Auto merge of #128351 - ChayimFriedman2:lint-transmute-unsafe-cell, r=<try>

[crater] Lint against &T to &mut T and &T to &UnsafeCell<T> transmutes

Needs a (check-only) crater run as per https://rust-lang.zulipchat.com/#narrow/stream/213817-t-lang/topic/Lint.20against.20.60.26.60-.3E.60.26UnsafeCell.60.20transmutes/near/454868964.

r? ghost

Author: bors

compiler/rustc_lint/messages.ftl

@@ -119,6 +119,7 @@ lint_builtin_missing_doc = missing documentation for {$article} {$desc}
 
 lint_builtin_mutable_transmutes =
     transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
+    .note = transmute from `{$from}` to `{$to}`
 
 lint_builtin_no_mangle_fn = declaration of a `no_mangle` function
 lint_builtin_no_mangle_generic = functions generic over types or consts must be mangled
@@ -169,6 +170,10 @@ lint_builtin_unreachable_pub = unreachable `pub` {$what}
 
 lint_builtin_unsafe_block = usage of an `unsafe` block
 
+lint_builtin_unsafe_cell_transmutes =
+    transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+    .note = transmute from `{$from}` to `{$to}`
+
 lint_builtin_unsafe_extern_block = usage of an `unsafe extern` block
 
 lint_builtin_unsafe_impl = implementation of an `unsafe` trait
@@ -862,6 +867,11 @@ lint_unsafe_attr_outside_unsafe = unsafe attribute used without unsafe
     .label = usage of unsafe attribute
 lint_unsafe_attr_outside_unsafe_suggestion = wrap the attribute in `unsafe(...)`
 
+lint_unsafe_cell_reference_casting =
+    casting `&T` to `&UnsafeCell<T>` is undefined behavior, even if the reference is unused, consider using an `UnsafeCell` on the original data
+    .label = casting happend here
+    .note = cast from `{$from}` to `{$to}`
+
 lint_unsupported_group = `{$lint_group}` lint group is not supported with ´--force-warn´
 
 lint_untranslatable_diag = diagnostics should be created using translatable messages

compiler/rustc_lint/src/builtin.rs

@@ -61,12 +61,11 @@ use crate::lints::{
     BuiltinEllipsisInclusiveRangePatternsLint, BuiltinExplicitOutlives,
     BuiltinExplicitOutlivesSuggestion, BuiltinFeatureIssueNote, BuiltinIncompleteFeatures,
     BuiltinIncompleteFeaturesHelp, BuiltinInternalFeatures, BuiltinKeywordIdents,
-    BuiltinMissingCopyImpl, BuiltinMissingDebugImpl, BuiltinMissingDoc, BuiltinMutablesTransmutes,
-    BuiltinNoMangleGeneric, BuiltinNonShorthandFieldPatterns, BuiltinSpecialModuleNameUsed,
-    BuiltinTrivialBounds, BuiltinTypeAliasBounds, BuiltinUngatedAsyncFnTrackCaller,
-    BuiltinUnpermittedTypeInit, BuiltinUnpermittedTypeInitSub, BuiltinUnreachablePub,
-    BuiltinUnsafe, BuiltinUnstableFeatures, BuiltinUnusedDocComment, BuiltinUnusedDocCommentSub,
-    BuiltinWhileTrue, InvalidAsmLabel,
+    BuiltinMissingCopyImpl, BuiltinMissingDebugImpl, BuiltinMissingDoc, BuiltinNoMangleGeneric,
+    BuiltinNonShorthandFieldPatterns, BuiltinSpecialModuleNameUsed, BuiltinTrivialBounds,
+    BuiltinTypeAliasBounds, BuiltinUngatedAsyncFnTrackCaller, BuiltinUnpermittedTypeInit,
+    BuiltinUnpermittedTypeInitSub, BuiltinUnreachablePub, BuiltinUnsafe, BuiltinUnstableFeatures,
+    BuiltinUnusedDocComment, BuiltinUnusedDocCommentSub, BuiltinWhileTrue, InvalidAsmLabel,
 };
 use crate::nonstandard_style::{method_context, MethodLateContext};
 use crate::{
@@ -1100,72 +1099,6 @@ impl<'tcx> LateLintPass<'tcx> for InvalidNoMangleItems {
     }
 }
 
