Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixing unsafe_op_in_unsafe_fn for std::{os, sys} #127747

Open
15 of 40 tasks
workingjubilee opened this issue Jul 15, 2024 · 20 comments
Open
15 of 40 tasks

Fixing unsafe_op_in_unsafe_fn for std::{os, sys} #127747

workingjubilee opened this issue Jul 15, 2024 · 20 comments
Labels
A-edition-2024 Area: The 2024 edition A-lint Area: Lints (warnings about flaws in source code) such as unused_mut. C-cleanup Category: PRs that clean code up or issues documenting cleanup. C-tracking-issue Category: A tracking issue for an RFC or an unstable feature. L-unsafe_op_in_unsafe_fn Lint: unsafe_op_in_unsafe_fn T-libs Relevant to the library team, which will review and decide on the PR/issue.

Comments

@workingjubilee
Copy link
Member

workingjubilee commented Jul 15, 2024

In #127744 we begin to deny(unsafe_op_in_unsafe_fn) in the standard library, but there are... many... platforms which all use unsafe code inside unsafe functions. It is unreasonable to fix them all in one step.

Even if it is technically possible to do this in one push that "fixes" it for all the platforms we run tier 1/2 CI on, that would be extremely rude. That would then immediately nuke all tier 3 platforms that aren't a variation on the tier 2 ones. We should at least try to allow people to respond before we do so. After all, we will eventually update the standard library to edition 2024 anyway.

To fix each platform, one at a time, deny(unsafe_op_in_unsafe_fn) should be moved into that platform's support modules (and even individual functions, if necessary). As we can see from the following test sample, you can have a deny, then an allow, then a deny, and it still works correctly. So we will keep the allows at the top level of std::os and std::sys in place.

For now.

In order to not have one giant table of targets that make my eyes blur, I have split the categories in somewhat arbitrary ways. This is primarily based on the heuristic of "if other examples in this category are fixed, are the rest likely to also be fixed?" except for the "uniques" set, which I expect will almost all require individual attention.

berkeley software descendants

  • freebsd
  • netbsd
  • tier 3
    • dragonfly
    • openbsd

darwinian

  • macOS
  • iOS
  • tier 3
    • tvOS
    • visionOS
    • watchOS

linuxen

  • android
  • linux-gnu
  • linux-musl

unixen

embedded unix + newlib

Unix-ish impls mostly intended for embedded-ish usage, all using newlib.

windows-y

uniques

We have a grab bag of others here, some of which are "Unix family" but are... estranged cousins, if so.

@rustbot rustbot added the needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. label Jul 15, 2024
@workingjubilee workingjubilee added C-cleanup Category: PRs that clean code up or issues documenting cleanup. A-lint Area: Lints (warnings about flaws in source code) such as unused_mut. T-libs Relevant to the library team, which will review and decide on the PR/issue. L-unsafe_op_in_unsafe_fn Lint: unsafe_op_in_unsafe_fn and removed needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. labels Jul 15, 2024
workingjubilee added a commit to workingjubilee/rustc that referenced this issue Jul 15, 2024
…workingjubilee

Make os/windows and pal/windows default to `#![deny(unsafe_op_in_unsafe_fn)]`

This is to prevent regressions in modules that currently pass. I did also fix up a few trivial places where the module contained only one or two simple wrappers. In more complex cases we should try to ensure the `unsafe` blocks are appropriately scoped and have any appropriate safety comments.

This does not fix the windows bits of rust-lang#127747 but it should help prevent regressions until that is done and also make it more obvious specifically which modules need attention.
workingjubilee added a commit to workingjubilee/rustc that referenced this issue Jul 15, 2024
…workingjubilee

Make os/windows and pal/windows default to `#![deny(unsafe_op_in_unsafe_fn)]`

This is to prevent regressions in modules that currently pass. I did also fix up a few trivial places where the module contained only one or two simple wrappers. In more complex cases we should try to ensure the `unsafe` blocks are appropriately scoped and have any appropriate safety comments.

