Rollup merge of #142681 - 1c3t3a:sanitize-off-on, r=rcvalle

Remove the `#[no_sanitize]` attribute in favor of `#[sanitize(xyz = "on|off")]` This came up during the sanitizer stabilization (rust-lang/rust#123617). Instead of a `#[no_sanitize(xyz)]` attribute, we would like to have a `#[sanitize(xyz = "on|off")]` attribute, which is more powerful and allows to be extended in the future (instead of just focusing on turning sanitizers off). The implementation is done according to what was [discussed on Zulip](https://rust-lang.zulipchat.com/#narrow/channel/343119-project-exploit-mitigations/topic/Stabilize.20the.20.60no_sanitize.60.20attribute/with/495377292)). The new attribute also works on modules, traits and impl items and thus enables usage as the following: ```rust #[sanitize(address = "off")] mod foo { fn unsanitized(..) {} #[sanitize(address = "on")] fn sanitized(..) {} } trait MyTrait { #[sanitize(address = "off")] fn unsanitized_default(..) {} } #[sanitize(thread = "off")] impl MyTrait for () { ... } ``` r? ```@rcvalle```
author: Stuart Cook <Zalathar@users.noreply.github.com> 2025-08-19 14:18:16 +1000
committer: GitHub <noreply@github.com> 2025-08-19 14:18:16 +1000
commit: 633cc0cc6cfc6b77da14864dbefb1dab25dcb8d0 (patch)
tree: 145a2b42a2741b0f113868938d76e060d6988292 /tests/codegen-llvm
parent: 027c7a5d857ff9692ce40bfd3bc9a90ef3764232 (diff)
parent: 95bdb34494ad795f552cab7a0eb7bfd2e98ef033 (diff)
download: rust-633cc0cc6cfc6b77da14864dbefb1dab25dcb8d0.tar.gz
rust-633cc0cc6cfc6b77da14864dbefb1dab25dcb8d0.zip
8 files changed, 199 insertions, 29 deletions
diff --git a/tests/codegen-llvm/sanitizer/cfi/emit-type-checks-attr-no-sanitize.rs b/tests/codegen-llvm/sanitizer/cfi/emit-type-checks-attr-sanitize-off.rs
index 71ccdc8ca62..651afb33228 100644
--- a/tests/codegen-llvm/sanitizer/cfi/emit-type-checks-attr-no-sanitize.rs
+++ b/tests/codegen-llvm/sanitizer/cfi/emit-type-checks-attr-sanitize-off.rs
@@ -4,11 +4,11 @@
 //@ compile-flags: -Clto -Cno-prepopulate-passes -Ctarget-feature=-crt-static -Zsanitizer=cfi -Copt-level=0
 
 #![crate_type = "lib"]
-#![feature(no_sanitize)]
+#![feature(sanitize)]
 
-#[no_sanitize(cfi)]
+#[sanitize(cfi = "off")]
 pub fn foo(f: fn(i32) -> i32, arg: i32) -> i32 {
-    // CHECK-LABEL: emit_type_checks_attr_no_sanitize::foo
+    // CHECK-LABEL: emit_type_checks_attr_sanitize_off::foo
     // CHECK:       Function Attrs: {{.*}}
     // CHECK-LABEL: define{{.*}}foo{{.*}}!type !{{[0-9]+}} !type !{{[0-9]+}} !type !{{[0-9]+}} !type !{{[0-9]+}}
     // CHECK:       start:
diff --git a/tests/codegen-llvm/sanitizer/kasan-emits-instrumentation.rs b/tests/codegen-llvm/sanitizer/kasan-emits-instrumentation.rs
index 774c9ab53f1..c70aae1703e 100644
--- a/tests/codegen-llvm/sanitizer/kasan-emits-instrumentation.rs
+++ b/tests/codegen-llvm/sanitizer/kasan-emits-instrumentation.rs
@@ -13,7 +13,7 @@
 //@[x86_64] needs-llvm-components: x86
 
