Skip to content

Lint against &T to &mut T and &T to &UnsafeCell<T> transmutes (rebase) #143343

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Lint against &T to &mut T and &T to &UnsafeCell<T> transmutes (rebase) #143343

wants to merge 1 commit into from
+1,130 −92

Conversation

GrigorenkoPV
Copy link
Contributor

@GrigorenkoPV GrigorenkoPV commented Jul 2, 2025
edited by rustbot
Loading

This is a rebase of #128351 with the new lint's name being reverted back to unsafe_cell_transmutes, as requested by T-lang.

Original description:

Conversion from & to &mut are and always were immediate UB, and we already lint against them, but until now the lint did not catch the case were the reference was in a field.

Conversion from & to &UnsafeCell is more nuanced: Stacked Borrows makes it immediate UB, but in Tree Borrows it is sound.

However, even in Tree Borrows it is UB to write into that reference (if the original value was Freeze). In all cases crater found where the lint triggered, the reference was written into.

Lints (mutable_transmutes existed before):

The mutable_transmutes lint catches transmuting from &T to &mut T because it is undefined behavior.

Example

unsafe {
    let y = std::mem::transmute::<&i32, &mut i32>(&5);
}

Produces:

error: transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
 --> .\example.rs:5:17
  |
5 |         let y = std::mem::transmute::<&i32, &mut i32>(&5);
  |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  |
  = note: transmute from `&i32` to `&mut i32`
  = note: `#[deny(mutable_transmutes)]` on by default

Explanation

Certain assumptions are made about aliasing of data, and this transmute
violates those assumptions. Consider using UnsafeCell instead.

The unsafe_cell_transmutes lint catches transmuting or casting from &T to &UnsafeCell<T>
because it dangerous and might be undefined behavior.

Example

use std::cell::Cell;

unsafe {
    let x = 5_i32;
    let y = std::mem::transmute::<&i32, &Cell<i32>>(&x);
    y.set(6);

    let z = &*(&x as *const i32 as *const Cell<i32>);
    z.set(7);
}

Produces:

error: transmuting &T to &UnsafeCell<T> is error-prone, rarely intentional and may cause undefined behavior
 --> .\example.rs:6:17
  |
6 |         let y = std::mem::transmute::<&i32, &Cell<i32>>(&x);
  |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  |
  = note: transmute from `*&i32` to `(*&Cell<i32>).value`
  = note: `#[deny(unsafe_cell_transmutes)]` on by default

error: transmuting &T to &UnsafeCell<T> is error-prone, rarely intentional and may cause undefined behavior
 --> .\example.rs:9:17
  |
9 |         let z = &*(&x as *const i32 as *const Cell<i32>);
  |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  |
  = note: transmute from `i32` to `Cell<i32>.value`

Explanation

Conversion from &T to &UnsafeCell<T> might be immediate undefined behavior, depending on
unspecified details of the aliasing model.
Even if it is not, writing to it will be undefined behavior if there was no UnsafeCell in
the original T, and even if there was, it might be undefined behavior (again, depending
on unspecified details of the aliasing model).
It is also highly dangerous and error-prone, and unlikely to be useful.

Crater summary is below.

cc #111229

r? compiler

@rustbot
Copy link
Collaborator

rustbot commented Jul 2, 2025

r? @SparrowLii

rustbot has assigned @SparrowLii.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. labels Jul 2, 2025
@rustbot
Copy link
Collaborator

rustbot commented Jul 2, 2025

The Miri subtree was changed

cc @rust-lang/miri

@rust-log-analyzer

This comment has been minimized.

Sign in to view
@GrigorenkoPV GrigorenkoPV force-pushed the lints/unsafe_cell_transmutes branch from 553a558 to abcc149 Compare July 2, 2025 23:22
@rust-log-analyzer

This comment has been minimized.

