Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RFC: Implement RealtimeSanitizer (RTSan) support, add #[realtime(nonblocking)], #[realtime(blocking)] attributes #3766

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

RFC: Implement RealtimeSanitizer (RTSan) support, add #[realtime(nonblocking)], #[realtime(blocking)] attributes #3766

Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
adc27b3
Implement RealtimeSanitizer (RTSan) support, add `#[nonblocking]`,
cjappl Jan 30, 2025
11a2711
PR: Clean up mentions of unsafe
cjappl Feb 1, 2025
f844ab8
PR: Fix wording 'an upper bound'
cjappl Feb 1, 2025
4348f86
PR: Change attr name to `realtime(nonblocking)` `realtime(blocking)`
cjappl Feb 1, 2025
8568f5c
Change document to match PR number
cjappl Feb 3, 2025
8043b62
Add PR link to document
cjappl Feb 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
270 changes: 270 additions & 0 deletions text/0000-rtsan-and-attributes.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,270 @@
- Feature Name: RealtimeSanitizer, `nonblocking` and `blocking` attributes
- Start Date: 2025-01-30
- RFC PR:
- Rust Issue:

# Summary
[summary]: #summary

Many software projects that utilize Rust are subject to real-time constraints. Software that is written for use in audio, embedded, robotics, and aerospace must adhere to strict deterministic-time execution or face consequences that may be catastrophic. LLVM 20 introduces RealtimeSanitizer, one approach to detecting and reporting disallowed non-deterministic execution time calls in real-time contexts.

This RFC proposes that RealtimeSanitizer be integrated into the Rust ecosystem. To serve that end, we propose a few changes, outlined in this document:

1. RealtimeSanitizer can be enabled in unstable mode - like the other sanitizers
2. The introduction of `nonblocking` (marking a function as real-time constrained) and `blocking` (marking a function as inappropriate for use in a `nonblocking` context)
3. The addition of the `rtsan_scoped_disabler!` macro
4. Disabling rtsan for the `panic!` and `assert*!` macros

# Motivation
[motivation]: #motivation

Increasingly, Rust is being used in problem spaces that are real-time constrained, such as audio, robotics, aerospace and embedded. Real-time programming is defined by deadlines - if a solution is not provided by a specific deadline, some consequence may occur.

For example:

> In an autonomous vehicle perception subsystem, it is not enough to detect an obstacle and decide to stop in some unknown amount of time. You must detect the obstacle AND stop within N ms, or you may crash.

> In audio, you must fill a buffer and pass it back to the operating system within N ms, otherwise your user may hear a click or pop which may damage their audio equipment, or minimally annoy them.

> In aerospace guidance systems if your software doesn't update on a regular tick your simulation of what is happening may diverge from reality. Unfortunately this may also mean your rocket converges with the ground.

Code in these environments must run in a deterministic amount of time. Allocations, locks, and other OS resource access are disallowed because they don't have bound upper execution time.

**Historically, it has been very difficult for programmers to detect these issues in their code. RealtimeSanitizer is one approach to detecting real-time safety issues before they run on end-users machines.**

A few resources that go into more depth on real-time programming:
* https://en.wikipedia.org/wiki/Real-time_computing
* http://www.rossbencina.com/code/real-time-audio-programming-101-time-waits-for-nothing
* https://www.youtube.com/watch?v=ndeN983j_GQ

# Guide-level explanation
[guide-level-explanation]: #guide-level-explanation

[RealtimeSanitizer](https://clang.llvm.org/docs/RealtimeSanitizer.html) can detect and alert users to real-time safety issues when they occur. This new sanitizer has been integrated into LLVM 20. You can explore this tool using clang in Compiler Explorer using the `-fsanitize=realtime` flag. This proposal aims to mimic much of the behavior available in clang.

A function marked with the new attribute `nonblocking` is the real-time restricted execution context. **In these `nonblocking` functions, two broad sets of actions are disallowed:**

1. Intercepted calls into libc, such as `malloc`, `socket`, `write`, `pthread_mutex_*` and many more, representing a broad collection of allocations, locks and system calls.

Each of these actions are known to have non-deterministic execution time. When these actions occur during a `nonblocking` function, or any function invoked by this function, they print the stack and abort.

[Example of this working in Compiler Explorer in C++](https://godbolt.org/z/sPTh63o67).

The full list of intercepted functions can be found on [GitHub](https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/rtsan/rtsan_interceptors_posix.cpp), and is continually growing.

2. User defined functions marked `blocking`

The new `blocking` attribute allows users to mark a function as unsafe for real-time contexts.

[Example of this working in Compiler Explorer in C++](https://godbolt.org/z/dErqE5nnM)

One classic example of this is a spin-lock `lock` method. Spin locks do not call into a `pthread_mutex_lock`, so they cannot be intercepted. However they are still prone to spinning indefinitely, so they are unsafe in real-time contexts. The `blocking` attribute allows a user to document this behavior in their code.

An example of an improper allocation being detected in a `nonblocking` function:
```rust
> cat example/src/main.rs
#[nonblocking]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Attribute naming thread

Existing comments: #3766 (comment) , #3766 (comment) , #3766 (comment)

I'll toss my hat in for realtime(constrained) to mark a "please validate this function" root, and realtime(blocking) to mark a function as forbidden underneath a validation root. Further naming work is needed to have separate validation classes for "blocking event loop" (target 20Hz 50ms) versus "blocking the frame timer" (target 120Hz 8ms - you cannot call Windows Thread sleep) versus "hard realtime" (no allocations)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reading further, I see rtsan_scoped_disabler!. I already had text typed to propose realtime(unconstrained) for that usecase, but deleted it after I realized that wasn't the two primary attributes.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like realtime(constrained) and realtime(blocking). I would be OK with that being the two.

Any thoughts other co-authors @steckes @davidtrevelyan?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can get on board with this style, for sure! If we're happy with realtime(blocking), would we also be happy with realtime(nonblocking)? I suggest this in an effort to maintain the blocking/nonblocking symmetry and consistency with clang, while at the same time being explicit about it being realtime blocking/nonblocking (and thereby reducing confusion with other definitions of blocking and nonblocking). What do you think?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would also like to keep it closer to the original documentation, so it is less confusing.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would also support realtime(nonblocking/blocking). This may be the best of both worlds as it keeps the documentation green, and doesn't collide with any async work. Any thoughts @riking @clarfonthey @programmerjake?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems good to me!

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have updated the doc to use realtime(nonblocking/blocking) because of the support of all original authors and no objections (thusfar). Of course this can be changed again if more feedback comes in :)

pub fn process() {
let audio = vec![1.0; 256]; // allocates memory
}

fn main() {
process();
}

> cargo run --package example
==16304==ERROR: RealtimeSanitizer: unsafe-library-call
Intercepted call to real-time unsafe function `malloc` in real-time context!
#0 0x0001052c5bcc in malloc+0x20 (libclang_rt.rtsan_osx_dynamic.dylib:arm64+0x5bcc)
#1 0x000104cd7360 in alloc::alloc::alloc::h213dba927a6f8af7 alloc.rs:98
#2 0x000104cd7478 in alloc::alloc::Global::alloc_impl::h7034d3dd14644937 alloc.rs:181
#3 0x000104cd7bac in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..Allocator$GT$::allocate::hd5e7c341a83b5ed4 alloc.rs:241
... snip ...
#11 0x000104cd7d30 in std::sys::backtrace::__rust_begin_short_backtrace::h73bbd1f9991c56fb backtrace.rs:154
#12 0x000104cd72cc in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::hf6a09edd6941dbc1 rt.rs:164
#13 0x000104cf1958 in std::rt::lang_start_internal::h9e88109c8deb8787+0x324 (example:arm64+0x10001d958)
#14 0x000104cd7298 in std::rt::lang_start::ha4c268826019738b rt.rs:163
#15 0x000104cd9658 in main+0x20 (example:arm64+0x100005658)
#16 0x00018d8860dc (<unknown module>)
#17 0xf062fffffffffffc (<unknown module>)

SUMMARY: RealtimeSanitizer: unsafe-library-call alloc.rs:98 in alloc::alloc::alloc::h213dba927a6f8af7
fish: Job 1, 'cargo run --package example --f…' terminated by signal SIGABRT (Abort)
```
# Reference-level explanation
[reference-level-explanation]: #reference-level-explanation

We would like to propose that RTSan be integrated into Rust using similar semantics to clang.

There are a few sub-pieces to consider when integrating RTSan:
### The integration of the sanitizer

Similar to ASan and TSan, we propose adding RTSan as an unstable feature. Enabling RTSan will be done via the same method.

```
RUSTFLAGS=-Zsanitizer=realtime cargo build
```

Much of the heavy lifting in this tool is done in the LLVM IR and runtime library, so the changes to `rustc` front-end should be light.

This process to enable a sanitizer has been completed by many of the other LLVM sanitizers, and we would follow their template for exposing the RUSTFLAGS.

[PR adding support for lsan, tsan, msan, asan](https://github.com/rust-lang/rust/pull/38699)

### The addition two new outer attributes to rust - `#[nonblocking]` `#[blocking]`

`#[nonblocking]` defines a scope as real-time constrained. During this scope, one cannot call any intercepted call (`malloc`, `socket` etc) or call any function marked `#[blocking]`. The rustc front-end will parse the `#[nonblocking]` attribute and add the LLVM attribute `llvm::Attribute::SanitizeRealtime`. This will leave most of the work to the already-implemented LLVM instrumentation pass.

`#[blocking]` defines a function as unfit for execution within a `#[nonblocking]` function. The rustc front-end will parse the `#[blocking]` attribute and add the LLVM attribute `llvm::Attribute::SanitizeRealtimeBlocking`.

The example in the previous section shows that the interceptors written for the RealtimeSanitizer runtime are mostly shared across Rust and C/C++. Rust calls into libc `malloc` for basic allocation operations so it is automatically intercepted with no additional changes to the Rust version. A vast majority of the unsafe behavior that RTSan detects will be detected in this way.

Users may also mark their own functions as unfit for a `nonblocking` context with the `#[blocking]` attribute, as seen below. This allows for detection of calls that do not result in a system call, but may be non-deterministically delayed.

```rust
#[blocking]
fn spin() {
loop {}
}


#[nonblocking]
fn process() {
spin();
}

fn main() {
process();
}
> cargo run --package example --features rtsan
Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.05s
Running `target/debug/example`
==16364==ERROR: RealtimeSanitizer: blocking-call
Call to blocking function `spin` in real-time context!
#0 0x0001021a6940 in rtsan::notify_blocking_call::ha111b6bcc1e1c566+0x24 (example:arm64+0x100002940)
#1 0x0001021a6864 in example::spin::h3f7c52e56f3fcffa main.rs:1
#2 0x0001021a6880 in example::process::hace23451997fd8f2 main.rs:9
#3 0x0001021a6840 in example::main::h700c0ae2eb60a977 main.rs:16
#4 0x0001021a670c in core::ops::function::FnOnce::call_once::hd7f394a2ba7ce532 function.rs:250
#5 0x0001021a6824 in std::sys::backtrace::__rust_begin_short_backtrace::h73bbd1f9991c56fb backtrace.rs:154
#6 0x0001021a67ec in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::hf6a09edd6941dbc1 rt.rs:164
#7 0x0001021bebbc in std::rt::lang_start_internal::h9e88109c8deb8787+0x324 (example:arm64+0x10001abbc)
#8 0x0001021a67b8 in std::rt::lang_start::ha4c268826019738b rt.rs:163
#9 0x0001021a68b4 in main+0x20 (example:arm64+0x1000028b4)
#10 0x00018d8860dc (<unknown module>)
#11 0x4c3d7ffffffffffc (<unknown module>)

SUMMARY: RealtimeSanitizer: blocking-call (example:arm64+0x100002940) in rtsan::notify_blocking_call::ha111b6bcc1e1c566+0x24
fish: Job 1, 'cargo run --package example --f…' terminated by signal SIGABRT (Abort)

```

### The addition of the `rtsan_scoped_disabler!` macro
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@steckes @programmerjake starting a thread to discuss changing or not changing this macro name (so it's not in the main thread)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@steckes and @programmerjake just poking this conversation here on the name of this proposed macro. Interested to see if you have any new thoughts.

After thinking about it some more, I think I support the original proposal of rtsan_scoped_disabler!. There are a couple reasons why I think this is right:

  1. Because we are using the attributes similar to the clang variables, rtsan_scoped_disabler! also follows the rule of keeping as much documentation and education out there green, because it matches the clang name. It will match all of the LLVM docs, any tech talks and documentation in other languages.
  2. no_sanitize_realtime would overload the attribute of the same name, so I'm not sure it's quite right. Users may be confused why this is sometimes a macro and sometimes an attribute.
  3. While assume_realtime_unchecked! is great because it's general, it may be preferable to do the opposite and be as specific as possible until such an extension is actually needed. rtsan_scoped_disabler! is unambiguous what tool it is referring to. If some time in the future there is some additional real-time checking tool, we can add some "umbrella macro" assume_realtime_unchecked!. Because we have no conception of what that tool could be, or how it may work, I think there is a case to make this macro as specific to rtsan as possible. I think this follows a kind of atomic design principle.

Open to any feedback or discussion as always.


It will be important to allow users to opt-out of rtsan detection for a specific scope. This may be useful if the end user thinks RTsan has a false positive, or it happens in third-party code they don't control.