 #![crate_type = "rlib"]
-#![feature(no_core, no_sanitize, lang_items)]
+#![feature(no_core, sanitize, lang_items)]
 #![no_core]
 
 extern crate minicore;
@@ -25,7 +25,7 @@ use minicore::*;
 // CHECK:       start:
 // CHECK-NOT:   call void @__asan_report_load
 // CHECK:       }
-#[no_sanitize(address)]
+#[sanitize(address = "off")]
 pub fn unsanitized(b: &mut u8) -> u8 {
     *b
 }
diff --git a/tests/codegen-llvm/sanitizer/kcfi/emit-kcfi-operand-bundle-attr-no-sanitize.rs b/tests/codegen-llvm/sanitizer/kcfi/emit-kcfi-operand-bundle-attr-sanitize-off.rs
index 02c31fb8e9b..2581784ce3e 100644
--- a/tests/codegen-llvm/sanitizer/kcfi/emit-kcfi-operand-bundle-attr-no-sanitize.rs
+++ b/tests/codegen-llvm/sanitizer/kcfi/emit-kcfi-operand-bundle-attr-sanitize-off.rs
@@ -9,15 +9,15 @@
 //@ compile-flags: -Cno-prepopulate-passes -Zsanitizer=kcfi -Copt-level=0
 
 #![crate_type = "lib"]
-#![feature(no_core, no_sanitize, lang_items)]
+#![feature(no_core, sanitize, lang_items)]
 #![no_core]
 
 extern crate minicore;
 use minicore::*;
 
-#[no_sanitize(kcfi)]
+#[sanitize(kcfi = "off")]
 pub fn foo(f: fn(i32) -> i32, arg: i32) -> i32 {
-    // CHECK-LABEL: emit_kcfi_operand_bundle_attr_no_sanitize::foo
+    // CHECK-LABEL: emit_kcfi_operand_bundle_attr_sanitize_off::foo
     // CHECK:       Function Attrs: {{.*}}
     // CHECK-LABEL: define{{.*}}foo{{.*}}!{{<unknown kind #36>|kcfi_type}} !{{[0-9]+}}
     // CHECK:       start:
diff --git a/tests/codegen-llvm/sanitizer/sanitize-off-asan-kasan.rs b/tests/codegen-llvm/sanitizer/sanitize-off-asan-kasan.rs
new file mode 100644
index 00000000000..37549aba447
--- /dev/null
+++ b/tests/codegen-llvm/sanitizer/sanitize-off-asan-kasan.rs
@@ -0,0 +1,42 @@
+// Verifies that the `#[sanitize(address = "off")]` attribute also turns off
+// the kernel address sanitizer.
+//
+//@ add-core-stubs
+//@ compile-flags: -Zsanitizer=kernel-address -Ctarget-feature=-crt-static -Copt-level=0
+//@ revisions: aarch64 riscv64imac riscv64gc x86_64
+//@[aarch64] compile-flags: --target aarch64-unknown-none
+//@[aarch64] needs-llvm-components: aarch64
+//@[riscv64imac] compile-flags: --target riscv64imac-unknown-none-elf
+//@[riscv64imac] needs-llvm-components: riscv
+//@[riscv64gc] compile-flags: --target riscv64gc-unknown-none-elf
+//@[riscv64gc] needs-llvm-components: riscv
+//@[x86_64] compile-flags: --target x86_64-unknown-none
+//@[x86_64] needs-llvm-components: x86
+
+#![crate_type = "rlib"]
+#![feature(no_core, sanitize, lang_items)]
+#![no_core]
+
+extern crate minicore;
+use minicore::*;
+
+// CHECK-LABEL: ; sanitize_off_asan_kasan::unsanitized
+// CHECK-NEXT:  ; Function Attrs:
+// CHECK-NOT:   sanitize_address
+// CHECK:       start:
+// CHECK-NOT:   call void @__asan_report_load
+// CHECK:       }
+#[sanitize(address = "off")]
+pub fn unsanitized(b: &mut u8) -> u8 {
+    *b
+}
+
+// CHECK-LABEL: ; sanitize_off_asan_kasan::sanitized
+// CHECK-NEXT:  ; Function Attrs:
+// CHECK:       sanitize_address
+// CHECK:       start:
+// CHECK:       call void @__asan_report_load
+// CHECK:       }
+pub fn sanitized(b: &mut u8) -> u8 {
+    *b
+}
diff --git a/tests/codegen-llvm/sanitizer/no-sanitize-inlining.rs b/tests/codegen-llvm/sanitizer/sanitize-off-inlining.rs
index 4bd832d2ab1..69771827c3a 100644
--- a/tests/codegen-llvm/sanitizer/no-sanitize-inlining.rs
+++ b/tests/codegen-llvm/sanitizer/sanitize-off-inlining.rs
@@ -1,4 +1,4 @@
-// Verifies that no_sanitize attribute prevents inlining when
+// Verifies that sanitize(xyz = "off") attribute prevents inlining when
 // given sanitizer is enabled, but has no effect on inlining otherwise.
 //
 //@ needs-sanitizer-address
@@ -9,7 +9,7 @@
 //@[LSAN] compile-flags: -Zsanitizer=leak
 
 #![crate_type = "lib"]
-#![feature(no_sanitize)]
+#![feature(sanitize)]
 
 // ASAN-LABEL: define void @test
 // ASAN:         call {{.*}} @random_inline
@@ -23,7 +23,7 @@ pub fn test(n: &mut u32) {
     random_inline(n);
 }
 
-#[no_sanitize(address)]
+#[sanitize(address = "off")]
 #[inline]
 #[no_mangle]
 pub fn random_inline(n: &mut u32) {
diff --git a/tests/codegen-llvm/sanitizer/no-sanitize.rs b/tests/codegen-llvm/sanitizer/sanitize-off-kasan-asan.rs
index 2a309f6b9c6..94945f2b2e6 100644
--- a/tests/codegen-llvm/sanitizer/no-sanitize.rs
+++ b/tests/codegen-llvm/sanitizer/sanitize-off-kasan-asan.rs
@@ -1,34 +1,24 @@
-// Verifies that no_sanitize attribute can be used to
-// selectively disable sanitizer instrumentation.
+// Verifies that the `#[sanitize(kernel_address = "off")]` attribute also turns off
+// the address sanitizer.
 //
 //@ needs-sanitizer-address
 //@ compile-flags: -Zsanitizer=address -Ctarget-feature=-crt-static -Copt-level=0
 
 #![crate_type = "lib"]
-#![feature(no_sanitize)]
+#![feature(sanitize)]
 
-// CHECK:     @UNSANITIZED = constant{{.*}} no_sanitize_address
-// CHECK-NOT: @__asan_global_UNSANITIZED
-#[no_mangle]
-#[no_sanitize(address)]
-pub static UNSANITIZED: u32 = 0;
-
-// CHECK: @__asan_global_SANITIZED
-#[no_mangle]
-pub static SANITIZED: u32 = 0;
-
-// CHECK-LABEL: ; no_sanitize::unsanitized
+// CHECK-LABEL: ; sanitize_off_kasan_asan::unsanitized
 // CHECK-NEXT:  ; Function Attrs:
 // CHECK-NOT:   sanitize_address
 // CHECK:       start:
 // CHECK-NOT:   call void @__asan_report_load
 // CHECK:       }
-#[no_sanitize(address)]
+#[sanitize(kernel_address = "off")]
 pub fn unsanitized(b: &mut u8) -> u8 {
     *b
 }
 
