Lint against empty match on not-known-valid place

Author: Nadrieril

compiler/rustc_lint_defs/src/builtin.rs

@@ -39,6 +39,7 @@ declare_lint_pass! {
         DUPLICATE_MACRO_ATTRIBUTES,
         ELIDED_LIFETIMES_IN_ASSOCIATED_CONSTANT,
         ELIDED_LIFETIMES_IN_PATHS,
+        EMPTY_MATCH_ON_UNSAFE_PLACE,
         EXPORTED_PRIVATE_DEPENDENCIES,
         FFI_UNWIND_CALLS,
         FORBIDDEN_LINT_GROUPS,
@@ -4019,6 +4020,76 @@ declare_lint! {
     @feature_gate = sym::non_exhaustive_omitted_patterns_lint;
 }
 
+declare_lint! {
+    /// The `empty_match_on_unsafe_place` lint detects uses of `match ... {}` on an empty type where
+    /// the matched place could contain invalid data in a well-defined program. These matches are
+    /// considered exhaustive for backwards-compatibility, but they shouldn't be since a `_` arm
+    /// would be reachable.
+    ///
+    /// This will become an error in the future.
+    ///
+    /// ### Example
+    ///
+    /// ```compile_fail
+    /// #![feature(min_exhaustive_patterns)]
+    /// enum Void {}
+    /// let ptr: *const Void = ...;
+    /// unsafe {
+    ///     match *ptr {}
+    /// }
+    /// ```
+    ///
+    /// This will produce:
+    ///
+    /// ```text
+    /// warning: empty match on potentially-invalid data
+    ///   --> $DIR/empty-types.rs:157:9
+    ///    |
+    /// LL |         match *ptr {}
+    ///    |         ^^^^^^^^^^^^^
+    ///    |
+    /// note: this place can hold invalid data, which would make the match reachable
+    ///   --> $DIR/empty-types.rs:157:15
+    ///    |
+    /// LL |         match *ptr {}
+    ///    |               ^^^^
+    ///    = note: `#[warn(empty_match_on_unsafe_place)]` on by default
+    /// help: consider forcing a read of the value
+    ///    |
+    /// LL |         match { *ptr } {}
+    ///    |               +      +
+    /// ```
+    ///
+    /// ### Explanation
+    ///
+    /// Some place expressions (namely pointer dereferences, union field accesses, and
+    /// (conservatively) reference dereferences) can hold invalid data without causing UB. For
+    /// example, the following is a well-defined program that prints "reachable!".
+    ///
+    /// ```rust
+    /// #[derive(Copy, Clone)]
+    /// enum Void {}
+    /// union Uninit<T: Copy> {
+    ///     value: T,
+    ///     uninit: (),
+    /// }
+    /// unsafe {
+    ///     let x: Uninit<Void> = Uninit { uninit: () };
+    ///     match x.value {
+    ///         _ => println!("reachable!"),
+    ///     }
+    /// }
+    /// ```
+    ///
+    /// Therefore when the matched place can hold invalid data, a match with no arm should not be
+    /// considered exhaustive. For backwards-compatibility we consider them exhaustive but warn with
+    /// this lint. It will become an error in the future.
+    pub EMPTY_MATCH_ON_UNSAFE_PLACE,
+    Warn,
+    "warn about empty matches on a place with potentially-invalid data",
+    @feature_gate = sym::min_exhaustive_patterns;
+}
+
 declare_lint! {
     /// The `text_direction_codepoint_in_comment` lint detects Unicode codepoints in comments that
     /// change the visual representation of text on screen in a way that does not correspond to

compiler/rustc_pattern_analysis/messages.ftl

@@ -1,3 +1,10 @@
+pattern_analysis_empty_match_on_unsafe_place =
+    empty match on potentially-invalid data
+    .note = this place can hold invalid data, which would make the match reachable
+
+pattern_analysis_empty_match_on_unsafe_place_wrap_suggestion =
+    consider forcing a read of the value
+
 pattern_analysis_non_exhaustive_omitted_pattern = some variants are not matched explicitly
     .help = ensure that all variants are matched explicitly by adding the suggested match arms
     .note = the matched value is of type `{$scrut_ty}` and the `non_exhaustive_omitted_patterns` attribute was found

compiler/rustc_pattern_analysis/src/errors.rs

@@ -43,6 +43,27 @@ impl<'tcx> Uncovered<'tcx> {
     }
 }
 
+#[derive(LintDiagnostic)]
+#[diag(pattern_analysis_empty_match_on_unsafe_place)]
+pub struct EmptyMatchOnUnsafePlace {
+    #[note]
+    pub scrut_span: Span,
+    #[subdiagnostic]
+    pub suggestion: EmptyMatchOnUnsafePlaceWrapSuggestion,
+}
+
+#[derive(Subdiagnostic)]
+#[multipart_suggestion(
+    pattern_analysis_empty_match_on_unsafe_place_wrap_suggestion,
+    applicability = "maybe-incorrect"
+)]
+pub struct EmptyMatchOnUnsafePlaceWrapSuggestion {
+    #[suggestion_part(code = "{{ ")]
+    pub scrut_start: Span,
+    #[suggestion_part(code = " }}")]
+    pub scrut_end: Span,
+}
+
 #[derive(LintDiagnostic)]
 #[diag(pattern_analysis_overlapping_range_endpoints)]
 #[note]

