Warn when passing pointers to asm! with nomem/readonly options

[Soveu]

I think these warnings would help a lot finding weird bugs caused by improper options inside asm!, while allowing existing code to compile.

[rustbot]

r? @BoxyUwU

rustbot has assigned @BoxyUwU.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

[BoxyUwU]

r? @Amanieu

[workingjubilee]

why is a usize preferable?

[Soveu]

That was just what came to my mind when writing this at midnight. The warning and note could definitely be better, for example now I'm thinking of this:

warning: passing a pointer to asm! block with `nomem` option
 --> $PATH:$LINE
  |
  | core::arch::asm!("mov {p}, {p}", p = in(reg) p, options(nomem, nostack, preserves_flags));
  |                                  ^
  = note: `nomem` must be only used when no memory read or write happens inside the asm! block.
  = note: This is not limited to global variables, it also includes passed pointers.
  = note: If this is intentional, consider casting the pointer to an integer.
  = note: If not, change the `nomem` attribute to `readonly`

Warning is concise and note explains in more detail what is going on and how to fix the issue. Of course, depending on the pointer mutability and asm options, they will be a bit different.

[workingjubilee]

I think this is probably underexplained and should be omitted:

  = note: If this is intentional, consider casting the pointer to an integer.

Assembly is unsafe and we should be careful to eschew recommendations that aren't clearly applicable, because people will blindly take recommendations without thinking hard (no matter how much we would like to believe otherwise).

Further, people who work with assembly often have the interesting belief that pointers and integers are the same thing, so I can imagine someone misunderstanding this and the next line as somehow equivalent:

  = note: If this is intentional, consider casting the pointer to an integer.
  = note: If not, change the `nomem` attribute to `readonly`

So I think the suggestions should be more conservative, only including:

• remove nomem (as this is safest)
• replace nomem with readonly (less safe, but may be sound)
• allow this lint (would require moving this into the linting framework, but clearly has no soundness impacts)

[workingjubilee]

It is probably fine if there's a good way to explain why the cast to integer would be okay (so that people don't do it if it's not okay), but it seems sus, honestly.

[Soveu]

@workingjubilee @Amanieu ?

[Amanieu]

I don't think this message is appropriate: if passing a mutable pointer is intentional, we should only suggest something which suppresses the warning, not something that changes the semantics of the asm!.

The problem here is that I don't see an obvious way to suppress the warning. Perhaps this lint would be better in clippy instead rather than something that generally applies to all Rust code?

[Soveu]

Hmm, now that I'm thinking about it, maybe you're right - *mut pointer should anyway implicitly cast to *const one. What do you think about the other case with *const/mut and nomem?

[Amanieu]

Same thing here, if passing the pointer is intentional then our recommendation should not involve changing the semantics of asm!.

[Soveu]

#127063 (comment)

The problem here is that I don't see an obvious way to suppress the warning. Perhaps this lint would be better in clippy instead rather than something that generally applies to all Rust code?

At first, I wanted to make it an error, but probably some code would break and asm! is stable (could we jump on the edition2024 bandwagon?). Yeah, this is unsafe, and we can do a lot of stuff inside the asm! block, including freestyle transmute, however transmute does one job and it is dangerous, we can't do much with it besides "being smart" and looking for surrounding context, which is what clippy does with eager_transmute for example.

Here we could impose impose a simple rule that would help avoiding bugs with unintentional nomem. I can agree that the case with *mut T and readonly could be allowed, because we could pretend that the pointer is implicitly cast to *const T (like when calling functions that take *const T) and also the difference between *mut and *const is mostly cosmetic, but I don't see the same applying to nomem + *const/mut T.

Why would someone pass a pointer and do nothing with the data? If they need just the address, maybe they also need to consider if the provenance should be exposed or not. Idk, I think you know better than me how asm! is used, so if the final decision will be to not implement it here, then I won't insist. 🤔

[workingjubilee]

just noting that there's like two, maybe three versions of "intended/intention" floating around in this discussion. let me see if I can name all of them:

• "I intended to pass *mut T + nomem: I will basically ptr.addr() it or something."
• "I intended to pass *mut T but I meant readonly: just .cast_const() it."
• "I intended to pass *mut T, and I'm totally gonna read it, lol, GIMME DAT UB!!! (no plz don't, let me remove nomem...)"

[Amanieu]

Considering the fact that this suggestion isn't always applicable, I think this makes more sense as clippy lint than a built-in rustc lint. I would encourage you to submit it there.