You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Gary proposed reading DWARF instead and wrote a quick Rust script for it via object and gimli, though DWARF would need to be available or generated on the fly just for that (and we cannot commit a fixed list since the kernel config may change and we support several Rust versions and so on): https://gist.github.com/nbdd0121/449692570622c2f46a29ad9f47c3379a.
It could perhaps be a flag like -Cunsigned-char, or a "target modifier" instead, if those (RFC) come to fruition.
The kernel uses it (unconditionally) since commit 3bc753c ("kbuild: treat char as always unsigned") (v6.2).
The kernel uses a custom FFI mapping (kernel::ffi:: instead of core::ffi::) everywhere (i.e. for bindgen-generated code as well as manually written code), so we have a workaround for that part. However, things like CStr/c"" still use core::ffi::'s definition, so it would still be nice to match it.
Clippy has a lint, but Klint is more accurate (Clippy's one works essentially summing the total of the local variables, before even register allocation; thus it has false positives).
It should probably be in rustc, upstream Rust open to have it in nightly (even before a way to configure lints in general, i.e. for the stack size in this case, is figured out): https://hackmd.io/4iWZvqBnTq2KUetjKf5X-A.
Oxide Computer has been using some compiler build output's stack size data to check their kernel against stack overflow. Nightly feature emit_stack_sizes.
Nice to have (not critical, we could workaround if needed, etc.)
Support overriding all flags on the command line (i.e. support multiple --target, --sysroot, --edition...).
Some flags, such as --target, --sysroot and --edition, can only be applied once: it is a hard error to supply them more than once.
Some projects would benefit from a way to allow to override them, or have had issues related to this behavior. For instance:
The Linux kernel allows users to pass "additional" flags as environment variables, rather than having to pass (again) the entire flag list (or having in the kernel side a way to manually filter previous flags). This came up for the Android build and was a problem.
Compiler Explorer allows users to pass flags, but it added a custom UI for toggling the edition, which in turn meant writing --edition was a hard error unless handled especially, which was eventually added.
If backwards compatibility is desired, then perhaps an opt-in flag could be added, e.g. --allow-override=target,edition.
This is not critical now, since we mainly support only LLVM=1 builds so far, but eventually we will want to match the C side for GCC builds when those become non-experimental.
Showing type aliases (perhaps in addition to resolved types) in error messages, potentially manually tagging the cases with sometimes like #[own_name].
Some kernel developers want to build Linux under macOS, but the kernel does not support that (the macOS support is maintained out-of-tree). So they may need something like this to minimize the differences with upstream. There may be other possible solutions (e.g. using symlinks, if that works, but it would require knowing the names in general). Perhaps this could help other projects to be ported to macOS too.
I wonder if it makes sense to request a feature to mute dead_code lint on
certain types which we know are there to represent a registration or resource
enablement.
Currently rustc's dead_code lint has a builtin exception for PhantomData, but
I think a lot other types should have the same treatment, this can be useful
even for other core types, e.g PhantomPinned.
Low priority (we will likely not use them in the end)
--check mode / --emit=check.
Like cargo check, but for rustc.
cargo check appears to do --emit=dep-info,metadata, but that would not be needed for the leaves.
Currently, the best approximation appears to be --emit=metadata, but it would be nice to have a way that reduces the work to the minimum, at least avoiding to emit the metadata and temporaries.
--emit=metadata=/dev/null does not appear to work due to the generated temporaries (and -Ztemps-dir does not seem to change that).
Use case: some tests (e.g. in upstream Rust: the warning-free builds of core and alloc under no_global_oom_handling in rustc) and faster development (it could also be part of a dev-mode in the kernel, which could include other changes like disabling the missing documentation warning).
Done (stabilized, fixed, not needed anymore, etc.)
-Zpatchable-function-entry support (GCC's and Clang's -fpatchable-function-entry), as well as the patchable_function_entry function attribute.
Moved into the main list since it got implemented.
-Zregparm=3 and -Zreg-struct-return.
Moved to the main list, since they got issued a tracking issue and are being implemented.
GCC's/Clang's -mregparm=3 and -freg-struct-return.
Used by: x86 (i.e. 32-bit).
-Zregparm=3 could have been just a bit of plumbing in rustc, but it turns out Clang is the one that has the logic to decide the registers, which then get marked in LLVM IR, and thus rustc needs to duplicate the logic (or moving it into LLVM and then wait for a release).
-Zreg-struct-return can be skipped if a target.json is used (abi_return_struct_as_int in target spec).
Commit: e852f31 ("[PATCH] Add CONFIG for -mregparm=3") (in history.git).
Commit: 2516512 ("[PATCH] x86: add -freg-struct-return to CFLAGS").
Layout randomization.
-Zrandomize-layout (and -Zlayout-seed=<seed>) were implemented, though the use case of the MCP was debugging (e.g. detecting invalid layout assumptions), rather than security (which the kernel uses under some configurations -- see CONFIG_RANDSTRUCT*).
The -softfloat target does not have KCFI nor KASAN enabled.
Starting with Rust 1.85.0, we are supposed to use the -softfloat target to avoid the warning avoid disabling neon in the non-softfloat one, because it warns (without the ability to silence it) and will be a hard error eventually.
We are considering migrating from Edition 2021 to 2024, but for that we will need to make sure the tooling that checks for behavior changes has no false negatives, because we would need to use it for checking backports into stable/LTS branches of the Linux kernel that use the older Edition.
rustc 1.76 (beta) warns about non-recursive invocation from Make.
rustc may document that it may always take advantage of the jobserver (e.g. for backend and eventually frontend parallelism), and thus users should always call rustc as recursive from Make.
Are attributes such as noalias, readonly, dereferenceable... worth it for performance or could they potentially be all disabled to get something like -fno-strict-aliasing?
Note: there is the "A-rust-for-linux" label in the
rustrepository: https://github.com/rust-lang/rust/labels/A-rust-for-linux.Features that we would like to see
Required (we almost certainly want them)
x86's
CONFIG_CPU_MITIGATIONS(previouslyCONFIG_SPECULATION_MITIGATIONS).rustc.CONFIG_MITIGATION_RETPOLINE: moved to the main list since it got implemented.CONFIG_MITIGATION_RETHUNK: moved to the main list since it got implemented.CONFIG_MITIGATION_SLS:-mharden-sls=all.-Ctarget-feature=due to the warnings -- see SLS support inrustc(target features or dedicated flags) rust-lang/rust#116851.Export (somehow) a list of all
noreturnsymbols.objtoolneeds a list of functions that do not return.rustccould emit somewhere (e.g. a file, via--emit=noreturns) a list ofnoreturnsymbols. In particular, Peter suggests using a section: https://lore.kernel.org/rust-for-linux/20240806202217.GZ37996@noisy.programming.kicks-ass.net/objectandgimli, though DWARF would need to be available or generated on the fly just for that (and we cannot commit a fixed list since the kernel config may change and we support several Rust versions and so on): https://gist.github.com/nbdd0121/449692570622c2f46a29ad9f47c3379a.-funsigned-char(GCC, Clang).-Cunsigned-char, or a "target modifier" instead, if those (RFC) come to fruition.kernel::ffi::instead ofcore::ffi::) everywhere (i.e. forbindgen-generated code as well as manually written code), so we have a workaround for that part. However, things likeCStr/c""still usecore::ffi::'s definition, so it would still be nice to match it.-mpreferred-stack-boundary(GCC, Clang does not support it) /-mstack-alignment(GCC does not support it, Clang).-mpreferred-stack-boundary=3,-mstack-alignment=8).-mpreferred-stack-boundary=2,-mstack-alignment=4).-Cstack-alignment/-Cpreferred-stack-boundarysupport inrustcrust-lang/rust#128833.-mskip-rax-setup(GCC, Clang).rustc's equivalent to-Wframe-larger-than.rustc, upstream Rust open to have it in nightly (even before a way to configure lints in general, i.e. for the stack size in this case, is figured out): https://hackmd.io/4iWZvqBnTq2KUetjKf5X-A.KHWASAN support (kernel hardware-assisted AddressSanitizer,
-fsanitize=kernel-hwaddress).-Zsanitize=kernel-hwaddressrust-lang/rust#153049.-Zsanitizer=kernel-hwaddressrust-lang/compiler-team#975.BTF generation.
pahole-- see LLVM and Clang wanted features & bugfixes #1132.Nice to have (not critical, we could workaround if needed, etc.)
Support overriding all flags on the command line (i.e. support multiple
--target,--sysroot,--edition...).--target,--sysrootand--edition, can only be applied once: it is a hard error to supply them more than once.--editionwas a hard error unless handled especially, which was eventually added.--allow-override=target,edition.--editionflag broke with compiler overrides compiler-explorer/compiler-explorer#5429.--edition=2021for Rust compiler-explorer/compiler-explorer#3765.editionappears in both overrides and compiler-options, prefer the options compiler-explorer/compiler-explorer#6789.-falign-jumps=1, i.e. not aligned (GCC, Clang does not support it).-falign-jumps=0, only for a few CPUs).-Calign-jumps=1support inrustcrust-lang/rust#128831.LLVM=1builds so far, but eventually we will want to match the C side for GCC builds when those become non-experimental.-falign-loops=1, i.e. not aligned (GCC, Clang).-falign-loops=0, only for a few CPUs).-Calign-loops=1support inrustcrust-lang/rust#128832.-Cllvm-args=--align-loops=1:-Calign-loops=1support inrustcrust-lang/rust#128832 (comment).Showing type aliases (perhaps in addition to resolved types) in error messages, potentially manually tagging the cases with sometimes like
#[own_name].Arc<T> = ARef<WithRef<T>>and would improve readability of messages around e.g.Mutex<T> = Lock<T, MutexBackend>.A way to skip the existing bypass of lints that come from foreign crates.
-Dunsafe_op_in_unsafe_fnin generated code by proc macros.-masm=equivalent (i.e. the ability to configure the assembly syntax default).MSRV for
rustc, similar to Cargo's and Clippy ones (--msrv=version).--hint-msrv=versionoption so the compiler can take MSRV into account when linting rust-lang/compiler-team#772 (accepted).Ability to load
.solibraries under macOS.--extern mycrate=path/to/my/crate/with/random.suffixfails with "file name should be lib*.rlib or lib*.so" rust-lang/rust#131720.Flag output.
Removing crate disambiguators from symbol names.
Mitigation enforcement (
#![feature(mitigation_enforcement)],-Zallow-partial-mitigations).-Z allow-partial-mitigations(RFC 3855) rust-lang/rust#149357.dead_codelint exceptions for more types.Low priority (we will likely not use them in the end)
--checkmode /--emit=check.cargo check, but forrustc.cargo checkappears to do--emit=dep-info,metadata, but that would not be needed for the leaves.--emit=metadata, but it would be nice to have a way that reduces the work to the minimum, at least avoiding to emit the metadata and temporaries.--emit=metadata=/dev/nulldoes not appear to work due to the generated temporaries (and-Ztemps-dirdoes not seem to change that).coreandallocunderno_global_oom_handlinginrustc) and faster development (it could also be part of a dev-mode in the kernel, which could include other changes like disabling the missing documentation warning).coreunderno_global_oom_handlingrust-lang/rust#110652.Done (stabilized, fixed, not needed anymore, etc.)
-Zpatchable-function-entrysupport (GCC's and Clang's-fpatchable-function-entry), as well as thepatchable_function_entryfunction attribute.-Zregparm=3and-Zreg-struct-return.-mregparm=3and-freg-struct-return.-Zregparm=3could have been just a bit of plumbing inrustc, but it turns out Clang is the one that has the logic to decide the registers, which then get marked in LLVM IR, and thusrustcneeds to duplicate the logic (or moving it into LLVM and then wait for a release).-Zreg-struct-returncan be skipped if atarget.jsonis used (abi_return_struct_as_intin target spec).-Zregparmrust-lang/rust#131749.-Zreg-struct-returnsupport inrustcrust-lang/rust#116973.-Zregparm=3support inrustcrust-lang/rust#116972.history.git).Layout randomization.
-Zrandomize-layout(and-Zlayout-seed=<seed>) were implemented, though the use case of the MCP was debugging (e.g. detecting invalid layout assumptions), rather than security (which the kernel uses under some configurations -- seeCONFIG_RANDSTRUCT*).-Z randomize-layoutflag rust-lang/compiler-team#457.-Zrandomize-layoutflag to better detect code that rely on unspecified behavior related to memory layout rust-lang/rust#77316.-Z randomize-layoutrust-lang/rust#106764.-Z randomize-layoutrust-lang/rust#91932.CET (
-Zcf-protection=branch).KCFI (
-Zsanitizer=kcfi&-Zsanitizer-cfi-normalize-integers).x86's
CONFIG_X86_KERNEL_IBTsupport (-Zcf-protection=branch -Zno-jump-tables).-fcf-protection=branch -fno-jump-tables.Make
debug_tripledepend ontarget.jsonfile content rather than file path.Diagnostics for
-Dflags make it slightly harder to allow vs.#![deny(...)].-Dflags make it slightly harder to allow vs.#![deny(...)]rust-lang/rust#114030.help:line): Add an allow attribute suggestion along with the implied by suggestion rust-lang/rust#114089 (1.74)..commentsection support..commentsection like GCC/Clang (!llvm.ident) rust-lang/rust#97550 (1.73).rustc_codegen_gcc): subtree update cg_gcc 2023/11/17 rust-lang/rust#118068 (1.76).arm64: shadow call stack (SCS) support.
