(
hi Jubilee, I'm back at this again!
I know this is not the best time of year to add PRs, so I'm fine with postponing this if you don't feel like tackling it these upcoming weeks.
In any case, have some nice end-of-year festivities, if you celebrate any!
)

ah, and before I forget: a small part of the new test file is commented out because it hits ICE #134587, but there should be more than decent coverage anyway

unfortunately the lint needs to be gutted and rewritten.

Also while I was possibly having a mild case of get-there-itis and thus mostly tried to just make sure things were coherent, I would prefer all new code for the lint be in compiler/rustc_lint/src/types/improper_ctypes.rs.

The version cut happened so there will be less time pressure now.

I have a first version for compiler/rustc_lint/src/types/improper_ctypes.rs if you want.
it's less of a from-the-ground-up rewrite as it is scrapping the original for parts, if the analogy makes sense.

you probably have things to say about its architecture, even if the whole thing still have a bunch of TODO comments
the progress so far looks like this:

• completely separate the type-checking and reporting systems
• (part of the way there) remove some of the special cases and integrate them to the "main logic"
  • check_for_opaque_types is still a "special case" part of the checking logic
  • Cstr and Cstring are also somewhat special-cased because the advice for them depends on the type around them, if any
  • the unit type is handled in multiple places, see if this can be fixed
• (almost complete) compile, pass existing tests
  • only failed tests are for Cstring, due to different error messages
  • one unrelated test had to have a second "#[allow(improper_ctypes)]" added, but it makes more sense for it to need that anyway
• better separation of the different checks in different visit_* methods of ImproperCTypesVisitor
• better tracking of how the currently-checked type is used (static, function argument, function return's inner type, etc...)
  • raises questions about the separation of improper_ctypes and improper_ctypes_definitions versus declared/defined functions, especially when FnPtr:s are involved
• allow single argument check to emit multiple errors (for fnptr:s, structures with multiple FFI-unsafe fields, etc)
• review what is considered FFI-safe or not (once everything else is complete)

If you want to take a look in this state, should I just commit it here? (possibly put the PR in draft mode while I'm at it?)
or send you the files in a different way?

☔ The latest upstream changes (presumably #135525) made this pull request unmergeable. Please resolve the merge conflicts.

aaaand I think I have something that's "first draft" material! (should I put this pull in the "draft" state?)
There's still a bunch of TODOs (...well, they were changed to FIXMEs to be pushed here) for questions I didn't manage to answer (and a bunch of failing tests because I don't know if the error should be here), but yeah.

here's a list of some of my remaining questions and concerns:

• visit_numeric seems too x86_64-specific

• should we revisit the distinction between ImproperCTypes and ImproperCTypesDefinitions?

  • part 1: the output ("external fn" or vs "external block" vs other possibilities)
  • part 2: handling opaque types (there's a high correlation between ImproperCTypesDefinitions and places where we allow FFI-opaque types to be fully specified. do we want this correlation to be 1?)

• more on FFI-opaque types: how do we handle that in the context of the "context switch" between functions and possible FnPtr arguments? The answer that seems correct currently prevents a stage1 compiler from being built

  • should we introduce a std::ffi::FfiOpaquePtr type? (which would be a *const c_void and some phantomdata, on first approximation)

• for indirections whose values may be supplied by non-rust code: do we only allow pointers (and Optionstd::ptr::NonNull), or do we also allow Option<&T> and Option<Box<T>>?

• not sure if the new error messages are intelligible in all cases (especially if there's a type param like Self or <Self as ::std::ops::Add<Self>>::Output that gets resolved in the error message).

• it feels like the current handling of CStr/Cstring and Option-like enums uses special casing, since those are tested for in multiple places.

• if we deny references and boxes in defined functions, what of &self in methods? We don't allow *const Self, last I checked.

☔ The latest upstream changes (presumably #135921) made this pull request unmergeable. Please resolve the merge conflicts.

hmm.

aaaand I think I have something that's "first draft" material! (should I put this pull in the "draft" state?)

