Missing pointer null checks

[marco-vassena]

Functions set_boxed_mut_ptr and set_arc_mut_ptr assume that the caller pass non-null pointers. It'd be safer to explicitly check that the pointers are not null and return rustls_result.

[jsha]

One thing that's tricky here: ideally we want all our NULL checks to be at the top of the function, so we can avoid doing any work or allocating anything before potentially bailing out. But set_boxed_mut_ptr / set_arc_mut_ptr are generally called at the end of the function.

One way to do this would be to keep the requirement that set_boxed_mut_ptr / set_arc_mut_ptr must not be called with NULL pointers, but additionally enforce that invariant with a panic. For functions that correctly check for NULL at the top, presumably the compiler would be smart enough to eliminate the second check. And for functions that forget to check for NULL, there would be a panic rather than undefined behavior.

Another possibility would be to take &mut *mut T instead of *mut *mut T, and rely on our existing try_ macros to produce the reference, which we would then know is non-NULL.

[jsha]

Yet another way to do this would be to make inner functions that return T and then have a helper function that (a) checks the out pointer for NULL, (b) calls the inner function, and (c) assigns the result to the target of the out pointer.

[ctz]

Another possibility would be to take &mut *mut T instead of *mut *mut T, and rely on our existing try_ macros to produce the reference, which we would then know is non-NULL.

I like this option. We can produce the reference at the top of the function (with the NULL check and early return), and that will eliminate the late failures.

[cpu]

@marco-vassena Thanks for the report. We've implemented a fix in #402 that should make this a harder trap to fall into going forward.