rust-lang
diff --git a/‎tests/ui/lint/improper-ctypes/allow-improper-ctypes.rs‎
Lines changed: 159 additions & 0 deletions b/‎tests/ui/lint/improper-ctypes/allow-improper-ctypes.rs‎
Lines changed: 159 additions & 0 deletions
diff --git a/‎tests/ui/lint/improper-ctypes/allow-improper-ctypes.stderr‎
Lines changed: 104 additions & 0 deletions b/‎tests/ui/lint/improper-ctypes/allow-improper-ctypes.stderr‎
Lines changed: 104 additions & 0 deletions
diff --git a/‎tests/ui/lint/improper-ctypes/auxiliary/extern_crate_types.rs‎
Lines changed: 85 additions & 0 deletions b/‎tests/ui/lint/improper-ctypes/auxiliary/extern_crate_types.rs‎
Lines changed: 85 additions & 0 deletions
diff --git a/‎tests/ui/lint/improper-ctypes/lint-nonexhaustive.rs‎
Lines changed: 35 additions & 0 deletions b/‎tests/ui/lint/improper-ctypes/lint-nonexhaustive.rs‎
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,159 @@
+#![deny(improper_ctypes, improper_ctypes_definitions)]
+
+//@ aux-build: extern_crate_types.rs
+//@ compile-flags:--extern extern_crate_types
+extern crate extern_crate_types as ext_crate;
+
+// ////////////////////////////////////////////////////////
+// first, the same bank of types as in the extern crate
+
+// FIXME: maybe re-introduce improper_ctype_definitions (ctype singular)
+// as a way to mark ADTs as "let's ignore that they are not actually FFI-unsafe"
+
+#[repr(C)]
+struct SafeStruct (i32);
+
+#[repr(C)]
+struct UnsafeStruct (String);
+
+#[repr(C)]
+//#[allow(improper_ctype_definitions)]
+struct AllowedUnsafeStruct (String);
+
+// refs are only unsafe if the value comes from the other side of the FFI boundary
+// due to the non-null assumption
+// (technically there are also assumptions about non-dandling, alignment,
+//  aliasing, lifetimes, etc...)
+// the lint is not raised here, but will be if used in the wrong place
+#[repr(C)]
+struct UnsafeFromForeignStruct<'a> (&'a u32);
+
+#[repr(C)]
+//#[allow(improper_ctype_definitions)]
+struct AllowedUnsafeFromForeignStruct<'a> (&'a u32);
+
+
+type SafeFnPtr = extern "C" fn(i32)->i32;
+
+type UnsafeFnPtr = extern "C" fn((i32, i32))->i32;
+//~^ ERROR: `extern` callback uses type `(i32, i32)`
+
+
+// for now, let's not lint on the nonzero assumption,
+// because:
+// - we don't know if the callback is rust-callee-foreign-caller or the other way around
+// - having to cast around function signatures to get function pointers
+//   would be an awful experience
+// so, let's assume that the unsafety in this fnptr
+// will be pointed out indirectly by a lint elsewhere
+// (note: there's one case where the error would be missed altogether:
+//  a rust-caller,non-rust-callee callback where the fnptr
+//  is given as an argument to a rust-callee,non-rust-caller
+//  FFI boundary)
+#[allow(improper_ctypes)]
+type AllowedUnsafeFnPtr = extern "C" fn(&[i32])->i32;
+
+type UnsafeRustCalleeFnPtr = extern "C" fn(i32)->&'static i32;
+
+#[allow(improper_ctypes)]
+type AllowedUnsafeRustCalleeFnPtr = extern "C" fn(i32)->&'static i32;
+
+type UnsafeForeignCalleeFnPtr = extern "C" fn(&i32);
+
+#[allow(improper_ctypes)]
+type AllowedUnsafeForeignCalleeFnPtr = extern "C" fn(&i32);
+
+
+// ////////////////////////////////////////////////////////
+// then, some functions that use them
+
+static INT: u32 = 42;
+
+#[allow(improper_ctypes_definitions)]
+extern "C" fn fn1a(e: &String) -> &str {&*e}
+extern "C" fn fn1u(e: &String) -> &str {&*e}
+//~^ ERROR: `extern` fn uses type `&str`
+// | FIXME: not warning about the &String feels wrong, but it's behind a FFI-safe reference so...
