Stabilize -Zno-jump-tables into -Cjump-tables=bool #145974
Both gcc and llvm accept -fjump-tables as well as -fno-jump-tables. For consistency, allow rustc to accept -Zjump-tables=yes too.
Question [GUARANTEE 1/3]: is this intended to be a hint, or a guarantee?
This is a guarantee for the crate being compiled. No attempts are made to verify the entire link unit is compiled with this flag.
I think that is OK. It may be desirable for some crates to control this option. A jump table isn't always a more performant optimization (such was my experience when experimenting with them on Go/PPC64).
Maybe it's worth mentioning in the docs that:
- This can be enabled for a single crate if you are interested in controlling this for performance reasons
- If you are going after IBT concerns, it probably needs to be enabled for all crates in the graph
- Pre-built std may not meet your requirements
(Great questions btw Jieyou)
Yeah, this is why I asked, because depending on what you are aiming for, perf-only versus security concerns might want different levels of guarantees (or don't need guarantees).
For clarification, is this a concern with the implementation or documentation? If the latter, I wonder what the most appropriate wording is. If the flag is not consistently used for all crates, this option is most likely a hint. I am unsure how this attribute survives through inlining and LTO of crates which don't enable this option.
Question:
This option enables the -fno-jump-tables flag for LLVM, which makes the codegen backend avoid generating jump tables when lowering switches.
This option adds the LLVM no-jump-tables=true attribute to every function.
The option can be used to help provide protection against jump-oriented-programming (JOP) attacks, such as with the linux kernel's IBT.
How does this interact with pre-compiled std? I.e. can you mix downstream user crates compiled with -Cjump-tables=no versus a pre-compiled std compiled and distributed with -Cjump-tables=yes?
It should link without issue. Disabling this codegen optimization should have no effect on ABI.
Disabling jump tables can be used to help provide protection against | ||
jump-oriented-programming (JOP) attacks, such as with the linux kernel's [IBT]. |
Discussion [GUARANTEE 3/3]: If the flag is intended to be a hint, then this sentence can be a bit misleading, because we may not always guarantee it. We may want to slightly caveat this wording to not convey a "false promise" so to speak.
Or, if a user does want such protection, then do they need to enforce it over the whole crate graph?
The flag should guarantee anything compiled with jump tables turned off does not contain jump tables. It would be up to the user to enforce this dependency beyond the individual crate.
I think it might be better to remove this statement entirely. Maybe it would be better rewritten as:
Disabling jump tables can be used to help provide protection against
jump-oriented-programming (JOP) attacks. However, this option makes
no guarantee any precompiled or external dependencies are compiled
with or without jump tables.
Yes, that wording I think conveys the "caveat" that I was concerned about.
This option is used to allow or prevent the codegen backend from creating | ||
jump tables when lowering switches. |
Discussion: Hm, what happens if a different cg backend is selected?
It is not implemented yet in cg_gcc, but I guess it could be by sending -fno-jump-tables with context.add_driver_option("-fno-jump-tables") or context.add_command_line_option("-fno-jump-tables").
Should this be implemented for the other backends before stabilizing?
I don't think we need to block on it, though it may be worth a note. For GCC it should be a simple check here
fn module_codegen( |
(assuming Antoni is okay with doing it here rather than the submodule repo to avoid also dancing around the name change).
Cc @bjorn3 for cranelift
Cranelift doesn't have support emission of jump tables for the br_table instruction. Avoiding emitting br_table itself may be feasible, but would require a cranelift-frontend change. FWIW cg_clif silently ignores many of these flags already.
(assuming Antoni is okay with doing it here rather than the submodule repo to avoid also dancing around the name change).
I'm OK with this.
Adding support to the gcc backend seems straightforward. What is the difference between using add_driver_option vs add_command_line_option? The former did inhibit jump tables when I tested it.
It looks like maybe precedence? https://gcc.gnu.org/onlinedocs/jit/topics/contexts.html#c.gcc_jit_context_add_command_line_option
Some options won't work if not using the correct function. If it works, all is good.
Should this be implemented for the other backends before stabilizing?
Given that only the LLVM codegen backend is "stably" supported, it is not a stabilization blocker.
Question: I'm assuming that if you inspect the assembly of an actual hello world binary that uses std in some way, then you might see jump tables still? 🤔
Yes, if they exist and are included when linking. That is expected, though unintuitive to someone unfamiliar with the rust build system.
Thanks for this!
Yeah, it may get used for other things. Apart from what I mentioned in the original PR, I see LoongArch also uses it since a year ago (so I assume it should be passed for Rust too there, Cc @chenhuacai in case there is a reason not to).
I assume you mean As for the name change, it seems fine -- the usual argument for using the current name is to keep it close to GCC's and Clang's flags, which always helps, but here it is obvious, i.e. we are not changing other parts of the name or grouping different flags into a new one or things like that.
I think it is fine either way for us. If the old flag isn't there, we may get a kernel build error here in this PR, in which case I can give you a commit to fix it.
Yes. I've updated the report. The PR intentionally contains a commit to rename
68bfda9 to 08d2690
Some changes occurred in compiler/rustc_codegen_gcc
It seems like this should be about ready, with some possible delta to docs. Nominated for discussion.
r? @jieyouxu maybe?
A few minor things, I'll start an FCP after these discussions.
if !tcx.sess.opts.cg.jump_tables { | ||
context.add_command_line_option("-fno-jump-tables"); | ||
} |
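Review bot: the guard in this hunk passes -fno-jump-tables through context.add_command_line_option, but the only call reported as tested earlier in this thread is add_driver_option ("The former did inhibit jump tables when I tested it"). Confirm that add_command_line_option also suppresses jump tables before relying on it, and note that nothing in the thread points to a cg_gcc test covering this path, so a regression here would go unnoticed.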
Remark (meta): in general for any stabilization PRs, I really would recommend that any functionality or design changes are implemented and landed before the stabilization PR, and not in the stabilization PR itself (as these changes are prone to receive less scrutiny when mixed with stabilization concerns). For example, this goes straight from unimplemented -> be under a stable compiler flag.
(This is not really specific to this PR, but I've found stabilization PRs that batch non-stabilization-specific concerns super easy to miss things.)
Ok. I agree the patch detracts from the stabilization discussion and have dropped it.
Disabling jump tables can be used to help provide protection against | ||
jump-oriented-programming (JOP) attacks, such as with the linux kernel's [IBT]. |
Yes, that wording I think conveys the "caveat" that I was concerned about.
Note, in many cases the rust toolchain is distributed with precompiled | ||
crates which could possibly include jump tables. Furthermore, this option | ||
does not guarantee a target will be free of jump tables. They could arise | ||
from external dependencies, inline asm, or other complicated interactions | ||
when using crates which are compiled with jump table support. |
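Review bot: the closing clause "other complicated interactions when using crates which are compiled with jump table support" is too vague for a reader deciding whether the flag meets a security requirement. The concrete cases raised in this thread are inlining and LTO across crates that were not built with the option; name those, and say that the flag has to be applied to every crate in the graph when whole-program coverage is the goal. "rust toolchain" should also be capitalized as "Rust toolchain".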
Suggestion: I recommend explicitly calling out that this notably includes the precompiled standard library (cf. the hello-world-using-std binary example #145974 (comment)). Basically
Note, in many cases the rust toolchain is distributed with precompiled
crates (such as the precompiled standard library) which could possibly include jump tables.
This option is used to allow or prevent the LLVM or GCC codegen backend from | ||
creating jump tables when lowering switches from Rust code. |
Discussion: hm, I'm not sure if we should mention the GCC codegen backend's support of this from stable-facing rustc docs, especially given that we don't have cg_gcc tests for this right? I might even recommend dropping the GCC part from this stabilization PR (and perhaps land that separately).
I've dropped it. If the gcc codegen backend is still unstable, I don't think it should be mentioned here. There wasn't an explicit test, and I haven't yet figured what an architecture independent test would look like.
@rustbot author
Reminder, once the PR becomes ready for a review, use
Should this involve mitigation enforcement (rust-lang/rfcs#3855) as well? Looks like a CFI-like option. Why should this differ from stack protector in that respect?
Be more verbose about what this option can and cannot do.
I think there are valid scenarios where this could be used outside of potentially improving security. A future improvement might add a
696892f to 34e914d
I'll wait a bit for the mitigation enforcement discussions, seems like it's not super clear if this should be blocked on that effort (as a more "cohesive" package, so to speak).
I propose stabilizing the -Zno-jump-tables option into -Cjump-tables=.
-Zno-jump-tables stabilization report
What is the RFC for this feature and what changes have occurred to the user-facing design since the RFC was finalized?
No RFC was created for this option. This was a narrowly scoped option introduced in #105812 to support code generation requirements of the x86-64 linux kernel, and eventually other targets as Rust For Linux grows.
The tracking is #116592.
What behavior are we committing to that has been controversial? Summarize the major arguments pro/con.
The behavior of this flag is well defined, and mimics the existing -fno-jump-tables option currently available with LLVM and GCC.
As introduced, this option was named -Zno-jump-tables. However, other major toolchains allow both positive and negative variants of this option to toggle this feature. Renaming the option to -Cjump-tables=<bool> makes this option consistent, and if for some reason, expandable to other arguments in the future. Notably, many LLVM targets have configurable and different thresholds for when to lower into a jump table.
Are there extensions to this feature that remain unstable? How do we know that we are not accidentally committing to those.
No. This option is used exclusively to gate a very specific class of optimization.
Summarize the major parts of the implementation and provide links into the code (or to PRs)
-Zno-jump-tables #105812 by @ojeda
https://github.com/pmur/rust/blob/68bfda9025ccb2778e2606e12e8021b9918f40d3/compiler/rustc_session/src/options.rs#L2025-L2026
https://github.com/pmur/rust/blob/68bfda9025ccb2778e2606e12e8021b9918f40d3/compiler/rustc_codegen_llvm/src/attributes.rs#L210-L215
https://github.com/pmur/rust/blob/68bfda9025ccb2778e2606e12e8021b9918f40d3/src/doc/rustc/src/codegen-options/index.md?plain=1#L212-L223
Has a call-for-testing period been conducted? If so, what feedback was received?
No. The option as originally created is being used by Rust For Linux to build the x86-64 kernel without issue.
What outstanding bugs in the issue tracker involve this feature? Are they stabilization-blocking?
There are no outstanding issues.
Summarize contributors to the feature by name for recognition and assuredness that people involved in the feature agree with stabilization
-Zno-jump-tables.
no-jump-tables #116592, and provided feedback about the naming of the cli option.
What FIXMEs are still in the code for that feature and why is it ok to leave them there?
There are none.
What static checks are done that are needed to prevent undefined behavior?
This option cannot cause undefined behavior. It is a boolean option with well defined behavior in both cases.
In what way does this feature interact with the reference/specification, and are those edits prepared?
This adds a new cli option to rustc. The documentation is updated, and the unstable documentation cleaned up in this PR.
Does this feature introduce new expressions and can they produce temporaries? What are the lifetimes of those temporaries?
No.
What other unstable features may be exposed by this feature?
None.
What is tooling support like for this feature, w.r.t rustdoc, clippy, rust-analyzer, rustfmt, etc.?
No support is required from other rust tooling.
Open Items
-Zno-jump-tables to -Cjump-tables=<bool>?
-Zno-jump-tables for a period of time?
Closes #116592
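An added example, not code from this PR or from rustc: the thread notes that the LLVM backend implements the flag by attaching no-jump-tables=true to every function and that coverage beyond a single crate is up to the user, so one way to audit a crate graph is to scan the IR emitted with `--emit=llvm-ir` for function definitions that lack the attribute. The sample IR, its function names and the helper `functions_allowing_jump_tables` are constructed for illustration.

```rust
use std::collections::HashMap;

// Constructed sample of LLVM IR text: one function built with jump tables
// disabled (group #0) and one whose attribute group (#1) lacks the attribute.
const SAMPLE_IR: &str = r#"
define void @kernel_dispatch(i32 %op) unnamed_addr #0 {
  ret void
}
define void @prebuilt_helper(i32 %op) unnamed_addr #1 {
  ret void
}
declare void @extern_fn() #1
attributes #0 = { nounwind "no-jump-tables"="true" "target-cpu"="x86-64" }
attributes #1 = { nounwind "target-cpu"="x86-64" }
"#;

/// Returns the names of defined functions whose attribute group lacks
/// `"no-jump-tables"="true"` (or that reference no attribute group at all).
pub fn functions_allowing_jump_tables(ir: &str) -> Vec<String> {
    // Pass 1: attribute group id -> whether it disables jump tables.
    let mut groups: HashMap<&str, bool> = HashMap::new();
    for line in ir.lines() {
        if let Some(rest) = line.trim().strip_prefix("attributes #") {
            if let Some((id, body)) = rest.split_once(" = ") {
                groups.insert(id, body.contains("\"no-jump-tables\"=\"true\""));
            }
        }
    }
    // Pass 2: every `define` line names a function body and its group.
    let mut offenders = Vec::new();
    for line in ir.lines() {
        let line = line.trim();
        if !line.starts_with("define ") {
            continue; // `declare` has no body, so there is no switch to lower
        }
        let after_at = line.split('@').nth(1);
        let name = after_at.and_then(|s| s.split('(').next()).unwrap_or("<unknown>");
        let disabled = line
            .split_whitespace()
            .filter_map(|tok| tok.strip_prefix('#'))
            .any(|id| groups.get(id).copied().unwrap_or(false));
        if !disabled {
            offenders.push(name.to_string());
        }
    }
    offenders
}

fn main() {
    for f in functions_allowing_jump_tables(SAMPLE_IR) {
        println!("jump tables not disabled: {f}");
    }
}
```

The check only sees IR you can regenerate; precompiled crates such as a distributed standard library have to be rebuilt with the flag or inspected at the object level.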