Withdraw the claim extern "C-cmse-nonsecure-*" always matches extern "C"
#142146
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
rustbot has assigned @compiler-errors. Use |
|
HIR ty lowering was modified cc @fmease These commits modify compiler targets. Some changes occurred in diagnostic error codes This PR changes a file inside |
rustbot
added
S-waiting-on-review
This was referenced Jun 7, 2025
|
Fair enough. AAPCS is used as a base, but https://arm-software.github.io/acle/cmse/cmse.html describes some of deviations from it (e.g. secure can't assume that unsecure properly sign/zero extended integers). Also actually we implement the LLVM interpretation of the specification (which just disallows using the stack for argument passing altogether). |
|
Yeah, there was speculation in the original thread, as it led to the suggestion of |
|
☔ The latest upstream changes (presumably #142181) made this pull request unmergeable. Please resolve the merge conflicts. |
workingjubilee
force-pushed
the
doubt-that-cmse-nonsecure-abis-always-match-c
branch
from
0ac788f to
a8346e9
Compare
|
☔ The latest upstream changes (presumably #141435) made this pull request unmergeable. Please resolve the merge conflicts. |
workingjubilee
force-pushed
the
doubt-that-cmse-nonsecure-abis-always-match-c
branch
from
a8346e9 to
78bd02d
Compare
|
☔ The latest upstream changes (presumably #142299) made this pull request unmergeable. Please resolve the merge conflicts. |
compiler-errors
approved these changes
Jun 11, 2025
|
@rustbot author |
rustbot
added
S-waiting-on-author
workingjubilee
force-pushed
the
doubt-that-cmse-nonsecure-abis-always-match-c
branch
from
78bd02d to
1bc022e
Compare
|
Right. Rebased this over the 10 different PRs that are touching ABI-related code. Will push actual update soon. |
workingjubilee
force-pushed
the
doubt-that-cmse-nonsecure-abis-always-match-c
branch
3 times, most recently
from
4e5b1b9 to
b769c62
Compare
|
@bors r=compiler-errors |
bors
added
S-waiting-on-bors
workingjubilee
added a commit
to workingjubilee/rustc
that referenced
this pull request
Jun 25, 2025
…secure-abis-always-match-c, r=compiler-errors Withdraw the claim `extern "C-cmse-nonsecure-*"` always matches `extern "C"` We currently claim that `extern "C-cmse-nonsecure-*"` ABIs will always match `extern "C"`, but that seems... **optimistic** when one considers that `extern "C"` is ambiguous enough to be redefined in ways we may not want the Cortex M Security Extensions ABIs to mirror. If some configuration, feature, or other platform quirk that applied to Arm CPUs with CMSE would modify the `extern "C"` ABI, it does not seem like we should guarantee that also applies to the `extern "cmse-nonsecure-*"` ABIs. Anything involving target modifiers that might affect register availability or usage could make us liars if, for instance, clang decides those apply to normal C functions but not ones with the CMSE attributes, but we still want to have interop with the C compiler. We simply do not control enough of the factors involved to both force these ABIs to match and still provide useful interop, so we shouldn't implicitly promise they do. We should leave this judgement call to the decisions of platform experts who can afford to keep up with the latest news from Cambridge, instead of enshrining today's hopeful guess forever in Rust's permitted ABIs. It's a bit weird anyways. - The attributes are `__attribute__((cmse_nonsecure_call))` and `__attribute__((cmse_nonsecure_entry))`, so the obvious choice is `extern "cmse-nonsecure-call"` and `extern "cmse-nonsecure-entry"`. - We do not prefix any other ABI that reflects (or even *is*) a C ABI with "C-", with the exception of the Rust-defined `extern "C-unwind`", e.g. we do not have `extern "C-aapcs"` or `extern "C-sysv64"`. Tracking issues: - rust-lang#75835 - rust-lang#81391
workingjubilee
added a commit
to workingjubilee/rustc
that referenced
this pull request
Jun 25, 2025
…secure-abis-always-match-c, r=compiler-errors Withdraw the claim `extern "C-cmse-nonsecure-*"` always matches `extern "C"` We currently claim that `extern "C-cmse-nonsecure-*"` ABIs will always match `extern "C"`, but that seems... **optimistic** when one considers that `extern "C"` is ambiguous enough to be redefined in ways we may not want the Cortex M Security Extensions ABIs to mirror. If some configuration, feature, or other platform quirk that applied to Arm CPUs with CMSE would modify the `extern "C"` ABI, it does not seem like we should guarantee that also applies to the `extern "cmse-nonsecure-*"` ABIs. Anything involving target modifiers that might affect register availability or usage could make us liars if, for instance, clang decides those apply to normal C functions but not ones with the CMSE attributes, but we still want to have interop with the C compiler. We simply do not control enough of the factors involved to both force these ABIs to match and still provide useful interop, so we shouldn't implicitly promise they do. We should leave this judgement call to the decisions of platform experts who can afford to keep up with the latest news from Cambridge, instead of enshrining today's hopeful guess forever in Rust's permitted ABIs. It's a bit weird anyways. - The attributes are `__attribute__((cmse_nonsecure_call))` and `__attribute__((cmse_nonsecure_entry))`, so the obvious choice is `extern "cmse-nonsecure-call"` and `extern "cmse-nonsecure-entry"`. - We do not prefix any other ABI that reflects (or even *is*) a C ABI with "C-", with the exception of the Rust-defined `extern "C-unwind`", e.g. we do not have `extern "C-aapcs"` or `extern "C-sysv64"`. Tracking issues: - rust-lang#75835 - rust-lang#81391
workingjubilee
force-pushed
the
doubt-that-cmse-nonsecure-abis-always-match-c
branch
from
b769c62 to
3beed38
Compare
|
@bors r- |
bors
added
S-waiting-on-author
|
last rebase. I think. pray. |
bors
added
S-waiting-on-bors
matthiaskrgr
added a commit
to matthiaskrgr/rust
that referenced
this pull request
Jun 25, 2025
…secure-abis-always-match-c, r=compiler-errors Withdraw the claim `extern "C-cmse-nonsecure-*"` always matches `extern "C"` We currently claim that `extern "C-cmse-nonsecure-*"` ABIs will always match `extern "C"`, but that seems... **optimistic** when one considers that `extern "C"` is ambiguous enough to be redefined in ways we may not want the Cortex M Security Extensions ABIs to mirror. If some configuration, feature, or other platform quirk that applied to Arm CPUs with CMSE would modify the `extern "C"` ABI, it does not seem like we should guarantee that also applies to the `extern "cmse-nonsecure-*"` ABIs. Anything involving target modifiers that might affect register availability or usage could make us liars if, for instance, clang decides those apply to normal C functions but not ones with the CMSE attributes, but we still want to have interop with the C compiler. We simply do not control enough of the factors involved to both force these ABIs to match and still provide useful interop, so we shouldn't implicitly promise they do. We should leave this judgement call to the decisions of platform experts who can afford to keep up with the latest news from Cambridge, instead of enshrining today's hopeful guess forever in Rust's permitted ABIs. It's a bit weird anyways. - The attributes are `__attribute__((cmse_nonsecure_call))` and `__attribute__((cmse_nonsecure_entry))`, so the obvious choice is `extern "cmse-nonsecure-call"` and `extern "cmse-nonsecure-entry"`. - We do not prefix any other ABI that reflects (or even *is*) a C ABI with "C-", with the exception of the Rust-defined `extern "C-unwind`", e.g. we do not have `extern "C-aapcs"` or `extern "C-sysv64"`. Tracking issues: - rust-lang#75835 - rust-lang#81391
bors
added a commit
that referenced
this pull request
Jun 25, 2025
Rollup of 7 pull requests Successful merges: - #142146 (Withdraw the claim `extern "C-cmse-nonsecure-*"` always matches `extern "C"`) - #142200 (`tests/ui`: A New Order [8/N]) - #142724 (Add runtime check to avoid overwrite arg in `Diag`) - #142809 (Add PrintTAFn flag for targeted type analysis printing) - #142976 (Check CoerceUnsized impl validity before coercing) - #142992 (Convert some ABI tests to use `extern "rust-invalid"`) - #143000 (Make `Sub`, `Mul`, `Div` and `Rem` `const_traits`) r? `@ghost` `@rustbot` modify labels: rollup
