error on a safe fn that uses C-variadics

folkertdev · folkertdev · commit 27bb41f598f0 · 2025-05-29T14:02:45.000+02:00
diff --git a/compiler/rustc_ast_passes/messages.ftl b/compiler/rustc_ast_passes/messages.ftl
@@ -24,8 +24,6 @@ ast_passes_auto_super_lifetime = auto traits cannot have super traits or lifetim
     .label = {ast_passes_auto_super_lifetime}
     .suggestion = remove the super traits or lifetime bounds
 
-ast_passes_bad_c_variadic = only foreign, `unsafe extern "C"`, or `unsafe extern "C-unwind"` functions may have a C-variadic arg
-
 ast_passes_bare_fn_invalid_safety = function pointers cannot be declared with `safe` safety qualifier
     .suggestion = remove safe from this item
 
@@ -36,6 +34,13 @@ ast_passes_body_in_extern = incorrect `{$kind}` inside `extern` block
 
 ast_passes_bound_in_context = bounds on `type`s in {$ctx} have no effect
 
+ast_passes_c_variadic_bad_calling_convention =
+    only foreign, `unsafe extern "C"`, or `unsafe extern "C-unwind"` functions may have a C-variadic arg
+
+ast_passes_c_variadic_safe_foreign_function =
+    foreign functions with a C-variadic argument cannot be safe
+    .suggestion = remove the `safe` keyword from this definition
+
 ast_passes_const_and_c_variadic = functions cannot be both `const` and C-variadic
     .const = `const` because of this
     .variadic = C-variadic because of this
diff --git a/compiler/rustc_ast_passes/src/ast_validation.rs b/compiler/rustc_ast_passes/src/ast_validation.rs
@@ -554,7 +554,16 @@ impl<'a> AstValidator<'a> {
         }
 
         match (fk.ctxt(), fk.header()) {
-            (Some(FnCtxt::Foreign), _) => return,
+            (Some(FnCtxt::Foreign), Some(header)) => match header.safety {
+                Safety::Default | Safety::Unsafe(_) => return,
+                Safety::Safe(safe_span) => {
+                    // The span of the "safe " string that should be removed.
+                    let safe_span = safe_span.with_hi(safe_span.hi() + rustc_span::BytePos(1));
+                    self.dcx().emit_err(errors::CVariadicSafeForeignFunction { safe_span });
+                    return;
+                }
+            },
+
             (Some(FnCtxt::Free), Some(header)) => match header.ext {
                 Extern::Explicit(StrLit { symbol_unescaped: sym::C, .. }, _)
                 | Extern::Explicit(StrLit { symbol_unescaped: sym::C_dash_unwind, .. }, _)
diff --git a/compiler/rustc_ast_passes/src/errors.rs b/compiler/rustc_ast_passes/src/errors.rs
@@ -308,12 +308,25 @@ pub(crate) struct ExternItemAscii {
 }
 
 #[derive(Diagnostic)]
-#[diag(ast_passes_bad_c_variadic)]
+#[diag(ast_passes_c_variadic_bad_calling_convention)]
 pub(crate) struct BadCVariadic {
     #[primary_span]
     pub span: Vec<Span>,
 }
 
+#[derive(Diagnostic)]
+#[diag(ast_passes_c_variadic_safe_foreign_function)]
+pub(crate) struct CVariadicSafeForeignFunction {
+    #[primary_span]
+    #[suggestion(
+        ast_passes_suggestion,
+        applicability = "maybe-incorrect",
+        code = "",
+        style = "verbose"
+    )]
+    pub safe_span: Span,
+}
+
 #[derive(Diagnostic)]
 #[diag(ast_passes_item_underscore)]
 pub(crate) struct ItemUnderscore<'a> {
diff --git a/tests/ui/parser/variadic-ffi-semantic-restrictions.rs b/tests/ui/parser/variadic-ffi-semantic-restrictions.rs
@@ -83,3 +83,8 @@ trait T {
     //~^ ERROR only foreign, `unsafe extern "C"`, or `unsafe extern "C-unwind"` functions may have a C-variadic arg
     //~| ERROR `...` must be the last argument of a C-variadic function
 }
+
+unsafe extern "C" {
+    safe fn s_f1(...);
+    //~^ ERROR foreign functions with a C-variadic argument cannot be safe
+}
diff --git a/tests/ui/parser/variadic-ffi-semantic-restrictions.stderr b/tests/ui/parser/variadic-ffi-semantic-restrictions.stderr
@@ -201,6 +201,18 @@ error: only foreign, `unsafe extern "C"`, or `unsafe extern "C-unwind"` function
 LL |     fn t_f6(..., x: isize);
    |             ^^^
 
+error: foreign functions with a C-variadic argument cannot be safe
+  --> $DIR/variadic-ffi-semantic-restrictions.rs:88:5
+   |
+LL |     safe fn s_f1(...);
+   |     ^^^^^
+   |
+help: remove the `safe` keyword from this definition
+   |
+LL -     safe fn s_f1(...);
+LL +     fn s_f1(...);
+   |
+
 error[E0493]: destructor of `VaListImpl<'_>` cannot be evaluated at compile-time
   --> $DIR/variadic-ffi-semantic-restrictions.rs:32:43
    |
@@ -225,6 +237,6 @@ LL |     const fn i_f5(x: isize, ...) {}
    |                             |
    |                             the destructor for this type cannot be evaluated in constant functions
 
-error: aborting due to 36 previous errors
+error: aborting due to 37 previous errors
 
 For more information about this error, try `rustc --explain E0493`.

Original file line number	Diff line number	Diff line change
`@@ -83,3 +83,8 @@ trait T {`
`83`	`83`	//~^ ERROR only foreign, `unsafe extern "C"`, or `unsafe extern "C-unwind"` functions may have a C-variadic arg
`84`	`84`	//~\| ERROR `...` must be the last argument of a C-variadic function
`85`	`85`	`}`
	`86`	`+`
	`87`	`+unsafe extern "C" {`
	`88`	`+ safe fn s_f1(...);`
	`89`	`+ //~^ ERROR foreign functions with a C-variadic argument cannot be safe`
	`90`	`+}`