rustc_lint/

transmute.rs

use rustc_ast::LitKind;
use rustc_errors::Applicability;
use rustc_hir::def::{DefKind, Res};
use rustc_hir::def_id::LocalDefId;
use rustc_hir::{self as hir};
use rustc_macros::LintDiagnostic;
use rustc_middle::ty::{self, Ty};
use rustc_session::{declare_lint, impl_lint_pass};
use rustc_span::sym;

use crate::lints::{IntegerToPtrTransmutes, IntegerToPtrTransmutesSuggestion};
use crate::{LateContext, LateLintPass};

declare_lint! {
    /// The `ptr_to_integer_transmute_in_consts` lint detects pointer to integer
    /// transmute in const functions and associated constants.
    ///
    /// ### Example
    ///
    /// ```rust
    /// const fn foo(ptr: *const u8) -> usize {
    ///    unsafe {
    ///        std::mem::transmute::<*const u8, usize>(ptr)
    ///    }
    /// }
    /// ```
    ///
    /// {{produces}}
    ///
    /// ### Explanation
    ///
    /// Transmuting pointers to integers in a `const` context is undefined behavior.
    /// Any attempt to use the resulting integer will abort const-evaluation.
    ///
    /// But sometimes the compiler might not emit an error for pointer to integer transmutes
    /// inside const functions and associated consts because they are evaluated only when referenced.
    /// Therefore, this lint serves as an extra layer of defense to prevent any undefined behavior
    /// from compiling without any warnings or errors.
    ///
    /// See [std::mem::transmute] in the reference for more details.
    ///
    /// [std::mem::transmute]: https://doc.rust-lang.org/std/mem/fn.transmute.html
    pub PTR_TO_INTEGER_TRANSMUTE_IN_CONSTS,
    Warn,
    "detects pointer to integer transmutes in const functions and associated constants",
}

declare_lint! {
    /// The `unnecessary_transmutes` lint detects transmutations that have safer alternatives.
    ///
    /// ### Example
    ///
    /// ```rust
    /// fn bytes_at_home(x: [u8; 4]) -> u32 {
    ///   unsafe { std::mem::transmute(x) }
    /// }
    /// ```
    ///
    /// {{produces}}
    ///
    /// ### Explanation
    ///
    /// Using an explicit method is preferable over calls to
    /// [`transmute`](https://doc.rust-lang.org/std/mem/fn.transmute.html) as
    /// they more clearly communicate the intent, are easier to review, and
    /// are less likely to accidentally result in unsoundness.
    pub UNNECESSARY_TRANSMUTES,
    Warn,
    "detects transmutes that can also be achieved by other operations"
}

declare_lint! {
    /// The `integer_to_ptr_transmutes` lint detects integer to pointer
    /// transmutes where the resulting pointers are undefined behavior to dereference.
    ///
    /// ### Example
    ///
    /// ```rust
    /// fn foo(a: usize) -> *const u8 {
    ///    unsafe {
    ///        std::mem::transmute::<usize, *const u8>(a)
    ///    }
    /// }
    /// ```
    ///
    /// {{produces}}
    ///
    /// ### Explanation
    ///
    /// Any attempt to use the resulting pointers are undefined behavior as the resulting
    /// pointers won't have any provenance.
    ///
    /// Alternatively, [`std::ptr::with_exposed_provenance`] should be used, as they do not
    /// carry the provenance requirement. If wanting to create pointers without provenance
    /// [`std::ptr::without_provenance`] should be used instead.
    ///
    /// See [`std::mem::transmute`] in the reference for more details.
    ///
    /// [`std::mem::transmute`]: https://doc.rust-lang.org/std/mem/fn.transmute.html
    /// [`std::ptr::with_exposed_provenance`]: https://doc.rust-lang.org/std/ptr/fn.with_exposed_provenance.html
    /// [`std::ptr::without_provenance`]: https://doc.rust-lang.org/std/ptr/fn.without_provenance.html
    pub INTEGER_TO_PTR_TRANSMUTES,
    Warn,
    "detects integer to pointer transmutes",
}

pub(crate) struct CheckTransmutes;

impl_lint_pass!(CheckTransmutes => [PTR_TO_INTEGER_TRANSMUTE_IN_CONSTS, UNNECESSARY_TRANSMUTES, INTEGER_TO_PTR_TRANSMUTES]);

impl<'tcx> LateLintPass<'tcx> for CheckTransmutes {
    fn check_expr(&mut self, cx: &LateContext<'tcx>, expr: &'tcx hir::Expr<'tcx>) {
        let hir::ExprKind::Call(callee, [arg]) = expr.kind else {
            return;
        };
        let hir::ExprKind::Path(qpath) = callee.kind else {
            return;
        };
        let Res::Def(DefKind::Fn, def_id) = cx.qpath_res(&qpath, callee.hir_id) else {
            return;
        };
        if !cx.tcx.is_intrinsic(def_id, sym::transmute) {
            return;
        };
        let body_owner_def_id = cx.tcx.hir_enclosing_body_owner(expr.hir_id);
        let const_context = cx.tcx.hir_body_const_context(body_owner_def_id);
        let args = cx.typeck_results().node_args(callee.hir_id);

        let src = args.type_at(0);
        let dst = args.type_at(1);

        check_ptr_transmute_in_const(cx, expr, body_owner_def_id, const_context, src, dst);
        check_unnecessary_transmute(cx, expr, callee, arg, const_context, src, dst);
        check_int_to_ptr_transmute(cx, expr, arg, src, dst);
    }
}