This does not fix the windows bits of rust-lang#127747 but it should help prevent regressions until that is done and also make it more obvious specifically which modules need attention.
@jieyouxu jieyouxu added the C-tracking-issue Category: A tracking issue for an RFC or an unstable feature. label Jul 15, 2024
rust-timer added a commit to rust-lang-ci/rust that referenced this issue Jul 15, 2024
Rollup merge of rust-lang#127750 - ChrisDenton:safe-unsafe-unsafe, r=workingjubilee

Make os/windows and pal/windows default to `#![deny(unsafe_op_in_unsafe_fn)]`

This is to prevent regressions in modules that currently pass. I did also fix up a few trivial places where the module contained only one or two simple wrappers. In more complex cases we should try to ensure the `unsafe` blocks are appropriately scoped and have any appropriate safety comments.

This does not fix the windows bits of rust-lang#127747 but it should help prevent regressions until that is done and also make it more obvious specifically which modules need attention.
@workingjubilee
Copy link
Member Author

My current belief is that, like with every edition update so far, we will eventually fix the lint in all relevant places. By "fixed" I mean actually fixing it. However, it is fine if a platform adds more instances of allow for this lint, but I assume that we will eventually remove such allowances.

Pinging first everyone who has their own std::sys::pal submodule, since those are easiest to add #![deny(unsafe_op_in_unsafe_fn)] into their actual submodule, at the moment. You may have nothing to do! Just confirm that and we can mark it off... but do please actually check. At least one platform has started on using deny(unsafe_op_in_unsafe_fn) in some of its submodules, but has at least one instance of code that should fail that lint, yet is neither specifically denied nor allowed.

Also remember to check std::sys::sync and the other "top level" modules of sys for your platform's code in its submodules.

@workingjubilee workingjubilee added the A-edition-2024 Area: The 2024 edition label Jul 15, 2024
@xobs
Copy link
Contributor

xobs commented Jul 16, 2024

Xous already has #![deny(unsafe_op_in_unsafe_fn)] in sys/pal/xous/mod.rs, and adding it to os/xous/mod.rs does not cause any failures.

Adding it to the top of sys/mod.rs causes failures in:

But otherwise there are no issues for Xous.

@joboet
Copy link
Member

joboet commented Jul 16, 2024

I think we should add #[forbid]s to leaf modules instead and slowly move them up the module tree until we reach the root. Just #[deny]ing the lint stills allows adding new cases of this to modules that have already been fixed.

@Ayush1325
Copy link
Contributor

Adding #![deny(unsafe_op_in_unsafe_fn)] in sys/pal/uefi/mod.rs and os/uefi/mod.rs cause no failures.

@SchmErik
Copy link
Contributor

SchmErik commented Jul 16, 2024

Thanks for @-ing us @workingjubilee! Adding #![deny(unsafe_op_in_unsafe_fn)] in sys/pal/zkvm/mod.rs resulted in one failure. Here's a small PR to address this: #127833

tgross35 added a commit to tgross35/rust that referenced this issue Jul 16, 2024
…kingjubilee

zkvm: add `#[forbid(unsafe_op_in_unsafe_fn)]` in `stdlib`

This also adds an additional `unsafe` block to address compiler errors.
This PR is intended to address rust-lang#127747 for the zkvm target.
@workingjubilee
Copy link
Member Author

workingjubilee commented Jul 17, 2024

Identified and sifted out some targets into their own set.

