Re: [PATCH v8 6/6] rust: enable `clippy::ref_as_ptr` lint

From: Tamir Duberstein
Date: Tue Apr 15 2025 - 16:11:00 EST


On Tue, Apr 15, 2025 at 2:18 PM Boqun Feng <boqun.feng@xxxxxxxxx> wrote:
>
> On Tue, Apr 15, 2025 at 01:58:41PM -0400, Tamir Duberstein wrote:
> > Hi Boqun, thanks for having a look!
> >
> > On Tue, Apr 15, 2025 at 1:37 PM Boqun Feng <boqun.feng@xxxxxxxxx> wrote:
> > >
> > > On Wed, Apr 09, 2025 at 10:47:23AM -0400, Tamir Duberstein wrote:
> > > > In Rust 1.78.0, Clippy introduced the `ref_as_ptr` lint [1]:
> > > >
> > > > > Using `as` casts may result in silently changing mutability or type.
> > > >
> > > > While this doesn't eliminate unchecked `as` conversions, it makes such
> > > > conversions easier to scrutinize. It also has the slight benefit of
> > > > removing a degree of freedom on which to bikeshed. Thus apply the
> > > > changes and enable the lint -- no functional change intended.
> > > >
> > > > Link: https://rust-lang.github.io/rust-clippy/master/index.html#ref_as_ptr [1]
> > > > Suggested-by: Benno Lossin <benno.lossin@xxxxxxxxx>
> > > > Link: https://lore.kernel.org/all/D8PGG7NTWB6U.3SS3A5LN4XWMN@xxxxxxxxx/
> > > > Signed-off-by: Tamir Duberstein <tamird@xxxxxxxxx>
> > > > ---
> > > > Makefile | 1 +
> > > > rust/bindings/lib.rs | 1 +
> > > > rust/kernel/device_id.rs | 3 ++-
> > > > rust/kernel/fs/file.rs | 3 ++-
> > > > rust/kernel/str.rs | 6 ++++--
> > > > rust/kernel/uaccess.rs | 10 ++++------
> > > > rust/uapi/lib.rs | 1 +
> > > > 7 files changed, 15 insertions(+), 10 deletions(-)
> > > >
> > > > diff --git a/Makefile b/Makefile
> > > > index eb5a942241a2..2a16e02f26db 100644
> > > > --- a/Makefile
> > > > +++ b/Makefile
> > > > @@ -485,6 +485,7 @@ export rust_common_flags := --edition=2021 \
> > > > -Wclippy::no_mangle_with_rust_abi \
> > > > -Wclippy::ptr_as_ptr \
> > > > -Wclippy::ptr_cast_constness \
> > > > + -Wclippy::ref_as_ptr \
> > > > -Wclippy::undocumented_unsafe_blocks \
> > > > -Wclippy::unnecessary_safety_comment \
> > > > -Wclippy::unnecessary_safety_doc \
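Review bot: the commit message dates `ref_as_ptr` to Rust 1.78.0 but does not say how that relates to the oldest toolchain the build supports, and the new `-Wclippy::ref_as_ptr` line in `rust_common_flags` is passed unconditionally. It would help to state in the commit message that every supported Clippy knows this lint, or to gate the flag if that is not the case.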
> > > > diff --git a/rust/bindings/lib.rs b/rust/bindings/lib.rs
> > > > index b105a0d899cc..2b69016070c6 100644
> > > > --- a/rust/bindings/lib.rs
> > > > +++ b/rust/bindings/lib.rs
> > > > @@ -27,6 +27,7 @@
> > > > #[allow(dead_code)]
> > > > #[allow(clippy::cast_lossless)]
> > > > #[allow(clippy::ptr_as_ptr)]
> > > > +#[allow(clippy::ref_as_ptr)]
> > > > #[allow(clippy::undocumented_unsafe_blocks)]
> > > > mod bindings_raw {
> > > > // Manual definition for blocklisted types.
> > > > diff --git a/rust/kernel/device_id.rs b/rust/kernel/device_id.rs
> > > > index 4063f09d76d9..37cc03d1df4c 100644
> > > > --- a/rust/kernel/device_id.rs
> > > > +++ b/rust/kernel/device_id.rs
> > > > @@ -136,7 +136,8 @@ impl<T: RawDeviceId, U, const N: usize> IdTable<T, U> for IdArray<T, U, N> {
> > > > fn as_ptr(&self) -> *const T::RawType {
> > > > // This cannot be `self.ids.as_ptr()`, as the return pointer must have correct provenance
> > > > // to access the sentinel.
> > > > - (self as *const Self).cast()
> > > > + let this: *const Self = self;
> > >
> > > Hmm.. so this lint usually just requires to use a let statement instead
> > > of as expression when casting a reference to a pointer? Not 100%
> > > convinced this results in better code TBH..
> >
> > The rationale is in the lint description and quoted in the commit
> > message: "Using `as` casts may result in silently changing mutability
> > or type.".
> >
>
> Could you show me how you can silently change the mutability or type? A
> simple try like below doesn't compile:
>
> let x = &42;
> let ptr = x as *mut i32; // <- error
> let another_ptr = x as *const i64; // <- error

I think the point is that the meaning of an `as` cast can change when
the type of `x` changes, which can happen at a distance. The example
shown in the clippy docs uses `as _`, which is where you get into real
trouble.

> also from the link document you shared, looks like the suggestion is to
> use core::ptr::from_{ref,mut}(), was this ever considered?

I considered it, but I thought it was ugly. We don't have a linter to
enforce it, so I'd be surprised if people reached for it.

>
> > >
> > > > + this.cast()
> > > > }
> > > >
> > > > fn id(&self, index: usize) -> &T::RawType {
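Review bot: in `as_ptr`, `this.cast()` takes its target type from the function's return type, so the destination of the cast stays implicit even though the source is now pinned by `let this: *const Self = self;`. Writing `this.cast::<T::RawType>()` would name both ends of the conversion at the cast site, which is the kind of scrutiny the commit message says the lint is meant to make easier.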
> > > > diff --git a/rust/kernel/fs/file.rs b/rust/kernel/fs/file.rs
> > > > index 791f493ada10..559a4bfa123f 100644
> > > > --- a/rust/kernel/fs/file.rs
> > > > +++ b/rust/kernel/fs/file.rs
> > > > @@ -359,12 +359,13 @@ impl core::ops::Deref for File {
> > > > type Target = LocalFile;
> > > > #[inline]
> > > > fn deref(&self) -> &LocalFile {
> > > > + let this: *const Self = self;
> > > > // SAFETY: The caller provides a `&File`, and since it is a reference, it must point at a
> > > > // valid file for the desired duration.
> > > > //
> > > > // By the type invariants, there are no `fdget_pos` calls that did not take the
> > > > // `f_pos_lock` mutex.
> > > > - unsafe { LocalFile::from_raw_file((self as *const Self).cast()) }
> > > > + unsafe { LocalFile::from_raw_file(this.cast()) }
> > > > }
> > > > }
> > > >
> > > > diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs
> > > > index 40034f77fc2f..75b4a18c67c4 100644
> > > > --- a/rust/kernel/str.rs
> > > > +++ b/rust/kernel/str.rs
> > > > @@ -28,8 +28,9 @@ pub const fn is_empty(&self) -> bool {
> > > > /// Creates a [`BStr`] from a `[u8]`.
> > > > #[inline]
> > > > pub const fn from_bytes(bytes: &[u8]) -> &Self {
> > > > + let bytes: *const [u8] = bytes;
> > > > // SAFETY: `BStr` is transparent to `[u8]`.
> > > > - unsafe { &*(bytes as *const [u8] as *const BStr) }
> > > > + unsafe { &*(bytes as *const BStr) }
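Review bot: in `from_bytes`, `let bytes: *const [u8] = bytes;` shadows the `&[u8]` parameter with a raw pointer of the same name, so `bytes` means two different things within three lines; a distinct name such as `ptr` would read more clearly. The remaining `bytes as *const BStr` is still a pointer-to-pointer `as` cast, and the SAFETY comment covers only the dereference, so a one-line comment saying why `as` is kept here would help the next reader.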
> > >
> > > unsafe { &*(bytes.cast::<BStr>()) }
> > >
> > > ? I'm curious why this dodged the other lint (ptr_as_ptr).
> >
> > The reason it has to be written this way is that BStr is !Sized, and
> > `pointer::cast` has an implicit Sized bound.
> >
> > Perhaps the lint is smart enough to avoid the suggestion in that case?
> > Seems like yes:
> > https://github.com/rust-lang/rust-clippy/blob/d3267e9230940757fde2fcb608605bf8dbfd85e1/clippy_lints/src/casts/ptr_as_ptr.rs#L36.
> >
>
> Oh, I see, so fat pointers get their way from this check? Hmm... however
> fat pointers also suffer the same problem that ptr_as_ptr prevents,
> right? How should we avoid that?

Probably the proper solution is to remove the `Sized` bound from
`pointer::cast`. Short of that, I'm not sure how -- but I don't think
this deficiency should prevent us from the benefits of this change,
even if they are a bit limited.
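
The two points discussed above (an `as` cast changing meaning when the type of `x` changes at a distance, and `pointer::cast` not applying to `!Sized` targets) shown as an added illustration. This is not code from the thread or the kernel tree; all function and type names are hypothetical.

```rust
// Added illustration; names are hypothetical, not kernel code.

/// The common `as *const _ as *const T` idiom, written against `x: &u32`.
fn as_chain_before(x: &u32) -> *const u32 {
    x as *const _ as *const u32 // `_` is inferred as `u32`
}

/// The same expression after `x` became `&&u32` elsewhere. It still
/// compiles: `_` is now inferred as `&u32`, so the result points at the
/// inner reference rather than at the integer.
fn as_chain_after(x: &&u32) -> *const u32 {
    x as *const _ as *const u32
}

/// The form used in the patch: a typed binding pins the source pointer type.
/// With `x: &&u32`, the `let` below is a type mismatch at compile time
/// instead of a pointer to the wrong object at run time.
fn typed_binding(x: &u32) -> *const u32 {
    let this: *const u32 = x;
    this
}

/// Unsized wrapper, modelled on the `BStr` case discussed in the thread.
#[repr(transparent)]
struct Bytes([u8]);

fn bytes_from_slice(bytes: &[u8]) -> &Bytes {
    let ptr: *const [u8] = bytes;
    // `ptr.cast::<Bytes>()` is rejected because `cast` requires a `Sized`
    // target, so the fat-pointer conversion has to remain an `as` cast.
    // SAFETY: `Bytes` is `repr(transparent)` over `[u8]`.
    unsafe { &*(ptr as *const Bytes) }
}

fn main() {
    let value = 7u32;
    let r = &value;
    let want = std::ptr::addr_of!(value);
    assert_eq!(as_chain_before(r), want);
    assert_eq!(typed_binding(r), want);
    assert_ne!(as_chain_after(&r), want); // address of `r`, not of `value`
    assert_eq!(bytes_from_slice(b"abc").0.len(), 3);
}
```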