Merge and reframe strict_provenance_lints#157575
Conversation
rustbot
added
O-SGX
This comment has been minimized.
This comment has been minimized.
hanna-kruppe
force-pushed
the
merge-strict-provenance-lints
branch
from
d8b8b2f to
6e531ef
Compare
rustbot
added
the
S-waiting-on-review
rustbot
removed
the
S-waiting-on-author
|
r? @mu001999 rustbot has assigned @mu001999. Use Why was this reviewer chosen?The reviewer was selected based on:
|
|
Not sure what the right process for renaming unstable lints. Does it need a lang FCP or is that only for new stable lints? Also: cc @RalfJung |
|
Since this is unstable it doesn't need heavy process.
Actually an easier approach might be for me to become the champion for these lints, so I can approve changes to them. I'll ask about that on Zulip. |
This comment has been minimized.
This comment has been minimized.
|
This PR was rebased onto a different main commit. Here's a range-diff highlighting what actually changed. Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers. |
This comment has been minimized.
This comment has been minimized.
rustbot
added
has-merge-commits
There does not seem to be any good reason to have separate lints for ptr2int and int2ptr casts. The main reason to enable this lint is to help with replacing `as` casts with strict provenance APIs (if possible) or explicit provenance APIs (when needed). That applies equally to both directions. Merging the lints requires coming up with new name and lint explanation. This is a good chance to reconsider the purpose and messaging of the lints which have been essentially unchanged since the early days of the "strict provenance experiment". For reasons described below, I called the merged lint `implicit_provenance_casts`, rewrote its explanation from scratch, and made some changes to diagnostics. First, the lint is not (only) about strict provenance any more. While strict provenance is often the best fix, migrating `as` casts to exposed provenance APIs also silences the lint. The exposed provenance APIs aren't any better for Miri and CHERI, but at least provenance considerations are made *explicit*, not picked up as side effect of the `as` keyword. (Banning use of exposed provenance APIs can be done with clippy's existing `disallowed_methods` lint.) Second, provenance is now officially part of the language and prominently explained in the `std::ptr` documentation. The new lint refers to those docs and is more consistent with them. Third, while strict provenance is encouraged whenever possible, exposed provenance is also part of the language and here to stay. Indeed, if we eventually enable the lint by default and make it `cargo fix`-able to keep the ecosystem migration manageable, we may want to suggest exposed provenance APIs to err on the side of not introducing UB. Thus, I made the diagnostics more neutral and descriptive. I've kept the suggestions that introduce strict provenance APIs, but we may want to reconsider this later.
hanna-kruppe
force-pushed
the
merge-strict-provenance-lints
branch
from
0274a30 to
fda7bff
Compare
rustbot
removed
has-merge-commits
There was a problem hiding this comment.
Thanks for your patience! I'm finally back from my trip and can start catching up with my backlog.
Mostly minor comments, but I am kind of concerned about the suggestions these lints emit. That's pre-existing though -- it does not block this PR, but I am not sure we want to stabilize this as-is.
@rustbot author
| /// The `implicit_provenance_casts` lint detects integer-to-pointer and pointer-to-integer casts | ||
| /// that rely on [*Exposed Provenance*][exposed-provenance]. |
There was a problem hiding this comment.
This sounds like it only detects those int/ptr casts that rely on exposed provenance -- but really, they all do.
| /// The `implicit_provenance_casts` lint detects integer-to-pointer and pointer-to-integer casts | |
| /// that rely on [*Exposed Provenance*][exposed-provenance]. | |
| /// The `implicit_provenance_casts` lint detects integer-to-pointer and pointer-to-integer casts. |
| /// | ||
| /// However, there are situations where exposed provenance is required or following the strict | ||
| /// provenance model requires major refactorings. In those cases, it's still useful to replace | ||
| /// the `as` casts with explicit use of exposed provenance APIs and a comment explaining why |
There was a problem hiding this comment.
| /// the `as` casts with explicit use of exposed provenance APIs and a comment explaining why | |
| /// the `as` casts with equivalent explicit use of exposed provenance APIs and a comment explaining why |
| LL - let addr: usize = &x as *const u8 as usize; | ||
| LL + let addr: usize = (&x as *const u8).addr(); |
There was a problem hiding this comment.
This suggestion seems kind of dangerous -- it is almost always wrong to just apply this, because the cast back to a pointer somewhere else in the code also needs to be adjusted. Do we really want such a suggestions?
There was a problem hiding this comment.
This doesn't seem worth a test
rustbot
added
S-waiting-on-author
|
Reminder, once the PR becomes ready for a review, use |
5 participants
There does not seem to be any good reason to have separate lints for ptr2int and int2ptr casts. The main reason to enable this lint is to help with replacing
ascasts with strict provenance APIs (if possible) or explicit provenance APIs (when needed). That applies equally to both directions.Merging the lints requires coming up with new name and lint explanation. This is a good chance to reconsider the purpose and messaging of the lints which have been essentially unchanged since the early days of the "strict provenance experiment". For reasons described below, I called the merged lint
implicit_provenance_casts, rewrote its explanation from scratch, and made some changes to diagnostics.First, the lint is not (only) about strict provenance any more. While strict provenance is often the best fix, migrating
ascasts to exposed provenance APIs also silences the lint. The exposed provenance APIs aren't any better for Miri and CHERI, but at least provenance considerations are made explicit, not picked up as side effect of theaskeyword. (Banning use of exposed provenance APIs can be done with clippy's existingdisallowed_methodslint.)Second, provenance is now officially part of the language and prominently explained in the
std::ptrdocumentation. The new lint refers to those docs and is more consistent with them.Third, while strict provenance is encouraged whenever possible, exposed provenance is also part of the language and here to stay. Indeed, if we eventually enable the lint by default and make it
cargo fix-able to keep the ecosystem migration manageable, we may want to suggest exposed provenance APIs to err on the side of not introducing UB. Thus, I made the diagnostics more neutral and descriptive. I've kept the suggestions that introduce strict provenance APIs, but we may want to reconsider this later.Tracking issue: #130351