Auto merge of #157575 - hanna-kruppe:merge-strict-provenance-lints, r=RalfJung

Merge and reframe strict_provenance_lints

There does not seem to be any good reason to have separate lints for ptr2int and int2ptr casts. The main reason to enable this lint is to help with replacing `as` casts with strict provenance APIs (if possible) or explicit provenance APIs (when needed). That applies equally to both directions.

Merging the lints requires coming up with new name and lint explanation. This is a good chance to reconsider the purpose and messaging of the lints which have been essentially unchanged since the early days of the "strict provenance experiment". For reasons described below, I called the merged lint `implicit_provenance_casts`, rewrote its explanation from scratch, and made some changes to diagnostics.

First, the lint is not (only) about strict provenance any more. While strict provenance is often the best fix, migrating `as` casts to exposed provenance APIs also silences the lint. The exposed provenance APIs aren't any better for Miri and CHERI, but at least provenance considerations are made *explicit*, not picked up as side effect of the `as` keyword. (Banning use of exposed provenance APIs can be done with clippy's existing `disallowed_methods` lint.)

Second, provenance is now officially part of the language and prominently explained in the `std::ptr` documentation. The new lint refers to those docs and is more consistent with them.

Third, while strict provenance is encouraged whenever possible, exposed provenance is also part of the language and here to stay. Indeed, if we eventually enable the lint by default and make it `cargo fix`-able to keep the ecosystem migration manageable, we may want to suggest exposed provenance APIs to err on the side of not introducing UB. Thus, I made the diagnostics more neutral and descriptive. I've kept the suggestions that introduce strict provenance APIs, but we may want to reconsider this later.



