Mirrors/rust
1
0
Fork 0
mirror of https://github.com/rust-lang/rust.git synced 2026-04-27 18:57:42 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add lint against integer to pointer transmutes

Browse Source
This commit is contained in:
Urgau
2025-07-27 12:56:02 +02:00
parent c5a6a7bdd8
commit d4cbd9a440
6 changed files with 406 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
compiler/rustc_lint/messages.ftl
+8
View File
@@ -462,6 +462,14 @@ lint_invalid_reference_casting_note_book = for more information, visit <https://
lint_invalid_reference_casting_note_ty_has_interior_mutability = even for types with interior mutability, the only legal way to obtain a mutable pointer from a shared reference is through `UnsafeCell::get`
lint_int_to_ptr_transmutes = transmuting an integer to a pointer creates a pointer without provenance
.note = this is dangerous because dereferencing the resulting pointer is undefined behavior
.note_exposed_provenance = exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
.help_transmute = for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
.help_exposed_provenance = for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
.suggestion_with_exposed_provenance = use `std::ptr::with_exposed_provenance{$suffix}` instead to use a previously exposed provenance
.suggestion_without_provenance_mut = if you truly mean to create a pointer without provenance, use `std::ptr::without_provenance_mut`
lint_legacy_derive_helpers = derive helper attribute is used before it is introduced
.label = the attribute is introduced here
compiler/rustc_lint/src/lints.rs
+42
View File
@@ -1,3 +1,5 @@
// ignore-tidy-filelength
#![allow(rustc::untranslatable_diagnostic)]
use std::num::NonZero;
@@ -1542,6 +1544,46 @@ fn decorate_lint<'b>(self, diag: &'b mut Diag<'a, ()>) {
}
}
// transmute.rs
#[derive(LintDiagnostic)]
#[diag(lint_int_to_ptr_transmutes)]
#[note]
#[note(lint_note_exposed_provenance)]
#[help(lint_suggestion_without_provenance_mut)]
#[help(lint_help_transmute)]
#[help(lint_help_exposed_provenance)]
pub(crate) struct IntegerToPtrTransmutes<'tcx> {
#[subdiagnostic]
pub suggestion: IntegerToPtrTransmutesSuggestion<'tcx>,
}
#[derive(Subdiagnostic)]
pub(crate) enum IntegerToPtrTransmutesSuggestion<'tcx> {
#[multipart_suggestion(
lint_suggestion_with_exposed_provenance,
applicability = "machine-applicable"
)]
ToPtr {
dst: Ty<'tcx>,
suffix: &'static str,
#[suggestion_part(code = "std::ptr::with_exposed_provenance{suffix}::<{dst}>(")]
start_call: Span,
},
#[multipart_suggestion(
lint_suggestion_with_exposed_provenance,
applicability = "machine-applicable"
)]
ToRef {
dst: Ty<'tcx>,
suffix: &'static str,
ref_mutbl: &'static str,
#[suggestion_part(
code = "&{ref_mutbl}*std::ptr::with_exposed_provenance{suffix}::<{dst}>("
)]
start_call: Span,
},
}
// types.rs
#[derive(LintDiagnostic)]
#[diag(lint_range_endpoint_out_of_range)]
compiler/rustc_lint/src/transmute.rs
+91 -1
View File
@@ -1,3 +1,4 @@
use rustc_ast::LitKind;
use rustc_errors::Applicability;
use rustc_hir::def::{DefKind, Res};
use rustc_hir::def_id::LocalDefId;
@@ -7,6 +8,7 @@
use rustc_session::{declare_lint, impl_lint_pass};
use rustc_span::sym;
use crate::lints::{IntegerToPtrTransmutes, IntegerToPtrTransmutesSuggestion};
use crate::{LateContext, LateLintPass};
declare_lint! {
@@ -67,9 +69,44 @@
"detects transmutes that can also be achieved by other operations"
}
declare_lint! {
/// The `integer_to_ptr_transmutes` lint detects integer to pointer
/// transmutes where the resulting pointers are undefined behavior to dereference.