-declare_lint! {
-    /// The `mutable_transmutes` lint catches transmuting from `&T` to `&mut
-    /// T` because it is [undefined behavior].
-    ///
-    /// [undefined behavior]: https://doc.rust-lang.org/reference/behavior-considered-undefined.html
-    ///
-    /// ### Example
-    ///
-    /// ```rust,compile_fail
-    /// unsafe {
-    ///     let y = std::mem::transmute::<&i32, &mut i32>(&5);
-    /// }
-    /// ```
-    ///
-    /// {{produces}}
-    ///
-    /// ### Explanation
-    ///
-    /// Certain assumptions are made about aliasing of data, and this transmute
-    /// violates those assumptions. Consider using [`UnsafeCell`] instead.
-    ///
-    /// [`UnsafeCell`]: https://doc.rust-lang.org/std/cell/struct.UnsafeCell.html
-    MUTABLE_TRANSMUTES,
-    Deny,
-    "transmuting &T to &mut T is undefined behavior, even if the reference is unused"
-}
-
-declare_lint_pass!(MutableTransmutes => [MUTABLE_TRANSMUTES]);
-
-impl<'tcx> LateLintPass<'tcx> for MutableTransmutes {
-    fn check_expr(&mut self, cx: &LateContext<'_>, expr: &hir::Expr<'_>) {
-        if let Some((&ty::Ref(_, _, from_mutbl), &ty::Ref(_, _, to_mutbl))) =
-            get_transmute_from_to(cx, expr).map(|(ty1, ty2)| (ty1.kind(), ty2.kind()))
-        {
-            if from_mutbl < to_mutbl {
-                cx.emit_span_lint(MUTABLE_TRANSMUTES, expr.span, BuiltinMutablesTransmutes);
-            }
-        }
-
-        fn get_transmute_from_to<'tcx>(
-            cx: &LateContext<'tcx>,
-            expr: &hir::Expr<'_>,
-        ) -> Option<(Ty<'tcx>, Ty<'tcx>)> {
-            let def = if let hir::ExprKind::Path(ref qpath) = expr.kind {
-                cx.qpath_res(qpath, expr.hir_id)
-            } else {
-                return None;
-            };
-            if let Res::Def(DefKind::Fn, did) = def {
-                if !def_id_is_transmute(cx, did) {
-                    return None;
-                }
-                let sig = cx.typeck_results().node_type(expr.hir_id).fn_sig(cx.tcx);
-                let from = sig.inputs().skip_binder()[0];
-                let to = sig.output().skip_binder();
-                return Some((from, to));
-            }
-            None
-        }
-
-        fn def_id_is_transmute(cx: &LateContext<'_>, def_id: DefId) -> bool {
-            cx.tcx.is_intrinsic(def_id, sym::transmute)
-        }
-    }
-}
-
 declare_lint! {
     /// The `unstable_features` lint detects uses of `#![feature]`.
     ///
@@ -1612,7 +1545,6 @@ declare_lint_pass!(
         UNUSED_DOC_COMMENTS,
         NO_MANGLE_CONST_ITEMS,
         NO_MANGLE_GENERIC_ITEMS,
-        MUTABLE_TRANSMUTES,
         UNSTABLE_FEATURES,
         UNREACHABLE_PUB,
         TYPE_ALIAS_BOUNDS,

compiler/rustc_lint/src/lib.rs

@@ -65,6 +65,7 @@ mod macro_expr_fragment_specifier_2024_migration;
 mod map_unit_fn;
 mod methods;
 mod multiple_supertrait_upcastable;
+mod mutable_transmutes;
 mod non_ascii_idents;
 mod non_fmt_panic;
 mod non_local_def;
@@ -99,6 +100,7 @@ use macro_expr_fragment_specifier_2024_migration::*;
 use map_unit_fn::*;
 use methods::*;
 use multiple_supertrait_upcastable::*;
+use mutable_transmutes::*;
 use non_ascii_idents::*;
 use non_fmt_panic::NonPanicFmt;
 use non_local_def::*;
@@ -209,6 +211,7 @@ late_lint_methods!(
             // Depends on referenced function signatures in expressions
             PtrNullChecks: PtrNullChecks,
             MutableTransmutes: MutableTransmutes,
+            UnsafeCellReferenceCasting: UnsafeCellReferenceCasting,
             TypeAliasBounds: TypeAliasBounds,
             TrivialConstraints: TrivialConstraints,
             TypeLimits: TypeLimits::new(),

compiler/rustc_lint/src/lints.rs

@@ -224,9 +224,34 @@ pub struct BuiltinConstNoMangle {
     pub suggestion: Span,
 }
 
+// mutable_transmutes.rs
 #[derive(LintDiagnostic)]
 #[diag(lint_builtin_mutable_transmutes)]
-pub struct BuiltinMutablesTransmutes;
+#[note]
+pub struct BuiltinMutablesTransmutes {
+    pub from: String,
+    pub to: String,
+}
+
+// mutable_transmutes.rs
+#[derive(LintDiagnostic)]
+#[diag(lint_builtin_unsafe_cell_transmutes)]
+#[note]
+pub struct BuiltinUnsafeCellTransmutes {
+    pub from: String,
+    pub to: String,
+}
+
+// mutable_transmutes.rs
+#[derive(LintDiagnostic)]
+#[diag(lint_unsafe_cell_reference_casting)]
+#[note]
+pub struct UnsafeCellReferenceCastingDiag {
+    #[label]
+    pub orig_cast: Option<Span>,
+    pub from: String,
+    pub to: String,
+}
 
 #[derive(LintDiagnostic)]
 #[diag(lint_builtin_unstable_features)]

compiler/rustc_lint/src/mutable_transmutes.rs

@@ -1,5 +1,6 @@
 // Should not rely on the aliasing model for its failure.
 //@compile-flags: -Zmiri-disable-stacked-borrows
+#![allow(unsafe_cell_reference_casting)]
 
 use std::sync::atomic::{AtomicI32, Ordering};
 

src/tools/miri/tests/fail/concurrency/read_only_atomic_cmpxchg.rs

@@ -1,5 +1,6 @@
 // Should not rely on the aliasing model for its failure.
 //@compile-flags: -Zmiri-disable-stacked-borrows
+#![allow(unsafe_cell_reference_casting)]
 
 use std::sync::atomic::{AtomicI32, Ordering};
 

src/tools/miri/tests/fail/concurrency/read_only_atomic_load_acquire.rs

@@ -2,6 +2,7 @@
 //@compile-flags: -Zmiri-disable-stacked-borrows
 // Needs atomic accesses larger than the pointer size
 //@ignore-64bit
+#![allow(unsafe_cell_reference_casting)]
 
 use std::sync::atomic::{AtomicI64, Ordering};
 

src/tools/miri/tests/fail/concurrency/read_only_atomic_load_large.rs

@@ -1,5 +1,6 @@
 // Stacked Borrows doesn't like this.
 //@compile-flags: -Zmiri-tree-borrows
+#![allow(unsafe_cell_reference_casting)]
 
 use std::sync::atomic::*;
 

src/tools/miri/tests/pass/atomic-readonly-load.rs

@@ -1,4 +1,5 @@
 //@compile-flags: -Zmiri-tree-borrows
+#![allow(unsafe_cell_transmutes)]
 
