The extern "C" ABI of SIMD vector types depends on target features (tracking issue for abi_unsupported_vector_types future-incompatibility lint)

[RalfJung]

The following program has UB, for very surprising reasons:

use std::mem::transmute;
#[cfg(target_arch = "x86")]
use std::arch::x86::*;
#[cfg(target_arch = "x86_64")]
use std::arch::x86_64::*;

extern "C" fn no_target_feature(_dummy: f32, x: __m256) {
    let val = unsafe { transmute::<_, [u32; 8]>(x) };
    dbg!(val);
}

#[target_feature(enable = "avx")]
unsafe fn with_target_feature(x: __m256) {
  // Here we're seemingly just calling a safe function... but actually this call is UB!
  // Caller and callee do not agree on the ABI; specifically they disagree on how the
  // `__m256` argument gets passed.
  no_target_feature(0.0, x);
}

fn main() {
    assert!(is_x86_feature_detected!("avx"));
    // SAFETY: we checked that the `avx` feature is present.
    unsafe {
        with_target_feature(transmute([1; 8]));
    }
}

The reason is that the ABI of the __m256 type depends on the set of target features, so the caller (with_target_feature) and callee (no_target_feature) do not agree on how the argument should be passed. The result is a vector half-filled with junk. (The same issue also arises in the other direction, where the caller has fewer features than the callee: example here.)

Currently, we have no good way to do correct code generation here. See #132865 for a discussion of how we could support such code in the future; it will require some non-trivial work. So instead, the current plan is to reject such code entirely.

This is the tracking issue for the lint that moves us in that direction. The hope is that passing SIMD vectors across a C ABI is sufficiently rare, and most of the cases being rejected have anyway already been broken, that we can reject this without much of an ecosystem impact. Crater showed no regressions.

This is linted against since Rust 1.84, and shown in future breakage reports starting with Rust 1.85. The plan is to move to a hard error with Rust 1.87.

When this becomes a hard error:

• We can probably remove the error tracked at Tracking issue for RFC 2574, "SIMD vectors in FFI" #63068?
• And also the warning triggered in this example?

---

Original issue text:

I'm not sure if this is currently even properly documented? We are mentioning it in #115476 but the program above doesn't involve any function pointers so we really cannot expect people to be aware of that part of the docs. We show a general warning about the type not being FFI-compatible, but that warning shows up a lot and anyway in this case both caller and callee are Rust functions!

I think we need to do better here, but backwards compatibility might make that hard. @chorman0773 suggested we should just reject functions like no_target_feature that take an AVX type by-val without having declared the AVX feature. That seems reasonable; a crater run would be needed to assess whether it breaks too much code. An alternative might be to have a deny-by-default lint that very clearly explains what is happening.

There are also details to work out wrt what exactly the lint should check. Newtypes around __m256 will have the same problem. What about other larger types that contain __m256? Behind a ptr indirection it's obviously fine, but what about (__m256, __m256)? If we apply the ScalarPair optimization this will be passed in registers even on x86.

A possible place to put the check could be somewhere around here.

In terms of process, I am not sure if an RFC is required; a t-compiler MCP might be sufficient. Currently we accept code that clearly doesn't do what it looks like it should do.

And finally -- are there any other targets (besides x86 and x86-64) that have target-features that affect the ABI? They should get the same treatment.

Note that this is different from #116344 in two ways:

• This issue only affects non-"Rust" ABIs; the other issue affects even the "Rust" ABI. (The Rust ABI passes __m256 by-pointer exactly to work-around this issue.)
• This issue comes about when the user enables extra features (which is possible also locally via #[target_feature]), the other issue comes about when the user disables features (which is only possible on a per-crate level via -C, and if you're mixing crates with different -C flags then you're already already on very shaky grounds -- we do that with std but nobody else really gets to do that, I think).

Cc @workingjubilee more ABI fun ;)

[chorman0773]

For a hard error, I think it probably should go through RFC. I can start drafting that now. As for what it would check, I'd expect a hard error on any time a simd type is passed by value and the appropriate feature is unavailable, even if the specific ABI wouldn't necessarily pass it in registers, including inside a structure, and the lint should probably check the same thing.

[RalfJung]

That can have potentially surprising effects, e.g. when a closure captures something of type __m256 and the closure gets passed by-value to a generic function.

It also means adding adding a private field that contains by-val repr(simd) data can be a semver-breaking change. Cc @ehuss

[chorman0773]

It also means adding adding a private field that contains by-val repr(simd) data can be a semver-breaking change

This would already be the case with replacing several fields with a SIMD type. For example, changing struct Foo(u64,u64,u64,u64); to struct Foo(__m256i);

Although thinking about it, because features can be per-crate, this might be a problem on crates that specialize based on target features.

Perhaps #[repr(Rust)] types should be exempted and always passed indirectly when they contain SIMD types (but not #[repr(C)] types).

[coastalwhite]

With RISC-V, you have Zfinx and Zdinx which have hard-floats but have moved the floats to the normal general purpose registers. In this case, forbidding the passing of floats by-value, if the f (RISC-V's version of single-precision float) target is not present, is very restrictive and probably not what you would want. Otherwise, allowing the passing-by-value of floats between f and Zfinx is also UB.

[RalfJung]

But the ABI only changes when f is present or not present, I assume? When f is present, Zfinx just means more instructions can be used but the ABI still says f32 is passed on float registers? And when f is not present, softfloat and Zfinx use the same ABI?

So that sounds like whether or not f is present should be a different target triple. Code with vs without f simply cannot be linked together. But having or not having Zfinx doesn't make an ABI difference. Or am I misunderstanding?

[coastalwhite]

No, that is exactly it. Do I understand correctly that you essentially want to do something similar to thumb with the eabi and eabihf?

[RalfJung]

I'm not an expert on target details. 🙈 Usually my purview ends when I have given precise abstract semantics to nasty pieces of unsafe Rust and MIR.^^ But every now and then terrible low-level CPU nightmares creep onto my territory and then I have to learn how to deal with them...

So, I don't know what ARM does with eabi vs eabihf. But it sounds like they are considering "hard float" and "soft float" two different ABIs that presumably use different registers for argument passing (so they are indeed different ABIs), and then have corresponding target triples to tell apart the ABIs. So yeah that sounds like what I am suggesting we should do for other targets as well. (We could also consider different ABI strings, like "C" vs "C-softfloat" or so. No idea if that makes any sense.)

Obviously we don't actually care whether the functions behind those ABIs use x87/d/f hardware instructions or do some softfloat stuff, we just care how arguments are passed. But sadly it seems that in LLVM, there's no way to say "you have the d,f target features available but please use the softfloat ABI anyway"? If that is something people need (enable d,f or x87,sse,sse2 on softfloat targets without affecting ABI) we should start talking with LLVM people about whether and how that could be achieved.

This may all be completely naive since I'm just coming at this with my principled approach of making everything safe or at least sound and giving it semantics at a high level; I rely on people like @chorman0773 to tell me when my ideas make no sense "in the field". ;)

[Skgland]

If with_target_feature calling no_target_feature is UB due do different target features, shouldn't main calling with_target_feature have the same problem? just the other way around?
Or is this specific to "C" being a non Rust-ABI?

[RalfJung]

Yeah for the Rust ABI we do apply a work-around (it always passes such types in memory), so that call is fine. But the combination of extern fn and target_feature is a big minefield currently.

(I updated the example to actually use the Rust ABI for with_target_feature.)

[Skgland]

Would adding a inline(never) Rust ABI intermediate function be a valid workaround to prevent UB here?
Unconditional code generation #[target_feature]: Note 1 making #[inline(never)] required as otherwise the compiler may inline the function and then we would be back to the incorrect feature set.

