Raw access to an union field was unsafe before Rust 1.92

Author: samueltardieu

book/src/lint_configuration.md

@@ -892,6 +892,7 @@ The minimum rust version that the project supports. Defaults to the `rust-versio
 * [`mem_replace_option_with_some`](https://rust-lang.github.io/rust-clippy/master/index.html#mem_replace_option_with_some)
 * [`mem_replace_with_default`](https://rust-lang.github.io/rust-clippy/master/index.html#mem_replace_with_default)
 * [`missing_const_for_fn`](https://rust-lang.github.io/rust-clippy/master/index.html#missing_const_for_fn)
+* [`multiple_unsafe_ops_per_block`](https://rust-lang.github.io/rust-clippy/master/index.html#multiple_unsafe_ops_per_block)
 * [`needless_borrow`](https://rust-lang.github.io/rust-clippy/master/index.html#needless_borrow)
 * [`non_std_lazy_statics`](https://rust-lang.github.io/rust-clippy/master/index.html#non_std_lazy_statics)
 * [`option_as_ref_deref`](https://rust-lang.github.io/rust-clippy/master/index.html#option_as_ref_deref)

clippy_config/src/conf.rs

@@ -781,6 +781,7 @@ define_Conf! {
         mem_replace_option_with_some,
         mem_replace_with_default,
         missing_const_for_fn,
+        multiple_unsafe_ops_per_block,
         needless_borrow,
         non_std_lazy_statics,
         option_as_ref_deref,

clippy_lints/src/lib.rs

@@ -725,7 +725,7 @@ pub fn register_lint_passes(store: &mut rustc_lint::LintStore, conf: &'static Co
     store.register_late_pass(move |_| Box::new(semicolon_block::SemicolonBlock::new(conf)));
     store.register_late_pass(|_| Box::new(permissions_set_readonly_false::PermissionsSetReadonlyFalse));
     store.register_late_pass(|_| Box::new(size_of_ref::SizeOfRef));
-    store.register_late_pass(|_| Box::new(multiple_unsafe_ops_per_block::MultipleUnsafeOpsPerBlock));
+    store.register_late_pass(move |_| Box::new(multiple_unsafe_ops_per_block::MultipleUnsafeOpsPerBlock::new(conf)));
     store.register_late_pass(move |_| Box::new(extra_unused_type_parameters::ExtraUnusedTypeParameters::new(conf)));
     store.register_late_pass(|_| Box::new(no_mangle_with_rust_abi::NoMangleWithRustAbi));
     store.register_late_pass(|_| Box::new(collection_is_never_read::CollectionIsNeverRead));

clippy_lints/src/multiple_unsafe_ops_per_block.rs

@@ -1,6 +1,8 @@
-use clippy_utils::desugar_await;
+use clippy_config::Conf;
 use clippy_utils::diagnostics::span_lint_and_then;
+use clippy_utils::msrvs::Msrv;
 use clippy_utils::visitors::{Descend, Visitable, for_each_expr};
+use clippy_utils::{desugar_await, msrvs};
 use core::ops::ControlFlow::Continue;
 use hir::def::{DefKind, Res};
 use hir::{BlockCheckMode, ExprKind, QPath, UnOp};
@@ -9,7 +11,7 @@ use rustc_data_structures::fx::FxHashSet;
 use rustc_hir as hir;
 use rustc_lint::{LateContext, LateLintPass};
 use rustc_middle::ty;
-use rustc_session::declare_lint_pass;
+use rustc_session::impl_lint_pass;
 use rustc_span::{DesugaringKind, Span};
 
 declare_clippy_lint! {
@@ -61,7 +63,18 @@ declare_clippy_lint! {
     restriction,
     "more than one unsafe operation per `unsafe` block"
 }
-declare_lint_pass!(MultipleUnsafeOpsPerBlock => [MULTIPLE_UNSAFE_OPS_PER_BLOCK]);
+
+pub struct MultipleUnsafeOpsPerBlock {
+    msrv: Msrv,
+}
+
+impl_lint_pass!(MultipleUnsafeOpsPerBlock => [MULTIPLE_UNSAFE_OPS_PER_BLOCK]);
+
+impl MultipleUnsafeOpsPerBlock {
+    pub fn new(conf: &Conf) -> Self {
+        Self { msrv: conf.msrv }
+    }
+}
 