 //! Testing `mem::transmute` between types with and without interior mutability.
 //! All transmutations should work, as long as we don't do any actual accesses

src/tools/miri/tests/pass/tree_borrows/transmute-unsafecell.rs

@@ -4,6 +4,7 @@ warning: transmuting &T to &mut T is undefined behavior, even if the reference i
 LL |         let y = std::mem::transmute::<&i32, &mut i32>(&5);
    |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |
+   = note: transmute from `&i32` to `&mut i32`
    = note: requested on the command line with `--force-warn mutable-transmutes`
 
 warning: 1 warning emitted

tests/ui/lint/force-warn/allowed-cli-deny-by-default-lint.stderr

@@ -4,6 +4,7 @@ warning: transmuting &T to &mut T is undefined behavior, even if the reference i
 LL |         let y = std::mem::transmute::<&i32, &mut i32>(&5);
    |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |
+   = note: transmute from `&i32` to `&mut i32`
    = note: requested on the command line with `--force-warn mutable-transmutes`
 
 warning: 1 warning emitted

tests/ui/lint/force-warn/allowed-deny-by-default-lint.stderr

@@ -4,6 +4,7 @@ warning: transmuting &T to &mut T is undefined behavior, even if the reference i
 LL |         let y = std::mem::transmute::<&i32, &mut i32>(&5);
    |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |
+   = note: transmute from `&i32` to `&mut i32`
    = note: requested on the command line with `--force-warn mutable-transmutes`
 
 warning: 1 warning emitted

tests/ui/lint/force-warn/deny-by-default-lint.stderr

@@ -0,0 +1,7 @@
+//@ check-pass
+
+use std::mem::transmute;
+
+fn main() {
+    let _a: &mut u8 = unsafe { transmute(&mut 0u8) };
+}

tests/ui/lint/mutable_transmutes/allow_mut_to_mut.rs

@@ -0,0 +1,9 @@
+//@ check-pass
+
+use std::cell::UnsafeCell;
+use std::mem::transmute;
+
+fn main() {
+    let _a: &mut UnsafeCell<u8> = unsafe { transmute(&mut 0u8) };
+    let _a: &UnsafeCell<u8> = unsafe { transmute(&mut 0u8) };
+}

tests/ui/lint/mutable_transmutes/allow_mut_to_unsafecell.rs

@@ -0,0 +1,25 @@
+//@ check-pass
+
+use std::cell::UnsafeCell;
+use std::mem::transmute;
+
+#[repr(C)]
+struct A {
+    a: u32,
+    b: UnsafeCell<u32>,
+}
+
+#[repr(C)]
+struct B {
+    a: u32,
+    b: UnsafeCell<u32>,
+}
+
+#[repr(transparent)]
+struct AWrapper(A);
+
+fn main() {
+    let _a: &UnsafeCell<u8> = unsafe { transmute(&UnsafeCell::new(0u8)) };
+    let _a: &B = unsafe { transmute(&A { a: 0, b: UnsafeCell::new(0) }) };
+    let _a: &AWrapper = unsafe { transmute(&A { a: 0, b: UnsafeCell::new(0) }) };
+}

tests/ui/lint/mutable_transmutes/allow_unsafecell_to_unsafecell.rs

@@ -0,0 +1,6 @@
+use std::mem::transmute;
+
+fn main() {
+    let _a: [&mut u8; 2] = unsafe { transmute([&1u8; 2]) };
+    //~^ ERROR transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
+}

tests/ui/lint/mutable_transmutes/array.rs

@@ -0,0 +1,11 @@
+error: transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
+  --> $DIR/array.rs:4:37
+   |
+LL |     let _a: [&mut u8; 2] = unsafe { transmute([&1u8; 2]) };
+   |                                     ^^^^^^^^^
+   |
+   = note: transmute from `[&u8; 2][0]` to `[&mut u8; 2][0]`
+   = note: `#[deny(mutable_transmutes)]` on by default
+
+error: aborting due to 1 previous error
+