///
/// ### Example
///
/// ```rust
/// fn foo(a: usize) -> *const u8 {
/// unsafe {
/// std::mem::transmute::<usize, *const u8>(a)
/// }
/// }
/// ```
///
/// {{produces}}
///
/// ### Explanation
///
/// Any attempt to use the resulting pointers are undefined behavior as the resulting
/// pointers won't have any provenance.
///
/// Alternatively, [`std::ptr::with_exposed_provenance`] should be used, as they do not
/// carry the provenance requirement. If wanting to create pointers without provenance
/// [`std::ptr::without_provenance`] should be used instead.
///
/// See [`std::mem::transmute`] in the reference for more details.
///
/// [`std::mem::transmute`]: https://doc.rust-lang.org/std/mem/fn.transmute.html
/// [`std::ptr::with_exposed_provenance`]: https://doc.rust-lang.org/std/ptr/fn.with_exposed_provenance.html
/// [`std::ptr::without_provenance`]: https://doc.rust-lang.org/std/ptr/fn.without_provenance.html
pub INTEGER_TO_PTR_TRANSMUTES,
Warn,
"detects integer to pointer transmutes",
}
pub(crate) struct CheckTransmutes;
impl_lint_pass!(CheckTransmutes => [PTR_TO_INTEGER_TRANSMUTE_IN_CONSTS, UNNECESSARY_TRANSMUTES]);
impl_lint_pass!(CheckTransmutes => [PTR_TO_INTEGER_TRANSMUTE_IN_CONSTS, UNNECESSARY_TRANSMUTES, INTEGER_TO_PTR_TRANSMUTES]);
impl<'tcx> LateLintPass<'tcx> for CheckTransmutes {
fn check_expr(&mut self, cx: &LateContext<'tcx>, expr: &'tcx hir::Expr<'tcx>) {
@@ -94,9 +131,62 @@ fn check_expr(&mut self, cx: &LateContext<'tcx>, expr: &'tcx hir::Expr<'tcx>) {
check_ptr_transmute_in_const(cx, expr, body_owner_def_id, const_context, src, dst);
check_unnecessary_transmute(cx, expr, callee, arg, const_context, src, dst);
check_int_to_ptr_transmute(cx, expr, arg, src, dst);
}
}
/// Check for transmutes from integer to pointers (*const/*mut and &/&mut).
///
/// Using the resulting pointers would be undefined behavior.
fn check_int_to_ptr_transmute<'tcx>(
cx: &LateContext<'tcx>,
expr: &'tcx hir::Expr<'tcx>,
arg: &'tcx hir::Expr<'tcx>,
src: Ty<'tcx>,
dst: Ty<'tcx>,
) {
if !matches!(src.kind(), ty::Uint(_) | ty::Int(_)) {
return;
}
let (ty::Ref(_, inner_ty, mutbl) | ty::RawPtr(inner_ty, mutbl)) = dst.kind() else {
return;
};
// bail-out if the argument is literal 0 as we have other lints for those cases
if matches!(arg.kind, hir::ExprKind::Lit(hir::Lit { node: LitKind::Int(v, _), .. }) if v == 0) {
return;
}
// bail-out if the inner type is a ZST
let Ok(layout_inner_ty) = cx.tcx.layout_of(cx.typing_env().as_query_input(*inner_ty)) else {
return;
};
if layout_inner_ty.is_1zst() {
return;
}
let suffix = if mutbl.is_mut() { "_mut" } else { "" };
cx.tcx.emit_node_span_lint(
INTEGER_TO_PTR_TRANSMUTES,
expr.hir_id,
expr.span,
IntegerToPtrTransmutes {
suggestion: if dst.is_ref() {
IntegerToPtrTransmutesSuggestion::ToRef {
dst: *inner_ty,
suffix,
ref_mutbl: mutbl.prefix_str(),
start_call: expr.span.shrink_to_lo().until(arg.span),
}
} else {
IntegerToPtrTransmutesSuggestion::ToPtr {
dst: *inner_ty,
suffix,
start_call: expr.span.shrink_to_lo().until(arg.span),
}
},
},
);
}
/// Check for transmutes that exhibit undefined behavior.