Yes, it's a good marker for "I don't want this merged yet, even if it looks done".

visit_numeric seems too x86_64-specific

It probably is.

should we revisit the distinction between ImproperCTypes and ImproperCTypesDefinitions?

Yes, but in particular, not to just repartition them between: I think breaking them into as many conceptually-smaller lints as possible is good, as long as each one is a distinct idea (no splitting just for the sake of splitting!).

more on FFI-opaque types: how do we handle that in the context of the "context switch" between functions and possible FnPtr arguments? The answer that seems correct currently prevents a stage1 compiler from being built

I'm not sure what you mean?

for indirections whose values may be supplied by non-rust code: do we only allow pointers (and Option<std::ptr::NonNull>), or do we also allow Option<&T> and Option<Box<T>>?

We must allow Rust code to declare a pointer in a C signature to be Option<&T> or a number of things about our FFI story fall apart.

it feels like the current handling of CStr/CString and Option-like enums uses special casing, since those are tested for in multiple places.

Yes, probably.

alright, sorry for taking a while!

I'm currently planning what changes I'll do in terms of splitting the lint(s)
my current idea is to separate based on the nature of the thing being (presumably) propped up against a FFI boundary

• improper_ctypes: what's definitely an interface to an outside library (extern statics, extern function declarations)
• improper_ctypes_fn_definitions: functions written in rust intended to be exported
• improper_ctypes_callbacks: FnPtr arguments, no matter in what function they are being used
• improper_ctypes_ty_definitions: repr(C) structs/enums(/unions)?

more on FFI-opaque types: how do we handle that in the context of the "context switch" between functions and possible FnPtr arguments? The answer that seems correct currently prevents a stage1 compiler from being built

I'm not sure what you mean?

well, this is more or less answered in what I said before that, but my question was about how to deal with "switching" from checking arguments for, say, a function definition, to checking the arguments of a FnPtr argument?

1. should the nature of the lint change?
   (temptative answer: yes)
2. how should FFI-Safe-pointers-to-FFI-Unsafe-pointees work in FnPtr arguments? Should it be the rules for extern fn declarations? (throw the lint because one should use *const c_void, an extern type declaration, etc...) or the rules for extern fn definitions? (allow that, the function's body needs the full type even if it's opaque to the other side of the FFI boundary)
   (temptative answer: it should be the former, but parts of the rustc codebase doesn't follow this rule, so I can't get a stage1 compiler if I make that the rule)

// you would think that int-range pattern types that exclude 0 would have Option layout optimisation
// they don't (see tests/ui/type/pattern_types/range_patterns.stderr)
// so there's no need to allow Option<pattern_type!(u32 in 1..)>.

oh, I should fix that probably

I... maybe? I can't for the life of me find the link to that again but I think I saw a discussion about that and type covariance/contravariance,
where i32 is 1.. is a subtype of i32 (well that was under consideration), meaning fn(Option<i32>) is a type of fn(Option<i32 is 1..>) and it might have impacts on whether there should be an optimisation because of transmutation?

Though you'll definitely know more than me on all the moving parts.
Especially assuming you might have looked at this more in the past week.

As for the rest of your advice, I already took all this in!
thanks for shedding light on my code, one nit at a time!

Some changes occurred in compiler/rustc_codegen_cranelift

cc @bjorn3

This PR modifies tests/auxiliary/minicore.rs.

cc @jieyouxu

This PR changes a file inside tests/crashes. If a crash was fixed, please move into the corresponding ui subdir and add 'Fixes #' to the PR description to autoclose the issue upon merge.

Some changes occurred in src/tools/clippy

cc @rust-lang/clippy

These commits modify the Cargo.lock file. Unintentional changes to Cargo.lock can be introduced when switching branches and rebasing PRs.

