Skip to content

Lint unannotated transmutes #1660

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
clarfonthey opened this issue Apr 5, 2017 · 10 comments
Closed

Lint unannotated transmutes #1660

clarfonthey opened this issue Apr 5, 2017 · 10 comments
Labels
A-lint Area: New lints E-medium Call for participation: Medium difficulty level problem and requires some initial experience. T-middle Type: Probably requires verifiying types

Comments

@clarfonthey
Copy link

I'm thinking of something where you have to either have:

  1. Both types fully annotated
  2. It be the only part of a function body, potentially including an unsafe block.
@oli-obk
Copy link
Contributor

oli-obk commented Apr 6, 2017

related: #715

@oli-obk oli-obk added E-medium Call for participation: Medium difficulty level problem and requires some initial experience. A-lint Area: New lints T-middle Type: Probably requires verifiying types labels Apr 6, 2017
@ndmitchell
Copy link

The first of these rules seems super useful, and I came to request.

The second doesn't seem so useful. Once you have annotated both types, the requirement to put it in its own function is reduced.

@clarfonthey
Copy link
Author

My reasoning for the second part is that you should have dedicated functions for these transmutes that are marked as either safe or unsafe depending on the situation, and use those instead of the transmutes directly.

@ndmitchell
Copy link

@clarfon I have that for some functions, but not others - sometimes exposing that function would make the invariants I'd like to encode harder. Not that your request is unreasonable, just that I'd want to turn on the first lint, and off the second, so they can be treated independently.

@clarfonthey
Copy link
Author

That's very fair, I'd agree with making them separate lints. Curiously, do you have any examples of cases where it makes sense to not have the second?

@ndmitchell
Copy link

I have a structure that reads:

struct Foo {
   bar: SomeReferenceContainingType
   baz: SomePointerWrapper<'bar>
}

Where the pointer wrapper baz points into bar, but that is behind a reference. This pattern might even be supported in Polonius: https://nikomatsakis.github.io/rust-belt-rust-2019/#95

For the moment I encode that with:

struct Foo {
   bar: SomeReferenceContainingType
   baz_wrong: SomePointerWrapper<'static>
}

impl Foo {
   fn baz<'x>(&'x self) -> SomePointerWrapper<'x> {
       transmute(&self.baz_wrong)
   }
}

The transumute both pulls out the field and converts it, which is a nice single atomic operation. Whereas casting any arbitrary SomePointerWrapper would be wrong. Also, missing the types on transmute makes you likely to type transmute(self) and get a segfault (which I did!).

@croker89
Copy link

Restablecer facebook

@xFrednet
Copy link
Member

Hey @croker89, was your comment added on purpose here? :) To me, it's not clear what you mean

@croker89
Copy link

I'm thinking of something where you have to either have:

  1. Both types fully annotated
  2. It be the only part of a function body, potentially including an unsafe block.

@lukaslueg
Copy link
Contributor

missing_transmute_annotations, added in 1.79, resolves this?!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-lint Area: New lints E-medium Call for participation: Medium difficulty level problem and requires some initial experience. T-middle Type: Probably requires verifiying types
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@oli-obk @ndmitchell @lukaslueg @clarfonthey @xFrednet @croker89