/// For example, transmuting pointers to integers in a const context.
///
tests/ui/lint/int_to_ptr.fixed
+47
View File
@@ -0,0 +1,47 @@
// Checks for the `integer_to_pointer_transmutes` lint
//@ check-pass
//@ run-rustfix
#![allow(unused_unsafe)]
#![allow(dead_code)]
unsafe fn should_lint(a: usize) {
let _ptr: *const u8 = unsafe { std::ptr::with_exposed_provenance::<u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ptr: *mut u8 = unsafe { std::ptr::with_exposed_provenance_mut::<u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ref: &'static u8 = unsafe { &*std::ptr::with_exposed_provenance::<u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ref: &'static mut u8 = unsafe { &mut *std::ptr::with_exposed_provenance_mut::<u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ptr = unsafe { std::ptr::with_exposed_provenance::<u8>(42usize) };
//~^ WARN transmuting an integer to a pointer
let _ptr = unsafe { std::ptr::with_exposed_provenance::<u8>(a + a) };
//~^ WARN transmuting an integer to a pointer
}
const unsafe fn should_lintin_const(a: usize) {
let _ptr: *const u8 = unsafe { std::ptr::with_exposed_provenance::<u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ptr: *mut u8 = unsafe { std::ptr::with_exposed_provenance_mut::<u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ref: &'static u8 = unsafe { &*std::ptr::with_exposed_provenance::<u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ref: &'static mut u8 = unsafe { &mut *std::ptr::with_exposed_provenance_mut::<u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ptr = unsafe { std::ptr::with_exposed_provenance::<u8>(42usize) };
//~^ WARN transmuting an integer to a pointer
let _ptr = unsafe { std::ptr::with_exposed_provenance::<u8>(a + a) };
//~^ WARN transmuting an integer to a pointer
}
unsafe fn should_not_lint(a: usize) {
let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(0usize) }; // linted by other lints
let _ptr = unsafe { std::mem::transmute::<usize, *const ()>(a) }; // inner type is a ZST
let _ptr = unsafe { std::mem::transmute::<usize, fn()>(a) }; // omit fn-ptr for now
}
fn main() {}
tests/ui/lint/int_to_ptr.rs
+47
View File
@@ -0,0 +1,47 @@
// Checks for the `integer_to_pointer_transmutes` lint
//@ check-pass
//@ run-rustfix
#![allow(unused_unsafe)]
#![allow(dead_code)]
unsafe fn should_lint(a: usize) {
let _ptr: *const u8 = unsafe { std::mem::transmute::<usize, *const u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ptr: *mut u8 = unsafe { std::mem::transmute::<usize, *mut u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ref: &'static u8 = unsafe { std::mem::transmute::<usize, &'static u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ref: &'static mut u8 = unsafe { std::mem::transmute::<usize, &'static mut u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(42usize) };
//~^ WARN transmuting an integer to a pointer
let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(a + a) };
//~^ WARN transmuting an integer to a pointer
}
const unsafe fn should_lintin_const(a: usize) {
let _ptr: *const u8 = unsafe { std::mem::transmute::<usize, *const u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ptr: *mut u8 = unsafe { std::mem::transmute::<usize, *mut u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ref: &'static u8 = unsafe { std::mem::transmute::<usize, &'static u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ref: &'static mut u8 = unsafe { std::mem::transmute::<usize, &'static mut u8>(a) };
//~^ WARN transmuting an integer to a pointer
let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(42usize) };
//~^ WARN transmuting an integer to a pointer
let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(a + a) };
//~^ WARN transmuting an integer to a pointer
}
unsafe fn should_not_lint(a: usize) {
let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(0usize) }; // linted by other lints
let _ptr = unsafe { std::mem::transmute::<usize, *const ()>(a) }; // inner type is a ZST
let _ptr = unsafe { std::mem::transmute::<usize, fn()>(a) }; // omit fn-ptr for now
}
fn main() {}
tests/ui/lint/int_to_ptr.stderr
+171
View File
@@ -0,0 +1,171 @@
warning: transmuting an integer to a pointer creates a pointer without provenance
--> $DIR/int_to_ptr.rs:10:36
|
LL | let _ptr: *const u8 = unsafe { std::mem::transmute::<usize, *const u8>(a) };
| ----------------------------------------^^
| |
| help: use `std::ptr::with_exposed_provenance` instead to use a previously exposed provenance: `std::ptr::with_exposed_provenance::<u8>(`