/// Check for transmutes from integer to pointers (*const/*mut and &/&mut).
///
/// Using the resulting pointers would be undefined behavior.
fn check_int_to_ptr_transmute<'tcx>(
    cx: &LateContext<'tcx>,
    expr: &'tcx hir::Expr<'tcx>,
    arg: &'tcx hir::Expr<'tcx>,
    src: Ty<'tcx>,
    dst: Ty<'tcx>,
) {
    if !matches!(src.kind(), ty::Uint(_) | ty::Int(_)) {
        return;
    }
    let (ty::Ref(_, inner_ty, mutbl) | ty::RawPtr(inner_ty, mutbl)) = dst.kind() else {
        return;
    };
    // bail-out if the argument is literal 0 as we have other lints for those cases
    if matches!(arg.kind, hir::ExprKind::Lit(hir::Lit { node: LitKind::Int(v, _), .. }) if v == 0) {
        return;
    }
    // bail-out if the inner type is a ZST
    let Ok(layout_inner_ty) = cx.tcx.layout_of(cx.typing_env().as_query_input(*inner_ty)) else {
        return;
    };
    if layout_inner_ty.is_1zst() {
        return;
    }

    let suffix = if mutbl.is_mut() { "_mut" } else { "" };
    cx.tcx.emit_node_span_lint(
        INTEGER_TO_PTR_TRANSMUTES,
        expr.hir_id,
        expr.span,
        IntegerToPtrTransmutes {
            suggestion: if layout_inner_ty.is_sized() {
                Some(if dst.is_ref() {
                    IntegerToPtrTransmutesSuggestion::ToRef {
                        dst: *inner_ty,
                        suffix,
                        ref_mutbl: mutbl.prefix_str(),
                        start_call: expr.span.shrink_to_lo().until(arg.span),
                    }
                } else {
                    IntegerToPtrTransmutesSuggestion::ToPtr {
                        dst: *inner_ty,
                        suffix,
                        start_call: expr.span.shrink_to_lo().until(arg.span),
                    }
                })
            } else {
                // We can't suggest using `with_exposed_provenance` for unsized type
                // so don't suggest anything.
                None
            },
        },
    );
}

/// Check for transmutes that exhibit undefined behavior.
/// For example, transmuting pointers to integers in a const context.
///
/// Why do we consider const functions and associated constants only?
///
/// Generally, undefined behavior in const items are handled by the evaluator.
/// But, const functions and associated constants are evaluated only when referenced.
/// This can result in undefined behavior in a library going unnoticed until
/// the function or constant is actually used.
///
/// Therefore, we only consider const functions and associated constants here and leave
/// other const items to be handled by the evaluator.
fn check_ptr_transmute_in_const<'tcx>(
    cx: &LateContext<'tcx>,
    expr: &'tcx hir::Expr<'tcx>,
    body_owner_def_id: LocalDefId,
    const_context: Option<hir::ConstContext>,
    src: Ty<'tcx>,
    dst: Ty<'tcx>,
) {
    if matches!(const_context, Some(hir::ConstContext::ConstFn))
        || matches!(cx.tcx.def_kind(body_owner_def_id), DefKind::AssocConst)
    {
        if src.is_raw_ptr() && dst.is_integral() {
            cx.tcx.emit_node_span_lint(
                PTR_TO_INTEGER_TRANSMUTE_IN_CONSTS,
                expr.hir_id,
                expr.span,
                UndefinedTransmuteLint,
            );
        }
    }
}

