Lint against `&T` to `&mut T` and `&T` to `&UnsafeCell<T>` transmutes #128351

ChayimFriedman2 · 2024-07-29T15:52:56Z

Conversion from & to &mut are and always were immediate UB, and we already lint against them, but until now the lint did not catch the case were the reference was in a field.

Conversion from & to &UnsafeCell is more nuanced: Stacked Borrows makes it immediate UB, but in Tree Borrows it is sound.

However, even in Tree Borrows it is UB to write into that reference (if the original value was Freeze). In all cases crater found where the lint triggered, the reference was written into.

Lints (mutable_transmutes existed before):

The mutable_transmutes lint catches transmuting from &T to &mut T because it is undefined behavior.

Example
unsafe {
    let y = std::mem::transmute::<&i32, &mut i32>(&5);
}
Produces:
error: transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
 --> .\example.rs:5:17
  |
5 |         let y = std::mem::transmute::<&i32, &mut i32>(&5);
  |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  |
  = note: transmute from `&i32` to `&mut i32`
  = note: `#[deny(mutable_transmutes)]` on by default
Explanation

Certain assumptions are made about aliasing of data, and this transmute
violates those assumptions. Consider using UnsafeCell instead.

The unsafe_cell_transmutes lint catches transmuting or casting from &T to &UnsafeCell<T>
because it dangerous and might be undefined behavior.

Example
use std::cell::Cell;

unsafe {
    let x = 5_i32;
    let y = std::mem::transmute::<&i32, &Cell<i32>>(&x);
    y.set(6);

    let z = &*(&x as *const i32 as *const Cell<i32>);
    z.set(7);
}
Produces:
error: transmuting &T to &UnsafeCell<T> is error-prone, rarely intentional and may cause undefined behavior
 --> .\example.rs:6:17
  |
6 |         let y = std::mem::transmute::<&i32, &Cell<i32>>(&x);
  |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  |
  = note: transmute from `*&i32` to `(*&Cell<i32>).value`
  = note: `#[deny(unsafe_cell_transmutes)]` on by default

error: transmuting &T to &UnsafeCell<T> is error-prone, rarely intentional and may cause undefined behavior
 --> .\example.rs:9:17
  |
9 |         let z = &*(&x as *const i32 as *const Cell<i32>);
  |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  |
  = note: transmute from `i32` to `Cell<i32>.value`
Explanation

Conversion from &T to &UnsafeCell<T> might be immediate undefined behavior, depending on
unspecified details of the aliasing model.

Even if it is not, writing to it will be undefined behavior if there was no UnsafeCell in
the original T, and even if there was, it might be undefined behavior (again, depending
on unspecified details of the aliasing model).

It is also highly dangerous and error-prone, and unlikely to be useful.

Crater summary is below.

cc #111229

r? compiler

rustbot · 2024-07-29T15:53:00Z

The Miri subtree was changed

cc @rust-lang/miri

oli-obk · 2024-07-29T16:00:59Z

@bors try

…e-cell, r= [crater] Lint against &T to &mut T and &T to &UnsafeCell<T> transmutes Needs a (check-only) crater run as per https://rust-lang.zulipchat.com/#narrow/stream/213817-t-lang/topic/Lint.20against.20.60.26.60-.3E.60.26UnsafeCell.60.20transmutes/near/454868964. r? ghost

bors · 2024-07-29T16:02:11Z

⌛ Testing commit 5c1d66e with merge 94971c2...

bors · 2024-07-29T16:21:18Z

💔 Test failed - checks-actions

oli-obk · 2024-07-29T21:58:43Z

@bors try

…e-cell, r=<try> [crater] Lint against &T to &mut T and &T to &UnsafeCell<T> transmutes Needs a (check-only) crater run as per https://rust-lang.zulipchat.com/#narrow/stream/213817-t-lang/topic/Lint.20against.20.60.26.60-.3E.60.26UnsafeCell.60.20transmutes/near/454868964. r? ghost

bors · 2024-07-29T21:59:54Z

⌛ Trying commit 59c22c3 with merge be92fb7...

tgross35 · 2024-07-30T01:21:26Z

@bors try

…e-cell, r=<try> [crater] Lint against &T to &mut T and &T to &UnsafeCell<T> transmutes Needs a (check-only) crater run as per https://rust-lang.zulipchat.com/#narrow/stream/213817-t-lang/topic/Lint.20against.20.60.26.60-.3E.60.26UnsafeCell.60.20transmutes/near/454868964. r? ghost

bors · 2024-07-30T01:22:37Z

⌛ Trying commit cc72a92 with merge 0914651...

bors · 2024-07-30T03:15:57Z

☀️ Try build successful - checks-actions
Build commit: 0914651 (09146510cdb33d15474a35fde290187a88b1cf35)

oli-obk · 2024-07-30T05:37:55Z

@craterbot check

craterbot · 2024-07-30T05:38:02Z

👌 Experiment pr-128351 created and queued.
🤖 Automatically detected try build 0914651
🔍 You can check out the queue and this experiment's details.

