Uplift clippy::invalid_null_ptr_usage as invalid_null_arguments

Urgau · Urgau · commit fe8a058720a6 · 2025-03-30T12:57:23.000+02:00
diff --git a/compiler/rustc_lint/messages.ftl b/compiler/rustc_lint/messages.ftl
@@ -456,6 +456,10 @@ lint_invalid_nan_comparisons_eq_ne = incorrect NaN comparison, NaN cannot be dir
 
 lint_invalid_nan_comparisons_lt_le_gt_ge = incorrect NaN comparison, NaN is not orderable
 
+lint_invalid_null_arguments = calling this function with a null pointer is Undefined Behavior, even if the result of the function is unused
+    .origin = null pointer originates from here
+    .doc = for more information, visit <https://doc.rust-lang.org/std/ptr/index.html> and <https://doc.rust-lang.org/reference/behavior-considered-undefined.html>
+
 lint_invalid_reference_casting_assign_to_ref = assigning to `&T` is undefined behavior, consider using an `UnsafeCell`
     .label = casting happened here
 
diff --git a/compiler/rustc_lint/src/lints.rs b/compiler/rustc_lint/src/lints.rs
@@ -609,6 +609,14 @@ pub(crate) enum UselessPtrNullChecksDiag<'a> {
     FnRet { fn_name: Ident },
 }
 
+#[derive(LintDiagnostic)]
+#[diag(lint_invalid_null_arguments)]
+#[help(lint_doc)]
+pub(crate) struct InvalidNullArgumentsDiag {
+    #[note(lint_origin)]
+    pub null_span: Option<Span>,
+}
+
 // for_loops_over_fallibles.rs
 #[derive(LintDiagnostic)]
 #[diag(lint_for_loops_over_fallibles)]
diff --git a/compiler/rustc_lint/src/ptr_nulls.rs b/compiler/rustc_lint/src/ptr_nulls.rs
@@ -1,9 +1,11 @@
 use rustc_ast::LitKind;
 use rustc_hir::{BinOpKind, Expr, ExprKind, TyKind};
+use rustc_middle::ty::RawPtr;
 use rustc_session::{declare_lint, declare_lint_pass};
-use rustc_span::sym;
+use rustc_span::{Span, sym};
 
-use crate::lints::UselessPtrNullChecksDiag;
+use crate::lints::{InvalidNullArgumentsDiag, UselessPtrNullChecksDiag};
+use crate::utils::peel_casts;
 use crate::{LateContext, LateLintPass, LintContext};
 
 declare_lint! {
@@ -31,7 +33,30 @@ declare_lint! {
     "useless checking of non-null-typed pointer"
 }
 
-declare_lint_pass!(PtrNullChecks => [USELESS_PTR_NULL_CHECKS]);
+declare_lint! {
+    /// The `invalid_null_arguments` lint checks for invalid usage of null pointers in arguments.
+    ///
+    /// ### Example
+    ///
+    /// ```rust,compile_fail
+    /// # use std::{slice, ptr};
+    /// // Undefined behavior
+    /// # let _slice: &[u8] =
+    /// unsafe { slice::from_raw_parts(ptr::null(), 0) };
+    /// ```
+    ///
+    /// {{produces}}
+    ///
+    /// ### Explanation
+    ///
+    /// Calling methods whos safety invariants requires non-null ptr with a null pointer
+    /// is [Undefined Behavior](https://doc.rust-lang.org/reference/behavior-considered-undefined.html)!
+    INVALID_NULL_ARGUMENTS,
+    Deny,
+    "invalid null pointer in arguments"
+}
+
+declare_lint_pass!(PtrNullChecks => [USELESS_PTR_NULL_CHECKS, INVALID_NULL_ARGUMENTS]);
 
 /// This function checks if the expression is from a series of consecutive casts,
 /// ie. `(my_fn as *const _ as *mut _).cast_mut()` and whether the original expression is either
@@ -85,6 +110,25 @@ fn useless_check<'a, 'tcx: 'a>(
     }
 }
 
