message)                                                                            \
   (__builtin_expect(static_cast<bool>(expression), 1)                                                                  \
        ? (void)0                                                                                                       \
-       : _LIBCPP_VERBOSE_ABORT(                                                                                        \
+       : _LIBCPP_ASSERTION_HANDLER(                                                                                    \
              "%s:%d: assertion %s failed: %s\n", __builtin_FILE(), __builtin_LINE(), #expression, message))
 
 // TODO: __builtin_assume can currently inhibit optimizations. Until this has been fixed and we can add
diff --git a/libcxx/include/__assertion_handler.in b/libcxx/include/__assertion_handler.in
new file mode 100644
index 00000000000000..59342a3b0be891
--- /dev/null
+++ b/libcxx/include/__assertion_handler.in
@@ -0,0 +1,13 @@
+// -*- C++ -*-
+#ifndef _LIBCPP___ASSERTION_HANDLER
+#define _LIBCPP___ASSERTION_HANDLER
+
+#include <__config>
+
+#if !defined(_LIBCPP_HAS_NO_PRAGMA_SYSTEM_HEADER)
+#  pragma GCC system_header
+#endif
+
+@_LIBCPP_ASSERTION_HANDLER_OVERRIDE@
+
+#endif // _LIBCPP___ASSERTION_HANDLER
diff --git a/libcxx/test/libcxx/lint/lint_headers.sh.py b/libcxx/test/libcxx/lint/lint_headers.sh.py
index ab237c968da7e1..aee10e13b9560c 100644
--- a/libcxx/test/libcxx/lint/lint_headers.sh.py
+++ b/libcxx/test/libcxx/lint/lint_headers.sh.py
@@ -14,6 +14,7 @@ def exclude_from_consideration(path):
         or path.endswith(".modulemap.in")
         or os.path.basename(path) == "__config"
         or os.path.basename(path) == "__config_site.in"
+        or os.path.basename(path) == "__assertion_handler.in"
         or os.path.basename(path) == "libcxx.imp"
         or os.path.basename(path).startswith("__pstl")
         or not os.path.isfile(path)  # TODO: Remove once PSTL integration is finished
diff --git a/libcxx/utils/generate_iwyu_mapping.py b/libcxx/utils/generate_iwyu_mapping.py
index 343538a6cae481..d5d1577e4a2ad6 100644
--- a/libcxx/utils/generate_iwyu_mapping.py
+++ b/libcxx/utils/generate_iwyu_mapping.py
@@ -43,6 +43,8 @@ def generate_map(include):
         public = []
         if i == "__assert":
             continue
+        elif i == "__assertion_handler.in":
+            continue
         elif i == "__availability":
             continue
         elif i == "__bit_reference":
diff --git a/libcxx/utils/libcxx/header_information.py b/libcxx/utils/libcxx/header_information.py
index 54e18b5ea533dd..326931b0081c00 100644
--- a/libcxx/utils/libcxx/header_information.py
+++ b/libcxx/utils/libcxx/header_information.py
@@ -168,6 +168,9 @@ def is_modulemap_header(header):
     if header == "__config_site":
         return False
 
+    if header == "__assertion_handler":
+        return False
+
     # exclude libc++abi files
     if header in ["cxxabi.h", "__cxxabi_config.h"]:
         return False
diff --git a/libcxx/vendor/llvm/default_assertion_handler.in b/libcxx/vendor/llvm/default_assertion_handler.in
new file mode 100644
index 00000000000000..2422b6dadbe644
--- /dev/null
+++ b/libcxx/vendor/llvm/default_assertion_handler.in
@@ -0,0 +1,14 @@
+// -*- C++ -*-
+#include <__config>
+#include <__verbose_abort>
+
+#if _LIBCPP_HARDENING_MODE == _LIBCPP_HARDENING_MODE_DEBUG
+
+#define _LIBCPP_ASSERTION_HANDLER(...) _LIBCPP_VERBOSE_ABORT(__VA_ARGS__)
+
+#else
+
+// TODO(hardening): in production, trap rather than abort.
+#define _LIBCPP_ASSERTION_HANDLER(...) _LIBCPP_VERBOSE_ABORT(__VA_ARGS__)
+
+#endif // #if _LIBCPP_HARDENING_MODE == _LIBCPP_HARDENING_MODE_DEBUG

