@jakos-sec
Contributor

@jakos-sec jakos-sec commented Dec 4, 2025

As suggested, in order to distribute sanitizer instrumented standard libraries without introducing new rustc flags, this adds a new dedicated target. With the target, we can distribute the instrumented standard libraries through a separate rustup component.

A tier 3 target must have a designated developer or developers (the "target maintainers") on record to be CCed when issues arise regarding the target. (The mechanism to track and CC such developers may evolve over time.)

I pledge to do my best maintaining it and we can also include the folks from the Exploit Mitigations Project Group (rcvalle@ & 1c3t3a@).

Targets must use naming consistent with any existing targets; for instance, a target for the same CPU or OS as an existing Rust target should use the same name for that CPU or OS. Targets should normally use the same names and naming conventions as used elsewhere in the broader ecosystem beyond Rust (such as in other toolchains), unless they have a very good reason to diverge. Changing the name of a target can be highly disruptive, especially once the target reaches a higher tier, so getting the name right is important even for a tier 3 target.

I've chosen x86_64-asan-linux-gnu as the name since the -unknown-linux-gnu part should stay identical to the x86_64-unknown-linux-gnu target. We could also choose asan_x86_64-unknown-linux-gnu if that is preferable.

Target names should not introduce undue confusion or ambiguity unless absolutely necessary to maintain ecosystem compatibility. For example, if the name of the target makes people extremely likely to form incorrect beliefs about what it targets, the name should be changed or augmented to disambiguate it.

There should be no confusion, it's clear that it's the original target with ASAN enabled.

If possible, use only letters, numbers, dashes and underscores for the name. Periods (.) are known to cause issues in Cargo.

Only letters, numbers and dashes used.

Tier 3 targets may have unusual requirements to build or use, but must not create legal issues or impose onerous legal terms for the Rust project or for Rust developers or users.

There are no unusual requirements to build or use it. It's the original x86_64-unknown-linux-gnu target with ASAN enabled as a default sanitizer.

The target must not introduce license incompatibilities.

There are no license implications.

Anything added to the Rust repository must be under the standard Rust license (MIT OR Apache-2.0).

Given, by reusing the existing ASAN code.

The target must not cause the Rust tools or libraries built for any other host (even when supporting cross-compilation to the target) to depend on any new dependency less permissive than the Rust licensing policy. This applies whether the dependency is a Rust crate that would require adding new license exceptions (as specified by the tidy tool in the rust-lang/rust repository), or whether the dependency is a native library or binary. In other words, the introduction of the target must not cause a user installing or running a version of Rust or the Rust tools to be subject to any new license requirements.

There are no new dependencies/features required.

Compiling, linking, and emitting functional binaries, libraries, or other code for the target (whether hosted on the target itself or cross-compiling from another target) must not depend on proprietary (non-FOSS) libraries. Host tools built for the target itself may depend on the ordinary runtime libraries supplied by the platform and commonly used by other applications built for the target, but those libraries must not be required for code generation for the target; cross-compilation to the target must not require such libraries at all. For instance, rustc built for the target may depend on a common proprietary C runtime library or console output library, but must not depend on a proprietary code generation library or code optimization library. Rust's license permits such combinations, but the Rust project has no interest in maintaining such combinations within the scope of Rust itself, even at tier 3.

It's using open source tools only.

"onerous" here is an intentionally subjective term. At a minimum, "onerous" legal/licensing terms include but are not limited to: non-disclosure requirements, non-compete requirements, contributor license agreements (CLAs) or equivalent, "non-commercial"/"research-only"/etc terms, requirements conditional on the employer or employment of any particular Rust developers, revocable terms, any requirements that create liability for the Rust project or its developers or users, or any requirements that adversely affect the livelihood or prospects of the Rust project or its developers or users.

There are no such terms present.

Neither this policy nor any decisions made regarding targets shall create any binding agreement or estoppel by any party. If any member of an approving Rust team serves as one of the maintainers of a target, or has any legal or employment requirement (explicit or implicit) that might affect their decisions regarding a target, they must recuse themselves from any approval decisions regarding the target's tier status, though they may otherwise participate in discussions.

Understood.

This requirement does not prevent part or all of this policy from being cited in an explicit contract or work agreement (e.g. to implement or maintain support for a target). This requirement exists to ensure that a developer or team responsible for reviewing and approving a target does not face any legal threats or obligations that would prevent them from freely exercising their judgment in such approval, even if such judgment involves subjective matters or goes beyond the letter of these requirements.

Understood.

Tier 3 targets should attempt to implement as much of the standard libraries as possible and appropriate (core for most targets, alloc for targets that can support dynamic memory allocation, std for targets with an operating system or equivalent layer of system-provided functionality), but may leave some code unimplemented (either unavailable or stubbed out as appropriate), whether because the target makes it impossible to implement or challenging to implement. The authors of pull requests are not obligated to avoid calling any portions of the standard library on the basis of a tier 3 target not implementing those portions.

The goal is to have ASAN instrumented standard library variants of the existing x86_64-unknown-linux-gnu target, so all should be present.

The target must provide documentation for the Rust community explaining how to build for the target, using cross-compilation if possible. If the target supports running binaries, or running tests (even if they do not pass), the documentation must explain how to run such binaries or tests for the target, using emulation if possible or dedicated hardware if necessary.

I think the explanation in platform support doc is enough to make this aspect clear.

Tier 3 targets must not impose burden on the authors of pull requests, or other developers in the community, to maintain the target. In particular, do not post comments (automated or manual) on a PR that derail or suggest a block on the PR based on a tier 3 target. Do not send automated messages or notifications (via any medium, including via @) to a PR author or others involved with a PR regarding a tier 3 target, unless they have opted into such messages.
Backlinks such as those generated by the issue/PR tracker when linking to an issue or PR are not considered a violation of this policy, within reason. However, such messages (even on a separate repository) must not generate notifications to anyone involved with a PR who has not requested such notifications.

Understood.

Patches adding or updating tier 3 targets must not break any existing tier 2 or tier 1 target, and must not knowingly break another tier 3 target without approval of either the compiler team or the maintainers of the other tier 3 target.

Understood.

In particular, this may come up when working on closely related targets, such as variations of the same architecture with different features. Avoid introducing unconditional uses of features that another variation of the target may not have; use conditional compilation or runtime detection, as appropriate, to let each target run code supported by that target.

I don't believe this PR is affected by this.

Tier 3 targets must be able to produce assembly using at least one of rustc's supported backends from any host target. (Having support in a fork of the backend is not sufficient, it must be upstream.)

The target should work on all rustc versions that correctly compile for x86_64-unknown-linux-gnu.

@rustbot
Collaborator

rustbot commented Dec 4, 2025

This PR changes how LLVM is built. Consider updating src/bootstrap/download-ci-llvm-stamp.

These commits modify compiler targets.
(See the Target Tier Policy.)

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-bootstrap Relevant to the bootstrap subteam: Rust's build system (x.py and src/bootstrap) T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. labels Dec 4, 2025
@rustbot
Collaborator

rustbot commented Dec 4, 2025

r? @mati865

rustbot has assigned @mati865.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@mati865
Member

mati865 commented Dec 4, 2025

Thanks.

You will have to modify this PR to meet the guidelines outlined at https://doc.rust-lang.org/rustc/target-tier-policy.html#adding-a-new-target.

@rustbot author

@rustbot rustbot added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Dec 4, 2025
@rustbot
Collaborator

rustbot commented Dec 4, 2025

Reminder, once the PR becomes ready for a review, use @rustbot ready.

@rustbot
Collaborator

rustbot commented Dec 8, 2025

Some changes occurred in src/doc/rustc/src/platform-support

cc @Noratrieb

("x86_64-pc-cygwin", x86_64_pc_cygwin),

("x86_64_asan-unknown-linux-gnu", x86_64_asan_unknown_linux_gnu),
Member

How about x86_64-unknown-linux-gnu-asan? I think that would make the most sense, adding a new component and leaving all the other components the same. x86_64_asan would imply cfg(target_arch = "x86_64_asan") which is obviously not the case.

Contributor Author

Actually I'd love to have your idea for this. I tried a bunch of things now and couldn't find any great solution.

I tried:

  • x86_64-unknown-linux-gnu-asan (which you suggested) => cc-rs complains: "too many components in target x86_64-unknown-linux-gnu-asan"
  • x86_64_asan-unknown-linux-gnu: compiling sanitizer rt complains since the LLVM sees: Compiler-RT supported architectures: x86_64_asan (which is not a valid ARCH).
  • x86_64-asan-linux-gnu worked but I'm not sure if that's ideal either
  • x86_64-unknown-linux_asan-gnu worked but I'm not sure if that's ideal either

Member

@bjorn3 bjorn3 Dec 8, 2025

x86_64-unknown-linux-gnu-asan (which you suggested) => cc-rs complains: "too many components in target x86_64-unknown-linux-gnu-asan"

That is something that can be changed in the cc crate I think. It tries to parse the target name rather than getting all this information from say rustc --print cfg --target .... The current cc behavior also breaks with custom target json files as those can have an arbitrary target name. I don't know why cc does it this way though.

Contributor Author

Great, I can look into supporting it in there then. I wasn't sure if it's desired to actually support a <arch>-<vendor>-<os>-<env>-<config> case, if it is, I agree that would be the best solution.

Contributor Author

I made a prototype that makes cc-rs work: https://github.com/rust-lang/cc-rs/compare/main...jakos-sec:cc-rs:allow-parsing-sanitizer-targets?expand=1

However I think I'd need some input on how this is best wanted. (Right now I'm basically just throwing away the 5th component. Should we also parse this into the TargetInfo, do we want this sanitizer specific or give this a more generic name?)

Member

x86_64-unknown-linux-gnu-asan (which you suggested) => cc-rs complains: "too many components in target x86_64-unknown-linux-gnu-asan"

That is something that can be changed in the cc crate I think. It tries to parse the target name rather than getting all this information from say rustc --print cfg --target .... The current cc behavior also breaks with custom target json files as those can have an arbitrary target name. I don't know why cc does it this way though.

cc has gone through many iterations of getting target information, including hardcoding it for every target (which was bad). i think the problem is that it wants the underlying llvm-target, which isn't accessible on stable. maybe it should be.

Member

my opinion here is that we should just give up making target names machine readable and provide the tools people need to get the information from rustc (which today is mainly --print cfg, but that's not always enough)

Contributor Author

Based on the discussion on zulip (#t-compiler/major changes > Allow using prebuilt sanitizer libraries compiler-team#943), I've now opted to use the vendor part to specify ASAN (x86_64-asan-linux-gnu).
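
The naming problem discussed in this review thread, as an added example that is not part of the PR or of cc-rs: a hypothetical name-splitting parser (`parse_target_name`, with an assumed `KNOWN_ARCHES` list) run over the four candidate names, next to a parser for `rustc --print cfg`-style output, which does not depend on the target name. `SAMPLE_CFG` is constructed for illustration, not captured from rustc.

```rust
use std::collections::HashMap;

// Assumption: a tiny architecture list, standing in for whatever a consumer accepts.
const KNOWN_ARCHES: &[&str] = &["x86_64", "aarch64", "i686"];

// Constructed sample in the `key="value"` format of `rustc --print cfg`.
const SAMPLE_CFG: &str = "target_arch=\"x86_64\"\ntarget_env=\"gnu\"\n\
target_feature=\"sse\"\ntarget_feature=\"sse2\"\ntarget_os=\"linux\"\nunix\n";

#[derive(Debug, PartialEq)]
struct NameInfo {
    arch: String,
    vendor: String,
    os: String,
    env: String,
}

/// Hypothetical parser that trusts the name to be exactly arch-vendor-os-env.
fn parse_target_name(name: &str) -> Result<NameInfo, String> {
    let p: Vec<&str> = name.split('-').collect();
    if p.len() != 4 {
        let which = if p.len() > 4 { "many" } else { "few" };
        return Err(format!("too {} components in target {}", which, name));
    }
    if !KNOWN_ARCHES.contains(&p[0]) {
        return Err(format!("unknown architecture {}", p[0]));
    }
    let s = |i: usize| p[i].to_string();
    Ok(NameInfo { arch: s(0), vendor: s(1), os: s(2), env: s(3) })
}

/// Parse `rustc --print cfg`-style lines into key -> list of values.
fn parse_cfg(output: &str) -> HashMap<String, Vec<String>> {
    let mut map: HashMap<String, Vec<String>> = HashMap::new();
    for line in output.lines().map(str::trim).filter(|l| !l.is_empty()) {
        match line.split_once('=') {
            Some((k, v)) => map.entry(k.into()).or_default().push(v.trim_matches('"').into()),
            None => { map.entry(line.into()).or_default(); } // bare cfg such as `unix`
        }
    }
    map
}

fn main() {
    for name in [
        "x86_64-unknown-linux-gnu-asan",
        "x86_64_asan-unknown-linux-gnu",
        "x86_64-asan-linux-gnu",
        "x86_64-unknown-linux_asan-gnu", // parses, but reports os = "linux_asan"
    ] {
        println!("{:<32} {:?}", name, parse_target_name(name));
    }
    let cfg = parse_cfg(SAMPLE_CFG);
    println!("target_os from cfg: {:?}", cfg.get("target_os"));
}
```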

@jakos-sec jakos-sec force-pushed the create-asan-target branch 2 times, most recently from 30677c5 to 913b7f7 Compare December 9, 2025 09:22
@jakos-sec
Contributor Author

@bors retry

@bors
Collaborator

bors commented Dec 9, 2025

@jakos-sec: 🔑 Insufficient privileges: not in try users

@rustbot
Collaborator

rustbot commented Dec 9, 2025

This PR was rebased onto a different main commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

@jakos-sec
Contributor Author

@rustbot ready

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. and removed S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. labels Dec 9, 2025
@mati865
Member

mati865 commented Dec 9, 2025

x86_64_asan-unknown-linux-gnu from the description seems outdated?

Member

@mati865 mati865 left a comment

Just two more nits. I believe once the discussion in Zulip thread settles, we can move forward.

Comment on lines +7 to +9
The goal of this target is to allow shipping ASAN-instrumented standard
libraries through rustup, enabling a fully instrumented binary without requiring
nightly features (build-std).
Member

Just a note, to ship libstd this will have to become a tier 2 target (without host tools).

Contributor Author

Thank you for pointing this out! I removed host-tools since there is no good reason to have them (nobody needs ASAN within the host tools). But I'll look into what tier 2 changes for this PR.

Member

I mean, the tiers are:

  • tier 1
  • tier 2 w/ host tools
  • tier 2 w/o host tools
  • tier 3

So, going to tier 2 without host tools would be just a next step on that ladder.

Contributor Author

Does this mean, we should merge this PR as tier 3 and then promote it or is it possible to merge it directly as tier 2 w/o host tools?

Member

It's up to you. I think in this case tier 3 target won't be much better than just using -Zbuild-std, but won't hurt.
Tier 2 target will require MCP.

Contributor Author

I think it'd be best to simply wait and merge it as Tier 2 instead of going through the process to promote it later.

@jakos-sec
Contributor Author

FYI I opened the MCP so we can change this to Tier 2 (to actually allow shipping prebuilt artifacts): rust-lang/compiler-team#951
