[strict provenance] add lints for evil pointer casts #95488
Comments
Gankra
added
A-lint
Von Neumann would be the appropriate name if you wanted to highlight that aspect, though some Harvard architectures can handle them just fine too, depends on whether the data pointer representation is sufficient to also safely round-trip function pointers (though it may refer to something else when interpreted as a data pointer). |
|
Can't we just make this lint unstable like |
|
Oh yes if there's properly lint stability stuff that would be Good To Use (unless that introduces "have to use nightly" and that is deemed unacceptable). |
|
Oh also I have no idea what the deal is with "safe transmute" stuff, but if these lints can at all look "into" transmutes and try to catch more Secret Casts that would be Friggin' Rad. |
I proposed this in side channels, with the (joking) explanation that "if you start with just a few, they'll proliferate" :P |
@Gankra Should be possible! The in-development safe(r) transmute API, which will be a distinct API from |
|
Bytemuck also removed the Pod impl for pointers a few versions back <3 |
|
Note that lang and libs both want a lint for ptr-to-int via |
|
I would like to give it a try. |
|
@Gankra regarding "lints that don't exist", there's a lint deprecation mechanism that allows you to register names as deprecated (and delete the impl), it's used often in clippy and occasionally in rustc |
|
#95599 contains lints for int-to-ptr and ptr-to-int The exposing API methods introduced by #95588 might be linted against using clippy's Regarding transmutes it should be pretty trivial to lint against ptr-to-int and int-to-ptr transmutes, but not when the integers/pointers are hidden inside other structs. That will probably require the full safer transmute stuff. |
…chaelwoerister Strict provenance lints See rust-lang#95488. This PR introduces two unstable (allow by default) lints to which lint on int2ptr and ptr2int casts, as the former is not possible in the strict provenance model and the latter can be written nicer using the `.addr()` API. Based on an initial version of the lint by `@Gankra` in rust-lang#95199.
…chaelwoerister Strict provenance lints See rust-lang#95488. This PR introduces two unstable (allow by default) lints to which lint on int2ptr and ptr2int casts, as the former is not possible in the strict provenance model and the latter can be written nicer using the `.addr()` API. Based on an initial version of the lint by ``@Gankra`` in rust-lang#95199.
…chaelwoerister Strict provenance lints See rust-lang#95488. This PR introduces two unstable (allow by default) lints to which lint on int2ptr and ptr2int casts, as the former is not possible in the strict provenance model and the latter can be written nicer using the `.addr()` API. Based on an initial version of the lint by ```@Gankra``` in rust-lang#95199.
This issue is part of the Strict Provenance Experiment - #95228
We should make it easier for people to detect places where they are using casts instead of the "blessed" strict_provenance APIs.
@eddyb and I prototyped this out here: 93f7f06
The patch needs some cleanups, though. Quoting from elsewhere:
All lints should be made allow by default, meaning they're opt-in.
At least in the bootstrap, the compiler will complain if you
allow()a lint in your code that doesn't exist. This potentially just means:Also due to the "Opaque Function Pointers" / "Harvard Architecture" / "AVR is cursed" issue
rust/library/core/src/ptr/mod.rs
Lines 1390 to 1395 in 9280445
I think we want the lint broken up into parts:
#[fuzzy_provenance_casts]- int-to-ptr, totally evil#[lossy_provencance_casts]- ptr-to-int, sketchy but valid as long as you actually want.addr()semantics#[oxford_casts]- casts that make harvard architectures sad -- fn<->ptr (name is a joke... unless...)I can't justify discouraging
fn <-> int, absent better ways to talk about fn ptrs properly.The text was updated successfully, but these errors were encountered: