-
Notifications
You must be signed in to change notification settings - Fork 12.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#[allow_internal_unsafe]
evades #![forbid(unsafe_code)]
#56768
Comments
|
@Nemo157 My concern is intended or not, a crate can use it, and that evades the global forbid unsafe-code method I'd like to use. Aside form this, the other issues are generated code and build.rs. I'm requesting for |
Not on the stable or beta channel. (you need Calling a function containing unsafe code is not linted by fn contains_unsafe_code() {
unsafe { *(0 as *mut u8) = 42; }
}
#[forbid(unsafe_code)]
pub mod safe {
pub fn foo() {
crate::contains_unsafe_code();
}
} is just like #![feature(allow_internal_unsafe)]
#[allow_internal_unsafe]
macro_rules! contains_unsafe_code {
() => {
unsafe { *(0 as *mut u8) = 42; }
}
}
pub mod safe {
pub fn foo() {
contains_unsafe_code!();
}
} Also the purpose of
|
@bjorn3 I do recognise the hard requirement on nightly, but many crates do target nightly features (optionally with feature gates). As for your analogy to functions, I already said this:
To clarify, a crate that uses the I'm requesting for this constraint to be added:
|
Maybe the following will be a better example. A crate can use this unstable feature to write unsafe code despite forbidding unsafe code. #![forbid(unsafe_code)]
#![feature(allow_internal_unsafe)]
#[allow_internal_unsafe]
macro_rules! evil {
($e:expr) => {
unsafe {
$e
}
}
}
fn main() {
println!("Hello, world! {}", evil!(*(0 as *const u8)));
} Another option would be to consider Edit: This would be weaker as the crate may allow unsafe code to enable the feature while a module forbids unsafe code - but would still be able to use the attribute; so I'd rather to be safe to make |
I do not understand the cause for concern. Look at the first two lines of that snippet: #![forbid(unsafe_code)]
#![feature(allow_internal_unsafe)] I struggle to picture any form of scenario in which these two clearly contradictory attributes could get added to a crate, go unnoticed, and cause trouble. The feature attribute must be at the root of the crate. The worst you could do is to put the forbid in a submodule so that they're in different files; but I'm not sure who you'd be trying to fool, or how! A crate willing to rely on internal details of the compiler probably has a short shelf life, anyways. |
Ehhehehe... well; https://rocket.rs/ had relied on internal details of the compiler for quite some time ;) |
@ExpHP I'd like a tool that adds the Even if not a crate-wide forbid, it should still be treated exactly as how the The alternative for me is to scan through the source code and look for these things myself, or add my own linter ala clippy; but IMHO this lint should be as official as the internal feature - IOW it isn't official, it is internal, and the compiler should be responsible. |
Steps for implementing this:
|
@oli-obk Thanks. I don't currently have (nor want) a rustc-etc build environment. I don't have a priority for this, but if it isn't resolved when I build the per-crate unsafe whitelist tool, then I'll reconsider the resource costs of a rustc build env. |
I wanna work on this, okay? |
Great! It's all yours. |
@oli-obk Thank you! I'm a newbie and have two question.
Can you give me advice please? |
For 1. you can look at the For 2. I don't know, I haven't looked at the other calls to
|
@oli-obk Thanks for answering! Sorry to bother you again but what do you think this?
|
Why are you iterating over the items? Is reporting on |
Oops, I made a mistake, sorry. Is this good?
|
Probably ;) Don't hesitate to open a PR, then I can comment on the code directly. You can run all the tests and see if any need ajusting ( |
@oli-obk OK! Could I ask you to review? |
Jup |
…bute-1, r=oli-obk Implement `check_attribute` to forbid `#[allow_internal_unsafe]` Fixes rust-lang#56768. r? @oli-obk
https://play.rust-lang.org/?version=nightly&mode=debug&edition=2018&gist=b137113f78a25cec34a258505cf41e3f
I'd like the ability to forbid the use of
unsafe_code
over all dependencies with at least a per-crate whitelist. For a quick PoC I've wrapped rustc to add--cap-lints=forbid
before cargo's arguments and useRUSTFLAGS=-Funsafe-code
to forbid unsafe code. No per-crate (or better) whitelist there.While trying to write some async code I noticed that
await!()
wasn't incore
#56767, so I checked the sources to find it is instd
but uses this scary attribute.I agree
#[allow_internal_unsafe]
should allow crates that forbid unsafe code to call the macro, but a crate with unsafe code forbidden shouldn't be able to use this attribute on its macros.The text was updated successfully, but these errors were encountered: