Allow to customize // TODO: comment for deprecated safe autofix

Relevant for the deprecation of `CommandExt::before_exit` in rust-lang#125970.

Author: tbu-

compiler/rustc_feature/src/builtin_attrs.rs

@@ -644,8 +644,8 @@ pub const BUILTIN_ATTRIBUTES: &[BuiltinAttribute] = &[
         through unstable paths"
     ),
     rustc_attr!(
-        rustc_deprecated_safe_2024, Normal, template!(Word), WarnFollowing,
-        EncodeCrossCrate::Yes,
+        rustc_deprecated_safe_2024, Normal, template!(List: r#"todo = "...""#),
+        ErrorFollowing, EncodeCrossCrate::Yes,
         "rustc_deprecated_safe_2024 is supposed to be used in libstd only",
     ),
 

compiler/rustc_mir_build/messages.ftl

@@ -32,7 +32,7 @@ mir_build_call_to_deprecated_safe_fn_requires_unsafe =
     call to deprecated safe function `{$function}` is unsafe and requires unsafe block
     .note = consult the function's documentation for information on how to avoid undefined behavior
     .label = call to unsafe function
-    .suggestion = you can wrap the call in an `unsafe` block if you can guarantee the code is only ever called from single-threaded code
+    .suggestion = you can wrap the call in an `unsafe` block if you can guarantee its unsafe preconditions
 
 mir_build_call_to_fn_with_requires_unsafe =
     call to function `{$function}` with `#[target_feature]` is unsafe and requires unsafe block

compiler/rustc_mir_build/src/check_unsafety.rs

@@ -1,6 +1,7 @@
 use crate::build::ExprCategory;
 use crate::errors::*;
 
+use rustc_ast::Attribute;
 use rustc_errors::DiagArgValue;
 use rustc_hir::def::DefKind;
 use rustc_hir::{self as hir, BindingMode, ByRef, HirId, Mutability};
@@ -90,14 +91,37 @@ impl<'tcx> UnsafetyVisitor<'_, 'tcx> {
     }
 
     fn emit_deprecated_safe_fn_call(&self, span: Span, kind: &UnsafeOpKind) -> bool {
+        fn parse_rustc_deprecated_safe_2024_attr(attr: &Attribute) -> Option<Symbol> {
+            for item in attr.meta_item_list().unwrap_or_default() {
+                if item.has_name(sym::todo) {
+                    return Some(
+                        item.value_str().expect(
+                            "`#[rustc_deprecated_safe_2024(todo)]` must have a string value",
+                        ),
+                    );
+                }
+            }
+            None
+        }
+
         match kind {
             // Allow calls to deprecated-safe unsafe functions if the caller is
             // from an edition before 2024.
             &UnsafeOpKind::CallToUnsafeFunction(Some(id))
                 if !span.at_least_rust_2024()
                     && self.tcx.has_attr(id, sym::rustc_deprecated_safe_2024) =>
             {
+                let attr = self.tcx.get_attr(id, sym::rustc_deprecated_safe_2024).unwrap();
+                let suggestion = parse_rustc_deprecated_safe_2024_attr(attr);
+
                 let sm = self.tcx.sess.source_map();
+                let suggestion = suggestion
+                    .and_then(|suggestion| {
+                        sm.indentation_before(span)
+                            .map(|indent| format!("{}// TODO: {}\n", indent, suggestion)) // ignore-tidy-todo
+                    })
+                    .unwrap_or_default();
+
                 self.tcx.emit_node_span_lint(
                     DEPRECATED_SAFE,
                     self.hir_context,
@@ -106,7 +130,7 @@ impl<'tcx> UnsafetyVisitor<'_, 'tcx> {
                         span,
                         function: with_no_trimmed_paths!(self.tcx.def_path_str(id)),
                         sub: CallToDeprecatedSafeFnRequiresUnsafeSub {
-                            indent: sm.indentation_before(span).unwrap_or_default(),
+                            start_of_line_suggestion: suggestion,
                             start_of_line: sm.span_extend_to_line(span).shrink_to_lo(),
                             left: span.shrink_to_lo(),
                             right: span.shrink_to_hi(),