Hi, you all are currently listed as maintainers for a target that

  • is target_family = "unix"
  • is target_env = "newlib"
  • uses the std::sys support for a "unix" target
  • supports only 32-bit systems
  • is officially tier 3 for all variants of the target

Unfortunately, the way the std::sys::pal::unix logic currently is written, it is very deeply entangled between different Unix targets. I am pinging you all as a group, ahead of most other "Unix" targets, because your targets have no CI coverage (so if someone breaks your target, it won't be noticed) and share some of the same architectural considerations. Even if you have little to do, it might be a good idea to factor out some of your implementations so that later passes by other maintainers don't affect your support code.

tgross35 added a commit to tgross35/rust that referenced this issue Jul 17, 2024
…kingjubilee

zkvm: add `#[forbid(unsafe_op_in_unsafe_fn)]` in `stdlib`

This also adds an additional `unsafe` block to address compiler errors.
This PR is intended to address rust-lang#127747 for the zkvm target.
@kawadakk
Copy link
Contributor

kmc-solid already has #![deny(unsafe_op_in_unsafe_fn)] in std/src/sys/pal/solid/mod.rs and std/src/os/solid/io.rs, and adding it to these target-specific modules causes no failures.

  • std/src/os/solid/mod.rs
  • std/src/sys/sync/rwlock/solid.rs
  • std/src/sys/sync/mutex/itron.rs
  • std/src/sys/path/unsupported_backslash.rs (contains no unsafe code, shared with cfg(target_os = "uefi"))
Table
Module path Source file
std::sys::pal::solid std/src/sys/pal/solid/mod.rs Has #![deny(unsafe_op_in_unsafe_fn)]
std::sys::pal::solid::itron std/src/sys/pal/solid/mod.rs¹ N/A - submodule of std::sys::pal::solid
std::sys::path::unsupported_backslash std/src/sys/path/unsupported_backslash.rs² #![deny(unsafe_op_in_unsafe_fn)] can be added without causing compilation failure
std::sys::sync::rwlock::solid std/src/sys/sync/rwlock/solid.rs #![deny(unsafe_op_in_unsafe_fn)] can be added without causing compilation failure
std::sys::sync::mutex::itron std/src/sys/sync/mutex/itron.rs #![deny(unsafe_op_in_unsafe_fn)] can be added without causing compilation failure
std::os::solid std/src/os/solid/mod.rs #![deny(unsafe_op_in_unsafe_fn)] can be added without causing compilation failure
std::os::solid::io std/src/os/solid/io.rs Has #![deny(unsafe_op_in_unsafe_fn)]
std::os::solid::ffi std/src/os/solid/ffi.rs #![deny(unsafe_op_in_unsafe_fn)] can be added without causing compilation failure

¹ Inline module. Its submodules are implemented in std/src/sys/pal/itron/*.rs.

² Shared with cfg(target_os = "uefi") (Tier 2 or lower).

rust-timer added a commit to rust-lang-ci/rust that referenced this issue Jul 17, 2024
Rollup merge of rust-lang#127833 - risc0:erik/zkvm-deny-unsafe, r=workingjubilee

zkvm: add `#[forbid(unsafe_op_in_unsafe_fn)]` in `stdlib`

This also adds an additional `unsafe` block to address compiler errors.
This PR is intended to address rust-lang#127747 for the zkvm target.
tgross35 added a commit to tgross35/rust that referenced this issue Jul 17, 2024
…tgross35

Make more Windows functions `#![deny(unsafe_op_in_unsafe_fn)]`

As part of rust-lang#127747, I've evaluated some more Windows functions and added `unsafe` blocks where necessary. Some are just trivial wrappers that "inherit" the full unsafety of their function, but for others I've added some safety comments. A few functions weren't actually unsafe at all. I think they were just using `unsafe fn` to avoid an `unsafe {}` block.

I'm not touching `c.rs` yet because that is partially being addressed by another PR and also I have plans to further reduce the number of wrapper functions we have in there.

r? libs
tgross35 added a commit to tgross35/rust that referenced this issue Jul 17, 2024
…tgross35

Make more Windows functions `#![deny(unsafe_op_in_unsafe_fn)]`

As part of rust-lang#127747, I've evaluated some more Windows functions and added `unsafe` blocks where necessary. Some are just trivial wrappers that "inherit" the full unsafety of their function, but for others I've added some safety comments. A few functions weren't actually unsafe at all. I think they were just using `unsafe fn` to avoid an `unsafe {}` block.