Tracking issue: #130351

Author: bors

compiler/rustc_lint/src/fuzzy_provenance_casts.rs

@@ -0,0 +1,122 @@
+use rustc_ast::util::parser::ExprPrecedence;
+use rustc_hir as hir;
+use rustc_middle::ty::Ty;
+use rustc_session::{declare_lint, declare_lint_pass};
+
+use crate::lints::{
+    ImplicitProvenanceCastsInt2Ptr, ImplicitProvenanceCastsPtr2Int, Int2PtrSuggestion,
+    Ptr2IntSuggestion,
+};
+use crate::{LateContext, LateLintPass};
+
+declare_lint! {
+    /// The `implicit_provenance_casts` lint detects integer-to-pointer and pointer-to-integer
+    /// casts.
+    ///
+    /// ### Example
+    ///
+    /// ```rust
+    /// #![feature(strict_provenance_lints)]
+    /// #![warn(implicit_provenance_casts)]
+    ///
+    /// fn main() {
+    ///     let x: u8 = 37;
+    ///     let addr: usize = &x as *const u8 as usize;
+    ///     let _ptr = addr as *const u8;
+    /// }
+    /// ```
+    ///
+    /// {{produces}}
+    ///
+    /// ### Explanation
+    ///
+    /// This lint exists to help migrate code to [*Strict Provenance* APIs][strict-provenance] where
+    /// possible, and make remaining uses of [*Exposed Provenance*][exposed-provenance] explicit.
+    /// For more information on pointer provenance, see the [`std::ptr` documentation][provenance].
+    ///
+    /// Earlier versions of Rust did not have a clear answer how integer-to-pointer and
+    /// pointer-to-integer casts interact with provenance. Such casts are now defined to use the
+    /// exposed provenance model, but in many cases the code can be updated to strict provenance
+    /// APIs, which is preferable as it enables more precise reasoning about unsafe code, both by
+    /// humans and by tools like [Miri].
+    ///
+    /// However, there are situations where exposed provenance is required or following the strict
+    /// provenance model requires major refactorings. In those cases, it's still useful to replace
+    /// the `as` casts with equivalent explicit use of exposed provenance APIs and a comment
+    /// explaining why they are needed.
+    ///
+    /// [provenance]: https://doc.rust-lang.org/core/ptr/index.html#provenance
+    /// [strict-provenance]: https://doc.rust-lang.org/core/ptr/index.html#strict-provenance
+    /// [exposed-provenance]: https://doc.rust-lang.org/core/ptr/index.html#exposed-provenance
+    /// [Miri]: https://github.com/rust-lang/miri
+    pub IMPLICIT_PROVENANCE_CASTS,
+    Allow,
+    "an `as` cast relying on exposed provenance is used",
+    @feature_gate = strict_provenance_lints;
+}
+
+declare_lint_pass!(
+    /// Lint for int2ptr and ptr2int `as` casts.
+    ImplicitProvenanceCasts => [IMPLICIT_PROVENANCE_CASTS]
+);
+
+impl<'tcx> LateLintPass<'tcx> for ImplicitProvenanceCasts {
+    fn check_expr(&mut self, cx: &LateContext<'tcx>, expr: &'tcx hir::Expr<'tcx>) {
+        let hir::ExprKind::Cast(cast_from_expr, cast_to_hir) = expr.kind else { return };
+
+        let typeck_results = cx.typeck_results();
+        let cast_from_ty = typeck_results.expr_ty(cast_from_expr);
+        if cast_from_ty.is_raw_ptr() {
+            let cast_to_ty = typeck_results.expr_ty(expr);
+            if cast_to_ty.is_integral() {
+                lint_ptr2int(cx, expr, cast_from_expr, cast_from_ty, cast_to_hir, cast_to_ty)
+            }
+        } else if cast_from_ty.is_integral() {
+            let cast_to_ty = typeck_results.expr_ty(expr);
+            if cast_to_ty.is_raw_ptr() {
+                lint_int2ptr(cx, expr, cast_from_expr, cast_from_ty, cast_to_hir, cast_to_ty)
+            }
+        }
+    }
+}
+
+fn lint_ptr2int<'tcx>(
+    cx: &LateContext<'tcx>,
+    expr: &'tcx hir::Expr<'tcx>,
+    cast_from_expr: &'tcx hir::Expr<'tcx>,
+    cast_from_ty: Ty<'tcx>,
+    cast_to_hir: &'tcx hir::Ty<'tcx>,
+    cast_to_ty: Ty<'tcx>,
+) {
+    let sugg = expr.span.can_be_used_for_suggestions().then(|| {
+        let needs_parens = cx.precedence(cast_from_expr) < ExprPrecedence::Unambiguous;
+        let needs_cast = !cast_to_ty.is_usize();
+        let cast_span = cast_from_expr.span.shrink_to_hi().to(cast_to_hir.span);
+        let expr_span = cast_from_expr.span.shrink_to_lo();
+        match (needs_parens, needs_cast) {
+            (true, true) => Ptr2IntSuggestion::NeedsParensCast { expr_span, cast_span, cast_to_ty },
+            (true, false) => Ptr2IntSuggestion::NeedsParens { expr_span, cast_span },
+            (false, true) => Ptr2IntSuggestion::NeedsCast { cast_span, cast_to_ty },
+            (false, false) => Ptr2IntSuggestion::Other { cast_span },
+        }
+    });
+
+    let lint = ImplicitProvenanceCastsPtr2Int { cast_from_ty, cast_to_ty, sugg };
+    cx.tcx.emit_node_span_lint(IMPLICIT_PROVENANCE_CASTS, expr.hir_id, expr.span, lint);
+}
+
+fn lint_int2ptr<'tcx>(
+    cx: &LateContext<'tcx>,
+    expr: &'tcx hir::Expr<'tcx>,
+    cast_from_expr: &'tcx hir::Expr<'tcx>,
+    cast_from_ty: Ty<'tcx>,
+    cast_to_hir: &'tcx hir::Ty<'tcx>,
+    cast_to_ty: Ty<'tcx>,
+) {
+    let sugg = expr.span.can_be_used_for_suggestions().then(|| Int2PtrSuggestion {
+        lo: cast_from_expr.span.shrink_to_lo(),
+        hi: cast_from_expr.span.shrink_to_hi().to(cast_to_hir.span),
+    });
+    let lint = ImplicitProvenanceCastsInt2Ptr { expr_ty: cast_from_ty, cast_ty: cast_to_ty, sugg };
+    cx.tcx.emit_node_span_lint(IMPLICIT_PROVENANCE_CASTS, expr.hir_id, expr.span, lint)
+}

compiler/rustc_lint/src/implicit_provenance_casts.rs

@@ -45,10 +45,10 @@ mod expect;
 mod for_loops_over_fallibles;
 mod foreign_modules;
 mod function_cast_as_integer;
-mod fuzzy_provenance_casts;
 mod gpukernel_abi;
 mod if_let_rescope;
 mod impl_trait_overcaptures;
+mod implicit_provenance_casts;
 mod interior_mutable_consts;
 mod internal;
 mod invalid_from_utf8;
@@ -57,7 +57,6 @@ mod let_underscore;
 mod levels;
 pub mod lifetime_syntax;
 mod lints;
-mod lossy_provenance_casts;
 mod macro_expr_fragment_specifier_2024_migration;
 mod map_unit_fn;
 mod multiple_supertrait_upcastable;
@@ -95,16 +94,15 @@ use drop_forget_useless::*;
 use enum_intrinsics_non_enums::EnumIntrinsicsNonEnums;
 use for_loops_over_fallibles::*;
 use function_cast_as_integer::*;
-use fuzzy_provenance_casts::FuzzyProvenanceCasts;
 use gpukernel_abi::*;
 use if_let_rescope::IfLetRescope;
 use impl_trait_overcaptures::ImplTraitOvercaptures;
+use implicit_provenance_casts::ImplicitProvenanceCasts;
 use interior_mutable_consts::*;
 use internal::*;
 use invalid_from_utf8::*;
 use let_underscore::*;
 use lifetime_syntax::*;
-use lossy_provenance_casts::LossyProvenanceCasts;
 use macro_expr_fragment_specifier_2024_migration::*;
 use map_unit_fn::*;
 use multiple_supertrait_upcastable::*;
@@ -270,8 +268,7 @@ late_lint_methods!(
             CheckTransmutes: CheckTransmutes,
             LifetimeSyntax: LifetimeSyntax,
             InternalEqTraitMethodImpls: InternalEqTraitMethodImpls,
-            FuzzyProvenanceCasts: FuzzyProvenanceCasts,
-            LossyProvenanceCasts: LossyProvenanceCasts,
+            ImplicitProvenanceCasts: ImplicitProvenanceCasts,
         ]
     ]
 );
@@ -410,6 +407,8 @@ fn register_builtins(store: &mut LintStore) {
     store.register_renamed("static_mut_ref", "static_mut_refs");
     store.register_renamed("temporary_cstring_as_ptr", "dangling_pointers_from_temporaries");
     store.register_renamed("elided_named_lifetimes", "mismatched_lifetime_syntaxes");
+    store.register_renamed("fuzzy_provenance_casts", "implicit_provenance_casts");
+    store.register_renamed("lossy_provenance_casts", "implicit_provenance_casts");
 
     // These were moved to tool lints, but rustc still sees them when compiling normally, before
     // tool lints are registered, so `check_tool_name_for_backwards_compat` doesn't work. Use

compiler/rustc_lint/src/lib.rs

@@ -2934,45 +2934,43 @@ impl Subdiagnostic for MismatchedLifetimeSyntaxesSuggestion {
 pub(crate) struct EqInternalMethodImplemented;
 
 #[derive(Diagnostic)]
-#[diag("strict provenance disallows casting integer `{$expr_ty}` to pointer `{$cast_ty}`")]
+#[diag("cast from `{$expr_ty}` to `{$cast_ty}` implicitly relies on exposed provenance")]
 #[help(
-    "if you can't comply with strict provenance and don't have a pointer with the correct provenance you can use `std::ptr::with_exposed_provenance()` instead"
+    "if conforming to strict provenance is not possible, use `std::ptr::with_exposed_provenance()`"
 )]
-pub(crate) struct LossyProvenanceInt2Ptr<'tcx> {
+#[note("for more information, visit <https://doc.rust-lang.org/std/ptr/index.html#provenance>")]
+pub(crate) struct ImplicitProvenanceCastsInt2Ptr<'tcx> {
     pub expr_ty: Ty<'tcx>,
     pub cast_ty: Ty<'tcx>,
     #[subdiagnostic]
-    pub sugg: Option<LossyProvenanceInt2PtrSuggestion>,
+    pub sugg: Option<Int2PtrSuggestion>,
 }
 
 #[derive(Subdiagnostic)]
 #[multipart_suggestion(
-    "use `.with_addr()` to adjust a valid pointer in the same allocation, to this address",
+    "use `.with_addr()` to adjust the address of a valid pointer in the same allocation",
     applicability = "has-placeholders"
 )]
-pub(crate) struct LossyProvenanceInt2PtrSuggestion {
+pub(crate) struct Int2PtrSuggestion {
     #[suggestion_part(code = "(...).with_addr(")]
     pub lo: Span,
     #[suggestion_part(code = ")")]
     pub hi: Span,
 }
 
 #[derive(Diagnostic)]
-#[diag(
-    "under strict provenance it is considered bad style to cast pointer `{$cast_from_ty}` to integer `{$cast_to_ty}`"
-)]
-#[help(
-    "if you can't comply with strict provenance and need to expose the pointer provenance you can use `.expose_provenance()` instead"
-)]
-pub(crate) struct LossyProvenancePtr2Int<'tcx> {
+#[diag("cast from `{$cast_from_ty}` to `{$cast_to_ty}` implicitly exposes pointer provenance")]
+#[help("if conforming to strict provenance is not possible, use `.expose_provenance()`")]
+#[note("for more information, visit <https://doc.rust-lang.org/std/ptr/index.html#provenance>")]
+pub(crate) struct ImplicitProvenanceCastsPtr2Int<'tcx> {
     pub cast_from_ty: Ty<'tcx>,
     pub cast_to_ty: Ty<'tcx>,
     #[subdiagnostic]
-    pub sugg: Option<LossyProvenancePtr2IntSuggestion<'tcx>>,
+    pub sugg: Option<Ptr2IntSuggestion<'tcx>>,
 }
 
 #[derive(Subdiagnostic)]
-pub(crate) enum LossyProvenancePtr2IntSuggestion<'tcx> {
+pub(crate) enum Ptr2IntSuggestion<'tcx> {
     #[multipart_suggestion(
         "use `.addr()` to obtain the address of a pointer",
         applicability = "maybe-incorrect"