-Zharden-sls flag (target modifier) added to enable mitigation against straight line speculation (SLS)

azhogin · azhogin · commit 99b405a493bf · 2026-01-29T09:28:24.000+07:00
diff --git a/compiler/rustc_codegen_gcc/src/gcc_util.rs b/compiler/rustc_codegen_gcc/src/gcc_util.rs
@@ -7,6 +7,7 @@ use rustc_target::spec::Arch;
 
 fn gcc_features_by_flags(sess: &Session, features: &mut Vec<String>) {
     target_features::retpoline_features_by_flags(sess, features);
+    target_features::sls_features_by_flags(sess, features);
     // FIXME: LLVM also sets +reserve-x18 here under some conditions.
 }
 
diff --git a/compiler/rustc_codegen_llvm/src/llvm_util.rs b/compiler/rustc_codegen_llvm/src/llvm_util.rs
@@ -643,6 +643,7 @@ fn llvm_features_by_flags(sess: &Session, features: &mut Vec<String>) {
     }
 
     target_features::retpoline_features_by_flags(sess, features);
+    target_features::sls_features_by_flags(sess, features);
 
     // -Zfixed-x18
     if sess.opts.unstable_opts.fixed_x18 {
diff --git a/compiler/rustc_codegen_ssa/src/target_features.rs b/compiler/rustc_codegen_ssa/src/target_features.rs
@@ -7,6 +7,7 @@ use rustc_middle::middle::codegen_fn_attrs::{TargetFeature, TargetFeatureKind};
 use rustc_middle::query::Providers;
 use rustc_middle::ty::TyCtxt;
 use rustc_session::Session;
+use rustc_session::config::HardenSls;
 use rustc_session::lint::builtin::AARCH64_SOFTFLOAT_NEON;
 use rustc_session::parse::feature_err;
 use rustc_span::{Span, Symbol, sym};
@@ -455,6 +456,18 @@ pub fn retpoline_features_by_flags(sess: &Session, features: &mut Vec<String>) {
     }
 }
 
+pub fn sls_features_by_flags(sess: &Session, features: &mut Vec<String>) {
+    match &sess.opts.unstable_opts.harden_sls {
+        HardenSls::None => (),
+        HardenSls::All => {
+            features.push("+harden-sls-ijmp".into());
+            features.push("+harden-sls-ret".into());
+        }
+        HardenSls::Return => features.push("+harden-sls-ret".into()),
+        HardenSls::IndirectJmp => features.push("+harden-sls-ijmp".into()),
+    }
+}
+
 pub(crate) fn provide(providers: &mut Providers) {
     *providers = Providers {
         rust_target_features: |tcx, cnum| {
diff --git a/compiler/rustc_session/src/config.rs b/compiler/rustc_session/src/config.rs
@@ -3074,10 +3074,11 @@ pub(crate) mod dep_tracking {
     use super::{
         AnnotateMoves, AutoDiff, BranchProtection, CFGuard, CFProtection, CoverageOptions,
         CrateType, DebugInfo, DebugInfoCompression, ErrorOutputType, FmtDebug, FunctionReturn,
-        InliningThreshold, InstrumentCoverage, InstrumentXRay, LinkerPluginLto, LocationDetail,
-        LtoCli, MirStripDebugInfo, NextSolverConfig, Offload, OptLevel, OutFileName, OutputType,
-        OutputTypes, PatchableFunctionEntry, Polonius, ResolveDocLinks, SourceFileHashAlgorithm,
-        SplitDwarfKind, SwitchWithOptPath, SymbolManglingVersion, WasiExecModel,
+        HardenSls, InliningThreshold, InstrumentCoverage, InstrumentXRay, LinkerPluginLto,
+        LocationDetail, LtoCli, MirStripDebugInfo, NextSolverConfig, Offload, OptLevel,
+        OutFileName, OutputType, OutputTypes, PatchableFunctionEntry, Polonius, ResolveDocLinks,
+        SourceFileHashAlgorithm, SplitDwarfKind, SwitchWithOptPath, SymbolManglingVersion,
+        WasiExecModel,
     };
     use crate::lint;
     use crate::utils::NativeLib;
@@ -3180,6 +3181,7 @@ pub(crate) mod dep_tracking {
         Polonius,
         InliningThreshold,
         FunctionReturn,
+        HardenSls,
         Align,
     );
 
