Implement -Z allow-partial-mitigations (RFC 3855)

This implements `-Z allow-partial-mitigations` as an unstable option,
currently with support for control-flow-guard and stack-protector.

As a difference from the RFC, we have `-Z allow-partial-mitigations=!foo`
rather than `-Z deny-partial-mitigations=foo`, since I couldn't find an easy
way to have an allow/deny pair of flags where the latter flag wins.

To allow for stabilization, this is only enabled starting from the next edition. Maybe a
better policy is possible (bikeshed).

Author: Ariel Ben-Yehuda

compiler/rustc_interface/src/passes.rs

@@ -304,8 +304,7 @@ fn configure_and_expand(
 
     resolver.resolve_crate(&krate);
 
-    CStore::from_tcx(tcx).report_incompatible_target_modifiers(tcx, &krate);
-    CStore::from_tcx(tcx).report_incompatible_async_drop_feature(tcx, &krate);
+    CStore::from_tcx(tcx).report_session_incompatibilities(tcx, &krate);
     krate
 }
 

compiler/rustc_metadata/messages.ftl

@@ -153,6 +153,11 @@ metadata_link_ordinal_raw_dylib =
 metadata_missing_native_library =
     could not find native static library `{$libname}`, perhaps an -L flag is missing?
 
+metadata_mitigation_less_strict_in_dependency =
+    your program uses the crate `{$extern_crate}`, that is not protected by `{$mitigation_name}{$mitigation_level}`
+    .note = Recompile that crate with the mitigation enabled, or use `-Z allow-partial-mitigations={$mitigation_name}` to allow creating an artifact that has the mitigation only partially enabled
+    .help = It is possible to disable `-Z allow-partial-mitigations={$mitigation_name}` via `-Z allow-partial-mitigations=!{$mitigation_name}`
+
 metadata_multiple_candidates =
     multiple candidates for `{$flavor}` dependency `{$crate_name}` found
 

compiler/rustc_metadata/src/creader.rs

@@ -1,5 +1,6 @@
 //! Validates all used crates and extern libraries and loads their metadata
 
+use std::collections::BTreeMap;
 use std::error::Error;
 use std::path::Path;
 use std::str::FromStr;
@@ -25,8 +26,8 @@ use rustc_middle::ty::{TyCtxt, TyCtxtFeed};
 use rustc_proc_macro::bridge::client::ProcMacro;
 use rustc_session::Session;
 use rustc_session::config::{
-    CrateType, ExtendedTargetModifierInfo, ExternLocation, Externs, OptionsTargetModifiers,
-    TargetModifier,
+    CrateType, EnforcedMitigationLevel, ExtendedTargetModifierInfo, ExternLocation, Externs,
+    OptionsTargetModifiers, TargetModifier,
 };
 use rustc_session::cstore::{CrateDepKind, CrateSource, ExternCrate, ExternCrateSource};
 use rustc_session::lint::{self, BuiltinLintDiag};
@@ -453,6 +454,12 @@ impl CStore {
         }
     }
 
+    pub fn report_session_incompatibilities(&self, tcx: TyCtxt<'_>, krate: &Crate) {
+        self.report_incompatible_target_modifiers(tcx, krate);
+        self.report_incompatible_enforced_mitigations(tcx, krate);
+        self.report_incompatible_async_drop_feature(tcx, krate);
+    }
+
     pub fn report_incompatible_target_modifiers(&self, tcx: TyCtxt<'_>, krate: &Crate) {
         for flag_name in &tcx.sess.opts.cg.unsafe_allow_abi_mismatch {
             if !OptionsTargetModifiers::is_target_modifier(flag_name) {
@@ -474,6 +481,46 @@ impl CStore {
         }
     }
 
