instantly_dangling_pointer: test for temporaries & fix some false positives

Author: GrigorenkoPV

compiler/rustc_lint/src/dangling.rs

@@ -100,49 +100,48 @@ fn lint_cstring_as_ptr(cx: &LateContext<'_>, source: &rustc_hir::Expr<'_>) -> bo
 
 fn is_temporary_rvalue(expr: &Expr<'_>) -> bool {
     match expr.kind {
-        // We are not interested in these
-        ExprKind::Cast(_, _) | ExprKind::Closure(_) | ExprKind::Tup(_) => false,
-
         // Const is not temporary.
-        ExprKind::ConstBlock(_) | ExprKind::Repeat(_, _) => false,
+        ExprKind::ConstBlock(..) | ExprKind::Repeat(..) | ExprKind::Lit(..) => false,
 
         // This is literally lvalue.
-        ExprKind::Path(_) => false,
+        ExprKind::Path(..) => false,
 
         // Calls return rvalues.
-        ExprKind::Call(_, _) | ExprKind::MethodCall(_, _, _, _) | ExprKind::Binary(_, _, _) => true,
-
-        // Produces lvalue.
-        ExprKind::Unary(_, _) | ExprKind::Index(_, _, _) => false,
+        ExprKind::Call(..) | ExprKind::MethodCall(..) | ExprKind::Binary(..) => true,
 
+        // FIXME: this is probably wrong.
         // Inner blocks are rvalues.
-        ExprKind::If(_, _, _)
-        | ExprKind::Loop(_, _, _, _)
-        | ExprKind::Match(_, _, _)
-        | ExprKind::Block(_, _) => true,
+        ExprKind::If(..) | ExprKind::Loop(..) | ExprKind::Match(..) | ExprKind::Block(..) => true,
+
+        // FIXME: these should probably recurse and typecheck along the way.
+        //        Some false negatives are possible for now.
+        ExprKind::Index(..) | ExprKind::Field(..) | ExprKind::Unary(..) => false,
 
-        ExprKind::DropTemps(inner) => is_temporary_rvalue(inner),
-        ExprKind::Field(parent, _) => is_temporary_rvalue(parent),
+        ExprKind::Struct(..) => true,
 
-        ExprKind::Struct(_, _, _) => true,
-        // These are 'static
-        ExprKind::Lit(_) => false,
-        // FIXME: False negatives are possible, but arrays get promoted to 'static way too often.
-        ExprKind::Array(_) => false,
+        // FIXME: this has false negatives, but I do not want to deal with 'static/const promotion just yet.
+        ExprKind::Array(..) => false,
 
         // These typecheck to `!`
-        ExprKind::Break(_, _) | ExprKind::Continue(_) | ExprKind::Ret(_) | ExprKind::Become(_) => {
+        ExprKind::Break(..) | ExprKind::Continue(..) | ExprKind::Ret(..) | ExprKind::Become(..) => {
             false
         }
 
         // These typecheck to `()`
-        ExprKind::Assign(_, _, _) | ExprKind::AssignOp(_, _, _) | ExprKind::Yield(_, _) => false,
+        ExprKind::Assign(..) | ExprKind::AssignOp(..) | ExprKind::Yield(..) => false,
 
-        // Not applicable
-        ExprKind::Type(_, _) | ExprKind::Err(_) | ExprKind::Let(_) => false,
+        // Compiler-magic macros
+        ExprKind::AddrOf(..) | ExprKind::OffsetOf(..) | ExprKind::InlineAsm(..) => false,
+
+        // We are not interested in these
+        ExprKind::Cast(..)
+        | ExprKind::Closure(..)
+        | ExprKind::Tup(..)
+        | ExprKind::DropTemps(..)
+        | ExprKind::Let(..) => false,
 