+
+#[allow(improper_ctypes_definitions)]
+extern "C" fn fn2a(e: UnsafeStruct) {}
+extern "C" fn fn2u(e: UnsafeStruct) {}
+//~^ ERROR: `extern` fn uses type `UnsafeStruct`
+#[allow(improper_ctypes_definitions)]
+extern "C" fn fn2oa(e: ext_crate::UnsafeStruct) {}
+extern "C" fn fn2ou(e: ext_crate::UnsafeStruct) {}
+//~^ ERROR: `extern` fn uses type `ext_crate::UnsafeStruct`
+
+#[allow(improper_ctypes_definitions)]
+extern "C" fn fn3a(e: AllowedUnsafeStruct) {}
+extern "C" fn fn3u(e: AllowedUnsafeStruct) {}
+//~^ ERROR: `extern` fn uses type `AllowedUnsafeStruct`
+// ^^ FIXME: ...ideally the lint should not trigger here
+#[allow(improper_ctypes_definitions)]
+extern "C" fn fn3oa(e: ext_crate::AllowedUnsafeStruct) {}
+extern "C" fn fn3ou(e: ext_crate::AllowedUnsafeStruct) {}
+//~^ ERROR: `extern` fn uses type `ext_crate::AllowedUnsafeStruct`
+// ^^ FIXME: ...ideally the lint should not trigger here
+
+#[allow(improper_ctypes_definitions)]
+extern "C" fn fn4a(e: UnsafeFromForeignStruct) {}
+extern "C" fn fn4u(e: UnsafeFromForeignStruct) {}
+#[allow(improper_ctypes_definitions)]
+extern "C" fn fn4oa(e: ext_crate::UnsafeFromForeignStruct) {}
+extern "C" fn fn4ou(e: ext_crate::UnsafeFromForeignStruct) {}
+// the block above might become unsafe if/once we lint on the value assumptions of types
+
+#[allow(improper_ctypes_definitions)]
+extern "C" fn fn5a() -> UnsafeFromForeignStruct<'static> { UnsafeFromForeignStruct(&INT)}
+extern "C" fn fn5u() -> UnsafeFromForeignStruct<'static> { UnsafeFromForeignStruct(&INT)}
+#[allow(improper_ctypes_definitions)]
+extern "C" fn fn5oa() -> ext_crate::UnsafeFromForeignStruct<'static> {
+    ext_crate::UnsafeFromForeignStruct(&INT)
+}
+extern "C" fn fn5ou() -> ext_crate::UnsafeFromForeignStruct<'static> {
+    ext_crate::UnsafeFromForeignStruct(&INT)
+}
+
+#[allow(improper_ctypes_definitions)]
+extern "C" fn fn6a() -> AllowedUnsafeFromForeignStruct<'static> {
+    AllowedUnsafeFromForeignStruct(&INT)
+}
+extern "C" fn fn6u() -> AllowedUnsafeFromForeignStruct<'static> {
+    AllowedUnsafeFromForeignStruct(&INT)
+}
+#[allow(improper_ctypes_definitions)]
+extern "C" fn fn6oa() -> ext_crate::AllowedUnsafeFromForeignStruct<'static> {
+    ext_crate::AllowedUnsafeFromForeignStruct(&INT)
+}
+extern "C" fn fn6ou() -> ext_crate::AllowedUnsafeFromForeignStruct<'static> {
+    ext_crate::AllowedUnsafeFromForeignStruct(&INT)
+}
+
+// ////////////////////////////////////////////////////////
+// special cases: struct-in-fnptr and fnptr-in-struct
+
+#[repr(C)]
+struct FakeVTable<A>{
+    make_new: extern "C" fn() -> A,
+    combine: extern "C" fn(&[A]) -> A,
+    //~^ ERROR: `extern` callback uses type `&[A]`
+    drop: extern "C" fn(A),
+    something_else: (A, usize),
+}
+
+type FakeVTableMaker = extern "C" fn() -> FakeVTable<u32>;
+//~^ ERROR: `extern` callback uses type `FakeVTable<u32>`
+
+#[repr(C)]
+#[allow(improper_ctypes)]
+struct FakeVTableAllowed<A>{
+    make_new: extern "C" fn() -> A,
+    combine: extern "C" fn(&[A]) -> A,
+    drop: extern "C" fn(A),
+    something_else: (A, usize),
+}
+
+#[allow(improper_ctypes)]
+type FakeVTableMakerAllowed = extern "C" fn() -> FakeVTable<u32>;
+
+fn main(){}
@@ -0,0 +1,104 @@
+error: `extern` callback uses type `(i32, i32)`, which is not FFI-safe
+  --> $DIR/allow-improper-ctypes.rs:38:34
+   |
+LL | type UnsafeFnPtr = extern "C" fn((i32, i32))->i32;
+   |                                  ^^^^^^^^^^ not FFI-safe
+   |
+   = help: consider using a struct instead
+   = note: tuples have unspecified layout
+note: the lint level is defined here
+  --> $DIR/allow-improper-ctypes.rs:1:9
+   |
+LL | #![deny(improper_ctypes, improper_ctypes_definitions)]
+   |         ^^^^^^^^^^^^^^^
+
+error: `extern` fn uses type `&str`, which is not FFI-safe
+  --> $DIR/allow-improper-ctypes.rs:74:35
+   |
+LL | extern "C" fn fn1u(e: &String) -> &str {&*e}
+   |                                   ^^^^ not FFI-safe
+   |
+   = help: consider using `*const u8` and a length instead
+   = note: this reference to an unsized type contains metadata, which makes it incompatible with a C pointer
+note: the lint level is defined here
+  --> $DIR/allow-improper-ctypes.rs:1:26
+   |
+LL | #![deny(improper_ctypes, improper_ctypes_definitions)]
+   |                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+error: `extern` fn uses type `UnsafeStruct`, which is not FFI-safe
+  --> $DIR/allow-improper-ctypes.rs:80:23
+   |
+LL | extern "C" fn fn2u(e: UnsafeStruct) {}
+   |                       ^^^^^^^^^^^^ not FFI-safe
+   |
+   = note: this struct/enum/union (`UnsafeStruct`) is FFI-unsafe due to a `String` field
+note: the type is defined here
+  --> $DIR/allow-improper-ctypes.rs:17:1
+   |
+LL | struct UnsafeStruct (String);
+   | ^^^^^^^^^^^^^^^^^^^
+   = help: consider adding a `#[repr(C)]` (not `#[repr(C,packed)]`) or `#[repr(transparent)]` attribute to `String`
+   = note: `String` has unspecified layout
+
+error: `extern` fn uses type `ext_crate::UnsafeStruct`, which is not FFI-safe
+  --> $DIR/allow-improper-ctypes.rs:84:24
+   |
+LL | extern "C" fn fn2ou(e: ext_crate::UnsafeStruct) {}
+   |                        ^^^^^^^^^^^^^^^^^^^^^^^ not FFI-safe
+   |
+   = note: this struct/enum/union (`ext_crate::UnsafeStruct`) is FFI-unsafe due to a `String` field
+   = help: consider adding a `#[repr(C)]` (not `#[repr(C,packed)]`) or `#[repr(transparent)]` attribute to `String`
+   = note: `String` has unspecified layout
+
+error: `extern` fn uses type `AllowedUnsafeStruct`, which is not FFI-safe
+  --> $DIR/allow-improper-ctypes.rs:89:23
+   |
+LL | extern "C" fn fn3u(e: AllowedUnsafeStruct) {}
+   |                       ^^^^^^^^^^^^^^^^^^^ not FFI-safe
+   |
+   = note: this struct/enum/union (`AllowedUnsafeStruct`) is FFI-unsafe due to a `String` field
+note: the type is defined here
+  --> $DIR/allow-improper-ctypes.rs:21:1
+   |
+LL | struct AllowedUnsafeStruct (String);
+   | ^^^^^^^^^^^^^^^^^^^^^^^^^^
+   = help: consider adding a `#[repr(C)]` (not `#[repr(C,packed)]`) or `#[repr(transparent)]` attribute to `String`
+   = note: `String` has unspecified layout
+
+error: `extern` fn uses type `ext_crate::AllowedUnsafeStruct`, which is not FFI-safe
+  --> $DIR/allow-improper-ctypes.rs:94:24
+   |
+LL | extern "C" fn fn3ou(e: ext_crate::AllowedUnsafeStruct) {}
+   |                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ not FFI-safe
+   |
+   = note: this struct/enum/union (`ext_crate::AllowedUnsafeStruct`) is FFI-unsafe due to a `String` field
+   = help: consider adding a `#[repr(C)]` (not `#[repr(C,packed)]`) or `#[repr(transparent)]` attribute to `String`
+   = note: `String` has unspecified layout
+
+error: `extern` callback uses type `&[A]`, which is not FFI-safe
+  --> $DIR/allow-improper-ctypes.rs:138:28
+   |
+LL |     combine: extern "C" fn(&[A]) -> A,
+   |                            ^^^^ not FFI-safe
+   |
+   = help: consider using a raw pointer to the slice's first element (and a length) instead
+   = note: this reference to an unsized type contains metadata, which makes it incompatible with a C pointer
+
+error: `extern` callback uses type `FakeVTable<u32>`, which is not FFI-safe
+  --> $DIR/allow-improper-ctypes.rs:144:43
+   |
+LL | type FakeVTableMaker = extern "C" fn() -> FakeVTable<u32>;
+   |                                           ^^^^^^^^^^^^^^^ not FFI-safe
+   |
+   = note: this struct/enum/union (`FakeVTable<u32>`) is FFI-unsafe due to a `(u32, usize)` field
+note: the type is defined here
+  --> $DIR/allow-improper-ctypes.rs:136:1
+   |
+LL | struct FakeVTable<A>{
+   | ^^^^^^^^^^^^^^^^^^^^
+   = help: consider using a struct instead
+   = note: tuples have unspecified layout
+
+error: aborting due to 8 previous errors
+
@@ -0,0 +1,85 @@
+/// a bank of types (structs, function pointers) that are safe or unsafe for whatever reason,
+/// with or without said unsafety being explicitely ignored
+
+#[repr(C)]
+pub struct SafeStruct (pub i32);
+
+#[repr(C)]
+pub struct UnsafeStruct (pub String);
+
+#[repr(C)]
+//#[allow(improper_ctype_definitions)]
+pub struct AllowedUnsafeStruct (pub String);
+
+// refs are only unsafe if the value comes from the other side of the FFI boundary
+// due to the non-null assumption
+// (technically there are also assumptions about non-dandling, alignment, aliasing,
+//  lifetimes, etc...)