Sign in to view
@GrigorenkoPV GrigorenkoPV force-pushed the lints/unsafe_cell_transmutes branch from abcc149 to 0b550dd Compare July 3, 2025 18:13
@ChayimFriedman2 @GrigorenkoPV
Lint against &T to &mut T and &T to &UnsafeCell<T> transmutes
3495b59 
This adds the lint against `&T`->`&UnsafeCell<T>` transmutes, and also check in struct fields, and reference casts (`&*(&a as *const u8 as *const UnsafeCell<u8>)`).

The code is quite complex; I've tried my best to simplify and comment it.

This is missing one parts: array transmutes. When transmuting an array, this only consider the first element. The reason for that is that the code is already quite complex, and I didn't want to complicate it more.
This catches the most common pattern of transmuting an array into an array of the same length with type of the same size; more complex cases are likely not properly handled.
We could take a bigger sample, for example the first and last elements to increase the chance that the lint will catch mistakes, but then the runtime complexity becomes exponential with the nesting of the arrays (`[[[[[T; 2]; 2]; 2]; 2]; 2]` has complexity of O(2**5), for instance).
@GrigorenkoPV GrigorenkoPV force-pushed the lints/unsafe_cell_transmutes branch from 0b550dd to 3495b59 Compare July 3, 2025 22:27
@SparrowLii
Copy link
Member

I'm not familiar with lints so I'd like to roll this
r? compiler

@rustbot rustbot assigned fee1-dead and unassigned SparrowLii Jul 4, 2025
@jieyouxu jieyouxu mentioned this pull request Jul 4, 2025
Closed
@jieyouxu
Copy link
Member

jieyouxu commented Jul 4, 2025

See also #133653, which appears to be a more restricted subset of this lint, I have not had the bandwidth to look into this.

fee1-dead
fee1-dead requested changes Jul 7, 2025
View reviewed changes
compiler/rustc_lint/messages.ftl
@@ -121,6 +121,7 @@ lint_builtin_missing_doc = missing documentation for {$article} {$desc}
lint_builtin_mutable_transmutes =
transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
transmuting `&T` to `&mut T` is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell

compiler/rustc_lint/messages.ftl
@@ -934,6 +935,11 @@ lint_unsafe_attr_outside_unsafe = unsafe attribute used without unsafe
.label = usage of unsafe attribute
lint_unsafe_attr_outside_unsafe_suggestion = wrap the attribute in `unsafe(...)`
lint_unsafe_cell_transmutes =
converting &T to &UnsafeCell<T> is error-prone, rarely intentional and may cause undefined behavior
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
converting &T to &UnsafeCell<T> is error-prone, rarely intentional and may cause undefined behavior
converting `&T` to `&UnsafeCell<T>` is error-prone, rarely intentional and may cause undefined behavior

tests/ui/lint/mutable_transmutes/lint.stderr
LL | let _: Foo<&'static UnsafeCell<u8>> = unsafe { transmute(Other(&1u8, &1u8)) };
| ^^^^^^^^^
|
= note: conversion from `*main::Other.1` to `*main::Foo<&UnsafeCell<u8>>.b.0.0`
Copy link
Member

@fee1-dead fee1-dead Jul 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a bit hard to untangle the formatting machinery and I feel like this could be clearer. Here's a diagnostic I'd like to see instead:

Suggested change
= note: conversion from `*main::Other.1` to `*main::Foo<&UnsafeCell<u8>>.b.0.0`
note: this field... (`1` in `main::Other`)
--> file.rs:LL:CC
|
LL | struct Other(&'static u8, &'static u8);
| ^^^^^^^^^^^
|
= note: this field has type `&u8`
|
note: ...is being converted to this (`b.0.0` in `main::Foo<&UnsafeCell<u8>>`)
--> file.rs:LL:CC
|
LL | struct Baz<T>(T);
| ^
|
= note: this field has type `&UnsafeCell<u8>`

Storing the relevant information for this (instead of what is done currently) would probably reduce the complexity in the code.

@rustbot rustbot added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Jul 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fee1-dead fee1-dead fee1-dead requested changes

Assignees

@fee1-dead fee1-dead

Labels
S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@GrigorenkoPV @rustbot @rust-log-analyzer @SparrowLii @jieyouxu @fee1-dead @ChayimFriedman2