@@ -3394,6 +3396,16 @@ pub enum FunctionReturn {
     ThunkExtern,
 }
 
+/// The different settings that the `-Zharden-sls` flag can have.
+#[derive(Clone, Copy, PartialEq, Hash, Debug, Default)]
+pub enum HardenSls {
+    #[default]
+    None,
+    All,
+    Return,
+    IndirectJmp,
+}
+
 /// Whether extra span comments are included when dumping MIR, via the `-Z mir-include-spans` flag.
 /// By default, only enabled in the NLL MIR dumps, and disabled in all other passes.
 #[derive(Clone, Copy, Default, PartialEq, Debug)]
diff --git a/compiler/rustc_session/src/options.rs b/compiler/rustc_session/src/options.rs
@@ -878,6 +878,7 @@ mod desc {
         "either a boolean (`yes`, `no`, `on`, `off`, etc), or a non-negative number";
     pub(crate) const parse_llvm_module_flag: &str = "<key>:<type>:<value>:<behavior>. Type must currently be `u32`. Behavior should be one of (`error`, `warning`, `require`, `override`, `append`, `appendunique`, `max`, `min`)";
     pub(crate) const parse_function_return: &str = "`keep` or `thunk-extern`";
+    pub(crate) const parse_harden_sls: &str = "`none`, `all`, `return` or `indirect-jmp`";
     pub(crate) const parse_wasm_c_abi: &str = "`spec`";
     pub(crate) const parse_mir_include_spans: &str =
         "either a boolean (`yes`, `no`, `on`, `off`, etc), or `nll` (default: `nll`)";
@@ -2029,6 +2030,17 @@ pub mod parse {
         true
     }
 
+    pub(crate) fn parse_harden_sls(slot: &mut HardenSls, v: Option<&str>) -> bool {
+        match v {
+            Some("none") => *slot = HardenSls::None,
+            Some("all") => *slot = HardenSls::All,
+            Some("return") => *slot = HardenSls::Return,
+            Some("indirect-jmp") => *slot = HardenSls::IndirectJmp,
+            _ => return false,
+        }
+        true
+    }
+
     pub(crate) fn parse_wasm_c_abi(_slot: &mut (), v: Option<&str>) -> bool {
         v == Some("spec")
     }
@@ -2374,6 +2386,9 @@ options! {
     graphviz_font: String = ("Courier, monospace".to_string(), parse_string, [UNTRACKED],
         "use the given `fontname` in graphviz output; can be overridden by setting \
         environment variable `RUSTC_GRAPHVIZ_FONT` (default: `Courier, monospace`)"),
+    harden_sls: HardenSls = (HardenSls::None, parse_harden_sls, [TRACKED TARGET_MODIFIER],
+        "flag to mitigate against straight line speculation (SLS) [none|all|return|indirect-jmp] \
+        (default: none)"),
     has_thread_local: Option<bool> = (None, parse_opt_bool, [TRACKED],
         "explicitly enable the `cfg(target_thread_local)` directive"),
     help: bool = (false, parse_no_value, [UNTRACKED], "Print unstable compiler options"),
diff --git a/compiler/rustc_target/src/target_features.rs b/compiler/rustc_target/src/target_features.rs
@@ -453,6 +453,16 @@ static X86_FEATURES: &[(&str, Stability, ImpliedFeatures)] = &[
     ("fma", Stable, &["avx"]),
     ("fxsr", Stable, &[]),
     ("gfni", Stable, &["sse2"]),
+    (
+        "harden-sls-ijmp",
+        Stability::Forbidden { reason: "use `harden-sls` compiler flag instead", hard_error: true },
+        &[],
+    ),
+    (
+        "harden-sls-ret",
+        Stability::Forbidden { reason: "use `harden-sls` compiler flag instead", hard_error: true },
+        &[],
+    ),
     ("kl", Stable, &["sse2"]),
     ("lahfsahf", Unstable(sym::lahfsahf_target_feature), &[]),
     ("lzcnt", Stable, &[]),
diff --git a/src/doc/rustc-dev-guide/src/tests/directives.md b/src/doc/rustc-dev-guide/src/tests/directives.md
@@ -241,12 +241,14 @@ See also [Debuginfo tests](compiletest.md#debuginfo-tests) for directives for ig
 
