Uplift clippy::invalid_null_ptr_usage lint as invalid_null_arguments
#119220
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rustbot
added
S-waiting-on-review
|
Some changes occurred in src/tools/clippy cc @rust-lang/clippy |
rustbot
added
the
I-lang-nominated
This comment has been minimized.
This comment has been minimized.
Urgau
force-pushed
the
uplift-invalid_null_ptr_usage
branch
2 times, most recently
from
b25c44c to
7308419
Compare
This comment has been minimized.
This comment has been minimized.
Urgau
force-pushed
the
uplift-invalid_null_ptr_usage
branch
from
7308419 to
05aabc1
Compare
|
I think @saethlin has also found plenty of code that hits this in the wild, so this seems like a good lint. |
|
You're probably referring to PyO3/pyo3#2687 and servo/font-kit#197 I don't think either of these would be detected by the lint, but I agree that this is a reasonable lint target. |
apiraino
added
S-waiting-on-team
|
I'll flag this as |
|
☔ The latest upstream changes (presumably #120991) made this pull request unmergeable. Please resolve the merge conflicts. |
|
(Just me, with my lang hat on but not talking for the team.) I wish there was an easier way for these to get added without waiting on us. Would you be interested in making a proposal of some sort for making maybe a It'd be great if, rather than lang needing to approve stuff, it'd just be |
|
That feels similar to what flux and verus are doing but at a smaller scale. Unsure about allowing downstream users to access it but it'd be great to make these kinds of checks more prevalent (and not just for null ptr cases) |
|
I do like refinement types. We should discuss this further, I love the idea of rust expanding its sights of correctness to this, rather than a devtool (what flux does atm) |
|
I would if there was an easier way to add those kind of lints. Using the
That would be awesome, I would love if it were this "simple". I can write something akin to an MCP (for t-lang) but I don't have the time for a full RFC :-) |
This comment was marked as outdated.
This comment was marked as outdated.
|
@traviscross It's been more than a year since I nominated this PR for T-lang, I know it's not high priority/high in the list, and I don't mind waiting, but it's becoming annoying to maintain these kind of PR. This one in particular has nearly all modified files in conflict. Is this something T-lang would accept? Is there a way to gather consensus outside of a nomination? If not I rather close this PR than continue to waste my time maintaining this PR. |
rustbot
added
the
I-lang-easy-decision
traviscross
added
T-lang
|
Team member @traviscross has proposed to merge this. The next step is review by the rest of the tagged team members: Concerns:
Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! cc @rust-lang/lang-advisors: FCP proposed for lang, please feel free to register concerns. |
rfcbot
added
proposed-final-comment-period
|
Anyone have a better suggestion for the lint name than |
Urgau
force-pushed
the
uplift-invalid_null_ptr_usage
branch
from
c82c601 to
6f2c561
Compare
Urgau
added
S-waiting-on-review
|
r=me after the diagnostic is recapitalized to |
Urgau
force-pushed
the
uplift-invalid_null_ptr_usage
branch
from
6f2c561 to
aa88480
Compare
bors
added
S-waiting-on-bors
|
☀️ Test successful - checks-actions |
What is this?This is an experimental post-merge analysis report that shows differences in test outcomes between the merged PR and its parent PR.Comparing 3c0f722 (parent) -> 7bfd952 (this PR) Test differencesShow 225 test diffsStage 1
(and 120 additional test diffs) Additionally, 5 doctest diffs were found. These are ignored, as they are noisy. Job group index
Job duration changes
How to interpret the job duration changes?Job durations can vary a lot, based on the actual runner instance |
This was referenced Mar 31, 2025
|
Finished benchmarking commit (7bfd952): comparison URL. Overall result: no relevant changes - no action needed@rustbot label: -perf-regression Instruction countThis benchmark run did not return any relevant results for this metric. Max RSS (memory usage)Results (secondary 2.1%)This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
CyclesThis benchmark run did not return any relevant results for this metric. Binary sizeThis benchmark run did not return any relevant results for this metric. Bootstrap: 776.099s -> 776.473s (0.05%) |
tamird
added a commit
to tamird/bpf-linker
that referenced
this pull request
Apr 1, 2025
This was promoted from a clippy lint in nightly. Link: rust-lang/rust#119220
tamird
added a commit
to aya-rs/bpf-linker
that referenced
this pull request
Apr 1, 2025
This was promoted from a clippy lint in nightly. Link: rust-lang/rust#119220
flip1995
pushed a commit
to flip1995/rust
that referenced
