Add lint against integer to pointer transmutes

Author: Urgau

compiler/rustc_lint/messages.ftl

@@ -476,6 +476,14 @@ lint_invalid_reference_casting_note_book = for more information, visit <https://
 
 lint_invalid_reference_casting_note_ty_has_interior_mutability = even for types with interior mutability, the only legal way to obtain a mutable pointer from a shared reference is through `UnsafeCell::get`
 
+lint_int_to_ptr_transmutes = transmuting a integer to a pointer without provenance is dangerous
+    .note = dereferencing the resulting pointer is Undefined Behavior as it doesn't have any provenance
+    .note_exposed_provenance = exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
+    .help_transmute = for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
+    .help_exposed_provenance = for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
+    .suggestion_as = use `as` cast instead to use a previously exposed provenance
+    .suggestion_without_provenance_mut = use `std::ptr::without_provenance_mut` to create a pointer without provenance
+
 lint_legacy_derive_helpers = derive helper attribute is used before it is introduced
     .label = the attribute is introduced here
 

compiler/rustc_lint/src/lints.rs

@@ -1603,6 +1603,45 @@ impl<'a> LintDiagnostic<'a, ()> for DropGlue<'_> {
     }
 }
 
+// transmute.rs
+#[derive(LintDiagnostic)]
+#[diag(lint_int_to_ptr_transmutes)]
+#[note]
+#[note(lint_note_exposed_provenance)]
+#[help(lint_help_transmute)]
+#[help(lint_help_exposed_provenance)]
+#[help(lint_suggestion_without_provenance_mut)]
+pub(crate) struct IntegerToPtrTransmutes<'tcx> {
+    #[subdiagnostic]
+    pub suggestion: IntegerToPtrTransmutesSuggestion<'tcx>,
+}
+
+#[derive(Subdiagnostic)]
+pub(crate) enum IntegerToPtrTransmutesSuggestion<'tcx> {
+    #[multipart_suggestion(lint_suggestion_as, applicability = "machine-applicable")]
+    ToPtr {
+        dst: Ty<'tcx>,
+        paren_left: &'static str,
+        paren_right: &'static str,
+        #[suggestion_part(code = "{paren_left}")]
+        start_call: Span,
+        #[suggestion_part(code = "{paren_right} as {dst}")]
+        end_call: Span,
+    },
+    #[multipart_suggestion(lint_suggestion_as, applicability = "machine-applicable")]
+    ToRef {
+        dst: Ty<'tcx>,
+        ptr_mutbl: &'static str,
+        ref_mutbl: &'static str,
+        paren_left: &'static str,
+        paren_right: &'static str,
+        #[suggestion_part(code = "&{ref_mutbl}*({paren_left}")]
+        start_call: Span,
+        #[suggestion_part(code = "{paren_right} as *{ptr_mutbl} {dst})")]
+        end_call: Span,
+    },
+}
+
 // types.rs
 #[derive(LintDiagnostic)]
 #[diag(lint_range_endpoint_out_of_range)]

compiler/rustc_lint/src/transmute.rs

@@ -1,3 +1,4 @@
+use rustc_ast::LitKind;
 use rustc_errors::Applicability;
 use rustc_hir::def::{DefKind, Res};
 use rustc_hir::def_id::LocalDefId;
@@ -7,6 +8,7 @@ use rustc_middle::ty::{self, Ty};
 use rustc_session::{declare_lint, impl_lint_pass};
 use rustc_span::sym;
 
+use crate::lints::{IntegerToPtrTransmutes, IntegerToPtrTransmutesSuggestion};
 use crate::{LateContext, LateLintPass};
 
 declare_lint! {
@@ -67,9 +69,42 @@ declare_lint! {
     "detects transmutes that can also be achieved by other operations"
 }
 
+declare_lint! {
+    /// The `integer_to_ptr_transmutes` lint detects integer to pointer
+    /// transmutes where the resulting pointers are Undefined Behavior to dereference.
+    ///
+    /// ### Example
+    ///
+    /// ```rust
+    /// fn foo(a: usize) -> *const u8 {
+    ///    unsafe {
+    ///        std::mem::transmute::<usize, *const u8>(a)
+    ///    }
+    /// }
+    /// ```
+    ///
+    /// {{produces}}
+    ///
+    /// ### Explanation
+    ///
+    /// Any attempt to use the resulting pointers are undefined behavior as the resulting
+    /// pointers won't have any provenance.
+    ///
+    /// Alternatively, `as` casts should be used, as they do not carry the provenance
+    /// requirement or if the wanting to create pointers without provenance
+    /// `ptr::without_provenance_mut` should be used.
+    ///
+    /// See [std::mem::transmute] in the reference for more details.
+    ///
+    /// [std::mem::transmute]: https://doc.rust-lang.org/std/mem/fn.transmute.html
+    pub INTEGER_TO_PTR_TRANSMUTES,
+    Warn,
+    "detects integer to pointer transmutes",
+}
+
 pub(crate) struct CheckTransmutes;
 
