The (stable) neon aarch64 target feature is unsound: it changes the float ABI
#131058
Comments
rustbot
added
the
needs-triage
|
|
jieyouxu
added
T-compiler
rustbot
added
the
I-prioritize
I don't think LLVM currently supports this. On other architectures, it is possible to force a soft-float ABI while still having FP instructions and registers available inside functions (e.g. |
|
WG-prioritization assigning priority (Zulip discussion). @rustbot label -I-prioritize +P-high |
rustbot
added
P-high
|
imo the major reason that we support |
|
However, it's also a super dangerous attribute. If that function takes or returns But given current LLVM I don't think there is a sound way to tell it to build code that makes use of the FPU on an aarch64 softfloat target. So seems like the proper fix is to match what other targets do, and add a |
|
I filed an LLVM issue; I hope I used the right words here since there's still a lot I don't understand around target features. ;) |
|
Note for aarch64 there is NO defined soft-float ABI. Even though advanced simd (and fp) are optional part of armv8-a, there is no parts out there where it is not included. I have no idea why LLVM has a softfloat aarch64 target. There is a way to forbid all simd and fp usage (in both LLVM and GCC) but that does not change the ABI. |
I took the position that we should do this because
There is no situation where one is enabled and the other is not. |
It does change the ABI though, as one can easily verify on godbolt: https://rust.godbolt.org/z/aP55vT1bf |
Yeah that makes perfect sense if one just looks at which features the hardware supports, but sadly LLVM conflates that aspect with whether a softfloat or hardfloat ABI should be used. |
|
LLVM has many bugs, yes. |
|
arguably the first bug is "having a soft-float ABI for AArch64". |
That's the argument being brought up in the LLVM issue, yeah. |
Actually it is defined here: ARM-software/abi-aa#232 . But it is only for the R cores rather than the A cores. |
|
From the ABI: "This variant is incompatible with the base procedure call standard and toolchains are not required to support it." |
|
huh, interesting. |
|
The problen is that LLVM does (pretend to?) support it, just in an incomplete way. So it seems reasonable to ask whether the existing support could be made a bit less incomplete.
|
|
Given that there is no standard softfloat ABI for this target, maybe the right thing to do is to make sure that on an aarch64 softfloat target, we never use the LLVM-defined ABI for floats, but instead use (Suggested by @Amanieu , or at least I think that is what they meant.) We'd still have to forbid disabling |
|
The other (valid) question being raised on the LLVM side is, what is even the usecase for ever allowing the use of neon or the FPU on the softfloat target? The target exists for kernels that want to avoid the cost of saving float registers on a context switch. So that usecase certainly does not want to ever enable the |
This is an instance of #116344, but since it affects a target feature marked as "stable" I made a separate issue. See rust-lang/compiler-team#780 for the MCP that approved forbidding the toggling of target features that are unsound due to their ABI impact. Stabilization of
neonhappened in #90621. I am not sure where the FCP for this occurred.The summary of the problem is that code compiled with
-C target-feature=-neonon an aarch64 target, if it calls any pre-compiled function from the standard library that involvesf32/f64arguments, will use the wrong ABI and hence cause UB. I am working towards marking such features as "forbidden" so that we can fix this soundness hole. But now we are hitting the same where a relevant feature is also already stable, so making it "forbidden" would be a breaking change... so we'll have to figure out something more clever. Like maybe only forbidding disabling the feature? Note however that on theaarch64-unknown-none-softfloattarget,+neonis unsound for the same reason.Cc @Amanieu @workingjubilee
The text was updated successfully, but these errors were encountered: