1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
use itertools::Itertools;
use rustc_errors::Applicability;
use rustc_hir::def_id::DefId;
use rustc_middle::mir::visit::Visitor;
use rustc_middle::mir::*;
use rustc_middle::ty::{self, EarlyBinder, GenericArgKind, PredicateKind, SubstsRef, Ty, TyCtxt};
use rustc_session::lint::builtin::FUNCTION_ITEM_REFERENCES;
use rustc_span::{symbol::sym, Span};
use rustc_target::spec::abi::Abi;

use crate::MirLint;

pub struct FunctionItemReferences;

impl<'tcx> MirLint<'tcx> for FunctionItemReferences {
    fn run_lint(&self, tcx: TyCtxt<'tcx>, body: &Body<'tcx>) {
        let mut checker = FunctionItemRefChecker { tcx, body };
        checker.visit_body(&body);
    }
}

struct FunctionItemRefChecker<'a, 'tcx> {
    tcx: TyCtxt<'tcx>,
    body: &'a Body<'tcx>,
}

impl<'tcx> Visitor<'tcx> for FunctionItemRefChecker<'_, 'tcx> {
    /// Emits a lint for function reference arguments bound by `fmt::Pointer` or passed to
    /// `transmute`. This only handles arguments in calls outside macro expansions to avoid double
    /// counting function references formatted as pointers by macros.
    fn visit_terminator(&mut self, terminator: &Terminator<'tcx>, location: Location) {
        if let TerminatorKind::Call {
            func,
            args,
            destination: _,
            target: _,
            cleanup: _,
            from_hir_call: _,
            fn_span: _,
        } = &terminator.kind
        {
            let source_info = *self.body.source_info(location);
            let func_ty = func.ty(self.body, self.tcx);
            if let ty::FnDef(def_id, substs_ref) = *func_ty.kind() {
                // Handle calls to `transmute`
                if self.tcx.is_diagnostic_item(sym::transmute, def_id) {
                    let arg_ty = args[0].ty(self.body, self.tcx);
                    for generic_inner_ty in arg_ty.walk() {
                        if let GenericArgKind::Type(inner_ty) = generic_inner_ty.unpack() {
                            if let Some((fn_id, fn_substs)) =
                                FunctionItemRefChecker::is_fn_ref(inner_ty)
                            {
                                let span = self.nth_arg_span(&args, 0);
                                self.emit_lint(fn_id, fn_substs, source_info, span);
                            }
                        }
                    }
                } else {
                    self.check_bound_args(def_id, substs_ref, &args, source_info);
                }
            }
        }
        self.super_terminator(terminator, location);
    }
}

impl<'tcx> FunctionItemRefChecker<'_, 'tcx> {
    /// Emits a lint for function reference arguments bound by `fmt::Pointer` in calls to the
    /// function defined by `def_id` with the substitutions `substs_ref`.
    fn check_bound_args(
        &self,
        def_id: DefId,
        substs_ref: SubstsRef<'tcx>,
        args: &[Operand<'tcx>],
        source_info: SourceInfo,
    ) {
        let param_env = self.tcx.param_env(def_id);
        let bounds = param_env.caller_bounds();
        for bound in bounds {
            if let Some(bound_ty) = self.is_pointer_trait(&bound.kind().skip_binder()) {
                // Get the argument types as they appear in the function signature.
                let arg_defs = self.tcx.fn_sig(def_id).skip_binder().inputs();
                for (arg_num, arg_def) in arg_defs.iter().enumerate() {
                    // For all types reachable from the argument type in the fn sig
                    for generic_inner_ty in arg_def.walk() {
                        if let GenericArgKind::Type(inner_ty) = generic_inner_ty.unpack() {
                            // If the inner type matches the type bound by `Pointer`
                            if inner_ty == bound_ty {
                                // Do a substitution using the parameters from the callsite
                                let subst_ty = EarlyBinder(inner_ty).subst(self.tcx, substs_ref);
                                if let Some((fn_id, fn_substs)) =
                                    FunctionItemRefChecker::is_fn_ref(subst_ty)
                                {
                                    let mut span = self.nth_arg_span(args, arg_num);
                                    if span.from_expansion() {
                                        // The operand's ctxt wouldn't display the lint since it's inside a macro so
                                        // we have to use the callsite's ctxt.
                                        let callsite_ctxt = span.source_callsite().ctxt();
                                        span = span.with_ctxt(callsite_ctxt);
                                    }
                                    self.emit_lint(fn_id, fn_substs, source_info, span);
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    /// If the given predicate is the trait `fmt::Pointer`, returns the bound parameter type.
    fn is_pointer_trait(&self, bound: &PredicateKind<'tcx>) -> Option<Ty<'tcx>> {
        if let ty::PredicateKind::Trait(predicate) = bound {
            if self.tcx.is_diagnostic_item(sym::Pointer, predicate.def_id()) {
                Some(predicate.trait_ref.self_ty())
            } else {
                None
            }
        } else {
            None
        }
    }

