1 use crate::build::ExprCategory;
2 use rustc_middle::thir::visit::{self, Visitor};
4 use rustc_errors::struct_span_err;
6 use rustc_middle::mir::BorrowKind;
7 use rustc_middle::thir::*;
8 use rustc_middle::ty::{self, ParamEnv, Ty, TyCtxt};
9 use rustc_session::lint::builtin::{UNSAFE_OP_IN_UNSAFE_FN, UNUSED_UNSAFE};
10 use rustc_session::lint::Level;
11 use rustc_span::def_id::{DefId, LocalDefId};
12 use rustc_span::symbol::Symbol;
17 struct UnsafetyVisitor<'a, 'tcx> {
20 /// The `HirId` of the current scope, which would be the `HirId`
21 /// of the current HIR node, modulo adjustments. Used for lint levels.
22 hir_context: hir::HirId,
23 /// The current "safety context". This notably tracks whether we are in an
24 /// `unsafe` block, and whether it has been used.
25 safety_context: SafetyContext,
26 body_unsafety: BodyUnsafety,
27 /// The `#[target_feature]` attributes of the body. Used for checking
28 /// calls to functions with `#[target_feature]` (RFC 2396).
29 body_target_features: &'tcx Vec<Symbol>,
30 /// When inside the LHS of an assignment to a field, this is the type
31 /// of the LHS and the span of the assignment expression.
32 assignment_info: Option<(Ty<'tcx>, Span)>,
33 in_union_destructure: bool,
34 param_env: ParamEnv<'tcx>,
38 impl<'tcx> UnsafetyVisitor<'_, 'tcx> {
39 fn in_safety_context(&mut self, safety_context: SafetyContext, f: impl FnOnce(&mut Self)) {
41 SafetyContext::UnsafeBlock { span: enclosing_span, .. },
42 SafetyContext::UnsafeBlock { span: block_span, hir_id, .. },
43 ) = (self.safety_context, safety_context)
45 self.warn_unused_unsafe(
48 Some((self.tcx.sess.source_map().guess_head_span(enclosing_span), "block")),
52 let prev_context = self.safety_context;
53 self.safety_context = safety_context;
57 if let SafetyContext::UnsafeBlock { used: false, span, hir_id } = self.safety_context {
58 self.warn_unused_unsafe(
61 if self.unsafe_op_in_unsafe_fn_allowed() {
62 self.body_unsafety.unsafe_fn_sig_span().map(|span| (span, "fn"))
68 self.safety_context = prev_context;
72 fn requires_unsafe(&mut self, span: Span, kind: UnsafeOpKind) {
73 let (description, note) = kind.description_and_note();
74 let unsafe_op_in_unsafe_fn_allowed = self.unsafe_op_in_unsafe_fn_allowed();
75 match self.safety_context {
76 SafetyContext::BuiltinUnsafeBlock => {}
77 SafetyContext::UnsafeBlock { ref mut used, .. } => {
78 if !self.body_unsafety.is_unsafe() || !unsafe_op_in_unsafe_fn_allowed {
79 // Mark this block as useful
83 SafetyContext::UnsafeFn if unsafe_op_in_unsafe_fn_allowed => {}
84 SafetyContext::UnsafeFn => {
85 // unsafe_op_in_unsafe_fn is disallowed
86 self.tcx.struct_span_lint_hir(
87 UNSAFE_OP_IN_UNSAFE_FN,
92 "{} is unsafe and requires unsafe block (error E0133)",
95 .span_label(span, description)
101 SafetyContext::Safe => {
102 let fn_sugg = if unsafe_op_in_unsafe_fn_allowed { " function or" } else { "" };
107 "{} is unsafe and requires unsafe{} block",
111 .span_label(span, description)
118 fn warn_unused_unsafe(
122 enclosing_unsafe: Option<(Span, &'static str)>,
124 let block_span = self.tcx.sess.source_map().guess_head_span(block_span);
125 self.tcx.struct_span_lint_hir(UNUSED_UNSAFE, hir_id, block_span, |lint| {
126 let msg = "unnecessary `unsafe` block";
127 let mut db = lint.build(msg);
128 db.span_label(block_span, msg);
129 if let Some((span, kind)) = enclosing_unsafe {
130 db.span_label(span, format!("because it's nested under this `unsafe` {}", kind));
136 /// Whether the `unsafe_op_in_unsafe_fn` lint is `allow`ed at the current HIR node.
137 fn unsafe_op_in_unsafe_fn_allowed(&self) -> bool {
138 self.tcx.lint_level_at_node(UNSAFE_OP_IN_UNSAFE_FN, self.hir_context).0 == Level::Allow
142 // Searches for accesses to layout constrained fields.
143 struct LayoutConstrainedPlaceVisitor<'a, 'tcx> {
145 thir: &'a Thir<'tcx>,
149 impl<'a, 'tcx> LayoutConstrainedPlaceVisitor<'a, 'tcx> {
150 fn new(thir: &'a Thir<'tcx>, tcx: TyCtxt<'tcx>) -> Self {
151 Self { found: false, thir, tcx }
155 impl<'a, 'tcx> Visitor<'a, 'tcx> for LayoutConstrainedPlaceVisitor<'a, 'tcx> {
156 fn thir(&self) -> &'a Thir<'tcx> {
160 fn visit_expr(&mut self, expr: &Expr<'tcx>) {
162 ExprKind::Field { lhs, .. } => {
163 if let ty::Adt(adt_def, _) = self.thir[lhs].ty.kind() {
164 if (Bound::Unbounded, Bound::Unbounded)
165 != self.tcx.layout_scalar_valid_range(adt_def.did)
170 visit::walk_expr(self, expr);
173 // Keep walking through the expression as long as we stay in the same
174 // place, i.e. the expression is a place expression and not a dereference
175 // (since dereferencing something leads us to a different place).
176 ExprKind::Deref { .. } => {}
177 ref kind if ExprCategory::of(kind).map_or(true, |cat| cat == ExprCategory::Place) => {
178 visit::walk_expr(self, expr);
186 impl<'a, 'tcx> Visitor<'a, 'tcx> for UnsafetyVisitor<'a, 'tcx> {
187 fn thir(&self) -> &'a Thir<'tcx> {
191 fn visit_block(&mut self, block: &Block) {
192 match block.safety_mode {
193 // compiler-generated unsafe code should not count towards the usefulness of
194 // an outer unsafe block
195 BlockSafety::BuiltinUnsafe => {
196 self.in_safety_context(SafetyContext::BuiltinUnsafeBlock, |this| {
197 visit::walk_block(this, block)
200 BlockSafety::ExplicitUnsafe(hir_id) => {
201 self.in_safety_context(
202 SafetyContext::UnsafeBlock { span: block.span, hir_id, used: false },
203 |this| visit::walk_block(this, block),
206 BlockSafety::Safe => {
207 visit::walk_block(self, block);
212 fn visit_pat(&mut self, pat: &Pat<'tcx>) {
213 if self.in_union_destructure {
215 // binding to a variable allows getting stuff out of variable
216 PatKind::Binding { .. }
217 // match is conditional on having this value
218 | PatKind::Constant { .. }
219 | PatKind::Variant { .. }
220 | PatKind::Leaf { .. }
221 | PatKind::Deref { .. }
222 | PatKind::Range { .. }
223 | PatKind::Slice { .. }
224 | PatKind::Array { .. } => {
225 self.requires_unsafe(pat.span, AccessToUnionField);
226 return; // we can return here since this already requires unsafe
228 // wildcard doesn't take anything
230 // these just wrap other patterns
232 PatKind::AscribeUserType { .. } => {}
237 PatKind::Leaf { .. } => {
238 if let ty::Adt(adt_def, ..) = pat.ty.kind() {
239 if adt_def.is_union() {
240 let old_in_union_destructure =
241 std::mem::replace(&mut self.in_union_destructure, true);
242 visit::walk_pat(self, pat);
243 self.in_union_destructure = old_in_union_destructure;
244 } else if (Bound::Unbounded, Bound::Unbounded)
245 != self.tcx.layout_scalar_valid_range(adt_def.did)
247 let old_inside_adt = std::mem::replace(&mut self.inside_adt, true);
248 visit::walk_pat(self, pat);
249 self.inside_adt = old_inside_adt;
251 visit::walk_pat(self, pat);
254 visit::walk_pat(self, pat);
257 PatKind::Binding { mode: BindingMode::ByRef(borrow_kind), ty, .. } => {
259 if let ty::Ref(_, ty, _) = ty.kind() {
261 BorrowKind::Shallow | BorrowKind::Shared | BorrowKind::Unique => {
262 if !ty.is_freeze(self.tcx.at(pat.span), self.param_env) {
263 self.requires_unsafe(pat.span, BorrowOfLayoutConstrainedField);
266 BorrowKind::Mut { .. } => {
267 self.requires_unsafe(pat.span, MutationOfLayoutConstrainedField);
273 "BindingMode::ByRef in pattern, but found non-reference type {}",
278 visit::walk_pat(self, pat);
280 PatKind::Deref { .. } => {
281 let old_inside_adt = std::mem::replace(&mut self.inside_adt, false);
282 visit::walk_pat(self, pat);
283 self.inside_adt = old_inside_adt;
286 visit::walk_pat(self, pat);
291 fn visit_expr(&mut self, expr: &Expr<'tcx>) {
292 // could we be in the LHS of an assignment to a field?
