use clippy_utils::diagnostics::span_lint_and_then; use clippy_utils::source::snippet; use clippy_utils::ty::{implements_trait, is_copy}; use clippy_utils::{is_lint_allowed, match_def_path, paths}; use rustc_ast::ImplPolarity; use rustc_hir::def_id::DefId; use rustc_hir::{FieldDef, Item, ItemKind, Node}; use rustc_lint::{LateContext, LateLintPass}; use rustc_middle::lint::in_external_macro; use rustc_middle::ty::{self, subst::GenericArgKind, Ty}; use rustc_session::{declare_tool_lint, impl_lint_pass}; use rustc_span::sym; declare_clippy_lint! { /// ### What it does /// This lint warns about a `Send` implementation for a type that /// contains fields that are not safe to be sent across threads. /// It tries to detect fields that can cause a soundness issue /// when sent to another thread (e.g., `Rc`) while allowing `!Send` fields /// that are expected to exist in a `Send` type, such as raw pointers. /// /// ### Why is this bad? /// Sending the struct to another thread effectively sends all of its fields, /// and the fields that do not implement `Send` can lead to soundness bugs /// such as data races when accessed in a thread /// that is different from the thread that created it. /// /// See: /// * [*The Rustonomicon* about *Send and Sync*](https://doc.rust-lang.org/nomicon/send-and-sync.html) /// * [The documentation of `Send`](https://doc.rust-lang.org/std/marker/trait.Send.html) /// /// ### Known Problems /// This lint relies on heuristics to distinguish types that are actually /// unsafe to be sent across threads and `!Send` types that are expected to /// exist in `Send` type. Its rule can filter out basic cases such as /// `Vec<*const T>`, but it's not perfect. Feel free to create an issue if /// you have a suggestion on how this heuristic can be improved. /// /// ### Example /// ```rust,ignore /// struct ExampleStruct { /// rc_is_not_send: Rc, /// unbounded_generic_field: T, /// } /// /// // This impl is unsound because it allows sending `!Send` types through `ExampleStruct` /// unsafe impl Send for ExampleStruct {} /// ``` /// Use thread-safe types like [`std::sync::Arc`](https://doc.rust-lang.org/std/sync/struct.Arc.html) /// or specify correct bounds on generic type parameters (`T: Send`). #[clippy::version = "1.57.0"] pub NON_SEND_FIELDS_IN_SEND_TY, nursery, "there is a field that is not safe to be sent to another thread in a `Send` struct" } #[derive(Copy, Clone)] pub struct NonSendFieldInSendTy { enable_raw_pointer_heuristic: bool, } impl NonSendFieldInSendTy { pub fn new(enable_raw_pointer_heuristic: bool) -> Self { Self { enable_raw_pointer_heuristic, } } } impl_lint_pass!(NonSendFieldInSendTy => [NON_SEND_FIELDS_IN_SEND_TY]); impl<'tcx> LateLintPass<'tcx> for NonSendFieldInSendTy { fn check_item(&mut self, cx: &LateContext<'tcx>, item: &'tcx Item<'_>) { let ty_allowed_in_send = if self.enable_raw_pointer_heuristic { ty_allowed_with_raw_pointer_heuristic } else { ty_allowed_without_raw_pointer_heuristic }; // Checks if we are in `Send` impl item. // We start from `Send` impl instead of `check_field_def()` because // single `AdtDef` may have multiple `Send` impls due to generic // parameters, and the lint is much easier to implement in this way. if_chain! { if !in_external_macro(cx.tcx.sess, item.span); if let Some(send_trait) = cx.tcx.get_diagnostic_item(sym::Send); if let ItemKind::Impl(hir_impl) = &item.kind; if let Some(trait_ref) = &hir_impl.of_trait; if let Some(trait_id) = trait_ref.trait_def_id(); if send_trait == trait_id; if hir_impl.polarity == ImplPolarity::Positive; if let Some(ty_trait_ref) = cx.tcx.impl_trait_ref(item.owner_id); if let self_ty = ty_trait_ref.subst_identity().self_ty(); if let ty::Adt(adt_def, impl_trait_substs) = self_ty.kind(); then { let mut non_send_fields = Vec::new(); let hir_map = cx.tcx.hir(); for variant in adt_def.variants() { for