+/// Checks if the given expression is a null pointer (modulo casting)
+fn is_null_ptr<'tcx>(cx: &LateContext<'tcx>, expr: &'tcx Expr<'_>) -> Option<Span> {
+    let (expr, _) = peel_casts(cx, expr);
+
+    if let ExprKind::Call(path, []) = expr.kind
+        && let ExprKind::Path(ref qpath) = path.kind
+        && let Some(def_id) = cx.qpath_res(qpath, path.hir_id).opt_def_id()
+        && let Some(diag_item) = cx.tcx.get_diagnostic_name(def_id)
+    {
+        (diag_item == sym::ptr_null || diag_item == sym::ptr_null_mut).then_some(expr.span)
+    } else if let ExprKind::Lit(spanned) = expr.kind
+        && let LitKind::Int(v, _) = spanned.node
+    {
+        (v == 0).then_some(expr.span)
+    } else {
+        None
+    }
+}
+
 impl<'tcx> LateLintPass<'tcx> for PtrNullChecks {
     fn check_expr(&mut self, cx: &LateContext<'tcx>, expr: &'tcx Expr<'_>) {
         match expr.kind {
@@ -102,6 +146,81 @@ impl<'tcx> LateLintPass<'tcx> for PtrNullChecks {
                 cx.emit_span_lint(USELESS_PTR_NULL_CHECKS, expr.span, diag)
             }
 
