Add lint to deny transmuting &T to &mut T

[seanmonstar]

The UnsafeCell documentation says it is undefined behavior, so people shouldn't do it.

This happened to catch one case in libstd that was doing this, and I switched that to use an UnsafeCell internally.

Closes #13146

[rust-highfive]

r? @eddyb

(rust_highfive has picked a reviewer for you, use r? to override)

[Manishearth]

Just use expr_ty?

[seanmonstar]

I actually stole most of this code from rustc::middle::instrinsicck...

[Manishearth]

I'm not sure why we need to go through resolve_expr here, actually.

We have transmute(a), where transmute(a) is an ExprCall (where the first Expr is an ExprPath) and a is some form of Expr. Just running expr_ty on both should be enough to get the types, without going through BareFnTy and whatnot.

[seanmonstar]

It seems it's needed to get to the DefId, so that we can determine if this method is actually std::mem::transmute, even if it's been imported as a different name. The BareFnTy is also needed to check the ABI.

[Manishearth]

nit: we should probably compare the strings (there is a get() or a deref impl on Ident), not idents

Edit: as_str()

[seanmonstar]

Why compare the strings? It seems token::get_ident() doesn't return an ast::Ident (the fn name is misleading), but an InternedString. Comparing an interned string should be strictly faster than pulling out the original Strings and then doing a memcmp, right?

[Manishearth]

Yeah, but you have to intern a string to get there, so you do the comparison anyway in the interning.

item.ident is an Ident and can be directly compared with "transmute" after an as_str()

[Manishearth]

I'll have another look later when I can access docs, but this looks good to me code-wise. There may be a way to avoid the csearch.

I'm not certain if we want to add more lints though. @alexcrichton thoughts?

[alexcrichton]

I personally feel that we have far too many lints as-is, but I'm also quite biased! I don't believe we have a strict policy on what lints are included and which are not.

[seanmonstar]

So, this doesn't need to be a lint. It could be built in to the instrinsicck code that checks all other kinds of transmutes. However, this one doesn't violate a size difference. Either way, docs saying "don't ever do this" but a compiler who happily allows it reminds me of C.

[Manishearth]

I don't think we need the csearch here. Just check that the ABI is rust-intrinsic and that the path matches transmute

[seanmonstar]

I don't know enough yet, so likely ignore me. However, it looks like csearch is needed if the fn def_id is not defined in the same crate (so most cases), right?

[Manishearth]

Well, you don't need to lookup the def, the name of the function is already with you in the ExprPath -- transmute(a) is an ExprCall(ExprPath("transmute"), vec![whatever a is])

[seanmonstar]

Hm, good point!

[seanmonstar]

@Manishearth oh, what about use std::mem::transmute as trans? I imagine that's why the original fn is being looked up?

[Manishearth]

Ah right. Lookup is necessary in that case.

[steveklabnik]

This would fix #13146

[seanmonstar]

@Manishearth okay, using .as_str() == "transmute" instead.

Also added [breaking-change] to the commit, since it technically is. However, it's UB without it, so the breakage seems worth it.

Also, nominate for beta, since breaking at 1.1 seems impossible?

[Manishearth]

triage: beta-nominated

wonder if that works

[seanmonstar]

Anything else required for this?

[Manishearth]

Looks good to me.

I'll let @alexcrichton r+ this though

[pnkfelix]

from nominated to (nominated, accepted)

[nwin]

Maybe the documentation of UnsafeCell should be reworded. That transmuting & to &mut is “in general” undefined behavior does not mean that it is undefined behavior per se. The reference makes much stronger arguments.

[alexcrichton]

I still personally feel that lints like this are too specific to be that beneficial. For example this does not provide an iron-clad guarantee that this kind of "undefined behavior" isn't actually happening. The biggest abuser of &mut self in the standard library, channels, is not caught by this change and probably wouldn't with any form of lint. I know that lints are not meant to provide an iron-clad guarantee, but I'm just not sure how useful this will end up being (especially being deny-by-default).

[Manishearth]

IMO if we crack down on UB now, even with semi effective solutions like this one; it will still be a net gain in the future when there isn't any UB abuse scattered all over the place.

-----Original Message-----
From: "Alex Crichton" notifications@github.com
Sent: ‎4/‎25/‎2015 12:24 AM
To: "rust-lang/rust" rust@noreply.github.com
Cc: "Manish Goregaokar" manishsmail@gmail.com
Subject: Re: [rust] Add lint to deny transmuting &T to &mut T (#24392)

I still personally feel that lints like this are too specific to be that beneficial. For example this does not provide an iron-clad guarantee that this kind of "undefined behavior" isn't actually happening. The biggest abuser of &mut self in the standard library, channels, is not caught by this change and probably wouldn't with any form of lint. I know that lints are not meant to provide an iron-clad guarantee, but I'm just not sure how useful this will end up being (especially being deny-by-default).
—
Reply to this email directly or view it on GitHub.