this pull request
Apr 3, 2025
… r=fee1-dead Uplift `clippy::invalid_null_ptr_usage` lint as `invalid_null_arguments` This PR aims at uplifting the `clippy::invalid_null_ptr_usage` lint into rustc, this is similar to the [`clippy::invalid_utf8_in_unchecked` uplift](rust-lang#111543) a few months ago, in the sense that those two lints lint on invalid parameter(s), here a null pointer where it is unexpected and UB to pass one. *For context: GitHub Search reveals that just for `slice::from_raw_parts{_mut}` [~20 invalid usages](hhttps://github.com/search?q=lang%3Arust+%2Fslice%3A%3Afrom_raw_parts%28_mut%29%3F%5C%28ptr%3A%3Anull%2F+NOT+path%3A%2F%5Eclippy_lints%5C%2Fsrc%5C%2F%2F+NOT+path%3A%2F%5Erust%5C%2Fsrc%5C%2Ftools%5C%2Fclippy%5C%2Fclippy_lints%5C%2Fsrc%5C%2F%2F+NOT+path%3A%2F%5Esrc%5C%2Ftools%5C%2Fclippy%5C%2Fclippy_lints%5C%2Fsrc%5C%2F%2F&type=code) with `ptr::null` and an additional [4 invalid usages](https://github.com/search?q=lang%3Arust+%2Fslice%3A%3Afrom_raw_parts%5C%280%28%5C%29%7C+as%29%2F+NOT+path%3A%2F%5Eclippy_lints%5C%2Fsrc%5C%2F%2F+NOT+path%3A%2F%5Erust%5C%2Fsrc%5C%2Ftools%5C%2Fclippy%5C%2Fclippy_lints%5C%2Fsrc%5C%2F%2F+NOT+path%3A%2F%5Esrc%5C%2Ftools%5C%2Fclippy%5C%2Fclippy_lints%5C%2Fsrc%5C%2F%2F+NOT+path%3A%2F%5Eutils%5C%2Ftinystr%5C%2Fsrc%5C%2F%2F+NOT+path%3A%2F%5Eutils%5C%2Fzerovec%5C%2Fsrc%5C%2F%2F+NOT+path%3A%2F%5Eprovider%5C%2Fcore%5C%2Fsrc%5C%2F%2F&type=code) with `0 as *const ...`-ish casts.* ----- ## `invalid_null_arguments` (deny-by-default) The `invalid_null_arguments` lint checks for invalid usage of null pointers. ### Example ```rust // Undefined behavior unsafe { std::slice::from_raw_parts(ptr::null(), 1); } ``` Produces: ``` error: calling this function with a null pointer is Undefined Behavior, even if the result of the function is unused --> $DIR/invalid_null_args.rs:21:23 | LL | let _: &[usize] = std::slice::from_raw_parts(ptr::null_mut(), 0); | ^^^^^^^^^^^^^^^^^^^^^^^^^^^---------------^^^^ | | | null pointer originates from here | = help: for more information, visit <https://doc.rust-lang.org/std/ptr/index.html> and <https://doc.rust-lang.org/reference/behavior-considered-undefined.html> ``` ### Explanation Calling methods whose safety invariants requires non-null pointer with a null pointer is undefined behavior. ----- The lint use a list of functions to know which functions and arguments to checks, this could be improved in the future with a rustc attribute, or maybe even with a `#[diagnostic]` attribute. This PR also includes some small refactoring to avoid some ambiguities in naming, those can be done in another PR is desired. `@rustbot` label: +I-lang-nominated r? compiler
apiraino
removed
the
I-lang-nominated
wip-sync
pushed a commit
to NetBSD/pkgsrc-wip
that referenced
this pull request
Jun 29, 2025
Pkgsrc changes: * Adjust patches to adapt to upstream changes and new versions. * associated checksums Upstream changes relative to 1.87.0: Version 1.88.0 (2025-06-26) ========================== Language -------- - [Stabilize `#![feature(let_chains)]` in the 2024 edition.] (rust-lang/rust#132833) This feature allows `&&`-chaining `let` statements inside `if` and `while`, allowing intermixture with boolean expressions. The patterns inside the `let` sub-expressions can be irrefutable or refutable. - [Stabilize `#![feature(naked_functions)]`.] (rust-lang/rust#134213) Naked functions allow writing functions with no compiler-generated epilogue and prologue, allowing full control over the generated assembly for a particular function. - [Stabilize `#![feature(cfg_boolean_literals)]`.] (rust-lang/rust#138632) This allows using boolean literals as `cfg` predicates, e.g. `#[cfg(true)]` and `#[cfg(false)]`. - [Fully de-stabilize the `#[bench]` attribute] (rust-lang/rust#134273). Usage of `#[bench]` without `#![feature(custom_test_frameworks)]` already triggered a deny-by-default future-incompatibility lint since Rust 1.77, but will now become a hard error. - [Add warn-by-default `dangerous_implicit_autorefs` lint against implicit autoref of raw pointer dereference.] (rust-lang/rust#123239) The lint [will be bumped to deny-by-default] (rust-lang/rust#141661) in the next version of Rust. - [Add `invalid_null_arguments` lint to prevent invalid usage of null pointers.] (rust-lang/rust#119220) This lint is uplifted from `clippy::invalid_null_ptr_usage`. - [Change trait impl candidate preference for builtin impls and trivial where-clauses.] (rust-lang/rust#138176) - [Check types of generic const parameter defaults] (rust-lang/rust#139646) Compiler -------- - [Stabilize `-Cdwarf-version` for selecting the version of DWARF debug information to generate.] (rust-lang/rust#136926) Platform Support ---------------- - [Demote `i686-pc-windows-gnu` to Tier 