Stabilize -Zstack-protector as -Cstack-protector

Ariel Ben-Yehuda · Ariel Ben-Yehuda · commit 9c411ab2f213 · 2026-01-09T01:20:56.000+02:00
I propose stabilizing `-Cstack-protector` as `-Zstack-protector`. This PR adds a new `-Cstack-protector` flag, leaving the unstable `-Z` flag as is to ease the transition period. The `-Z` flag will be removed in the future. No RFC/MCP, this flag was added in 84197 and was not deemed large enough to require additional process. The tracking issue for this feature is 114903. The `-Cstack-protector=strong` mode uses the same underlying heuristics as Clang's `-fstack-protector-strong`. These heuristics weren't designed for Rust, and may be over-conservative in some cases - for example, if Rust stores a field's data in an alloca using an LLVM array type, LLVM regard the alloca as meaning that the function has a C array, and enable stack overflow canaries even if the function accesses the alloca in a safe way. Some people thought we should wait on stabilization until there are better heuristics, but I didn't hear about any concrete case where this unduly harms performance, and I think that when a need comes, we can improve the heuristics in LLVM after stabilization. The heuristics do seem to not be under-conservative, so this should not be a security risk. The `-Cstack-protector=basic` mode (`-fstack-protector`) uses heuristics that are specifically designed to catch old-C-style string manipulation. This is not a good fit to Rust, which does not perform much unsafe C-style string manipulation. As far as I can tell, nobody has been asking for it, and few people are using it even in today's C - modern distros (e.g. [Debian]) tend to use `-fstack-protector-strong`. Therefore, `-Cstack-protector=basic` has been **removed**. If anyone is interested in it, they are welcome to add it back as an unstable option. [Debian]: https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_STACKPROTECTOR_.28gcc.2Fg.2B-.2B-_-fstack-protector-strong.29 Most implementation was done in <rust-lang#84197>. The command-line attribute enables the relevant LLVM attribute on all functions in <https://github.com/rust-lang/rust/blob/68baa87ba6f03f8b6af2a368690161f1601e4040/compiler/rustc_codegen_llvm/src/attributes.rs#L267-L276>. Each target can indicate that it does not support stack canaries - currently, the GPU platforms `nvptx64-nvidia-cuda` and `amdgcn-amd-amdhsa`. On these platforms, use of `-Cstack-protector` causes an error. The feature has tests that make sure that the LLVM heuristic gives reasonable results for several functions, by checking for `__security_check_cookie` (on Windows) or `__stack_chk_fail` (on Linux). See <https://github.com/rust-lang/rust/tree/68baa87ba6f03f8b6af2a368690161f1601e4040/tests/assembly-llvm/stack-protector> No call-for-testing has been conducted, but the feature seems to be in use. No reported bugs seem to exist. - bbjornse was the original implementor at 84197 - mrcnski documented it at 111722 - wesleywiser added tests for Windows at 116037 - davidtwco worked on the feature at 121742 - nikic provided support from the LLVM side (on Zulip on <https://rust-lang.zulipchat.com/#narrow/channel/233931-t-compiler.2Fmajor-changes/topic/Proposal.20for.20Adapt.20Stack.20Protector.20for.20Ru.E2.80.A6.20compiler-team.23841> and elsewhere), thanks nikic! No FIXMEs related to this feature. This feature cannot cause undefined behavior. No changes to reference/spec, docs added to the codegen docs as part of the stabilization PR. No. None. No support needed for rustdoc, clippy, rust-analyzer, rustfmt or rustup. Cargo could expose this as an option in build profiles but I would expect the decision as to what version should be used would be made for the entire crate graph at build time rather than by individual package authors. `-C stack-protector` is propagated to C compilers using cc-rs via rust-lang/cc-rs issue 1550
diff --git a/bootstrap.example.toml b/bootstrap.example.toml
@@ -755,7 +755,7 @@
 #rust.frame-pointers = false
 
 # Indicates whether stack protectors should be used
-# via the unstable option `-Zstack-protector`.
+# via `-Cstack-protector`.
 #
 # Valid options are : `none`(default),`basic`,`strong`, or `all`.
 # `strong` and `basic` options may be buggy and are not recommended, see rust-lang/rust#114903.
diff --git a/compiler/rustc_codegen_llvm/src/lib.rs b/compiler/rustc_codegen_llvm/src/lib.rs
@@ -300,19 +300,32 @@ impl CodegenBackend for LlvmCodegenBackend {
         Generate stack canaries in all functions.
 
     strong
-        Generate stack canaries in a function if it either:
-        - has a local variable of `[T; N]` type, regardless of `T` and `N`
-        - takes the address of a local variable.
+        Generate stack canaries for all functions, unless the compiler
+        can prove these functions can't be the source of a stack
+        buffer overflow (even in the presence of undefined behavior).
 
-          (Note that a local variable being borrowed is not equivalent to its
-          address being taken: e.g. some borrows may be removed by optimization,
-          while by-value argument passing may be implemented with reference to a
-          local stack variable in the ABI.)
+        This provides the same security guarantees as Clang's
+        `-fstack-protector=strong`.
+
+        The exact rules are unstable and subject to change, but
+        currently, it generates stack protectors for functions that,
+        *post-optimization*, contain either arrays (of any size
+        or type) or address-taken locals.
 
     basic
-        Generate stack canaries in functions with local variables of `[T; N]`
+        Generate stack canaries in functions that are heuristically
+        suspected to contain buffer overflows.
+
+        The heuristic is subject to change, but currently it
+        includes functions with local variables of `[T; N]`
         type, where `T` is byte-sized and `N` >= 8.
 
+        This heuristic originated from C, where it detects
+        functions that allocate a `char buf[N];` buffer on the
+        stack, and are therefore likely to have a stack buffer overflow
+        in the case of a length-calculation error. It is *not* a good
+        heuristic for Rust code.
+
     none
         Do not generate stack canaries.
 "#
diff --git a/compiler/rustc_interface/src/tests.rs b/compiler/rustc_interface/src/tests.rs
@@ -641,6 +641,7 @@ fn test_codegen_options_tracking_hash() {
     tracked!(relro_level, Some(RelroLevel::Full));
     tracked!(soft_float, true);
     tracked!(split_debuginfo, Some(SplitDebuginfo::Packed));
+    tracked!(stack_protector, StackProtector::All);
     tracked!(symbol_mangling_version, Some(SymbolManglingVersion::V0));
     tracked!(target_cpu, Some(String::from("abc")));
     tracked!(target_feature, String::from("all the features, all of them"));
@@ -871,7 +872,6 @@ fn test_unstable_options_tracking_hash() {
     tracked!(small_data_threshold, Some(16));
     tracked!(split_lto_unit, Some(true));
     tracked!(src_hash_algorithm, Some(SourceFileHashAlgorithm::Sha1));
-    tracked!(stack_protector, StackProtector::All);
     tracked!(teach, true);
     tracked!(thinlto, Some(true));
     tracked!(tiny_const_eval_limit, true);
diff --git a/compiler/rustc_session/messages.ftl b/compiler/rustc_session/messages.ftl
@@ -130,7 +130,7 @@ session_target_requires_unwind_tables = target requires unwind tables, they cann
 
 session_target_small_data_threshold_not_supported = `-Z small-data-threshold` is not supported for target {$target_triple} and will be ignored
 
-session_target_stack_protector_not_supported = `-Z stack-protector={$stack_protector}` is not supported for target {$target_triple} and will be ignored
+session_target_stack_protector_not_supported = `-C stack-protector={$stack_protector}` is not supported for target {$target_triple}
 
 session_unexpected_builtin_cfg = unexpected `--cfg {$cfg}` flag
     .controlled_by = config `{$cfg_name}` is only supposed to be controlled by `{$controlled_by}`
diff --git a/compiler/rustc_session/src/options.rs b/compiler/rustc_session/src/options.rs
@@ -1917,9 +1917,12 @@ pub mod parse {
         true
     }
 
-    pub(crate) fn parse_stack_protector(slot: &mut StackProtector, v: Option<&str>) -> bool {
+    pub(crate) fn parse_stack_protector(
+        slot: &mut Option<StackProtector>,
+        v: Option<&str>,
+    ) -> bool {
         match v.and_then(|s| StackProtector::from_str(s).ok()) {
-            Some(ssp) => *slot = ssp,
+            Some(ssp) => *slot = Some(ssp),
             _ => return false,
         }
         true
@@ -2211,6 +2214,9 @@ options! {
     #[rustc_lint_opt_deny_field_access("use `Session::split_debuginfo` instead of this field")]
     split_debuginfo: Option<SplitDebuginfo> = (None, parse_split_debuginfo, [TRACKED],
         "how to handle split-debuginfo, a platform-specific option"),
+    #[rustc_lint_opt_deny_field_access("use `Session::stack_protector` instead of this field")]
+    stack_protector: Option<StackProtector> = (None, parse_stack_protector, [TRACKED],
+        "control stack smash protection strategy (`rustc --print stack-protector-strategies` for details)"),
     strip: Strip = (Strip::None, parse_strip, [UNTRACKED],
         "tell the linker which information to strip (`none` (default), `debuginfo` or `symbols`)"),
     symbol_mangling_version: Option<SymbolManglingVersion> = (None,
@@ -2687,7 +2693,7 @@ written to standard error output)"),
     src_hash_algorithm: Option<SourceFileHashAlgorithm> = (None, parse_src_file_hash, [TRACKED],
         "hash algorithm of source files in debug info (`md5`, `sha1`, or `sha256`)"),
     #[rustc_lint_opt_deny_field_access("use `Session::stack_protector` instead of this field")]
-    stack_protector: StackProtector = (StackProtector::None, parse_stack_protector, [TRACKED],
+    stack_protector: Option<StackProtector> = (None, parse_stack_protector, [TRACKED],
         "control stack smash protection strategy (`rustc --print stack-protector-strategies` for details)"),
     staticlib_allow_rdylib_deps: bool = (false, parse_bool, [TRACKED],
         "allow staticlibs to have rust dylib dependencies"),
diff --git a/compiler/rustc_session/src/session.rs b/compiler/rustc_session/src/session.rs
@@ -714,11 +714,12 @@ impl Session {
     }
 
     pub fn stack_protector(&self) -> StackProtector {
-        if self.target.options.supports_stack_protector {
-            self.opts.unstable_opts.stack_protector
-        } else {
-            StackProtector::None
-        }
+        // -C stack-protector overwrites -Z stack-protector, default to StackProtector::None
+        self.opts
+            .cg
+            .stack_protector
+            .or(self.opts.unstable_opts.stack_protector)
+            .unwrap_or(StackProtector::None)
     }
 
     pub fn must_emit_unwind_tables(&self) -> bool {
@@ -1240,10 +1241,10 @@ fn validate_commandline_args_with_session_available(sess: &Session) {
         }
     }
 
-    if sess.opts.unstable_opts.stack_protector != StackProtector::None {
+    if sess.stack_protector() != StackProtector::None {
         if !sess.target.options.supports_stack_protector {
-            sess.dcx().emit_warn(errors::StackProtectorNotSupportedForTarget {
-                stack_protector: sess.opts.unstable_opts.stack_protector,
+            sess.dcx().emit_err(errors::StackProtectorNotSupportedForTarget {
+                stack_protector: sess.stack_protector(),
                 target_triple: &sess.opts.target_triple,
             });
         }
diff --git a/src/bootstrap/src/core/builder/cargo.rs b/src/bootstrap/src/core/builder/cargo.rs
@@ -952,7 +952,7 @@ impl Builder<'_> {
         cargo.env(profile_var("STRIP"), self.config.rust_strip.to_string());
 
         if let Some(stack_protector) = &self.config.rust_stack_protector {
-            rustflags.arg(&format!("-Zstack-protector={stack_protector}"));
+            rustflags.arg(&format!("-Cstack-protector={stack_protector}"));
         }
 
         let debuginfo_level = match mode {
diff --git a/src/doc/rustc/src/codegen-options/index.md b/src/doc/rustc/src/codegen-options/index.md
@@ -695,6 +695,34 @@ Note that all three options are supported on Linux and Apple platforms,
 Attempting to use an unsupported option requires using the nightly channel
 with the `-Z unstable-options` flag.
 
+## stack-protector
+
+The option `-C stack-protector` (currently also supported in the
+old style `-Z stack-protector`) controls the generation of
+stack-protector canaries.
+
+This flag controls stack smashing protection strategy.
+
+Supported values for this option are:
+- `none` (default): Disable stack canary generation
+- `basic`: Generate stack canaries in functions that are suspected
+  to have a high chance of containing stack buffer overflows (deprecated).
+- `strong`: Generate stack canaries in all functions, unless the compiler
+  can prove these functions can't be the source of a stack
+  buffer overflow (even in the presence of undefined behavior).
+
+  This provides the same security guarantees as Clang's
+  `-fstack-protector=strong`.
+
+  The exact rules are unstable and subject to change, but
+  currently, it generates stack protectors for functions that,
+  *post-optimization*, contain either arrays (of any size
+  or type) or address-taken locals.
+- `all`: Generate stack canaries in all functions
+
+Stack protectors are not supported on many GPU targets, use of stack
+protectors on these targets is an error.
+
 ## strip
 
 The option `-C strip=val` controls stripping of debuginfo and similar auxiliary
diff --git a/src/doc/rustc/src/exploit-mitigations.md b/src/doc/rustc/src/exploit-mitigations.md
@@ -62,7 +62,7 @@ equivalent.
 | Stack clashing protection | Yes | Yes | 1.20.0 (2017-08-31) |
 | Read-only relocations and immediate binding | Yes | Yes | 1.21.0 (2017-10-12) |
 | Heap corruption protection | Yes | Yes | 1.32.0 (2019-01-17) (via operating system default or specified allocator) |
-| Stack smashing protection | Yes | No, `-Z stack-protector` | Nightly |
+| Stack smashing protection | Yes | No, `-C stack-protector` | ??? |
 | Forward-edge control flow protection | Yes | No, `-Z sanitizer=cfi` | Nightly |
 | Backward-edge control flow protection (e.g., shadow and safe stack) | Yes | No, `-Z sanitizer=shadow-call-stack,safestack` | Nightly |
 
diff --git a/tests/assembly-llvm/stack-protector/stack-protector-heuristics-effect-windows-32bit.rs b/tests/assembly-llvm/stack-protector/stack-protector-heuristics-effect-windows-32bit.rs
@@ -3,10 +3,10 @@
 //@ only-windows
 //@ only-msvc
 //@ ignore-64bit 64-bit table based SEH has slightly different behaviors than classic SEH
-//@ [all] compile-flags: -Z stack-protector=all
-//@ [strong] compile-flags: -Z stack-protector=strong
-//@ [basic] compile-flags: -Z stack-protector=basic
-//@ [none] compile-flags: -Z stack-protector=none
+//@ [all] compile-flags: -C stack-protector=all
+//@ [strong] compile-flags: -C stack-protector=strong
+//@ [basic] compile-flags: -C stack-protector=basic
+//@ [none] compile-flags: -C stack-protector=none
 //@ compile-flags: -C opt-level=2 -Z merge-functions=disabled -Cpanic=abort -Cdebuginfo=1
 
 #![crate_type = "lib"]
diff --git a/tests/assembly-llvm/stack-protector/stack-protector-heuristics-effect-windows-64bit.rs b/tests/assembly-llvm/stack-protector/stack-protector-heuristics-effect-windows-64bit.rs
@@ -3,10 +3,10 @@
 //@ only-windows
 //@ only-msvc
 //@ ignore-32bit 64-bit table based SEH has slightly different behaviors than classic SEH
-//@ [all] compile-flags: -Z stack-protector=all
-//@ [strong] compile-flags: -Z stack-protector=strong
-//@ [basic] compile-flags: -Z stack-protector=basic
-//@ [none] compile-flags: -Z stack-protector=none
+//@ [all] compile-flags: -C stack-protector=all
+//@ [strong] compile-flags: -C stack-protector=strong
+//@ [basic] compile-flags: -C stack-protector=basic
+//@ [none] compile-flags: -C stack-protector=none
 //@ compile-flags: -C opt-level=2 -Z merge-functions=disabled -Cpanic=abort
 
 #![crate_type = "lib"]
diff --git a/tests/assembly-llvm/stack-protector/stack-protector-heuristics-effect.rs b/tests/assembly-llvm/stack-protector/stack-protector-heuristics-effect.rs
@@ -4,10 +4,10 @@
 //@ ignore-msvc stack check code uses different function names
 //@ ignore-nvptx64 stack protector is not supported
 //@ ignore-wasm32-unknown-unknown
-//@ [all] compile-flags: -Z stack-protector=all
-//@ [strong] compile-flags: -Z stack-protector=strong
-//@ [basic] compile-flags: -Z stack-protector=basic
-//@ [none] compile-flags: -Z stack-protector=none
+//@ [all] compile-flags: -C stack-protector=all
+//@ [strong] compile-flags: -C stack-protector=strong
+//@ [basic] compile-flags: -C stack-protector=basic
+//@ [none] compile-flags: -C stack-protector=none
 //@ compile-flags: -C opt-level=2 -Z merge-functions=disabled
 
 // NOTE: the heuristics for stack smash protection inappropriately rely on types in LLVM IR,
diff --git a/tests/assembly-llvm/stack-protector/stack-protector-target-support.rs b/tests/assembly-llvm/stack-protector/stack-protector-target-support.rs
@@ -4,7 +4,7 @@
 //@ add-minicore
 //@ revisions: r1 r2 r3 r4 r5 r6 r7 r8 r9 r10 r11 r12 r13 r14 r15 r16 r17 r18 r19 r20 r21 r22 r23
 //@ revisions: r24 r25 r26 r27 r28 r29 r30 r31 r32 r33         r36 r37 r38 r39 r40 r41 r42 r43 r44
-//@ revisions: r45 r46 r47 r48 r49 r50 r51 r52 r53 r54 r55 r56 r57 r58 r59 r60 r61 r62 r63 r64 r65
+//@ revisions: r45 r46 r47 r48     r50 r51 r52 r53 r54 r55 r56 r57 r58 r59 r60 r61 r62 r63 r64 r65
 //@ revisions: r66 r67 r68 r69 r70 r71 r72 r73 r74 r75 r76 r77 r78 r79 r80 r81 r82 r83 r84 r85
 //@ assembly-output: emit-asm
 //@ [r1] compile-flags: --target aarch64-unknown-linux-gnu
@@ -99,8 +99,8 @@
 //@ [r47] needs-llvm-components: mips
 //@ [r48] compile-flags: --target mipsel-unknown-linux-musl
 //@ [r48] needs-llvm-components: mips
-//@ [r49] compile-flags: --target nvptx64-nvidia-cuda
-//@ [r49] needs-llvm-components: nvptx
+//-@ [r49] compile-flags: --target nvptx64-nvidia-cuda [stack protector not supported on CUDA
+//-  see the test fail-stack-protector-unsupported]
 //@ [r50] compile-flags: --target powerpc-unknown-linux-gnu
 //@ [r50] needs-llvm-components: powerpc
 //@ [r51] compile-flags: --target powerpc64-unknown-linux-gnu
@@ -173,7 +173,7 @@
 //@ [r84] needs-llvm-components: x86
 //@ [r85] compile-flags: --target x86_64-unknown-redox
 //@ [r85] needs-llvm-components: x86
-//@ compile-flags: -Z stack-protector=all -Cpanic=abort
+//@ compile-flags: -C stack-protector=all -Cpanic=abort
 //@ compile-flags: -C opt-level=2
 