-Zsanitizer=shadow-call-stackin the builtin target): Shadow call stack should be supported onaarch64-unknown-nonerust-lang/rust#121972.-Ctarget-feature=+reserve-x18to avoid warning): Compiler does not recognize thereserve-x18target feature rust-lang/rust#121970.-Ctarget-feature=+reserve-x18to avoid warning): Addreserve-x18target feature for aarch64 rust-lang/rust#124323.-Zfixed-x18flag): Add-Zfixed-x18rust-lang/rust#124655 (1.80).-Zfixed-x18rust-lang/compiler-team#748.KASAN.
-Zsanitizer=kernel-addressis being implemented.kernel-addresssanitizer support for freestanding targets rust-lang/rust#99679.-fmin-function-alignment(GCC, Clang does not support it) /-falign-functions(GCC, Clang)-falign-functions=0, only for a few CPUs).-fmin-function-alignmentand Clang's-falign-functions, i.e. align all functions, including cold functions.feature(fn_align), but we need to do it globally.#[align(...)]on function items (fn_align) rust-lang/rust#82232.-Cmin-function-alignment/-Calign-functionssupport inrustcrust-lang/rust#128830.-Zmin-function-alignmentrust-lang/rust#134030 (1.86).-Zsanitize-kcfi-arity(i.e. the equivalent of Clang's-fsanitize-kcfi-arity).CONFIG_FINEIBT_BHI.-Zsanitize-kcfi-arityrust-lang/rust#138311.Longstanding issue affecting Klint.
otherwiseedge in dataflow analysis rust-lang/rust#142707 (1.90).Adding flags directly as
-Cinstead of-Z(requiring-Zunstable-optionsto use them) to avoid churn in downstream projects like Rust for Linux.Bugs that we would like to see fixed
Required (we almost certainly want them)
The
-softfloattarget does not have KCFI nor KASAN enabled.-softfloattarget to avoid the warning avoid disablingneonin the non-softfloat one, because it warns (without the ability to silence it) and will be a hard error eventually.rustc 1.85.0-beta.8 (38213856a 2025-02-06)).-Zregparmdoesn't put 64-bit arguments in registers.-Zregparmdoesn't put 64-bit arguments in registers rust-lang/rust#145694.MIR optimization produces worse code by losing aliasing information.
build_assert!withinwrite32not working due topr_err!call in-between.Unsafe macros inside
unsafe fns do not respect-Dunsafe_op_in_unsafe_fn.container_of!can be called without anunsafeblock (and no// SAFETY: ...comment) within anunsafe fn.unsafe_op_in_unsafe_fnnot triggered for raw pointer dereferencing insideaddr_of/addr_of_mutrust-lang/rust#112504.Improved Edition migration tooling (2021 -> 2024).
Nice to have (probably not critical, we could workaround if needed, etc.)
Include all (i.e. non-code-related) warnings in
-Dwarnings(or include a way to control whether they are errors).target json file contains unused fieldsunaffected by-Dwarningsrust-lang/rust#91262.-Dwarningsto cover all warnings rust-lang/compiler-team#473.Finish
unreachable_publint implementation.unreachable_pubgot easily confused by multiple items in a singlepub use ...statement rust-lang/rust#64762.rustc_privacytorustc_resolverust-lang/rust#82064.--emit=dep-info+-Zunpretty=expandedemits output.--emit=dep-info+-Zunpretty=expandedemits output rust-lang/rust#93201.Missed optimization (
to_resultdiscussion).Missed optimization (wrapping "raw generated
enums into cleaner ones).enums rust-lang/rust#116272.rustc_parserincorrectly parses groups withDelimiter::None.rustc_parserincorrectly parses groups withDelimiter::Nonerust-lang/rust#67062.Low priority (we will likely not use them in the end)
rustcwarns when finding an unknown jobserver style.rustc(or users could force an older jobserver style).rustcwarns when finding an unknown jobserver style rust-lang/rust#120532.Done (stabilized, fixed, or not needed anymore, etc.)
creader: Host crate loaded twice produces different
CrateNums if host != target.CrateNums if host != target rust-lang/rust#56935.Skip linking if it is not required.
ICE when proc macro panics if compiled with
-Cpanic=abort.-Cpanic=abortrust-lang/rust#82320.Set
dso_localfor hidden, private and local items.Set
dso_localfor more items.Add back support for
inlinestack-probes.Strange
-Zunpretty=expandedbehavior withglobal_asm!.-Zunpretty=expandedoutput withglobal_asm!loses semicolon thus cannot be formatted rust-lang/rust#101047.-Zunpretty=expandedoutput may not containglobal_asm!depending on comments/whitespace/... rust-lang/rust#101051.global_asmmacro pretty printing rust-lang/rust#101369.The
x86_64-unknown-none-linuxkerneltarget is not actually used.ARM64: Fix some issues with folded AArch64 features.
Ensure 128-bit types from the C side (
__int128_t,__uint128_t) are usable for architectures that need it.i128/u128match the ABI of the C ones, and that should remain the case thanks to Create optionally-available __int128 typedefs and use them for ARM64 definitions. rust-lang/libc#2719.i128/u128from theimproper_ctypeslint rust-lang/lang-team#255..eh_framesection emitted forkernel.o(debug assertions enabled,rustc>= 1.70.0)..eh_framesection emitted forkernel.o(debug assertions enabled,rustc>= 1.70.0) #1012..eh_framefrom being emitted for-C panic=abortrust-lang/rust#112403 (1.72)..eh_framesection emitted forrust_echo_server.o..eh_framesection emitted forrust_echo_server.o#1016.-Zunpretty=expandeddoes not emitdep-infoanymore (1.68 -> 1.69).-Zunpretty=expandeddoes not emitdep-infoanymore (1.68 -> 1.69) rust-lang/rust#112898.-Zunprettyrust-lang/rust#114476 (1.73).#[expect(dead_code)]does not behave identically to#[allow(dead_code)].#[expect(dead_code)]does not behave identically to#[allow(dead_code)]rust-lang/rust#114557.#[expect]the same way#[allow]is with thedead_codelint rust-lang/rust#114710 (1.73).1.74 ICE.
rustc1.76 (beta) warns about non-recursive invocation from Make.rustcmay document that it may always take advantage of the jobserver (e.g. for backend and eventually frontend parallelism), and thus users should always callrustcas recursive from Make.rustcinsidemake -j2warns (regression from 1.75.0) rust-lang/rust#120515.The last
--jobserver-authflag should be used like the GNU Make manual asks to (jobservercrate, used byrustc).--jobserver-authflag should be used rust-lang/jobserver-rs#66.jobserver): fix: last--jobserver-authwins rust-lang/jobserver-rs#67.rustcshould disable the jobserver if file descriptors are negative like the GNU Make manual asks to.rustccalls as recursive.rustcinsidemake -j2warns (regression from 1.75.0) rust-lang/rust#120515.jobserver): disable jobserver on unix, if file descriptors are negative rust-lang/jobserver-rs#68.ICE on
rustc 1.79.0-beta.4 (a26981974 2024-05-10)when compilingcore.o.RUSTC_BOOTSTRAP=1 rustc --edition=2021 -Csymbol-mangling-version=v0 --cfg no_fp_fmt_parse --crate-type rlib library/core/src/lib.rs --sysroot=/dev/null.f16andf128rust-lang/rust#123816 (1.79).f16/f128fallback code is not getting inlined rust-lang/rust#125229.#[inline]to floatDebugfallback used bycfg(no_fp_fmt_parse)rust-lang/rust#125252 (1.79).rustc 1.79.0-beta.7 (d9e85b56e 2024-05-25).Are attributes such as
noalias,readonly,dereferenceable... worth it for performance or could they potentially be all disabled to get something like-fno-strict-aliasing?Fix
-Zremap-path-scope.std::panic::Location::caller().file()uses absolute path when monomorphized in a different crate. rust-lang/rust#148328.Miscompilation on ppc64.
lint_reasons+unused_featuresinteraction.allowthe lint.unused_featurestriggers on stablelint_reasonsdespite usage rust-lang/rust#153523."error: target feature
fp-armv8cannot be toggled with#[target_feature]: Rust tiesfp-armv8to `neon".