Lint against getting pointers from immediately dropped temporaries

[GrigorenkoPV]

Fixes #123613

Changes:

1. New lint: dangling_pointers_from_temporaries. Is a generalization of temporary_cstring_as_ptr for more types and more ways to get a temporary.
2. temporary_cstring_as_ptr is removed and marked as renamed to dangling_pointers_from_temporaries.
3. clippy::temporary_cstring_as_ptr is marked as renamed to dangling_pointers_from_temporaries.
4. Fixed a false positive¹ for when the pointer is not actually dangling because of lifetime extension for function/method call arguments.
5. core::cell::Cell is now rustc_diagnostic_item = "Cell"

Questions:

• Instead of manually checking for a list of known methods and diagnostic items, maybe add some sort of annotation to those methods in library and check for the presence of that annotation? Lint against getting pointers from immediately dropped temporaries #128985 (comment)

Known limitations:

False negatives²:

See the comments in compiler/rustc_lint/src/dangling.rs

1. Method calls that are not checked for:
   • temporary_unsafe_cell.get()
   • temporary_sync_unsafe_cell.get()
2. Ways to get a temporary that are not recognized:
   • owning_temporary.field
   • owning_temporary[index]
3. No checks for ref-to-ptr conversions:
   • &raw [mut] temporary
   • &temporary as *(const|mut) _
   • ptr::from_ref(&temporary) and friends

Footnotes

1. lint should not be emitted, but is ↩

2. lint should be emitted, but is not ↩

[rustbot]

r? @wesleywiser

rustbot has assigned @wesleywiser.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

[jieyouxu]

FYI this probably needs T-lang approval and a crater run

[GrigorenkoPV]

This probably needs a crater run. Check-only should suffice. However, the lint should probably be denied for the run, but I am not sure if crater has such an option. Maybe I will just temporary change the default level in code.

Anyways, neither do I have permissions for bors try, nor for a crater run.

[Urgau]

I wonder if it would make sense to suggest introducing a second binding in those simple let cases, aka.

    let str1 = String::with_capacity(MAX_PATH);
    let str1 = str1.as_mut_ptr();

[GrigorenkoPV]

Probably yes, but I would prefer to do this as a separate follow-up PR if possible

[GrigorenkoPV]

I wonder if it would make sense to suggest introducing a second binding in those simple let cases, aka.

    let str1 = String::with_capacity(MAX_PATH);
    let str1 = str1.as_mut_ptr();

After looking at the "regressed" code from crater, I can say that a lot of the time this suggestion will not fix the problem, and will just result in code like

let vec = some_iter.collect();
let ptr = vec.as_ptr();
return ptr;

or similar where the pointer still dangles eventually, even though we binded the temporary for now.

Sometimes it would make sense to suggest things like .into_raw_parts() instead of .as_ptr(), but then the user has to remember to do ::from_raw_parts() if they want to avoid leaking...

Most of the places where this lint fires are not trivial to fix and actually require the person writing the code to be more cautious & knowledgeable about what they are doing, which can only be achieved through more experience of writing unsafe, as well as some punches from the compiler, miri, or sanitizers.

I think that not providing this suggestion in places where it would help is less bad than improperly providing it in places where it wouldn't help but would just further obscure and hide the issue.

[rustbot]

Some changes occurred in src/tools/clippy

cc @rust-lang/clippy

[GrigorenkoPV]

Looks like this caught an actual mistake in miri tests. However, the test in question was added after this PR had been opened, so I will have to rebase now to be able to fix the test.

[GrigorenkoPV]

Rebased

[rustbot]

The Miri subtree was changed

cc @rust-lang/miri

[RalfJung]

Looks like this caught an actual mistake in miri tests. However, the test in question was added after this PR had been opened, so I will have to rebase now to be able to fix the test.

It did. That's a good demo for the lint being quite useful indeed. :)