From 8f3e876e522f9ecc8f855485bb4857163c0f86e4 Mon Sep 17 00:00:00 2001
From: Wim Looman <git@nemo157.com>
Date: Sat, 27 May 2023 22:20:14 +0200
Subject: [PATCH] Add note about unsafe functions body not being unsafe

---
 compiler/rustc_mir_transform/messages.ftl     |  1 +
 .../rustc_mir_transform/src/check_unsafety.rs |  7 ++-
 compiler/rustc_mir_transform/src/errors.rs    | 10 +++-
 ...rfc-2585-unsafe_op_in_unsafe_fn.mir.stderr | 10 ++++
 .../unsafe/wrapping-unsafe-block-sugg.fixed   | 17 ++++++-
 tests/ui/unsafe/wrapping-unsafe-block-sugg.rs | 17 ++++++-
 .../unsafe/wrapping-unsafe-block-sugg.stderr  | 49 ++++++++++++-------
 7 files changed, 89 insertions(+), 22 deletions(-)

diff --git a/compiler/rustc_mir_transform/messages.ftl b/compiler/rustc_mir_transform/messages.ftl
index 300e592a6b4..2598eb2ed09 100644
--- a/compiler/rustc_mir_transform/messages.ftl
+++ b/compiler/rustc_mir_transform/messages.ftl
@@ -56,6 +56,7 @@ mir_transform_union_access_label = access to union field
 mir_transform_union_access_note = the field may not be properly initialized: using uninitialized data will cause undefined behavior
 mir_transform_unsafe_op_in_unsafe_fn = {$details} is unsafe and requires unsafe block (error E0133)
     .suggestion = consider wrapping the function body in an unsafe block
+    .note = an unsafe function restricts its caller, but its body is safe by default
 
 mir_transform_unused_unsafe = unnecessary `unsafe` block
     .label = because it's nested under this `unsafe` block
diff --git a/compiler/rustc_mir_transform/src/check_unsafety.rs b/compiler/rustc_mir_transform/src/check_unsafety.rs
index fd8e02ebeab..41e31df77cb 100644
--- a/compiler/rustc_mir_transform/src/check_unsafety.rs
+++ b/compiler/rustc_mir_transform/src/check_unsafety.rs
@@ -571,11 +571,16 @@ pub fn check_unsafety(tcx: TyCtxt<'_>, def_id: LocalDefId) {
                     errors::UnsafeOpInUnsafeFn {
                         details,
                         suggest_unsafe_block: suggest_unsafe_block.then(|| {
+                            let hir_id = tcx.hir().local_def_id_to_hir_id(def_id);
+                            let fn_sig = tcx
+                                .hir()
+                                .fn_sig_by_hir_id(hir_id)
+                                .expect("this violation only occurs in fn");
                             let body = tcx.hir().body_owned_by(def_id);
                             let body_span = tcx.hir().body(body).value.span;
                             let start = tcx.sess.source_map().start_point(body_span).shrink_to_hi();
                             let end = tcx.sess.source_map().end_point(body_span).shrink_to_lo();
-                            (start, end)
+                            (start, end, fn_sig.span)
                         }),
                     },
                 );
diff --git a/compiler/rustc_mir_transform/src/errors.rs b/compiler/rustc_mir_transform/src/errors.rs
index 6570da51bcc..05a27f853b8 100644
--- a/compiler/rustc_mir_transform/src/errors.rs
+++ b/compiler/rustc_mir_transform/src/errors.rs
@@ -131,7 +131,12 @@ fn label(self) -> DiagnosticMessage {
 
 pub(crate) struct UnsafeOpInUnsafeFn {
     pub details: RequiresUnsafeDetail,
-    pub suggest_unsafe_block: Option<(Span, Span)>,
+
+    /// These spans point to:
+    ///  1. the start of the function body
+    ///  2. the end of the function body
+    ///  3. the function signature
+    pub suggest_unsafe_block: Option<(Span, Span, Span)>,
 }
 
 impl<'a> DecorateLint<'a, ()> for UnsafeOpInUnsafeFn {
@@ -146,7 +151,8 @@ fn decorate_lint<'b>(
         diag.span_label(self.details.span, self.details.label());
         diag.note(self.details.note());
 
-        if let Some((start, end)) = self.suggest_unsafe_block {
+        if let Some((start, end, fn_sig)) = self.suggest_unsafe_block {
+            diag.span_note(fn_sig, crate::fluent_generated::mir_transform_note);
             diag.tool_only_multipart_suggestion(
                 crate::fluent_generated::mir_transform_suggestion,
                 vec![(start, " unsafe {".into()), (end, "}".into())],
diff --git a/tests/ui/unsafe/rfc-2585-unsafe_op_in_unsafe_fn.mir.stderr b/tests/ui/unsafe/rfc-2585-unsafe_op_in_unsafe_fn.mir.stderr
index 6f005fe8958..0c0826c1cfb 100644
--- a/tests/ui/unsafe/rfc-2585-unsafe_op_in_unsafe_fn.mir.stderr
+++ b/tests/ui/unsafe/rfc-2585-unsafe_op_in_unsafe_fn.mir.stderr
@@ -5,6 +5,11 @@ LL |     unsf();
    |     ^^^^^^ call to unsafe function
    |
    = note: consult the function's documentation for information on how to avoid undefined behavior
+note: an unsafe function restricts its caller, but its body is safe by default
+  --> $DIR/rfc-2585-unsafe_op_in_unsafe_fn.rs:11:1
+   |
+LL | unsafe fn deny_level() {
+   | ^^^^^^^^^^^^^^^^^^^^^^
 note: the lint level is defined here
   --> $DIR/rfc-2585-unsafe_op_in_unsafe_fn.rs:4:9
    |
@@ -46,6 +51,11 @@ LL |     unsf();
    |     ^^^^^^ call to unsafe function
    |
    = note: consult the function's documentation for information on how to avoid undefined behavior
+note: an unsafe function restricts its caller, but its body is safe by default
+  --> $DIR/rfc-2585-unsafe_op_in_unsafe_fn.rs:27:1
+   |
+LL | unsafe fn warning_level() {
+   | ^^^^^^^^^^^^^^^^^^^^^^^^^
 note: the lint level is defined here
   --> $DIR/rfc-2585-unsafe_op_in_unsafe_fn.rs:26:8
    |
diff --git a/tests/ui/unsafe/wrapping-unsafe-block-sugg.fixed b/tests/ui/unsafe/wrapping-unsafe-block-sugg.fixed
index c36aabb7c92..8fdc21ee109 100644
--- a/tests/ui/unsafe/wrapping-unsafe-block-sugg.fixed
+++ b/tests/ui/unsafe/wrapping-unsafe-block-sugg.fixed
@@ -1,23 +1,38 @@
 // run-rustfix
 
-#![deny(unsafe_op_in_unsafe_fn)]
+#![deny(unsafe_op_in_unsafe_fn)] //~ NOTE
 
 unsafe fn unsf() {}
 
 pub unsafe fn foo() { unsafe {
+    //~^ NOTE an unsafe function restricts its caller, but its body is safe by default
     unsf(); //~ ERROR call to unsafe function is unsafe
+    //~^ NOTE
+    //~| NOTE
     unsf(); //~ ERROR call to unsafe function is unsafe
+    //~^ NOTE
+    //~| NOTE
 }}
 
 pub unsafe fn bar(x: *const i32) -> i32 { unsafe {
+    //~^ NOTE an unsafe function restricts its caller, but its body is safe by default
     let y = *x; //~ ERROR dereference of raw pointer is unsafe and requires unsafe block
+    //~^ NOTE
+    //~| NOTE
     y + *x //~ ERROR dereference of raw pointer is unsafe and requires unsafe block
+    //~^ NOTE
+    //~| NOTE
 }}
 
 static mut BAZ: i32 = 0;
 pub unsafe fn baz() -> i32 { unsafe {
+    //~^ NOTE an unsafe function restricts its caller, but its body is safe by default
     let y = BAZ; //~ ERROR use of mutable static is unsafe and requires unsafe block
+    //~^ NOTE
+    //~| NOTE
     y + BAZ //~ ERROR use of mutable static is unsafe and requires unsafe block
+    //~^ NOTE
+    //~| NOTE
 }}
 
 fn main() {}
diff --git a/tests/ui/unsafe/wrapping-unsafe-block-sugg.rs b/tests/ui/unsafe/wrapping-unsafe-block-sugg.rs
index 95e22d1bc4d..0c6feee4ff2 100644
--- a/tests/ui/unsafe/wrapping-unsafe-block-sugg.rs
+++ b/tests/ui/unsafe/wrapping-unsafe-block-sugg.rs
@@ -1,23 +1,38 @@
 // run-rustfix
 
-#![deny(unsafe_op_in_unsafe_fn)]
+#![deny(unsafe_op_in_unsafe_fn)] //~ NOTE
 
 unsafe fn unsf() {}
 
 pub unsafe fn foo() {
+    //~^ NOTE an unsafe function restricts its caller, but its body is safe by default
     unsf(); //~ ERROR call to unsafe function is unsafe
+    //~^ NOTE
+    //~| NOTE
     unsf(); //~ ERROR call to unsafe function is unsafe
+    //~^ NOTE
+    //~| NOTE
 }
 
 pub unsafe fn bar(x: *const i32) -> i32 {
+    //~^ NOTE an unsafe function restricts its caller, but its body is safe by default
     let y = *x; //~ ERROR dereference of raw pointer is unsafe and requires unsafe block
+    //~^ NOTE
+    //~| NOTE
     y + *x //~ ERROR dereference of raw pointer is unsafe and requires unsafe block
+    //~^ NOTE
+    //~| NOTE
 }
 
 static mut BAZ: i32 = 0;
 pub unsafe fn baz() -> i32 {
+    //~^ NOTE an unsafe function restricts its caller, but its body is safe by default
     let y = BAZ; //~ ERROR use of mutable static is unsafe and requires unsafe block
+    //~^ NOTE
+    //~| NOTE
     y + BAZ //~ ERROR use of mutable static is unsafe and requires unsafe block
+    //~^ NOTE
+    //~| NOTE
 }
 
 fn main() {}
diff --git a/tests/ui/unsafe/wrapping-unsafe-block-sugg.stderr b/tests/ui/unsafe/wrapping-unsafe-block-sugg.stderr
index b22c5b74b56..76f86b09d68 100644
--- a/tests/ui/unsafe/wrapping-unsafe-block-sugg.stderr
+++ b/tests/ui/unsafe/wrapping-unsafe-block-sugg.stderr
@@ -1,16 +1,3 @@
-error: call to unsafe function is unsafe and requires unsafe block (error E0133)
-  --> $DIR/wrapping-unsafe-block-sugg.rs:8:5
-   |
-LL |     unsf();
-   |     ^^^^^^ call to unsafe function
-   |
-   = note: consult the function's documentation for information on how to avoid undefined behavior
-note: the lint level is defined here
-  --> $DIR/wrapping-unsafe-block-sugg.rs:3:9
-   |
-LL | #![deny(unsafe_op_in_unsafe_fn)]
-   |         ^^^^^^^^^^^^^^^^^^^^^^
-
 error: call to unsafe function is unsafe and requires unsafe block (error E0133)
   --> $DIR/wrapping-unsafe-block-sugg.rs:9:5
    |
@@ -18,17 +5,40 @@ LL |     unsf();
    |     ^^^^^^ call to unsafe function
    |
    = note: consult the function's documentation for information on how to avoid undefined behavior
+note: an unsafe function restricts its caller, but its body is safe by default
+  --> $DIR/wrapping-unsafe-block-sugg.rs:7:1
+   |
+LL | pub unsafe fn foo() {
+   | ^^^^^^^^^^^^^^^^^^^
+note: the lint level is defined here
+  --> $DIR/wrapping-unsafe-block-sugg.rs:3:9
+   |
+LL | #![deny(unsafe_op_in_unsafe_fn)]
+   |         ^^^^^^^^^^^^^^^^^^^^^^
+
+error: call to unsafe function is unsafe and requires unsafe block (error E0133)
+  --> $DIR/wrapping-unsafe-block-sugg.rs:12:5
+   |
+LL |     unsf();
+   |     ^^^^^^ call to unsafe function
+   |
+   = note: consult the function's documentation for information on how to avoid undefined behavior
 
 error: dereference of raw pointer is unsafe and requires unsafe block (error E0133)
-  --> $DIR/wrapping-unsafe-block-sugg.rs:13:13
+  --> $DIR/wrapping-unsafe-block-sugg.rs:19:13
    |
 LL |     let y = *x;
    |             ^^ dereference of raw pointer
    |
    = note: raw pointers may be null, dangling or unaligned; they can violate aliasing rules and cause data races: all of these are undefined behavior
+note: an unsafe function restricts its caller, but its body is safe by default
+  --> $DIR/wrapping-unsafe-block-sugg.rs:17:1
+   |
+LL | pub unsafe fn bar(x: *const i32) -> i32 {
+   | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 error: dereference of raw pointer is unsafe and requires unsafe block (error E0133)
-  --> $DIR/wrapping-unsafe-block-sugg.rs:14:9
+  --> $DIR/wrapping-unsafe-block-sugg.rs:22:9
    |
 LL |     y + *x
    |         ^^ dereference of raw pointer
@@ -36,15 +46,20 @@ LL |     y + *x
    = note: raw pointers may be null, dangling or unaligned; they can violate aliasing rules and cause data races: all of these are undefined behavior
 
 error: use of mutable static is unsafe and requires unsafe block (error E0133)
-  --> $DIR/wrapping-unsafe-block-sugg.rs:19:13
+  --> $DIR/wrapping-unsafe-block-sugg.rs:30:13
    |
 LL |     let y = BAZ;
    |             ^^^ use of mutable static
    |
    = note: mutable statics can be mutated by multiple threads: aliasing violations or data races will cause undefined behavior
+note: an unsafe function restricts its caller, but its body is safe by default
+  --> $DIR/wrapping-unsafe-block-sugg.rs:28:1
+   |
+LL | pub unsafe fn baz() -> i32 {
+   | ^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 error: use of mutable static is unsafe and requires unsafe block (error E0133)
-  --> $DIR/wrapping-unsafe-block-sugg.rs:20:9
+  --> $DIR/wrapping-unsafe-block-sugg.rs:33:9
    |
 LL |     y + BAZ
    |         ^^^ use of mutable static