Reject unsupported, unstable ABIs during AST lowering #141877
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
r? @Nadrieril rustbot has assigned @Nadrieril. Use |
rustbot
added
S-waiting-on-review
|
HIR ty lowering was modified cc @fmease This PR changes a file inside These commits modify the If this was unintentional then you should revert the changes before this PR is merged. |
This comment has been minimized.
This comment has been minimized.
|
@aDotInTheVoid Mm. I... am just gonna remove the |
|
These commits modify Please ensure that if you've changed the output:
|
It's checking that we produces the rust/src/librustdoc/json/conversions.rs Lines 365 to 378 in 91fad92 rust/src/rustdoc-json-types/lib.rs Lines 771 to 794 in 91fad92 Could you instead change the tests to use some other unstable ABI here? But it's fine to only test this once (with both the |
|
@aDotInTheVoid Well. Most other unstable ABIs don't have "unwind" cases. |
workingjubilee
force-pushed
the
wipe-the-extern-ast
branch
from
a705901 to
1fb2cf4
Compare
|
I have pushed an alternative which does some rearrangement so that we don't have complications due to aarch64 hosts, still test an unstable ABI, and retain the vectorcall-unwind coverage when we do. |
|
I don't know enough about ABI to review this r? compiler |
We elaborate rustc_ast_lowering to prevent unstable, unsupported ABIs
from leaking through the HIR without being checked for target support.
Previously ad-hoc checking on various HIR items required making sure
we check every HIR item which could contain an extern "{abi}" string.
This is a losing proposition compared to gating the lowering itself.
As a consequence, unstable ABI strings will now hard-error instead of
triggering the FCW `unsupported_fn_ptr_calling_conventions`.
This FCW was upgraded to warn in dependencies in Rust 1.87 so it has
become active within a stable Rust version and it was within the
compiler's nightly-feature contract to break this code without warning,
so this breakage has likely had a reasonable amount of foreshadowing.
We already gated unstable, unsupported ABIs during AST lowering.
If we check all ABIs for target support during HIR lowering, then we
risk duplicate errors in code that uses unstable extern "{abi}"s.
Limiting the ABI support checks to stable ABIs reduces this, and
remains correct because of gating all unstable ABIs already.
This code complication can be reduced when we switch the FCW to error.
Explicitly test it for relevant targets and check it errors on hosts.
workingjubilee
force-pushed
the
wipe-the-extern-ast
branch
3 times, most recently
from
9aecfc6 to
15a693d
Compare
We move the vectorcall ABI tests into their own file which is now only run on x86-64, while replacing them with rust-cold ABI tests so that aarch64 hosts continue to test an unstable ABI. A better solution might be cross-compiling or something but I really don't have time for that right now.
workingjubilee
force-pushed
the
wipe-the-extern-ast
branch
from
15a693d to
8c89905
Compare
rust-bors bot
added a commit
that referenced
this pull request
Jun 6, 2025
Reject `extern "{abi}"` when the target does not support it
## What
Promote [`unsupported_fn_ptr_calling_conventions`] from a warning to a hard error, making sure edge-cases will not escape. We now emit hard errors for every case we would return `Invalid` from `AbiMap::canonize_abi` during AST to HIR lowering. In particular, these architecture-specific ABIs now only compile on their architectures[^1]:
- amdgpu: "gpu-kernel"
- arm: "aapcs", "C-cmse-nonsecure-entry"
- avr: "avr-interrupt", "avr-non-blocking-interrupt"
- msp430: "msp430-interrupt"
- nvptx64: "gpu-kernel", "ptx-kernel"
- riscv32 and riscv64: "riscv-interrupt-machine", "riscv-interrupt-supervisor"
- x86: "thiscall"
- x86 and x86_64: "x86-interrupt"
- x86_64: "sysv64", "win64"
The panoply of ABIs that are logically x86-specific but actually permitted on all Windows targets remain supported on Windows, as they were before. For non-Windows targets they error if the architecture does not match.
Moving the check into AST lowering **is itself a breaking change in rare cases**, above and beyond the cases rustc currently warns about. See "Why or Why Not" for details.
## How
We modify rustc_ast_lowering to prevent unsupported ABIs from leaking through the HIR without being checked for target support. Previously ad-hoc checking on various HIR items required making sure we check every HIR item which could contain an `extern "{abi}"` string. This is a losing proposition compared to gating the lowering itself.