I'm not touching `c.rs` yet because that is partially being addressed by another PR and also I have plans to further reduce the number of wrapper functions we have in there.

r? libs
tgross35 added a commit to tgross35/rust that referenced this issue Jul 17, 2024
…tgross35

Make more Windows functions `#![deny(unsafe_op_in_unsafe_fn)]`

As part of rust-lang#127747, I've evaluated some more Windows functions and added `unsafe` blocks where necessary. Some are just trivial wrappers that "inherit" the full unsafety of their function, but for others I've added some safety comments. A few functions weren't actually unsafe at all. I think they were just using `unsafe fn` to avoid an `unsafe {}` block.

I'm not touching `c.rs` yet because that is partially being addressed by another PR and also I have plans to further reduce the number of wrapper functions we have in there.

r? libs
rust-timer added a commit to rust-lang-ci/rust that referenced this issue Jul 17, 2024
Rollup merge of rust-lang#127763 - ChrisDenton:safe-unsafe-unsafe, r=tgross35

Make more Windows functions `#![deny(unsafe_op_in_unsafe_fn)]`

As part of rust-lang#127747, I've evaluated some more Windows functions and added `unsafe` blocks where necessary. Some are just trivial wrappers that "inherit" the full unsafety of their function, but for others I've added some safety comments. A few functions weren't actually unsafe at all. I think they were just using `unsafe fn` to avoid an `unsafe {}` block.

I'm not touching `c.rs` yet because that is partially being addressed by another PR and also I have plans to further reduce the number of wrapper functions we have in there.

r? libs
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this issue Jul 30, 2024
…e, r=workingjubilee

Fix vita build of std and forbid unsafe in unsafe in the os/vita module

See rust-lang#127747

r? `@workingjubilee`

`@pheki` `@nikarh`
rust-timer added a commit to rust-lang-ci/rust that referenced this issue Jul 30, 2024
Rollup merge of rust-lang#128315 - zetanumbers:psvita-unsafe-in-unsafe, r=workingjubilee

Fix vita build of std and forbid unsafe in unsafe in the os/vita module

See rust-lang#127747

r? `@workingjubilee`

`@pheki` `@nikarh`
@workingjubilee
Copy link
Member Author

workingjubilee commented Jul 30, 2024

Thank you for everyone that has responded and gotten fixes in!

It looks like wasm-?-? and wasm-wasi are already deny(unsafe_op_in_unsafe_fn) for their specific code, or obviously conformant, so that's just upgrading a few annotations...

...expect maybe the... threads code?

cc @g0djan @abrown @loganek can you take a look at https://github.com/rust-lang/rust/blob/006c8df322e55c14d845e1fe317ca1445c2f8e6b/library/std/src/sys/pal/wasi/thread.rs and the other threads-on-wasi files and make sure they all conform to forbid(unsafe_op_in_unsafe_fn)?

@workingjubilee
Copy link
Member Author

emscripten is littered throughout the "unix" code, like many others.

@workingjubilee
Copy link
Member Author

Pinging the remaining tier 3 Unix maintainers for this. Please be aware that when this lint is enabled, all code which is only compiled for tier 3 targets, but nonetheless violates this lint, will cease compiling without any check from CI.

As these are all considered "Unix" implementations, it is possible the majority or even all of your unsafe fn are shared with tier 2+ targets, so you may not necessarily have to do anything. However, please also be aware that as this issue is fixed, for the Unix code in particular, code that is deemed not-unsafe will be made into safe functions.

This entire exercise is really a warm-up for actually having the (un)safety in the standard library's platform interfaces properly documented in the actual code and cross-referencing external sources as appropriate.

@ecnelises
Copy link
Contributor

Thanks for reminding. AIX does not have specific parts to change.

@sthibaul
Copy link
Contributor

Thanks for the heads-up. I added #![deny(unsafe_op_in_unsafe_fn)] to library/std/src/os/hurd/{fs,mod,raw}.rs and it built fine.