+            // Catching:
+            // <path>(arg...) where `arg` is null-ptr and `path` is a fn that expect non-null-ptr
+            ExprKind::Call(path, args)
+                if let ExprKind::Path(ref qpath) = path.kind
+                    && let Some(def_id) = cx.qpath_res(qpath, path.hir_id).opt_def_id()
+                    && let Some(diag_name) = cx.tcx.get_diagnostic_name(def_id) =>
+            {
+                // `arg` positions where null would cause U.B.
+                //
+                // We should probably have a `rustc` attribute, but checking them is costly,
+                // maybe if we checked for null ptr first, it would be acceptable?
+                let arg_indices: &[_] = match diag_name {
+                    sym::ptr_read
+                    | sym::ptr_read_unaligned
+                    | sym::ptr_read_volatile
+                    | sym::ptr_replace
+                    | sym::ptr_write
+                    | sym::ptr_write_bytes
+                    | sym::ptr_write_unaligned
+                    | sym::ptr_write_volatile
+                    | sym::slice_from_raw_parts
+                    | sym::slice_from_raw_parts_mut => &[0],
+                    sym::ptr_copy
+                    | sym::ptr_copy_nonoverlapping
+                    | sym::ptr_swap
+                    | sym::ptr_swap_nonoverlapping => &[0, 1],
+                    _ => return,
+                };
+
+                // Are Zero-Sized Types fine with null ptr for this method.
+                let zst_are_fine = match diag_name {
+                    sym::ptr_read
+                    | sym::ptr_read_unaligned
+                    | sym::ptr_read_volatile
+                    | sym::ptr_replace
+                    | sym::ptr_write
+                    | sym::ptr_write_bytes
+                    | sym::ptr_write_unaligned
+                    | sym::ptr_write_volatile
+                    | sym::ptr_copy
+                    | sym::ptr_copy_nonoverlapping
+                    | sym::ptr_swap
+                    | sym::ptr_swap_nonoverlapping => true,
+                    sym::slice_from_raw_parts | sym::slice_from_raw_parts_mut => false,
+                    _ => return,
+                };
+
+                for &arg_idx in arg_indices {
+                    if let Some(arg) = args.get(arg_idx)
+                        && let Some(null_span) = is_null_ptr(cx, arg)
+                        && let Some(ty) = cx.typeck_results().expr_ty_opt(arg)
+                        && let RawPtr(ty, _mutbl) = ty.kind()
+                    {
+                        // If ZST are fine, don't lint on them
+                        let typing_env = cx.typing_env();
+                        if zst_are_fine
+                            && cx
+                                .tcx
+                                .layout_of(typing_env.as_query_input(*ty))
+                                .is_ok_and(|layout| layout.is_1zst())
+                        {
+                            break;
+                        }
+
+                        let null_span = if arg.span != null_span { Some(null_span) } else { None };
+
+                        cx.emit_span_lint(
+                            INVALID_NULL_ARGUMENTS,
+                            expr.span,
+                            InvalidNullArgumentsDiag { null_span },
+                        )
+                    }
+                }
+            }
+
             // Catching:
             // (fn_ptr as *<const/mut> <ty>).is_null()
             ExprKind::MethodCall(_, receiver, _, _)
diff --git a/compiler/rustc_lint/src/utils.rs b/compiler/rustc_lint/src/utils.rs
@@ -6,7 +6,7 @@ use crate::LateContext;
 /// Given an expression, peel all of casts (`<expr> as ...`, `<expr>.cast{,_mut,_const}()`,
 /// `ptr::from_ref(<expr>)`, ...) and init expressions.
 ///
-/// Returns the outermost expression and a boolean representing if one of the casts was
+/// Returns the innermost expression and a boolean representing if one of the casts was
 /// `UnsafeCell::raw_get(<expr>)`
 pub(crate) fn peel_casts<'tcx>(
     cx: &LateContext<'tcx>,
diff --git a/tests/ui/lint/invalid_null_args.rs b/tests/ui/lint/invalid_null_args.rs
@@ -0,0 +1,136 @@
+// check-fail
+// run-rustfix
+
+use std::ptr;
+use std::mem;
+
+unsafe fn null_ptr() {
+    ptr::write(
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+        ptr::null_mut() as *mut u32,
+        mem::transmute::<[u8; 4], _>([0, 0, 0, 255]),
+    );
+
+    let null_ptr = ptr::null_mut();
+    ptr::write(
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+        null_ptr as *mut u32,
+        mem::transmute::<[u8; 4], _>([0, 0, 0, 255]),
+    );
+
+    let _: &[usize] = std::slice::from_raw_parts(ptr::null(), 0);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+    let _: &[usize] = std::slice::from_raw_parts(ptr::null_mut(), 0);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+    let _: &[usize] = std::slice::from_raw_parts(0 as *mut _, 0);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+    let _: &[usize] = std::slice::from_raw_parts(mem::transmute(0usize), 0);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+
+    let _: &[usize] = std::slice::from_raw_parts_mut(ptr::null_mut(), 0);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+
+    ptr::copy::<usize>(ptr::null(), ptr::NonNull::dangling().as_ptr(), 0);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+    ptr::copy::<usize>(ptr::NonNull::dangling().as_ptr(), ptr::null_mut(), 0);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+
+    ptr::copy_nonoverlapping::<usize>(ptr::null(), ptr::NonNull::dangling().as_ptr(), 0);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+    ptr::copy_nonoverlapping::<usize>(
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+        ptr::NonNull::dangling().as_ptr(),
+        ptr::null_mut(),
+        0
+    );
+
+    #[derive(Copy, Clone)]
+    struct A(usize);
+    let mut v = A(200);
+
+    let _a: A = ptr::read(ptr::null());
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+    let _a: A = ptr::read(ptr::null_mut());
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+
+    let _a: A = ptr::read_unaligned(ptr::null());
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+    let _a: A = ptr::read_unaligned(ptr::null_mut());
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+
+    let _a: A = ptr::read_volatile(ptr::null());
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+    let _a: A = ptr::read_volatile(ptr::null_mut());
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+
+    let _a: A = ptr::replace(ptr::null_mut(), v);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+
+    ptr::swap::<A>(ptr::null_mut(), &mut v);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+    ptr::swap::<A>(&mut v, ptr::null_mut());
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+
+    ptr::swap_nonoverlapping::<A>(ptr::null_mut(), &mut v, 0);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+    ptr::swap_nonoverlapping::<A>(&mut v, ptr::null_mut(), 0);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+
+    ptr::write(ptr::null_mut(), v);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+
+    ptr::write_unaligned(ptr::null_mut(), v);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+
+    ptr::write_volatile(ptr::null_mut(), v);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+
+    ptr::write_bytes::<usize>(ptr::null_mut(), 42, 0);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+
+    // with indirections
+    let const_ptr = null_ptr as *const u8;
+    let _a: u8 = ptr::read(const_ptr);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+}
+
+unsafe fn zst() {
+    struct A; // zero-sized type
+
+    std::slice::from_raw_parts::<()>(ptr::null(), 0);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+    std::slice::from_raw_parts::<A>(ptr::null(), 0);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+    std::slice::from_raw_parts_mut::<()>(ptr::null_mut(), 0);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+    std::slice::from_raw_parts_mut::<A>(ptr::null_mut(), 0);
+    //~^ ERROR calling this function with a null pointer is Undefined Behavior
+
+    ptr::read::<()>(ptr::null());
+    ptr::read::<A>(ptr::null());
+
+    ptr::write(ptr::null_mut(), ());
+    ptr::write(ptr::null_mut(), A);
+
+    ptr::copy(ptr::null::<()>(), ptr::null_mut::<()>(), 1);
+    ptr::copy(ptr::null::<A>(), ptr::null_mut::<A>(), 1);
+}
+
+unsafe fn not_invalid() {
+    // Simplified false-positive from std quicksort implementation
+
+    let mut a = ptr::null_mut();
+    let mut b = ();
+
+    loop {
+        if false {
+            break;
+        }
+
+        a = &raw mut b;
+    }
+
+    ptr::write(a, ());
+}
+
+fn main() {}
diff --git a/tests/ui/lint/invalid_null_args.stderr b/tests/ui/lint/invalid_null_args.stderr