 impl<'tcx> LateLintPass<'tcx> for MultipleUnsafeOpsPerBlock {
     fn check_block(&mut self, cx: &LateContext<'tcx>, block: &'tcx hir::Block<'_>) {
@@ -72,7 +85,7 @@ impl<'tcx> LateLintPass<'tcx> for MultipleUnsafeOpsPerBlock {
             return;
         }
         let mut unsafe_ops = vec![];
-        collect_unsafe_exprs(cx, block, &mut unsafe_ops);
+        collect_unsafe_exprs(cx, block, &mut unsafe_ops, self.msrv);
         if unsafe_ops.len() > 1 {
             span_lint_and_then(
                 cx,
@@ -96,14 +109,15 @@ fn collect_unsafe_exprs<'tcx>(
     cx: &LateContext<'tcx>,
     node: impl Visitable<'tcx>,
     unsafe_ops: &mut Vec<(&'static str, Span)>,
+    msrv: Msrv,
 ) {
     let mut ignored_field = FxHashSet::default();
     for_each_expr(cx, node, |expr| {
         match expr.kind {
             // The `await` itself will desugar to two unsafe calls, but we should ignore those.
             // Instead, check the expression that is `await`ed
             _ if let Some(e) = desugar_await(expr) => {
-                collect_unsafe_exprs(cx, e, unsafe_ops);
+                collect_unsafe_exprs(cx, e, unsafe_ops, msrv);
                 return Continue(Descend::No);
             },
 
@@ -113,7 +127,15 @@ fn collect_unsafe_exprs<'tcx>(
             // still be checked, it should not trigger if the place is a union field. The prefix of the field
             // access should still be checked, so it is necessary to descend.
             ExprKind::AddrOf(BorrowKind::Raw, _, mut inner_expr) => {
+                // Checking current MSRV might be expensive, do it only if necessary
+                let mut msrv_checked = false;
                 while let ExprKind::Field(e, _) = inner_expr.kind {
+                    if !msrv_checked {
+                        if !msrv.meets(cx, msrvs::SAFE_RAW_PTR_TO_UNION_FIELD) {
+                            break;
+                        }
+                        msrv_checked = true;
+                    }
                     ignored_field.insert(inner_expr.hir_id);
                     inner_expr = e;
                 }
@@ -186,7 +208,7 @@ fn collect_unsafe_exprs<'tcx>(
                     ))
                 ) {
                     unsafe_ops.push(("modification of a mutable static occurs here", expr.span));
-                    collect_unsafe_exprs(cx, rhs, unsafe_ops);
+                    collect_unsafe_exprs(cx, rhs, unsafe_ops, msrv);
                     return Continue(Descend::No);
                 }
             },

clippy_utils/src/msrvs.rs

@@ -23,6 +23,7 @@ macro_rules! msrv_aliases {
 
 // names may refer to stabilized feature flags or library items
 msrv_aliases! {
+    1,92,0 { SAFE_RAW_PTR_TO_UNION_FIELD }
     1,88,0 { LET_CHAINS }
     1,87,0 { OS_STR_DISPLAY, INT_MIDPOINT, CONST_CHAR_IS_DIGIT, UNSIGNED_IS_MULTIPLE_OF, INTEGER_SIGN_CAST }
     1,85,0 { UINT_FLOAT_MIDPOINT, CONST_SIZE_OF_VAL }

tests/ui/multiple_unsafe_ops_per_block.rs

@@ -1,5 +1,6 @@
 //@needs-asm-support
 //@aux-build:proc_macros.rs
+#![feature(stmt_expr_attributes)]
 #![expect(
     dropping_copy_types,
     clippy::unnecessary_operation,
@@ -218,12 +219,21 @@ fn issue16076() {
 
     let u = U { i: 0 };
 
-    // Taking a raw pointer to a place is safe
+    // Taking a raw pointer to a place is safe since Rust 1.92
+    #[clippy::msrv = "1.92"]
     unsafe {
         _ = &raw const u.i;
         _ = &raw const u.i;
     }
 
+    // However it was not the case before Rust 1.92
+    #[clippy::msrv = "1.91"]
+    unsafe {
+        //~^ multiple_unsafe_ops_per_block
+        _ = &raw const u.i;
+        _ = &raw const u.i;
+    }
+
     // Taking a reference to a union field is not safe
     unsafe {
         //~^ multiple_unsafe_ops_per_block