Extends AArch64 branch protection support to include GCS #146338

CrooseGit · 2025-09-08T15:32:01Z

Extends existing support for AArch64 branch protection to include support for Guarded Control Stacks.

rustbot · 2025-09-08T15:32:06Z

rustbot has assigned @davidtwco.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

rustbot · 2025-09-08T15:32:10Z

Some changes occurred in src/doc/unstable-book/src/compiler-flags/branch-protection.md

cc @rust-lang/project-exploit-mitigations, @rcvalle

davidtwco · 2025-09-08T15:35:55Z

I've reviewed this internally so will reroll. GCS is exposed in Clang through their -mbranch-protection flag, so this just mirrors that like the rest of this flag.

r? compiler

Urgau

Seems pretty straightforward, and looks consistent with clang.

View changes since this review

tests/ui/invalid-compile-flags/branch-protection-missing-pac-ret.BADFLAGS.stderr

Urgau · 2025-09-08T16:11:04Z

r=me with the updated test output and CI green

r? Urgau
@bors delegate+

bors · 2025-09-08T16:11:07Z

✌️ @CrooseGit, you can now approve this pull request!

If @Urgau told you to "r=me" after making some further change, please make that change, then do @bors r=@Urgau

nnethercote

Thanks, @Urgau!

View changes since this review

Urgau · 2025-09-09T15:27:04Z

Does your local rustc uses LLVM 19 (like the job)? Or are you building LLVM locally/with download-ci-llvm?

davidtwco · 2025-09-09T16:48:11Z

Checked locally and it's the LLVM version that is causing this, just add a //@ min-llvm-version: 21 directive only for the GCS revision (or //@ min-llvm-version: 20 if it works with that version).

CrooseGit · 2025-09-11T09:51:30Z

@bors r=@Urgau

Thank you

bors · 2025-09-11T09:51:33Z

📌 Commit 661289b has been approved by Urgau

It is now in the queue for this repository.

…<try> Extends AArch64 branch protection support to include GCS try-job: *aarch64*

rust-bors · 2025-09-16T17:41:00Z

💔 Test for 6f90524 failed: CI. Failed jobs:

try - aarch64-gnu-debug (web logs, extended logs)

src/ci/docker/host-aarch64/aarch64-gnu-debug/Dockerfile

- Adds option to rustc config to enable GCS - Passes `guarded-control-stack` flag to llvm if enabled

rustbot · 2025-09-18T13:30:07Z

This PR was rebased onto a different master commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

rust-bors · 2025-09-18T13:31:44Z

@CrooseGit: 🔑 Insufficient privileges: not in try users

Urgau · 2025-09-18T19:56:30Z

src/ci/docker/host-aarch64/aarch64-gnu-llvm-20/Dockerfile

 RUN apt-get update && apt-get install -y --no-install-recommends \
  bzip2 \
-  g++ \
+  g++-15 \


Seems like installing a specific version of g++ doesn't provide the cc binary by default.

I tested adding the update-alternatives to provide gcc, cc, g++ and cxx and that fixes the issue about cc not being provided.

# Link standard gcc binary to the g++-15 ones RUN update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-15 10 \ && update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-15 10 \ && update-alternatives --install /usr/bin/cc cc /usr/bin/gcc-15 30 \ && update-alternatives --install /usr/bin/cxx cxx /usr/bin/g++-15 30

(to be added after the install in this Dockerfile)

Just seen this, thank you very much for looking into this issue.
I believe I found an alternative fix for the problem, changing the Ubuntu version to 25.10 for the builds where the above is a problem gives you gcc15 as the default. It is passing when I run the CI locally. Of course if it fails now I shall try your solution.

davidtwco · 2025-09-19T12:00:52Z

cc @rust-lang/infra for the CI image changes

Urgau · 2025-09-19T12:03:24Z

@bors try jobs=aarch64

…<try> Extends AArch64 branch protection support to include GCS try-job: *aarch64*

rust-bors · 2025-09-19T13:28:14Z

💔 Test for d260a23 failed: CI. Failed jobs:

try - aarch64-apple (web logs, extended logs)

Urgau · 2025-09-19T16:49:12Z

@bors try jobs=aarch64

…<try> Extends AArch64 branch protection support to include GCS try-job: *aarch64*

rust-bors · 2025-09-19T18:09:24Z

💔 Test for c3587c9 failed: CI. Failed jobs:

try - aarch64-apple (web logs, extended logs)

jieyouxu · 2025-09-20T04:43:21Z

src/ci/docker/host-aarch64/aarch64-gnu-debug/Dockerfile

@@ -1,8 +1,8 @@
-FROM ubuntu:22.04
+FROM ubuntu:25.04


Question: doesn't this mean that we no longer test if we can build against Ubuntu 22?

jieyouxu · 2025-09-20T04:44:11Z

src/ci/docker/host-aarch64/aarch64-gnu-debug/Dockerfile

 ARG DEBIAN_FRONTEND=noninteractive
 RUN apt-get update && apt-get install -y --no-install-recommends \
-  g++ \
+  g++-15 \


Question: ... and for that matter, is this a higher g++ baseline? (I'm not super sure.)

GCS support was added to GCC in version 15, thus the rmake test for this patch requires GCC15 Similarly, the ubuntu version is updated so the newer clang version is available, and/or GCC15 is the default.

rustbot assigned davidtwco Sep 8, 2025

rustbot assigned nnethercote and unassigned davidtwco Sep 8, 2025

Urgau approved these changes Sep 8, 2025

View reviewed changes

tests/ui/invalid-compile-flags/branch-protection-missing-pac-ret.BADFLAGS.stderr Outdated Show resolved Hide resolved

rustbot assigned Urgau Sep 8, 2025

rustbot unassigned nnethercote Sep 8, 2025