Closed dead-claudia closed 1 year ago
I don't see anything addressing the safety requirements as documented in core::arch
: https://doc.rust-lang.org/core/arch/index.html#overview
All of these are already guarded with
#[target_feature]
as appropriate, thus avoiding undefined behavior on that front.
This seems quite confused. Firstly, I don't see any uses of #[target_feature]
in your code sample (other than calling vendor intrinsics that are annotated with it). Secondly, and more importantly, #[target_feature]
doesn't discharge safety requirements, it introduces them. You can't annotate a safe function with #[target_feature]
. It has to be marked unsafe
. And that has nothing to do with "access memory nor impact processor state." It's marked unsafe because it's undefined behavior to execute code that isn't supported by the CPU. In the best case you'll get SIGILL
. This was explicitly discussed in the RFC that introduced #[target_feature]
. So if you want to make #[target_feature]
safe to use, you have to address what the RFC said by either not making it undefined behavior (which I would assume would require figuring it out at the code generator level, i.e., LLVM) or finding some other way to mitigate it.
I don't see anything addressing the safety requirements as documented in
core::arch
: doc.rust-lang.org/core/arch/index.html#overviewAll of these are already guarded with
#[target_feature]
as appropriate, thus avoiding undefined behavior on that front.This seems quite confused. Firstly, I don't see any uses of
#[target_feature]
in your code sample (other than calling vendor intrinsics that are annotated with it).
@BurntSushi Apologies for the (very) sloppy imprecision here. I meant that they're only accessible when you either specify #[target_feature]
or explicitly opt into them through -C target-cpu
/-C target-features
. And I was proposing making them safe when using the latter.
The way the rest of your stuff reads, I'd be better served making an RFC instead for this as there's lower-level language kinks to work out, so I'll close this ACP.
I meant that they're only accessible when you either specify
#[target_feature]
or explicitly opt into them through-C target-cpu
/-C target-features
. And I was proposing making them safe when using the latter.
I would definitely suggest a pre-RFC first. Firstly because I still don't quite understand these sentences. Secondly, because compile time CPU features is somewhat less compelling (although perhaps that's changing with microarchitecture levels). Thirdly, because safe_arch
exists, which looks like important prior art here.
Proposal
Problem statement
Currently, any time you want to use vector intrinsics directly, you have to resort to
unsafe
blocks. As that's still very much unstable, it's not exactly accessible for most currently. Also, there's features that doesn't cover, like AVX-512's result masking (which saves a lot of instructions in some niche cases).Motivating examples or use cases
I've got this code laying around in an experiment:
None of those
unsafe
blocks are truly dealing with anything unsafe as per the book, the unsafe code guidelines, or the reference manual.#[target_feature]
as appropriate, thus avoiding undefined behavior on that front._mm256_castpd128_pd256
in x86.Solution sketch
For each architecture intrinsics that neither read nor modify memory or persistent processor state, make it safe and wrap the inner contents with an
unsafe
block as needed.For x86-64, this equates to roughly the following:
unsafe
unsafe
as it reads persistent processor state__rdtscp
and_rdtsc
unsafe
as it reads persistent processor stateunsafe
as it interacts with persistent processor stateunsafe
as it interacts with persistent processor stateunsafe
as it interacts with persistent processor state_mm256_cast*128_*256
unsafe
due to its upper half being undefined_mm512_cast*128_*512
unsafe
due to its upper 3/4 being undefined_mm512_cast*256_*512
unsafe
due to its upper half being undefined_mm*_undefined*
unsafe
since they're intentionally supposed to be undefinedbsf
/bsr
instructions don't exist, so they don't need covered)Alternatives
Do nothing and just focus on
std::simd
. This is workable, but see my note on AVX-512's result masking for why this isn't helpful in of itself. (I didn't include an example for that here, but it wouldn't be hard for me to provide one.)Links and related work
What happens now?
This issue is part of the libs-api team API change proposal process. Once this issue is filed the libs-api team will review open proposals as capability becomes available. Current response times do not have a clear estimate, but may be up to several months.
Possible responses
The libs team may respond in various different ways. First, the team will consider the problem (this doesn't require any concrete solution or alternatives to have been proposed):
Second, if there's a concrete solution: