rust-lang · WaffleLapkin · Oct 29, 2022 · Oct 29, 2022 · Nov 1, 2022 · Nov 2, 2022
diff --git a/compiler/rustc_lint/src/implicit_unsafe_autorefs.rs b/compiler/rustc_lint/src/implicit_unsafe_autorefs.rs
@@ -0,0 +1,83 @@
+use crate::{LateContext, LateLintPass, LintContext};
+
+use rustc_errors::Applicability;
+use rustc_hir::{self as hir, Expr, ExprKind, UnOp};
+use rustc_middle::ty::adjustment::{Adjust, AutoBorrow};
+
+declare_lint! {
+ /// The `implicit_unsafe_autorefs` lint checks for implicitly taken references to dereferences of raw pointers.
+ ///
+ /// ### Example
+ ///
+ /// ```rust
+ /// unsafe fn fun(ptr: *mut [u8]) -> *mut [u8] {
+ /// addr_of_mut!((*ptr)[..16])
+ /// // ^^^^^^ this calls `IndexMut::index_mut(&mut ..., ..16)`,
+ /// // implicitly creating a reference
+ /// }
+ /// ```
+ ///
+ /// {{produces}}
+ ///
+ /// ### Explanation
+ ///
+ /// When working with raw pointers it's usually undesirable to create references,
+ /// since they inflict a lot of safety requirement. Unfortunately, it's possible
+ /// to take a reference to a dereferece of a raw pointer implitly, which inflicts
+ /// the usual reference requirements without you even knowing that.
+ /// 
+ /// If you are sure, you can soundly take a reference, then you can take it explicitly:
+ /// ```rust
+ /// unsafe fn fun(ptr: *mut [u8]) -> *mut [u8] {
+ /// addr_of_mut!((&mut *ptr)[..16])
+ /// }
+ /// ```
+ /// 
+ /// Otherwise try to find an alternative way to achive your goals that work only with
+ /// raw pointers:
+ /// ```rust
+ /// #![feature(slice_ptr_get)]
+ /// 
+ /// unsafe fn fun(ptr: *mut [u8]) -> *mut [u8] {
+ /// ptr.get_unchecked_mut(..16)
+ /// }
+ /// ```
+ pub IMPLICIT_UNSAFE_AUTOREFS,
+ Deny,
+ "implicit reference to a dereference of a raw pointer"
+}
+
+declare_lint_pass!(ImplicitUnsafeAutorefs => [IMPLICIT_UNSAFE_AUTOREFS]);
+
+impl<'tcx> LateLintPass<'tcx> for ImplicitUnsafeAutorefs {
+ fn check_expr(&mut self, cx: &LateContext<'tcx>, expr: &'tcx Expr<'_>) {
+ let typeck = cx.typeck_results();
+ let adjustments_table = typeck.adjustments();
+
+ if let Some(adjustments) = adjustments_table.get(expr.hir_id) 
+ && let [adjustment] = &**adjustments
+ // An auto-borrow
+ && let Adjust::Borrow(AutoBorrow::Ref(_, mutbl)) = adjustment.kind
+ // ... of a deref
+ && let ExprKind::Unary(UnOp::Deref, dereferenced) = expr.kind
+ // ... of a raw pointer
+ && typeck.expr_ty(dereferenced).is_unsafe_ptr()
+ {
+ let mutbl = hir::Mutability::prefix_str(&mutbl.into());
+
+ let msg = "implicit auto-ref creates a reference to a dereference of a raw pointer";
+ cx.struct_span_lint(IMPLICIT_UNSAFE_AUTOREFS, expr.span, msg, |lint| {
+ lint
+ .note("creating a reference inflicts a lot of safety requirements")
+ .multipart_suggestion(
+ "if this reference is intentional, make it explicit", 
+ vec![
+ (expr.span.shrink_to_lo(), format!("(&{mutbl}")),
+ (expr.span.shrink_to_hi(), ")".to_owned())
+ ], 
+ Applicability::MaybeIncorrect
+ )
+ })
+ }
+ }
+}
diff --git a/compiler/rustc_lint/src/lib.rs b/compiler/rustc_lint/src/lib.rs
@@ -54,6 +54,7 @@ mod errors;
 mod expect;
 mod for_loops_over_fallibles;
 pub mod hidden_unicode_codepoints;
+mod implicit_unsafe_autorefs;
 mod internal;
 mod late;
 mod let_underscore;
@@ -89,6 +90,7 @@ use builtin::*;
 use enum_intrinsics_non_enums::EnumIntrinsicsNonEnums;
 use for_loops_over_fallibles::*;
 use hidden_unicode_codepoints::*;
+use implicit_unsafe_autorefs::*;
 use internal::*;
 use let_underscore::*;
 use methods::*;
@@ -191,6 +193,7 @@ macro_rules! late_lint_mod_passes {
  $args,
  [
  ForLoopsOverFallibles: ForLoopsOverFallibles,
+ ImplicitUnsafeAutorefs: ImplicitUnsafeAutorefs,
  HardwiredLints: HardwiredLints,
  ImproperCTypesDeclarations: ImproperCTypesDeclarations,
  ImproperCTypesDefinitions: ImproperCTypesDefinitions,

diff --git a/library/alloc/src/collections/btree/node.rs b/library/alloc/src/collections/btree/node.rs
@@ -1699,7 +1699,7 @@ unsafe fn slice_insert<T>(slice: &mut [MaybeUninit<T>], idx: usize, val: T) {
  if len > idx + 1 {
  ptr::copy(slice_ptr.add(idx), slice_ptr.add(idx + 1), len - idx - 1);
  }
- (*slice_ptr.add(idx)).write(val);
+ slice_ptr.add(idx).cast::<T>().write(val);
  }
 }
 
@@ -1713,7 +1713,7 @@ unsafe fn slice_remove<T>(slice: &mut [MaybeUninit<T>], idx: usize) -> T {
  let len = slice.len();
  debug_assert!(idx < len);
  let slice_ptr = slice.as_mut_ptr();
- let ret = (*slice_ptr.add(idx)).assume_init_read();
+ let ret = slice_ptr.add(idx).cast::<T>().read();
  ptr::copy(slice_ptr.add(idx + 1), slice_ptr.add(idx), len - idx - 1);
  ret
  }

diff --git a/library/alloc/src/string.rs b/library/alloc/src/string.rs
@@ -2909,7 +2909,7 @@ impl Drop for Drain<'_> {
  unsafe {
  // Use Vec::drain. "Reaffirm" the bounds checks to avoid
  // panic code being inserted again.
- let self_vec = (*self.string).as_mut_vec();
+ let self_vec = (&mut *self.string).as_mut_vec();
  if self.start <= self.end && self.end <= self_vec.len() {
  self_vec.drain(self.start..self.end);
  }

diff --git a/library/alloc/src/vec/mod.rs b/library/alloc/src/vec/mod.rs
@@ -1942,7 +1942,7 @@ impl<T, A: Allocator> Vec<T, A> {
  #[cfg(not(no_global_oom_handling))]
  #[inline]
  unsafe fn append_elements(&mut self, other: *const [T]) {
- let count = unsafe { (*other).len() };
+ let count = other.len();
  self.reserve(count);
  let len = self.len();
  unsafe { ptr::copy_nonoverlapping(other as *const T, self.as_mut_ptr().add(len), count) };

diff --git a/library/proc_macro/src/bridge/closure.rs b/library/proc_macro/src/bridge/closure.rs
@@ -19,7 +19,7 @@ struct Env;
 impl<'a, A, R, F: FnMut(A) -> R> From<&'a mut F> for Closure<'a, A, R> {
  fn from(f: &'a mut F) -> Self {
  unsafe extern "C" fn call<A, R, F: FnMut(A) -> R>(env: *mut Env, arg: A) -> R {
- (*(env as *mut _ as *mut F))(arg)
+ (&mut *(env as *mut _ as *mut F))(arg)
  }
  Closure { call: call::<A, R, F>, env: f as *mut _ as *mut Env, _marker: PhantomData }
  }

diff --git a/library/std/src/sync/mpsc/oneshot.rs b/library/std/src/sync/mpsc/oneshot.rs
@@ -86,7 +86,7 @@ impl<T> Packet<T> {
  NothingSent => {}
  _ => panic!("sending on a oneshot that's already sent on "),
  }
- assert!((*self.data.get()).is_none());
+ assert!((&*self.data.get()).is_none());
  ptr::write(self.data.get(), Some(t));
  ptr::write(self.upgrade.get(), SendUsed);
 
@@ -289,7 +289,7 @@ impl<T> Packet<T> {
  // We then need to check to see if there was an upgrade requested,
  // and if so, the upgraded port needs to have its selection aborted.
  DISCONNECTED => unsafe {
- if (*self.data.get()).is_some() {
+ if (&*self.data.get()).is_some() {
  Ok(true)
  } else {
  match ptr::replace(self.upgrade.get(), SendUsed) {

diff --git a/library/std/src/sys/unix/stack_overflow.rs b/library/std/src/sys/unix/stack_overflow.rs
@@ -81,7 +81,7 @@ mod imp {
  _data: *mut libc::c_void,
  ) {
  let guard = thread_info::stack_guard().unwrap_or(0..0);
- let addr = (*info).si_addr() as usize;
+ let addr = (&*info).si_addr() as usize;
 
  // If the faulting address is within the guard page, then we print a
  // message saying so and abort.

diff --git a/library/std/src/thread/local.rs b/library/std/src/thread/local.rs
@@ -799,7 +799,7 @@ mod lazy {
  // the inner cell nor mutable reference to the Option<T> inside said
  // cell. This make it safe to hand a reference, though the lifetime
  // of 'static is itself unsafe, making the get method unsafe.
- unsafe { (*self.inner.get()).as_ref() }
+ unsafe { (&*self.inner.get()).as_ref() }
  }
 
  /// The caller must ensure that no reference is active: this method
@@ -853,7 +853,7 @@ mod lazy {
  #[allow(unused)]
  pub unsafe fn take(&mut self) -> Option<T> {
  // SAFETY: See doc comment for this method.
- unsafe { (*self.inner.get()).take() }
+ unsafe { (&mut *self.inner.get()).take() }
  }
  }
 }

diff --git a/src/test/ui/lint/implicit_unsafe_autorefs.fixed b/src/test/ui/lint/implicit_unsafe_autorefs.fixed
@@ -0,0 +1,14 @@
+// run-rustfix
+use std::ptr::{addr_of, addr_of_mut};
+
+unsafe fn _test_mut(ptr: *mut [u8]) -> *mut [u8] {
+ addr_of_mut!((&mut (*ptr))[..16])
+ //~^ error: implicit auto-ref creates a reference to a dereference of a raw pointer
+}
+
+unsafe fn _test_const(ptr: *const [u8]) -> *const [u8] {
+ addr_of!((&(*ptr))[..16])
+ //~^ error: implicit auto-ref creates a reference to a dereference of a raw pointer
+}
+
+fn main() {}
diff --git a/src/test/ui/lint/implicit_unsafe_autorefs.rs b/src/test/ui/lint/implicit_unsafe_autorefs.rs
@@ -0,0 +1,14 @@
+// run-rustfix
+use std::ptr::{addr_of, addr_of_mut};
+
+unsafe fn _test_mut(ptr: *mut [u8]) -> *mut [u8] {
+ addr_of_mut!((*ptr)[..16])
+ //~^ error: implicit auto-ref creates a reference to a dereference of a raw pointer
+}
+
+unsafe fn _test_const(ptr: *const [u8]) -> *const [u8] {
+ addr_of!((*ptr)[..16])
+ //~^ error: implicit auto-ref creates a reference to a dereference of a raw pointer
+}
+
+fn main() {}
diff --git a/src/test/ui/lint/implicit_unsafe_autorefs.stderr b/src/test/ui/lint/implicit_unsafe_autorefs.stderr
@@ -0,0 +1,27 @@
+error: implicit auto-ref creates a reference to a dereference of a raw pointer
+ --> $DIR/implicit_unsafe_autoref.rs:5:18
+ |
+LL | addr_of_mut!((*ptr)[..16])
+ | ^^^^^^
+ |
+ = note: creating a reference inflicts a lot of safety requirements
+ = note: `#[deny(implicit_unsafe_autorefs)]` on by default
+help: if this reference is intentional, make it explicit
+ |
+LL | addr_of_mut!((&mut (*ptr))[..16])
+ | +++++ +
+
+error: implicit auto-ref creates a reference to a dereference of a raw pointer
+ --> $DIR/implicit_unsafe_autoref.rs:10:14
+ |
+LL | addr_of!((*ptr)[..16])
+ | ^^^^^^
+ |
+ = note: creating a reference inflicts a lot of safety requirements
+help: if this reference is intentional, make it explicit
+ |
+LL | addr_of!((&(*ptr))[..16])
+ | ++ +
+
+error: aborting due to 2 previous errors
+