[var-const]

@nico Hi Nico, this patch still needs some work to update the documentation, but I wanted to give you a heads-up as soon as possible. This patch is not a breaking change (the new _LIBCPP_ASSERTION_HANDLER still calls _LIBCPP_VERBOSE_ABORT, so the existing mechanisms for overriding verbose abort should still work), but an immediate follow-up will make the assertion handler call __builtin_trap instead, which would essentially force projects to use the new mechanism (overriding verbose abort wouldn't produce errors but will effectively become a no-op as hardening failures will ignore it). We hope it makes transition easier by introducing an intermediate state where both the old and the new overriding mechanisms work.

Please let us know if you have any concerns or feedback regarding this direction. Thanks!

[var-const]

Also pinging @llvm/libcxx-vendors (please see the comment above).

[zmodem]

Thanks for the heads up! This seems very flexible, providing a __assertion_handler header should allow us to do whatever we want essentially.

@alanzhao1 can you take a look too?

[mordante]

I like the idea of the patch, but I'm not convinced by the current configure approach.

[mordante]

Looking at the code it feels somewhat clunky to me.
Why would the following approach not work?

set(LIBCXX_ASSERTION_HANDLER_FILE
  "${CMAKE_CURRENT_SOURCE_DIR}/vendor/llvm/default_assertion_handler.h"
  CACHE STRING
  "Specify the path to a header that contains a custom implementation of the
   assertion handler that gets invoked when a hardening assertion fails. If
   provided, this header will be used instead of libc++'s default handler.")

Then in libcxx/include/CMakeLists.txt you copy this file and no configuring at all.

The current approach would result in a file below or am I missing something.

// -*- C++ -*-
#ifndef _LIBCPP___ASSERTION_HANDLER
#define _LIBCPP___ASSERTION_HANDLER

#include <__config>

#if !defined(_LIBCPP_HAS_NO_PRAGMA_SYSTEM_HEADER)
#  pragma GCC system_header
#endif

// -*- C++ -*-
#include <__config>
#include <__verbose_abort>

#if _LIBCPP_HARDENING_MODE == _LIBCPP_HARDENING_MODE_DEBUG

#define _LIBCPP_ASSERTION_HANDLER(error_message, ...) ((void)error_message, _LIBCPP_VERBOSE_ABORT(__VA_ARGS__))

#else

// TODO(hardening): in production, trap rather than abort.
#define _LIBCPP_ASSERTION_HANDLER(error_message, ...) ((void)error_message, _LIBCPP_VERBOSE_ABORT(__VA_ARGS__))

#endif // #if _LIBCPP_HARDENING_MODE == _LIBCPP_HARDENING_MODE_DEBUG

#endif // _LIBCPP___ASSERTION_HANDLER

[var-const]

Injecting the contents of the header should give us a little more control over the custom handler. In particular, it is currently up to the vendor whether they want to allow users to override the macro. To support overriding, a custom implementation might first check that the macro isn't already defined, e.g. on the command line:

// In a vendor-provided `./custom_assertion_handler.h`
#ifndef _LIBCPP_ASSERTION_HANDLER
#define _LIBCPP_ASSERTION_HANDLER(...) platform::assert(__VA_ARGS__)
#endif

That way, a user can compile with -D_LIBCPP_ASSERTION_HANDLER(...)=my_project::special_assert(__VA_ARGS__) and it will be honored. Or the vendor could do the opposite and explicitly forbid overriding:

#ifdef _LIBCPP_ASSERTION_HANDLER
#error "You should not attempt to override the platform-provided assertion handler"
#endif

If in a future release we wanted to make sure that the handler can always be overridden by users, we could change our header to do something like:

#ifndef _LIBCPP_ASSERTION_HANDLER
@_LIBCPP_ASSERTION_HANDLER_OVERRIDE@
#endif

We don't necessarily want to do that, but I think leaving us some degree of flexibility in this regard is useful.

