Recommend with_exposed_provenance instead of as casts in non-const

Urgau · Urgau · commit f1eb2c4d4501 · 2025-07-29T20:43:17.000+02:00
diff --git a/compiler/rustc_lint/src/lints.rs b/compiler/rustc_lint/src/lints.rs
@@ -1617,10 +1617,27 @@ pub(crate) struct IntegerToPtrTransmutes<'tcx> {
 }
 
 #[derive(Subdiagnostic)]
-// FIXME: recommend `with_exposed_provenance` when it's const-stable
+// FIXME: always recommend `with_exposed_provenance` when it's const-stable
 pub(crate) enum IntegerToPtrTransmutesSuggestion<'tcx> {
     #[multipart_suggestion(lint_suggestion_as, applicability = "machine-applicable")]
     ToPtr {
+        dst: Ty<'tcx>,
+        suffix: &'static str,
+        #[suggestion_part(code = "std::ptr::with_exposed_provenance{suffix}::<{dst}>(")]
+        start_call: Span,
+    },
+    #[multipart_suggestion(lint_suggestion_as, applicability = "machine-applicable")]
+    ToRef {
+        dst: Ty<'tcx>,
+        suffix: &'static str,
+        ref_mutbl: &'static str,
+        #[suggestion_part(
+            code = "&{ref_mutbl}*std::ptr::with_exposed_provenance{suffix}::<{dst}>("
+        )]
+        start_call: Span,
+    },
+    #[multipart_suggestion(lint_suggestion_as, applicability = "machine-applicable")]
+    ToPtrInConst {
         dst: Ty<'tcx>,
         paren_left: &'static str,
         paren_right: &'static str,
@@ -1630,7 +1647,7 @@ pub(crate) enum IntegerToPtrTransmutesSuggestion<'tcx> {
         end_call: Span,
     },
     #[multipart_suggestion(lint_suggestion_as, applicability = "machine-applicable")]
-    ToRef {
+    ToRefInConst {
         dst: Ty<'tcx>,
         ptr_mutbl: &'static str,
         ref_mutbl: &'static str,
diff --git a/compiler/rustc_lint/src/transmute.rs b/compiler/rustc_lint/src/transmute.rs
@@ -90,13 +90,15 @@ declare_lint! {
     /// Any attempt to use the resulting pointers are undefined behavior as the resulting
     /// pointers won't have any provenance.
     ///
-    /// Alternatively, `as` casts should be used, as they do not carry the provenance
-    /// requirement or if the wanting to create pointers without provenance
-    /// `ptr::without_provenance_mut` should be used.
+    /// Alternatively, [`std::ptr::with_exposed_provenance`] or `as` casts should be used,
+    /// as they do not carry the provenance requirement. If the wanting to create pointers
+    /// without provenance [`std::ptr::without_provenance`] should be used instead.
     ///
-    /// See [std::mem::transmute] in the reference for more details.
+    /// See [`std::mem::transmute`] in the reference for more details.
     ///
-    /// [std::mem::transmute]: https://doc.rust-lang.org/std/mem/fn.transmute.html
+    /// [`std::mem::transmute`]: https://doc.rust-lang.org/std/mem/fn.transmute.html
+    /// [`std::ptr::with_exposed_provenance`]: https://doc.rust-lang.org/std/ptr/fn.with_exposed_provenance.html
+    /// [`std::ptr::without_provenance`]: https://doc.rust-lang.org/std/ptr/fn.without_provenance.html
     pub INTEGER_TO_PTR_TRANSMUTES,
     Warn,
     "detects integer to pointer transmutes",
@@ -152,36 +154,56 @@ fn check_int_to_ptr_transmute<'tcx>(
             .layout_of(cx.typing_env().as_query_input(*inner_ty))
             .is_ok_and(|layout| !layout.is_1zst())
     {
-        // does the argument needs parenthesis
-        let mut paren_left = "";
-        let mut paren_right = "";
-        if matches!(arg.kind, hir::ExprKind::Binary(..)) {
-            paren_left = "(";
-            paren_right = ")";
-        }
-
         cx.tcx.emit_node_span_lint(
             INTEGER_TO_PTR_TRANSMUTES,
             expr.hir_id,
             expr.span,
             IntegerToPtrTransmutes {
-                suggestion: if dst.is_ref() {
-                    IntegerToPtrTransmutesSuggestion::ToRef {
-                        dst: *inner_ty,
-                        ref_mutbl: mutbl.prefix_str(),
-                        ptr_mutbl: mutbl.ptr_str(),
-                        paren_left,
-                        paren_right,
-                        start_call: expr.span.shrink_to_lo().until(arg.span),
-                        end_call: arg.span.shrink_to_hi().until(expr.span.shrink_to_hi()),
+                // FIXME: once https://github.com/rust-lang/rust/issues/144538 finishes,
+                // we can recommend the method in const context too.
+                suggestion: if !cx.tcx.hir_is_inside_const_context(expr.hir_id) {
+                    let suffix = if mutbl.is_mut() { "_mut" } else { "" };
+                    if dst.is_ref() {
+                        IntegerToPtrTransmutesSuggestion::ToRef {
+                            dst: *inner_ty,
+                            suffix,
+                            ref_mutbl: mutbl.prefix_str(),
+                            start_call: expr.span.shrink_to_lo().until(arg.span),
+                        }
+                    } else {
+                        IntegerToPtrTransmutesSuggestion::ToPtr {
+                            dst: *inner_ty,
+                            suffix,
+                            start_call: expr.span.shrink_to_lo().until(arg.span),
+                        }
                     }
                 } else {
-                    IntegerToPtrTransmutesSuggestion::ToPtr {
-                        dst,
-                        paren_left,
-                        paren_right,
-                        start_call: expr.span.shrink_to_lo().until(arg.span),
-                        end_call: arg.span.shrink_to_hi().until(expr.span.shrink_to_hi()),
+                    // does the argument needs parenthesis
+                    let mut paren_left = "";
+                    let mut paren_right = "";
+                    if matches!(arg.kind, hir::ExprKind::Binary(..)) {
+                        paren_left = "(";
+                        paren_right = ")";
+                    }
+
+                    if dst.is_ref() {
+                        IntegerToPtrTransmutesSuggestion::ToRefInConst {
+                            dst: *inner_ty,
+                            ref_mutbl: mutbl.prefix_str(),
+                            ptr_mutbl: mutbl.ptr_str(),
+                            paren_left,
+                            paren_right,
+                            start_call: expr.span.shrink_to_lo().until(arg.span),
+                            end_call: arg.span.shrink_to_hi().until(expr.span.shrink_to_hi()),
+                        }
+                    } else {
+                        IntegerToPtrTransmutesSuggestion::ToPtrInConst {
+                            dst,
+                            paren_left,
+                            paren_right,
+                            start_call: expr.span.shrink_to_lo().until(arg.span),
+                            end_call: arg.span.shrink_to_hi().until(expr.span.shrink_to_hi()),
+                        }
                     }
                 },
             },
diff --git a/tests/ui/lint/int_to_ptr.fixed b/tests/ui/lint/int_to_ptr.fixed
@@ -7,21 +7,31 @@
 #![allow(dead_code)]
 