tests/ui/lint/mutable_transmutes/array.stderr

@@ -0,0 +1,45 @@
+use std::cell::UnsafeCell;
+use std::mem::transmute;
+
+#[repr(transparent)]
+struct A {
+    a: B,
+}
+#[repr(transparent)]
+struct B {
+    b: C,
+}
+#[repr(transparent)]
+struct C {
+    c: &'static D,
+}
+#[repr(transparent)]
+struct D {
+    d: UnsafeCell<u8>,
+}
+
+#[repr(transparent)]
+struct E {
+    e: F,
+}
+#[repr(transparent)]
+struct F {
+    f: &'static G,
+}
+#[repr(transparent)]
+struct G {
+    g: H,
+}
+#[repr(transparent)]
+struct H {
+    h: u8,
+}
+
+fn main() {
+    let _: A = unsafe { transmute(&1u8) };
+    //~^ ERROR transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+    let _: A = unsafe { transmute(E { e: F { f: &G { g: H { h: 0 } } } }) };
+    //~^ ERROR transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+    let _: &'static UnsafeCell<u8> = unsafe { transmute(E { e: F { f: &G { g: H { h: 0 } } } }) };
+    //~^ ERROR transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+}

tests/ui/lint/mutable_transmutes/diag_includes_field_names.rs

@@ -0,0 +1,27 @@
+error: transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+  --> $DIR/diag_includes_field_names.rs:39:25
+   |
+LL |     let _: A = unsafe { transmute(&1u8) };
+   |                         ^^^^^^^^^
+   |
+   = note: transmute from `*&u8` to `(*A.a.b.c).d`
+   = note: `#[deny(unsafe_cell_transmutes)]` on by default
+
+error: transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+  --> $DIR/diag_includes_field_names.rs:41:25
+   |
+LL |     let _: A = unsafe { transmute(E { e: F { f: &G { g: H { h: 0 } } } }) };
+   |                         ^^^^^^^^^
+   |
+   = note: transmute from `(*E.e.f).g.h` to `(*A.a.b.c).d`
+
+error: transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+  --> $DIR/diag_includes_field_names.rs:43:47
+   |
+LL |     let _: &'static UnsafeCell<u8> = unsafe { transmute(E { e: F { f: &G { g: H { h: 0 } } } }) };
+   |                                               ^^^^^^^^^
+   |
+   = note: transmute from `(*E.e.f).g.h` to `*&UnsafeCell<u8>`
+
+error: aborting due to 3 previous errors
+

tests/ui/lint/mutable_transmutes/diag_includes_field_names.stderr

@@ -1,9 +1,10 @@
 error: transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
-  --> $DIR/transmute-imut-to-mut.rs:6:32
+  --> $DIR/imm_to_mut.rs:6:32
    |
 LL |     let _a: &mut u8 = unsafe { transmute(&1u8) };
    |                                ^^^^^^^^^
    |
+   = note: transmute from `&u8` to `&mut u8`
    = note: `#[deny(mutable_transmutes)]` on by default
 
 error: aborting due to 1 previous error

tests/ui/transmute/transmute-imut-to-mut.rs renamed to tests/ui/lint/mutable_transmutes/imm_to_mut.rs

@@ -0,0 +1,7 @@
+use std::cell::UnsafeCell;
+use std::mem::transmute;
+
+fn main() {
+    let _a: &UnsafeCell<u8> = unsafe { transmute(&1u8) };
+    //~^ ERROR transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+}

tests/ui/transmute/transmute-imut-to-mut.stderr renamed to tests/ui/lint/mutable_transmutes/imm_to_mut.stderr

@@ -0,0 +1,11 @@
+error: transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+  --> $DIR/imm_to_unsafecelll.rs:5:40
+   |
+LL |     let _a: &UnsafeCell<u8> = unsafe { transmute(&1u8) };
+   |                                        ^^^^^^^^^
+   |
+   = note: transmute from `*&u8` to `*&UnsafeCell<u8>`
+   = note: `#[deny(unsafe_cell_transmutes)]` on by default
+
+error: aborting due to 1 previous error
+

