Static rustc_lint_defs::builtin::FUZZY_PROVENANCE_CASTS
pub static FUZZY_PROVENANCE_CASTS: &Lint
The fuzzy_provenance_casts lint detects an as cast between an integer and a pointer.
Example

```rust
#![feature(strict_provenance)]
#![warn(fuzzy_provenance_casts)]

fn main() {
    // Integer-to-pointer cast: the compiler has to guess the provenance.
    let _dangling = 16_usize as *const u8;
}
```
Explanation
This lint is part of the strict provenance effort, see issue #95228.

Casting an integer to a pointer is considered bad style, as a pointer contains, besides the address, also a provenance, indicating what memory the pointer is allowed to read/write. Casting an integer, which doesn’t have provenance, to a pointer requires the compiler to assign (guess) provenance. The compiler assigns “all exposed valid” (see the docs of ptr::from_exposed_addr for more information about this “exposing”). This penalizes the optimiser and is not well suited for dynamic analysis/dynamic program verification (e.g. Miri or CHERI platforms).
It is much better to use ptr::with_addr instead to specify the provenance you want. If using this function is not possible because the code relies on exposed provenance, then ptr::from_exposed_addr is available as an escape hatch.
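The contrast the two paragraphs above draw (an integer cast that makes the compiler guess provenance versus ptr::with_addr, which keeps the provenance of an existing pointer) is easiest to see in a tagged-pointer routine. The following is an added example and not code from the rustc documentation or the lint definition. It stashes a 2-bit tag in the low bits of a 4-byte-aligned pointer in both styles. Because ptr::with_addr is only on the unstable strict_provenance feature on the toolchain this page documents, the example uses a hypothetical with_addr_polyfill helper built on the stable wrapping_offset, which is assumed to have the same semantics: it reaches the requested address by offsetting the original pointer, so the result inherits that pointer's provenance instead of a guessed one.

```rust
// Added example (not from the rustc docs): tagging the low bits of a
// pointer with and without preserving provenance.

// Low two bits are free on a 4-byte-aligned pointer.
const TAG_MASK: usize = 0b11;

/// Hypothetical stand-in for the unstable `ptr::with_addr` (assumption:
/// same semantics). The new address is reached by *offsetting* `p`, so
/// the resulting pointer keeps the provenance of `p`. Nothing here is an
/// int-to-ptr cast, so the fuzzy_provenance_casts lint stays silent.
fn with_addr_polyfill<T>(p: *const T, addr: usize) -> *const T {
    let delta = (addr as isize).wrapping_sub(p as usize as isize);
    p.cast::<u8>().wrapping_offset(delta).cast::<T>()
}

/// Provenance-preserving tagging: the tagged pointer is derived from `p`.
fn tag_ptr(p: *const u32, tag: usize) -> *const u32 {
    debug_assert!(tag <= TAG_MASK, "tag does not fit in the low bits");
    debug_assert_eq!((p as usize) & TAG_MASK, 0, "needs 4-byte alignment");
    with_addr_polyfill(p, (p as usize) | tag)
}

/// Strip the tag again, still by offsetting the tagged pointer.
fn untag_ptr(p: *const u32) -> (*const u32, usize) {
    let addr = p as usize;
    (with_addr_polyfill(p, addr & !TAG_MASK), addr & TAG_MASK)
}

/// The style the lint warns about: the pointer is rebuilt from a bare
/// integer, so the compiler has to assign "all exposed valid" provenance.
/// Same bits on real hardware, but Miri in strict-provenance mode and
/// CHERI cannot reconstruct where this pointer is allowed to point.
fn tag_ptr_fuzzy(p: *const u32, tag: usize) -> *const u32 {
    ((p as usize) | tag) as *const u32
}

/// Round-trips a value through tag/untag and reports
/// (value read back, recovered tag, whether the fuzzy variant produced
/// the same address).
fn roundtrip() -> (u32, usize, bool) {
    let value = 0xDEAD_BEEF_u32; // constructed sample value
    let p: *const u32 = &value;

    let tagged = tag_ptr(p, 0b10);
    let (clean, tag) = untag_ptr(tagged);

    // SAFETY: `clean` was derived from `p` purely by offsetting, so it
    // carries `p`'s provenance and points back at `value`.
    let read = unsafe { *clean };

    // Address bits agree; only the provenance bookkeeping differs.
    let same_addr = tag_ptr_fuzzy(p, 0b10) as usize == tagged as usize;
    (read, tag, same_addr)
}

fn main() {
    let (read, tag, same_addr) = roundtrip();
    println!("value={read:#x} tag={tag:#b} fuzzy address matches={same_addr}");
}
```

The fuzzy variant is kept only to show that both paths yield identical bits on a conventional CPU; the example dereferences only the provenance-preserving pointer, which is the one that also passes Miri's strict-provenance mode.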