Remove the #[no_sanitize] attribute in favor of #[sanitize(xyz = "on|off")]
#142681
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rustbot
added
A-attributes
|
Some changes occurred in compiler/rustc_codegen_ssa Some changes occurred in compiler/rustc_passes/src/check_attr.rs The rustc-dev-guide subtree was changed. If this PR only touches the dev guide consider submitting a PR directly to rust-lang/rustc-dev-guide otherwise thank you for updating the dev guide with your changes. cc @BoxyUwU, @jieyouxu, @Kobzol
Some changes occurred in src/doc/unstable-book/src/language-features/no-sanitize.md cc @rust-lang/project-exploit-mitigations, @rcvalle Some changes occurred in tests/codegen/sanitizer cc @rcvalle Some changes occurred in tests/ui/sanitizer cc @rcvalle Some changes occurred in compiler/rustc_codegen_ssa/src/codegen_attrs.rs |
|
Thank you very much for your time and work on this, @1c3t3a! Much appreciated. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
It doesn't matter for me, but should we make this change gradually by supporting both for some time? |
That's possible for sure, I put stuff into different commits for that reason and I can just drop the middle commit to have both exist in parallel. What's the reason for having both at the same time? An easier migration period? |
|
We generally do not make such efforts to migrate usage of nightly features without a specific known good reason to do so. (Let us know of course if there is one, e.g. if this affects RfL in some way.) |
|
☔ The latest upstream changes (presumably #142770) made this pull request unmergeable. Please resolve the merge conflicts. |
99 tasks
We don't use |
26 tasks
|
I rebased the change to make review easier. |
This comment has been minimized.
This comment has been minimized.
jieyouxu
reviewed
Jul 14, 2025
There was a problem hiding this comment.
Note that if this is a built-in attribute, then IIUC #[sanitize] (even if unstably gated) could introduce new name resolution ambiguities with user macros or derive macro attributes and thus technically break existing user code. See for instance #143834. cf. #134963.
// tests/ui/whatever_subdir/test.rs
//@ proc-macro: my_derive.rs
//@ edition: 2024
use my_derive::MyDerive;
#[derive(MyDerive)]
#[sanitize]
//~^ ERROR `sanitize` is ambiguous
pub struct Foo;
fn main() {}// tests/ui/whatever_subdir/auxiliary/my_derive.rs
//@ edition: 2024
extern crate proc_macro;
use proc_macro::{Span, TokenStream};
#[proc_macro_derive(
MyDerive,
attributes(
sanitize
)
)]
pub fn derive_custom(_item: TokenStream) -> TokenStream {
TokenStream::new()
}You can still observe this for #[no_sanitize] too, if you switch sanitize for no_sanitize in the above test case.
error: malformed `no_sanitize` attribute input
--> /home/joe/repos/rust/tests/ui/bitbuffer_derive/test.rs:7:1
|
LL | #[no_sanitize]
| ^^^^^^^^^^^^^^ help: must be of the form: `#[no_sanitize(address, kcfi, memory, thread)]`
error[E0659]: `no_sanitize` is ambiguous
--> /home/joe/repos/rust/tests/ui/bitbuffer_derive/test.rs:7:3
|
LL | #[no_sanitize]
| ^^^^^^^^^^^ ambiguous name
|
= note: ambiguous because of a name conflict with a builtin attribute
= note: `no_sanitize` could refer to a built-in attribute
error[E0658]: the `#[no_sanitize]` attribute is an experimental feature
--> /home/joe/repos/rust/tests/ui/bitbuffer_derive/test.rs:7:1
|
LL | #[no_sanitize]
| ^^^^^^^^^^^^^^
|
= note: see issue #39699 <https://github.com/rust-lang/rust/issues/39699> for more information
= help: add `#![feature(no_sanitize)]` to the crate attributes to enable
= note: this compiler was built on YYYY-MM-DD; consider upgrading it if it is out of date
error: aborting due to 3 previous errors
Some errors have detailed explanations: E0658, E0659.
For more information about an error, try `rustc --explain E0658`.
Or just
macro_rules! sanitize {
() => {
/* .. */
};
}
pub(crate) use sanitize; // `use` here becomes ambiguous
fn main() {}I imagine no_sanitize is much less likely to collide with something a user would write (not an argument against this change, just an observation re. technically a breaking change).
I don't know how much of a concern for breakage this is in practice, a crater run may or may not be a good idea. If the breakage is deemed acceptable, then this should get relnotes.
|
☔ The latest upstream changes (presumably #143919) made this pull request unmergeable. Please resolve the merge conflicts. |
This change implements the #[sanitize(..)] attribute, which opts to
replace the currently unstable #[no_sanitize]. Essentially the new
attribute works similar as #[no_sanitize], just with more flexible
options regarding where it is applied. E.g. it is possible to turn
a certain sanitizer either on or off:
`#[sanitize(address = "on|off")]`
This attribute now also applies to more places, e.g. it is possible
to turn off a sanitizer for an entire module or impl block:
```rust
\#[sanitize(address = "off")]
mod foo {
fn unsanitized(..) {}
#[sanitize(address = "on")]
fn sanitized(..) {}
}
\#[sanitize(thread = "off")]
impl MyTrait for () {
...
}
```
This attribute is enabled behind the unstable `sanitize` feature.
This removes the #[no_sanitize] attribute, which was behind an unstable feature named no_sanitize. Instead, we introduce the sanitize attribute which is more powerful and allows to be extended in the future (instead of just focusing on turning sanitizers off).
…ress To do it the same as how clang disables address sanitizer, we now disable ASAN on sanitize(kernel_address = "off") and KASAN on sanitize(address = "off"). The same was added to clang in https://reviews.llvm.org/D44981.
|
The job Click to see the possible cause of the failure (guessed by this bot) |
|
@rustbot labels +T-lang +needs-fcp Given that this is breaking, we should review and FCP. Let's do that crater run, since we'll need it for our review. @bors2 try |
rustbot
added
needs-fcp
rust-bors bot
added a commit
that referenced
this pull request
Jul 14, 2025
Remove the `#[no_sanitize]` attribute in favor of `#[sanitize(xyz = "on|off")]` This came up during the sanitizer stabilization (#123617). Instead of a `#[no_sanitize(xyz)]` attribute, we would like to have a `#[sanitize(xyz = "on|off")]` attribute, which is more powerful and allows to be extended in the future (instead of just focusing on turning sanitizers off). The implementation is done according to what was [discussed on Zulip](https://rust-lang.zulipchat.com/#narrow/channel/343119-project-exploit-mitigations/topic/Stabilize.20the.20.60no_sanitize.60.20attribute/with/495377292)). The new attribute also works on modules, traits and impl items and thus enables usage as the following: ```rust #[sanitize(address = "off")] mod foo { fn unsanitized(..) {} #[sanitize(address = "on")] fn sanitized(..) {} } trait MyTrait { #[sanitize(address = "off")] fn unsanitized_default(..) {} } #[sanitize(thread = "off")] impl MyTrait for () { ... } ``` r? `@rcvalle`
|
Since this produces a user-visible effect on stable Rust, it feels like we should be documenting this somehow in the Reference. We'll talk about how we might want to do that on the lang-docs side. cc @ehuss |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This came up during the sanitizer stabilization (#123617). Instead of a
#[no_sanitize(xyz)]attribute, we would like to have a#[sanitize(xyz = "on|off")]attribute, which is more powerful and allows to be extended in the future (insteadof just focusing on turning sanitizers off). The implementation is done according to what was discussed on Zulip).
The new attribute also works on modules, traits and impl items and thus enables usage as the following:
r? @rcvalle