 | Directive           | Explanation                                                                                  | Supported test suites                      | Possible values                                                                            |
 |---------------------|----------------------------------------------------------------------------------------------|--------------------------------------------|--------------------------------------------------------------------------------------------|
-| `compile-flags`     | Flags passed to `rustc` when building the test or aux file                                   | All except for `run-make`/`run-make-cargo` | Any valid `rustc` flags, e.g. `-Awarnings -Dfoo`. Cannot be `-Cincremental` or `--edition` |
-| `edition`           | The edition used to build the test                                                           | All except for `run-make`/`run-make-cargo` | Any valid `--edition` value                                                                |
-| `rustc-env`         | Env var to set when running `rustc`                                                          | All except for `run-make`/`run-make-cargo` | `<KEY>=<VALUE>`                                                                            |
-| `unset-rustc-env`   | Env var to unset when running `rustc`                                                        | All except for `run-make`/`run-make-cargo` | Any env var name                                                                           |
-| `incremental`       | Proper incremental support for tests outside of incremental test suite                       | `ui`, `crashes`                            | N/A                                                                                        |
-| `no-prefer-dynamic` | Don't use `-C prefer-dynamic`, don't build as a dylib via a `--crate-type=dylib` preset flag | `ui`, `crashes`                            | N/A                                                                                        |
+| `compile-flags`          | Flags passed to `rustc` when building the test or aux file                           | All except for `run-make`/`run-make-cargo` | Any valid `rustc` flags, e.g. `-Awarnings -Dfoo`. Cannot be `-Cincremental` or `--edition` |
+| `minicore-compile-flags` | Additional flags passed to `rustc` when building minicore                            | All except for `run-make`/`run-make-cargo` | Any valid `rustc` flags, e.g. `-Awarnings -Dfoo`. Cannot be `-Cincremental` or `--edition` |
+| `non-aux-compile-flags`  | Additional flags passed to `rustc` when building the test (not for auxiliary builds) | All except for `run-make`/`run-make-cargo` | Any valid `rustc` flags, e.g. `-Awarnings -Dfoo`. Cannot be `-Cincremental` or `--edition` |
+| `edition`                | The edition used to build the test                                                   | All except for `run-make`/`run-make-cargo` | Any valid `--edition` value                                                                |
+| `rustc-env`              | Env var to set when running `rustc`                                                  | All except for `run-make`/`run-make-cargo` | `<KEY>=<VALUE>`                                                                            |
+| `unset-rustc-env`        | Env var to unset when running `rustc`                                                | All except for `run-make`/`run-make-cargo` | Any env var name                                                                           |
+| `incremental`            | Proper incremental support for tests outside of incremental test suite               | `ui`, `crashes`                            | N/A                                                                                        |
+| `no-prefer-dynamic`      | Don't use `-C prefer-dynamic`, don't build as a dylib via a `--crate-type=dylib` preset flag | `ui`, `crashes`                    | N/A                                                                                        |
 
 <div class="warning">
 
diff --git a/src/doc/rustc-dev-guide/src/tests/minicore.md b/src/doc/rustc-dev-guide/src/tests/minicore.md
@@ -44,6 +44,11 @@ The `minicore` items must be kept up to date with `core`.
 For consistent diagnostic output between using `core` and `minicore`, any `diagnostic`
 attributes (e.g. `on_unimplemented`) should be replicated exactly in `minicore`.
 
