Make deref_nullptr deny by default instead of warn

[saethlin]

This lint was added 4 years ago in #83948 and I cannot find any discussion on that PR or its issue about whether it should be warn or deny by default.

I think keeping this lint to warn was at one point in the past justifiable because of the old bindgen behavior of generating tests that do null pointer derefs. I've certainly heard that argument. I don't think it holds up now, so I think we should be more firm about code that is definitely UB.

We merged #134424 which adds a runtime check for null pointer reads/writes, with very little fanfare. So now we know things like: This lint warns on 111 crates in crater, but 106 crates are encountering the runtime UB check. 65 crates hit both the lint and a runtime check. Of the 46 crates that only hit the lint, 25 look to me like machine-generated bindings, and all hits except https://github.com/Plecra/asm-w-ownership/blob/3a0eff4bd151d8a0ccc076d6b8dea0bbc051e8e8/src/main.rs#L454 are trying to compute a field offset, and should use offset_of!.

Based on the contents of the crater runs for 1.91, I'd expect these crates to go from test-fail to build-fail as a result of this change:

gh/bernardjason/rust-invaders
gh/Leinnan/doppler
gh/Max-E/rust-gl-python-gtk
gh/nslebruh/rust-opengl-glfw
gh/nslebruh/rust_physics_gl_test
gh/oraoto/php-stacktrace
gh/playXE/jsrs
gh/Plecra/asm-w-ownership
gh/TateKennington/ROpenGL
gh/WillFarris/voxel-game
reg/ochre

Most of the crates where the lint fires already don't build for other reasons (note there are a lot of C bindings wrapper crates in the set).

[rustbot]

r? @petrochenkov

rustbot has assigned @petrochenkov.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

[scottmcm]

We discussed this in the lang meeting today. Everyone was in favour of moving it to deny, but we did discuss the fact that derefing a null pointer is no longer UB for a ZST pointee: https://doc.rust-lang.org/1.90.0/reference/behavior-considered-undefined.html#r-undefined.dangling.zero-size

---

Thus we propose that this does go to deny, but with an additional update that it not lint if the pointee is known to be a ZST. (So not lint if it's *ptr::null::<()>(), for example.) It would be fine to lint for a generic (or other layout-unknown things) pointee that we don't know for sure is a ZST.

@rfcbot fcp merge

---

The other thing that came up, but is not part of the FCP, is that eventually the cases of reading a known ZST through a pointer might want a new warn (but not deny) lint about them in some form, perhaps suggesting https://doc.rust-lang.org/nightly/std/mem/fn.conjure_zst.html instead as the "blessed" way to create a ZST from nothing. But this PR wouldn't need to wait on having something to lint on the *ptr::null::<()>() cases.

[rust-rfcbot]

Team member @scottmcm has proposed to merge this. The next step is review by the rest of the tagged team members:

• @joshtriplett
• @nikomatsakis
• @scottmcm
• @tmandry
• @traviscross

No concerns currently listed.

Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

cc @rust-lang/lang-advisors: FCP proposed for lang, please feel free to register concerns.
See this document for info about what commands tagged team members can give me.

[tmandry]

@rfcbot reviewed

[traviscross]

@rfcbot reviewed

[rust-rfcbot]

🔔 This is now entering its final comment period, as per the review above. 🔔