|
= note: this is dangerous because dereferencing the resulting pointer is undefined behavior
= note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
= help: if you truly mean to create a pointer without provenance, use `std::ptr::without_provenance_mut`
= help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
= help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
= note: `#[warn(integer_to_ptr_transmutes)]` on by default
warning: transmuting an integer to a pointer creates a pointer without provenance
--> $DIR/int_to_ptr.rs:12:34
|
LL | let _ptr: *mut u8 = unsafe { std::mem::transmute::<usize, *mut u8>(a) };
| --------------------------------------^^
| |
| help: use `std::ptr::with_exposed_provenance_mut` instead to use a previously exposed provenance: `std::ptr::with_exposed_provenance_mut::<u8>(`
|
= note: this is dangerous because dereferencing the resulting pointer is undefined behavior
= note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
= help: if you truly mean to create a pointer without provenance, use `std::ptr::without_provenance_mut`
= help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
= help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
warning: transmuting an integer to a pointer creates a pointer without provenance
--> $DIR/int_to_ptr.rs:14:38
|
LL | let _ref: &'static u8 = unsafe { std::mem::transmute::<usize, &'static u8>(a) };
| ------------------------------------------^^
| |
| help: use `std::ptr::with_exposed_provenance` instead to use a previously exposed provenance: `&*std::ptr::with_exposed_provenance::<u8>(`
|
= note: this is dangerous because dereferencing the resulting pointer is undefined behavior
= note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
= help: if you truly mean to create a pointer without provenance, use `std::ptr::without_provenance_mut`
= help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
= help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
warning: transmuting an integer to a pointer creates a pointer without provenance
--> $DIR/int_to_ptr.rs:16:42
|
LL | let _ref: &'static mut u8 = unsafe { std::mem::transmute::<usize, &'static mut u8>(a) };
| ----------------------------------------------^^
| |
| help: use `std::ptr::with_exposed_provenance_mut` instead to use a previously exposed provenance: `&mut *std::ptr::with_exposed_provenance_mut::<u8>(`
|
= note: this is dangerous because dereferencing the resulting pointer is undefined behavior
= note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
= help: if you truly mean to create a pointer without provenance, use `std::ptr::without_provenance_mut`
= help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
= help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
warning: transmuting an integer to a pointer creates a pointer without provenance
--> $DIR/int_to_ptr.rs:19:25
|
LL | let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(42usize) };
| ----------------------------------------^^^^^^^^
| |
| help: use `std::ptr::with_exposed_provenance` instead to use a previously exposed provenance: `std::ptr::with_exposed_provenance::<u8>(`
|
= note: this is dangerous because dereferencing the resulting pointer is undefined behavior
= note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
= help: if you truly mean to create a pointer without provenance, use `std::ptr::without_provenance_mut`
= help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
= help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
warning: transmuting an integer to a pointer creates a pointer without provenance
--> $DIR/int_to_ptr.rs:21:25
|
LL | let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(a + a) };
| ----------------------------------------^^^^^^
| |
| help: use `std::ptr::with_exposed_provenance` instead to use a previously exposed provenance: `std::ptr::with_exposed_provenance::<u8>(`
|
= note: this is dangerous because dereferencing the resulting pointer is undefined behavior
= note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
= help: if you truly mean to create a pointer without provenance, use `std::ptr::without_provenance_mut`
= help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
= help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
warning: transmuting an integer to a pointer creates a pointer without provenance
--> $DIR/int_to_ptr.rs:26:36
|
LL | let _ptr: *const u8 = unsafe { std::mem::transmute::<usize, *const u8>(a) };
| ----------------------------------------^^
| |
| help: use `std::ptr::with_exposed_provenance` instead to use a previously exposed provenance: `std::ptr::with_exposed_provenance::<u8>(`
|
= note: this is dangerous because dereferencing the resulting pointer is undefined behavior
= note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
= help: if you truly mean to create a pointer without provenance, use `std::ptr::without_provenance_mut`
= help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
= help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
warning: transmuting an integer to a pointer creates a pointer without provenance
--> $DIR/int_to_ptr.rs:28:34
|
LL | let _ptr: *mut u8 = unsafe { std::mem::transmute::<usize, *mut u8>(a) };
| --------------------------------------^^
| |
| help: use `std::ptr::with_exposed_provenance_mut` instead to use a previously exposed provenance: `std::ptr::with_exposed_provenance_mut::<u8>(`
|
= note: this is dangerous because dereferencing the resulting pointer is undefined behavior
= note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
= help: if you truly mean to create a pointer without provenance, use `std::ptr::without_provenance_mut`
= help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
= help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
warning: transmuting an integer to a pointer creates a pointer without provenance
--> $DIR/int_to_ptr.rs:30:38
|
LL | let _ref: &'static u8 = unsafe { std::mem::transmute::<usize, &'static u8>(a) };
| ------------------------------------------^^
| |
| help: use `std::ptr::with_exposed_provenance` instead to use a previously exposed provenance: `&*std::ptr::with_exposed_provenance::<u8>(`
|
= note: this is dangerous because dereferencing the resulting pointer is undefined behavior
= note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
= help: if you truly mean to create a pointer without provenance, use `std::ptr::without_provenance_mut`
= help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
= help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
warning: transmuting an integer to a pointer creates a pointer without provenance
--> $DIR/int_to_ptr.rs:32:42
|
LL | let _ref: &'static mut u8 = unsafe { std::mem::transmute::<usize, &'static mut u8>(a) };
| ----------------------------------------------^^
| |
| help: use `std::ptr::with_exposed_provenance_mut` instead to use a previously exposed provenance: `&mut *std::ptr::with_exposed_provenance_mut::<u8>(`
|
= note: this is dangerous because dereferencing the resulting pointer is undefined behavior
= note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
= help: if you truly mean to create a pointer without provenance, use `std::ptr::without_provenance_mut`
= help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
= help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
warning: transmuting an integer to a pointer creates a pointer without provenance
--> $DIR/int_to_ptr.rs:35:25
|
LL | let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(42usize) };
| ----------------------------------------^^^^^^^^
| |
| help: use `std::ptr::with_exposed_provenance` instead to use a previously exposed provenance: `std::ptr::with_exposed_provenance::<u8>(`
|
= note: this is dangerous because dereferencing the resulting pointer is undefined behavior
= note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
= help: if you truly mean to create a pointer without provenance, use `std::ptr::without_provenance_mut`
= help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
= help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
warning: transmuting an integer to a pointer creates a pointer without provenance
--> $DIR/int_to_ptr.rs:37:25
|
LL | let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(a + a) };
| ----------------------------------------^^^^^^
| |
| help: use `std::ptr::with_exposed_provenance` instead to use a previously exposed provenance: `std::ptr::with_exposed_provenance::<u8>(`
|
= note: this is dangerous because dereferencing the resulting pointer is undefined behavior
= note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
= help: if you truly mean to create a pointer without provenance, use `std::ptr::without_provenance_mut`
= help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
= help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
warning: 12 warnings emitted