use clippy_utils::diagnostics::span_lint_and_help;
use clippy_utils::is_lint_allowed;
use clippy_utils::source::walk_span_to_context;
use rustc_data_structures::sync::Lrc;
use rustc_hir::{Block, BlockCheckMode, UnsafeSource};
use rustc_lexer::{tokenize, TokenKind};
use rustc_lint::{LateContext, LateLintPass, LintContext};
use rustc_middle::lint::in_external_macro;
use rustc_session::{declare_lint_pass, declare_tool_lint};
use rustc_span::{BytePos, Pos, SyntaxContext};
declare_clippy_lint! {
    /// ### What it does
    /// Checks for `unsafe` blocks without a `// SAFETY: ` comment
    /// explaining why the unsafe operations performed inside
    /// the block are safe.
    ///
    /// Note the comment must appear on the line(s) preceding the unsafe block
    /// with nothing appearing in between. The following is ok:
    /// ```ignore
    /// foo(
    ///     // SAFETY:
    ///     // This is a valid safety comment
    ///     unsafe { *x }
    /// )
    /// ```
    /// But neither of these are:
    /// ```ignore
    /// // SAFETY:
    /// // This is not a valid safety comment
    /// foo(
    ///     /* SAFETY: Neither is this */ unsafe { *x },
    /// );
    /// ```
    ///
    /// The `SAFETY:` marker is matched ASCII case-insensitively. It may appear on any
    /// line of an unbroken run of `//` line comments directly above the block, or inside
    /// a single `/* */` block comment that starts at the beginning of a line and is
    /// followed only by whitespace up to the block. Only the *presence* of the marker is
    /// checked; the lint cannot judge whether the stated justification is correct, so it
    /// is a review aid, not a soundness guarantee. Blocks for which the source text
    /// cannot be read (e.g. produced by a proc macro) are skipped rather than reported.
    ///
    /// ### Why is this bad?
    /// Undocumented unsafe blocks can make it difficult to
    /// read and maintain code, as well as uncover unsoundness
    /// and bugs.
    ///
    /// ### Example
    /// ```rust
    /// use std::ptr::NonNull;
    /// let a = &mut 42;
    ///
    /// let ptr = unsafe { NonNull::new_unchecked(a) };
    /// ```
    /// Use instead:
    /// ```rust
    /// use std::ptr::NonNull;
    /// let a = &mut 42;
    ///
    /// // SAFETY: references are guaranteed to be non-null.
    /// let ptr = unsafe { NonNull::new_unchecked(a) };
    /// ```
    #[clippy::version = "1.58.0"]
    pub UNDOCUMENTED_UNSAFE_BLOCKS,
    restriction,
    "creating an unsafe block without explaining why it is safe"
}
// Registers `UndocumentedUnsafeBlocks` as the pass that emits `UNDOCUMENTED_UNSAFE_BLOCKS`;
// the actual check lives in `check_block` below.
declare_lint_pass!(UndocumentedUnsafeBlocks => [UNDOCUMENTED_UNSAFE_BLOCKS]);
impl LateLintPass<'_> for UndocumentedUnsafeBlocks {
    /// Reports a user-written `unsafe { .. }` block that has no safety comment on the
    /// lines directly above it.
    ///
    /// A block is left alone when it was inserted by the compiler rather than the user,
    /// comes from an external macro, is `#[allow]`ed at this HIR node, appears to come
    /// from a proc macro, or already has a `SAFETY:` comment. The two source-text helpers
    /// answer "skip" whenever the text cannot be read, so the lint fails silent (no
    /// report) rather than erroring in that situation.
    fn check_block(&mut self, cx: &LateContext<'_>, block: &'_ Block<'_>) {
        if block.rules != BlockCheckMode::UnsafeBlock(UnsafeSource::UserProvided) {
            return;
        }
        if in_external_macro(cx.tcx.sess, block.span) {
            return;
        }
        if is_lint_allowed(cx, UNDOCUMENTED_UNSAFE_BLOCKS, block.hir_id) {
            return;
        }
        if is_unsafe_from_proc_macro(cx, block) {
            return;
        }
        if block_has_safety_comment(cx, block) {
            return;
        }

        // Only highlight the first line of a multi-line block so the diagnostic does not
        // swallow the whole body.
        let source_map = cx.tcx.sess.source_map();
        let lint_span = if source_map.is_multiline(block.span) {
            source_map.span_until_char(block.span, '\n')
        } else {
            block.span
        };

        span_lint_and_help(
            cx,
            UNDOCUMENTED_UNSAFE_BLOCKS,
            lint_span,
            "unsafe block missing a safety comment",
            None,
            "consider adding a safety comment on the preceding line",
        );
    }
}
/// Returns `true` when the block's span does not start with the literal text `unsafe`
/// in its source file, which is taken to mean a proc macro synthesised the block.
///
/// Also returns `true` when the file's source text is not loaded or the span's offset
/// lies outside it; callers treat `true` as "skip this block", so missing source text
/// suppresses the lint rather than triggering it.
fn is_unsafe_from_proc_macro(cx: &LateContext<'_>, block: &Block<'_>) -> bool {
    let file_pos = cx.sess().source_map().lookup_byte_offset(block.span.lo());

    let Some(src) = file_pos.sf.src.as_deref() else {
        // No source text to compare against: treat the block as macro-generated.
        return true;
    };

    // `pos` is relative to the start of this file, so it indexes `src` directly.
    match src.get(file_pos.pos.to_usize()..) {
        Some(rest) => !rest.starts_with("unsafe"),
        None => true,
    }
}
/// Checks if the lines immediately preceding the block contain a safety comment.
///
/// The text searched runs from the line holding the start of the enclosing function
/// body (or, for a block that comes from a `macro_rules!` expansion, the line holding
/// the macro definition) up to the line holding the `unsafe` block. Both ends must be in
/// the same source file.
///
/// Whenever the text cannot be obtained — no enclosing body, a lookup that fails, the
/// two positions in different files, or source not loaded — this returns `true`, i.e.
/// the caller pretends a comment was found and stays silent.
fn block_has_safety_comment(cx: &LateContext<'_>, block: &Block<'_>) -> bool {
    // This intentionally ignores text before the start of a function so something like:
    // ```
    // // SAFETY: reason
    // fn foo() { unsafe { .. } }
    // ```
    // won't work. This is to avoid dealing with where such a comment should be placed
    // relative to attributes and doc comments.
    let source_map = cx.sess().source_map();

    let Ok(unsafe_line) = source_map.lookup_line(block.span.lo()) else {
        // Problem getting source text. Pretend a comment was found.
        return true;
    };

    // Position at which the searched region begins (its own line is not searched).
    let ctxt = block.span.ctxt();
    let region_start = if ctxt == SyntaxContext::root() {
        // Plain code: from the start of the function body to the unsafe block.
        // fn foo() { some_stuff; unsafe { stuff }; other_stuff; }
        //            ^-------------^
        cx.enclosing_body
            .and_then(|body| walk_span_to_context(cx.tcx.hir().body(body).value.span, SyntaxContext::root()))
            .map(|body_span| body_span.lo())
    } else {
        // From a macro expansion: from the start of the macro declaration to the unsafe block.
        // macro_rules! foo { () => { stuff }; (x) => { unsafe { stuff } }; }
        //              ^--------------------------------------------^
        Some(ctxt.outer_expn_data().def_site.lo())
    };

    let Some(region_start) = region_start else {
        // No enclosing body to anchor the search. Pretend a comment was found.
        return true;
    };
    let Ok(region_line) = source_map.lookup_line(region_start) else {
        return true;
    };
    if !Lrc::ptr_eq(&unsafe_line.sf, &region_line.sf) {
        // The two positions are in different files; nothing sensible to search.
        return true;
    }
    let Some(src) = unsafe_line.sf.src.as_deref() else {
        return true;
    };

    region_line.line < unsafe_line.line
        && text_has_safety_comment(
            src,
            &unsafe_line.sf.lines[region_line.line + 1..=unsafe_line.line],
            unsafe_line.sf.start_pos.to_usize(),
        )
}
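/// Checks if the given text has a safety comment for the immediately preceding line.
///
/// * `src` is the full source text of one file.
/// * `line_starts` are the source-map-absolute start positions of the lines to search;
///   the last entry is the start of the line that holds the `unsafe` block, and that
///   line itself is not searched.
/// * `offset` is the file's absolute start position. Every `BytePos` must have it
///   subtracted before it can index `src`.
///
/// Walking backwards from the `unsafe` block and skipping blank lines, this accepts
/// either an unbroken run of `//` line comments one of which contains `SAFETY:`
/// (ASCII case-insensitive), or a single `/* */` block comment that starts at the
/// beginning of a line, contains `SAFETY:`, and is followed only by whitespace.
///
/// Fix: the block-comment branch previously sliced `src` with the *absolute* line
/// position and the absolute last line start, while `src` is file-relative. For any
/// file other than the first in the source map (`offset != 0`) that indexed the wrong
/// text or panicked on an out-of-range slice. All positions are now made relative once,
/// and slicing uses `get` so a bad range yields `false` instead of a panic.
fn text_has_safety_comment(src: &str, line_starts: &[BytePos], offset: usize) -> bool {
    let mut lines = line_starts
        .array_windows::<2>()
        .rev()
        .map_while(|[start, end]| {
            // Convert both ends to file-relative indices before touching `src`; the
            // `start` yielded here is therefore already usable as an index into `src`.
            let start = start.to_usize().checked_sub(offset)?;
            let end = end.to_usize().checked_sub(offset)?;
            src.get(start..end).map(|text| (start, text.trim_start()))
        })
        .filter(|(_, text)| !text.is_empty());

    let Some((line_start, line)) = lines.next() else {
        return false;
    };

    // Check for a sequence of line comments.
    if line.starts_with("//") {
        let mut line = line;
        loop {
            if line.to_ascii_uppercase().contains("SAFETY:") {
                return true;
            }
            match lines.next() {
                Some((_, x)) if x.starts_with("//") => line = x,
                _ => return false,
            }
        }
    }

    // No line comments; look for the start of a block comment.
    // This will only find them if they are at the start of a line.
    let (mut line_start, mut line) = (line_start, line);
    loop {
        if line.starts_with("/*") {
            // The search range ends at the start of the `unsafe` line. `line_start` is
            // already file-relative; the end must be converted the same way.
            let Some(end) = line_starts
                .last()
                .and_then(|pos| pos.to_usize().checked_sub(offset))
            else {
                return false;
            };
            let Some(text) = src.get(line_start..end).map(str::trim_start) else {
                return false;
            };
            let mut tokens = tokenize(text);
            // `text` starts with `/*`, so the first token is the block comment itself.
            let Some(comment_len) = tokens.next().map(|token| token.len) else {
                return false;
            };
            return text[..comment_len].to_ascii_uppercase().contains("SAFETY:")
                && tokens.all(|token| token.kind == TokenKind::Whitespace);
        }
        match lines.next() {
            Some(x) => (line_start, line) = x,
            None => return false,
        }
    }
}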