Add lint against function pointer comparisons #118833
Conversation
|
r? @cjgillot (rustbot has picked a reviewer for you, use r? to override) |
rustbot
added
S-waiting-on-review
|
Some changes occurred in src/tools/clippy cc @rust-lang/clippy The Miri subtree was changed cc @rust-lang/miri |
rustbot
added
the
I-lang-nominated
This comment has been minimized.
This comment has been minimized.
|
The lint name is very long, it would be nice if we could come up with a shorter name. I don't have a suggestion though. |
Sure, but I don't think it matter that much, I'm not expecting anyone to write the lint name by hand (since it's warn-by-default, people can just copy/paste in the diagnostic output). We also already have some pretty long lint name, like unknown_or_malformed_diagnostic_attributes. But if someone comes up with a name as descriptive but shorter I can integrate it, I'm just not sure it's worth anyone time. |
Urgau
force-pushed
the
lint_function_pointer_comparisons
branch
from
e0a6772
to
4798319
Compare
This comment has been minimized.
This comment has been minimized.
Urgau
force-pushed
the
lint_function_pointer_comparisons
branch
from
444a0b9
to
23214cb
Compare
|
If it's not too much work, could we do a crater run here to find out what kind of places are using this kind of comparison in the wild? |
Sure, I just pushed a commit making the lint deny-by-default. I will let you do the bors craterbot commands. |
|
@bors try |
…ons, r=<try> Add lint against function pointer comparisons This is kind of a follow-up to rust-lang#117758 where we added a lint against wide pointer comparisons for being ambiguous and unreliable; well function pointer comparisons are also unreliable. We should IMO follow a similar logic and warn people about it. ----- ## `unpredictable_function_pointer_comparisons` *warn-by-default* The `unpredictable_function_pointer_comparisons` lint checks comparison of function pointer as the operands. ### Example ```rust fn foo() {} let a = foo as fn(); let _ = a == foo; ``` ### Explanation Function pointers comparisons do not produce meaningful result since they are never guaranteed to be unique and could vary between different code generation units. Furthermore different function could have the same address after being merged together. ---- This PR also uplift the very similar `clippy::fn_address_comparisons` lint, which only linted on if one of the operand was an `ty::FnDef` while this PR lints proposes to lint on all `ty::FnPtr` and `ty::FnDef`. `@rustbot` labels I-lang-nominated
This comment has been minimized.
This comment has been minimized.
|
☀️ Try build successful - checks-actions |
|
@rustbot labels -I-lang-nominated We discussed this in the T-lang meeting today. There was some support for this, but people were concerned about whether there may be legitimate use cases and what we would be suggesting that those people do instead. For wide pointer comparisons, we suggest that people use The consensus was that seeing use cases would help, and that a crater run would help to find those use cases. That's now happening in the comments above. Once the crater run comes back and has been analyzed, please renominate for T-lang discussion. For the analysis, we're looking to find 1) use cases of this that are correct in the sense that they rely only on the actual semantics, and 2) the prevalence of bugs where people are using this in ways that rely on semantics that do not actually hold. |
rustbot
removed
the
I-lang-nominated
There's no such thing, comparing Rust functions for equality is in general just inherently meaningless. That doesn't make code using The flip side of this is that the standard library itself actually relies on such a comparison in the format-args machinery... it's for a special case (a monomorphic function) where the current implementation AFAIK does not generate duplicates (but I don't know how multi-CGU handling works so I am not sure). It's certainly not guaranteed by the language. |
|
@craterbot check |
|
👌 Experiment ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more |
craterbot
added
S-waiting-on-crater
One thought expressed in the meeting was as follows: Comparing functions for equality via pointers may yield false negatives but not false positives. The fact that two functions may compare unequal (based on pointers to them) but in fact do the same thing is a rather fundamental property of not just Rust, but of any language. In general, it's impossible to know whether two different functions may in fact do the same thing. In this light, maybe it's OK that these comparisons produce false negatives, and maybe there exist valid use cases that only rely on the property that we will not return false positives. |
That's not true. There are both false negatives and false positives. That's exactly why I wanted the lint description to be clear about this. False positives arise when LLVM merges two functions because they optimized to the same code. |
Crater Analysis ResultSummary
... Note: I stopped at the nes-rs for now, I may continue later but given the trends I don't think anything new will come. HighlightsShivaBhattacharjee/SynthiaVM / Interpreter, very similar pattern in many other projects. impl PartialEq for Object {
fn eq(&self, other: &Self) -> bool {
match (self, other) {
(Object::Number(a), Object::Number(b)) => a == b,
(Object::String(a), Object::String(b)) => a == b,
...