compiler/rustc_pattern_analysis/src/lib.rs

@@ -14,14 +14,17 @@ extern crate rustc_middle;
 
 rustc_fluent_macro::fluent_messages! { "../messages.ftl" }
 
-use lints::PatternColumn;
 use rustc_hir::HirId;
-use rustc_middle::ty::Ty;
-use usefulness::{compute_match_usefulness, UsefulnessReport};
+use rustc_middle::ty::{self, Ty};
+use rustc_session::lint;
 
 use crate::cx::MatchCheckCtxt;
-use crate::lints::{lint_nonexhaustive_missing_variants, lint_overlapping_range_endpoints};
+use crate::errors::{EmptyMatchOnUnsafePlace, EmptyMatchOnUnsafePlaceWrapSuggestion};
+use crate::lints::{
+    lint_nonexhaustive_missing_variants, lint_overlapping_range_endpoints, PatternColumn,
+};
 use crate::pat::DeconstructedPat;
+use crate::usefulness::{compute_match_usefulness, UsefulnessReport};
 
 /// The arm of a match expression.
 #[derive(Clone, Copy, Debug)]
@@ -41,6 +44,40 @@ pub fn analyze_match<'p, 'tcx>(
 ) -> UsefulnessReport<'p, 'tcx> {
     let pat_column = PatternColumn::new(arms);
 
+    if !cx.known_valid_scrutinee && arms.iter().all(|arm| arm.has_guard) {
+        let is_directly_empty = match scrut_ty.kind() {
+            ty::Adt(def, ..) => {
+                def.is_enum()
+                    && def.variants().is_empty()
+                    && !cx.is_foreign_non_exhaustive_enum(scrut_ty)
+            }
+            ty::Never => true,
+            _ => false,
+        };
+        if is_directly_empty {
+            if cx.tcx.features().min_exhaustive_patterns {
+                cx.tcx.emit_spanned_lint(
+                    lint::builtin::EMPTY_MATCH_ON_UNSAFE_PLACE,
+                    cx.match_lint_level,
+                    cx.whole_match_span.unwrap_or(cx.scrut_span),
+                    EmptyMatchOnUnsafePlace {
+                        scrut_span: cx.scrut_span,
+                        suggestion: EmptyMatchOnUnsafePlaceWrapSuggestion {
+                            scrut_start: cx.scrut_span.shrink_to_lo(),
+                            scrut_end: cx.scrut_span.shrink_to_hi(),
+                        },
+                    },
+                );
+            }
+
+            // For backwards compability we allow an empty match in this case.
+            return UsefulnessReport {
+                arm_usefulness: Vec::new(),
+                non_exhaustiveness_witnesses: Vec::new(),
+            };
+        }
+    }
+
     let report = compute_match_usefulness(cx, arms, scrut_ty);
 
     // Lint on ranges that overlap on their endpoints, which is likely a mistake.

compiler/rustc_pattern_analysis/src/usefulness.rs

@@ -1186,23 +1186,19 @@ fn compute_exhaustiveness_and_usefulness<'p, 'tcx>(
 
     debug!("ty: {ty:?}");
     let pcx = &PatCtxt { cx, ty, is_top_level };
-    let ctors_for_ty = &cx.ctors_for_ty(ty);
-    let is_integers = matches!(ctors_for_ty, ConstructorSet::Integers { .. }); // For diagnostics.
 
     // Whether the place/column we are inspecting is known to contain valid data.
     let mut place_validity = matrix.place_validity[0];
-    if !pcx.cx.tcx.features().min_exhaustive_patterns
-        || (is_top_level && matches!(ctors_for_ty, ConstructorSet::NoConstructors))
-    {
-        // For backwards compability we allow omitting some empty arms that we ideally shouldn't.
+    if cx.tcx.features().exhaustive_patterns {
+        // Under `exhaustive_patterns` we allow omitting empty arms even when they aren't redundant.
         place_validity = place_validity.allow_omitting_side_effecting_arms();
     }
 
     // Analyze the constructors present in this column.
+    let ctors_for_ty = &cx.ctors_for_ty(ty);
+    let is_integers = matches!(ctors_for_ty, ConstructorSet::Integers { .. }); // For diagnostics.
     let ctors = matrix.heads().map(|p| p.ctor());
     let split_set = ctors_for_ty.split(pcx, ctors);
-
-    // Decide what constructors to report.
     let all_missing = split_set.present.is_empty();
 
     // Build the set of constructors we will specialize with. It must cover the whole type.