Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deny transmute of &[T] into &[U] where U is larger than T #10285

Closed
KisaragiEffective opened this issue Feb 4, 2023 · 1 comment · Fixed by #11849
Closed

deny transmute of &[T] into &[U] where U is larger than T #10285

KisaragiEffective opened this issue Feb 4, 2023 · 1 comment · Fixed by #11849
Assignees
@KisaragiEffective
Labels
A-lint Area: New lints

Comments

@KisaragiEffective
Copy link
Contributor

KisaragiEffective commented Feb 4, 2023
edited by rustbot
Loading

What it does

This prevents a kind of UB.

Examples:

let bytes = &[1u8, 2u8, 3u8, 4u8] as &[u8];
let alt_slice: &[u32] = unsafe { core::mem::transmute(bytes) };
// expected to be expanded
assert_eq!(alt_slice[0], 1);
assert_eq!(alt_slice[1], 2);
assert_eq!(alt_slice[2], 3);
assert_eq!(alt_slice[3], 4);

This is not true. alt_slice[0] have (mostly) 0x01020304 or 0x04030201 depending on byte-order, and left is looks like garbage and user thinks it is not what (s)he wanted.

Also, this contains UB. Miri reports call to transmute is UB.

I believe: mem::transmute::<&[T], &[U]> is UB if and only if mem::size_of<T> < mem::size_of<U>.

Alternatives:

This may not be MachineApplicable, because:
If user is expected to keep length and transmute each element:

// let original_slice: &[T] = ...
let alt_slice: &[U] = original_slice
    .iter()
    .map(|original| unsafe { core::mem::transmute(original) })
    .collect::<Vec<_>>()
    .as_slice()

If user is expected to transmute entire bit pattern of pointing bit-pattern:

// let original_slice: &[T] = ...
let (prefix, align_result, suffix) = original_slice.align_to::<U>();
assert_eq!(prefix.len(), 0);
assert_eq!(suffix.len(), 0);

Lint Name

transmute_to_larger_element_slice

Category

correctness

Advantage

  • Prevents a kind of UB.

Drawbacks

No response

Example

// let bytes = &[1u8, 2u8, 3u8, 4u8] as &[u8];
let alt_slice: &[u32] = unsafe { core::mem::transmute(bytes) };

Could be written as:

let alt_slice: &[u32] = original_slice
    .iter()
    .map(|original| unsafe { core::mem::transmute(original) })
    .collect::<Vec<_>>()
    .as_slice()

or

let (prefix, align_result, suffix) = original_slice.align_to::<u32>();
assert_eq!(prefix.len(), 0);
assert_eq!(suffix.len(), 0);
@KisaragiEffective KisaragiEffective added the A-lint Area: New lints label Feb 4, 2023
@KisaragiEffective KisaragiEffective mentioned this issue Feb 4, 2023
Open
@KisaragiEffective
Copy link
Contributor Author

@rustbot claim

@KisaragiEffective KisaragiEffective mentioned this issue Feb 10, 2023
Closed
7 tasks
GuillaumeGomez added a commit to GuillaumeGomez/rust-clippy that referenced this issue Nov 21, 2023
@GuillaumeGomez
Add tests for issues rust-lang#10285, rust-lang#10286, rust-lang#10289,
2fa87fb 
rust-lang#10287
@GuillaumeGomez GuillaumeGomez mentioned this issue Nov 21, 2023
Merged
@bors bors closed this as completed in b21c9d4 Nov 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@KisaragiEffective KisaragiEffective

Labels
A-lint Area: New lints
Projects
None yet
Milestone
No milestone
1 participant
@KisaragiEffective