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

craterbot · 2024-07-30T05:38:38Z

🚧 Experiment pr-128351 is now running

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

RalfJung · 2024-10-17T18:39:13Z

Hm, just makes me wonder if there are any other wrong assumptions encoded in the lint...

tmandry · 2024-10-24T01:34:45Z

@rfcbot reviewed

rfcbot · 2024-10-26T15:58:28Z

The final comment period, with a disposition to merge, as per the review above, is now complete.

As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed.

This will be merged soon.

ChayimFriedman2 · 2024-12-07T19:20:26Z

Since we haven't heard from the reviewer...

r? compiler

This adds the lint against `&T`->`&UnsafeCell<T>` transmutes, and also check in struct fields, and reference casts (`&*(&a as *const u8 as *const UnsafeCell<u8>)`). The code is quite complex; I've tried my best to simplify and comment it. This is missing one parts: array transmutes. When transmuting an array, this only consider the first element. The reason for that is that the code is already quite complex, and I didn't want to complicate it more. This catches the most common pattern of transmuting an array into an array of the same length with type of the same size; more complex cases are likely not properly handled. We could take a bigger sample, for example the first and last elements to increase the chance that the lint will catch mistakes, but then the runtime complexity becomes exponential with the nesting of the arrays (`[[[[[T; 2]; 2]; 2]; 2]; 2]` has complexity of O(2**5), for instance).

nnethercote · 2024-12-09T05:48:23Z

@oli-obk: would you be willing to review? This is covering lots of territory I don't know well, and I imagine there are subtleties that I could easily overlook.

oli-obk · 2024-12-09T11:52:03Z

😭 that's a lot of new code to review

nnethercote

This feels like it's heading in the right direction.

My main observation is about terminology. To me:

"casting" is a specific thing, done via as or cast
"transmuting" is a different specific thing, done only via mem::transmute
"converting" is an imprecise term that possibly covers both "casting" and "transmuting".

Is that correct? It aligns with the Type Conversions chapter of the Rustonomicon. But this PR tends to use "cast" and "transmute" imprecisely and somewhat interchangeably.

I think mutable_transmutes only triggers on mem::transmute, but unsafe_cell_transmutes triggers on both mem::transmute and casting.
The crater result mentions unsafe_cell_reference_casting. Is that an old name for unsafe_cell_transmutes?
The error message only mention transmuting.
The lint descriptions (in doc comments) mention both transmuting and casting in a way that matches my understanding.
is_type_cast seems to cover both casting and transmuting.

I feel like this needs to be clarified, and the whole commit needs a once-over to ensure these terms are being used precisely and consistently. Should unsafe_cell_transmutes should be renamed unsafe_cell_conversions?

Beyond that, mutable_transmutes.rs has most of the new code. I reviewed it and it seems reasonable, but that kind of traversal is not my forte so it's possible I missed stuff. All the breadcrumb code is quite complicated, and I do I wonder if something like that already exists elsewhere in the compiler for some other kind of error message.

nnethercote · 2024-12-10T02:50:36Z

tests/ui/transmute/transmute-imut-to-mut.rs

@@ -1,8 +0,0 @@
-// Tests that transmuting from &T to &mut T is Undefined Behavior.


Why is this test removed?

Maybe because there's more comprehensive testing in another file now?

nnethercote · 2024-12-10T02:55:05Z

tests/ui/lint/mutable_transmutes/lint.rs

@@ -0,0 +1,163 @@
+use std::cell::UnsafeCell;


The tests/ui/lint/mutable_transmutes directory name is slightly misleading because it contains tests that cover both mutable_transmutes and unsafe_cell_transmutes. I'm not sure how to fix it, though, and whether it's worth fixing.

nnethercote · 2024-12-10T03:02:46Z

compiler/rustc_lint/src/lints.rs

 #[derive(LintDiagnostic)]
 #[diag(lint_builtin_mutable_transmutes)]
-pub(crate) struct BuiltinMutablesTransmutes;
+#[note]
+pub(crate) struct BuiltinMutablesTransmutes<'a> {


Why does this one have a Builtin prefix but UnsafeCellTransmutes does not?

nnethercote · 2024-12-10T03:03:57Z

compiler/rustc_lint/src/lints.rs

@@ -224,9 +225,39 @@ pub(crate) struct BuiltinConstNoMangle {
    pub suggestion: Span,
 }

+// This would be more convenient as `from: String` and `to: String`, but then we'll ICE for formatting a `Ty`
+// when the lint is `#[allow]`ed.


I read this comment several times, but I still don't really understand it. Explain some more, perhaps? Also, the comment talks about "from"/"to" but the fields are "before"/"after", which is confusing.

nnethercote · 2024-12-10T03:10:30Z