NilAway: Practical nil panic detection for Go

I do like the approach of static code analysis.<p>I found it a little funny that their big &quot;win&quot; for the nilness checker was some code logging nil panics thousands of time a day. Literally an example where their checker wasn&#x27;t needed because it was being logged at runtime.<p>It&#x27;s a good idea but they need some examples where their product beats running &quot;grep panic&quot;.

Just tried this out on some of my own code and it nails the warts that I had flagged as TODOs (and a few more...). The tool gives helpful info about the source of the nil, too. This is great.

Building a type checker on global inference is the kind of thing that sounds romantic in academia - &quot;no type definitions and yet get type checking!&quot; - but ends up being a nightmare to use in practice.<p>Nilability of return values should be part of functions public interface. It shouldn&#x27;t come as a surprise under certain circumstances of using the code. The problem of global inference is that it targets both the producer and the consumer of the interface at the same time, without a mediating interface definition deciding who is correct. If a producer starts returning nil and a consumer five levels downstream the call-stack happens to be using it, both the producer and caller is called out, even if that was documented public api before, just never executed. Or vice versa.<p>For anyone who had the great pleasure of deciphering error messages from C++ templates, you know what I&#x27;m talking about.<p>I understand the compromises they had to take due to language constraints and I&#x27;m sure this will be plenty useful anyway. Just sad to see that a language, often called modern and safe, having these idiosyncrasies and need such workarounds.

I got a nil pointer deref panic trying to use this tool:<p>$ nilaway .&#x2F;...<p>panic: runtime error: invalid memory address or nil pointer dereference [recovered]<p>panic: runtime error: invalid memory address or nil pointer dereference<p>[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x100c16a58]

Is there any movement in the language spec to address this in the future with Nil types or something?

Wonderful job.<p>I am toying around with a similar project, with the same goal, and it is DIFFICULT.<p>I&#x27;ll definitely get to learn from their implementation.

Very interesting work. I wonder what were the difficulties encountered. Aliasing? Variable reassignment wrt short declaration shadowing?<p>Hopefully with time, when exploring union types and perhaps a limited form of generalized subtyping (currently it&#x27;s only interface types) we&#x27;ll be able to deal with nil for good.<p>Nil is useful, as long as correctly reined in.

Plenty of Go commentary in this thread but can I just say I&#x27;m glad to have learned about nilness? Suffered through a few nil pointer dereferences after deploying and having this analyser enabled in gopls (off by default for me at least) is a nice change.<p>Tested via vim and looks good!

I tried it but got too many false positives to be useful.

cool... what does this mean the best linter &#x2F; correctness checking is at the moment?<p>I have some code that eventually core dumps and honestly I don&#x27;t know what I&#x27;m doing wrong, and neither do any golang tools I&#x27;ve tried :(<p>maaaaaybe there&#x27;s something that&#x27;ll check that your code never closes a channel or always blocks after a specific order of events happens...

I&#x27;m not sure if that was the best example to showcase NilAway. I understand there&#x27;s a lot of context omitted to focus on NilAway&#x27;s impact, but why is foo returning a channel to bar if bar is just going to block on it anyway? Why not just return a *U? If foo&#x27;s function signature was func foo() (*U, error) {}, this wouldn&#x27;t be a problem to begin with.

The code:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;uber-go&#x2F;nilaway">https:&#x2F;&#x2F;github.com&#x2F;uber-go&#x2F;nilaway</a>

I have been thinking about this problem for a long time as well.<p>But I think that focusing on nils is a wrong analysis. The problem is the default zero-values dogma, and that is not going to change anytime soon.<p>Sometimes you also need a legitimate empty string or 0 integer, but the language cannot distinguish it from the absence of value.<p>In my codebase, I was able to improve the readability of those cases a lot by using mo.Option, but that has a readability cost and does not offer the same guarantees than a compiler would. The positive side is that I get a panic and clear stack trace whenever I try to read an absent value, which is better than nothing, but still not as good as having those cases at compile time.<p>No amount of lint checkers (however smart) will workaround the fact that the language cannot currently express those constraints. And I don&#x27;t see it evolving past it&#x27;s current dogmas unfortunately, unless someone forks it or create something like typescript for go.

&gt; Nil panics are found to be an especially pervasive form of runtime errors in Go programs. Uber’s Go monorepo is no exception to this, and has witnessed several runtime errors in production because of nil panics, with effects ranging from incorrect program behavior to app outages, affecting Uber customers.<p>Insane that Go had decades of programming mistakes to learn from but it chose this path.<p>Anyway, at least Uber is out there putting out solid bandaids. Their equivalent for Java is definitely a must-have for any project.

&quot;The Go monorepo is the largest codebase at Uber, comprising 90 million lines of code (and growing)&quot;<p>Is this just a symptom of having a lot of engineers and they keep churning code, Golang being verbose or something else. Hard time wrapping my head around Uber needing 90+ million lines of code(!). What would be some large components of this codebase look like?

It amazes me that in 2023 this is not a solved problem by design of the language. Why go doesn’t adapt the “optional” notion of other languages so that if you have a variable you either <i>know</i> it is not null or <i>know</i> that you must check for nullness. The technology exists

90 million lines of code to .. call a cab?<p>Genuinely curious what&#x27;s so much of business logic is for.

how in the hell does uber need engineering problems solved?<p>mad

I don’t really buy the usefulness of trying to statically detect possible nil panics. In their example of a service panicing 3000+ times a day why didn’t they just check the logs to get the stack trace of the panic and fix it there? I don’t see why static analysis was needed to fix that panic in runtime.<p>What I would really like golang to have is way to send a “last gasp” packet to notify some other system that the runtime is panicing. Ideally at large scales it would be really nice to see what is panicing where and at what time with also stack traces and maybe core dumps. I think that would be much more useful for fixing panics in production.<p>There was a proposal to add this to the runtime, but it got turned down: <a href="https:&#x2F;&#x2F;github.com&#x2F;golang&#x2F;go&#x2F;issues&#x2F;32333">https:&#x2F;&#x2F;github.com&#x2F;golang&#x2F;go&#x2F;issues&#x2F;32333</a> Most of the arguments against the proposal seem to be that it is hard to determine what is safe to run in a global panic handler. I think the more reasonable option is to tell the go runtime that you want it to send a UDP packet to some address when it panics. That allows the runtime to not support calling arbitrary functions during panicing as it only has to send a UDP packet and then crash.<p>I could see the static analyzer being useful for helping prevent the introduction of new panics, but I would much rather have better runtime detection.

Can we not link to scammy engineering blog articles with ads for scammy restaurant apps on top please?<p>Link to the source, or better yet, never link at all to anything related to Uber.

As a language that’s focused on backward compatibility than features oriented this is the best and optimal way to reduce some of Go’s loopholes. The problem of using developer tooling to solve the innate problems is that they lack awareness<p>I do recommend the Go team to find a way to these tools to run before it complies, just doing go build while going through these tools first goes a long way than just using scripts