+#[repr(C)]
+pub struct UnsafeFromForeignStruct<'a> (pub &'a u32);
+
+#[repr(C)]
+//#[allow(improper_ctype_definitions)]
+pub struct AllowedUnsafeFromForeignStruct<'a> (pub &'a u32);
+
+
+pub type SafeFnPtr = extern "C" fn(i32)->i32;
+
+pub type UnsafeFnPtr = extern "C" fn((i32,i32))->i32;
+
+#[allow(improper_c_callbacks)]
+pub type AllowedUnsafeFnPtr = extern "C" fn(&[i32])->i32;
+
+pub type UnsafeRustCalleeFnPtr = extern "C" fn(i32)->&'static i32;
+
+#[allow(improper_c_callbacks)]
+pub type AllowedUnsafeRustCalleeFnPtr = extern "C" fn(i32)->&'static i32;
+
+pub type UnsafeForeignCalleeFnPtr = extern "C" fn(&i32);
+
+#[allow(improper_c_callbacks)]
+pub type AllowedUnsafeForeignCalleeFnPtr = extern "C" fn(&i32);
+
+
+// ////////////////////////////////////
+/// types used in specific issue-based tests that need extern-crate types
+
+#[repr(C)]
+#[non_exhaustive]
+pub struct NonExhaustiveStruct {
+    pub field: u8
+}
+
+#[repr(C)]
+#[non_exhaustive]
+pub enum NonExhaustiveEnum {
+    variant(u8),
+}
+
+#[repr(C)]
+#[non_exhaustive]
+pub enum NonExhaustiveCEnum {
+    variant1,
+    variant2(()),
+}
+
+#[repr(C)]
+pub enum NonExhaustiveEnumVariant {
+    variant1,
+    #[non_exhaustive]
+    variant2((u32,)),
+}
+
+extern "C" {
+    pub fn nonexhaustivestruct_create() -> *mut NonExhaustiveStruct;
+    pub fn nonexhaustivestruct_destroy(s: *mut NonExhaustiveStruct);
+    pub fn nonexhaustiveenum_create() -> *mut NonExhaustiveEnum;
+    pub fn nonexhaustiveenum_destroy(s: *mut NonExhaustiveEnum);
+    pub fn nonexhaustivecenum_create() -> *mut NonExhaustiveCEnum;
+    pub fn nonexhaustivecenum_destroy(s: *mut NonExhaustiveCEnum);
+    pub fn nonexhaustiveenumvariant_create() -> *mut NonExhaustiveEnumVariant;
+    pub fn nonexhaustiveenumvariant_destroy(s: *mut NonExhaustiveEnumVariant);
+
+    pub fn nonexhaustivestruct_onstack() -> NonExhaustiveStruct;
+    pub fn nonexhaustivestruct_owned() -> NonExhaustiveStruct;
+}
@@ -0,0 +1,35 @@
+//@ check-pass
+#![deny(improper_ctypes)]
+
+//@ aux-build: extern_crate_types.rs
+//@ compile-flags:--extern extern_crate_types
+extern crate extern_crate_types as ext_crate;
+
+// Properly deal with non_exhaustive types:
+// the thorny logic is expressed in https://github.com/rust-lang/rust/issues/44109#issuecomment-537583344
+// and its linked comments
+//
+
+// Issue: https://github.com/rust-lang/rust/issues/132699
+// FFI-safe pointers to nonexhaustive structs should be FFI-safe too
+
+// BEGIN: this is the exact same code as in ext_crate, to compare the lints
+#[repr(C)]
+#[non_exhaustive]
+pub struct OtherNonExhaustiveStruct {
+    pub field: u8
+}
+
+extern "C" {
+    pub fn othernonexhaustivestruct_create() -> *mut OtherNonExhaustiveStruct;
+    pub fn othernonexhaustivestruct_destroy(s: *mut OtherNonExhaustiveStruct);
+}
+// END
+
+use ext_crate::NonExhaustiveStruct;
+
+extern "C" {
+    pub fn use_struct(s: *mut NonExhaustiveStruct);
+}
+
+fn main() {}