add lint deref_nullptr detecting when a null ptr is dereferenced #83948
Conversation
|
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @lcnr (or someone else) soon. If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes. Please see the contribution instructions for more information. |
rust-highfive
added
the
S-waiting-on-review
ABouttefeux
changed the title
This comment has been minimized.
This comment has been minimized.
|
I thought the plan was to uplift the existing clippy lint? |
|
r? @RalfJung |
|
Thanks a lot. :) The CI failure is caused by that file crossing the threshold of 3000 lines... I am not sure what to do about that though, so adding |
Yeah it is at least the easiest option I think... @ABouttefeux did you use the clippy lint as a basis or write this from scratch? It would be good to at least ensure that we catch all the same cases. Clippy will likely have tests that you can also use as inspiration. |
|
I wrote it from scratch. I will look at the clippy lint. |
|
Also from what I see the lint
|
|
@ABouttefeux good point, that lint is not what we are looking for. Thanks for checking. :) |
Would be good to also mention |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
ABouttefeux
force-pushed
the
lint-nullprt-deref
branch
from
fed2e52 to
e1a1bbc
Compare
This comment has been minimized.
This comment has been minimized.
ABouttefeux
force-pushed
the
lint-nullprt-deref
branch
from
e1a1bbc to
3d215bd
Compare
This comment has been minimized.
This comment has been minimized.
|
Btw, does this also detect if not, that could be an interesting future extension of this lint. :) If yes, please add a test. :D |
|
I think it should detect that. I will add a test |
|
@scottmcm which team the (thanks for the additional context) |
|
I was told lints are lang team territory so setting the flag accordingly. |
|
@scottmcm wrote on Zulip
So, let's go with this then. :) @bors r+ |
|
📌 Commit 7f0f83a has been approved by |
bors
added
S-waiting-on-bors
…alfJung add lint deref_nullptr detecting when a null ptr is dereferenced fixes rust-lang#83856 changelog: add lint that detect code like ```rust unsafe { &*core::ptr::null::<i32>() }; unsafe { addr_of!(std::ptr::null::<i32>()) }; let x: i32 = unsafe {*core::ptr::null()}; let x: i32 = unsafe {*core::ptr::null_mut()}; unsafe {*(0 as *const i32)}; unsafe {*(core::ptr::null() as *const i32)}; ``` ``` warning: Dereferencing a null pointer causes undefined behavior --> src\main.rs:5:26 | 5 | let x: i32 = unsafe {*core::ptr::null()}; | ^^^^^^^^^^^^^^^^^^ | | | a null pointer is dereferenced | this code causes undefined behavior when executed | = note: `#[warn(deref_nullptr)]` on by default ``` Limitation: It does not detect code like ```rust const ZERO: usize = 0; unsafe {*(ZERO as *const i32)}; ``` or code where `0` is not directly a literal
|
☀️ Test successful - checks-actions |
Tested on commit rust-lang/rust@7537b20. Direct link to PR: <rust-lang/rust#83948> 💔 miri on windows: test-pass → test-fail (cc @oli-obk @RalfJung @eddyb). 💔 miri on linux: test-pass → test-fail (cc @oli-obk @RalfJung @eddyb).
|
PR description is a bit missleading: unsafe {
addr_of!(std::ptr::null::<i32>())
};Doesn't trigger the lint (there is no dereference), moreover this doesn't compile ( What does trigger the lint is unsafe {
addr_of!(*std::ptr::null::<i32>())
// ^ deref
}; |
|
@WaffleLapkin thanks for pointing that out, I fixed the PR description. |
…rochenkov Make deref_nullptr deny by default instead of warn This lint was added 4 years ago in rust-lang#83948 and I cannot find any discussion on that PR or its issue about whether it should be warn or deny by default. I think keeping this lint to warn was at one point in the past justifiable because of the old bindgen behavior of generating tests that do null pointer derefs. I've certainly heard that argument. I don't think it holds up now, so I think we should be more firm about code that is definitely UB. We merged rust-lang#134424 which adds a runtime check for null pointer reads/writes, with very little fanfare. So now we know things like: This lint warns on 111 crates in crater, but 106 crates are encountering the runtime UB check. 65 crates hit both the lint and a runtime check. Of the 46 crates that only hit the lint, 25 look to me like machine-generated bindings, and all hits except https://github.com/Plecra/asm-w-ownership/blob/3a0eff4bd151d8a0ccc076d6b8dea0bbc051e8e8/src/main.rs#L454 are trying to compute a field offset, and should use `offset_of!`. Based on the contents of the crater runs for 1.91, I'd expect these crates to go from test-fail to build-fail as a result of this change: ``` gh/bernardjason/rust-invaders gh/Leinnan/doppler gh/Max-E/rust-gl-python-gtk gh/nslebruh/rust-opengl-glfw gh/nslebruh/rust_physics_gl_test gh/oraoto/php-stacktrace gh/playXE/jsrs gh/Plecra/asm-w-ownership gh/TateKennington/ROpenGL gh/WillFarris/voxel-game reg/ochre ``` Most of the crates where the lint fires already don't build for other reasons (note there are a lot of C bindings wrapper crates in the set).
Make deref_nullptr deny by default instead of warn This lint was added 4 years ago in #83948 and I cannot find any discussion on that PR or its issue about whether it should be warn or deny by default. I think keeping this lint to warn was at one point in the past justifiable because of the old bindgen behavior of generating tests that do null pointer derefs. I've certainly heard that argument. I don't think it holds up now, so I think we should be more firm about code that is definitely UB. We merged #134424 which adds a runtime check for null pointer reads/writes, with very little fanfare. So now we know things like: This lint warns on 111 crates in crater, but 106 crates are encountering the runtime UB check. 65 crates hit both the lint and a runtime check. Of the 46 crates that only hit the lint, 25 look to me like machine-generated bindings, and all hits except https://github.com/Plecra/asm-w-ownership/blob/3a0eff4bd151d8a0ccc076d6b8dea0bbc051e8e8/src/main.rs#L454 are trying to compute a field offset, and should use `offset_of!`. Based on the contents of the crater runs for 1.91, I'd expect these crates to go from test-fail to build-fail as a result of this change: ``` gh/bernardjason/rust-invaders gh/Leinnan/doppler gh/Max-E/rust-gl-python-gtk gh/nslebruh/rust-opengl-glfw gh/nslebruh/rust_physics_gl_test gh/oraoto/php-stacktrace gh/playXE/jsrs gh/Plecra/asm-w-ownership gh/TateKennington/ROpenGL gh/WillFarris/voxel-game reg/ochre ``` Most of the crates where the lint fires already don't build for other reasons (note there are a lot of C bindings wrapper crates in the set).
11 participants
fixes #83856
changelog: add lint that detect code like
Limitation:
It does not detect code like
or code where
0is not directly a literal