(Object::Fn(a, b, c), Object::Fn(d, e, f)) => a == d && b == e && c == f,
(Object::Inbuilt(a), Object::Inbuilt(b)) => a == b,
...
_ => false,
}
}
}ZachClayburn/CompilerDesign-Project2Rely on function NOT being duplicated. pub fn get_reduction_name(function_pointer: &ReductionOp) -> &'static str {
match *function_pointer {
x if x == reduce_value => "reduce_value()",
x if x == reduce_binary_op => "reduce_binary_op()",
x if x == reduce_parenthetical => "reduce_parenthetical()",
x if x == reduce_unary_operator => "reduce_unary_operator()",
x if x == reduce_program => "reduce_program()",
x if x == reduce_statement_list => "reduce_statement_list()",
x if x == reduce_declaration => "reduce_declaration()",
x if x == reduce_param_spec => "reduce_param_spec()",
x if x == reduce_return_statement => "reduce_return_statement()",
x if x == reduce_procedure_declaration => "reduce_procedure_declaration()",
x if x == reduce_procedure_call => "reduce_procedure_call()",
_ => panic!("unknown reduction"),
}
}HugoBelotDeloro/rloxCompare functions pointers derived from the same list. *p = p.iter().filter(|&&f2| f2 != f).copied().collect::<Vec<&OpFn>>();Observation
Requiring that one of the operands is an fn-def may be a good compromise. Note: I think I remember Josh mentioning a caching pattern that involved fn-ptrs, but I haven't seen any evidence that this pattern is used and affected by this lint. @rustbot label I-lang-nominated -S-waiting-on-review S-waiting-on-team T-lang |
rustbot
added
I-lang-nominated
Urgau
force-pushed
the
lint_function_pointer_comparisons
branch
from
6c5c546
to
05eef1b
Compare
|
The standard library also uses function pointer comparison to implement |
|
I'm concerned about this if there isn't a way to say "I know, I want to do it anyway" other than I consider the fat pointer lint to be about "you should be clearer about whether you intended to compare the metadata or not", not "comparing metadata is bad". It would be entirely correct to memoize based on function pointer equality, for example. If that means that To me a "be sure you know what this does" lint like this is a clippy lint, not a |
The T-lang triage meeting consensus was to suggest a method (in the same way that was done for thin ptr comparisons lint with |
|
The fact that the result can never be meaningful beyond "definitely runs the same code if true" makes comparing function pointers a lot like |
It also compares them here, in dubious ways: rust/library/core/src/fmt/rt.rs Lines 146 to 158 in 7b45674 |
|
☔ The latest upstream changes (presumably #120881) made this pull request unmergeable. Please resolve the merge conflicts. |
Dylan-DPC
added
S-blocked
|
For the record the T-lib-api ACP#323 about adding |
Dylan-DPC
added
S-waiting-on-review
|
@Urgau this is no longer blocked so if you can resolve the conflicts we can push this forward for a review. Thanks |
Urgau
force-pushed
the
lint_function_pointer_comparisons
branch
from
05eef1b
to
ab73468
Compare
|
Looks like on the lang side we still need to make a decision about whether we want this. That's easier now that the libs-api prerequisite happened (on nightly). This is more actionable now, so we'll bump it up the agenda. |
Urgau
added
S-waiting-on-review
This is kind of a follow-up to #117758 where we added a lint against wide pointer comparisons for being ambiguous and unreliable; well function pointer comparisons are also unreliable. We should IMO follow a similar logic and warn people about it.
unpredictable_function_pointer_comparisonswarn-by-default
The
unpredictable_function_pointer_comparisonslint checks comparison of function pointer as the operands.Example
Explanation
Function pointers comparisons do not produce meaningful result since they are never guaranteed to be unique and could vary between different code generation units. Furthermore different function could have the same address after being merged together.
This PR also uplift the very similar
clippy::fn_address_comparisonslint, which only linted on if one of the operand was anty::FnDefwhile this PR lints proposes to lint on allty::FnPtrandty::FnDef.@rustbot labels I-lang-nominated
Edit: Blocked on rust-lang/libs-team#323 being accepted and it's follow-up pr