-impl_lint_pass!(CheckTransmutes => [PTR_TO_INTEGER_TRANSMUTE_IN_CONSTS, UNNECESSARY_TRANSMUTES]);
+impl_lint_pass!(CheckTransmutes => [PTR_TO_INTEGER_TRANSMUTE_IN_CONSTS, UNNECESSARY_TRANSMUTES, INTEGER_TO_PTR_TRANSMUTES]);
 
 impl<'tcx> LateLintPass<'tcx> for CheckTransmutes {
     fn check_expr(&mut self, cx: &LateContext<'tcx>, expr: &'tcx hir::Expr<'tcx>) {
@@ -94,6 +129,63 @@ impl<'tcx> LateLintPass<'tcx> for CheckTransmutes {
 
         check_ptr_transmute_in_const(cx, expr, body_owner_def_id, const_context, src, dst);
         check_unnecessary_transmute(cx, expr, callee, arg, const_context, src, dst);
+        check_int_to_ptr_transmute(cx, expr, arg, src, dst);
+    }
+}
+
+/// Check for transmutes from integer to pointers (*const/*mut, &/&mut and fn()).
+///
+/// Using the resulting pointers would be undefined behavior.
+fn check_int_to_ptr_transmute<'tcx>(
+    cx: &LateContext<'tcx>,
+    expr: &'tcx hir::Expr<'tcx>,
+    arg: &'tcx hir::Expr<'tcx>,
+    src: Ty<'tcx>,
+    dst: Ty<'tcx>,
+) {
+    if matches!(src.kind(), ty::Uint(_) | ty::Int(_))
+        && let ty::Ref(_, inner_ty, mutbl) | ty::RawPtr(inner_ty, mutbl) = dst.kind()
+        // bail-out if the argument is literal 0 as we have other lints for those cases
+        && !matches!(arg.kind, hir::ExprKind::Lit(hir::Lit { node: LitKind::Int(v, _), .. }) if v == 0)
+        // bail-out if the inner type if a ZST
+        && cx.tcx
+            .layout_of(cx.typing_env().as_query_input(*inner_ty))
+            .is_ok_and(|layout| !layout.is_1zst())
+    {
+        // does the argument needs parenthesis
+        let mut paren_left = "";
+        let mut paren_right = "";
+        if matches!(arg.kind, hir::ExprKind::Binary(..)) {
+            paren_left = "(";
+            paren_right = ")";
+        }
+
+        cx.tcx.emit_node_span_lint(
+            INTEGER_TO_PTR_TRANSMUTES,
+            expr.hir_id,
+            expr.span,
+            IntegerToPtrTransmutes {
+                suggestion: if dst.is_ref() {
+                    IntegerToPtrTransmutesSuggestion::ToRef {
+                        dst: *inner_ty,
+                        ref_mutbl: mutbl.prefix_str(),
+                        ptr_mutbl: mutbl.ptr_str(),
+                        paren_left,
+                        paren_right,
+                        start_call: expr.span.shrink_to_lo().until(arg.span),
+                        end_call: arg.span.shrink_to_hi().until(expr.span.shrink_to_hi()),
+                    }
+                } else {
+                    IntegerToPtrTransmutesSuggestion::ToPtr {
+                        dst,
+                        paren_left,
+                        paren_right,
+                        start_call: expr.span.shrink_to_lo().until(arg.span),
+                        end_call: arg.span.shrink_to_hi().until(expr.span.shrink_to_hi()),
+                    }
+                },
+            },
+        );
     }
 }
 