As a consequence, unsupported ABI strings will now hard-error instead of triggering the FCW `unsupported_fn_ptr_calling_conventions`.
However, per #86232 this does cause errors for rare usages of `extern "{abi}"` that were theoretically possible to write in Rust source, without previous warning or error. For instance, trait declarations without impls were never checked. These are the exact kinds of leakages that this new approach prevents.
This differs from the following PRs:
- #141435 is orthogonal, as it adds a new lint for ABIs we have not warned on and are not touched by this PR
- #141877 is subsumed by this, in that this simply cuts out bad functionality instead of adding epicycles for stable code
## Why or Why Not
We already made the decision to issue the `unsupported_fn_ptr_calling_conventions` future compatibility warning. It has warned in dependencies since #135767, which reached stable with Rust 1.87. That was released on 2025 May 17, and it is now June. As we already had erred on these ABI strings in most other positions, and warn on stable for function pointer types, this breakage has had reasonable foreshadowing.
Upgrading the warning to an error addresses a real problem. In some cases the Rust compiler can attempt to actually compute the ABI for calling a function. We could accept this case and compute unsupported ABIs according to some other ABI, silently[^0]. However, this obviously exposes Rust to errors in codegen. We cannot lower directly to the "obvious" ABI and then trust code generators like LLVM to reliably error on these cases, either.
Refactoring the compiler so we could defer more ABI computations would be possible, but seems weakly motivated. Even if we succeeded, we would at minimum risk:
- exposing the "whack-a-mole" problem but "approaching linking" instead of "leaving AST"
- making it harder to reason about functions we *can* lower further
- complicating the compiler for no clear benefit
A deprecation cycle for the edge-cases could be implemented first, but it is not very useful for such marginal cases, like this trait declaration without a definition:
```rust
pub trait UsedToSneakBy {
pub extern "gpu-kernel" fn sneaky();
}
```
Upon any impl, even for provided fn within trait declarations, e.g. `pub extern "gpu-kernel" fn sneaky() {}`, different HIR types were used which would, in fact, get checked. Likewise with anything with function pointers. Thus we would be discussing deprecation cycles for code that is impotent or forewarned[^2].
Implementing a deprecation cycle _is_ possible, but it would likely require emitting multiple of a functionally identical warning or error on code that would not have multiple warnings or errors before. It is also not clear to me we would not find **another**, even more marginal edge-case that slipped through, as "things slip through" is the motivation for checking earlier. Additional effort spent on additional warnings should require committing to a hard limit first.
r? lang
Fixes #86232
Fixes #132430
Fixes #138738
Fixes #142107
[`unsupported_fn_ptr_calling_conventions`]: #130260
[^1]: Some already will not compile, due to reaching ICEs or LLVM errors.
[^0]: We already do this for all `AbiStr` we cannot parse, pretending they are `ExternAbi::Rust`, but we also emit an error to prevent reaching too far into codegen.
[^2]: It actually did appear in two cases in rustc's test suite because we are a collection of Rust edge-cases by the simple fact that we don't care if the code actually runs. These cases were excised in c1db989.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, we check whether ABIs have support on the target we are compiling for during HIR analysis. This unfortunately is a slightly "whack-a-mole" proposition, because there is no inherent relationship between ABI strings and their usages in the HIR1. We can instead check for support in
rustc_ast_lowering, where we first materializeExternAbifrom strings. This lets us always error on ABIs we wish to error on.As a first step, we throw the switch for unstable ABIs. Despite being nightly features, we actually have emitted future compatibility warnings for all unsupported ABIs for some time:
unsupported_calling_conventionsbecame a hard error.unsupported_fn_ptr_calling_conventionsis warn-in-deps since Rust 1.87, a stable Rust version.With this we effectively make the latter lint a hard error on unstable ABIs. Stable ABIs still only receive warnings.
As a bonus, this addresses three ICEs that the compiler could reach. It prevents many more LLVM errors from being seen by programmers as well, as most unstable ABIs cannot have correct code generated for them by targets that do not support the ABI.
Fixes #132430
Fixes #138738
Footnotes
For example, we already missed some use-sites of ABI strings because FnSigs are not BareFnTys, requiring us to implement a new future-compat-warning to handle the function pointer case. ↩