field in &variant.fields { if_chain! { if let Some(field_hir_id) = field .did .as_local() .map(|local_def_id| hir_map.local_def_id_to_hir_id(local_def_id)); if !is_lint_allowed(cx, NON_SEND_FIELDS_IN_SEND_TY, field_hir_id); if let field_ty = field.ty(cx.tcx, impl_trait_substs); if !ty_allowed_in_send(cx, field_ty, send_trait); if let Node::Field(field_def) = hir_map.get(field_hir_id); then { non_send_fields.push(NonSendField { def: field_def, ty: field_ty, generic_params: collect_generic_params(field_ty), }) } } } } if !non_send_fields.is_empty() { span_lint_and_then( cx, NON_SEND_FIELDS_IN_SEND_TY, item.span, &format!( "some fields in `{}` are not safe to be sent to another thread", snippet(cx, hir_impl.self_ty.span, "Unknown") ), |diag| { for field in non_send_fields { diag.span_note( field.def.span, format!("it is not safe to send field `{}` to another thread", field.def.ident.name), ); match field.generic_params.len() { 0 => diag.help("use a thread-safe type that implements `Send`"), 1 if is_ty_param(field.ty) => diag.help(format!("add `{}: Send` bound in `Send` impl", field.ty)), _ => diag.help(format!( "add bounds on type parameter{} `{}` that satisfy `{}: Send`", if field.generic_params.len() > 1 { "s" } else { "" }, field.generic_params_string(), snippet(cx, field.def.ty.span, "Unknown"), )), }; } }, ); } } } } } struct NonSendField<'tcx> { def: &'tcx FieldDef<'tcx>, ty: Ty<'tcx>, generic_params: Vec>, } impl<'tcx> NonSendField<'tcx> { fn generic_params_string(&self) -> String { self.generic_params .iter() .map(ToString::to_string) .collect::>() .join(", ") } } /// Given a type, collect all of its generic parameters. /// Example: `MyStruct>` => `vec![P, Q, R]` fn collect_generic_params(ty: Ty<'_>) -> Vec> { ty.walk() .filter_map(|inner| match inner.unpack() { GenericArgKind::Type(inner_ty) => Some(inner_ty), _ => None, }) .filter(|&inner_ty| is_ty_param(inner_ty)) .collect() } /// Be more strict when the heuristic is disabled fn ty_allowed_without_raw_pointer_heuristic<'tcx>(cx: &LateContext<'tcx>, ty: Ty<'tcx>, send_trait: DefId) -> bool { if implements_trait(cx, ty, send_trait, &[]) { return true; } if is_copy(cx, ty) && !contains_pointer_like(cx, ty) { return true; } false } /// Heuristic to allow cases like `Vec<*const u8>` fn ty_allowed_with_raw_pointer_heuristic<'tcx>(cx: &LateContext<'tcx>, ty: Ty<'tcx>, send_trait: DefId) -> bool { if implements_trait(cx, ty, send_trait, &[]) || is_copy(cx, ty) { return true; } // The type is known to be `!Send` and `!Copy` match ty.kind() { ty::Tuple(fields) => fields .iter() .all(|ty| ty_allowed_with_raw_pointer_heuristic(cx, ty, send_trait)), ty::Array(ty, _) | ty::Slice(ty) => ty_allowed_with_raw_pointer_heuristic(cx, *ty, send_trait), ty::Adt(_, substs) => { if contains_pointer_like(cx, ty) { // descends only if ADT contains any raw pointers substs.iter().all(|generic_arg| match generic_arg.unpack() { GenericArgKind::Type(ty) => ty_allowed_with_raw_pointer_heuristic(cx, ty, send_trait), // Lifetimes and const generics are not solid part of ADT and ignored GenericArgKind::Lifetime(_) | GenericArgKind::Const(_) => true, }) } else { false } }, // Raw pointers are `!Send` but allowed by the heuristic ty::RawPtr(_) => true, _ => false, } } /// Checks if the type contains any pointer-like types in substs (including nested ones) fn contains_pointer_like<'tcx>(cx: &LateContext<'tcx>, target_ty: Ty<'tcx>) -> bool { for ty_node in target_ty.walk() { if let GenericArgKind::Type(inner_ty) = ty_node.unpack() { match inner_ty.kind() { ty::RawPtr(_) => { return true; }, ty::Adt(adt_def, _) => { if match_def_path(cx, adt_def.did(), &paths::PTR_NON_NULL) { return true; } }, _ => (), } } } false } /// Returns `true` if the type is a type parameter such as `T`. fn is_ty_param(target_ty: Ty<'_>) -> bool { matches!(target_ty.kind(), ty::Param(_)) }