 #![crate_type = "lib"]
@@ -193,10 +193,6 @@ pub fn foo() {
     // r7: callq __security_check_cookie
     // r13: bl __security_check_cookie
 
-    // cuda doesn't support stack-smash protection
-    // r49-NOT: __security_check_cookie
-    // r49-NOT: __stack_chk_fail
-
     // Other targets do stack checking within the function, and call a failure function on error
     // r1: __stack_chk_fail
     // r2: __stack_chk_fail
diff --git a/tests/codegen-llvm/stack-protector.rs b/tests/codegen-llvm/stack-protector.rs
@@ -1,8 +1,12 @@
-//@ revisions: all strong basic none
+//@ revisions: all all-z strong strong-z basic basic-z none strong-c-overrides-z
 //@ ignore-nvptx64 stack protector not supported
-//@ [all] compile-flags: -Z stack-protector=all
-//@ [strong] compile-flags: -Z stack-protector=strong
-//@ [basic] compile-flags: -Z stack-protector=basic
+//@ [all] compile-flags: -C stack-protector=all
+//@ [all-z] compile-flags: -Z stack-protector=all
+//@ [strong] compile-flags: -C stack-protector=strong
+//@ [strong-z] compile-flags: -Z stack-protector=strong
+//@ [basic] compile-flags: -C stack-protector=basic
+//@ [basic-z] compile-flags: -Z stack-protector=basic
+//@ [strong-c-overrides-z] compile-flags: -C stack-protector=strong -Z stack-protector=all
 
 #![crate_type = "lib"]
 
@@ -16,18 +20,42 @@ pub fn foo() {
     // all-NOT: attributes #0 = { {{.*}}sspstrong {{.*}} }
     // all-NOT: attributes #0 = { {{.*}}ssp {{.*}} }
 
+    // all-z-NOT: attributes #0 = { {{.*}}sspstrong {{.*}} }
+    // all-z-NOT: attributes #0 = { {{.*}}ssp {{.*}} }
+    // all-z: attributes #0 = { {{.*}}sspreq {{.*}} }
+    // all-z-NOT: attributes #0 = { {{.*}}sspstrong {{.*}} }
+    // all-z-NOT: attributes #0 = { {{.*}}ssp {{.*}} }
+
     // strong-NOT: attributes #0 = { {{.*}}sspreq {{.*}} }
     // strong-NOT: attributes #0 = { {{.*}}ssp {{.*}} }
     // strong: attributes #0 = { {{.*}}sspstrong {{.*}} }
     // strong-NOT: attributes #0 = { {{.*}}sspreq {{.*}} }
     // strong-NOT: attributes #0 = { {{.*}}ssp {{.*}} }
 
+    // strong-z-NOT: attributes #0 = { {{.*}}sspreq {{.*}} }
+    // strong-z-NOT: attributes #0 = { {{.*}}ssp {{.*}} }
+    // strong-z: attributes #0 = { {{.*}}sspstrong {{.*}} }
+    // strong-z-NOT: attributes #0 = { {{.*}}sspreq {{.*}} }
+    // strong-z-NOT: attributes #0 = { {{.*}}ssp {{.*}} }
+
+    // strong-c-overrides-z-NOT: attributes #0 = { {{.*}}sspreq {{.*}} }
+    // strong-c-overrides-z-NOT: attributes #0 = { {{.*}}ssp {{.*}} }
+    // strong-c-overrides-z: attributes #0 = { {{.*}}sspstrong {{.*}} }
+    // strong-c-overrides-z-NOT: attributes #0 = { {{.*}}sspreq {{.*}} }
+    // strong-c-overrides-z-NOT: attributes #0 = { {{.*}}ssp {{.*}} }
+
     // basic-NOT: attributes #0 = { {{.*}}sspreq {{.*}} }
     // basic-NOT: attributes #0 = { {{.*}}sspstrong {{.*}} }
     // basic: attributes #0 = { {{.*}}ssp {{.*}} }
     // basic-NOT: attributes #0 = { {{.*}}sspreq {{.*}} }
     // basic-NOT: attributes #0 = { {{.*}}sspstrong {{.*}} }
 
+    // basic-z-NOT: attributes #0 = { {{.*}}sspreq {{.*}} }
+    // basic-z-NOT: attributes #0 = { {{.*}}sspstrong {{.*}} }
+    // basic-z: attributes #0 = { {{.*}}ssp {{.*}} }
+    // basic-z-NOT: attributes #0 = { {{.*}}sspreq {{.*}} }
+    // basic-z-NOT: attributes #0 = { {{.*}}sspstrong {{.*}} }
+
     // none-NOT: attributes #0 = { {{.*}}sspreq {{.*}} }
     // none-NOT: attributes #0 = { {{.*}}sspstrong {{.*}} }
     // none-NOT: attributes #0 = { {{.*}}ssp {{.*}} }
diff --git a/tests/ui/README.md b/tests/ui/README.md
@@ -1229,7 +1229,7 @@ Stability attributes used internally by the standard library: `#[stable()]` and
 
 Some tests for pretty printing of rustc_public's IR.
 
-## `tests/ui/stack-protector/`: `-Z stack-protector` command line flag
+## `tests/ui/stack-protector/`: `-C stack-protector` command line flag
 
 See [Tracking Issue for stabilizing stack smashing protection (i.e., `-Z stack-protector`) #114903](https://github.com/rust-lang/rust/issues/114903).
 
diff --git a/tests/ui/abi/stack-protector.rs b/tests/ui/abi/stack-protector.rs
@@ -1,7 +1,7 @@
 //@ run-pass
 //@ only-x86_64-unknown-linux-gnu
 //@ revisions: ssp no-ssp
-//@ [ssp] compile-flags: -Z stack-protector=all
+//@ [ssp] compile-flags: -C stack-protector=all
 //@ compile-flags: -C opt-level=2
 //@ compile-flags: -g
 //@ ignore-backends: gcc
diff --git a/tests/ui/stack-protector/fail-stack-protector-unsupported.all-z.stderr b/tests/ui/stack-protector/fail-stack-protector-unsupported.all-z.stderr
@@ -0,0 +1,4 @@
+error: `-C stack-protector=all` is not supported for target nvptx64-nvidia-cuda
+
+error: aborting due to 1 previous error
+
diff --git a/tests/ui/stack-protector/fail-stack-protector-unsupported.all.stderr b/tests/ui/stack-protector/fail-stack-protector-unsupported.all.stderr
@@ -0,0 +1,4 @@
+error: `-C stack-protector=all` is not supported for target nvptx64-nvidia-cuda
+
+error: aborting due to 1 previous error
+
diff --git a/tests/ui/stack-protector/fail-stack-protector-unsupported.rs b/tests/ui/stack-protector/fail-stack-protector-unsupported.rs
@@ -0,0 +1,30 @@
+//@ check-fail
+//@ revisions: all strong all-z
+//@ compile-flags: --target nvptx64-nvidia-cuda
+//@ needs-llvm-components: nvptx
+//@ [all] compile-flags: -C stack-protector=all
+//@ [strong] compile-flags: -C stack-protector=strong
+//@ [all-z] compile-flags: -Z stack-protector=all
+
+#![crate_type = "lib"]
+#![feature(no_core, lang_items)]
+#![no_std]
+#![no_core]
+
+#[lang = "pointee_sized"]
+pub trait PointeeSized {}
+
+#[lang = "meta_sized"]
+pub trait MetaSized: PointeeSized {}
+
+#[lang = "sized"]
+trait Sized: MetaSized {}
+
+#[lang = "copy"]
+trait Copy {}
+
+pub fn main(){}
+
+//[all]~? ERROR `-C stack-protector=all` is not supported for target nvptx64-nvidia-cuda
+//[all-z]~? ERROR `-C stack-protector=all` is not supported for target nvptx64-nvidia-cuda
+//[strong]~? ERROR `-C stack-protector=strong` is not supported for target nvptx64-nvidia-cuda
diff --git a/tests/ui/stack-protector/fail-stack-protector-unsupported.strong.stderr b/tests/ui/stack-protector/fail-stack-protector-unsupported.strong.stderr
diff --git a/tests/ui/stack-protector/warn-stack-protector-unsupported.all.stderr b/tests/ui/stack-protector/warn-stack-protector-unsupported.all.stderr
diff --git a/tests/ui/stack-protector/warn-stack-protector-unsupported.basic.stderr b/tests/ui/stack-protector/warn-stack-protector-unsupported.basic.stderr
diff --git a/tests/ui/stack-protector/warn-stack-protector-unsupported.strong.stderr b/tests/ui/stack-protector/warn-stack-protector-unsupported.strong.stderr