-// CHECK-LABEL: ; no_sanitize::sanitized
+// CHECK-LABEL: ; sanitize_off_kasan_asan::sanitized
 // CHECK-NEXT:  ; Function Attrs:
 // CHECK:       sanitize_address
 // CHECK:       start:
diff --git a/tests/codegen-llvm/sanitizer/sanitize-off.rs b/tests/codegen-llvm/sanitizer/sanitize-off.rs
new file mode 100644
index 00000000000..9f3f7cd9df7
--- /dev/null
+++ b/tests/codegen-llvm/sanitizer/sanitize-off.rs
@@ -0,0 +1,138 @@
+// Verifies that the `#[sanitize(address = "off")]` attribute can be used to
+// selectively disable sanitizer instrumentation.
+//
+//@ needs-sanitizer-address
+//@ compile-flags: -Zsanitizer=address -Ctarget-feature=-crt-static -Copt-level=0
+
+#![crate_type = "lib"]
+#![feature(sanitize)]
+
+// CHECK:     @UNSANITIZED = constant{{.*}} no_sanitize_address
+// CHECK-NOT: @__asan_global_SANITIZED
+#[no_mangle]
+#[sanitize(address = "off")]
+pub static UNSANITIZED: u32 = 0;
+
+// CHECK: @__asan_global_SANITIZED
+#[no_mangle]
+pub static SANITIZED: u32 = 0;
+
+// CHECK-LABEL: ; sanitize_off::unsanitized
+// CHECK-NEXT:  ; Function Attrs:
+// CHECK-NOT:   sanitize_address
+// CHECK:       start:
+// CHECK-NOT:   call void @__asan_report_load
+// CHECK:       }
+#[sanitize(address = "off")]
+pub fn unsanitized(b: &mut u8) -> u8 {
+    *b
+}
+
+// CHECK-LABEL: ; sanitize_off::sanitized
+// CHECK-NEXT:  ; Function Attrs:
+// CHECK:       sanitize_address
+// CHECK:       start:
+// CHECK:       call void @__asan_report_load
+// CHECK:       }
+pub fn sanitized(b: &mut u8) -> u8 {
+    *b
+}
+
+#[sanitize(address = "off")]
+pub mod foo {
+    // CHECK-LABEL: ; sanitize_off::foo::unsanitized
+    // CHECK-NEXT:  ; Function Attrs:
+    // CHECK-NOT:   sanitize_address
+    // CHECK:       start:
+    // CHECK-NOT:   call void @__asan_report_load
+    // CHECK:       }
+    pub fn unsanitized(b: &mut u8) -> u8 {
+        *b
+    }
+
+    // CHECK-LABEL: ; sanitize_off::foo::sanitized
+    // CHECK-NEXT:  ; Function Attrs:
+    // CHECK:       sanitize_address
+    // CHECK:       start:
+    // CHECK:       call void @__asan_report_load
+    // CHECK:       }
+    #[sanitize(address = "on")]
+    pub fn sanitized(b: &mut u8) -> u8 {
+        *b
+    }
+}
+
+pub trait MyTrait {
+    fn unsanitized(&self, b: &mut u8) -> u8;
+    fn sanitized(&self, b: &mut u8) -> u8;
+
+    // CHECK-LABEL: ; sanitize_off::MyTrait::unsanitized_default
+    // CHECK-NEXT:  ; Function Attrs:
+    // CHECK-NOT:   sanitize_address
+    // CHECK:       start:
+    // CHECK-NOT:   call void @__asan_report_load
+    // CHECK:       }
+    #[sanitize(address = "off")]
+    fn unsanitized_default(&self, b: &mut u8) -> u8 {
+        *b
+    }
+
+    // CHECK-LABEL: ; sanitize_off::MyTrait::sanitized_default
+    // CHECK-NEXT:  ; Function Attrs:
+    // CHECK:       sanitize_address
+    // CHECK:       start:
+    // CHECK:       call void @__asan_report_load
+    // CHECK:       }
+    fn sanitized_default(&self, b: &mut u8) -> u8 {
+        *b
+    }
+}
+
+#[sanitize(address = "off")]
+impl MyTrait for () {
+    // CHECK-LABEL: ; <() as sanitize_off::MyTrait>::unsanitized
+    // CHECK-NEXT:  ; Function Attrs:
+    // CHECK-NOT:   sanitize_address
+    // CHECK:       start:
+    // CHECK-NOT:   call void @__asan_report_load
+    // CHECK:       }
+    fn unsanitized(&self, b: &mut u8) -> u8 {
+        *b
+    }
+
+    // CHECK-LABEL: ; <() as sanitize_off::MyTrait>::sanitized
+    // CHECK-NEXT:  ; Function Attrs:
+    // CHECK:       sanitize_address
+    // CHECK:       start:
+    // CHECK:       call void @__asan_report_load
+    // CHECK:       }
+    #[sanitize(address = "on")]
+    fn sanitized(&self, b: &mut u8) -> u8 {
+        *b
+    }
+}
+
+pub fn expose_trait(b: &mut u8) -> u8 {
+    <() as MyTrait>::unsanitized_default(&(), b);
+    <() as MyTrait>::sanitized_default(&(), b)
+}
+
+#[sanitize(address = "off")]
+pub mod outer {
+    #[sanitize(thread = "off")]
+    pub mod inner {
+        // CHECK-LABEL: ; sanitize_off::outer::inner::unsanitized
+        // CHECK-NEXT:  ; Function Attrs:
+        // CHECK-NOT:   sanitize_address
+        // CHECK:       start:
+        // CHECK-NOT:   call void @__asan_report_load
+        // CHECK:       }
+        pub fn unsanitized() {
+            let xs = [0, 1, 2, 3];
+            // Avoid optimizing everything out.
+            let xs = std::hint::black_box(xs.as_ptr());
+            let code = unsafe { *xs.offset(4) };
+            std::process::exit(code);
+        }
+    }
+}
diff --git a/tests/codegen-llvm/sanitizer/scs-attr-check.rs b/tests/codegen-llvm/sanitizer/scs-attr-check.rs
index 6f4cbc2c0a6..f726503503c 100644
--- a/tests/codegen-llvm/sanitizer/scs-attr-check.rs
+++ b/tests/codegen-llvm/sanitizer/scs-attr-check.rs
@@ -5,7 +5,7 @@
 //@ compile-flags: -Zsanitizer=shadow-call-stack
 
