Lint against &T to &mut T and &T to &UnsafeCell<T> transmutes

This adds the lint against `&T`->`&UnsafeCell<T>` transmutes, and also check in struct fields, and reference casts (`&*(&a as *const u8 as *const UnsafeCell<u8>)`).

The code is quite complex; I've tried my best to simplify and comment it.

This is missing one parts: array transmutes. When transmuting an array, this only consider the first element. The reason for that is that the code is already quite complex, and I didn't want to complicate it more.
This catches the most common pattern of transmuting an array into an array of the same length with type of the same size; more complex cases are likely not properly handled.
We could take a bigger sample, for example the first and last elements to increase the chance that the lint will catch mistakes, but then the runtime complexity becomes exponential with the nesting of the arrays (`[[[[[T; 2]; 2]; 2]; 2]; 2]` has complexity of O(2**5), for instance).

Author: ChayimFriedman2

compiler/rustc_lint/messages.ftl

@@ -119,6 +119,12 @@ lint_builtin_missing_doc = missing documentation for {$article} {$desc}
 
 lint_builtin_mutable_transmutes =
     transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
+    .note = transmute from `{$from}` to `{$to}`
+
+lint_unsafe_cell_reference_casting =
+    casting `&T` to `&UnsafeCell<T>` is undefined behavior, even if the reference is unused, consider using an `UnsafeCell` on the original data
+    .label = casting happend here
+    .note = cast from `{$from}` to `{$to}`
 
 lint_builtin_no_mangle_fn = declaration of a `no_mangle` function
 lint_builtin_no_mangle_generic = functions generic over types or consts must be mangled
@@ -169,6 +175,10 @@ lint_builtin_unreachable_pub = unreachable `pub` {$what}
 
 lint_builtin_unsafe_block = usage of an `unsafe` block
 
+lint_builtin_unsafe_cell_transmutes =
+    transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+    .note = transmute from `{$from}` to `{$to}`
+
 lint_builtin_unsafe_extern_block = usage of an `unsafe extern` block
 
 lint_builtin_unsafe_impl = implementation of an `unsafe` trait

compiler/rustc_lint/src/builtin.rs

@@ -29,10 +29,9 @@ use crate::{
         BuiltinEllipsisInclusiveRangePatternsLint, BuiltinExplicitOutlives,
         BuiltinExplicitOutlivesSuggestion, BuiltinFeatureIssueNote, BuiltinIncompleteFeatures,
         BuiltinIncompleteFeaturesHelp, BuiltinInternalFeatures, BuiltinKeywordIdents,
-        BuiltinMissingCopyImpl, BuiltinMissingDebugImpl, BuiltinMissingDoc,
-        BuiltinMutablesTransmutes, BuiltinNoMangleGeneric, BuiltinNonShorthandFieldPatterns,
-        BuiltinSpecialModuleNameUsed, BuiltinTrivialBounds, BuiltinTypeAliasBounds,
-        BuiltinUngatedAsyncFnTrackCaller, BuiltinUnpermittedTypeInit,
+        BuiltinMissingCopyImpl, BuiltinMissingDebugImpl, BuiltinMissingDoc, BuiltinNoMangleGeneric,
+        BuiltinNonShorthandFieldPatterns, BuiltinSpecialModuleNameUsed, BuiltinTrivialBounds,
+        BuiltinTypeAliasBounds, BuiltinUngatedAsyncFnTrackCaller, BuiltinUnpermittedTypeInit,
         BuiltinUnpermittedTypeInitSub, BuiltinUnreachablePub, BuiltinUnsafe,
         BuiltinUnstableFeatures, BuiltinUnusedDocComment, BuiltinUnusedDocCommentSub,
         BuiltinWhileTrue, InvalidAsmLabel,
@@ -1103,72 +1102,6 @@ impl<'tcx> LateLintPass<'tcx> for InvalidNoMangleItems {
     }
 }
 
-declare_lint! {
-    /// The `mutable_transmutes` lint catches transmuting from `&T` to `&mut
-    /// T` because it is [undefined behavior].
-    ///
-    /// [undefined behavior]: https://doc.rust-lang.org/reference/behavior-considered-undefined.html
-    ///
-    /// ### Example
-    ///
-    /// ```rust,compile_fail
-    /// unsafe {
-    ///     let y = std::mem::transmute::<&i32, &mut i32>(&5);
-    /// }
-    /// ```
-    ///
-    /// {{produces}}
-    ///
-    /// ### Explanation
-    ///
-    /// Certain assumptions are made about aliasing of data, and this transmute
-    /// violates those assumptions. Consider using [`UnsafeCell`] instead.
-    ///
-    /// [`UnsafeCell`]: https://doc.rust-lang.org/std/cell/struct.UnsafeCell.html
-    MUTABLE_TRANSMUTES,
-    Deny,
-    "transmuting &T to &mut T is undefined behavior, even if the reference is unused"
-}
-
-declare_lint_pass!(MutableTransmutes => [MUTABLE_TRANSMUTES]);
-
-impl<'tcx> LateLintPass<'tcx> for MutableTransmutes {
-    fn check_expr(&mut self, cx: &LateContext<'_>, expr: &hir::Expr<'_>) {
-        if let Some((&ty::Ref(_, _, from_mutbl), &ty::Ref(_, _, to_mutbl))) =
-            get_transmute_from_to(cx, expr).map(|(ty1, ty2)| (ty1.kind(), ty2.kind()))
-        {
-            if from_mutbl < to_mutbl {
-                cx.emit_span_lint(MUTABLE_TRANSMUTES, expr.span, BuiltinMutablesTransmutes);
-            }
-        }
-
-        fn get_transmute_from_to<'tcx>(
-            cx: &LateContext<'tcx>,
-            expr: &hir::Expr<'_>,
-        ) -> Option<(Ty<'tcx>, Ty<'tcx>)> {
-            let def = if let hir::ExprKind::Path(ref qpath) = expr.kind {
-                cx.qpath_res(qpath, expr.hir_id)
-            } else {
-                return None;
-            };
-            if let Res::Def(DefKind::Fn, did) = def {
-                if !def_id_is_transmute(cx, did) {
-                    return None;
-                }
-                let sig = cx.typeck_results().node_type(expr.hir_id).fn_sig(cx.tcx);
-                let from = sig.inputs().skip_binder()[0];
-                let to = sig.output().skip_binder();
-                return Some((from, to));
-            }
-            None
-        }
-
-        fn def_id_is_transmute(cx: &LateContext<'_>, def_id: DefId) -> bool {
-            cx.tcx.is_intrinsic(def_id, sym::transmute)
-        }
-    }
-}
-
 declare_lint! {
     /// The `unstable_features` lint detects uses of `#![feature]`.
     ///
@@ -1615,7 +1548,6 @@ declare_lint_pass!(
         UNUSED_DOC_COMMENTS,
         NO_MANGLE_CONST_ITEMS,
         NO_MANGLE_GENERIC_ITEMS,
-        MUTABLE_TRANSMUTES,
         UNSTABLE_FEATURES,
         UNREACHABLE_PUB,
         TYPE_ALIAS_BOUNDS,

compiler/rustc_lint/src/lib.rs

@@ -65,6 +65,7 @@ mod macro_expr_fragment_specifier_2024_migration;
 mod map_unit_fn;
 mod methods;
 mod multiple_supertrait_upcastable;
+mod mutable_transmutes;
 mod non_ascii_idents;
 mod non_fmt_panic;
 mod non_local_def;
@@ -105,6 +106,7 @@ use macro_expr_fragment_specifier_2024_migration::*;
 use map_unit_fn::*;
 use methods::*;
 use multiple_supertrait_upcastable::*;
+use mutable_transmutes::*;
 use non_ascii_idents::*;
 use non_fmt_panic::NonPanicFmt;
 use non_local_def::*;
@@ -209,6 +211,7 @@ late_lint_methods!(
             // Depends on referenced function signatures in expressions
             PtrNullChecks: PtrNullChecks,
             MutableTransmutes: MutableTransmutes,
+            UnsafeCellReferenceCasting: UnsafeCellReferenceCasting,
             TypeAliasBounds: TypeAliasBounds,
             TrivialConstraints: TrivialConstraints,
             TypeLimits: TypeLimits::new(),

compiler/rustc_lint/src/lints.rs

@@ -225,9 +225,34 @@ pub struct BuiltinConstNoMangle {
     pub suggestion: Span,
 }
 
