Warn when casting double indirection pointer to single indirection (e.g. `*const *const i8` to `*const i8`)

[tgross35]

What it does

I just spent about an hour debugging an issue like the following:

let attr_ptrs: *const *const i8 = ...;

// Actually wrote this line
let buf_ptr: *const u8 = attr_ptrs.add(1).cast();
// Should have written this line
let buf_ptr: *const u8 = *attr_ptrs.add(1).cast();

let buf = slice::from_raw_parts(buf_ptr, len);
str::from_utf8(buf)

At first glance it seems reasonable enough - cast a *const i8 (c_char) to a *const u8 so it can be used as a string. However it's easy to miss that the first buf_ptr line is actually casting a *const *const i8 directly to a *const u8 without dereferencing.

This lint would catch casting any double pointer to any single pointer, which is currently very easy to miss. (Would likely also work for ***type to **type/*type)

Lint Name

double_indirection_cast

Category

suspicious

Advantage

• Prevent UB that is very difficult to trace back
• Aid users coming from C who easily miss that replicating something like double_ptr[1] requires a deref *double_ptr.add(1)

Drawbacks

This use may occasionally be intentional (e.g. casting to/from *const c_void). In my experience, these cases are less common than pointer array access.

Example

let attr_ptrs: *const *const i8 = ...;
let buf_ptr: *const u8 = attr_ptrs.add(1).cast();

Could be written as:

let attr_ptrs: *const *const i8 = ...;
let buf_ptr: *const u8 = *attr_ptrs.add(1).cast();

[briansmith]

Maybe any non-single-pointer-to-single-ptr cast that isn't written in the form <*const * const T>::cast<*T>(x) should trigger a warning, including x as *const T and x.cast::<T>() (which is what Clippy ptr-as-ptr suggests now).

In your example,:

let buf_ptr: *const u8 = attr_ptrs.add(1).cast();

The suggestion would be:

let buf_ptr: *const u8 = <*const *const i8>::cast::<u8>(attr_ptrs.add(1));

Note that this suggestion is always correct so it could be MachineApplicable, whereas the original suggested idea for the lint is speculating about the intent, so it would have to always be MaybeIncorrect at best.

Similarly, but separately, there are a bunch of methods on pointers that should be written that way whenever the pointer is a non-single pointer, including addr() and expose_provenance, whenever x isn't a variable with an explicit type annotation, though that's something to consider separately.

[briansmith]

The title of the issue talks about double-to-single pointer casts, but more generally the issue is about N-level-to-M-level pointer casts where N != M.