Strict provenance lints #95599
Strict provenance lints #95599
Conversation
rustbot
added
the
T-compiler
|
(rust-highfive has picked a reviewer for you, use r? to override) |
rust-highfive
added
the
S-waiting-on-review
This comment has been minimized.
This comment has been minimized.
niluxv
force-pushed
the
strict-provenance-lint
branch
from
1b0ed94
to
804c72d
Compare
This comment has been minimized.
This comment has been minimized.
niluxv
force-pushed
the
strict-provenance-lint
branch
from
804c72d
to
f46392e
Compare
|
Will address the comments later today. |
niluxv
force-pushed
the
strict-provenance-lint
branch
from
f46392e
to
f9764e3
Compare
|
I can do a follow up PR later to enable these lints in the std library crates and compiler crates. Main question right now is whether to use a separate feature gate or the |
|
credit where it's due: @eddyb actually wrote most of the code here, I mostly just wrote the docs. |
niluxv
force-pushed
the
strict-provenance-lint
branch
from
fbe942d
to
5f81934
Compare
|
Seems like things are moving in #95588 so I will adjust docs and suggestions hopefully tomorrow. |
|
Done. Also fixed suggestions for ptr2int non-usize casts. Now really ready for review I guess. I can rebase it into a nice history at the end. |
|
@rustbot label A-strict-provenance |
|
I'll try to take a look at this shortly. |
There was a problem hiding this comment.
Thanks for the PR, @niluxv! I left some comments below. But under the assumption that @Gankra has taken a look at this too, this seems basically good to merge, I'd say.
Main question right now is whether to use a separate feature gate or the strict_provenance feature gate for these lints.
I think it's fine to use the same feature gate -- but if there turns out to be a problem with that, we can split it out later.
niluxv
force-pushed
the
strict-provenance-lint
branch
from
28340e4
to
9fb4fd0
Compare
| err.span_suggestion( | ||
| self.span, | ||
| msg, | ||
| format!("({}).addr(){}", snippet, scalar_cast), |
There was a problem hiding this comment.
This suggestion can contain unnecessary parenthesis but I have no idea how to reliably check whether snippet requires enclosing parenthesis, and also don't know whether fixing that would be worth it.
There was a problem hiding this comment.
Because we have access to the hir::Node::Expr we can check its op_precedence. We do it in some diagnostics already. It's also usually better to use a multipart_suggestion instead of relying on getting the code's snippet when possible. We used not to do that because the output is more verbose, but it is so much easier to read that I think it is worth it.
There was a problem hiding this comment.
Thank you for the hints. Opened #96112.
| --> $DIR/lint-strict-provenance-lossy-casts.rs:9:22 | ||
| | | ||
| LL | let addr_32bit = &x as *const u8 as u32; | ||
| | ^^^^^^^^^^^^^^^^^^^^^^ help: use `.addr()` to obtain the address of a pointer: `(&x as *const u8).addr() as u32` |
There was a problem hiding this comment.
As seen in this example the suggestion lines tend to get really long. Feels suboptimal, but I don't know how to change the way the suggestion is shown.
|
I think this can be merged in the current state (with the commit history squashed/cleaned up). The remaining issues seem like minor diagnostics polish, which can be done in a follow up PR. |
…casts. ALL OF THEM
… test it * split `fuzzy_provenance_casts` into a ptr2int and a int2ptr lint * feature gate both lints * update documentation to be more realistic short term * add tests for these lints
niluxv
force-pushed
the
strict-provenance-lint
branch
from
9fb4fd0
to
98a4834
Compare
|
Rebased onto master and squashed all my commits together (so it is 2 commits now). |
|
📌 Commit 98a4834 has been approved by |
bors
added
S-waiting-on-bors
| err.help(msg); | ||
| } | ||
| err.help( | ||
| "if you can't comply with strict provenance and need to expose the pointer\ |
There was a problem hiding this comment.
| "if you can't comply with strict provenance and need to expose the pointer\ | |
| "if you can't comply with strict provenance and need to expose the pointer \ |
Currently it is printed without a space, I doubt that is intentional. (Test output also needs to be adjusted then.)
There was a problem hiding this comment.
Sorry, I'm too late to modify this PR. Should I open a new one?
…chaelwoerister Strict provenance lints See rust-lang#95488. This PR introduces two unstable (allow by default) lints to which lint on int2ptr and ptr2int casts, as the former is not possible in the strict provenance model and the latter can be written nicer using the `.addr()` API. Based on an initial version of the lint by `@Gankra` in rust-lang#95199.
…chaelwoerister Strict provenance lints See rust-lang#95488. This PR introduces two unstable (allow by default) lints to which lint on int2ptr and ptr2int casts, as the former is not possible in the strict provenance model and the latter can be written nicer using the `.addr()` API. Based on an initial version of the lint by ``@Gankra`` in rust-lang#95199.
Rollup of 8 pull requests Successful merges: - rust-lang#90066 (Add new ThinBox type for 1 stack pointer wide heap allocated trait objects) - rust-lang#95374 (assert_uninit_valid: ensure we detect at least arrays of uninhabited types) - rust-lang#95599 (Strict provenance lints) - rust-lang#95751 (Don't report numeric inference ambiguity when we have previous errors) - rust-lang#95764 ([macro_metavar_expr] Add tests to ensure the feature requirement) - rust-lang#95787 (reword panic vs result section to remove recoverable vs unrecoverable framing) - rust-lang#95797 (Remove explicit delimiter token trees from `Delimited`.) - rust-lang#95804 (rustdoc: Fix empty doc comment with backline ICE) Failed merges: r? `@ghost` `@rustbot` modify labels: rollup
…, r=Dylan-DPC Fix missing space in lossy provenance cast lint See rust-lang#95599 (comment)
…, r=Dylan-DPC Fix missing space in lossy provenance cast lint See rust-lang#95599 (comment)
…, r=Dylan-DPC Fix missing space in lossy provenance cast lint See rust-lang#95599 (comment)
|
thanks so much @niluxv!!! |
See #95488.
This PR introduces two unstable (allow by default) lints to which lint on int2ptr and ptr2int casts, as the former is not possible in the strict provenance model and the latter can be written nicer using the
.addr()API.Based on an initial version of the lint by @Gankra in #95199.