+// mutable_transmutes.rs
 #[derive(LintDiagnostic)]
 #[diag(lint_builtin_mutable_transmutes)]
-pub struct BuiltinMutablesTransmutes;
+#[note]
+pub struct BuiltinMutablesTransmutes {
+    pub from: String,
+    pub to: String,
+}
+
+// mutable_transmutes.rs
+#[derive(LintDiagnostic)]
+#[diag(lint_builtin_unsafe_cell_transmutes)]
+#[note]
+pub struct BuiltinUnsafeCellTransmutes {
+    pub from: String,
+    pub to: String,
+}
+
+// mutable_transmutes.rs
+#[derive(LintDiagnostic)]
+#[diag(lint_unsafe_cell_reference_casting)]
+#[note]
+pub struct UnsafeCellReferenceCastingDiag {
+    #[label]
+    pub orig_cast: Option<Span>,
+    pub from: String,
+    pub to: String,
+}
 
 #[derive(LintDiagnostic)]
 #[diag(lint_builtin_unstable_features)]

compiler/rustc_lint/src/mutable_transmutes.rs

@@ -1,5 +1,6 @@
 // Should not rely on the aliasing model for its failure.
 //@compile-flags: -Zmiri-disable-stacked-borrows
+#![allow(unsafe_cell_reference_casting)]
 
 use std::sync::atomic::{AtomicI32, Ordering};
 

src/tools/miri/tests/fail/concurrency/read_only_atomic_cmpxchg.rs

@@ -1,5 +1,6 @@
 // Should not rely on the aliasing model for its failure.
 //@compile-flags: -Zmiri-disable-stacked-borrows
+#![allow(unsafe_cell_reference_casting)]
 
 use std::sync::atomic::{AtomicI32, Ordering};
 

src/tools/miri/tests/fail/concurrency/read_only_atomic_load_acquire.rs

@@ -1,5 +1,6 @@
 // Stacked Borrows doesn't like this.
 //@compile-flags: -Zmiri-tree-borrows
+#![allow(unsafe_cell_reference_casting)]
 
 use std::sync::atomic::*;
 

src/tools/miri/tests/pass/atomic-readonly-load.rs

@@ -1,4 +1,5 @@
 //@compile-flags: -Zmiri-tree-borrows
+#![allow(unsafe_cell_transmutes)]
 
 //! Testing `mem::transmute` between types with and without interior mutability.
 //! All transmutations should work, as long as we don't do any actual accesses

src/tools/miri/tests/pass/tree_borrows/transmute-unsafecell.rs

@@ -4,6 +4,7 @@ warning: transmuting &T to &mut T is undefined behavior, even if the reference i
 LL |         let y = std::mem::transmute::<&i32, &mut i32>(&5);
    |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |
+   = note: transmute from `&i32` to `&mut i32`
    = note: requested on the command line with `--force-warn mutable-transmutes`
 
 warning: 1 warning emitted

tests/ui/lint/force-warn/allowed-cli-deny-by-default-lint.stderr

@@ -4,6 +4,7 @@ warning: transmuting &T to &mut T is undefined behavior, even if the reference i
 LL |         let y = std::mem::transmute::<&i32, &mut i32>(&5);
    |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |
+   = note: transmute from `&i32` to `&mut i32`
    = note: requested on the command line with `--force-warn mutable-transmutes`
 
 warning: 1 warning emitted

tests/ui/lint/force-warn/allowed-deny-by-default-lint.stderr

@@ -4,6 +4,7 @@ warning: transmuting &T to &mut T is undefined behavior, even if the reference i
 LL |         let y = std::mem::transmute::<&i32, &mut i32>(&5);
    |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |
+   = note: transmute from `&i32` to `&mut i32`
    = note: requested on the command line with `--force-warn mutable-transmutes`
 
 warning: 1 warning emitted

tests/ui/lint/force-warn/deny-by-default-lint.stderr

@@ -0,0 +1,7 @@
+//@ check-pass
+
+use std::mem::transmute;
+
+fn main() {
+    let _a: &mut u8 = unsafe { transmute(&mut 0u8) };
+}

tests/ui/lint/mutable_transmutes/allow_mut_to_mut.rs

@@ -0,0 +1,9 @@
+//@ check-pass
+
+use std::cell::UnsafeCell;
+use std::mem::transmute;
+
+fn main() {
+    let _a: &mut UnsafeCell<u8> = unsafe { transmute(&mut 0u8) };
+    let _a: &UnsafeCell<u8> = unsafe { transmute(&mut 0u8) };
+}

