new lint ptr_to_temporary

Author: Centri3

CHANGELOG.md

@@ -5163,6 +5163,7 @@ Released 2018-09-13
 [`ptr_cast_constness`]: https://rust-lang.github.io/rust-clippy/master/index.html#ptr_cast_constness
 [`ptr_eq`]: https://rust-lang.github.io/rust-clippy/master/index.html#ptr_eq
 [`ptr_offset_with_cast`]: https://rust-lang.github.io/rust-clippy/master/index.html#ptr_offset_with_cast
+[`ptr_to_temporary`]: https://rust-lang.github.io/rust-clippy/master/index.html#ptr_to_temporary
 [`pub_enum_variant_names`]: https://rust-lang.github.io/rust-clippy/master/index.html#pub_enum_variant_names
 [`pub_use`]: https://rust-lang.github.io/rust-clippy/master/index.html#pub_use
 [`pub_with_shorthand`]: https://rust-lang.github.io/rust-clippy/master/index.html#pub_with_shorthand

clippy_lints/src/declared_lints.rs

@@ -544,6 +544,7 @@ pub(crate) static LINTS: &[&crate::LintInfo] = &[
     crate::ptr::MUT_FROM_REF_INFO,
     crate::ptr::PTR_ARG_INFO,
     crate::ptr_offset_with_cast::PTR_OFFSET_WITH_CAST_INFO,
+    crate::ptr_to_temporary::PTR_TO_TEMPORARY_INFO,
     crate::pub_use::PUB_USE_INFO,
     crate::question_mark::QUESTION_MARK_INFO,
     crate::question_mark_used::QUESTION_MARK_USED_INFO,

clippy_lints/src/lib.rs

@@ -262,6 +262,7 @@ mod permissions_set_readonly_false;
 mod precedence;
 mod ptr;
 mod ptr_offset_with_cast;
+mod ptr_to_temporary;
 mod pub_use;
 mod question_mark;
 mod question_mark_used;
@@ -1082,6 +1083,7 @@ pub fn register_plugins(store: &mut rustc_lint::LintStore, sess: &Session, conf:
     store.register_late_pass(|_| Box::new(manual_float_methods::ManualFloatMethods));
     store.register_late_pass(|_| Box::new(four_forward_slashes::FourForwardSlashes));
     store.register_late_pass(|_| Box::new(error_impl_error::ErrorImplError));
+    store.register_late_pass(move |_| Box::new(ptr_to_temporary::PtrToTemporary));
     // add lints here, do not remove this comment, it's used in `new_lint`
 }
 