[bstrie]

I happen to believe that any lint that's supposed to be so important to be deny-by-default should be a feature of the language proper rather than being left up to a lint. I dunno, maybe the perfect is the enemy of the good...

[Manishearth]

I'm open to warn by default

[seanmonstar]

Since this is undefined behavior, I think it should be deny by default. If you somehow know better, you can add an allow.

I originally thought of adding this code to intrinsicsck, but several in #rust-internals said it seemed wrong since that's only supposed to enforce the values are the same size.

[alexcrichton]

I do agree with @bstrie that it seems weird to implement a check for undefined behavior as a lint instead of some sort of other error. A lint is an admission that "sure, you may want to actually do this sometimes, just not all the time", but I'm not sure that we have a set of behavior where you would indeed want this kind of a transmute.

[Manishearth]

I don't know, I'm wary of building in "no, you should never need this" into a language; there should always be a way to do stuff like this, just that there are more hoops to jump through.

[seanmonstar]

@alexcrichton I guess it's technically not undefined behavior to transmute if you already are using an UnsafeCell? Such as:

unsafe {
    let val = &*self.foo.get();
    let val_mut: &mut Foo = transmute(val);
}

Though, at that point, you should likely just do &mut *self.foo.get(). Again, if this should always be an error, not something that can be turned off, I can move it to intrinsicck, if that seems better.

[seanmonstar]

@alexcrichton I think that quote from nwin is regarding the repr + drop lint, not this one?

As for motivation, it actually came from seeing it appear in crates on crates.io, such as the issue I linked regarding pool, which did this transmute in several places. I likewise started with a transmute in hyper's OptCell, until I noticed that line in the UnsafeCell docs, and scrambled to fix it.

I genuinely think that more often than not, it's a mistake because people don't realize it is undefined behavior, and pointing it out and suggesting UnsafeCell is the right thing to do. Those who think they know better, can add an allow in special cases.

[seanmonstar]

Another instance: http://www.reddit.com/r/rust/comments/34u40n/abomonation_terrifying_serialization/cqynb6u

[nwin]

@seanmonstar yes it was not about this one, admittedly ambiguously formulated.

[llogiq]

tomaka:

But is there really a situation where someone would say: "oh, this lint detected a mistake I made, let me fix my code"?

Lints – and static code analysis in general – are regarded very positively in many language communities. E.g. many front-end devs won't allow code that doesn't pass jslint, and I (a seasoned Java dev with more than a decade of experience) have FindBugs check my code at all times. It's cheap and will sometimes catch oversights. Errors happen. Having an additional safety net cannot hurt. Rust is already very good in this regard.

So while I certainly agree that not all lints belong in rustc, I don't feel that we have too many. But I'm just a rust newbie, so feel free to ignore my opinion. 😄

[frankmcsherry]

I'm with @seanmonstar on this one. The issue that I had (linked above) was something that a) seems to work fine, b) I had every reason to believe would work (exclusive ownership was guaranteed elsewhere), and c) should never be allowed by anyone serious about things.

The suggestion to do the transmute was made by a seasoned (unnamed) Rust-y in IRC. Now that I've internalized some of the things on the UB link I know a bit better, but I could really use the help from lints written by smarter folks.

[alexcrichton]

@bors: r+ f224446

[bors]

⌛️ Testing commit f224446 with merge f872a82...

[bors]

💔 Test failed - auto-mac-64-opt

[seanmonstar]

@alexcrichton updated the failing run-pass tests

[alexcrichton]

Did you run this test? I think that the binding to b needs to be mut for this to work? (I'd recommend being sure to run the tests for these cases).

[seanmonstar]

I pushed before running (the run caught what you noticed), since I needed to rebuild and it'd take a while. It's all done, and I'm pushing the corrections that make these 2 tests pass.

[alexcrichton]

@bors: r+ 5b0d828

[bors]

⌛️ Testing commit 5b0d828 with merge e609b8a...

[bors]

💔 Test failed - auto-mac-64-opt

[seanmonstar]

Sigh, had improved the lint message from review comments, but forgot to adjust the expected error in the compile-fail. Then the subsequent check-stage1-rpass for the previous failure hadn't caught it either.

Now cfail passes as well.

[alexcrichton]

@bors: r+ 5624cfb

[bors]

⌛️ Testing commit 5624cfb with merge 8767e97...

[bors]

☀️ Test successful - auto-linux-32-nopt-t, auto-linux-32-opt, auto-linux-64-nopt-t, auto-linux-64-opt, auto-linux-64-x-android-t, auto-mac-32-opt, auto-mac-64-nopt-t, auto-mac-64-opt, auto-win-32-nopt-t, auto-win-32-opt, auto-win-64-nopt-t, auto-win-64-opt

[apoelstra]

Thanks a ton for merging this; to add to the support, after this lint appeared I found the bug in eventual carllerche/eventual#21 and in my own rust-bitcoin.