Fix-forward for mir-inlining

jyn514 · jyn514 · commit 3a7e4b8c8e75 · 2026-04-27T12:08:16.000+02:00
plus other minor fixes
diff --git a/compiler/rustc_lint/src/ferrocene/post_mono.rs b/compiler/rustc_lint/src/ferrocene/post_mono.rs
@@ -24,7 +24,7 @@ use rustc_hir::def_id::DefId;
 use rustc_hir::{CRATE_HIR_ID, HirId};
 use rustc_middle::mir::visit::Visitor as _;
 use rustc_middle::mir::{
-    self, Body, CastKind, ClearCrossCrate, Location, Rvalue, SourceInfo, Terminator, TerminatorKind,
+    self, Body, CastKind, Location, Rvalue, SourceScope, Terminator, TerminatorKind,
 };
 use rustc_middle::mono::MonoItem;
 use rustc_middle::span_bug;
@@ -126,15 +126,17 @@ impl<'a, 'tcx> mir::visit::Visitor<'tcx> for LintPostMono<'a, 'tcx> {
         if let Some((callee_instance, pre_mono_call)) = self.get_call_def_mir(terminator, location)
         {
             let use_ = self.use_(UseKind::Called(callee_instance), terminator.source_info.span);
-            self.on_edge(use_, &terminator.source_info, pre_mono_call);
+            self.on_edge(use_, terminator.source_info.scope, pre_mono_call);
         }
+        self.super_terminator(terminator, location);
     }
 
     fn visit_rvalue(&mut self, rval: &Rvalue<'tcx>, location: Location) {
         let Some((call_span, use_kind)) = self.find_dynamic_cast(rval) else { return };
         let source_info = self.body.source_info(location);
         let use_ = self.use_(use_kind, call_span);
-        self.on_edge(use_, source_info, use_.def_id());
+        self.on_edge(use_, source_info.scope, use_.def_id());
+        self.super_rvalue(rval, location);
     }
 }
 
@@ -190,16 +192,14 @@ impl<'a, 'tcx> LintPostMono<'a, 'tcx> {
         Use { kind, span, from_instantiation: self.from_instantiation }
     }
 
-    fn on_edge(&mut self, use_: Use<'tcx>, source_info: &SourceInfo, pre_mono_callee: DefId) {
+    fn lint(&mut self, use_: Use<'tcx>, scope: SourceScope) -> HirId {
         // Try to update the lint node if possible, but use the lint node of the caller if the
         // callee is cross-crate.
         // FIXME: we have enough info here to show a backtrace of how the function was instantiated,
         // maybe pass that in so we can show it?
-        let lint_node = match self.body.source_scopes[source_info.scope].local_data.as_ref() {
-            ClearCrossCrate::Set(data) => data.lint_root,
-            // We assume that all roots come from the current crate.
-            // This is checked earlier in `lint_validated_roots`.
-            ClearCrossCrate::Clear => match self.from_instantiation.as_ref() {
+        let lint_node = match scope.lint_root(&self.body.source_scopes) {
+            Some(node) => node,
+            None => match self.from_instantiation.as_ref() {
                 // This is a bit odd - we use the HIR id of the caller function,
                 // not the callee that actually caused the error.
                 // The callee is in another crate so we don't have any choice here.
@@ -213,6 +213,12 @@ impl<'a, 'tcx> LintPostMono<'a, 'tcx> {
         // Lint this use.
         self.linter.check_use(lint_node, use_);
 
+        lint_node
+    }
+
+    fn on_edge(&mut self, use_: Use<'tcx>, scope: SourceScope, pre_mono_callee: DefId) {
+        let lint_node = self.lint(use_, scope);
+
         // Recurse into the instantiated call.
         let callee_instance = match use_.kind {
             UseKind::TraitObjectCast(
@@ -333,10 +339,27 @@ impl<'a, 'tcx> LintPostMono<'a, 'tcx> {
         }
 
         let body = tcx.instance_mir(instance.def);
+        trace!(body = ?body, "visiting body");
         let mut this = LintPostMono { linter, visited, roots, instance, body, from_instantiation };
-        for (bb, data) in mir::traversal::reachable(body) {
+        for (bb, data) in mir::traversal::preorder(body) {
             this.visit_basic_block_data(bb, data);
         }
+
+        // If the MIR inliner ran, we may not see all original function calls.
+        // Usually these are preserved in the source scopes for each statement,  but if the
+        // inliner has completely deleted every statement in the body we can't rely on that.
+        // Iterate through every source scope we know about just in case.
+        for (scope, scope_data) in body.source_scopes.iter_enumerated() {
+            trace!("saw scope {scope_data:?}");
+            if let Some((instance, span)) = scope_data.inlined {
+                debug!("saw inlined instance {instance:?}");
+                let use_ = this.use_(UseKind::Called(instance), span);
+                // NOTE: we can't use `on_edge` here because it won't properly substitute generic
+                // parameters when it recurses. That's ok: since we're visiting every source scope in
+                // this body, we'll catch all the other inlined calls when we see their `scope_data`.
+                this.lint(use_, scope);
+            }
+        }
     }
 
     fn get_call_def_mir(
diff --git a/tests/ui/ferrocene/lint-prevalidated/mir-inlining.post-mono-inlining.stderr b/tests/ui/ferrocene/lint-prevalidated/mir-inlining.post-mono-inlining.stderr
@@ -0,0 +1,33 @@
+error: validated function calls an unvalidated method
+  --> $DIR/mir-inlining.rs:17:5
+   |
+LL |     f(x);
+   |     ^^^^
+   |
+  --> $SRC_DIR/core/src/ops/function.rs:LL:COL
+   |
+   = note: `<fn(u32) -> u32 {trailing_ones} as FnOnce<(u32,)>>::call_once` is unvalidated
+   |
+   = help: contact Ferrocene support to see if this method is possible to certify
+note: `main` is validated
+  --> $DIR/mir-inlining.rs:25:4
+   |
+LL | fn main() {
+   |    ^^^^
+   = note: main functions are assumed to be validated
+note: the lint level is defined here
+  --> $DIR/mir-inlining.rs:8:9
+   |
+LL | #![deny(ferrocene::unvalidated)]
+   |         ^^^^^^^^^^^^^^^^^^^^^^
+
+error: validated function calls an unvalidated function
+  --> $SRC_DIR/core/src/ops/function.rs:LL:COL
+   |
+  ::: $DIR/mir-inlining.rs:11:14
+   |
+LL | pub const fn trailing_ones(_: u32) -> u32 {
+   |              ------------- `trailing_ones` is unvalidated
+
+error: aborting due to 2 previous errors
+
diff --git a/tests/ui/ferrocene/lint-prevalidated/mir-inlining.post-mono.stderr b/tests/ui/ferrocene/lint-prevalidated/mir-inlining.post-mono.stderr
@@ -0,0 +1,25 @@
+error: validated function calls an unvalidated function
+  --> $DIR/mir-inlining.rs:17:5
+   |
+LL | pub const fn trailing_ones(_: u32) -> u32 {
+   |              ------------- `trailing_ones` is unvalidated
+...
+LL |     f(x);
+   |     ^^^^
+   |
+note: `main` is validated
+  --> $DIR/mir-inlining.rs:25:4
+   |
+LL | fn main() {
+   |    ^^^^
+LL |     call(123_u32, trailing_ones);
+   |     ---------------------------- generic function `call` instantiated by `main`
+   = note: main functions are assumed to be validated
+note: the lint level is defined here
+  --> $DIR/mir-inlining.rs:8:9
+   |
+LL | #![deny(ferrocene::unvalidated)]
+   |         ^^^^^^^^^^^^^^^^^^^^^^
+
+error: aborting due to 1 previous error
+
diff --git a/tests/ui/ferrocene/lint-prevalidated/mir-inlining.rs b/tests/ui/ferrocene/lint-prevalidated/mir-inlining.rs
@@ -0,0 +1,27 @@
+//@ revisions: thir post-mono post-mono-inlining
+//@[thir] check-pass
+//@[post-mono] build-fail
+//@[post-mono] compile-flags: -Z inline-mir=no
+//@[post-mono-inlining] build-fail
+//@[post-mono-inlining] compile-flags: -Z inline-mir=yes
+
+#![deny(ferrocene::unvalidated)]
+
+#[inline(always)]
+pub const fn trailing_ones(_: u32) -> u32 {
+    0
+}
+
+#[ferrocene::prevalidated]
+fn call(x: u32, f: impl FnOnce(u32) -> u32) {
+    f(x);
+    //[post-mono]~^ ERROR unvalidated
+    //[post-mono-inlining]~^^ ERROR unvalidated
+    // This error points to `<{trailing_ones} as FnOnce>::call_once`, which kinda sucks, but it's
+    // ok for now.
+    //[post-mono-inlining]~? ERROR unvalidated
+}
+
+fn main() {
+    call(123_u32, trailing_ones);
+}