+    pub fn report_incompatible_enforced_mitigations(&self, tcx: TyCtxt<'_>, krate: &Crate) {
+        let my_mitigations = tcx.sess.gather_enabled_enforced_mitigations();
+        let mut my_mitigations: BTreeMap<_, _> = my_mitigations
+            .iter()
+            .filter(|mitigation| mitigation.kind.enforced_since() <= tcx.sess.edition())
+            .map(|mitigation| (mitigation.kind, mitigation))
+            .collect();
+        for skipped_mitigation in tcx.sess.opts.allowed_partial_mitigations() {
+            my_mitigations.remove(&skipped_mitigation);
+        }
+        const MAX_ERRORS_PER_MITIGATION: usize = 5;
+        let mut errors_per_mitigation = BTreeMap::new();
+        for (_cnum, data) in self.iter_crate_data() {
+            if data.is_proc_macro_crate() {
+                continue;
+            }
+            let their_mitigations = data.enforced_mitigations();
+            for my_mitigation in my_mitigations.values() {
+                let their_mitigation = their_mitigations
+                    .iter()
+                    .find(|mitigation| mitigation.kind == my_mitigation.kind)
+                    .map_or(EnforcedMitigationLevel::Enabled(false), |m| m.level);
+                if their_mitigation < my_mitigation.level {
+                    let errors = errors_per_mitigation.entry(my_mitigation.kind).or_insert(0);
+                    if *errors >= MAX_ERRORS_PER_MITIGATION {
+                        continue;
+                    }
+                    *errors += 1;
+
+                    tcx.dcx().emit_err(errors::MitigationLessStrictInDependency {
+                        span: krate.spans.inner_span.shrink_to_lo(),
+                        mitigation_name: my_mitigation.kind.to_string(),
+                        mitigation_level: my_mitigation.level.level_str().to_string(),
+                        extern_crate: data.name(),
+                    });
+                }
+            }
+        }
+    }
+
     // Report about async drop types in dependency if async drop feature is disabled
     pub fn report_incompatible_async_drop_feature(&self, tcx: TyCtxt<'_>, krate: &Crate) {
         if tcx.features().async_drop() {

compiler/rustc_metadata/src/errors.rs

@@ -615,3 +615,13 @@ pub struct RawDylibMalformed {
     #[primary_span]
     pub span: Span,
 }
+
+#[derive(Diagnostic)]
+#[diag(metadata_mitigation_less_strict_in_dependency)]
+pub struct MitigationLessStrictInDependency {
+    #[primary_span]
+    pub span: Span,
+    pub mitigation_name: String,
+    pub mitigation_level: String,
+    pub extern_crate: Symbol,
+}

compiler/rustc_metadata/src/rmeta/decoder.rs

@@ -29,7 +29,7 @@ use rustc_proc_macro::bridge::client::ProcMacro;
 use rustc_serialize::opaque::MemDecoder;
 use rustc_serialize::{Decodable, Decoder};
 use rustc_session::Session;
-use rustc_session::config::TargetModifier;
+use rustc_session::config::{EnforcedMitigation, TargetModifier};
 use rustc_session::cstore::{CrateSource, ExternCrate};
 use rustc_span::hygiene::HygieneDecodeContext;
 use rustc_span::{
@@ -76,9 +76,12 @@ impl MetadataBlob {
 /// own crate numbers.
 pub(crate) type CrateNumMap = IndexVec<CrateNum, CrateNum>;
 
-/// Target modifiers - abi or exploit mitigations flags
+/// Target modifiers - abi or exploit mitigations flags that cause unsoundness when mixed
 pub(crate) type TargetModifiers = Vec<TargetModifier>;
 
+/// Enforced Mitigations
+pub(crate) type EnforcedMitigations = Vec<EnforcedMitigation>;
+
 pub(crate) struct CrateMetadata {
     /// The primary crate data - binary metadata blob.
     blob: MetadataBlob,
@@ -984,6 +987,13 @@ impl CrateRoot {
     ) -> impl ExactSizeIterator<Item = TargetModifier> {
         self.target_modifiers.decode(metadata)
     }
+
+    pub(crate) fn decode_enforced_mitigations<'a>(
+        &self,
+        metadata: &'a MetadataBlob,
+    ) -> impl ExactSizeIterator<Item = EnforcedMitigation> {
+        self.enforced_mitigations.decode(metadata)
+    }
 }
 
 impl<'a> CrateMetadataRef<'a> {
@@ -1929,6 +1939,10 @@ impl CrateMetadata {
         self.root.decode_target_modifiers(&self.blob).collect()
     }
 