tests/ui/lint/int_to_ptr.fixed

@@ -0,0 +1,26 @@
+// Checks for the `integer_to_pointer_transmutes` lint
+
+//@ check-pass
+//@ run-rustfix
+
+#![allow(unused_unsafe)]
+#![allow(dead_code)]
+
+unsafe fn should_lint(a: usize) {
+    let _ptr = unsafe { a as *const u8 };
+    //~^ WARN transmuting a integer to a pointer
+    let _ptr = unsafe { &*(a as *const u8) };
+    //~^ WARN transmuting a integer to a pointer
+    let _ptr = unsafe { 42usize as *const u8 };
+    //~^ WARN transmuting a integer to a pointer
+    let _ptr = unsafe { (a + a) as *const u8 };
+    //~^ WARN transmuting a integer to a pointer
+}
+
+unsafe fn should_not_lint(a: usize) {
+    let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(0usize) }; // linted by other lints
+    let _ptr = unsafe { std::mem::transmute::<usize, *const ()>(a) }; // inner type is a ZST
+    let _ptr = unsafe { std::mem::transmute::<usize, fn()>(a) }; // omit fn-ptr for now
+}
+
+fn main() {}

tests/ui/lint/int_to_ptr.rs

@@ -0,0 +1,26 @@
+// Checks for the `integer_to_pointer_transmutes` lint
+
+//@ check-pass
+//@ run-rustfix
+
+#![allow(unused_unsafe)]
+#![allow(dead_code)]
+
+unsafe fn should_lint(a: usize) {
+    let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(a) };
+    //~^ WARN transmuting a integer to a pointer
+    let _ptr = unsafe { std::mem::transmute::<usize, &'static u8>(a) };
+    //~^ WARN transmuting a integer to a pointer
+    let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(42usize) };
+    //~^ WARN transmuting a integer to a pointer
+    let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(a + a) };
+    //~^ WARN transmuting a integer to a pointer
+}
+
+unsafe fn should_not_lint(a: usize) {
+    let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(0usize) }; // linted by other lints
+    let _ptr = unsafe { std::mem::transmute::<usize, *const ()>(a) }; // inner type is a ZST
+    let _ptr = unsafe { std::mem::transmute::<usize, fn()>(a) }; // omit fn-ptr for now
+}
+
+fn main() {}

tests/ui/lint/int_to_ptr.stderr

@@ -0,0 +1,71 @@
+warning: transmuting a integer to a pointer without provenance is dangerous
+  --> $DIR/int_to_ptr.rs:10:25
+   |
+LL |     let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(a) };
+   |                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   |
+   = note: dereferencing the resulting pointer is Undefined Behavior as it doesn't have any provenance
+   = note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
+   = help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
+   = help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
+   = help: use `std::ptr::without_provenance_mut` to create a pointer without provenance
+   = note: `#[warn(integer_to_ptr_transmutes)]` on by default
+help: use `as` cast instead to use a previously exposed provenance
+   |
+LL -     let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(a) };
+LL +     let _ptr = unsafe { a as *const u8 };
+   |
+
+warning: transmuting a integer to a pointer without provenance is dangerous
+  --> $DIR/int_to_ptr.rs:12:25
+   |
+LL |     let _ptr = unsafe { std::mem::transmute::<usize, &'static u8>(a) };
+   |                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   |
+   = note: dereferencing the resulting pointer is Undefined Behavior as it doesn't have any provenance
+   = note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
+   = help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
+   = help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
+   = help: use `std::ptr::without_provenance_mut` to create a pointer without provenance
+help: use `as` cast instead to use a previously exposed provenance
+   |
+LL -     let _ptr = unsafe { std::mem::transmute::<usize, &'static u8>(a) };
+LL +     let _ptr = unsafe { &*(a as *const u8) };
+   |
+
+warning: transmuting a integer to a pointer without provenance is dangerous
+  --> $DIR/int_to_ptr.rs:14:25
+   |
+LL |     let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(42usize) };
+   |                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   |
+   = note: dereferencing the resulting pointer is Undefined Behavior as it doesn't have any provenance
+   = note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
+   = help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
+   = help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
+   = help: use `std::ptr::without_provenance_mut` to create a pointer without provenance
+help: use `as` cast instead to use a previously exposed provenance
+   |
+LL -     let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(42usize) };
+LL +     let _ptr = unsafe { 42usize as *const u8 };
+   |
+
+warning: transmuting a integer to a pointer without provenance is dangerous
+  --> $DIR/int_to_ptr.rs:16:25
+   |
+LL |     let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(a + a) };
+   |                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   |
+   = note: dereferencing the resulting pointer is Undefined Behavior as it doesn't have any provenance
+   = note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
+   = help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
+   = help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
+   = help: use `std::ptr::without_provenance_mut` to create a pointer without provenance
+help: use `as` cast instead to use a previously exposed provenance
+   |
+LL -     let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(a + a) };
+LL +     let _ptr = unsafe { (a + a) as *const u8 };
+   |
+
+warning: 4 warnings emitted
+