compiler/rustc_mir_build/src/errors.rs

@@ -33,10 +33,8 @@ pub(crate) struct CallToDeprecatedSafeFnRequiresUnsafe {
 #[derive(Subdiagnostic)]
 #[multipart_suggestion(mir_build_suggestion, applicability = "machine-applicable")]
 pub(crate) struct CallToDeprecatedSafeFnRequiresUnsafeSub {
-    pub(crate) indent: String,
-    #[suggestion_part(
-        code = "{indent}// TODO: Audit that the environment access only happens in single-threaded code.\n" // ignore-tidy-todo
-    )]
+    pub(crate) start_of_line_suggestion: String,
+    #[suggestion_part(code = "{start_of_line_suggestion}")]
     pub(crate) start_of_line: Span,
     #[suggestion_part(code = "unsafe {{ ")]
     pub(crate) left: Span,

compiler/rustc_span/src/symbol.rs

@@ -1888,6 +1888,7 @@ symbols! {
         to_string,
         to_string_method,
         to_vec,
+        todo,
         todo_macro,
         tool_attributes,
         tool_lints,

library/std/src/env.rs

@@ -357,7 +357,13 @@ impl Error for VarError {
 /// }
 /// assert_eq!(env::var(key), Ok("VALUE".to_string()));
 /// ```
-#[rustc_deprecated_safe_2024]
+#[cfg_attr(bootstrap, rustc_deprecated_safe_2024)]
+#[cfg_attr(
+    not(bootstrap),
+    rustc_deprecated_safe_2024(
+        todo = "Audit that the environment access only happens in single-threaded code."
+    )
+)]
 #[stable(feature = "env", since = "1.0.0")]
 pub unsafe fn set_var<K: AsRef<OsStr>, V: AsRef<OsStr>>(key: K, value: V) {
     let (key, value) = (key.as_ref(), value.as_ref());
@@ -421,7 +427,13 @@ pub unsafe fn set_var<K: AsRef<OsStr>, V: AsRef<OsStr>>(key: K, value: V) {
 /// }
 /// assert!(env::var(key).is_err());
 /// ```
-#[rustc_deprecated_safe_2024]
+#[cfg_attr(bootstrap, rustc_deprecated_safe_2024)]
+#[cfg_attr(
+    not(bootstrap),
+    rustc_deprecated_safe_2024(
+        todo = "Audit that the environment access only happens in single-threaded code."
+    )
+)]
 #[stable(feature = "env", since = "1.0.0")]
 pub unsafe fn remove_var<K: AsRef<OsStr>>(key: K) {
     let key = key.as_ref();

tests/ui/rust-2024/unsafe-env-suggestion.stderr

@@ -11,7 +11,7 @@ note: the lint level is defined here
    |
 LL | #![deny(deprecated_safe)]
    |         ^^^^^^^^^^^^^^^
-help: you can wrap the call in an `unsafe` block if you can guarantee the code is only ever called from single-threaded code
+help: you can wrap the call in an `unsafe` block if you can guarantee its unsafe preconditions
    |
 LL +     // TODO: Audit that the environment access only happens in single-threaded code.
 LL ~     unsafe { env::set_var("FOO", "BAR") };
@@ -25,7 +25,7 @@ LL |     env::remove_var("FOO");
    |
    = warning: this is accepted in the current edition (Rust 2015) but is a hard error in Rust 2024!
    = note: for more information, see issue #27970 <https://github.com/rust-lang/rust/issues/27970>
-help: you can wrap the call in an `unsafe` block if you can guarantee the code is only ever called from single-threaded code
+help: you can wrap the call in an `unsafe` block if you can guarantee its unsafe preconditions
    |
 LL +     // TODO: Audit that the environment access only happens in single-threaded code.
 LL ~     unsafe { env::remove_var("FOO") };