EDIT: The referenced Note

Note 1: a function has the features of the crate where the function is defined +/- #[target_feature] annotations. Iff the function is inlined into a context that extends its feature set, then the compiler is allowed to generate code for the function using this extended feature set (sub-note: inlining is forbidden in the opposite case).

[RalfJung]

Inlining should be aware of target features, so inline(never) should not be needed. If it is needed that's a critical bug in the inliner that we should track and fix.

Yes such an intermediate Rust ABI function works around the problem successfully. But the fundamental problem remains with function pointers: we have to decide whether an extern "C" fn(__m256) has the AVX ABI or some fallback ABI, without having any clue where and how the function it points to was declared. We probably want it to have the AVX ABI since people that use AVX and interface between Rust and C code likely will have their C code built in a way that it uses the AVX ABI. This means all extern "C" fn declared in Rust that take __m256 as arguments should do this the AVX style, no matter the set of enabled target features -- or they should fail to build.

[RalfJung]

Ah, the inline actually does make a difference here... well that's bad, I opened #116573 to track that.

[briansmith]

The compiler does report improper_ctypes_definitions warnings for the given code so I guess it isn't unexpected? It would e better to have an example that doesn't trigger improper_ctypes_definitions.

[workingjubilee]

The compiler does report improper_ctypes_definitions warnings for the given code so I guess it isn't unexpected? It would e better to have an example that doesn't trigger improper_ctypes_definitions.

And that's supposed to be just a warning. We should hard error if we know everything is fucked and there's no salvaging the compilation (whether hard erroring is appropriate here, I don't know yet).

[RalfJung]

There's no C code involved here so I would argue it is reasonable to silence the lint for the example. The lint talks about FFI, but the example does no FFI, this is all Rust-to-Rust calls.

[briansmith]

Is there an example that can trigger this with only FFI-safe types though?

[chorman0773]

I've actually suppressed that lint for __m128 on sse3 only code (so xmm registers 100% exist) that was experiencing a perf regression when the function used default ABI.
But also I wouldn't trust improper_ctypes{,_definitions} to not get blanket suppressed in FFI heavy code, so at the very least a lint for this should be it's own thing. improper_ctypes is a clippy lint in rustc.

[tmandry]

I don't think #[target_feature] should ever affect the ABI of function pointers called from within them, especially not extern "C", ones where the C ABI is defined statically at the TU level.

If we did anything with ABI based on #[target_feature], it would have to be encoded in the type of the function pointers somehow. So for example, an extern "C" function with an avx calling convention would really be extern "C+avx" or similar.

[RalfJung]

@tmandry yeah agreed. Sadly target_feature 1.0 was stabilized in a form where #[target_feature] does affect ABI, and core::arch SIMD types were stabilized in a form where -C target-feature affects ABI. That's causing this issue here and also #116344.

[RalfJung]

@briansmith our ctypes lints seem to have enough gaps to be easily circumvented; here's a reproducer that the lint doesn't catch. It's using a closure to pass the value -- closures that capture a single field are newtypes around that field so they get the field's ABI, but the improper-ctypes lint ignores closures.

[workingjubilee]

More to the point, there's no formal definition of "FFI-safe" and "FFI-unsafe" in the Rust language. As far as I can tell, the actual thing that bears the obligation to be ABI-correct is when you do

extern "C" {
    fn c_func(arg: SomeType) -> ReturnType;
}

fn rust_func() -> ReturnType {
    let arg = SomeType::random();
    // here, the Rust caller actually discharges the obligation...
    // which is honestly slightly unfortunate:
    // in real scenarios, we might not be the author of the `extern "C"` block!
    unsafe { c_func(arg) }
}

[RalfJung]

Do we know if clang is doing anything clever here? I assume C has exactly the same problem, since their function types don't track target features either.

[chorman0773]

clang does not fix this issue. See llvm-project#64706

[RalfJung]

That's a different issue (mismatch with GCC). This here is about mismatch within code compiled by the same compiler, but with different locally set target features.

[ehuss]

I'm not sure if people are aware, but [email protected] is currently triggering this future-incompatibility warning. This is showing up on the test-various and dist-various-2 CI jobs with x86_64-unknown-uefi. This can be reproduced (on x86_64) with ./x build library/std --stage=1 --target x86_64-unknown-uefi or in the compiler-builtins repo, running cargo b --target x86_64-unknown-uefi (at commit 3c09866aa4c699ed5f430567f6de97ed56b65126).

The warnings look something like:

The package `compiler_builtins v0.1.146` currently triggers the following future incompatibility lints:
> warning: this function definition uses a SIMD vector type that (with the chosen ABI) requires the `sse` target feature, which is not enabled
>    --> /cargo/registry/src/index.crates.io-1949cf8c6b5b557f/compiler_builtins-0.1.146/src/macros.rs:252:9
>     |
> 71  | /  macro_rules! intrinsics {
> 72  | |      () => ();
> ...   |
> 252 | |          pub extern $abi fn $name( $($argname: $ty),* ) $(-> $ret)? {
>     | |          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ function defined here
> ...   |
> 426 | |          intrinsics!($($rest)*);
>     | |          ----------------------
>     | |          |
>     | |          in this macro invocation (#2)
>     | |          in this macro invocation (#3)
> ...   |
> 577 | |      );
> 578 | |  }
>     | |  -
>     | |  |
>     | |  in this expansion of `intrinsics!` (#1)
>     | |__in this expansion of `intrinsics!` (#2)
>     |    in this expansion of `intrinsics!` (#3)
>     |
>    ::: /cargo/registry/src/index.crates.io-1949cf8c6b5b557f/compiler_builtins-0.1.146/src/float/conv.rs:395:1
>     |
> 395 |  / intrinsics! {
> 396 |  |     #[arm_aeabi_alias = __aeabi_f2uiz]
> 397 |  |     pub extern "C" fn __fixunssfsi(f: f32) -> u32 {
> 398 |  |         float_to_unsigned_int(f)
> ...    |
> 443 |  | }
>     |  |_- in this macro invocation (#1)
>     |
>     = warning: this was previously accepted by the compiler but is being phased out; it will become a hard error in a future release!
>     = note: for more information, see issue #116558 <https://github.com/rust-lang/rust/issues/116558>
>     = help: consider enabling it globally (`-C target-feature=+sse`) or locally (`#[target_feature(enable="sse")]`)

[RalfJung]

Oh, good point... I was about to make this a hard error, I guess then we would have noticed. ;)

Cc @Amanieu looks like something is wrong with one of the intrinsics when building for x86_64-unknown-uefi? Sadly we don't get a great span as there are some macros involved. That's a soft-float target so one cannot pass SIMD types across extern "C" boundaries -- there's no ABI for that, as far as I know.

[RalfJung]

Hm, but there are no SIMD types in the signature for any of these intrinsics. Very strange.

[RalfJung]

#137092 helps figure out what is going on. :)
Some of these errors are about U64x2, but the vast majority is about u128. This is probably caused by the following ABI adjustment:

rust/compiler/rustc_target/src/callconv/x86_win64.rs

Lines 26 to 30 in 1f37b9a

	if is_ret && matches!(scalar.primitive(), Primitive::Int(Integer::I128, _)) {
	// `i128` is returned in xmm0 by Clang and GCC
	// FIXME(#134288): This may change for the `-msvc` targets in the future.
	let reg = Reg { kind: RegKind::Vector, size: Size::from_bits(128) };
	a.cast_to(reg);

This was added in #134290, Cc @tgross35. Surely on a target that does not have float or SIMD registers, i128 does not get passed in xmm0?

[RalfJung]

#137094 fixes most of the warnings. The remaining ones seem to be about U64x2 which indeed does not make sense as a type on a softfloat target; I created a separate issue for that: rust-lang/compiler-builtins#758.