tests/ui/lint/mutable_transmutes/imm_to_unsafecelll.rs

@@ -0,0 +1,22 @@
+use std::cell::UnsafeCell;
+use std::mem::transmute;
+
+#[repr(C)]
+struct Foo<T> {
+    a: u32,
+    b: Bar<T>,
+}
+#[repr(C)]
+struct Bar<T>(Baz<T>);
+#[repr(C)]
+struct Baz<T>(T);
+
+#[repr(C)]
+struct Other(&'static u8, &'static u8);
+
+fn main() {
+    let _: Foo<&'static mut u8> = unsafe { transmute(Other(&1u8, &1u8)) };
+    //~^ ERROR transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
+    let _: Foo<&'static UnsafeCell<u8>> = unsafe { transmute(Other(&1u8, &1u8)) };
+    //~^ ERROR transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+}

tests/ui/lint/mutable_transmutes/imm_to_unsafecelll.stderr

@@ -0,0 +1,20 @@
+error: transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
+  --> $DIR/nested_field.rs:18:44
+   |
+LL |     let _: Foo<&'static mut u8> = unsafe { transmute(Other(&1u8, &1u8)) };
+   |                                            ^^^^^^^^^
+   |
+   = note: transmute from `Other.1` to `Foo<&mut u8>.b.0.0`
+   = note: `#[deny(mutable_transmutes)]` on by default
+
+error: transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+  --> $DIR/nested_field.rs:20:52
+   |
+LL |     let _: Foo<&'static UnsafeCell<u8>> = unsafe { transmute(Other(&1u8, &1u8)) };
+   |                                                    ^^^^^^^^^
+   |
+   = note: transmute from `*Other.1` to `*Foo<&UnsafeCell<u8>>.b.0.0`
+   = note: `#[deny(unsafe_cell_transmutes)]` on by default
+
+error: aborting due to 2 previous errors
+

tests/ui/lint/mutable_transmutes/nested_field.rs

@@ -0,0 +1,23 @@
+//@ check-pass
+//@ compile-flags: -Zrandomize-layout -Zlayout-seed=2464363
+
+use std::cell::UnsafeCell;
+
+#[derive(Default)]
+struct A {
+    a: u32,
+    b: u32,
+    c: u32,
+    d: u32,
+    e: UnsafeCell<u32>,
+    f: UnsafeCell<u32>,
+    g: UnsafeCell<u32>,
+    h: UnsafeCell<u32>,
+}
+
+#[repr(transparent)]
+struct B(A);
+
+fn main() {
+    let _b: &B = unsafe { std::mem::transmute(&A::default()) };
+}

tests/ui/lint/mutable_transmutes/nested_field.stderr

@@ -0,0 +1,18 @@
+// This test checks that transmuting part of `&T` to part of `&mut T` errors.
+// I don't think this is necessary or common, but this is what the current code does.
+
+use std::cell::UnsafeCell;
+use std::mem::transmute;
+
+#[repr(C, packed)]
+struct Foo<T>(u8, T);
+
+#[repr(C, packed)]
+struct Bar(&'static u8, u8);
+
+fn main() {
+    let _: Foo<&'static mut u8> = unsafe { transmute(Bar(&1u8, 0)) };
+    //~^ ERROR transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
+    let _: Foo<&'static UnsafeCell<u8>> = unsafe { transmute(Bar(&1u8, 0)) };
+    //~^ ERROR transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+}

tests/ui/lint/mutable_transmutes/non_c_layout.rs

@@ -0,0 +1,20 @@
+error: transmuting &T to &mut T is undefined behavior, even if the reference is unused, consider instead using an UnsafeCell
+  --> $DIR/partially_overlapping.rs:14:44
+   |
+LL |     let _: Foo<&'static mut u8> = unsafe { transmute(Bar(&1u8, 0)) };
+   |                                            ^^^^^^^^^
+   |
+   = note: transmute from `Bar.0` to `Foo<&mut u8>.1`
+   = note: `#[deny(mutable_transmutes)]` on by default
+
+error: transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+  --> $DIR/partially_overlapping.rs:16:52
+   |
+LL |     let _: Foo<&'static UnsafeCell<u8>> = unsafe { transmute(Bar(&1u8, 0)) };
+   |                                                    ^^^^^^^^^
+   |
+   = note: transmute from `*Bar.0` to `*Foo<&UnsafeCell<u8>>.1`
+   = note: `#[deny(unsafe_cell_transmutes)]` on by default
+
+error: aborting due to 2 previous errors
+

tests/ui/lint/mutable_transmutes/partially_overlapping.rs

@@ -0,0 +1,12 @@
+use std::cell::UnsafeCell;
+use std::mem::transmute;
+
+#[repr(C)]
+struct Foo(&'static u8, &'static u8);
+#[repr(C)]
+struct Bar(&'static UnsafeCell<u8>, &'static mut u8);
+
+fn main() {
+    let _a: Bar = unsafe { transmute(Foo(&0, &0)) };
+    //~^ ERROR transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+}

tests/ui/lint/mutable_transmutes/partially_overlapping.stderr

@@ -0,0 +1,11 @@
+error: transmuting &T to &UnsafeCell<T> is undefined behavior, even if the reference is unused, consider using UnsafeCell on the original data
+  --> $DIR/report_only_first_error.rs:10:28
+   |
+LL |     let _a: Bar = unsafe { transmute(Foo(&0, &0)) };
+   |                            ^^^^^^^^^
+   |
+   = note: transmute from `*Foo.0` to `*Bar.0`
+   = note: `#[deny(unsafe_cell_transmutes)]` on by default
+
+error: aborting due to 1 previous error
+

tests/ui/lint/mutable_transmutes/report_only_first_error.rs

@@ -0,0 +1,21 @@
+use std::cell::UnsafeCell;
+
+#[repr(C)]
+struct A {
+    a: u64,
+    b: u32,
+    c: u32,
+}
+
+#[repr(C)]
+struct B {
+    a: u64,
+    b: UnsafeCell<u32>,
+    c: u32,
+}
+
+fn main() {
+    let a = A { a: 0, b: 0, c: 0 };
+    let _b = unsafe { &*(&a as *const A as *const B) };
+    //~^ ERROR casting `&T` to `&UnsafeCell<T>` is undefined behavior, even if the reference is unused, consider using an `UnsafeCell` on the original data
+}

tests/ui/lint/mutable_transmutes/report_only_first_error.stderr

@@ -0,0 +1,11 @@
+error: casting `&T` to `&UnsafeCell<T>` is undefined behavior, even if the reference is unused, consider using an `UnsafeCell` on the original data
+  --> $DIR/unsafe_cell_reference_casting.rs:19:23
+   |
+LL |     let _b = unsafe { &*(&a as *const A as *const B) };
+   |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   |
+   = note: cast from `A.b` to `B.b`
+   = note: `#[deny(unsafe_cell_reference_casting)]` on by default
+
+error: aborting due to 1 previous error
+

tests/ui/lint/mutable_transmutes/unsafe_cell_reference_casting.rs

@@ -0,0 +1,19 @@
+use std::cell::UnsafeCell;
+
+#[repr(C)]
+struct A<T: ?Sized> {
+    a: u32,
+    b: T,
+}
+
+#[repr(C)]
+struct B {
+    a: UnsafeCell<u32>,
+    b: [u32],
+}
+
+fn main() {
+    let a = &A { a: 0, b: [0_u32, 0] } as &A<[u32]>;
+    let _b = unsafe { &*(a as *const A<[u32]> as *const B) };
+    //~^ ERROR casting `&T` to `&UnsafeCell<T>` is undefined behavior, even if the reference is unused, consider using an `UnsafeCell` on the original data
+}

tests/ui/lint/mutable_transmutes/unsafe_cell_reference_casting.stderr

@@ -0,0 +1,11 @@
+error: casting `&T` to `&UnsafeCell<T>` is undefined behavior, even if the reference is unused, consider using an `UnsafeCell` on the original data
+  --> $DIR/unsized.rs:17:23
+   |
+LL |     let _b = unsafe { &*(a as *const A<[u32]> as *const B) };
+   |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   |
+   = note: cast from `A<[u32]>.a` to `B.a`
+   = note: `#[deny(unsafe_cell_reference_casting)]` on by default
+
+error: aborting due to 1 previous error
+