ImproperCTypes: handle uninhabited types

Add some logic to the type checking to refuse uninhabited types as
arguments,
and treat uninhabited variants of an enum as FFI-safe if at least one
variant is inhabited.

Author: niacdoial

compiler/rustc_lint/messages.ftl

@@ -406,6 +406,9 @@ lint_improper_ctypes_struct_zst = `{$ty}` contains only zero-sized fields
 lint_improper_ctypes_tuple_help = consider using a struct instead
 lint_improper_ctypes_tuple_reason = tuples have unspecified layout
 
+lint_improper_ctypes_uninhabited_enum = zero-variant enums and other uninhabited types are not allowed in function arguments and static variables
+lint_improper_ctypes_uninhabited_never = the never type (`!`) and other uninhabited types are not allowed in function arguments and static variables
+
 lint_improper_ctypes_union_consider_transparent = `{$ty}` has exactly one non-zero-sized field, consider making it `#[repr(transparent)]` instead
 lint_improper_ctypes_union_fieldless_help = consider adding a member to this union
 lint_improper_ctypes_union_fieldless_reason = this union has no fields

compiler/rustc_lint/src/types/improper_ctypes.rs

@@ -389,7 +389,6 @@ impl<'tcx> FfiResult<'tcx> {
     /// if the note at their core reason is one in a provided list.
     /// If the FfiResult is not FfiUnsafe, or if no reasons are plucked,
     /// then return FfiSafe.
-    #[expect(unused)]
     fn take_with_core_note(&mut self, notes: &[DiagMessage]) -> Self {
         match self {
             Self::FfiUnsafe(this) => {
@@ -902,6 +901,20 @@ impl<'a, 'tcx> ImproperCTypesVisitor<'a, 'tcx> {
         all_ffires
     }
 
+    /// Checks whether an uninhabited type (one without valid values) is safe-ish to have here.
+    fn visit_uninhabited(&self, state: VisitorState, ty: Ty<'tcx>) -> FfiResult<'tcx> {
+        if state.is_in_function_return() {
+            FfiResult::FfiSafe
+        } else {
+            let desc = match ty.kind() {
+                ty::Adt(..) => fluent::lint_improper_ctypes_uninhabited_enum,
+                ty::Never => fluent::lint_improper_ctypes_uninhabited_never,
+                r @ _ => bug!("unexpected ty_kind in uninhabited type handling: {:?}", r),
+            };
+            FfiResult::new_with_reason(ty, desc, None)
+        }
+    }
+
     /// Return the right help for Cstring and Cstr-linked unsafety.
     fn visit_cstr(&mut self, state: VisitorState, ty: Ty<'tcx>) -> FfiResult<'tcx> {
         debug_assert!(matches!(ty.kind(), ty::Adt(def, _)
@@ -1022,6 +1035,24 @@ impl<'a, 'tcx> ImproperCTypesVisitor<'a, 'tcx> {
             if !matches!(def.adt_kind(), AdtKind::Enum) && def.repr().transparent() {
                 // determine if there is 0 or 1 non-1ZST field, and which it is.
                 // (note: for enums, "transparent" means 1-variant)
+                if ty.is_privately_uninhabited(self.cx.tcx, self.cx.typing_env()) {
+                    // let's consider transparent structs to be maybe unsafe if uninhabited,
+                    // even if that is because of fields otherwise ignored in FFI-safety checks
+                    // FIXME(ctypes): and also maybe this should be "!is_inhabited_from" but from where?
+                    ffires_accumulator += variant
+                        .fields
+                        .iter()
+                        .map(|field| {
+                            let field_ty = get_type_from_field(self.cx, field, args);
+                            let mut field_res = self.visit_type(state.get_next(ty), field_ty);
+                            field_res.take_with_core_note(&[
+                                fluent::lint_improper_ctypes_uninhabited_enum,
+                                fluent::lint_improper_ctypes_uninhabited_never,
+                            ])
+                        })
+                        .reduce(|r1, r2| r1 + r2)
+                        .unwrap() // if uninhabited, then >0 fields
+                }
                 if let Some(field) = super::transparent_newtype_field(self.cx.tcx, variant) {
                     // Transparent newtypes have at most one non-ZST field which needs to be checked later
                     (false, vec![field])
@@ -1212,8 +1243,8 @@ impl<'a, 'tcx> ImproperCTypesVisitor<'a, 'tcx> {
         use FfiResult::*;
 