We propose addition of the `rtsan_scoped_disabler!` macro:
```rust
#[nonblocking]
fn process() {
rtsan_scoped_disabler!({
Copy link
Contributor

@madsmtm madsmtm Jan 31, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not familiar with the implementation of RealtimeSanitizer, but would it be possible to implement this kind of thing / sanitizer/rtsan_interface.h in a crate instead? I recall that something like that is possible with Callgrind.

If that's the case, you could perhaps downscope this to just "add RealtimeSanitizer and std support", and let users figure it out for themselves to do something else on cfg!(sanitize = "realtime") if they have some API themselves that they want to mark as realtime.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I understand, could you elaborate more?

As for internal details, let me give you some more info to help understand the inner workings of rtsan.

The main component is the sanitizer runtime library. This is a simple dynamic library, similar to the runtime components of tsan, asan etc. Like any shared library, if you have the header and the compiled library you can include it in your binary.

So, it would be possible to include the header, and link against the shared library. In fact, we made a standalone proof of concept crate to work out many of the kinks of rtsan in rust and write this proposal, that can be seen here:

https://github.com/realtime-sanitizer/rtsan-standalone-rs

With an article from @steckes on his blog on how he implemented and lessons he learned (not necessary to read for this RFC, but may provide additional info): https://steck.tech/posts/rtsan-in-rust/

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, assuming that std can get special treatment and thus we don't need to worry about that for the design of the feature / the public API, the main part is that rustc is going to link in this shared libclang_rt.rtsan* library when you enable -Zsantizer=realtime (or -Csantizer=realtime), right?

If that is done, could the rtsan-standalone-rs crate be updated such that e.g. realtime_enter would be defined as the following?

pub fn realtime_enter() {
    #[cfg(all(sanitize = "realtime", any(target_os = "macos", target_os = "linux")))]
    unsafe { rtsan_standalone_sys::__rtsan_realtime_enter() };
}

Along with rtsan-standalone-sys being updated to not do anything in build.rs (because rustc already does it for it)?

(Remember that the sanitize = "..." cfg is already provided for the other sanitizers).

If so, then I don't see the reason why these attributes has to be exposed by rustc as a language feature?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My argument here is not so much against a built-in #[blocking] etc., it's just that, if we can avoid having this in the language, and restrict it to just adding a rustc flag, then there's a much higher probability that the feature will be accepted (actually, then I don't even think you'd need an RFC, at most an MCP. But I'm not a compiler team member, so I can't say that for sure).

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, assuming that std can get special treatment and thus we don't need to worry about that for the design of the feature / the public API, the main part is that rustc is going to link in this shared libclang_rt.rtsan* library when you enable -Zsantizer=realtime (or -Csantizer=realtime), right?

Yes, you're correct in your understanding here!

If that is done, could the rtsan-standalone-rs crate be updated such that e.g. realtime_enter would be defined as the following?

pub fn realtime_enter() {
    #[cfg(all(sanitize = "realtime", any(target_os = "macos", target_os = "linux")))]
    unsafe { rtsan_standalone_sys::__rtsan_realtime_enter() };
}

Along with rtsan-standalone-sys being updated to not do anything in build.rs (because rustc already does it for it)?

(Remember that the sanitize = "..." cfg is already provided for the other sanitizers).

If so, then I don't see the reason why these attributes has to be exposed by rustc as a language feature?

I see what you're saying, I think! I agree this would make it easier to accept/deny this RFC, the most controversial part is definitely the addition of the attributes (and changes to assert, panic etc).

However, as an end user, I think it would be strange for the compiler to expose the flag, link the library and do nothing until I downloaded and used another third party crate (rtsan-standalone-rs). I think a good proposal from the end users perspective would allow them to do everything with only rustc, not relying on a third party crate.

I think the addition of the attributes into the standard would also encourage libraries to document their expectations - far in the future you could imagine just looking at the signature of functions and reasoning about if they are real-time safe because they have the attribute.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the most controversial part is definitely the addition of the attributes

Again, I'm not the one that's gonna make a decision here, but personally, I would like to evaluate the merits of such attributes separately from the actual sanitizer being added.

However, as an end user, I think it would be strange for the compiler to expose the flag
the addition of the attributes into the standard would also encourage libraries to document their expectations

That's fair, and I agree that having this in the language/std could have ecosystem effects, but then I think the RFC should be written around that; or at least have a section that says "why does this belong in the language/std".

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again, I'm not the one that's gonna make a decision here, but personally, I would like to evaluate the merits of such attributes separately from the actual sanitizer being added.

In our initial zulip thread, one of the compiler team members said we did not need an RFC for adding the sanitizer, only the attributes (see the thread). However, to piece together the RFC we thought it made most sense to provide all of the context in which the attributes will be used.

Definitely we expect most of the conversation here to be around the attributes!

I'll wait a bit to see what some others say about this. Thanks for the feedback so far, it's appreciated.

let audio = vec![1.0; 256]; // report is suppressed
});
}
```

When rtsan is not enabled with RUSTFLAGS, this will become a no-op, so it will be safe for users to leave in their code.

We are open to advice on which file this macro belongs in.

### Run-time suppression list
There is one other way to opt-out of rtsan checking which will automatically work with Rust.

Users may specify suppression lists, which may be passed in via an environment variable
```
> cat suppressions.supp
call-stack-contains:*spin*
> RTSAN_OPTIONS=suppressions=suppressions.supp cargo run
```

### `no_sanitize`
Another approach we could take is similar to the ASan and TSan `no_sanitize` attribute. We advocate for the scoped disabler macro, as it allows users to specify a more specific scope to disable the tool in. This means users will not have to extract real-time unsafe code into helper functions to disable them at the function level.

