Add a lint for the Self tuple struct soundness hole (#318)

Author: thomcc

doc/src/config-lints.md

@@ -264,3 +264,26 @@ foo::<dyn SomeTrait>();
 // Trait object in type default (enum, union, trait, and so on are all also forbidden)
 struct SomeStruct<T = dyn SomeTrait>(...);
 ```
+
+### `plrust_tuple_struct_self_pattern`
+
+This lint forbids use of a tuple struct named `Self` in pattern position. This
+can be used to bypass struct field privacy prior to Rust 1.71.0
+(<https://github.com/rust-lang/rust/issues/111220>). Once PL/Rust depends on
+1.71.0, this lint will be replaced by one that does nothing, as the offending
+pattern will not compile.
+
+For example, this lint will prevent the following code:
+
+```rs
+mod my {
+    pub struct Foo(&'static str);
+}
+
+impl AsRef<str> for my::Foo {
+    fn as_ref(&self) -> &str {
+        let Self(s) = self;
+        s
+    }
+}
+```

plrust/src/lib.rs

@@ -95,6 +95,7 @@ const DEFAULT_LINTS: &'static str = "\
     plrust_print_macros, \
     plrust_stdio, \
     plrust_suspicious_trait_object, \
+    plrust_tuple_struct_self_pattern, \
     unsafe_code, \
     deprecated, \
     suspicious_auto_trait_impls, \

plrustc/plrustc/src/lints/mod.rs

@@ -19,6 +19,7 @@ mod print_macros;
 mod static_impls;
 mod stdio;
 mod sus_trait_object;
+mod tuple_struct_self_pattern;
 
 static INCLUDE_TEST_ONLY_LINTS: Lazy<bool> =
     Lazy::new(|| std::env::var("PLRUSTC_INCLUDE_TEST_ONLY_LINTS").is_ok());
@@ -38,6 +39,7 @@ static PLRUST_LINTS: Lazy<Vec<&'static Lint>> = Lazy::new(|| {
         print_macros::PLRUST_PRINT_MACROS,
         stdio::PLRUST_STDIO,
         sus_trait_object::PLRUST_SUSPICIOUS_TRAIT_OBJECT,
+        tuple_struct_self_pattern::PLRUST_TUPLE_STRUCT_SELF_PATTERN,
     ];
     if *INCLUDE_TEST_ONLY_LINTS {
         let test_only_lints = [force_ice::PLRUST_TEST_ONLY_FORCE_ICE];
@@ -83,6 +85,7 @@ pub fn register(store: &mut LintStore, _sess: &Session) {
     store.register_late_pass(move |_| Box::new(stdio::PlrustPrintFunctions));
     store.register_late_pass(move |_| Box::new(extern_blocks::NoExternBlockPass));
     store.register_late_pass(move |_| Box::new(lifetime_param_trait::LifetimeParamTraitPass));
+    store.register_late_pass(move |_| Box::new(tuple_struct_self_pattern::TupleStructSelfPat));
 
     if *INCLUDE_TEST_ONLY_LINTS {
         store.register_early_pass(move || Box::new(force_ice::PlrustcForceIce));

plrustc/plrustc/src/lints/tuple_struct_self_pattern.rs

@@ -0,0 +1,46 @@
+// Turn this into a no-op once 1.71.0 hits stable
+// (https://github.com/rust-lang/rust/issues/111220)
+use hir::def::Res;
+use rustc_hir as hir;
+use rustc_lint::{LateContext, LateLintPass, LintContext};
+use rustc_middle::ty;
+
+declare_plrust_lint!(
+    pub(crate) PLRUST_TUPLE_STRUCT_SELF_PATTERN,
+    "`Self` patterns for tuple structs",
+);
+
+rustc_lint_defs::declare_lint_pass!(TupleStructSelfPat => [PLRUST_TUPLE_STRUCT_SELF_PATTERN]);
+
+impl<'tcx> LateLintPass<'tcx> for TupleStructSelfPat {
+    fn check_pat(&mut self, cx: &LateContext<'tcx>, pat: &'tcx hir::Pat<'tcx>) {