+## Specific compile flags
+`compile-flags` is used both for auxiliary builds (including minicore) and main test build.
+`minicore-compile-flags` directive may be used to provide compile flags for minicore build only.
+`non-aux-compile-flags` directive may be used to provide compile flags for main test only.
+
 ## Example codegen test that uses `minicore`
 
 ```rust,no_run
diff --git a/src/tools/compiletest/src/directives.rs b/src/tools/compiletest/src/directives.rs
@@ -206,6 +206,8 @@ pub(crate) struct TestProps {
     pub add_minicore: bool,
     /// Add these flags to the build of `minicore`.
     pub minicore_compile_flags: Vec<String>,
+    /// Add these flags to the non-auxiliary build.
+    pub non_aux_compile_flags: Vec<String>,
     /// Whether line annotations are required for the given error kind.
     pub dont_require_annotations: HashSet<ErrorKind>,
     /// Whether pretty printers should be disabled in gdb.
@@ -259,6 +261,7 @@ mod directives {
     pub const NO_AUTO_CHECK_CFG: &'static str = "no-auto-check-cfg";
     pub const ADD_MINICORE: &'static str = "add-minicore";
     pub const MINICORE_COMPILE_FLAGS: &'static str = "minicore-compile-flags";
+    pub const NON_AUX_COMPILE_FLAGS: &'static str = "non-aux-compile-flags";
     pub const DISABLE_GDB_PRETTY_PRINTERS: &'static str = "disable-gdb-pretty-printers";
     pub const COMPARE_OUTPUT_BY_LINES: &'static str = "compare-output-by-lines";
 }
@@ -316,6 +319,7 @@ impl TestProps {
             no_auto_check_cfg: false,
             add_minicore: false,
             minicore_compile_flags: vec![],
+            non_aux_compile_flags: vec![],
             dont_require_annotations: Default::default(),
             disable_gdb_pretty_printers: false,
             compare_output_by_lines: false,
diff --git a/src/tools/compiletest/src/directives/directive_names.rs b/src/tools/compiletest/src/directives/directive_names.rs
@@ -196,6 +196,7 @@ pub(crate) const KNOWN_DIRECTIVE_NAMES: &[&str] = &[
     "needs-xray",
     "no-auto-check-cfg",
     "no-prefer-dynamic",
+    "non-aux-compile-flags",
     "normalize-stderr",
     "normalize-stderr-32bit",
     "normalize-stderr-64bit",
diff --git a/src/tools/compiletest/src/directives/handlers.rs b/src/tools/compiletest/src/directives/handlers.rs
@@ -339,6 +339,19 @@ fn make_directive_handlers_map() -> HashMap<&'static str, Handler> {
                 props.minicore_compile_flags.extend(flags);
             }
         }),
+        handler(NON_AUX_COMPILE_FLAGS, |config, ln, props| {
+            if let Some(flags) = config.parse_name_value_directive(ln, NON_AUX_COMPILE_FLAGS) {
+                let flags = split_flags(&flags);
+                // FIXME(#147955): Extract and unify this with other handlers that
+                // check compiler flags, e.g. COMPILE_FLAGS.
+                for flag in &flags {
+                    if flag == "--edition" || flag.starts_with("--edition=") {
+                        panic!("you must use `//@ edition` to configure the edition");
+                    }
+                }
+                props.non_aux_compile_flags.extend(flags);
+            }
+        }),
         handler(DONT_REQUIRE_ANNOTATIONS, |config, ln, props| {
             if let Some(err_kind) = config.parse_name_value_directive(ln, DONT_REQUIRE_ANNOTATIONS)
             {
diff --git a/src/tools/compiletest/src/runtest.rs b/src/tools/compiletest/src/runtest.rs
@@ -1004,6 +1004,7 @@ impl<'test> TestCx<'test> {
             allow_unused,
             LinkToAux::Yes,
             passes,
+            false,
         );
 
         self.compose_and_run_compiler(rustc, None)
@@ -1364,6 +1365,7 @@ impl<'test> TestCx<'test> {
             AllowUnused::Yes,
             LinkToAux::No,
             vec![],
+            true,
         );
 
         rustc.args(&["--crate-type", "rlib"]);
@@ -1423,6 +1425,7 @@ impl<'test> TestCx<'test> {
             AllowUnused::No,
             LinkToAux::No,
             Vec::new(),
+            false,
         );
         aux_cx.build_all_auxiliary(&aux_dir, &mut aux_rustc);
 
@@ -1608,6 +1611,7 @@ impl<'test> TestCx<'test> {
         allow_unused: AllowUnused,
         link_to_aux: LinkToAux,
         passes: Vec<String>, // Vec of passes under mir-opt test to be dumped
+        for_minicore: bool,
     ) -> Command {
         // FIXME(Zalathar): We should have a cleaner distinction between
         // `rustc` flags, `rustdoc` flags, and flags shared by both.
@@ -1956,6 +1960,10 @@ impl<'test> TestCx<'test> {
         }
 
         compiler.args(&self.props.compile_flags);
+        let is_aux = input_file.components().map(|c| c.as_os_str()).any(|c| c == "auxiliary");
