c-variadic: reject non-unsafe functions

author: Folkert de Vries <folkert@folkertdev.nl> 2025-09-08 18:45:41 +0200
committer: Folkert de Vries <folkert@folkertdev.nl> 2025-09-09 21:30:38 +0200
commit: 0c96200f268df10d4f3ac102f3161c67e5e67221 (patch)
tree: bfb8cc16075c6a8f1e8a0e53368fae4d2b89c4bb /compiler
parent: 5de9bc73e76f60ee27c37f20d0a9530e5a957df7 (diff)
download: rust-0c96200f268df10d4f3ac102f3161c67e5e67221.tar.gz
rust-0c96200f268df10d4f3ac102f3161c67e5e67221.zip
4 files changed, 56 insertions, 9 deletions
diff --git a/compiler/rustc_ast/src/ast.rs b/compiler/rustc_ast/src/ast.rs
index 2733a2603d6..915bae9e5f5 100644
--- a/compiler/rustc_ast/src/ast.rs
+++ b/compiler/rustc_ast/src/ast.rs
@@ -2309,6 +2309,22 @@ impl FnSig {
 
         self.span.shrink_to_lo()
     }
+
+    /// The span of the header's safety, or where to insert it if empty.
+    pub fn safety_span(&self) -> Span {
+        match self.header.safety {
+            Safety::Unsafe(span) | Safety::Safe(span) => span,
+            Safety::Default => {
+                // Insert after the `coroutine_kind` if available.
+                if let Some(extern_span) = self.header.ext.span() {
+                    return extern_span.shrink_to_lo();
+                }
+
+                // Insert right at the front of the signature.
+                self.header_span().shrink_to_hi()
+            }
+        }
+    }
 }
 
 /// A constraint on an associated item.
@@ -3553,6 +3569,13 @@ impl Extern {
             None => Extern::Implicit(span),
         }
     }
+
+    pub fn span(self) -> Option<Span> {
+        match self {
+            Extern::None => None,
+            Extern::Implicit(span) | Extern::Explicit(_, span) => Some(span),
+        }
+    }
 }
 
 /// A function header.
diff --git a/compiler/rustc_ast_passes/messages.ftl b/compiler/rustc_ast_passes/messages.ftl
index 958797a6089..1aa38a1beda 100644
--- a/compiler/rustc_ast_passes/messages.ftl
+++ b/compiler/rustc_ast_passes/messages.ftl
@@ -68,6 +68,10 @@ ast_passes_bound_in_context = bounds on `type`s in {$ctx} have no effect
 
 ast_passes_c_variadic_associated_function = associated functions cannot have a C variable argument list
 
+ast_passes_c_variadic_must_be_unsafe =
+    functions with a C variable argument list must be unsafe
+    .suggestion = add the `unsafe` keyword to this definition
+
 ast_passes_c_variadic_no_extern = `...` is not supported for non-extern functions
 
 ast_passes_const_and_c_variadic = functions cannot be both `const` and C-variadic
diff --git a/compiler/rustc_ast_passes/src/ast_validation.rs b/compiler/rustc_ast_passes/src/ast_validation.rs
index f425acda358..7b32778ddf0 100644
--- a/compiler/rustc_ast_passes/src/ast_validation.rs
+++ b/compiler/rustc_ast_passes/src/ast_validation.rs
@@ -698,20 +698,25 @@ impl<'a> AstValidator<'a> {
             FnCtxt::Foreign => return,
             FnCtxt::Free => match sig.header.ext {
                 Extern::Implicit(_) => {
-                    if matches!(sig.header.safety, Safety::Unsafe(_)) {
-                        return;
+                    // Implicitly defaults to C.
+                    if !matches!(sig.header.safety, Safety::Unsafe(_)) {
+                        self.dcx().emit_err(errors::CVariadicMustBeUnsafe {
+                            span: variadic_param.span,
+                            unsafe_span: sig.safety_span(),
+                        });
                     }
-
-                    self.dcx().emit_err(errors::BadCVariadic { span: variadic_param.span });
                 }
                 Extern::Explicit(StrLit { symbol_unescaped, .. }, _) => {
-                    if matches!(symbol_unescaped, sym::C | sym::C_dash_unwind) {
-                        if matches!(sig.header.safety, Safety::Unsafe(_)) {
-                            return;
-                        }
+                    if !matches!(symbol_unescaped, sym::C | sym::C_dash_unwind) {
+                        self.dcx().emit_err(errors::BadCVariadic { span: variadic_param.span });
                     }
 
-                    self.dcx().emit_err(errors::BadCVariadic { span: variadic_param.span });
+                    if !matches!(sig.header.safety, Safety::Unsafe(_)) {
+                        self.dcx().emit_err(errors::CVariadicMustBeUnsafe {
+                            span: variadic_param.span,
+                            unsafe_span: sig.safety_span(),
+                        });
+                    }
                 }
                 Extern::None => {
                     let err = errors::CVariadicNoExtern { span: variadic_param.span };
diff --git a/compiler/rustc_ast_passes/src/errors.rs b/compiler/rustc_ast_passes/src/errors.rs
index 6b57e5ef376..946a22d2e75 100644
--- a/compiler/rustc_ast_passes/src/errors.rs
+++ b/compiler/rustc_ast_passes/src/errors.rs
@@ -333,6 +333,21 @@ pub(crate) struct CVariadicNoExtern {
 }
 
 #[derive(Diagnostic)]
+#[diag(ast_passes_c_variadic_must_be_unsafe)]
+pub(crate) struct CVariadicMustBeUnsafe {
+    #[primary_span]
+    pub span: Span,
+
+    #[suggestion(
+        ast_passes_suggestion,
+        applicability = "maybe-incorrect",
+        code = "unsafe ",
+        style = "verbose"
+    )]
+    pub unsafe_span: Span,
+}
+
+#[derive(Diagnostic)]
 #[diag(ast_passes_bad_c_variadic)]
 pub(crate) struct BadCVariadic {
     #[primary_span]
author	Folkert de Vries <folkert@folkertdev.nl>	2025-09-08 18:45:41 +0200
committer	Folkert de Vries <folkert@folkertdev.nl>	2025-09-09 21:30:38 +0200
commit	0c96200f268df10d4f3ac102f3161c67e5e67221 (patch)
tree	bfb8cc16075c6a8f1e8a0e53368fae4d2b89c4bb /compiler
parent	5de9bc73e76f60ee27c37f20d0a9530e5a957df7 (diff)
download	rust-0c96200f268df10d4f3ac102f3161c67e5e67221.tar.gz rust-0c96200f268df10d4f3ac102f3161c67e5e67221.zip