To match the other sanitizers, adding in `no_sanitize` could be considered instead of/in addition to the macro, depending on input on this RFC.

### Disabling RealtimeSanitizer in the `panic!` and all `assert!` macros.

If users rely on `panic!` or `assert!` while running under RealtimeSanitizer, they will hit an intercepted call before the message is printed.

For example:

```rust
#[nonblocking]
fn processor(buffer: &[f32]) {
buffer[512]; // Oops, out of bounds!! should panic!
}

processor(&[0.0; 512]);
```

Running under RTSan the user gets this message. This is due to some memory being allocated to prepare to print the panic message.
```
==31969==ERROR: RealtimeSanitizer: unsafe-library-call
Intercepted call to real-time unsafe function `malloc` in real-time context!
```

A user should expect this out of bounds access to print:
```
index out of bounds: the len is 512 but the index is 512
```

To adhere to this expected behavior, RTSan should be disabled for `panic!` and each of the assertion macros: `assert`, `assert_eq`, `assert_ne`, `debug_assert`, `debug_assert_eq`, `debug_assert_ne`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that it would be possible to make panic! and the following backtrace process not allocate, but obviously it currently does.


# Drawbacks
[drawbacks]: #drawbacks

Many of the drawbacks are minimized by the fact that RTSan will only be available in unstable Rust, until the rest of the sanitizers are stabilized this is not likely to change.

Introducing new attributes to the language means more code bloat and maintenance cost.

RTSan may also inadvertently increase the number of "bug reports" the rust language gets if the real-time safety of a standard library implementation changes.

For instance, let's pretend the standard library exposes `foo::bar()`, which then gets used in real-time code, checked with RealtimeSanitizer, and is later changed to have an allocation. The end user detecting this change could file a bug against the standard library complaining about the new allocation and asking the new allocation to be reverted.

In the opinion of the author, unless `foo::bar()` is annotated as `nonblocking` this should be closed as "Not A Bug", but dealing with this case still takes resources from the maintainers.

# Rationale and alternatives
[rationale-and-alternatives]: #rationale-and-alternatives

RealtimeSanitizer is a run-time approach to detecting real-time safety issues. The run-time approach has many positives, but also some drawbacks. As an alternative to this approach, we could do a compile time check that any `nonblocking` function can only call other `nonblocking` functions. This would be similar to LLVM's new [function effect analysis system](https://clang.llvm.org/docs/FunctionEffectAnalysis.html).

We designed RTSan hand-in-hand with the static functions effects system, and through that design process we came to the conclusion the compile-time and run-time approaches complement each other. It is our recommendation that if a static approach is considered, it is done **in addition** to rtsan, not **instead of**.

Some strengths of rtsan/run-time detection:
- Lighter weight on the end code-writer, easier to get started.
- Isn't prone to false-positives, like pushing into a pre-reserved vector.
- Can easily work with third party libraries.
- Can "see through" false annotations, and sanity check a partial implementation of the static approach.

Some strengths of a static approach:
- Heavier lift to get started for the end code-writer, but more foolproof in the end.
- Not prone to false negatives, if some path is not hit in the code, or an interceptor is not implemented.

Overall, both approaches complement each other. Taking this proposal would allow for a future extension of a function-effects-like system to be added to rustc in the future.


# Prior art
[prior-art]: #prior-art

[A link to RealtimeSanitizer in C/C++ in LLVM 20.](https://clang.llvm.org/docs/RealtimeSanitizer.html)

# Unresolved questions
[unresolved-questions]: #unresolved-questions

* What file should the `rtsan_scoped_disabler!` macro be inserted into?
* Should `no_sanitize` be supported in addition to `rtsan_scoped_disabler`?

# Future possibilities
[future-possibilities]: #future-possibilities

As stated above in Rationales and Alternatives, the addition of the `nonblocking` and `blocking` attributes allows for a future static analysis extension similar to clang's function effect analysis system.