rust-timer
added a commit
that referenced
this pull request
Jun 26, 2025
Rollup merge of #142146 - workingjubilee:doubt-that-cmse-nonsecure-abis-always-match-c, r=compiler-errors Withdraw the claim `extern "C-cmse-nonsecure-*"` always matches `extern "C"` We currently claim that `extern "C-cmse-nonsecure-*"` ABIs will always match `extern "C"`, but that seems... **optimistic** when one considers that `extern "C"` is ambiguous enough to be redefined in ways we may not want the Cortex M Security Extensions ABIs to mirror. If some configuration, feature, or other platform quirk that applied to Arm CPUs with CMSE would modify the `extern "C"` ABI, it does not seem like we should guarantee that also applies to the `extern "cmse-nonsecure-*"` ABIs. Anything involving target modifiers that might affect register availability or usage could make us liars if, for instance, clang decides those apply to normal C functions but not ones with the CMSE attributes, but we still want to have interop with the C compiler. We simply do not control enough of the factors involved to both force these ABIs to match and still provide useful interop, so we shouldn't implicitly promise they do. We should leave this judgement call to the decisions of platform experts who can afford to keep up with the latest news from Cambridge, instead of enshrining today's hopeful guess forever in Rust's permitted ABIs. It's a bit weird anyways. - The attributes are `__attribute__((cmse_nonsecure_call))` and `__attribute__((cmse_nonsecure_entry))`, so the obvious choice is `extern "cmse-nonsecure-call"` and `extern "cmse-nonsecure-entry"`. - We do not prefix any other ABI that reflects (or even *is*) a C ABI with "C-", with the exception of the Rust-defined `extern "C-unwind`", e.g. we do not have `extern "C-aapcs"` or `extern "C-sysv64"`. Tracking issues: - #75835 - #81391
github-actions bot
pushed a commit
to rust-lang/rustc-dev-guide
that referenced
this pull request
Jun 26, 2025
Rollup of 7 pull requests Successful merges: - rust-lang/rust#142146 (Withdraw the claim `extern "C-cmse-nonsecure-*"` always matches `extern "C"`) - rust-lang/rust#142200 (`tests/ui`: A New Order [8/N]) - rust-lang/rust#142724 (Add runtime check to avoid overwrite arg in `Diag`) - rust-lang/rust#142809 (Add PrintTAFn flag for targeted type analysis printing) - rust-lang/rust#142976 (Check CoerceUnsized impl validity before coercing) - rust-lang/rust#142992 (Convert some ABI tests to use `extern "rust-invalid"`) - rust-lang/rust#143000 (Make `Sub`, `Mul`, `Div` and `Rem` `const_traits`) r? `@ghost` `@rustbot` modify labels: rollup
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We currently claim that
extern "C-cmse-nonsecure-*"ABIs will always matchextern "C", but that seems... optimistic when one considers thatextern "C"is ambiguous enough to be redefined in ways we may not want the Cortex M Security Extensions ABIs to mirror. If some configuration, feature, or other platform quirk that applied to Arm CPUs with CMSE would modify theextern "C"ABI, it does not seem like we should guarantee that also applies to theextern "cmse-nonsecure-*"ABIs. Anything involving target modifiers that might affect register availability or usage could make us liars if, for instance, clang decides those apply to normal C functions but not ones with the CMSE attributes, but we still want to have interop with the C compiler.We simply do not control enough of the factors involved to both force these ABIs to match and still provide useful interop, so we shouldn't implicitly promise they do. We should leave this judgement call to the decisions of platform experts who can afford to keep up with the latest news from Cambridge, instead of enshrining today's hopeful guess forever in Rust's permitted ABIs.
It's a bit weird anyways.
__attribute__((cmse_nonsecure_call))and__attribute__((cmse_nonsecure_entry)), so the obvious choice isextern "cmse-nonsecure-call"andextern "cmse-nonsecure-entry".extern "C-unwind", e.g. we do not haveextern "C-aapcs"orextern "C-sysv64".Tracking issues:
extern "C-cmse-nonsecure-entry"ABI #75835extern "C-cmse-nonsecure-call"ABI #81391