Original file line number	Diff line number	Diff line change
`@@ -755,7 +755,7 @@`
`755`	`755`	`#rust.frame-pointers = false`
`756`	`756`
`757`	`757`	`# Indicates whether stack protectors should be used`
`758`		-# via the unstable option `-Zstack-protector`.
	`758`	+# via `-Cstack-protector`.
`759`	`759`	`#`
`760`	`760`	# Valid options are : `none`(default),`basic`,`strong`, or `all`.
`761`	`761`	# `strong` and `basic` options may be buggy and are not recommended, see rust-lang/rust#114903.
Original file line number	Diff line number	Diff line change
`@@ -714,11 +714,12 @@ impl Session {`
`714`	`714`	`}`
`715`	`715`
`716`	`716`	`pub fn stack_protector(&self) -> StackProtector {`
`717`		`- if self.target.options.supports_stack_protector {`
`718`		`- self.opts.unstable_opts.stack_protector`
`719`		`- } else {`
`720`		`- StackProtector::None`
`721`		`- }`
	`717`	`+ // -C stack-protector overwrites -Z stack-protector, default to StackProtector::None`
	`718`	`+ self.opts`
	`719`	`+ .cg`
	`720`	`+ .stack_protector`
	`721`	`+ .or(self.opts.unstable_opts.stack_protector)`
	`722`	`+ .unwrap_or(StackProtector::None)`
`722`	`723`	`}`
`723`	`724`
`724`	`725`	`pub fn must_emit_unwind_tables(&self) -> bool {`
`@@ -1240,10 +1241,10 @@ fn validate_commandline_args_with_session_available(sess: &Session) {`
`1240`	`1241`	`}`
`1241`	`1242`	`}`
`1242`	`1243`
`1243`		`- if sess.opts.unstable_opts.stack_protector != StackProtector::None {`
	`1244`	`+ if sess.stack_protector() != StackProtector::None {`
`1244`	`1245`	`if !sess.target.options.supports_stack_protector {`
`1245`		`- sess.dcx().emit_warn(errors::StackProtectorNotSupportedForTarget {`
`1246`		`- stack_protector: sess.opts.unstable_opts.stack_protector,`
	`1246`	`+ sess.dcx().emit_err(errors::StackProtectorNotSupportedForTarget {`
	`1247`	`+ stack_protector: sess.stack_protector(),`
`1247`	`1248`	`target_triple: &sess.opts.target_triple,`
`1248`	`1249`	`});`
`1249`	`1250`	`}`
Original file line number	Diff line number	Diff line change
`@@ -952,7 +952,7 @@ impl Builder<'_> {`
`952`	`952`	`cargo.env(profile_var("STRIP"), self.config.rust_strip.to_string());`
`953`	`953`
`954`	`954`	`if let Some(stack_protector) = &self.config.rust_stack_protector {`
`955`		`- rustflags.arg(&format!("-Zstack-protector={stack_protector}"));`
	`955`	`+ rustflags.arg(&format!("-Cstack-protector={stack_protector}"));`
`956`	`956`	`}`
`957`	`957`
`958`	`958`	`let debuginfo_level = match mode {`