+    pub(crate) fn enforced_mitigations(&self) -> EnforcedMitigations {
+        self.root.decode_enforced_mitigations(&self.blob).collect()
+    }
+
     /// Keep `new_extern_crate` if it looks better in diagnostics
     pub(crate) fn update_extern_crate_diagnostics(
         &mut self,

compiler/rustc_metadata/src/rmeta/encoder.rs

@@ -27,7 +27,7 @@ use rustc_middle::ty::codec::TyEncoder;
 use rustc_middle::ty::fast_reject::{self, TreatParams};
 use rustc_middle::{bug, span_bug};
 use rustc_serialize::{Decodable, Decoder, Encodable, Encoder, opaque};
-use rustc_session::config::{CrateType, OptLevel, TargetModifier};
+use rustc_session::config::{CrateType, EnforcedMitigation, OptLevel, TargetModifier};
 use rustc_span::hygiene::HygieneEncodeContext;
 use rustc_span::{
     ByteSymbol, ExternalSource, FileName, SourceFile, SpanData, SpanEncoder, StableSourceFileId,
@@ -715,6 +715,8 @@ impl<'a, 'tcx> EncodeContext<'a, 'tcx> {
         // `SourceFiles` we actually need to encode.
         let source_map = stat!("source-map", || self.encode_source_map());
         let target_modifiers = stat!("target-modifiers", || self.encode_target_modifiers());
+        let enforced_mitigations =
+            stat!("enforced-mitigations", || self.encode_enforced_mitigations());
 
         let root = stat!("final", || {
             let attrs = tcx.hir_krate_attrs();
@@ -760,6 +762,7 @@ impl<'a, 'tcx> EncodeContext<'a, 'tcx> {
                 foreign_modules,
                 source_map,
                 target_modifiers,
+                enforced_mitigations,
                 traits,
                 impls,
                 incoherent_impls,
@@ -2093,6 +2096,12 @@ impl<'a, 'tcx> EncodeContext<'a, 'tcx> {
         self.lazy_array(tcx.sess.opts.gather_target_modifiers())
     }
 
+    fn encode_enforced_mitigations(&mut self) -> LazyArray<EnforcedMitigation> {
+        empty_proc_macro!(self);
+        let tcx = self.tcx;
+        self.lazy_array(tcx.sess.gather_enabled_enforced_mitigations())
+    }
+
     fn encode_lib_features(&mut self) -> LazyArray<(Symbol, FeatureStability)> {
         empty_proc_macro!(self);
         let tcx = self.tcx;

compiler/rustc_metadata/src/rmeta/mod.rs

@@ -34,7 +34,7 @@ use rustc_middle::ty::fast_reject::SimplifiedType;
 use rustc_middle::ty::{self, Ty, TyCtxt, UnusedGenericParams};
 use rustc_middle::util::Providers;
 use rustc_serialize::opaque::FileEncoder;
-use rustc_session::config::{SymbolManglingVersion, TargetModifier};
+use rustc_session::config::{EnforcedMitigation, SymbolManglingVersion, TargetModifier};
 use rustc_session::cstore::{CrateDepKind, ForeignModule, LinkagePreference, NativeLib};
 use rustc_span::edition::Edition;
 use rustc_span::hygiene::{ExpnIndex, MacroKind, SyntaxContextKey};
@@ -283,6 +283,7 @@ pub(crate) struct CrateRoot {
 
     source_map: LazyTable<u32, Option<LazyValue<rustc_span::SourceFile>>>,
     target_modifiers: LazyArray<TargetModifier>,
+    enforced_mitigations: LazyArray<EnforcedMitigation>,
 
     compiler_builtins: bool,
     needs_allocator: bool,

compiler/rustc_metadata/src/rmeta/parameterized.rs

@@ -116,6 +116,7 @@ trivially_parameterized_over_tcx! {
     rustc_middle::ty::Visibility<DefIndex>,
     rustc_middle::ty::adjustment::CoerceUnsizedInfo,
     rustc_middle::ty::fast_reject::SimplifiedType,
+    rustc_session::config::EnforcedMitigation,
     rustc_session::config::TargetModifier,
     rustc_session::cstore::ForeignModule,
     rustc_session::cstore::LinkagePreference,

compiler/rustc_session/src/config.rs

@@ -1541,6 +1541,18 @@ impl Options {
     pub fn autodiff_enabled(&self) -> bool {
         self.unstable_opts.autodiff.contains(&AutoDiff::Enable)
     }
+
+    pub fn allowed_partial_mitigations(&self) -> impl Iterator<Item = EnforcedMitigationKind> {
+        let mut result = BTreeSet::default();
+        for mitigation in &self.unstable_opts.allow_partial_mitigations {
+            if mitigation.enabled {
+                result.insert(mitigation.kind);
+            } else {
+                result.remove(&mitigation.kind);
+            }
+        }
+        result.into_iter()
+    }
 }
 
 impl UnstableOptions {