Taking a raw pointer on a union field is a safe operation

Author: samueltardieu

clippy_lints/src/multiple_unsafe_ops_per_block.rs

@@ -4,7 +4,8 @@ use clippy_utils::visitors::{Descend, Visitable, for_each_expr};
 use core::ops::ControlFlow::Continue;
 use hir::def::{DefKind, Res};
 use hir::{BlockCheckMode, ExprKind, QPath, UnOp};
-use rustc_ast::Mutability;
+use rustc_ast::{BorrowKind, Mutability};
+use rustc_data_structures::fx::FxHashSet;
 use rustc_hir as hir;
 use rustc_lint::{LateContext, LateLintPass};
 use rustc_middle::ty;
@@ -96,6 +97,7 @@ fn collect_unsafe_exprs<'tcx>(
     node: impl Visitable<'tcx>,
     unsafe_ops: &mut Vec<(&'static str, Span)>,
 ) {
+    let mut ignored_union_field = FxHashSet::default();
     for_each_expr(cx, node, |expr| {
         match expr.kind {
             // The `await` itself will desugar to two unsafe calls, but we should ignore those.
@@ -107,8 +109,15 @@ fn collect_unsafe_exprs<'tcx>(
 
             ExprKind::InlineAsm(_) => unsafe_ops.push(("inline assembly used here", expr.span)),
 
+            // Taking a raw reference on a place is a safe operation. While the inner expression should
+            // still be checked, it should not trigger if the place is a union field. The prefix of the field
+            // access should still be checked, so it is necessary to descend.
+            ExprKind::AddrOf(BorrowKind::Raw, _, inner_expr) if matches!(inner_expr.kind, ExprKind::Field(..)) => {
+                ignored_union_field.insert(inner_expr.hir_id);
+            },
+
             ExprKind::Field(e, _) => {
-                if cx.typeck_results().expr_ty(e).is_union() {
+                if cx.typeck_results().expr_ty(e).is_union() && !ignored_union_field.contains(&expr.hir_id) {
                     unsafe_ops.push(("union field access occurs here", expr.span));
                 }
             },

tests/ui/multiple_unsafe_ops_per_block.rs

@@ -209,4 +209,34 @@ async fn issue13879() {
     }
 }
 
+fn issue16076() {
+    union U {
+        i: u32,
+        f: f32,
+    }
+
+    let u = U { i: 0 };
+
+    // Taking a raw pointer to a place is safe
+    unsafe {
+        _ = &raw const u.i;
+        _ = &raw const u.i;
+    }
+
+    // Taking a reference to a union field is not safe
+    unsafe {
+        //~^ multiple_unsafe_ops_per_block
+        _ = &u.i;
+        _ = &u.i;
+    }
+
+    // Check that we still check and lint the prefix of the raw pointer to a field access
+    #[expect(clippy::deref_addrof)]
+    unsafe {
+        //~^ multiple_unsafe_ops_per_block
+        _ = &raw const (*&raw const u).i;
+        _ = &raw const (*&raw const u).i;
+    }
+}
+
 fn main() {}

tests/ui/multiple_unsafe_ops_per_block.stderr

@@ -255,5 +255,47 @@ note: unsafe function call occurs here
 LL |         Some(foo_unchecked()).unwrap_unchecked().await;
    |              ^^^^^^^^^^^^^^^
 
-error: aborting due to 11 previous errors
+error: this `unsafe` block contains 2 unsafe operations, expected only one
+  --> tests/ui/multiple_unsafe_ops_per_block.rs:227:5
+   |
+LL | /     unsafe {
+LL | |
+LL | |         _ = &u.i;
+LL | |         _ = &u.i;
+LL | |     }
+   | |_____^
+   |
+note: union field access occurs here
+  --> tests/ui/multiple_unsafe_ops_per_block.rs:229:14
+   |
+LL |         _ = &u.i;
+   |              ^^^
+note: union field access occurs here
+  --> tests/ui/multiple_unsafe_ops_per_block.rs:230:14
+   |
+LL |         _ = &u.i;
+   |              ^^^
+
+error: this `unsafe` block contains 2 unsafe operations, expected only one
+  --> tests/ui/multiple_unsafe_ops_per_block.rs:235:5
+   |
+LL | /     unsafe {
+LL | |
+LL | |         _ = &raw const (*&raw const u).i;
+LL | |         _ = &raw const (*&raw const u).i;
+LL | |     }
+   | |_____^
+   |
+note: raw pointer dereference occurs here
+  --> tests/ui/multiple_unsafe_ops_per_block.rs:237:24
+   |
+LL |         _ = &raw const (*&raw const u).i;
+   |                        ^^^^^^^^^^^^^^^
+note: raw pointer dereference occurs here
+  --> tests/ui/multiple_unsafe_ops_per_block.rs:238:24
+   |
+LL |         _ = &raw const (*&raw const u).i;
+   |                        ^^^^^^^^^^^^^^^
+
+error: aborting due to 13 previous errors