 unsafe fn should_lint(a: usize) {
-    let _ptr = unsafe { a as *const u8 };
+    let _ptr: *const u8 = unsafe { std::ptr::with_exposed_provenance::<u8>(a) };
     //~^ WARN transmuting an integer to a pointer
-    let _ptr = unsafe { &*(a as *const u8) };
+    let _ptr: *mut u8 = unsafe { std::ptr::with_exposed_provenance_mut::<u8>(a) };
     //~^ WARN transmuting an integer to a pointer
-    let _ptr = unsafe { 42usize as *const u8 };
+    let _ref: &'static u8 = unsafe { &*std::ptr::with_exposed_provenance::<u8>(a) };
     //~^ WARN transmuting an integer to a pointer
-    let _ptr = unsafe { (a + a) as *const u8 };
+    let _ref: &'static mut u8 = unsafe { &mut *std::ptr::with_exposed_provenance_mut::<u8>(a) };
+    //~^ WARN transmuting an integer to a pointer
+
+    let _ptr = unsafe { std::ptr::with_exposed_provenance::<u8>(42usize) };
+    //~^ WARN transmuting an integer to a pointer
+    let _ptr = unsafe { std::ptr::with_exposed_provenance::<u8>(a + a) };
     //~^ WARN transmuting an integer to a pointer
 }
 