Also, this allows us to provide some internal includes for the custom header in a supported manner. E.g. we can make <__config> available without having the vendor include that internal header explicitly (which we generally don't support), and if in the future we decided to granularize <__config>, we could update the includes without the vendor having to update their code.

[var-const]

@mordante After writing this, I realized that we can just as well do something like:

#ifndef _LIBCPP_ASSERTION_HANDLER
#include "__custom_assertion_handler.h"
#endif

which alleviates my concern. In fact, I think both approaches have equal expressive power and are not visible to the user/vendor. I think they're very similar, but having a single header seems to be a little simpler/cleaner, so I'll give it a shot based on your suggestion.

[ldionne]

I think this changes to something like

diff --git a/libcxx/include/CMakeLists.txt b/libcxx/include/CMakeLists.txt
index 0fe3ab44d246..7546d8f2aed9 100644
--- a/libcxx/include/CMakeLists.txt
+++ b/libcxx/include/CMakeLists.txt
@@ -1020,9 +1020,11 @@ endforeach()
 
 configure_file("__config_site.in" "${LIBCXX_GENERATED_INCLUDE_TARGET_DIR}/__config_site" @ONLY)
 configure_file("module.modulemap.in" "${LIBCXX_GENERATED_INCLUDE_DIR}/module.modulemap" @ONLY)
+file(COPY "${LIBCXX_ASSERTION_HANDLER_FILE}" "${LIBCXX_GENERATED_INCLUDE_DIR}/__assertion_handler")
 
 set(_all_includes "${LIBCXX_GENERATED_INCLUDE_TARGET_DIR}/__config_site"
-                  "${LIBCXX_GENERATED_INCLUDE_DIR}/module.modulemap")
+                  "${LIBCXX_GENERATED_INCLUDE_DIR}/module.modulemap"
+                  "${LIBCXX_GENERATED_INCLUDE_DIR}/__assertion_handler")
 foreach(f ${files})
   set(src "${CMAKE_CURRENT_SOURCE_DIR}/${f}")
   set(dst "${LIBCXX_GENERATED_INCLUDE_DIR}/${f}")

after @mordante 's suggestion. It's a bit simpler indeed, we should probably go for that.

[ldionne]

This should just be _LIBCPP_ASSERTION_HANDLER(message) unless we want to be stuck with this interface forever.

Right now, we basically use this exclusively to pass the following arguments: "%s:%d: assertion %s failed: %s\n", __builtin_FILE(), __builtin_LINE(), #expression, message. However, we can do this instead:

_LIBCPP_ASSERTION_HANDLER(__FILE__ ":" _LIBCPP_STRINGIZE(__LINE__) ": assertion " _LIBCPP_STRINGIZE(expression) " failed: " message)

Basically we don't really need the full power of printf-style formatting in our current use case, and anyway __builtin_verbose_trap(...) will require a compile-time string, so that wouldn't work in that world.

For example: https://godbolt.org/z/1r75K7jo5

We don't want to encourage using variadic functions for this, as shown in the godbolt the codegen for calling variadic functions is very poor.