If this was unintentional then you should revert the changes before this PR is merged.
Otherwise, you can ignore this comment.

rust-analyzer is developed in its own repository. If possible, consider making this change to rust-lang/rust-analyzer instead.

cc @rust-lang/rust-analyzer

Some changes occurred in compiler/rustc_codegen_llvm/src/llvm/enzyme_ffi.rs

cc @ZuseZ4

The Miri subtree was changed

cc @rust-lang/miri

...ok that's what I get for clicking a button at 1h30 am. I'll fix all this new stuff tomorrow

as an answer to those automated warnings:

things that might need further changes

clippy, rust-analyzer, miri:

mostly changes to add the new lints to the documentation, and some expected lint reshuffling in the tests
though, the fact that they are in subtrees could cause a problem.
Should I still move that piece of the PR on the individual repos, with some #[allow(unknown_lints)] trickery to ensure stuff doesn't break when they are merged prior to this?

things with no further changes needed IMO

rustc_codegen_cranelift

just a lint rename

This PR modifies tests/auxiliary/minicore.rs.

yes. I was removing #[allow(improper_ctypes_definitions)] to change to one of the new lints, but it turns out there is not need to #[allow()] anything

file in tests/crashes

done

Cargo.lock

the only change is an added dependency of rustc_lint on rustc_type_ir

compiler/rustc_codegen_llvm/src/llvm/enzyme_ffi.rs (and rustc_codegen_llvm in general)

the changes are basically to wrap the extern "C" { fn(_) -> &ReturnType } functions' return types into options, then actually .unwrap() this option, in order to change UB into proper panics

☔ The latest upstream changes (presumably #141824) made this pull request unmergeable. Please resolve the merge conflicts.

at this point I think I'll deal with this (merge conflicts) when reviews have occurred. Probably the same amount of human work on my side, but it prevents changes of code mid-review, and will save a bunch of compute time running all tests every two days

Sorry, had taken a bit to claw through review backlog accumulated during RustWeek!

Uninhabited types are now deemed unsafe in function arguments and static variables. For function returns, only ! and empty enums are allowed. (e.g. structs with uninhabited fields are not)

So, an odd thing happened: We discovered that "a struct with uninhabited fields" is actually how we model the ABI of functions that are marked [[noreturn]] but nonetheless have a possibly-complex return type that would require e.g. allocation on the stack. So uninhabitedness should probably just be allowed, without linting, if the rest of the type is C-compatible? We can dial in from there.

Specifically, we fixed "#[repr(transparent)] types containing uninhabited 1-ZSTs as the non-transparent-wrapped field" so that they uphold the ABI-compatibily guarantee implied by #[repr(transparent)].

[...] So uninhabitedness should probably just be allowed, without linting, if the rest of the type is C-compatible? We can dial in from there.

Specifically, we fixed "#[repr(transparent)] types containing uninhabited 1-ZSTs as the non-transparent-wrapped field" so that they uphold the ABI-compatibily guarantee implied by #[repr(transparent)].

so... option 1 (all uninhabited returns allowed) for now, and later restrict this to option 2 (only !, EmptyEnum and #[repr(transparent)] structs with one of those as one of its 1-ZSTs)?

Sorry, had taken a bit to claw through review backlog accumulated during RustWeek!

oh, right I should have anticipated this. still, no problem! I kinda expected you to have a lot of other things taking your time (especially if some are more critical than a lint revamp)

Adding this pull that just landed and causes a few merge conflicts as required reading for myself, eventhough I started reading parts of it.

(I should have seen this while it was in RFC... at least this gives me a slight clarification about the PowerAlignment lint thing)
I guess I forgot about visit_numeric's x86_64-centricity in my summary comment. At least removing the u128/i128 lint altogether will make this a clean slate if/when it gets revisited to be architecture-dependant in the future.
(RalfJung, if you see this, I'm mostly sure the ImproperCTypes lints do in fact look into dependencies, so it should be fine to add something architecture-dependant. In any case, I'll double-check that statement if I do something about it)

I opened #142310 to handle the power alignment lint problem.