         if def.variants().is_empty() {
-            // Empty enums are okay... although sort of useless.
-            return FfiSafe;
+            // Empty enums are implicitly handled as the never type:
+            return self.visit_uninhabited(state, ty);
         }
         // Check for a repr() attribute to specify the size of the
         // discriminant.
@@ -1242,7 +1273,6 @@ impl<'a, 'tcx> ImproperCTypesVisitor<'a, 'tcx> {
             nonexhaustive_flag |= nonex_enum;
             nonexhaustive_variant_flag |= nonex_var;
         });
-
         // "nonexhaustive" lints only happen outside of the crate defining the enum, so no CItemKind override
         // (meaning: the fault lies in the function call, not the enum)
         if nonexhaustive_flag {
@@ -1254,18 +1284,33 @@ impl<'a, 'tcx> ImproperCTypesVisitor<'a, 'tcx> {
                 None,
             )
         } else {
-            let ffires = def
+            // small caveat to checking the variants: we authorise up to n-1 invariants
+            // to be unsafe because uninhabited.
+            // so for now let's isolate those unsafeties
+            let mut variants_uninhabited_ffires = vec![FfiSafe; def.variants().len()];
+
+            let mut ffires = def
                 .variants()
                 .iter()
-                .map(|variant| {
-                    let variant_res = self.visit_variant_fields(state, ty, def, variant, args);
+                .enumerate()
+                .map(|(variant_i, variant)| {
+                    let mut variant_res = self.visit_variant_fields(state, ty, def, variant, args);
+                    variants_uninhabited_ffires[variant_i] = variant_res.take_with_core_note(&[
+                        fluent::lint_improper_ctypes_uninhabited_enum,
+                        fluent::lint_improper_ctypes_uninhabited_never,
+                    ]);
                     // FIXME(ctypes): check that enums allow any (up to all) variants to be phantoms?
                     // (previous code says no, but I don't know why? the problem with phantoms is that they're ZSTs, right?)
                     variant_res.forbid_phantom()
                 })
                 .reduce(|r1, r2| r1 + r2)
                 .unwrap(); // always at least one variant if we hit this branch
 
+            if variants_uninhabited_ffires.iter().all(|res| matches!(res, FfiUnsafe(..))) {
+                // if the enum is uninhabited, because all its variants are uninhabited
+                ffires += variants_uninhabited_ffires.into_iter().reduce(|r1, r2| r1 + r2).unwrap();
+            }
+
             // this enum is visited in the middle of another lint,
             // so we override the "cause type" of the lint
             // (for more detail, see comment in ``visit_struct_union`` before its call to ``ffires.with_overrides``)
@@ -1432,7 +1477,7 @@ impl<'a, 'tcx> ImproperCTypesVisitor<'a, 'tcx> {
 
             ty::Foreign(..) => FfiSafe,
 
-            ty::Never => FfiSafe,
+            ty::Never => self.visit_uninhabited(state, ty),
 
             // While opaque types are checked for earlier, if a projection in a struct field
             // normalizes to an opaque type, then it will reach this branch.

tests/ui/lint/improper-ctypes/lint-enum.rs

@@ -78,7 +78,7 @@ struct Field(());
 enum NonExhaustive {}
 
 extern "C" {
-    fn zf(x: Z);
+    fn zf(x: Z); //~ ERROR `extern` block uses type `Z`
     fn uf(x: U); //~ ERROR `extern` block uses type `U`
     fn bf(x: B); //~ ERROR `extern` block uses type `B`
     fn tf(x: T); //~ ERROR `extern` block uses type `T`

tests/ui/lint/improper-ctypes/lint-enum.stderr

@@ -1,3 +1,21 @@
+error: `extern` block uses type `Z`, which is not FFI-safe
+  --> $DIR/lint-enum.rs:81:14
+   |
+LL |     fn zf(x: Z);
+   |              ^ not FFI-safe
+   |
+   = note: zero-variant enums and other uninhabited types are not allowed in function arguments and static variables
+note: the type is defined here
+  --> $DIR/lint-enum.rs:8:1
+   |
+LL | enum Z {}
+   | ^^^^^^
+note: the lint level is defined here
+  --> $DIR/lint-enum.rs:2:9
+   |
+LL | #![deny(improper_ctypes)]
+   |         ^^^^^^^^^^^^^^^
+
 error: `extern` block uses type `U`, which is not FFI-safe
   --> $DIR/lint-enum.rs:82:14
    |
@@ -11,11 +29,6 @@ note: the type is defined here
    |
 LL | enum U {
    | ^^^^^^
-note: the lint level is defined here
-  --> $DIR/lint-enum.rs:2:9
-   |
-LL | #![deny(improper_ctypes)]
-   |         ^^^^^^^^^^^^^^^
 
 error: `extern` block uses type `B`, which is not FFI-safe
   --> $DIR/lint-enum.rs:83:14
@@ -207,5 +220,5 @@ LL |     fn result_unit_t_e(x: Result<(), ()>);
    = help: consider adding a `#[repr(C)]`, `#[repr(transparent)]`, or integer `#[repr(...)]` attribute to this enum
    = note: enum has no representation hint
 