-        // These are compiler-magic macros
-        ExprKind::AddrOf(_, _, _) | ExprKind::OffsetOf(_, _) | ExprKind::InlineAsm(_) => false,
+        // Not applicable
+        ExprKind::Type(..) | ExprKind::Err(..) => false,
     }
 }
 

tests/ui/lint/dangling-ptr/instantly-dangling-pointer-temporaries.rs

@@ -0,0 +1,129 @@
+#![allow(unused)]
+#![deny(instantly_dangling_pointer)]
+
+fn string() -> String {
+    "hello".into()
+}
+
+struct Wrapper(String);
+
+fn main() {
+    // ConstBlock
+    const { String::new() }.as_ptr();
+
+    // Array
+    {
+        [string()].as_ptr(); // False negative
+        [true].as_ptr();
+    }
+
+    // Call
+    string().as_ptr(); //~ ERROR [instantly_dangling_pointer]
+
+    // MethodCall
+    "hello".to_string().as_ptr(); //~ ERROR [instantly_dangling_pointer]
+
+    // Tup
+    // impossible
+
+    // Binary
+    (string() + "hello").as_ptr(); //~ ERROR [instantly_dangling_pointer]
+
+    // Path
+    {
+        let x = string();
+        x.as_ptr();
+    }
+
+    // Unary
+    {
+        let x = string();
+        let x: &String = &x;
+        (*x).as_ptr();
+        (&[0u8]).as_ptr();
+        (&string()).as_ptr(); // False negative
+        (*&string()).as_ptr(); // False negative
+    }
+
+    // Lit
+    "hello".as_ptr();
+
+    // Cast
+    // impossible
+
+    // Type
+    // impossible
+
+    // DropTemps
+    // impossible
+
+    // Let
+    // impossible
+
+    // If
+    {
+        (if true { String::new() } else { "hello".into() }).as_ptr();
+        //~^ ERROR [instantly_dangling_pointer]
+    }
+
+    // Loop
+    {
+        (loop {
+            break String::new();
+        })
+        .as_ptr(); //~ ERROR [instantly_dangling_pointer]
+    }
+
+    // Match
+    {
+        match string() {
+            s => s,
+        }
+        .as_ptr(); //~ ERROR [instantly_dangling_pointer]
+    }
+
+    // Closure
+    // impossible
+
+    // Block
+    { string() }.as_ptr(); //~ ERROR [instantly_dangling_pointer]
+
+    // Assign, AssignOp
+    // impossible
+
+    // Field
+    {
+        Wrapper(string()).0.as_ptr(); // False negative
+        let x = Wrapper(string());
+        x.0.as_ptr();
+    }
+
+    // Index
+    {
+        vec![string()][0].as_ptr(); // False negative
+        let x = vec![string()];
+        x[0].as_ptr();
+    }
+
+    // AddrOf, InlineAsm, OffsetOf
+    // impossible
+
+    // Break, Continue, Ret
+    // are !
+
+    // Become, Yield
+    // unstable, are !
+
+    // Repeat
+    [0u8; 100].as_ptr();
+    [const { String::new() }; 100].as_ptr();
+
+    // Struct
+    // Cannot test this without access to private fields of the linted types.
+
+    // Err
+    // impossible
+
+    // Macro
+    vec![0u8].as_ptr(); //~ ERROR [instantly_dangling_pointer]
+}

tests/ui/lint/dangling-ptr/instantly-dangling-pointer-temporaries.stderr

@@ -0,0 +1,99 @@
+error: getting a pointer from a temporary `String` will result in a dangling pointer
+  --> $DIR/instantly-dangling-pointer-temporaries.rs:21:14
+   |
+LL |     string().as_ptr();
+   |     -------- ^^^^^^ this pointer will immediately be invalid
+   |     |
+   |     this `String` is deallocated at the end of the statement, bind it to a variable to extend its lifetime
+   |
+   = note: pointers do not have a lifetime; when calling `as_ptr` the `String` will be deallocated at the end of the statement because nothing is referencing it as far as the type system is concerned
+   = help: for more information, see https://doc.rust-lang.org/reference/destructors.html
+note: the lint level is defined here
+  --> $DIR/instantly-dangling-pointer-temporaries.rs:2:9
+   |
+LL | #![deny(instantly_dangling_pointer)]
+   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+error: getting a pointer from a temporary `String` will result in a dangling pointer
+  --> $DIR/instantly-dangling-pointer-temporaries.rs:24:25
+   |
+LL |     "hello".to_string().as_ptr();
+   |     ------------------- ^^^^^^ this pointer will immediately be invalid
+   |     |
+   |     this `String` is deallocated at the end of the statement, bind it to a variable to extend its lifetime
+   |
+   = note: pointers do not have a lifetime; when calling `as_ptr` the `String` will be deallocated at the end of the statement because nothing is referencing it as far as the type system is concerned
+   = help: for more information, see https://doc.rust-lang.org/reference/destructors.html
+
+error: getting a pointer from a temporary `String` will result in a dangling pointer
+  --> $DIR/instantly-dangling-pointer-temporaries.rs:30:26
+   |
+LL |     (string() + "hello").as_ptr();
+   |     -------------------- ^^^^^^ this pointer will immediately be invalid
+   |     |
+   |     this `String` is deallocated at the end of the statement, bind it to a variable to extend its lifetime
+   |
+   = note: pointers do not have a lifetime; when calling `as_ptr` the `String` will be deallocated at the end of the statement because nothing is referencing it as far as the type system is concerned
+   = help: for more information, see https://doc.rust-lang.org/reference/destructors.html
+
+error: getting a pointer from a temporary `String` will result in a dangling pointer
+  --> $DIR/instantly-dangling-pointer-temporaries.rs:65:61
+   |
+LL |         (if true { String::new() } else { "hello".into() }).as_ptr();
+   |         --------------------------------------------------- ^^^^^^ this pointer will immediately be invalid
+   |         |
+   |         this `String` is deallocated at the end of the statement, bind it to a variable to extend its lifetime
+   |
+   = note: pointers do not have a lifetime; when calling `as_ptr` the `String` will be deallocated at the end of the statement because nothing is referencing it as far as the type system is concerned
+   = help: for more information, see https://doc.rust-lang.org/reference/destructors.html
+
+error: getting a pointer from a temporary `String` will result in a dangling pointer
+  --> $DIR/instantly-dangling-pointer-temporaries.rs:74:10
+   |
+LL | /         (loop {
+LL | |             break String::new();
+LL | |         })
+   | |__________- this `String` is deallocated at the end of the statement, bind it to a variable to extend its lifetime
+LL |           .as_ptr();
+   |            ^^^^^^ this pointer will immediately be invalid
+   |
+   = note: pointers do not have a lifetime; when calling `as_ptr` the `String` will be deallocated at the end of the statement because nothing is referencing it as far as the type system is concerned
+   = help: for more information, see https://doc.rust-lang.org/reference/destructors.html
+
+error: getting a pointer from a temporary `String` will result in a dangling pointer
+  --> $DIR/instantly-dangling-pointer-temporaries.rs:82:10
+   |
+LL | /         match string() {
+LL | |             s => s,
+LL | |         }
+   | |_________- this `String` is deallocated at the end of the statement, bind it to a variable to extend its lifetime
+LL |           .as_ptr();
+   |            ^^^^^^ this pointer will immediately be invalid
+   |
+   = note: pointers do not have a lifetime; when calling `as_ptr` the `String` will be deallocated at the end of the statement because nothing is referencing it as far as the type system is concerned
+   = help: for more information, see https://doc.rust-lang.org/reference/destructors.html
+
+error: getting a pointer from a temporary `String` will result in a dangling pointer
+  --> $DIR/instantly-dangling-pointer-temporaries.rs:89:18
+   |
+LL |     { string() }.as_ptr();
+   |     ------------ ^^^^^^ this pointer will immediately be invalid
+   |     |
+   |     this `String` is deallocated at the end of the statement, bind it to a variable to extend its lifetime
+   |
+   = note: pointers do not have a lifetime; when calling `as_ptr` the `String` will be deallocated at the end of the statement because nothing is referencing it as far as the type system is concerned
+   = help: for more information, see https://doc.rust-lang.org/reference/destructors.html
+
+error: getting a pointer from a temporary `Vec<u8>` will result in a dangling pointer
+  --> $DIR/instantly-dangling-pointer-temporaries.rs:128:15
+   |
+LL |     vec![0u8].as_ptr();
+   |     --------- ^^^^^^ this pointer will immediately be invalid
+   |     |
+   |     this `Vec<u8>` is deallocated at the end of the statement, bind it to a variable to extend its lifetime
+   |
+   = note: pointers do not have a lifetime; when calling `as_ptr` the `Vec<u8>` will be deallocated at the end of the statement because nothing is referencing it as far as the type system is concerned
+   = help: for more information, see https://doc.rust-lang.org/reference/destructors.html
+
+error: aborting due to 8 previous errors
+