+        if !for_minicore && !is_aux {
+            compiler.args(&self.props.non_aux_compile_flags);
+        }
 
         compiler
     }
@@ -2177,6 +2185,7 @@ impl<'test> TestCx<'test> {
             AllowUnused::No,
             LinkToAux::Yes,
             Vec::new(),
+            false,
         );
 
         let proc_res = self.compose_and_run_compiler(rustc, None);
diff --git a/src/tools/compiletest/src/runtest/assembly.rs b/src/tools/compiletest/src/runtest/assembly.rs
@@ -42,6 +42,7 @@ impl TestCx<'_> {
             AllowUnused::No,
             LinkToAux::Yes,
             Vec::new(),
+            false,
         );
 
         let proc_res = self.compose_and_run_compiler(rustc, None);
diff --git a/src/tools/compiletest/src/runtest/ui.rs b/src/tools/compiletest/src/runtest/ui.rs
@@ -234,6 +234,7 @@ impl TestCx<'_> {
                 AllowUnused::No,
                 LinkToAux::Yes,
                 Vec::new(),
+                false,
             );
 
             // If a test is revisioned, it's fixed source file can be named "a.foo.fixed", which,
diff --git a/tests/assembly-llvm/x86_64-sls.rs b/tests/assembly-llvm/x86_64-sls.rs
@@ -0,0 +1,76 @@
+// Test harden-sls flag
+
+#![feature(core_intrinsics)]
+//@ revisions: NONE ALL RET IJMP
+//@ assembly-output: emit-asm
+//@ compile-flags: -Copt-level=3 -Cunsafe-allow-abi-mismatch=harden-sls
+//@ [NONE] compile-flags: -Zharden-sls=none
+//@ [ALL] compile-flags: -Zharden-sls=all
+//@ [RET] compile-flags: -Zharden-sls=return
+//@ [IJMP] compile-flags: -Zharden-sls=indirect-jmp
+//@ only-x86_64
+#![crate_type = "lib"]
+
+#[no_mangle]
+pub fn double_return(a: i32, b: i32) -> i32 {
+    // CHECK-LABEL: double_return:
+    // CHECK:         jle
+    // CHECK-NOT:     int3
+    // CHECK:         retq
+    // RET-NEXT:      int3
+    // ALL-NEXT:      int3
+    // IJMP-NOT:      int3
+    // NONE-NOT:      int3
+    // CHECK:         retq
+    // RET-NEXT:      int3
+    // ALL-NEXT:      int3
+    // IJMP-NOT:      int3
+    // NONE-NOT:      int3
+    if a > 0 {
+        unsafe { std::intrinsics::unchecked_div(a, b) }
+    } else {
+        unsafe { std::intrinsics::unchecked_div(b, a) }
+    }
+}
+
+#[no_mangle]
+pub fn indirect_branch(a: i32, b: i32, i: i32) -> i32 {
+    // CHECK-LABEL: indirect_branch:
+    // CHECK:         jmpq *
+    // RET-NOT:       int3
+    // NONE-NOT:      int3
+    // IJMP-NEXT:     int3
+    // ALL-NEXT:      int3
+    // CHECK:         retq
+    // RET-NEXT:      int3
+    // ALL-NEXT:      int3
+    // IJMP-NOT:      int3
+    // NONE-NOT:      int3
+    // CHECK:         retq
+    // RET-NEXT:      int3
+    // ALL-NEXT:      int3
+    // IJMP-NOT:      int3
+    // NONE-NOT:      int3
+    match i {
+        0 => unsafe { std::intrinsics::unchecked_div(a, b) },
+        1 => unsafe { std::intrinsics::unchecked_div(b, a) },
+        2 => unsafe { std::intrinsics::unchecked_div(b, a) + 2 },
+        3 => unsafe { std::intrinsics::unchecked_div(b, a) + 3 },
+        4 => unsafe { std::intrinsics::unchecked_div(b, a) + 4 },
+        5 => unsafe { std::intrinsics::unchecked_div(b, a) + 5 },
+        6 => unsafe { std::intrinsics::unchecked_div(b, a) + 6 },
+        _ => panic!(""),
+    }
+}
+
+#[no_mangle]
+pub fn bar(ptr: fn()) {
+    // CHECK-LABEL: bar:
+    // CHECK:         jmpq *
+    // RET-NOT:       int3
+    // NONE-NOT:      int3
+    // IJMP-NEXT:     int3
+    // ALL-NEXT:      int3
+    // CHECK-NOT:     ret
+    ptr()
+}
diff --git a/tests/codegen-llvm/harden-sls.rs b/tests/codegen-llvm/harden-sls.rs
diff --git a/tests/ui/target-feature/harden-sls-target-feature-flag.by_feature.stderr b/tests/ui/target-feature/harden-sls-target-feature-flag.by_feature.stderr
diff --git a/tests/ui/target-feature/harden-sls-target-feature-flag.rs b/tests/ui/target-feature/harden-sls-target-feature-flag.rs

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ use rustc_target::spec::Arch;`
`7`	`7`
`8`	`8`	`fn gcc_features_by_flags(sess: &Session, features: &mut Vec<String>) {`
`9`	`9`	`target_features::retpoline_features_by_flags(sess, features);`
	`10`	`+ target_features::sls_features_by_flags(sess, features);`
`10`	`11`	`// FIXME: LLVM also sets +reserve-x18 here under some conditions.`
`11`	`12`	`}`
`12`	`13`
Original file line number	Diff line number	Diff line change
`@@ -643,6 +643,7 @@ fn llvm_features_by_flags(sess: &Session, features: &mut Vec<String>) {`
`643`	`643`	`}`
`644`	`644`
`645`	`645`	`target_features::retpoline_features_by_flags(sess, features);`
	`646`	`+ target_features::sls_features_by_flags(sess, features);`
`646`	`647`
`647`	`648`	`// -Zfixed-x18`
`648`	`649`	`if sess.opts.unstable_opts.fixed_x18 {`