target_feature_11 allows bypassing safety checks through Fn* traits

[hanna-kruppe]

(Moved from #69098 (comment) with an added PoC.)

The following program (playground) demonstrates how current implementation of target_feature_11 allows using a target_feature from safe code without ensuring it's actually available:

#![feature(target_feature_11)]

#[target_feature(enable="avx")]
fn use_avx() {
    println!("Hello from AVX")
}

fn call_it(f: impl FnOnce()) {
    f();
}

fn main() {
    call_it(use_avx);
}

This is unsound because it allows executing (e.g.) AVX instructions on CPUs that do not implement them, which is UB. It only works because "safe fns with target_features" are erroneously considered to implement the FnOnce/FnMut/Fn traits.

[petrochenkov]

Proposed resolution: #69098 (comment).

It would probably be better to add the unsafe to #[target_feature] functions implicitly during lowering to HIR.
Implicit unsafe is already added to functions in extern blocks in the same way.

That would make the unsafety checker the only place (besides AST lowering) where they would be treated specially. Like, "yes, the function is unsafe, but we know that it's safe to call in this specific context, so the unsafe block can be omitted".

The special coercion checks would no longer be necessary in that case.

[petrochenkov]

Or perhaps the RFC should be revised to still require writing unsafe fn and only unsafety checker need to be enhanced to allow calling unsafe functions without unsafe blocks in the situations known to be safe.

That would be even less magic, which is good, IMO.
The ergonomic regression would be minor because unsafe would still be not required at call sites.

[nikomatsakis]

Good catch. Another option is that referencing, not calling, a target-feature function is unsafe, but I guess that is a bit inconsistent given that this already compiles (playground):

#[target_feature(enable="avx")]
unsafe fn use_avx() {
    println!("Hello from AVX")
}

fn call_it(f: impl FnOnce()) {
    f();
}

fn main() {
    let x = use_avx;
}

In other words, accessing a safe target feature 1.1 function would be unsafe (unless the target feature is in scope), not just calling it.

I think that this is what I would expect somehow, but I would expect it to apply uniformly to both safe and unsafe target feature functions (and that's not an option).

Or perhaps the RFC should be revised to still require writing unsafe fn and only unsafety checker need to be enhanced to allow calling unsafe functions without unsafe blocks in the situations known to be safe.

The downside of this approach is that we don't know why the function was declared unsafe, not really -- was it only because of the target feature? Or were there additional requirements that would have made it unsafe?

[hanna-kruppe]

The downside of this approach is that we don't know why the function was declared unsafe, not really -- was it only because of the target feature? Or were there additional requirements that would have made it unsafe?

For example, a whole bunch of core::arch::* functions take raw pointers and use them to access memory, so they need to be unsafe even if the respective target feature is enabled in the calling context.

[petrochenkov]

The downside of this approach is that we don't know why the function was declared unsafe, not really -- was it only because of the target feature? Or were there additional requirements that would have made it unsafe?

Ah, right, that's a good argument.
The "unsafety checker enhancement" should only affect unsafe functions that are made unsafe through #[target_feature], but not other means (explicit unsafe or extern block).