tests/ui/lint/mutable_transmutes/allow_mut_to_unsafecell.rs

@@ -0,0 +1,8 @@
+//@ check-pass
+
+use std::cell::UnsafeCell;
+use std::mem::transmute;
+
+fn main() {
+    let _a: &UnsafeCell<u8> = unsafe { transmute(&UnsafeCell::new(0u8)) };
+}

tests/ui/lint/mutable_transmutes/allow_unsafecell_to_unsafecell.rs

@@ -0,0 +1,6 @@
+use std::mem::transmute;
+
+fn main() {
+    let _a: [&mut u8; 2] = unsafe { transmute([&1u8; 2]) };
+    //~^ ERROR transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
+}

tests/ui/lint/mutable_transmutes/array.rs

@@ -0,0 +1,11 @@
+error: transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
+  --> $DIR/array.rs:4:37
+   |
+LL |     let _a: [&mut u8; 2] = unsafe { transmute([&1u8; 2]) };
+   |                                     ^^^^^^^^^
+   |
+   = note: transmute from `[&u8; 2][0]` to `[&mut u8; 2][0]`
+   = note: `#[deny(mutable_transmutes)]` on by default
+
+error: aborting due to 1 previous error
+

tests/ui/lint/mutable_transmutes/array.stderr

@@ -0,0 +1,45 @@
+use std::cell::UnsafeCell;
+use std::mem::transmute;
+
+#[repr(transparent)]
+struct A {
+    a: B,
+}
+#[repr(transparent)]
+struct B {
+    b: C,
+}
+#[repr(transparent)]
+struct C {
+    c: &'static D,
+}
+#[repr(transparent)]
+struct D {
+    d: UnsafeCell<u8>,
+}
+
+#[repr(transparent)]
+struct E {
+    e: F,
+}
+#[repr(transparent)]
+struct F {
+    f: &'static G,
+}
+#[repr(transparent)]
+struct G {
+    g: H,
+}
+#[repr(transparent)]
+struct H {
+    h: u8,
+}
+
+fn main() {
+    let _: A = unsafe { transmute(&1u8) };
+    //~^ ERROR transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+    let _: A = unsafe { transmute(E { e: F { f: &G { g: H { h: 0 } } } }) };
+    //~^ ERROR transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+    let _: &'static UnsafeCell<u8> = unsafe { transmute(E { e: F { f: &G { g: H { h: 0 } } } }) };
+    //~^ ERROR transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+}

tests/ui/lint/mutable_transmutes/diag_includes_field_names.rs

@@ -0,0 +1,27 @@
+error: transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+  --> $DIR/diag_includes_field_names.rs:39:25
+   |
+LL |     let _: A = unsafe { transmute(&1u8) };
+   |                         ^^^^^^^^^
+   |
+   = note: transmute from `*&u8` to `(*A.a.b.c).d`
+   = note: `#[deny(unsafe_cell_transmutes)]` on by default
+
+error: transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+  --> $DIR/diag_includes_field_names.rs:41:25
+   |
+LL |     let _: A = unsafe { transmute(E { e: F { f: &G { g: H { h: 0 } } } }) };
+   |                         ^^^^^^^^^
+   |
+   = note: transmute from `(*E.e.f).g.h` to `(*A.a.b.c).d`
+
+error: transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+  --> $DIR/diag_includes_field_names.rs:43:47
+   |
+LL |     let _: &'static UnsafeCell<u8> = unsafe { transmute(E { e: F { f: &G { g: H { h: 0 } } } }) };
+   |                                               ^^^^^^^^^
+   |
+   = note: transmute from `(*E.e.f).g.h` to `*&UnsafeCell<u8>`
+
+error: aborting due to 3 previous errors
+

tests/ui/lint/mutable_transmutes/diag_includes_field_names.stderr

@@ -1,9 +1,10 @@
 error: transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
-  --> $DIR/transmute-imut-to-mut.rs:6:32
+  --> $DIR/imm_to_mut.rs:6:32
    |
 LL |     let _a: &mut u8 = unsafe { transmute(&1u8) };
    |                                ^^^^^^^^^
    |
+   = note: transmute from `&u8` to `&mut u8`
    = note: `#[deny(mutable_transmutes)]` on by default
 
 error: aborting due to 1 previous error

tests/ui/transmute/transmute-imut-to-mut.rs renamed to tests/ui/lint/mutable_transmutes/imm_to_mut.rs

@@ -0,0 +1,7 @@
+use std::cell::UnsafeCell;
+use std::mem::transmute;
+
+fn main() {
+    let _a: &UnsafeCell<u8> = unsafe { transmute(&1u8) };
+    //~^ ERROR transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+}

tests/ui/transmute/transmute-imut-to-mut.stderr renamed to tests/ui/lint/mutable_transmutes/imm_to_mut.stderr

@@ -0,0 +1,11 @@
+error: transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+  --> $DIR/imm_to_unsafecelll.rs:5:40
+   |
+LL |     let _a: &UnsafeCell<u8> = unsafe { transmute(&1u8) };
+   |                                        ^^^^^^^^^
+   |
+   = note: transmute from `*&u8` to `*&UnsafeCell<u8>`
+   = note: `#[deny(unsafe_cell_transmutes)]` on by default
+
+error: aborting due to 1 previous error
+

tests/ui/lint/mutable_transmutes/imm_to_unsafecelll.rs

@@ -0,0 +1,22 @@
+use std::cell::UnsafeCell;
+use std::mem::transmute;
+
+#[repr(C)]
+struct Foo<T> {
+    a: u32,
+    b: Bar<T>,
+}
+#[repr(C)]
+struct Bar<T>(Baz<T>);
+#[repr(C)]
+struct Baz<T>(T);
+
+#[repr(C)]
+struct Other(&'static u8, &'static u8);
+
+fn main() {
+    let _: Foo<&'static mut u8> = unsafe { transmute(Other(&1u8, &1u8)) };
+    //~^ ERROR transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
+    let _: Foo<&'static UnsafeCell<u8>> = unsafe { transmute(Other(&1u8, &1u8)) };
+    //~^ ERROR transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+}

tests/ui/lint/mutable_transmutes/imm_to_unsafecelll.stderr

@@ -0,0 +1,20 @@
+error: transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
+  --> $DIR/nested_field.rs:18:44
+   |
+LL |     let _: Foo<&'static mut u8> = unsafe { transmute(Other(&1u8, &1u8)) };
+   |                                            ^^^^^^^^^
+   |
+   = note: transmute from `Other.1` to `Foo<&mut u8>.b.0.0`
+   = note: `#[deny(mutable_transmutes)]` on by default
+
+error: transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+  --> $DIR/nested_field.rs:20:52
+   |
+LL |     let _: Foo<&'static UnsafeCell<u8>> = unsafe { transmute(Other(&1u8, &1u8)) };
+   |                                                    ^^^^^^^^^
+   |
+   = note: transmute from `*Other.1` to `*Foo<&UnsafeCell<u8>>.b.0.0`
+   = note: `#[deny(unsafe_cell_transmutes)]` on by default
+
+error: aborting due to 2 previous errors
+

tests/ui/lint/mutable_transmutes/nested_field.rs

@@ -0,0 +1,18 @@
+// This test checks that transmuting part of `&T` to part of `&mut T` errors.
+// I don't think this is necessary or common, but this is what the current code does.
+
+use std::cell::UnsafeCell;
+use std::mem::transmute;
+
+#[repr(C, packed)]
+struct Foo<T>(u8, T);
+
+#[repr(C, packed)]
+struct Bar(&'static u8, u8);
+
+fn main() {
+    let _: Foo<&'static mut u8> = unsafe { transmute(Bar(&1u8, 0)) };
+    //~^ ERROR transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
+    let _: Foo<&'static UnsafeCell<u8>> = unsafe { transmute(Bar(&1u8, 0)) };
+    //~^ ERROR transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+}

tests/ui/lint/mutable_transmutes/nested_field.stderr

@@ -0,0 +1,20 @@
+error: transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
+  --> $DIR/partially_overlapping.rs:14:44
+   |
+LL |     let _: Foo<&'static mut u8> = unsafe { transmute(Bar(&1u8, 0)) };
+   |                                            ^^^^^^^^^
+   |
+   = note: transmute from `Bar.0` to `Foo<&mut u8>.1`
+   = note: `#[deny(mutable_transmutes)]` on by default
+
+error: transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+  --> $DIR/partially_overlapping.rs:16:52
+   |
+LL |     let _: Foo<&'static UnsafeCell<u8>> = unsafe { transmute(Bar(&1u8, 0)) };
+   |                                                    ^^^^^^^^^
+   |
+   = note: transmute from `*Bar.0` to `*Foo<&UnsafeCell<u8>>.1`
+   = note: `#[deny(unsafe_cell_transmutes)]` on by default
+
+error: aborting due to 2 previous errors
+

tests/ui/lint/mutable_transmutes/partially_overlapping.rs

@@ -0,0 +1,12 @@
+use std::cell::UnsafeCell;
+use std::mem::transmute;
+
+#[repr(C)]
+struct Foo(&'static u8, &'static u8);
+#[repr(C)]
+struct Bar(&'static UnsafeCell<u8>, &'static mut u8);
+
+fn main() {
+    let _a: Bar = unsafe { transmute(Foo(&0, &0)) };
+    //~^ ERROR transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+}

tests/ui/lint/mutable_transmutes/partially_overlapping.stderr

@@ -0,0 +1,11 @@
+error: transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+  --> $DIR/report_only_first_error.rs:10:28
+   |
+LL |     let _a: Bar = unsafe { transmute(Foo(&0, &0)) };
+   |                            ^^^^^^^^^
+   |
+   = note: transmute from `*Foo.0` to `*Bar.0`
+   = note: `#[deny(unsafe_cell_transmutes)]` on by default
+
+error: aborting due to 1 previous error
+

tests/ui/lint/mutable_transmutes/report_only_first_error.rs

@@ -0,0 +1,21 @@
+use std::cell::UnsafeCell;
+
+#[repr(C)]
+struct A {
+    a: u64,
+    b: u32,
+    c: u32,
+}
+
+#[repr(C)]
+struct B {
+    a: u64,
+    b: UnsafeCell<u32>,
+    c: u32,
+}
+
+fn main() {
+    let a = A { a: 0, b: 0, c: 0 };
+    let _b = unsafe { &*(&a as *const A as *const B) };
+    //~^ ERROR casting `&T` to `&UnsafeCell<T>` is undefined behavior, even if the reference is unused, consider using an `UnsafeCell` on the original data
+}

tests/ui/lint/mutable_transmutes/report_only_first_error.stderr

@@ -0,0 +1,11 @@
+error: casting `&T` to `&UnsafeCell<T>` is undefined behavior, even if the reference is unused, consider using an `UnsafeCell` on the original data
+  --> $DIR/unsafe_cell_reference_casting.rs:19:23
+   |
+LL |     let _b = unsafe { &*(&a as *const A as *const B) };
+   |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   |
+   = note: cast from `A.b` to `B.b`
+   = note: `#[deny(unsafe_cell_reference_casting)]` on by default
+
+error: aborting due to 1 previous error
+

tests/ui/lint/mutable_transmutes/unsafe_cell_reference_casting.rs

@@ -0,0 +1,19 @@
+use std::cell::UnsafeCell;
+
+#[repr(C)]
+struct A<T: ?Sized> {
+    a: u32,
+    b: T,
+}
+
+#[repr(C)]
+struct B {
+    a: UnsafeCell<u32>,
+    b: [u32],
+}
+
+fn main() {
+    let a = &A { a: 0, b: [0_u32, 0] } as &A<[u32]>;
+    let _b = unsafe { &*(a as *const A<[u32]> as *const B) };
+    //~^ ERROR casting `&T` to `&UnsafeCell<T>` is undefined behavior, even if the reference is unused, consider using an `UnsafeCell` on the original data
+}

tests/ui/lint/mutable_transmutes/unsafe_cell_reference_casting.stderr

@@ -0,0 +1,11 @@
+error: casting `&T` to `&UnsafeCell<T>` is undefined behavior, even if the reference is unused, consider using an `UnsafeCell` on the original data
+  --> $DIR/unsized.rs:17:23
+   |
+LL |     let _b = unsafe { &*(a as *const A<[u32]> as *const B) };
+   |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   |
+   = note: cast from `A<[u32]>.a` to `B.a`
+   = note: `#[deny(unsafe_cell_reference_casting)]` on by default
+
+error: aborting due to 1 previous error
+