Document that CFI diverges from Rust wrt. ABI-compatibility rules by Darksonn · Pull Request #155361 · rust-lang/rust

Darksonn · 2026-04-15T21:27:14Z

The CFI sanitizer is a sanitizer that checks that no ABI-incompatible function calls are made at runtime, but there is currently an unfortunate divergence between the Rust ABI-compatibility rules and what the CFI sanitizer checks. Thus, document that this divergence exists.

There are proposals for how we can align the ABI rules to eliminate this discrepancy, and I would like to follow through with those, but for now I think we can at least document that the discrepancy exists.

For further discussion please see Re-evaluate ABI compatibility rules in light of CFI and Can CFI be made compatible with type erasure schemes? and fn_cast! macro.

cc @rcvalle @samitolvanen @maurer @bjorn3 @RalfJung

Rendered:

rustbot · 2026-04-15T21:27:20Z

r? @scottmcm

rustbot has assigned @scottmcm.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

Owners of files modified in this PR: @scottmcm, libs
@scottmcm, libs expanded to 7 candidates
Random selection from Mark-Simulacrum, jhpratt, scottmcm

scottmcm · 2026-04-20T02:23:45Z

TBH, I think this is a fundamental flaw in CFI, being coupled to typed-memory concepts that don't exist in Rust.

Since he's been looking at this,
r? RalfJung

rustbot · 2026-04-20T02:23:50Z

RalfJung is not on the review rotation at the moment.
They may take a while to respond.

Darksonn · 2026-04-20T14:34:53Z

@scottmcm CFI does have some pretty big flaws, but I don't think that's one of them. It's a useful way to detect function pointer mixups, and ABI-compatibility has always been a stronger requirement than just being memory compatible. Just because f32 and u32 are memory compatible does not imply they should be ABI-compatible.

RalfJung · 2026-04-28T14:07:57Z

The content seems reasonable to me. The one thing I am not sure about is the location. Maybe these docs are a more natural place for CFI-specific documentation?

Darksonn · 2026-04-28T14:38:07Z

 /// - `*const T`, `*mut T`, `&T`, `&mut T`, `Box<T>` (specifically, only `Box<T, Global>`), and
 ///   `NonNull<T>` are all ABI-compatible with each other for all `T`. They are also ABI-compatible
 ///   with each other for _different_ `T` if they have the same metadata type (`<T as
-///   Pointee>::Metadata`).
+///   Pointee>::Metadata`). However, see the [Control Flow Integrity] section below for caveats.


I can move the main docs section, but I'd like to keep this note in this file.

View changes since the review

Yeah that makes sense.

rustbot · 2026-04-28T15:11:03Z

Some changes occurred in src/doc/unstable-book/src/compiler-flags/sanitizer.md

cc @rust-lang/project-exploit-mitigations, @rcvalle

RalfJung · 2026-04-28T15:16:45Z

@bors squash msg="Document that CFI diverges from Rust wrt. ABI-compatibility rules"

rust-bors · 2026-04-28T15:17:06Z

🔨 10 commits were squashed into aef93ca.

RalfJung · 2026-04-28T15:18:49Z

@bors r+ rollup

rust-bors · 2026-04-28T15:18:52Z

📌 Commit aef93ca has been approved by RalfJung

It is now in the queue for this repository.

@rcvalle

Document that CFI diverges from Rust wrt. ABI-compatibility rules The CFI sanitizer is a sanitizer that checks that no ABI-incompatible function calls are made at runtime, but there is currently an unfortunate divergence between the Rust ABI-compatibility rules and what the CFI sanitizer checks. Thus, document that this divergence exists. There are proposals for how we can align the ABI rules to eliminate this discrepancy, and I would like to follow through with those, but for now I think we can at least document that the discrepancy exists. For further discussion please see [Re-evaluate ABI compatibility rules in light of CFI](rust-lang/unsafe-code-guidelines#489) and [Can CFI be made compatible with type erasure schemes?](rust-lang#128728) and [`fn_cast!` macro](rust-lang#140803). cc @rcvalle @samitolvanen @maurer @bjorn3 @RalfJung Rendered: <img width="956" height="391" alt="image" src="https://github.com/user-attachments/assets/410d3eaa-9476-4800-9ef8-bbb100a100c5" />

…uwer Rollup of 12 pull requests Successful merges: - #151994 (switch to v0 mangling by default on stable) - #154325 (Tweak irrefutable let else warning output) - #155899 (`dlltool`: Set the working directory to workaround `--temp-prefix` bug) - #155273 (Lock stable_crate_ids once in create_crate_num) - #155361 (Document that CFI diverges from Rust wrt. ABI-compatibility rules) - #155692 (disable naked-dead-code-elimination test if no RET mnemonic is available) - #155747 (Update documentation for `wasm32-wali-linux-musl` after integrating n…) - #155768 (compiletest: Overhaul the code for running an incremental test revision) - #155907 (Handle hkl const closures) - #155910 (misc stuff from reading borrowck again :)) - #155913 (Delete the 12 year old fixme) - #155920 (remove review queue triagebot mentions)

@rcvalle

Document that CFI diverges from Rust wrt. ABI-compatibility rules The CFI sanitizer is a sanitizer that checks that no ABI-incompatible function calls are made at runtime, but there is currently an unfortunate divergence between the Rust ABI-compatibility rules and what the CFI sanitizer checks. Thus, document that this divergence exists. There are proposals for how we can align the ABI rules to eliminate this discrepancy, and I would like to follow through with those, but for now I think we can at least document that the discrepancy exists. For further discussion please see [Re-evaluate ABI compatibility rules in light of CFI](rust-lang/unsafe-code-guidelines#489) and [Can CFI be made compatible with type erasure schemes?](rust-lang#128728) and [`fn_cast!` macro](rust-lang#140803). cc @rcvalle @samitolvanen @maurer @bjorn3 @RalfJung Rendered: <img width="956" height="391" alt="image" src="https://github.com/user-attachments/assets/410d3eaa-9476-4800-9ef8-bbb100a100c5" />

…uwer Rollup of 14 pull requests Successful merges: - #155850 (Only exclude the #155473 change for 1-byte bool-likes) - #155923 (Subtree sync for rustc_codegen_cranelift) - #151994 (switch to v0 mangling by default on stable) - #154325 (Tweak irrefutable let else warning output) - #155899 (`dlltool`: Set the working directory to workaround `--temp-prefix` bug) - #155273 (Lock stable_crate_ids once in create_crate_num) - #155361 (Document that CFI diverges from Rust wrt. ABI-compatibility rules) - #155692 (disable naked-dead-code-elimination test if no RET mnemonic is available) - #155747 (Update documentation for `wasm32-wali-linux-musl` after integrating n…) - #155768 (compiletest: Overhaul the code for running an incremental test revision) - #155907 (Handle hkl const closures) - #155910 (misc stuff from reading borrowck again :)) - #155913 (Delete the 12 year old fixme) - #155920 (remove review queue triagebot mentions)

…uwer Rollup of 15 pull requests Successful merges: - #155923 (Subtree sync for rustc_codegen_cranelift) - #155930 (Sync from portable simd 2026 04 28) - #155850 (Only exclude the #155473 change for 1-byte bool-likes) - #151994 (switch to v0 mangling by default on stable) - #154325 (Tweak irrefutable let else warning output) - #155273 (Lock stable_crate_ids once in create_crate_num) - #155361 (Document that CFI diverges from Rust wrt. ABI-compatibility rules) - #155692 (disable naked-dead-code-elimination test if no RET mnemonic is available) - #155747 (Update documentation for `wasm32-wali-linux-musl` after integrating n…) - #155768 (compiletest: Overhaul the code for running an incremental test revision) - #155907 (Handle hkl const closures) - #155910 (misc stuff from reading borrowck again :)) - #155913 (Delete the 12 year old fixme) - #155920 (remove review queue triagebot mentions) - #155936 (Rename `SharedContext::emit_dyn_lint*` into `emit_lint*`)

@rcvalle

Rollup merge of #155361 - Darksonn:abi-cfi, r=RalfJung Document that CFI diverges from Rust wrt. ABI-compatibility rules The CFI sanitizer is a sanitizer that checks that no ABI-incompatible function calls are made at runtime, but there is currently an unfortunate divergence between the Rust ABI-compatibility rules and what the CFI sanitizer checks. Thus, document that this divergence exists. There are proposals for how we can align the ABI rules to eliminate this discrepancy, and I would like to follow through with those, but for now I think we can at least document that the discrepancy exists. For further discussion please see [Re-evaluate ABI compatibility rules in light of CFI](rust-lang/unsafe-code-guidelines#489) and [Can CFI be made compatible with type erasure schemes?](#128728) and [`fn_cast!` macro](#140803). cc @rcvalle @samitolvanen @maurer @bjorn3 @RalfJung Rendered: <img width="956" height="391" alt="image" src="https://github.com/user-attachments/assets/410d3eaa-9476-4800-9ef8-bbb100a100c5" />

rustbot assigned scottmcm Apr 15, 2026

rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Apr 15, 2026

RalfJung reviewed Apr 16, 2026

View reviewed changes

Comment thread library/core/src/primitive_docs.rs Outdated

Comment thread library/core/src/primitive_docs.rs Outdated

Comment thread library/core/src/primitive_docs.rs Outdated

rustbot assigned RalfJung and unassigned scottmcm Apr 20, 2026

RalfJung reviewed Apr 20, 2026

View reviewed changes

Comment thread library/core/src/primitive_docs.rs Outdated

Comment thread library/core/src/primitive_docs.rs Outdated

Darksonn commented Apr 28, 2026

View reviewed changes

This comment has been minimized.

Sign in to view

Document that CFI diverges from Rust wrt. ABI-compatibility rules

aef93ca

rust-bors Bot force-pushed the abi-cfi branch from 9334c51 to aef93ca Compare April 28, 2026 15:17

rust-bors Bot added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Apr 28, 2026

JonathanBrouwer mentioned this pull request Apr 28, 2026

Rollup of 12 pull requests #155933

Closed

JonathanBrouwer mentioned this pull request Apr 28, 2026

Rollup of 14 pull requests #155937

Closed

JonathanBrouwer mentioned this pull request Apr 28, 2026

Rollup of 15 pull requests #155941

Merged

rust-bors Bot merged commit 8f15da4 into rust-lang:main Apr 28, 2026
11 checks passed

rustbot added this to the 1.97.0 milestone Apr 28, 2026

Darksonn deleted the abi-cfi branch April 28, 2026 22:28

Uh oh!

Conversation

Darksonn commented Apr 15, 2026 • edited by rustbot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

rustbot commented Apr 15, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

scottmcm commented Apr 20, 2026

Uh oh!

rustbot commented Apr 20, 2026

Uh oh!

Uh oh!

Uh oh!

Darksonn commented Apr 20, 2026

Uh oh!

RalfJung commented Apr 28, 2026

Uh oh!

Darksonn Apr 28, 2026 • edited by rustbot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

RalfJung Apr 28, 2026

Choose a reason for hiding this comment

Uh oh!

rustbot commented Apr 28, 2026

Uh oh!

RalfJung commented Apr 28, 2026

Uh oh!

This comment has been minimized.

rust-bors Bot commented Apr 28, 2026

Uh oh!

RalfJung commented Apr 28, 2026

Uh oh!

rust-bors Bot commented Apr 28, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Darksonn commented Apr 15, 2026 •

edited by rustbot

Loading

Darksonn Apr 28, 2026 •

edited by rustbot

Loading