[var-const]

Done. (This required tweaking how we parse the assertion message in tests a little bit, but that was pretty minor)

I was originally a little concerned that it would make every assertion message slightly larger (since e.g. the assertion failed: part is now "inlined" into every message), but got convinced otherwise during the review:

• it only matters when the string literal is actually referenced by the program. With the new approach we're aiming for with __builtin_verbose_trap, the string will end up not being referenced by the application and will simply not be stored in the binary (only in the debug metadata), making this a non-issue for all projects using the default assertion handler;
• even if a project overrides the default handler and references the string, it looks like switching to passing a single parameter to the macro instead of variadics results in noticeably less code being generated (well, the difference is minor, but it affects every single assertion so it adds up). While I haven't measured, it looks like it should offset if not exceed the extra size coming from the string (which is already pretty small). Moreover, for projects using the default handler, this is strictly a binary size improvement (no extra instructions needed for passing variadic arguments).

So all in all, I really like this suggestion! Not doing runtime formatting also removes one more potential point of failure.

[alanzhao1]

Thanks for the heads up! This seems very flexible, providing a __assertion_handler header should allow us to do whatever we want essentially.

@alanzhao1 can you take a look too?

+1, thanks for the change and the heads up!

One thing we (Chrome) will need to keep in mind is that we'll need to provide our own implementation of <__assertion_handler> since we don't use CMake. I filed https://crbug.com/1517992 to keep track of this on our end.

[github-actions]

✅ With the latest revision this PR passed the C/C++ code formatter.

[var-const]

Thanks for the heads up! This seems very flexible, providing a __assertion_handler header should allow us to do whatever we want essentially.
@alanzhao1 can you take a look too?

+1, thanks for the change and the heads up!

One thing we (Chrome) will need to keep in mind is that we'll need to provide our own implementation of <__assertion_handler> since we don't use CMake. I filed https://crbug.com/1517992 to keep track of this on our end.

Thanks for the feedback! One thing I'd like to mention is that based on @mordante's comment, we're thinking to change/simplify things a little bit:

• the custom header will still come from the same CMake variable;
• rather than copying its contents into our internal header, we will copy the custom header file itself into our include directory and include it directly. Copying simplifies things for us by making sure we know all the files (and their paths and names) in our default installation and that we don't have to worry about include search paths since the custom include is always guaranteed to be at an always-available location;
• we will remove the __assertion_handler.in file and instead directly include the (copy of the) custom header from __assert.

If using CMake, I think this change should be completely invisible. But since you mentioned you don't use CMake, I just wanted to run it by you to make sure it doesn't make things worse for your use case. Thanks!

(I hope to update the patch by end of day to implement the new mechanism outlined above)

[var-const]

Do we want to prefix this filename with __?

[ldionne]

We need to, if it gets installed into $PREFIX/usr/include/c++/v1.

[var-const]

Sorry, I mean this specific file. During installation, it gets renamed to __assertion_handler, so the generated include directory will contain the prefixed version.

[ldionne]

I guess I would leave it without __, since that makes it more obvious that the two files are named differently.

[var-const]

Note: I first tried using file(COPY ...), but there seem to be several downsides to it:

1. It doesn't support changing the filename (I think). The newer (and simpler) file(COPY_FILE ...) command does, but it's only available starting from CMake 3.21, which is above the minimum version we support (3.20). I tried renaming after copying, but it looks pretty ugly:

file(COPY "${LIBCXX_ASSERTION_HANDLER_FILE}" DESTINATION "${LIBCXX_GENERATED_INCLUDE_DIR}")
cmake_path(GET LIBCXX_ASSERTION_HANDLER_FILE FILENAME _assertion_handler_short_name)
file(RENAME "${LIBCXX_GENERATED_INCLUDE_DIR}/${_assertion_handler_short_name}" "${LIBCXX_GENERATED_INCLUDE_DIR}/__assertion_handler")

2. The docs state the following:

An important difference is that configure_file() creates a dependency on the source file, so CMake will be re-run if it changes. The file(COPY_FILE) sub-command does not create such a dependency.

(It is said about COPY_FILE but seems to apply to COPY as well)

This seems to be a downside. Testing locally, I can confirm that modifying the header triggers a rebuild of cxx-test-depends if I use configure_file but not if I use file(COPY ...).

IIUC, the COPYONLY option prevents variables from being expanded, making the behavior identical. Let me know if I'm missing anything!