2.] (https://blog.rust-lang.org/2025/05/26/demoting-i686-pc-windows-gnu/) Refer to Rust's [platform support page][platform-support-doc] for more information on Rust's tiered platform support. [platform-support-doc]: https://doc.rust-lang.org/rustc/platform-support.html Libraries --------- - [Remove backticks from `#[should_panic]` test failure message.] (rust-lang/rust#136160) - [Guarantee that `[T; N]::from_fn` is generated in order of increasing indices.] (rust-lang/rust#139099), for those passing it a stateful closure. - [The libtest flag `--nocapture` is deprecated in favor of the more consistent `--no-capture` flag.] (rust-lang/rust#139224) - [Guarantee that `{float}::NAN` is a quiet NaN.] (rust-lang/rust#139483) Stabilized APIs --------------- - [`Cell::update`] (https://doc.rust-lang.org/stable/std/cell/struct.Cell.html#method.update) - [`impl Default for *const T`] (https://doc.rust-lang.org/nightly/std/primitive.pointer.html#impl-Default-for-*const+T) - [`impl Default for *mut T`] (https://doc.rust-lang.org/nightly/std/primitive.pointer.html#impl-Default-for-*mut+T) - [`HashMap::extract_if`] (https://doc.rust-lang.org/stable/std/collections/struct.HashMap.html#method.extract_if) - [`HashSet::extract_if`] (https://doc.rust-lang.org/stable/std/collections/struct.HashSet.html#method.extract_if) - [`proc_macro::Span::line`] (https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.line) - [`proc_macro::Span::column`] (https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.column) - [`proc_macro::Span::start`] (https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.start) - [`proc_macro::Span::end`] (https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.end) - [`proc_macro::Span::file`] (https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.file) - [`proc_macro::Span::local_file`] (https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.local_file) These previously stable APIs are now stable in const contexts: - [`NonNull<T>::replace`] (https://doc.rust-lang.org/stable/std/ptr/struct.NonNull.html#method.replace) - [`<*mut T>::replace`] (https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.replace) - [`std::ptr::swap_nonoverlapping`] (rust-lang/rust#137280) - [`Cell::{replace, get, get_mut, from_mut, as_slice_of_cells}`] (rust-lang/rust#137928) Cargo ----- - [Stabilize automatic garbage collection.] (rust-lang/cargo#14287) - [use `zlib-rs` for gzip compression in rust code] (rust-lang/cargo#15417) Rustdoc ----- - [Doctests can be ignored based on target names using `ignore-*` attributes.] (rust-lang/rust#137096) - [Stabilize the `--test-runtool` and `--test-runtool-arg` CLI options to specify a program (like qemu) and its arguments to run a doctest.] (rust-lang/rust#137096) Compatibility Notes ------------------- - [Finish changing the internal representation of pasted tokens] (rust-lang/rust#124141). Certain invalid declarative macros that were previously accepted in obscure circumstances are now correctly rejected by the compiler. Use of a `tt` fragment specifier can often fix these macros. - [Fully de-stabilize the `#[bench]` attribute] (rust-lang/rust#134273). Usage of `#[bench]` without `#![feature(custom_test_frameworks)]` already triggered a deny-by-default future-incompatibility lint since Rust 1.77, but will now become a hard error. - [Fix borrow checking some always-true patterns.] (rust-lang/rust#139042) The borrow checker was overly permissive in some cases, allowing programs that shouldn't have compiled. - [Update the minimum external LLVM to 19.] (rust-lang/rust#139275) - [Make it a hard error to use a vector type with a non-Rust ABI without enabling the required target feature.] (rust-lang/rust#139309)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR aims at uplifting the
clippy::invalid_null_ptr_usagelint into rustc, this is similar to theclippy::invalid_utf8_in_uncheckeduplift a few months ago, in the sense that those two lints lint on invalid parameter(s), here a null pointer where it is unexpected and UB to pass one.For context: GitHub Search reveals that just for
slice::from_raw_parts{_mut}~20 invalid usages withptr::nulland an additional 4 invalid usages with0 as *const ...-ish casts.invalid_null_arguments(deny-by-default)
The
invalid_null_argumentslint checks for invalid usage of null pointers.Example
Produces:
Explanation
Calling methods whose safety invariants requires non-null pointer with a null pointer is undefined behavior.
The lint use a list of functions to know which functions and arguments to checks, this could be improved in the future with a rustc attribute, or maybe even with a
#[diagnostic]attribute.This PR also includes some small refactoring to avoid some ambiguities in naming, those can be done in another PR is desired.
@rustbot label: +I-lang-nominated
r? compiler