 #![crate_type = "lib"]
-#![feature(no_sanitize)]
+#![feature(sanitize)]
 
 // CHECK: ; sanitizer_scs_attr_check::scs
 // CHECK-NEXT: ; Function Attrs:{{.*}}shadowcallstack
@@ -13,5 +13,5 @@ pub fn scs() {}
 
 // CHECK: ; sanitizer_scs_attr_check::no_scs
 // CHECK-NOT: ; Function Attrs:{{.*}}shadowcallstack
-#[no_sanitize(shadow_call_stack)]
+#[sanitize(shadow_call_stack = "off")]
 pub fn no_scs() {}
author	Stuart Cook <Zalathar@users.noreply.github.com>	2025-08-19 14:18:16 +1000
committer	GitHub <noreply@github.com>	2025-08-19 14:18:16 +1000
commit	633cc0cc6cfc6b77da14864dbefb1dab25dcb8d0 (patch)
tree	145a2b42a2741b0f113868938d76e060d6988292 /tests/codegen-llvm
parent	027c7a5d857ff9692ce40bfd3bc9a90ef3764232 (diff)
parent	95bdb34494ad795f552cab7a0eb7bfd2e98ef033 (diff)
download	rust-633cc0cc6cfc6b77da14864dbefb1dab25dcb8d0.tar.gz rust-633cc0cc6cfc6b77da14864dbefb1dab25dcb8d0.zip