294 ExprKind::Field { .. }
295 | ExprKind::VarRef { .. }
296 | ExprKind::UpvarRef { .. }
297 | ExprKind::Scope { .. }
298 | ExprKind::Cast { .. } => {}
300 ExprKind::AddressOf { .. }
301 | ExprKind::Adt { .. }
302 | ExprKind::Array { .. }
303 | ExprKind::Binary { .. }
304 | ExprKind::Block { .. }
305 | ExprKind::Borrow { .. }
306 | ExprKind::Literal { .. }
307 | ExprKind::ConstBlock { .. }
308 | ExprKind::Deref { .. }
309 | ExprKind::Index { .. }
310 | ExprKind::NeverToAny { .. }
311 | ExprKind::PlaceTypeAscription { .. }
312 | ExprKind::ValueTypeAscription { .. }
313 | ExprKind::Pointer { .. }
314 | ExprKind::Repeat { .. }
315 | ExprKind::StaticRef { .. }
316 | ExprKind::ThreadLocalRef { .. }
317 | ExprKind::Tuple { .. }
318 | ExprKind::Unary { .. }
319 | ExprKind::Call { .. }
320 | ExprKind::Assign { .. }
321 | ExprKind::AssignOp { .. }
322 | ExprKind::Break { .. }
323 | ExprKind::Closure { .. }
324 | ExprKind::Continue { .. }
325 | ExprKind::Return { .. }
326 | ExprKind::Yield { .. }
327 | ExprKind::Loop { .. }
328 | ExprKind::Let { .. }
329 | ExprKind::Match { .. }
330 | ExprKind::Box { .. }
331 | ExprKind::If { .. }
332 | ExprKind::InlineAsm { .. }
333 | ExprKind::LlvmInlineAsm { .. }
334 | ExprKind::LogicalOp { .. }
335 | ExprKind::Use { .. } => {
336 // We don't need to save the old value and restore it
337 // because all the place expressions can't have more
339 self.assignment_info = None;
343 ExprKind::Scope { value, lint_level: LintLevel::Explicit(hir_id), region_scope: _ } => {
344 let prev_id = self.hir_context;
345 self.hir_context = hir_id;
346 self.visit_expr(&self.thir[value]);
347 self.hir_context = prev_id;
348 return; // don't visit the whole expression
350 ExprKind::Call { fun, ty: _, args: _, from_hir_call: _, fn_span: _ } => {
351 if self.thir[fun].ty.fn_sig(self.tcx).unsafety() == hir::Unsafety::Unsafe {
352 self.requires_unsafe(expr.span, CallToUnsafeFunction);
353 } else if let &ty::FnDef(func_did, _) = self.thir[fun].ty.kind() {
354 // If the called function has target features the calling function hasn't,
355 // the call requires `unsafe`. Don't check this on wasm
356 // targets, though. For more information on wasm see the
357 // is_like_wasm check in typeck/src/collect.rs
358 if !self.tcx.sess.target.options.is_like_wasm
361 .codegen_fn_attrs(func_did)
364 .all(|feature| self.body_target_features.contains(feature))
366 self.requires_unsafe(expr.span, CallToFunctionWith);
370 ExprKind::Deref { arg } => {
371 if let ExprKind::StaticRef { def_id, .. } = self.thir[arg].kind {
372 if self.tcx.is_mutable_static(def_id) {
373 self.requires_unsafe(expr.span, UseOfMutableStatic);
374 } else if self.tcx.is_foreign_item(def_id) {
375 self.requires_unsafe(expr.span, UseOfExternStatic);
377 } else if self.thir[arg].ty.is_unsafe_ptr() {
378 self.requires_unsafe(expr.span, DerefOfRawPointer);
381 ExprKind::InlineAsm { .. } | ExprKind::LlvmInlineAsm { .. } => {
382 self.requires_unsafe(expr.span, UseOfInlineAssembly);
384 ExprKind::Adt(box Adt {
391 }) => match self.tcx.layout_scalar_valid_range(adt_def.did) {
392 (Bound::Unbounded, Bound::Unbounded) => {}
393 _ => self.requires_unsafe(expr.span, InitializingTypeWith),
402 let closure_id = closure_id.expect_local();
403 let closure_def = if let Some((did, const_param_id)) =
404 ty::WithOptConstParam::try_lookup(closure_id, self.tcx)
406 ty::WithOptConstParam { did, const_param_did: Some(const_param_id) }
408 ty::WithOptConstParam::unknown(closure_id)
410 let (closure_thir, expr) = self.tcx.thir_body(closure_def);
411 let closure_thir = &closure_thir.borrow();
412 let hir_context = self.tcx.hir().local_def_id_to_hir_id(closure_id);
413 let mut closure_visitor =
414 UnsafetyVisitor { thir: closure_thir, hir_context, ..*self };
415 closure_visitor.visit_expr(&closure_thir[expr]);
416 // Unsafe blocks can be used in closures, make sure to take it into account
417 self.safety_context = closure_visitor.safety_context;
419 ExprKind::Field { lhs, .. } => {
420 let lhs = &self.thir[lhs];
421 if let ty::Adt(adt_def, _) = lhs.ty.kind() {
422 if adt_def.is_union() {
423 if let Some((assigned_ty, assignment_span)) = self.assignment_info {
424 // To avoid semver hazard, we only consider `Copy` and `ManuallyDrop` non-dropping.
427 .map_or(false, |adt| adt.is_manually_drop())
429 .is_copy_modulo_regions(self.tcx.at(expr.span), self.param_env))
431 self.requires_unsafe(assignment_span, AssignToDroppingUnionField);
433 // write to non-drop union field, safe
436 self.requires_unsafe(expr.span, AccessToUnionField);
441 ExprKind::Assign { lhs, rhs } | ExprKind::AssignOp { lhs, rhs, .. } => {
442 let lhs = &self.thir[lhs];
443 // First, check whether we are mutating a layout constrained field
444 let mut visitor = LayoutConstrainedPlaceVisitor::new(self.thir, self.tcx);
445 visit::walk_expr(&mut visitor, lhs);
447 self.requires_unsafe(expr.span, MutationOfLayoutConstrainedField);
450 // Second, check for accesses to union fields
451 // don't have any special handling for AssignOp since it causes a read *and* write to lhs
452 if matches!(expr.kind, ExprKind::Assign { .. }) {
453 self.assignment_info = Some((lhs.ty, expr.span));
454 visit::walk_expr(self, lhs);
455 self.assignment_info = None;
456 visit::walk_expr(self, &self.thir()[rhs]);
457 return; // we have already visited everything by now
460 ExprKind::Borrow { borrow_kind, arg } => {
461 let mut visitor = LayoutConstrainedPlaceVisitor::new(self.thir, self.tcx);
462 visit::walk_expr(&mut visitor, expr);
465 BorrowKind::Shallow | BorrowKind::Shared | BorrowKind::Unique
468 .is_freeze(self.tcx.at(self.thir[arg].span), self.param_env) =>
470 self.requires_unsafe(expr.span, BorrowOfLayoutConstrainedField)
472 BorrowKind::Mut { .. } => {
473 self.requires_unsafe(expr.span, MutationOfLayoutConstrainedField)
475 BorrowKind::Shallow | BorrowKind::Shared | BorrowKind::Unique => {}
479 ExprKind::Let { expr: expr_id, .. } => {
480 let let_expr = &self.thir[expr_id];
481 if let ty::Adt(adt_def, _) = let_expr.ty.kind() {
482 if adt_def.is_union() {
483 self.requires_unsafe(expr.span, AccessToUnionField);
489 visit::walk_expr(self, expr);
493 #[derive(Clone, Copy)]
498 UnsafeBlock { span: Span, hir_id: hir::HirId, used: bool },
501 #[derive(Clone, Copy)]
503 /// The body is not unsafe.
505 /// The body is an unsafe function. The span points to
506 /// the signature of the function.
511 /// Returns whether the body is unsafe.
512 fn is_unsafe(&self) -> bool {
513 matches!(self, BodyUnsafety::Unsafe(_))
516 /// If the body is unsafe, returns the `Span` of its signature.