 const unsafe fn should_lintin_const(a: usize) {
-    let _ptr = unsafe { a as *const u8 };
+    let _ptr: *const u8 = unsafe { a as *const u8 };
+    //~^ WARN transmuting an integer to a pointer
+    let _ptr: *mut u8 = unsafe { a as *mut u8 };
     //~^ WARN transmuting an integer to a pointer
-    let _ptr = unsafe { &*(a as *const u8) };
+    let _ref: &'static u8 = unsafe { &*(a as *const u8) };
     //~^ WARN transmuting an integer to a pointer
+    let _ref: &'static mut u8 = unsafe { &mut *(a as *mut u8) };
+    //~^ WARN transmuting an integer to a pointer
+
     let _ptr = unsafe { 42usize as *const u8 };
     //~^ WARN transmuting an integer to a pointer
     let _ptr = unsafe { (a + a) as *const u8 };
diff --git a/tests/ui/lint/int_to_ptr.rs b/tests/ui/lint/int_to_ptr.rs
@@ -7,21 +7,31 @@
 #![allow(dead_code)]
 
 unsafe fn should_lint(a: usize) {
-    let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(a) };
+    let _ptr: *const u8 = unsafe { std::mem::transmute::<usize, *const u8>(a) };
     //~^ WARN transmuting an integer to a pointer
-    let _ptr = unsafe { std::mem::transmute::<usize, &'static u8>(a) };
+    let _ptr: *mut u8 = unsafe { std::mem::transmute::<usize, *mut u8>(a) };
     //~^ WARN transmuting an integer to a pointer
+    let _ref: &'static u8 = unsafe { std::mem::transmute::<usize, &'static u8>(a) };
+    //~^ WARN transmuting an integer to a pointer
+    let _ref: &'static mut u8 = unsafe { std::mem::transmute::<usize, &'static mut u8>(a) };
+    //~^ WARN transmuting an integer to a pointer
+
     let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(42usize) };
     //~^ WARN transmuting an integer to a pointer
     let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(a + a) };
     //~^ WARN transmuting an integer to a pointer
 }
 
 const unsafe fn should_lintin_const(a: usize) {
-    let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(a) };
+    let _ptr: *const u8 = unsafe { std::mem::transmute::<usize, *const u8>(a) };
     //~^ WARN transmuting an integer to a pointer
-    let _ptr = unsafe { std::mem::transmute::<usize, &'static u8>(a) };
+    let _ptr: *mut u8 = unsafe { std::mem::transmute::<usize, *mut u8>(a) };
     //~^ WARN transmuting an integer to a pointer
+    let _ref: &'static u8 = unsafe { std::mem::transmute::<usize, &'static u8>(a) };
+    //~^ WARN transmuting an integer to a pointer
+    let _ref: &'static mut u8 = unsafe { std::mem::transmute::<usize, &'static mut u8>(a) };
+    //~^ WARN transmuting an integer to a pointer
+
     let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(42usize) };
     //~^ WARN transmuting an integer to a pointer
     let _ptr = unsafe { std::mem::transmute::<usize, *const u8>(a + a) };
diff --git a/tests/ui/lint/int_to_ptr.stderr b/tests/ui/lint/int_to_ptr.stderr