-error: aborting due to 21 previous errors
+error: aborting due to 22 previous errors
 

tests/ui/lint/improper-ctypes/lint_uninhabited.rs

@@ -0,0 +1,75 @@
+#![feature(never_type)]
+
+#![allow(dead_code, unused_variables)]
+#![deny(improper_ctypes)]
+#![deny(improper_c_fn_definitions, improper_c_callbacks)]
+
+use std::mem::transmute;
+
+enum Uninhabited{}
+
+#[repr(C)]
+struct AlsoUninhabited{
+    a: Uninhabited,
+    b: i32,
+}
+
+#[repr(C)]
+enum Inhabited{
+    OhNo(Uninhabited),
+    OhYes(i32),
+}
+
+struct EmptyRust;
+
+#[repr(transparent)]
+struct HalfHiddenUninhabited {
+    is_this_a_tuple: (i8,i8),
+    zst_inh: EmptyRust,
+    zst_uninh: !,
+}
+
+extern "C" {
+
+fn bad_entry(e: AlsoUninhabited); //~ ERROR: uses type `AlsoUninhabited`
+fn bad_exit()->AlsoUninhabited;
+
+fn bad0_entry(e: Uninhabited); //~ ERROR: uses type `Uninhabited`
+fn bad0_exit()->Uninhabited;
+
+fn good_entry(e: Inhabited);
+fn good_exit()->Inhabited;
+
+fn never_entry(e:!); //~ ERROR: uses type `!`
+fn never_exit()->!;
+
+}
+
+extern "C" fn impl_bad_entry(e: AlsoUninhabited) {} //~ ERROR: uses type `AlsoUninhabited`
+extern "C" fn impl_bad_exit()->AlsoUninhabited {
+    AlsoUninhabited{
+        a: impl_bad0_exit(),
+        b: 0,
+    }
+}
+
+extern "C" fn impl_bad0_entry(e: Uninhabited) {} //~ ERROR: uses type `Uninhabited`
+extern "C" fn impl_bad0_exit()->Uninhabited {
+    unsafe{transmute(())} //~ WARN: does not permit zero-initialization
+}
+
+extern "C" fn impl_good_entry(e: Inhabited) {}
+extern "C" fn impl_good_exit() -> Inhabited {
+    Inhabited::OhYes(0)
+}
+
+extern "C" fn impl_never_entry(e:!){} //~ ERROR: uses type `!`
+extern "C" fn impl_never_exit()->! {
+    loop{}
+}
+
+extern "C" fn weird_pattern(e:HalfHiddenUninhabited){}
+//~^ ERROR: uses type `HalfHiddenUninhabited`
+
+
+fn main(){}

tests/ui/lint/improper-ctypes/lint_uninhabited.stderr

@@ -0,0 +1,121 @@
+error: `extern` block uses type `AlsoUninhabited`, which is not FFI-safe
+  --> $DIR/lint_uninhabited.rs:34:17
+   |
+LL | fn bad_entry(e: AlsoUninhabited);
+   |                 ^^^^^^^^^^^^^^^ not FFI-safe
+   |
+   = help: `AlsoUninhabited` has exactly one non-zero-sized field, consider making it `#[repr(transparent)]` instead
+   = note: this struct/enum/union (`AlsoUninhabited`) is FFI-unsafe due to a `Uninhabited` field
+note: the type is defined here
+  --> $DIR/lint_uninhabited.rs:12:1
+   |
+LL | struct AlsoUninhabited{
+   | ^^^^^^^^^^^^^^^^^^^^^^
+   = note: zero-variant enums and other uninhabited types are not allowed in function arguments and static variables
+note: the type is defined here
+  --> $DIR/lint_uninhabited.rs:9:1
+   |
+LL | enum Uninhabited{}
+   | ^^^^^^^^^^^^^^^^
+note: the lint level is defined here
+  --> $DIR/lint_uninhabited.rs:4:9
+   |
+LL | #![deny(improper_ctypes)]
+   |         ^^^^^^^^^^^^^^^
+
+error: `extern` block uses type `Uninhabited`, which is not FFI-safe
+  --> $DIR/lint_uninhabited.rs:37:18
+   |
+LL | fn bad0_entry(e: Uninhabited);
+   |                  ^^^^^^^^^^^ not FFI-safe
+   |
+   = note: zero-variant enums and other uninhabited types are not allowed in function arguments and static variables
+note: the type is defined here
+  --> $DIR/lint_uninhabited.rs:9:1
+   |
+LL | enum Uninhabited{}
+   | ^^^^^^^^^^^^^^^^
+
+error: `extern` block uses type `!`, which is not FFI-safe
+  --> $DIR/lint_uninhabited.rs:43:18
+   |
+LL | fn never_entry(e:!);
+   |                  ^ not FFI-safe
+   |
+   = note: the never type (`!`) and other uninhabited types are not allowed in function arguments and static variables
+
+error: `extern` fn uses type `AlsoUninhabited`, which is not FFI-safe
+  --> $DIR/lint_uninhabited.rs:48:33
+   |
+LL | extern "C" fn impl_bad_entry(e: AlsoUninhabited) {}
+   |                                 ^^^^^^^^^^^^^^^ not FFI-safe
+   |
+   = help: `AlsoUninhabited` has exactly one non-zero-sized field, consider making it `#[repr(transparent)]` instead
+   = note: this struct/enum/union (`AlsoUninhabited`) is FFI-unsafe due to a `Uninhabited` field
+note: the type is defined here
+  --> $DIR/lint_uninhabited.rs:12:1
+   |
+LL | struct AlsoUninhabited{
+   | ^^^^^^^^^^^^^^^^^^^^^^
+   = note: zero-variant enums and other uninhabited types are not allowed in function arguments and static variables
+note: the type is defined here
+  --> $DIR/lint_uninhabited.rs:9:1
+   |
+LL | enum Uninhabited{}
+   | ^^^^^^^^^^^^^^^^
+note: the lint level is defined here
+  --> $DIR/lint_uninhabited.rs:5:9
+   |
+LL | #![deny(improper_c_fn_definitions, improper_c_callbacks)]
+   |         ^^^^^^^^^^^^^^^^^^^^^^^^^
+
+error: `extern` fn uses type `Uninhabited`, which is not FFI-safe
+  --> $DIR/lint_uninhabited.rs:56:34
+   |
+LL | extern "C" fn impl_bad0_entry(e: Uninhabited) {}
+   |                                  ^^^^^^^^^^^ not FFI-safe
+   |
+   = note: zero-variant enums and other uninhabited types are not allowed in function arguments and static variables
+note: the type is defined here
+  --> $DIR/lint_uninhabited.rs:9:1
+   |
+LL | enum Uninhabited{}
+   | ^^^^^^^^^^^^^^^^
+
+warning: the type `Uninhabited` does not permit zero-initialization
+  --> $DIR/lint_uninhabited.rs:58:12
+   |
+LL |     unsafe{transmute(())}
+   |            ^^^^^^^^^^^^^ this code causes undefined behavior when executed
+   |
+note: enums with no inhabited variants have no valid value
+  --> $DIR/lint_uninhabited.rs:9:1
+   |
+LL | enum Uninhabited{}
+   | ^^^^^^^^^^^^^^^^
+   = note: `#[warn(invalid_value)]` on by default
+
+error: `extern` fn uses type `!`, which is not FFI-safe
+  --> $DIR/lint_uninhabited.rs:66:34
+   |
+LL | extern "C" fn impl_never_entry(e:!){}
+   |                                  ^ not FFI-safe
+   |
+   = note: the never type (`!`) and other uninhabited types are not allowed in function arguments and static variables
+
+error: `extern` fn uses type `HalfHiddenUninhabited`, which is not FFI-safe
+  --> $DIR/lint_uninhabited.rs:71:31
+   |
+LL | extern "C" fn weird_pattern(e:HalfHiddenUninhabited){}
+   |                               ^^^^^^^^^^^^^^^^^^^^^ not FFI-safe
+   |
+   = note: this struct/enum/union (`HalfHiddenUninhabited`) is FFI-unsafe due to a `!` field
+note: the type is defined here
+  --> $DIR/lint_uninhabited.rs:26:1
+   |
+LL | struct HalfHiddenUninhabited {
+   | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   = note: the never type (`!`) and other uninhabited types are not allowed in function arguments and static variables
+
+error: aborting due to 7 previous errors; 1 warning emitted
+