rust-lang · madsmtm · Sep 11, 2025 · Sep 2, 2025 · Sep 11, 2025 · Sep 11, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -24,6 +24,7 @@ anstyle = "1.0.11"
 anyhow = "1.0.98"
 base64 = "0.22.1"
 blake3 = "1.8.2"
+block2 = "0.6.1"
 build-rs = { version = "0.3.1", path = "crates/build-rs" }
 cargo = { path = "" }
 cargo-credential = { version = "0.4.2", path = "credential/cargo-credential" }
@@ -69,6 +70,7 @@ libgit2-sys = "0.18.2"
 libloading = "0.8.8"
 memchr = "2.7.5"
 miow = "0.6.0"
+objc2 = "0.6.2"
 opener = "0.8.2"
 openssl = "0.10.73"
 openssl-sys = "0.9.109"
@@ -253,6 +255,11 @@ features = [
   "Win32_System_Threading",
 ]
 
+# For ExecutionPolicy framework interaction.
+[target.'cfg(target_vendor = "apple")'.dependencies]
+block2.workspace = true
+objc2.workspace = true
+
 [dev-dependencies]
 annotate-snippets = { workspace = true, features = ["testing-colors"] }
 cargo-test-support.workspace = true

diff --git a/src/bin/cargo/commands/install.rs b/src/bin/cargo/commands/install.rs
@@ -216,7 +216,7 @@ pub fn exec(gctx: &mut GlobalContext, args: &ArgMatches) -> CliResult {
 
     let mut compile_opts = args.compile_options(
         gctx,
-        UserIntent::Build,
+        UserIntent::Install,
         workspace.as_ref(),
         ProfileChecking::Custom,
     )?;

diff --git a/src/cargo/core/compiler/build_config.rs b/src/cargo/core/compiler/build_config.rs
@@ -1,4 +1,5 @@
 use crate::core::compiler::CompileKind;
+use crate::core::features::DetectAntivirus;
 use crate::util::context::JobsConfig;
 use crate::util::interning::InternedString;
 use crate::util::{CargoResult, GlobalContext, RustfixDiagnosticServer};
@@ -52,6 +53,9 @@ pub struct BuildConfig {
     pub sbom: bool,
     /// Build compile time dependencies only, e.g., build scripts and proc macros
     pub compile_time_deps_only: bool,
+    /// Whether we should try to detect and notify the user when antivirus
+    /// software might make newly created binaries slow to launch.
+    pub detect_antivirus: DetectAntivirus,
 }
 
 fn default_parallelism() -> CargoResult<u32> {
@@ -127,6 +131,19 @@ impl BuildConfig {
             _ => Vec::new(),
         };
 
+        let detect_antivirus = match (cfg.detect_antivirus, gctx.cli_unstable().detect_antivirus) {
+            // Warn while the config is still unstable.
+            (Some(_), DetectAntivirus::Never) => {
+                gctx.shell().warn(
+                    "ignoring 'build.detect-antivirus' config, pass `-Zdetect-antivirus` to enable it",
+                )?;
+                DetectAntivirus::Never
+            }
+            // Allow overriding with config.
+            (Some(false), _) => DetectAntivirus::Never,
+            (_, flag) => flag,
+        };
+
         Ok(BuildConfig {
             requested_kinds,
             jobs,
@@ -145,6 +162,7 @@ impl BuildConfig {
             timing_outputs,
             sbom,
             compile_time_deps_only: false,
+            detect_antivirus,
         })
     }
 
@@ -280,12 +298,14 @@ impl CompileMode {
 ///
 /// For example, when a user runs `cargo test`, the intent is [`UserIntent::Test`],
 /// but this might result in multiple [`CompileMode`]s for different units.
-#[derive(Clone, Copy, Debug)]
+#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
 pub enum UserIntent {
     /// Build benchmark binaries, e.g., `cargo bench`
     Bench,
-    /// Build binaries and libraries, e.g., `cargo run`, `cargo install`, `cargo build`.
+    /// Build binaries and libraries, e.g., `cargo run`, `cargo build`, `cargo rustc`.
     Build,
+    /// Build binaries and libraries for installing, e.g. `cargo install`.
+    Install,
     /// Perform type-check, e.g., `cargo check`.
     Check { test: bool },
     /// Document packages.

diff --git a/src/cargo/core/features.rs b/src/cargo/core/features.rs
@@ -400,6 +400,38 @@ impl FromStr for FixEdition {
     }
 }
 
+/// The value for `-Zdetect-antivirus`.
+#[derive(Debug, Deserialize, Default, PartialEq, Eq, Hash, Copy, Clone)]
+#[serde(rename_all = "lowercase")]
+pub enum DetectAntivirus {
+    /// Always detect antivirus.
+    ///
+    /// This is useful when testing the feature, but isn't expected to be
+    /// useful to the general user.
+    Always,
+    /// Detect antivirus, but only when deemed reasonable.
+    ///
+    /// This is intended to be the default in the future.
+    Auto,
+    /// Never attempt to detect antivirus.
+    #[default]
+    Never,
+}
+
+impl FromStr for DetectAntivirus {
+    type Err = anyhow::Error;
+    fn from_str(s: &str) -> Result<Self, <Self as FromStr>::Err> {
+        Ok(match s {
+            "always" => Self::Always,
+            "auto" => Self::Auto,
+            "never" => Self::Never,
+            _ => bail!(
+                "invalid `-Zdetect-antivirus`, expected `always`, `auto` or `never`, got `{s}`"
+            ),
+        })
+    }
+}
+
 #[derive(Debug, PartialEq)]
 enum Status {
     Stable,
@@ -854,6 +886,7 @@ unstable_cli_options!(
     checksum_freshness: bool = ("Use a checksum to determine if output is fresh rather than filesystem mtime"),
     codegen_backend: bool = ("Enable the `codegen-backend` option in profiles in .cargo/config.toml file"),
     config_include: bool = ("Enable the `include` key in config files"),
+    detect_antivirus: DetectAntivirus = ("Enable the experimental antivirus detection and the config option to disable it"),
     direct_minimal_versions: bool = ("Resolve minimal dependency versions instead of maximum (direct dependencies only)"),
     dual_proc_macros: bool = ("Build proc-macros for both the host and the target"),
     feature_unification: bool = ("Enable new feature unification modes in workspaces"),
@@ -1373,6 +1406,7 @@ impl CliUnstable {
             "codegen-backend" => self.codegen_backend = parse_empty(k, v)?,
             "config-include" => self.config_include = parse_empty(k, v)?,
             "direct-minimal-versions" => self.direct_minimal_versions = parse_empty(k, v)?,
+            "detect-antivirus" => self.detect_antivirus = v.unwrap_or("auto").parse()?,
             "dual-proc-macros" => self.dual_proc_macros = parse_empty(k, v)?,
             "feature-unification" => self.feature_unification = parse_empty(k, v)?,
             "fix-edition" => {

diff --git a/src/cargo/ops/cargo_compile/compile_filter.rs b/src/cargo/ops/cargo_compile/compile_filter.rs
@@ -219,17 +219,18 @@ impl CompileFilter {
         match intent {
             UserIntent::Test | UserIntent::Doctest | UserIntent::Bench => true,
             UserIntent::Check { test: true } => true,
-            UserIntent::Build | UserIntent::Doc { .. } | UserIntent::Check { test: false } => {
-                match *self {
-                    CompileFilter::Default { .. } => false,
-                    CompileFilter::Only {
-                        ref examples,
-                        ref tests,
-                        ref benches,
-                        ..
-                    } => examples.is_specific() || tests.is_specific() || benches.is_specific(),
-                }
-            }
+            UserIntent::Build
+            | UserIntent::Install
+            | UserIntent::Doc { .. }
+            | UserIntent::Check { test: false } => match *self {
+                CompileFilter::Default { .. } => false,
+                CompileFilter::Only {
+                    ref examples,
+                    ref tests,
+                    ref benches,
+                    ..
+                } => examples.is_specific() || tests.is_specific() || benches.is_specific(),
+            },
         }
     }
 

diff --git a/src/cargo/ops/cargo_compile/mod.rs b/src/cargo/ops/cargo_compile/mod.rs
@@ -43,9 +43,10 @@ use crate::core::compiler::UserIntent;
 use crate::core::compiler::unit_dependencies::build_unit_dependencies;
 use crate::core::compiler::unit_graph::{self, UnitDep, UnitGraph};
 use crate::core::compiler::{BuildConfig, BuildContext, BuildRunner, Compilation};
-use crate::core::compiler::{CompileKind, CompileTarget, RustcTargetData, Unit};
+use crate::core::compiler::{CompileKind, CompileMode, CompileTarget, RustcTargetData, Unit};
 use crate::core::compiler::{CrateType, TargetInfo, apply_env_config, standard_lib};
 use crate::core::compiler::{DefaultExecutor, Executor, UnitInterner};
+use crate::core::features::DetectAntivirus;
 use crate::core::profiles::Profiles;
 use crate::core::resolver::features::{self, CliFeatures, FeaturesFor};
 use crate::core::resolver::{HasDevUnits, Resolve};
@@ -55,7 +56,7 @@ use crate::ops;
 use crate::ops::resolve::{SpecsAndResolvedFeatures, WorkspaceResolve};
 use crate::util::context::{GlobalContext, WarningHandling};
 use crate::util::interning::InternedString;
-use crate::util::{CargoResult, StableHasher};
+use crate::util::{CargoResult, StableHasher, detect_antivirus};
 
 mod compile_filter;
 pub use compile_filter::{CompileFilter, FilterRule, LibRule};
@@ -228,7 +229,11 @@ pub fn create_bcx<'a, 'gctx>(
 
     // Perform some pre-flight validation.
     match build_config.intent {
-        UserIntent::Test | UserIntent::Build | UserIntent::Check { .. } | UserIntent::Bench => {
+        UserIntent::Test
+        | UserIntent::Build
+        | UserIntent::Install
+        | UserIntent::Check { .. }
+        | UserIntent::Bench => {
             if ws.gctx().get_env("RUST_FLAGS").is_ok() {
                 gctx.shell().warn(
                     "Cargo does not read `RUST_FLAGS` environment variable. Did you mean `RUSTFLAGS`?",
@@ -556,6 +561,40 @@ where `<compatible-ver>` is the latest version supporting rustc {rustc_version}"
         }
     }
 
+    if build_config.detect_antivirus != DetectAntivirus::Never {
+        // Count the number of test binaries and build scripts we'll need to
+        // run. This doesn't take into account the binary that will be run
+        // if `cargo run` was specified, and doesn't handle pre-2024 `rustdoc`
+        // tests, but that's fine, this is only a heuristic.
+        let num_binaries = unit_graph
+            .keys()
+            .filter(|unit| {
+                matches!(
+                    unit.mode,
+                    CompileMode::Test | CompileMode::Doctest | CompileMode::RunCustomBuild
+                )
+            })
+            .count();
+
+        tracing::debug!("estimated {num_binaries} binaries that could be slowed down by antivirus");
+
+        // Heuristic: Only do the check if we have to run more than a specific
+        // number of binaries. This makes it so that small beginner projects
+        // don't hit this.
+        //
+        // We also don't want to do this check when installing, since there
+        // might be `cargo install` users who are not necessarily developers
+        // (and so the note will be irrelevant to them).
+        if (10 < num_binaries && build_config.intent != UserIntent::Install)
+            || build_config.detect_antivirus == DetectAntivirus::Always
+        {
+            if let Err(err) = detect_antivirus::detect_and_report(gctx) {
+                // Errors in this detection are not fatal.
+                tracing::error!("failed detecting whether binaries may be slow to run: {err}");
+            }
+        }
+    }
+
     let bcx = BuildContext::new(
         ws,
         pkg_set,

diff --git a/src/cargo/ops/cargo_compile/unit_generator.rs b/src/cargo/ops/cargo_compile/unit_generator.rs
@@ -182,7 +182,7 @@ impl<'a> UnitGenerator<'a, '_> {
                 .iter()
                 .filter(|t| t.tested() || t.is_example())
                 .collect(),
-            UserIntent::Build | UserIntent::Check { .. } => targets
+            UserIntent::Build | UserIntent::Install | UserIntent::Check { .. } => targets
                 .iter()
                 .filter(|t| t.is_bin() || t.is_lib())
                 .collect(),
@@ -453,7 +453,7 @@ impl<'a> UnitGenerator<'a, '_> {
                     FilterRule::Just(_) => Target::is_test,
                 };
                 let test_mode = match self.intent {
-                    UserIntent::Build => CompileMode::Test,
+                    UserIntent::Build | UserIntent::Install => CompileMode::Test,
                     UserIntent::Check { .. } => CompileMode::Check { test: true },
                     _ => default_mode,
                 };
@@ -775,7 +775,7 @@ Rustdoc did not scrape the following examples because they require dev-dependenc
 fn to_compile_mode(intent: UserIntent) -> CompileMode {
     match intent {
         UserIntent::Test | UserIntent::Bench => CompileMode::Test,
-        UserIntent::Build => CompileMode::Build,
+        UserIntent::Build | UserIntent::Install => CompileMode::Build,
         UserIntent::Check { test } => CompileMode::Check { test },
         UserIntent::Doc { .. } => CompileMode::Doc,
         UserIntent::Doctest => CompileMode::Doctest,

diff --git a/src/cargo/util/context/mod.rs b/src/cargo/util/context/mod.rs
@@ -2770,6 +2770,8 @@ pub struct CargoBuildConfig {
     pub sbom: Option<bool>,
     /// Unstable feature `-Zbuild-analysis`.
     pub analysis: Option<CargoBuildAnalysis>,
+    /// Unstable feature `-Zdetect-antivirus`.
+    pub detect_antivirus: Option<bool>,
 }
 
 /// Metrics collection for build analysis.