    /// If a type is a reference or raw pointer to the anonymous type of a function definition,
    /// returns that function's `DefId` and `SubstsRef`.
    fn is_fn_ref(ty: Ty<'tcx>) -> Option<(DefId, SubstsRef<'tcx>)> {
        let referent_ty = match ty.kind() {
            ty::Ref(_, referent_ty, _) => Some(referent_ty),
            ty::RawPtr(ty_and_mut) => Some(&ty_and_mut.ty),
            _ => None,
        };
        referent_ty
            .map(|ref_ty| {
                if let ty::FnDef(def_id, substs_ref) = *ref_ty.kind() {
                    Some((def_id, substs_ref))
                } else {
                    None
                }
            })
            .unwrap_or(None)
    }

    fn nth_arg_span(&self, args: &[Operand<'tcx>], n: usize) -> Span {
        match &args[n] {
            Operand::Copy(place) | Operand::Move(place) => {
                self.body.local_decls[place.local].source_info.span
            }
            Operand::Constant(constant) => constant.span,
        }
    }

    fn emit_lint(
        &self,
        fn_id: DefId,
        fn_substs: SubstsRef<'tcx>,
        source_info: SourceInfo,
        span: Span,
    ) {
        let lint_root = self.body.source_scopes[source_info.scope]
            .local_data
            .as_ref()
            .assert_crate_local()
            .lint_root;
        let fn_sig = self.tcx.fn_sig(fn_id);
        let unsafety = fn_sig.unsafety().prefix_str();
        let abi = match fn_sig.abi() {
            Abi::Rust => String::from(""),
            other_abi => {
                let mut s = String::from("extern \"");
                s.push_str(other_abi.name());
                s.push_str("\" ");
                s
            }
        };
        let ident = self.tcx.item_name(fn_id).to_ident_string();
        let ty_params = fn_substs.types().map(|ty| format!("{}", ty));
        let const_params = fn_substs.consts().map(|c| format!("{}", c));
        let params = ty_params.chain(const_params).join(", ");
        let num_args = fn_sig.inputs().map_bound(|inputs| inputs.len()).skip_binder();
        let variadic = if fn_sig.c_variadic() { ", ..." } else { "" };
        let ret = if fn_sig.output().skip_binder().is_unit() { "" } else { " -> _" };
        self.tcx.struct_span_lint_hir(
            FUNCTION_ITEM_REFERENCES,
            lint_root,
            span,
            "taking a reference to a function item does not give a function pointer",
            |lint| {
                lint.span_suggestion(
                    span,
                    format!("cast `{}` to obtain a function pointer", ident),
                    format!(
                        "{} as {}{}fn({}{}){}",
                        if params.is_empty() { ident } else { format!("{}::<{}>", ident, params) },
                        unsafety,
                        abi,
                        vec!["_"; num_args].join(", "),
                        variadic,
                        ret,
                    ),
                    Applicability::Unspecified,
                )
            },
        );
    }
}