/// Check for transmutes that overlap with stdlib methods.
/// For example, transmuting `[u8; 4]` to `u32`.
///
/// We chose not to lint u8 -> bool transmutes, see #140431.
fn check_unnecessary_transmute<'tcx>(
    cx: &LateContext<'tcx>,
    expr: &'tcx hir::Expr<'tcx>,
    callee: &'tcx hir::Expr<'tcx>,
    arg: &'tcx hir::Expr<'tcx>,
    const_context: Option<hir::ConstContext>,
    src: Ty<'tcx>,
    dst: Ty<'tcx>,
) {
    let callee_span = callee.span.find_ancestor_inside(expr.span).unwrap_or(callee.span);
    let (sugg, help) = match (src.kind(), dst.kind()) {
        // dont check the length; transmute does that for us.
        // [u8; _] => primitive
        (ty::Array(t, _), ty::Uint(_) | ty::Float(_) | ty::Int(_))
            if *t.kind() == ty::Uint(ty::UintTy::U8) =>
        {
            (
                Some(vec![(callee_span, format!("{dst}::from_ne_bytes"))]),
                Some(
                    "there's also `from_le_bytes` and `from_be_bytes` if you expect a particular byte order",
                ),
            )
        }
        // primitive => [u8; _]
        (ty::Uint(_) | ty::Float(_) | ty::Int(_), ty::Array(t, _))
            if *t.kind() == ty::Uint(ty::UintTy::U8) =>
        {
            (
                Some(vec![(callee_span, format!("{src}::to_ne_bytes"))]),
                Some(
                    "there's also `to_le_bytes` and `to_be_bytes` if you expect a particular byte order",
                ),
            )
        }
        // char → u32
        (ty::Char, ty::Uint(ty::UintTy::U32)) => {
            (Some(vec![(callee_span, "u32::from".to_string())]), None)
        }
        // char (→ u32) → i32
        (ty::Char, ty::Int(ty::IntTy::I32)) => (
            Some(vec![
                (callee_span, "u32::from".to_string()),
                (expr.span.shrink_to_hi(), ".cast_signed()".to_string()),
            ]),
            None,
        ),
        // u32 → char
        (ty::Uint(ty::UintTy::U32), ty::Char) => (
            Some(vec![(callee_span, "char::from_u32_unchecked".to_string())]),
            Some("consider using `char::from_u32(…).unwrap()`"),
        ),
        // i32 → char
        (ty::Int(ty::IntTy::I32), ty::Char) => (
            Some(vec![
                (callee_span, "char::from_u32_unchecked(i32::cast_unsigned".to_string()),
                (expr.span.shrink_to_hi(), ")".to_string()),
            ]),
            Some("consider using `char::from_u32(i32::cast_unsigned(…)).unwrap()`"),
        ),
        // uNN → iNN
        (ty::Uint(_), ty::Int(_)) => {
            (Some(vec![(callee_span, format!("{src}::cast_signed"))]), None)
        }
        // iNN → uNN
        (ty::Int(_), ty::Uint(_)) => {
            (Some(vec![(callee_span, format!("{src}::cast_unsigned"))]), None)
        }
        // fNN → usize, isize
        (ty::Float(_), ty::Uint(ty::UintTy::Usize) | ty::Int(ty::IntTy::Isize)) => (
            Some(vec![
                (callee_span, format!("{src}::to_bits")),
                (expr.span.shrink_to_hi(), format!(" as {dst}")),
            ]),
            None,
        ),
        // fNN (→ uNN) → iNN
        (ty::Float(_), ty::Int(..)) => (
            Some(vec![
                (callee_span, format!("{src}::to_bits")),
                (expr.span.shrink_to_hi(), ".cast_signed()".to_string()),
            ]),
            None,
        ),
        // fNN → uNN
        (ty::Float(_), ty::Uint(..)) => {
            (Some(vec![(callee_span, format!("{src}::to_bits"))]), None)
        }
        // xsize → fNN
        (ty::Uint(ty::UintTy::Usize) | ty::Int(ty::IntTy::Isize), ty::Float(_)) => (
            Some(vec![
                (callee_span, format!("{dst}::from_bits")),
                (arg.span.shrink_to_hi(), " as _".to_string()),
            ]),
            None,
        ),
        // iNN (→ uNN) → fNN
        (ty::Int(_), ty::Float(_)) => (
            Some(vec![
                (callee_span, format!("{dst}::from_bits({src}::cast_unsigned")),
                (expr.span.shrink_to_hi(), ")".to_string()),
            ]),
            None,
        ),
        // uNN → fNN
        (ty::Uint(_), ty::Float(_)) => {
            (Some(vec![(callee_span, format!("{dst}::from_bits"))]), None)
        }
        // bool → x8 in const context since `From::from` is not const yet
        // FIXME: Consider arg expr's precedence to avoid parentheses.
        // FIXME(const_traits): Remove this when `From::from` is constified.
        (ty::Bool, ty::Int(..) | ty::Uint(..)) if const_context.is_some() => (
            Some(vec![
                (callee_span, "".to_string()),
                (expr.span.shrink_to_hi(), format!(" as {dst}")),
            ]),
            None,
        ),
        // bool → x8 using `x8::from`
        (ty::Bool, ty::Int(..) | ty::Uint(..)) => {
            (Some(vec![(callee_span, format!("{dst}::from"))]), None)
        }
        _ => return,
    };

    cx.tcx.node_span_lint(UNNECESSARY_TRANSMUTES, expr.hir_id, expr.span, |diag| {
        diag.primary_message("unnecessary transmute");
        if let Some(sugg) = sugg {
            diag.multipart_suggestion("replace this with", sugg, Applicability::MachineApplicable);
        }
        if let Some(help) = help {
            diag.help(help);
        }
    });
}

#[derive(LintDiagnostic)]
#[diag(lint_undefined_transmute)]
#[note]
#[note(lint_note2)]
#[help]
pub(crate) struct UndefinedTransmuteLint;