+        let hir::PatKind::TupleStruct(hir::QPath::Resolved(_, path), ..) = pat.kind else {
+            return;
+        };
+        let Res::SelfCtor(ctor_did) = path.res else {
+            return;
+        };
+        let o: Option<ty::TraitRef> = cx.tcx.impl_trait_ref(ctor_did);
+        let Some(trait_ref) = o else {
+            return;
+        };
+        let self_ty = trait_ref.self_ty();
+        let ty::Adt(adt_def, _) = self_ty.kind() else {
+            return;
+        };
+        let Some(ctor) = adt_def.non_enum_variant().ctor_def_id() else {
+            return;
+        };
+        if !cx
+            .tcx
+            .visibility(ctor)
+            .is_accessible_from(cx.tcx.parent_module(pat.hir_id).to_def_id(), cx.tcx)
+        {
+            cx.lint(
+                PLRUST_TUPLE_STRUCT_SELF_PATTERN,
+                "`Self` pattern on tuple struct used to access private field",
+                |b| b.set_span(pat.span),
+            );
+        }
+    }
+}

plrustc/plrustc/src/main.rs

@@ -7,6 +7,7 @@ extern crate rustc_interface;
 
 extern crate rustc_lint;
 extern crate rustc_lint_defs;
+extern crate rustc_middle;
 extern crate rustc_session;
 extern crate rustc_span;
 

plrustc/plrustc/uitests/tuple_struct_self_pat_box.rs

@@ -0,0 +1,26 @@
+#![crate_type = "lib"]
+
+use core::ptr::NonNull;
+
+trait Bad {
+    fn bad(&mut self);
+}
+impl<T> Bad for Box<T> {
+    fn bad(&mut self) {
+        let Self(ptr, _) = self;
+
+        fn dangling<T, U>() -> U
+        where
+            U: From<NonNull<T>>,
+        {
+            NonNull::dangling().into()
+        }
+
+        *ptr = dangling();
+    }
+}
+
+fn main() {
+    let mut foo = Box::new(123);
+    foo.bad();
+}

plrustc/plrustc/uitests/tuple_struct_self_pat_box.stderr

@@ -0,0 +1,10 @@
+error: `Self` pattern on tuple struct used to access private field
+  --> $DIR/tuple_struct_self_pat_box.rs:10:13
+   |
+LL |         let Self(ptr, _) = self;
+   |             ^^^^^^^^^^^^
+   |
+   = note: `-F plrust-tuple-struct-self-pattern` implied by `-F plrust-lints`
+
+error: aborting due to previous error
+

plrustc/plrustc/uitests/tuple_struct_self_pat_local_priv.rs

@@ -0,0 +1,11 @@
+#![crate_type = "lib"]
+
+mod my {
+    pub struct Foo(&'static str);
+}
+impl AsRef<str> for my::Foo {
+    fn as_ref(&self) -> &str {
+        let Self(s) = self;
+        s
+    }
+}

plrustc/plrustc/uitests/tuple_struct_self_pat_local_priv.stderr

@@ -0,0 +1,10 @@
+error: `Self` pattern on tuple struct used to access private field
+  --> $DIR/tuple_struct_self_pat_local_priv.rs:8:13
+   |
+LL |         let Self(s) = self;
+   |             ^^^^^^^
+   |
+   = note: `-F plrust-tuple-struct-self-pattern` implied by `-F plrust-lints`
+
+error: aborting due to previous error
+

plrustc/plrustc/uitests/tuple_struct_self_pat_should_pass.rs

@@ -0,0 +1,10 @@
+#![crate_type = "lib"]
+
+pub struct Foo(&'static str);
+
+impl AsRef<str> for Foo {
+    fn as_ref(&self) -> &str {
+        let Self(s) = self;
+        s
+    }
+}