clippy_lints/src/ptr_to_temporary.rs

@@ -0,0 +1,318 @@
+use clippy_utils::consts::is_promotable;
+use clippy_utils::diagnostics::{span_lint_and_note, span_lint_hir_and_then};
+use clippy_utils::is_from_proc_macro;
+use clippy_utils::mir::{location_to_node, StatementOrTerminator};
+use rustc_data_structures::fx::FxHashMap;
+use rustc_hir::def_id::LocalDefId;
+use rustc_hir::intravisit::FnKind;
+use rustc_hir::{Body, BorrowKind, Expr, ExprKind, FnDecl, ItemKind, OwnerNode};
+use rustc_lint::{LateContext, LateLintPass, LintContext};
+use rustc_middle::lint::in_external_macro;
+use rustc_middle::mir::visit::{MutatingUseContext, PlaceContext, Visitor};
+use rustc_middle::mir::{
+    self, BasicBlock, BasicBlockData, CallSource, Local, Location, Operand, Place, Rvalue, StatementKind,
+    TerminatorKind,
+};
+use rustc_middle::ty::{self, TypeVisitableExt};
+use rustc_session::{declare_lint_pass, declare_tool_lint};
+use rustc_span::{sym, Span};
+
+declare_clippy_lint! {
+    /// ### What it does
+    /// Checks for raw pointers pointing to temporary values that will **not** be promoted to a
+    /// constant through
+    /// [constant promotion](https://doc.rust-lang.org/stable/reference/destructors.html#constant-promotion).
+    ///
+    /// ### Why is this bad?
+    /// Usage of such a pointer will result in Undefined Behavior, as the pointer will stop
+    /// pointing to valid stack memory once the temporary is dropped.
+    ///
+    /// ### Example
+    /// ```rust,ignore
+    /// fn returning_temp() -> *const i32 {
+    ///     let x = 0;
+    ///     &x as *const i32
+    /// }
+    ///
+    /// let px = returning_temp();
+    /// unsafe { *px }; // ⚠️
+    /// let pv = vec![].as_ptr();
+    /// unsafe { *pv }; // ⚠️
+    /// ```
+    #[clippy::version = "1.72.0"]
+    pub PTR_TO_TEMPORARY,
+    // TODO: Let's make it warn-by-default for now, and change this to deny-by-default once we know
+    // there are no major FPs
+    suspicious,
+    "disallows obtaining raw pointers to temporary values"
+}
+declare_lint_pass!(PtrToTemporary => [PTR_TO_TEMPORARY]);
+
+impl<'tcx> LateLintPass<'tcx> for PtrToTemporary {
+    fn check_expr(&mut self, cx: &LateContext<'tcx>, expr: &'tcx Expr<'tcx>) {
+        if in_external_macro(cx.sess(), expr.span) {
+            return;
+        }
+
+        _ = check_for_returning_raw_ptr(cx, expr)
+    }
+
+    fn check_fn(
+        &mut self,
+        cx: &LateContext<'tcx>,
+        _: FnKind<'_>,
+        _: &FnDecl<'_>,
+        _: &Body<'_>,
+        _: Span,
+        def_id: LocalDefId,
+    ) {
+        let mir = cx.tcx.optimized_mir(def_id);
+
+        // Collect all local assignments in this body. This is faster than continuously passing over the
+        // body every time we want to get the assignments.
+        let mut assignments = LocalAssignmentsVisitor {
+            results: FxHashMap::default(),
+        };
+        assignments.visit_body(mir);
+
+        let mut v = DanglingPtrVisitor {
+            cx,
+            body: mir,
+            results: vec![],
+            local_assignments: assignments.results,
+        };
+        v.visit_body(mir);
+
+        for dangling_ptr_span in v.results {
+            // TODO: We need to lint on the call in question instead, so lint attributes work fine. I'm not sure
+            // how to though
+            span_lint_hir_and_then(
+                cx,
+                PTR_TO_TEMPORARY,
+                cx.tcx.local_def_id_to_hir_id(def_id),
+                dangling_ptr_span,
+                "calling `TODO` on a temporary value",
+                |diag| {
+                    diag.note(
+                        "usage of this pointer will cause Undefined Behavior as the temporary will be deallocated at \
+                         the end of the statement, yet the pointer will continue pointing to it, resulting in a \
+                         dangling pointer",
+                    );
+                },
+            );
+        }
+    }
+}
+
+/// Check for returning raw pointers to temporaries that are not promoted to a constant
+fn check_for_returning_raw_ptr<'tcx>(cx: &LateContext<'tcx>, expr: &'tcx Expr<'tcx>) -> bool {
+    // Get the final return statement if this is a return statement, or don't lint
+    let expr = if let ExprKind::Ret(Some(expr)) = expr.kind {
+        expr
+    } else if let OwnerNode::Item(parent) = cx.tcx.hir().owner(cx.tcx.hir().get_parent_item(expr.hir_id))
+        && let ItemKind::Fn(_, _, body) = parent.kind
+        && let block = cx.tcx.hir().body(body).value
+        && let ExprKind::Block(block, _) = block.kind
+        && let Some(final_block_expr) = block.expr
+        && final_block_expr.hir_id == expr.hir_id
+    {
+        expr
+    } else {
+        return false;
+    };
+
+    if let ExprKind::Cast(cast_expr, _) = expr.kind
+        && let ExprKind::AddrOf(BorrowKind::Ref, _, e) = cast_expr.kind
+        && !is_promotable(cx, e)
+        && !is_from_proc_macro(cx, expr)
+    {
+        span_lint_and_note(
+            cx,
+            PTR_TO_TEMPORARY,
+            expr.span,
+            "returning a raw pointer to a temporary value that cannot be promoted to a constant",
+            None,
+            "usage of this pointer by callers will cause Undefined Behavior as the temporary will be deallocated at \
+             the end of the statement, yet the pointer will continue pointing to it, resulting in a dangling pointer",
+        );
+
+        return true;
+    }
+
+    false
+}
+
+struct LocalAssignmentsVisitor {
+    results: FxHashMap<Local, Vec<Location>>,
+}
+
+impl Visitor<'_> for LocalAssignmentsVisitor {
+    fn visit_place(&mut self, place: &Place<'_>, ctxt: PlaceContext, loc: Location) {
+        if matches!(
+            ctxt,
+            PlaceContext::MutatingUse(
+                MutatingUseContext::Store | MutatingUseContext::Call | MutatingUseContext::Borrow
+            )
+        ) {
+            self.results.entry(place.local).or_insert(vec![]).push(loc);
+        }
+    }
+}
+
+struct DanglingPtrVisitor<'a, 'tcx> {
+    cx: &'a LateContext<'tcx>,
+    body: &'tcx mir::Body<'tcx>,
+    local_assignments: FxHashMap<Local, Vec<Location>>,
+    results: Vec<Span>,
+}
+
+impl<'tcx> Visitor<'tcx> for DanglingPtrVisitor<'_, 'tcx> {
+    fn visit_basic_block_data(&mut self, _: BasicBlock, data: &BasicBlockData<'tcx>) {
+        let Self {
+            cx,
+            body,
+            local_assignments,
+            results,
+        } = self;
+
+        if let Some(term) = &data.terminator
+            && let TerminatorKind::Call {
+                func,
+                args,
+                destination,
+                target: Some(target),
+                call_source: CallSource::Normal,
+                ..
+            } = &term.kind
+            && destination.ty(&body.local_decls, cx.tcx).ty.is_unsafe_ptr()
+            && let [recv] = args.as_slice()
+            && let Some(recv) = recv.place()
+            && let Some((def_id, _)) = func.const_fn_def()
+            && let [.., last] = &*cx.tcx.def_path(def_id).data
+            && let Some(ident) = last.data.get_opt_name()
+            && (ident == sym::as_ptr || ident == sym!(as_mut_ptr))
+        {
+            let mut actual_recv = recv;
+            let mut done = false;
+            let mut is_const = false;
+            // TODO: I really don't like this, at the very least we have to extract this.
+            while let Some(recv) = local_assignments.get(&actual_recv.local).and_then(|assignments| {
+                if let [loc] = assignments.as_slice() {
+                    match location_to_node(body, *loc) {
+                        StatementOrTerminator::Statement(stmt)
+                        if let StatementKind::Assign(box (_, rvalue)) = &stmt.kind => {
+                            match rvalue {
+                                Rvalue::Use(op) => {
+                                    if matches!(op, Operand::Constant(_)) {
+                                        is_const = true;
+                                    }
+                                    op.place()
+                                },
+                                Rvalue::Ref(_, _, place) => {
+                                    if !place.has_deref() {
+                                        done = true;
+                                    }
+                                    Some(*place)
+                                },
+                                Rvalue::Cast(_, op, _) => {
+                                    if matches!(op, Operand::Constant(_)) {
+                                        is_const = true;
+                                    }
+                                    op.place()
+                                },
+                                _ => None,
+                            }
+                        },
+                        StatementOrTerminator::Terminator(term) if let TerminatorKind::Call { args, .. } = &term.kind
+                            && let [arg] = args.as_slice() =>
+                        {
+                            arg.place()
+                        }
+                        _ => None,
+                    }
+                } else {
+                    None
+                }
+            }) {
+                if recv == actual_recv {
+                    break;
+                }
+
+                actual_recv = recv;
+
+                if done {
+                    break;
+                }
+            }
+
+            if is_const {
+                return;
+            }
+
+            if let Some([assign]) = local_assignments.get(&actual_recv.local).map(Vec::as_slice)
+                && let StatementOrTerminator::Terminator(term) = location_to_node(body, *assign)
+                && let TerminatorKind::Call {
+                    func,
+                    call_source: CallSource::Normal,
+                    ..
+                } = &term.kind
+                && let Some((def_id, _)) = func.const_fn_def()
+                && let ty = cx.tcx.fn_sig(def_id).subst_identity().skip_binder().output()
+                && ((!ty.has_late_bound_vars() && ty.is_ref())
+                    || matches!(ty.kind(), ty::Ref(region, _, _) if region.is_static()))
+            {
+                return;
+            }
+
+            check_for_dangling(
+                cx,
+                body,
+                *target,
+                &actual_recv,
+                destination,
+                term.source_info.span,
+                results,
+            );
+        }
+    }
+}
+
+fn check_for_dangling<'tcx>(
+    _cx: &LateContext<'tcx>,
+    body: &mir::Body<'tcx>,
+    bb: BasicBlock,
+    recv: &Place<'tcx>,
+    ptr: &Place<'_>,
+    span: Span,
+    results: &mut Vec<Span>,
+) {
+    let data = &body.basic_blocks[bb];
+    let mut recv_dead = false;
+
+    // If there's a `Drop`, we must include the statements in its target so we don't miss any
+    // potentially important `StorageDead`s.
+    let rest = vec![];
+    let rest = if let Some(term) = &data.terminator && let TerminatorKind::Drop { place, target, .. } = term.kind {
+        debug_assert_eq!(place, *recv, "dropped place is not receiver");
+
+        &body.basic_blocks[target].statements
+    } else {
+        &rest
+    };
+
+    for dead_local in data.statements.iter().chain(rest).filter_map(|stmt| {
+        if let StatementKind::StorageDead(local) = stmt.kind {
+            return Some(local);
+        }
+
+        None
+    }) {
+        match (dead_local == recv.local, dead_local == ptr.local) {
+            (true, false) => recv_dead = true,
+            (false, true) if recv_dead => {
+                results.push(span);
+            },
+            _ => continue,
+        }
+    }
+}

clippy_utils/src/consts.rs

@@ -1,7 +1,8 @@
 #![allow(clippy::float_cmp)]
 
 use crate::source::{get_source_text, walk_span_to_context};
-use crate::{clip, is_direct_expn_of, sext, unsext};
+use crate::visitors::for_each_expr;
+use crate::{clip, is_ctor_or_promotable_const_function, is_direct_expn_of, path_res, sext, unsext};
 use if_chain::if_chain;
 use rustc_ast::ast::{self, LitFloatType, LitKind};
 use rustc_data_structures::sync::Lrc;
@@ -17,6 +18,7 @@ use rustc_span::SyntaxContext;
 use std::cmp::Ordering::{self, Equal};
 use std::hash::{Hash, Hasher};
 use std::iter;
+use std::ops::ControlFlow;
 
 /// A `LitKind`-like enum to fold constant `Expr`s into.
 #[derive(Debug, Clone)]
@@ -736,3 +738,29 @@ fn field_of_struct<'tcx>(
         None
     }
 }
+
+/// Returns whether a certain `Expr` will be promoted to a constant.
+pub fn is_promotable<'tcx>(cx: &LateContext<'tcx>, start: &'tcx Expr<'tcx>) -> bool {
+    let ty = cx.typeck_results().expr_ty(start);
+    for_each_expr(start, |expr| {
+        match expr.kind {
+            ExprKind::Binary(_, _, _) => ControlFlow::Break(()),
+            ExprKind::Unary(UnOp::Deref, e) if !matches!(path_res(cx, e), Res::Def(DefKind::Const, _)) => {
+                ControlFlow::Break(())
+            },
+            ExprKind::Call(_, _) if !is_ctor_or_promotable_const_function(cx, expr) => ControlFlow::Break(()),
+            ExprKind::MethodCall(..) if let Some(def_id) = cx.typeck_results().type_dependent_def_id(expr.hir_id)
+                && !cx.tcx.is_promotable_const_fn(def_id) =>
+            {
+                ControlFlow::Break(())
+            },
+            ExprKind::Path(qpath) if let Res::Local(_) = cx.qpath_res(&qpath, expr.hir_id) => {
+                ControlFlow::Break(())
+            },
+            _ => ControlFlow::Continue(()),
+        }
+    })
+    .is_none()
+        && ty.is_freeze(cx.tcx, cx.param_env)
+        && !ty.needs_drop(cx.tcx, cx.param_env)
+}