RFC: Add an attribute for raising the alignment of various items #3806
Conversation
Jules-Bertholet
force-pushed
the
align-attr
branch
from
75d8fc6 to
f6f7686
Compare
Jules-Bertholet
force-pushed
the
align-attr
branch
from
f6f7686 to
3a4f5ac
Compare
ehuss
added
the
T-lang
traviscross
added
I-lang-nominated
Jules-Bertholet
force-pushed
the
align-attr
branch
from
800e69d to
eca25f7
Compare
Jules-Bertholet
force-pushed
the
align-attr
branch
from
eca25f7 to
4badbc9
Compare
| The `align` attribute is a new inert, built-in attribute that can be applied to | ||
| ADT fields, `static` items, function items, and local variable declarations. The | ||
| attribute accepts a single required parameter, which must be a power-of-2 | ||
| integer literal from 1 up to 2<sup>29</sup>. (This is the same as | ||
| `#[repr(align(…))]`.) |
There was a problem hiding this comment.
The 2^29 limit is way too high. The consistency with #[repr(align(..))] is a good default but alignments larger than a page or two have never worked properly in local variables (rust-lang/rust#70143) and in statics (rust-lang/rust#70022, rust-lang/rust#70144). While there are some use cases for larger alignments on types (if they're heap allocated) and an error on putting such a type in a local or static is ugly, for this new attribute we could just avoid the problem from the start.
There was a problem hiding this comment.
For a struct field, both GCC and clang supported _Alignas(N) for N ≤ 228 (268435456).
There was a problem hiding this comment.
The bug with local variables (rust-lang/rust#70143) seems to have been fixed everywhere except Windows, and just waiting on someone to fix it there as well in LLVM. (And even on Windows where the issue is not fixed, the only effect is to break the stack overflow protection, bringing it down to the same level as many Tier 2 targets.)
So the only remaining issue is with statics, where it looks like a target-specific max alignment might be necessary. Once implemented, that solution can be used to address align as well.
Overall, I don't think any of this is sufficient motivation to impose a stricter maximum on #[align].
There was a problem hiding this comment.
Note that fixing the soundness issue for locals just means that putting a local with huge alignment in a stack frame is very likely to trigger the stack overflow check and abort the program. There is no use case for such massively over-aligned locals or statics, which is why those soundness issues been mostly theoretical problems and why the only progress toward fixing them over many years has been side effects of unrelated improvements (inline stack checks).
The only reason why the repr(align(..)) limit is so enormous is because it’s plausibly useful for heap allocations. Adding a second , lower limit for types put in statics and locals nowadays is somewhat tricky to design and drive to consensus (e.g., there’s theoretical backwards compatibility concerns) and not a priority for anyone, so who knows when it’ll happen. For #[align] we have the benefit of hindsight and could just mostly side-step the whole mess. I don’t see this as “needlessly restricting the new feature” but rather as “not pointlessly expanding upon an existing soundness issue for no reason”.
There was a problem hiding this comment.
There is no use case for such massively over-aligned locals or statics
one use case I can think of is having a massive array that is faster because it's properly aligned so the OS can use huge pages (on x86_64, those require alignment statics or heap-allocated/mmap-ed memory.
There was a problem hiding this comment.
To use huge pages for static data, you'd want to align the ELF segment containing the relevant sections (or equivalent in other formats), so the right tool there is a linker script or similar platform-specific mechanism. Over-aligning individual statics is a bad alternative:
- It risks wasting a lot more (physical!) memory than expected if you end up with multiple
statics in the program doing it and there's not enough other data to fill the padding required between them or they go in different sections. - If the linker/loader ignores the requested section alignment then that leads to UB if you used Rust-level
#[align(N)]/#[repr(align(N))]and the code was optimized under that assumption. - While aligning statics appears easier and more portable than linker scripts, the reality is that platform/toolchain support for this is spotty anyway, so you really ought to carefully consider when and where to apply this trick.
In any case, I'm sure I'm technically wrong to claim that nobody could ever come up with a use case for massively over-aligned statics. But there's a reason why Linux and glibc have only started supporting it at all in the last few years, and other environments like musl-based Linux and Windows apparently doesn't support it at all (see discussion in aforementioned issues).
| In Rust, a type’s size is always a multiple of its alignment. However, there are | ||
| other languages that can interoperate with Rust, where this is not the case | ||
| (WGSL, for example). It’s important for Rust to be able to represent such | ||
| structures. |
There was a problem hiding this comment.
It's not clear to me how this would work while keeping Rust's "size is multiple of align" rule intact. I guess if it's about individual fields in a larger aggregate that maintains the rule in total? I don't know anything about WGSL so an example would be appreciated.
There was a problem hiding this comment.
That’s exactly it. The WSGL example was taken from this comment on Internals: https://internals.rust-lang.org/t/pre-rfc-align-attribute/21004/20
There was a problem hiding this comment.
Adding a worked example would indeed help readers of the RFC on this point.
|
We discussed this in the lang call today. We were feeling generally favorable about this, but all need to read it more closely. |
Also, justify prohibition on fn params.
| 1. What should the syntax be for applying the `align` attribute to `ref`/`ref | ||
| mut` bindings? | ||
|
|
||
| - Option A: the attribute goes inside the `ref`/`ref mut`. | ||
|
|
||
| ```rust | ||
| fn foo(x: &u8) { | ||
| let ref #[align(4)] _a = *x; | ||
| } | ||
| ``` | ||
|
|
||
| - Option B: the attribute goes outside the `ref`/`ref mut`. | ||
|
|
||
| ```rust | ||
| fn foo(x: &u8) { | ||
| let #[align(4)] ref _a = *x; | ||
| } | ||
| ``` |
There was a problem hiding this comment.
Whatever we do, I'd expect it to be the same as for mut. So it's probably not worth deferring this question, as we need to handle it there.
As for where to put it, it seems like a bit of a coin toss. Anyone have a good argument for which way it should go?
There was a problem hiding this comment.
I’m comfortable deferring it because I see no use-case for it, and I don’t want to hold up the RFC on something with no use case.
| ## `#[align(…)]` on function parameters | ||
|
|
||
| We could choose to allow this. However, this RFC specifies that it should be | ||
| rejected, because users might incorrectly think the attribute affects ABI when | ||
| it does not. C and C++ make the same choice. |
There was a problem hiding this comment.
In Rust, I actually think it probably makes sense to allow this. We treat function parameters mostly as though they were let bindings, e.g. by even allowing patterns there. It'd seem surprising to me to start widening the gap between these.
There was a problem hiding this comment.
I don’t feel very strongly about this. But I added an extra paragraph to elaborate on what the potential danger is.
Port C
alignasto Rust.Rendered