@semarie
Copy link
Contributor

semarie commented Jul 31, 2024

library/std/src/os/openbsd/*.rs are fine too. but they will be specific changes need for openbsd in unix parts

@g0djan
Copy link
Contributor

g0djan commented Jul 31, 2024

cc @g0djan @abrown @loganek can you take a look at https://github.com/rust-lang/rust/blob/006c8df322e55c14d845e1fe317ca1445c2f8e6b/library/std/src/sys/pal/wasi/thread.rs and the other threads-on-wasi files and make sure they all conform to forbid(unsafe_op_in_unsafe_fn)?

Hey, thanks for reaching out. I see that in this file there're 8 lines which don't compile for wasm32-wasip1-threads when I add #![deny(unsafe_op_in_unsafe_fn)] to it. I'll take a look at the other files and send a PR

@ChrisDenton
Copy link
Member

All the tier 1 Windows targets have the Windows specific stuff taken care of. There are still some shared code that needs handling in library\std\src\sys\sync\condvar\futex.rs.

I've not checked tier 3 Windows targets.

@ivmarkov
Copy link
Contributor

ivmarkov commented Aug 1, 2024

Identified and sifted out some targets into their own set.

Hi, you all are currently listed as maintainers for a target that

  • is target_family = "unix"
  • is target_env = "newlib"
  • uses the std::sys support for a "unix" target
  • supports only 32-bit systems
  • is officially tier 3 for all variants of the target

Unfortunately, the way the std::sys::pal::unix logic currently is written, it is very deeply entangled between different Unix targets. I am pinging you all as a group, ahead of most other "Unix" targets, because your targets have no CI coverage (so if someone breaks your target, it won't be noticed) and share some of the same architectural considerations. Even if you have little to do, it might be a good idea to factor out some of your implementations so that later passes by other maintainers don't affect your support code.

@workingjubilee Regarding the ESP-IDF targets:

  • Module std::os::espidf and its submodules compile fine in the presence of #![deny(unsafe_op_in_unsafe_fn)]
  • However, this was to be expected because it contain 0.0001% of the code for the ESP-IDF targets :)
  • Almost all other ESP-IDF code-paths are indeed intermingled with the other #[cfg(unix)] targets in the std::sys::unix::* and std::os::unix::* modules

Factoring out I wouldn't consider ATM, as it would be a gigantic effort, and so far the "intermingling" had worked well for us actually. We occasionally get a build failure once per a couple of months or so, but since we run a cargo -Z build-std nightly CI against downstream ESP-IDF crates, this CI is also catching issues in the STD for our Tier-3 targets "next day" so to say.
(We might consider putting a proper ./x.py build library/std CI in-place for our targets in future, because - as it turns out - cargo -Z build-std is hiding the STD build warnings from us - and in the meantime - building our targets spits out some unused/deprecation wanings I did not realize are in there.)

So I would say I prefer to "take the hit", wait until the Tier-1/2 target maintainers fix the #[cfg(unix)] space, and if there are regressions specific to ESP-IDF after that, we'll submit PRs in a day or two after the regressions pop up in our nightly CI. Given that the "fixes" are basically putting extra unsafe {} blocks here and there, I think we should be able to react very fast. :)

matthiaskrgr added a commit to matthiaskrgr/rust that referenced this issue Aug 1, 2024
…fe_fn, r=joboet

fix(hermit): `deny(unsafe_op_in_unsafe_fn)`

Tracking issue: rust-lang#127747

r? workingjubilee

CC: `@stlankes`
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this issue Aug 1, 2024
…fe_fn, r=joboet

fix(hermit): `deny(unsafe_op_in_unsafe_fn)`

Tracking issue: rust-lang#127747

r? workingjubilee

CC: ``@stlankes``
rust-timer added a commit to rust-lang-ci/rust that referenced this issue Aug 1, 2024
Rollup merge of rust-lang#128433 - hermit-os:hermit-unsafe_op_in_unsafe_fn, r=joboet

fix(hermit): `deny(unsafe_op_in_unsafe_fn)`

Tracking issue: rust-lang#127747

r? workingjubilee

CC: ``@stlankes``
@workingjubilee
Copy link
Member Author

As you wish. :^)

@biabbas
Copy link
Contributor

biabbas commented Aug 2, 2024

As seen in pr #128539, deny_unsafeop_in_unsafe_fn in VxWorks specific files does not affect the build( No code where this lint can be applied is present in VxWorks specific files). VxWorks uses most of Unix library code.

matthiaskrgr added a commit to matthiaskrgr/rust that referenced this issue Aug 6, 2024
Forbid unused unsafe in vxworks-specific std modules

Tracking issue rust-lang#127747
Adding deny(unsafe_op_in_unsafe_fn) in VxWorks specific files did not cause any error.
Most of VxWorks falls back on Unix libraries. So we'll have to wait for Unix changes.

r? `@workingjubilee`
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this issue Aug 6, 2024
Forbid unused unsafe in vxworks-specific std modules

Tracking issue rust-lang#127747
Adding deny(unsafe_op_in_unsafe_fn) in VxWorks specific files did not cause any error.
Most of VxWorks falls back on Unix libraries. So we'll have to wait for Unix changes.

r? ``@workingjubilee``
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this issue Aug 6, 2024
Forbid unused unsafe in vxworks-specific std modules

Tracking issue rust-lang#127747
Adding deny(unsafe_op_in_unsafe_fn) in VxWorks specific files did not cause any error.
Most of VxWorks falls back on Unix libraries. So we'll have to wait for Unix changes.

r? ```@workingjubilee```
rust-timer added a commit to rust-lang-ci/rust that referenced this issue Aug 7, 2024
Rollup merge of rust-lang#128539 - biabbas:deny_unsafe, r=workingjubilee

Forbid unused unsafe in vxworks-specific std modules

Tracking issue rust-lang#127747
Adding deny(unsafe_op_in_unsafe_fn) in VxWorks specific files did not cause any error.
Most of VxWorks falls back on Unix libraries. So we'll have to wait for Unix changes.

r? ```@workingjubilee```
bors added a commit to rust-lang-ci/rust that referenced this issue Aug 21, 2024
…_unsafe, r=<try>

WASI: foirbid `unsafe_op_in_unsafe_fn` for `std::{os, sys}`

Part of rust-lang#127747 for WASI

try-job: test-various
tgross35 added a commit to tgross35/rust that referenced this issue Aug 21, 2024
…it_unsafe, r=tgross35

WASI: forbid `unsafe_op_in_unsafe_fn` for `std::{os, sys}`

Part of rust-lang#127747 for WASI

try-job: test-various
jieyouxu added a commit to jieyouxu/rust that referenced this issue Aug 22, 2024
…it_unsafe, r=tgross35

WASI: forbid `unsafe_op_in_unsafe_fn` for `std::{os, sys}`

Part of rust-lang#127747 for WASI

try-job: test-various
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this issue Aug 22, 2024
…it_unsafe, r=tgross35

WASI: forbid `unsafe_op_in_unsafe_fn` for `std::{os, sys}`

Part of rust-lang#127747 for WASI

try-job: test-various
rust-timer added a commit to rust-lang-ci/rust that referenced this issue Aug 22, 2024
Rollup merge of rust-lang#128432 - g0djan:godjan/wasi_prohibit_implicit_unsafe, r=tgross35

WASI: forbid `unsafe_op_in_unsafe_fn` for `std::{os, sys}`

Part of rust-lang#127747 for WASI

try-job: test-various
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-edition-2024 Area: The 2024 edition A-lint Area: Lints (warnings about flaws in source code) such as unused_mut. C-cleanup Category: PRs that clean code up or issues documenting cleanup. C-tracking-issue Category: A tracking issue for an RFC or an unstable feature. L-unsafe_op_in_unsafe_fn Lint: unsafe_op_in_unsafe_fn T-libs Relevant to the library team, which will review and decide on the PR/issue.
Projects
None yet
Development

No branches or pull requests