Add new linter: npecheck

[chenfeining]

Check for potential nil pointer reference exceptions to compensate for go linter's shortcomings in this area. This linter is supposed to be the most rigorous and complete NPE solution.

1. linter repository

https://github.com/chenfeining/go-npecheck

2. description

1. Focus on detecting potential nil pointer reference issues
2. Support detecting potential nil pointer references for function ptr parameters and external function assignments. For example, inputPtr.v, assignedPtr.v, the inputPtr, assignedPtr can be nil pointers
3. If the ancestor node is an external assignment pointer, it supports detecting chained variable references and whether there are potential nil pointer references. For example, p1.p2.v, the p1, p2 may be nil pointers
4. If the parent node is an external assignment pointer, it supports detecting the problem of nil pointer reference of chained functions. For example, m.getFunc().v, both m and the m.GetFunc() may be a nil pointer
5. In the case of slice including ptr elements from external assignment, support detection of slice ptr elements' potential nil pointer reference problem
6. More details can see the linters' test case in go-npecheck testdata.

[CLAassistant]

All committers have signed the CLA.

[ldez]

In order for a pull request adding a linter to be reviewed, the linter and the PR must follow some requirements.

• The CLA must be signed

Pull Request Description

• It must have a link to the linter repository.
• It must provide a short description of the linter.

Linter

• It must not be a duplicate of another linter or a rule of a linter. (the team will help to verify that)
• It must have a valid license (AGPL is not allowed) and the file must contain the required information by the license, ex: author, year, etc.
• The linter repository must have a CI and tests.
• It must use go/analysis.
• It must have a valid tag, ex: v1.0.0, v0.1.0.
• It must not contain init().
• It must not contain panic().
• It must not contain log.fatal(), os.exit(), or similar.
• It must not modify the AST.
• It must not have false positives/negatives. (the team will help to verify that)
• It must have tests inside golangci-lint.

The Linter Tests Inside Golangci-lint

• They must have at least one std lib import.
• They must work with T=<name of the linter test file>.go make test_linters. (the team will help to verify that)

.golangci.reference.yml

• The linter must be added to the list of available linters (alphabetical case-insensitive order).
  • enable and disable options
• If the linter has a configuration, the exhaustive configuration of the linter must be added (alphabetical case-insensitive order)
  • The values must be different from the default ones.
  • The default values must be defined in a comment.
  • The option must have a short description.

Others Requirements

• The files (tests and linter) inside golangci-lint must have the same name as the linter.
• The .golangci.yml of golangci-lint itself must not be edited and the linter must not be added to this file.
• The linters must be sorted in the alphabetical order (case-insensitive) in the Manager.GetAllSupportedLinterConfigs(...) and .golangci.reference.yml.
• The load mode (WithLoadMode(...)):
  • if the linter doesn't use types: goanalysis.LoadModeSyntax
  • goanalysis.LoadModeTypesInfo required WithLoadForGoAnalysis() in the Manager.GetAllSupportedLinterConfigs(...)
• The version in WithSince(...) must be the next minor version (v1.X.0) of golangci-lint.
• WithURL() must contain the URL of the repository.

Recommendations

• The linter should not use SSA. (SSA can be a problem with generics)
• The linter repository should have a readme and linting.
• The linter should be published as a binary. (useful to diagnose bug origins)

---

The golangci-lint team will edit this comment to check the boxes before and during the review.

The code review will start after the completion of those checkboxes (except for the specific items that the team will help to verify).

If the author of the PR is a member of the golangci-lint team, he should not edit this message.

This checklist does not imply that we will accept the linter.

[ldez]

The requirements defined in the checklist are still not met.

[ldez]

There are many false positives (99,999999%).
The use of a pointer doesn't mean there is an NPE.
This linter is just a pointer detector.

By design, this linter can not meet our requirement for false positives.
I would recommend that you create a plugin.

[chenfeining]

In fact, it should not be understood this way. This npecheck linter is also not enabled by default, and users can decide whether to turn it on or not for themselves. Currently, this linter is already can be used as a plugin in the IDE, in our private projects. In fact, many people need this npecheck's linter function.  Why not give that choice to the user? Only a simple configuration is required, such as the following：

…

------------------ 原始邮件 ------------------ 发件人: "golangci/golangci-lint" ***@***.***>; 发送时间: 2023年7月23日(星期天) 晚上9:20 ***@***.***>; ***@***.******@***.***>; 主题: Re: [golangci/golangci-lint] Add new linter: npecheck (PR #3969) There are many false positives (99,999999%). The use of a pointer doesn't mean there is an NPE. By design, this linter can not meet our requirement for false positives. I would recommend that you create a plugin. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>

[ldez]

In fact, it should not be understood this way.

The problem is not how I understand this linter, but how you understand what is a linter.

This npecheck linter is also not enabled by default

This sentence is partially wrong because all the linters are enabled when using enable-all.

In fact, many people need this npecheck's linter function. Why not give that choice to the user?

Because your analyzer detects "potential" NPE. The majority of the reports are not NPE (false positives).
Your analyzer is not a linter but a pointer detector.
And there is already linter that detects real NPE.

Only a simple configuration is required, such as the following：

I think you have forgotten to add the configuration but it's not important because your analyzer is just offtopic.

[chenfeining]

What project need to  enable-all linters ? From the many projects I've worked on, almost none of them are enable-all. With enable-all, the project is dead. Why do you always consider most scenarios? Why aren't we allowed to take a small part of the situation.

…

------------------ 原始邮件 ------------------ 发件人: "golangci/golangci-lint" ***@***.***>; 发送时间: 2023年7月23日(星期天) 晚上11:10 ***@***.***>; ***@***.******@***.***>; 主题: Re: [golangci/golangci-lint] Add new linter: npecheck (PR #3969) In fact, it should not be understood this way. The problem is not how I understand this linter, but how you understand what is a linter. This npecheck linter is also not enabled by default This sentence is partially wrong because all the linters are enabled when using enable-all. In fact, many people need this npecheck's linter function. Why not give that choice to the user? Because your analyzer detects "potential" NPE, the majority of the reports are false positives. Your analyzer is not a linter but a pointer detector. Only a simple configuration is required, such as the following： I think you have forgotten to add the configuration. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>

[chenfeining]

And this small part of the situation may be the most central thing for some business scenarios.

…

------------------ 原始邮件 ------------------ 发件人: "flyman" ***@***.***>; 发送时间: 2023年7月23日(星期天) 晚上11:17 ***@***.******@***.***>; ***@***.***>; 主题: 回复： [golangci/golangci-lint] Add new linter: npecheck (PR #3969) What project need to  enable-all linters ? From the many projects I've worked on, almost none of them are enable-all. With enable-all, the project is dead. Why do you always consider most scenarios? Why aren't we allowed to take a small part of the situation.

------------------ 原始邮件 ------------------ 发件人: "golangci/golangci-lint" ***@***.***>; 发送时间: 2023年7月23日(星期天) 晚上11:10 ***@***.***>; ***@***.******@***.***>; 主题: Re: [golangci/golangci-lint] Add new linter: npecheck (PR #3969) In fact, it should not be understood this way. The problem is not how I understand this linter, but how you understand what is a linter. This npecheck linter is also not enabled by default This sentence is partially wrong because all the linters are enabled when using enable-all. In fact, many people need this npecheck's linter function. Why not give that choice to the user? Because your analyzer detects "potential" NPE, the majority of the reports are false positives. Your analyzer is not a linter but a pointer detector. Only a simple configuration is required, such as the following： I think you have forgotten to add the configuration. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>

[ldez]

With enable-all, the project is dead.

I use enable-all on ALL my projects, so all my projects are dead?

enable-all is never a problem when your CI uses a fixed version of golangci-lint.

Why do you always consider most scenarios? Why aren't we allowed to take a small part of the situation.
And this small part of the situation may be the most central thing for some business scenarios.

I don't understand your sentences.

[chenfeining]

Why your projects need to enable-all ?  What is your purpose? Test each linter? Or test your code ？ As an open source project, I think you should look at how other users are using it. And not how you use it.  No further progress can be made if it is only for the convenience of your own projects. 

…

------------------ 原始邮件 ------------------ 发件人: "golangci/golangci-lint" ***@***.***>; 发送时间: 2023年7月23日(星期天) 晚上11:25 ***@***.***>; ***@***.******@***.***>; 主题: Re: [golangci/golangci-lint] Add new linter: npecheck (PR #3969) With enable-all, the project is dead. I use enable-all on ALL my projects, so all my projects are dead? Why do you always consider most scenarios? Why aren't we allowed to take a small part of the situation. And this small part of the situation may be the most central thing for some business scenarios. I don't understand your sentences. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>

[ldez]

I think my explanations are clear: your analyzer is not an NPE linter but a pointer detector, which leads to a majority of useless reports (false positives).
Based on that your analyzer cannot be a part of golangci-lint.

Feel free to not agree but my decision is based on our organization's criteria defined by a team (and not just me as you suggest), they are the same criteria for all linters.

So now I will stop answering because this is a waste of time for you and me.

[chenfeining]

Well. Let me also fill you in on the background of our linter. There is a development, add a line of debug logs, the result of the null pointer reference panic, resulting in interface unavailable. It's hard to control these things with manual code review. It is also difficult to write a UT that deliberately covers all use cases, so the npecheck linter is useful in some strict scenarios.

…

------------------ 原始邮件 ------------------ 发件人: "golangci/golangci-lint" ***@***.***>; 发送时间: 2023年7月23日(星期天) 晚上11:33 ***@***.***>; ***@***.******@***.***>; 主题: Re: [golangci/golangci-lint] Add new linter: npecheck (PR #3969) I think my explanations are clear: your analyzer is not a linter but a pointer detector, which leads to a majority of useless reports (false positives). Based on that your analyzer cannot be a part of golangci-lint. Feel free to not agree but my decision is based on our organization's criteria, they are the same criteria for all linters. So now I will stop answering because this is a waste of time for you and me. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>