Add lint against integer to pointer transmutes

[Urgau]

integer_to_ptr_transmutes

warn-by-default

The integer_to_ptr_transmutes lint detects integer to pointer transmutes where the resulting pointers are undefined behavior to dereference.

Example

fn foo(a: usize) -> *const u8 {
    unsafe {
        std::mem::transmute::<usize, *const u8>(a)
    }
}

warning: transmuting an integer to a pointer creates a pointer without provenance
   --> a.rs:1:9
    |
158 |         std::mem::transmute::<usize, *const u8>(a)
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |
    = note: this is dangerous because dereferencing the resulting pointer is undefined behavior
    = note: exposed provenance semantics can be used to create a pointer based on some previously exposed provenance
    = help: if you truly mean to create a pointer without provenance, use `std::ptr::without_provenance_mut`
    = help: for more information about transmute, see <https://doc.rust-lang.org/std/mem/fn.transmute.html#transmutation-between-pointers-and-integers>
    = help: for more information about exposed provenance, see <https://doc.rust-lang.org/std/ptr/index.html#exposed-provenance>
    = note: `#[warn(integer_to_ptr_transmutes)]` on by default
help: use `as` cast instead to use a previously exposed provenance
    |
158 -         std::mem::transmute::<usize, *const u8>(a)
158 +         std::ptr::with_exposed_provenance::<u8>(a)
    |

Explanation

Any attempt to use the resulting pointers are undefined behavior as the resulting pointers won't have any provenance.

Alternatively, std::ptr::with_exposed_provenance should be used, as they do not carry the provenance requirement or if the wanting to create pointers without provenance std::ptr::without_provenance_mut should be used.

See std::mem::transmute in the reference for more details.

---

People are getting tripped up on this, see #128409 and #141220. There are >90 cases like these on GitHub search.

Fixes rust-lang/rust-clippy#13140
Fixes #141220

@rustbot labels +I-lang-nominated +T-lang
cc @traviscross
r? compiler

[rustbot]

The Miri subtree was changed

cc @rust-lang/miri

[RalfJung]

for more information about exposed provenance

This is confusing since exposed provenance is not previously mentioned in the error message.

use std::ptr::without_provenance_mut to create a pointer without provenance

The error should probably make it clear that int-to-ptr transmute also create a pointer without provenance.

[Urgau]

I have adjusted the diagnostics to make it clear that int-to-ptr transmute also create a pointer without transmute and added a note about exposed provenance (since suggestions always go at the end).

[traviscross]

What's the other lint? I'm not immediately seeing another diagnostic in testing.

[traviscross]

(We have deref-nullptr, but that fires when dereferencing it.)

[Urgau]

For references, we lint on transmutes with the 0 literal with the invalid_value lint:

warning: the type `&i32` does not permit zero-initialization
 --> src/lib.rs:2:39
  |
2 |     let _val: &'static i32 = unsafe { std::mem::transmute(0usize) };
  |                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  |                                       |
  |                                       this code causes undefined behavior when executed
  |                                       help: use `MaybeUninit<T>` instead, and only call `assume_init` after initialization is done
  |
  = note: references must be non-null
  = note: `#[warn(invalid_value)]` on by default

For pointer we lint on some function with the invalid_null_arguments lint:

error: calling this function with a null pointer is undefined behavior, even if the result of the function is unused
  --> /home/archie/Projects/RustProjects/rust/tests/ui/lint/invalid_null_args.rs:27:23
   |
LL |     let _: &[usize] = std::slice::from_raw_parts(mem::transmute(0usize), 0);
   |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^------^^^^^
   |                                                                 |
   |                                                                 null pointer originates from here
   |
   = help: for more information, visit <https://doc.rust-lang.org/std/ptr/index.html> and <https://doc.rust-lang.org/reference/behavior-considered-undefined.html>

[Urgau]

We could not care about the invalid_null_arguments lint and lint on transmutes to raw pointer.

For references I think we should keep it under the invalid_value lint.

[RalfJung]

I feel like nobody will be surprised that transmuting 0 to a pointer will not give you something you can dereference...

[samueltardieu]

Even in the context of #141260? (I haven't checked carefully, it just rang a bell)

[RalfJung]

For out-of-AM volatile accesses, provenance does not matter.

[rustbot]

Some changes occurred in src/tools/clippy

cc @rust-lang/clippy

[traviscross]

Seems like a clear win. Thanks @Urgau. Let's...

@rfcbot fcp merge

[rfcbot]

Team member @traviscross has proposed to merge this. The next step is review by the rest of the tagged team members:

• @joshtriplett
• @nikomatsakis
• @scottmcm
• @tmandry
• @traviscross

No concerns currently listed.

Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

cc @rust-lang/lang-advisors: FCP proposed for lang, please feel free to register concerns.
See this document for info about what commands tagged team members can give me.