Static rustc_lint_defs::builtin::FUZZY_PROVENANCE_CASTS

pub static FUZZY_PROVENANCE_CASTS: &Lint

The fuzzy_provenance_casts lint detects an as cast between an integer and a pointer.

Example

#![feature(strict_provenance)]
#![warn(fuzzy_provenance_casts)]

fn main() {
    let _dangling = 16_usize as *const u8;
}

{{produces}}

Explanation

This lint is part of the strict provenance effort, see issue #95228. Casting an integer to a pointer is considered bad style, as a pointer contains, besides the address also a provenance, indicating what memory the pointer is allowed to read/write. Casting an integer, which doesn’t have provenance, to a pointer requires the compiler to assign (guess) provenance. The compiler assigns “all exposed valid” (see the docs of ptr::from_exposed_addr for more information about this “exposing”). This penalizes the optimiser and is not well suited for dynamic analysis/dynamic program verification (e.g. Miri or CHERI platforms).

It is much better to use ptr::with_addr instead to specify the provenance you want. If using this function is not possible because the code relies on exposed provenance then there is as an escape hatch ptr::from_exposed_addr.