[var-const]

(Tagging @mordante to make sure this comment doesn't get lost among various threads)

[ldionne]

LGTM once these few comments are addressed!

[ldionne]

We need to, if it gets installed into $PREFIX/usr/include/c++/v1.

[ldionne]

LGTM w/ comments, once CI is green. It seems like the Windows CI is super backed up right now, I think it would be fine to merge without waiting for that signal. But if you do, let's keep an eye on the CI to make sure this doesn't fail.

[ldionne]

I guess I would leave it without __, since that makes it more obvious that the two files are named differently.

[var-const]

For the record, the CI was green at the time of merging except for the Buildkite jobs which were still pending (specifically the Windows and FreeBSD jobs). I'll monitor their status and make sure to quickly address failures, if any (hopefully not).

[nico]

Sorry, I didn't see the ping.

Have you considered putting this in __config_site? We (and I suppose others) already have to generate that one.

[nico]

After reading this for a bit, putting the macro in __config_site probably doesn't work, due to circular includes.

Can you say a bit more about which problem this solves?

Also, since the file is only getting copied, why is it called .in?

I think on our end, for layering reasons, we'll have to provide a version of this file that calls a weak symbol that calls std::abort and then provide a strong override in our base library that calls our dump override (…since a small number of test binaries don't link in our base library). So we'll basically have to reinvent what's in libc++. Not the end of the world, but a bunch of busywork, and it's not super clear why this approach is better to me. (It also doesn't have to be clear to me, of course! I'm still curious why the change was made.)

[var-const]

For the record, the CI was green at the time of merging except for the Buildkite jobs which were still pending (specifically the Windows and FreeBSD jobs). I'll monitor their status and make sure to quickly address failures, if any (hopefully not).

Update: all the jobs finished successfully.

[var-const]

After reading this for a bit, putting the macro in __config_site probably doesn't work, due to circular includes.

Can you say a bit more about which problem this solves?

Also, since the file is only getting copied, why is it called .in?

I think on our end, for layering reasons, we'll have to provide a version of this file that calls a weak symbol that calls std::abort and then provide a strong override in our base library that calls our dump override (…since a small number of test binaries don't link in our base library). So we'll basically have to reinvent what's in libc++. Not the end of the world, but a bunch of busywork, and it's not super clear why this approach is better to me. (It also doesn't have to be clear to me, of course! I'm still curious why the change was made.)

A big part of the motivation for this change is to make sure that the codegen can come down to a single instruction (intended to be __builtin_trap, or __builtin_verbose_trap once that becomes available). This is important for code size and was raised in the RFC; we also know some users that need this. Unfortunately, while the mechanism we had originally that allowed for link-time overriding is convenient, it also results in generating a function call that can't be optimized away in the general case (the fact that verbose_abort is a variadic function doesn't help, either, the codegen for variadics isn't great). This imposes a code size penalty even on users who don't make use of overriding (or else would force them to do the macro redefinition).

Also, we feel that this should primarily be controlled by vendors, not users in most cases, and thus should be a configuration-time mechanism. If we ship libc++ on a platform where we can't afford to call __verbose_abort, without configuration-time customization every user would have to redefine the _LIBCPP_VERBOSE_ABORT macro, which is really cumbersome.

We're really sorry it creates additional churn for you, but I think the most important thing is to make sure there is no downgrade in functionality, i.e., you would still be able to use the overrides you're currently using. It's a little hard to balance, but basically we're trying to impose the minimal performance penalty by default while still allowing for full customizability for platforms and projects that need it.

Also, since the file is only getting copied, why is it called .in?

I don't feel very strongly about it, but I felt that the name makes it more obvious that this header is used as an input to the build configuration and not included (or meant to be included) as is from its directory. Also, while we don't currently plan to use e.g. variable expansion, I think it's more of an implementation detail whether the header is copied as-is or somehow modified by build rules.