517 fn unsafe_fn_sig_span(self) -> Option<Span> {
519 BodyUnsafety::Unsafe(span) => Some(span),
520 BodyUnsafety::Safe => None,
525 #[derive(Clone, Copy, PartialEq)]
527 CallToUnsafeFunction,
529 InitializingTypeWith,
533 AssignToDroppingUnionField,
535 MutationOfLayoutConstrainedField,
536 BorrowOfLayoutConstrainedField,
543 pub fn description_and_note(&self) -> (&'static str, &'static str) {
545 CallToUnsafeFunction => (
546 "call to unsafe function",
547 "consult the function's documentation for information on how to avoid undefined \
550 UseOfInlineAssembly => (
551 "use of inline assembly",
552 "inline assembly is entirely unchecked and can cause undefined behavior",
554 InitializingTypeWith => (
555 "initializing type with `rustc_layout_scalar_valid_range` attr",
556 "initializing a layout restricted type's field with a value outside the valid \
557 range is undefined behavior",
559 UseOfMutableStatic => (
560 "use of mutable static",
561 "mutable statics can be mutated by multiple threads: aliasing violations or data \
562 races will cause undefined behavior",
564 UseOfExternStatic => (
565 "use of extern static",
566 "extern statics are not controlled by the Rust type system: invalid data, \
567 aliasing violations or data races will cause undefined behavior",
569 DerefOfRawPointer => (
570 "dereference of raw pointer",
571 "raw pointers may be null, dangling or unaligned; they can violate aliasing rules \
572 and cause data races: all of these are undefined behavior",
574 AssignToDroppingUnionField => (
575 "assignment to union field that might need dropping",
576 "the previous content of the field will be dropped, which causes undefined \
577 behavior if the field was not properly initialized",
579 AccessToUnionField => (
580 "access to union field",
581 "the field may not be properly initialized: using uninitialized data will cause \
584 MutationOfLayoutConstrainedField => (
585 "mutation of layout constrained field",
586 "mutating layout constrained fields cannot statically be checked for valid values",
588 BorrowOfLayoutConstrainedField => (
589 "borrow of layout constrained field with interior mutability",
590 "references to fields of layout constrained fields lose the constraints. Coupled \
591 with interior mutability, the field can be changed to invalid values",
593 CallToFunctionWith => (
594 "call to function with `#[target_feature]`",
595 "can only be called if the required target features are available",
601 pub fn check_unsafety<'tcx>(tcx: TyCtxt<'tcx>, def: ty::WithOptConstParam<LocalDefId>) {
602 // THIR unsafeck is gated under `-Z thir-unsafeck`
603 if !tcx.sess.opts.debugging_opts.thir_unsafeck {
607 // Closures are handled by their owner, if it has a body
608 if tcx.is_closure(def.did.to_def_id()) {
610 let owner = hir.enclosing_body_owner(hir.local_def_id_to_hir_id(def.did));
611 tcx.ensure().thir_check_unsafety(hir.local_def_id(owner));
615 let (thir, expr) = tcx.thir_body(def);
616 let thir = &thir.borrow();
617 // If `thir` is empty, a type error occured, skip this body.
618 if thir.exprs.is_empty() {
622 let hir_id = tcx.hir().local_def_id_to_hir_id(def.did);
623 let body_unsafety = tcx.hir().fn_sig_by_hir_id(hir_id).map_or(BodyUnsafety::Safe, |fn_sig| {
624 if fn_sig.header.unsafety == hir::Unsafety::Unsafe {
625 BodyUnsafety::Unsafe(fn_sig.span)
630 let body_target_features = &tcx.codegen_fn_attrs(def.did).target_features;
632 if body_unsafety.is_unsafe() { SafetyContext::UnsafeFn } else { SafetyContext::Safe };
633 let mut visitor = UnsafetyVisitor {
639 body_target_features,
640 assignment_info: None,
641 in_union_destructure: false,
642 param_env: tcx.param_env(def.did),
645 visitor.visit_expr(&thir[expr]);
648 crate fn thir_check_unsafety<'tcx>(tcx: TyCtxt<'tcx>, def_id: LocalDefId) {
649 if let Some(def) = ty::WithOptConstParam::try_lookup(def_id, tcx) {
650 tcx.thir_check_unsafety_for_const_arg(def)
652 check_unsafety(tcx, ty::WithOptConstParam::unknown(def_id))
656 crate fn thir_check_unsafety_for_const_arg<'tcx>(
658 (did, param_did): (LocalDefId, DefId),
660 check_unsafety(tcx, ty::WithOptConstParam { did, const_param_did: Some(param_did) })
projects / rust.git / blob