Make extern blocks without unsafe warn in edition < 2024 and fail afterwards

Author: spastorino

.gitmodules

@@ -20,7 +20,7 @@
 	shallow = true
 [submodule "library/stdarch"]
 	path = library/stdarch
-	url = https://github.com/rust-lang/stdarch.git
+	url = https://github.com/spastorino/stdarch.git
 	shallow = true
 [submodule "src/doc/rustc-dev-guide"]
 	path = src/doc/rustc-dev-guide

compiler/rustc_ast_passes/messages.ftl

@@ -76,6 +76,8 @@ ast_passes_extern_item_ascii = items in `extern` blocks cannot use non-ascii ide
 
 ast_passes_extern_keyword_link = for more information, visit https://doc.rust-lang.org/std/keyword.extern.html
 
+ast_passes_extern_missing_unsafe = extern blocks should be unsafe
+
 ast_passes_extern_types_cannot = `type`s inside `extern` blocks cannot have {$descr}
     .suggestion = remove the {$remove_descr}
     .label = `extern` block begins here

compiler/rustc_ast_passes/src/ast_validation.rs

@@ -15,7 +15,8 @@ use rustc_data_structures::fx::FxIndexMap;
 use rustc_feature::Features;
 use rustc_parse::validate_attr;
 use rustc_session::lint::builtin::{
-    DEPRECATED_WHERE_CLAUSE_LOCATION, MISSING_ABI, PATTERNS_IN_FNS_WITHOUT_BODY,
+    DEPRECATED_WHERE_CLAUSE_LOCATION, MISSING_ABI, MISSING_UNSAFE_ON_EXTERN,
+    PATTERNS_IN_FNS_WITHOUT_BODY,
 };
 use rustc_session::lint::{BuiltinLintDiag, LintBuffer};
 use rustc_session::Session;
@@ -1021,12 +1022,23 @@ impl<'a> Visitor<'a> for AstValidator<'a> {
                 walk_list!(self, visit_attribute, &item.attrs);
                 return; // Avoid visiting again.
             }
-            ItemKind::ForeignMod(ForeignMod { abi, .. }) => {
+            ItemKind::ForeignMod(ForeignMod { abi, unsafety, .. }) => {
                 let old_item = mem::replace(&mut self.extern_mod, Some(item));
                 self.visibility_not_permitted(
                     &item.vis,
                     errors::VisibilityNotPermittedNote::IndividualForeignItems,
                 );
+
+                if &Unsafe::No == unsafety {
+                    self.lint_buffer.buffer_lint_with_diagnostic(
+                        MISSING_UNSAFE_ON_EXTERN,
+                        item.id,
+                        item.span,
+                        fluent::ast_passes_extern_missing_unsafe,
+                        BuiltinLintDiag::Normal,
+                    );
+                }
+
                 if abi.is_none() {
                     self.maybe_lint_missing_abi(item.span, item.id);
                 }

compiler/rustc_lint_defs/src/builtin.rs

@@ -67,6 +67,7 @@ declare_lint_pass! {
         META_VARIABLE_MISUSE,
         MISSING_ABI,
         MISSING_FRAGMENT_SPECIFIER,
+        MISSING_UNSAFE_ON_EXTERN,
         MUST_NOT_SUSPEND,
         NAMED_ARGUMENTS_USED_POSITIONALLY,
         NON_CONTIGUOUS_RANGE_ENDPOINTS,
@@ -4741,3 +4742,31 @@ declare_lint! {
     };
     crate_level_only
 }
+
+declare_lint! {
+    /// The `missing_unsafe_on_extern` lint detects missing unsafe keyword on extern declarations.
+    ///
+    /// ### Example
+    ///
+    /// ```rust
+    /// extern "C" {
+    ///     fn foo(_: i32);
+    /// }
+    /// ```
+    ///
+    /// {{produces}}
+    ///
+    /// ### Explanation
+    ///
+    /// Declaring extern items, even without ever using them, can cause Undefined Behavior. We
+    /// should consider all sources of Undefined Behavior to be unsafe.
+    ///
+    /// This is a [future-incompatible] lint to transition this to a
+    /// hard error in the future.
+    ///
+    /// [future-incompatible]: ../index.md#future-incompatible-lints
+    pub MISSING_UNSAFE_ON_EXTERN,
+    Warn,
+    "detects missing unsafe keyword on extern declarations",
+    @edition Edition2024 => Deny;
+}

library/alloc/src/lib.rs

@@ -90,6 +90,7 @@
 //
 // Library features:
 // tidy-alphabetical-start
+#![cfg_attr(not(bootstrap), allow(missing_unsafe_on_extern))]
 #![cfg_attr(not(no_global_oom_handling), feature(const_alloc_error))]
 #![cfg_attr(not(no_global_oom_handling), feature(const_btree_len))]
 #![cfg_attr(test, feature(is_sorted))]

library/core/src/lib.rs

@@ -103,6 +103,7 @@
 #![allow(incomplete_features)]
 #![warn(multiple_supertrait_upcastable)]
 #![allow(internal_features)]
+#![cfg_attr(not(bootstrap), allow(missing_unsafe_on_extern))]
 #![deny(ffi_unwind_calls)]
 // Do not check link redundancy on bootstraping phase
 #![allow(rustdoc::redundant_explicit_links)]

library/panic_unwind/src/lib.rs

@@ -28,6 +28,8 @@
 // `real_imp` is unused with Miri, so silence warnings.
 #![cfg_attr(miri, allow(dead_code))]
 #![allow(internal_features)]
+#![allow(unknown_lints)]
+#![allow(missing_unsafe_on_extern)]
 
 use alloc::boxed::Box;
 use core::any::Any;

library/std/src/lib.rs

@@ -247,6 +247,7 @@
 #![warn(deprecated_in_future)]
 #![warn(missing_docs)]
 #![warn(missing_debug_implementations)]
+#![cfg_attr(not(bootstrap), allow(missing_unsafe_on_extern))]
 #![allow(explicit_outlives_requirements)]
 #![allow(unused_lifetimes)]
 #![allow(internal_features)]

library/stdarch

@@ -11,6 +11,8 @@
     feature(link_llvm_intrinsics)
 )]
 #![allow(internal_features)]
+#![allow(unknown_lints)]
+#![allow(missing_unsafe_on_extern)]
 
 // Force libc to be included even if unused. This is required by many platforms.
 #[cfg(not(all(windows, target_env = "msvc")))]

library/unwind/src/lib.rs

@@ -2625,6 +2625,9 @@ impl<'test> TestCx<'test> {
             rustc.args(&["-A", "unused"]);
         }
 
+        // FIXME: add unsafe to all extern blocks in tests
+        rustc.args(&["-A", "missing_unsafe_on_extern"]);
+
         // Allow tests to use internal features.
         rustc.args(&["-A", "internal_features"]);