New lint: manual_midpoint

[samueltardieu]

changelog: [manual_midpoint]: new lint

Closes #13849

[rustbot]

r? @dswij

rustbot has assigned @dswij.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

[Urgau]

❤️ Thanks for working on it, appreciate it.

Left a few remarks/nits.

[Urgau]

Suggested change

	"manual implementation of `midpoint`",
	"manual implementation of `midpoint` which can overflow",

[samueltardieu]

I'm reluctant to add this on the lint message, because this particular use may well never overflow depending on the context. This is appropriate for the lint short description though, I'll add it there. What do you think?

[Urgau]

We should add it to the lint short description, but I still think we should mention it in the main message as it's the main issue (not the fact that it's a manual implementation). We could reduce the assertion by saying "which may overflow" (instead of "can").

[samueltardieu]

Any addition may overflow, and we do not suggest using .checked_add(). I'll let other weigh in, but I'm not comfortable saying "which may overflow" on (a + b) / 2 if a and b are indices in a vector for example, they will never overflow as they will be nowhere near usize::MAX/2 for any realistic vector.

[Urgau]

(a + b) / 2 if a and b are indices in a vector for example

u8::MAX = 255, u16::MAX = 65536 are fairly realistic numbers to me (which could be indices of custom containers).

they will never overflow as they will be nowhere near usize::MAX/2 for any realistic vector.

reminder of https://research.google/blog/extra-extra-read-all-about-it-nearly-all-binary-searches-and-mergesorts-are-broken/

[samueltardieu]

I was specifically talking about the usize case which is used to index a vector. And let's not confuse the issue: I'm not trying to argue that we should not lint, we will, only that I am not comfortable saying that a particular computation may overflow.

I couldn't find lints that warn about the potential risk when linting an expression if the risk is remote or non-existing for this particular expression, even though they still lint to make it clearer and safer should this code be changed later.

[y21]

I think I agree that it's a good idea to mention this even in the message. IMO it doesn't particularly hurt to mention even if the user knows it could never overflow, but it can definitely help in cases where that's an edge case the user hadn't considered, and I could see how the lint could otherwise be dismissed as 'just a nit like the other manual_* lints, not that important'.

The fact that it's an incorrect implementation due to overflow is the reason why it's deny-by-default/correctness in the first place, right? The current primary message makes this sound more like a complexity or style lint

[Urgau]

I don't if it's in Clippy customs but would be possible to add a help linking to the documentation, something like this (which rustc does to further guide the user):

help: for more information visit <https://doc.rust-lang.org/nightly/std/primitive.u32.html#method.midpoint>

[samueltardieu]

This is done only for niche or complex situations in the existing codebase, such as implementing a local trait for a foreign type (orphan rule).

[Urgau]

There's a first time for everything. :-)

More seriously, I'm fine if the link it's not included.

[Urgau]

Interesting choice of form, I would have probably use the method syntax (ie. .midpoint(..)) instead, as to not have to much shifts from the original code, but that works as well.

[samueltardieu]

I feel that linting (a + b) / 2 as a.midpoint(b) introduces an asymmetry between a and b while u32::midpoint(a, b) doesn't. But I'm not opposed to this change.

What do others think? Please upvote if you prefer a.midpoint(b) and downvote if you prefer u32::midpoint(a, b).

[GuillaumeGomez]

I can't pick between the 2 because the first one is more convenirnt but the second one is more readable...

Well, by writing this comment I realized I prefer more readable code so let's go for 2.

[y21]

I initially preferred a.midpoint(b) but having thought more about it, the latter has some other advantages: u32::midpoint(a, b) doesn't require parentheses in some cases where the LHS is an expression with low precedence like (a + b + c) / 2, and it also sidesteps type inference issues in cases like

let c: u64 = (10 + 5) / 2;

where 10.midpoint(5) would not compile. So the current suggestion LGTM

[samueltardieu]

r? @y21

[y21]

I initially preferred a.midpoint(b) but having thought more about it, the latter has some other advantages: u32::midpoint(a, b) doesn't require parentheses in some cases where the LHS is an expression with low precedence like (a + b + c) / 2, and it also sidesteps type inference issues in cases like

let c: u64 = (10 + 5) / 2;

where 10.midpoint(5) would not compile. So the current suggestion LGTM

[y21]

I think I agree that it's a good idea to mention this even in the message. IMO it doesn't particularly hurt to mention even if the user knows it could never overflow, but it can definitely help in cases where that's an edge case the user hadn't considered, and I could see how the lint could otherwise be dismissed as 'just a nit like the other manual_* lints, not that important'.

The fact that it's an incorrect implementation due to overflow is the reason why it's deny-by-default/correctness in the first place, right? The current primary message makes this sound more like a complexity or style lint

[samueltardieu]

I have eliminated the lint on additions with more than 2 operands, as there is no reason to suggest u32::midpoint(a + b, c) or u32::midpoint(a, b + c) for an expression like (a + b + c) / 2 which is likely not a midpoint computation.

[samueltardieu]

I opened a thread on Zulip to discuss how to handle (x + 1) / 2 which might not semantically be a midpoint() operation, as the user might want to compute a div_ceil() here.

[samueltardieu]

Rebasing because of a new conflict in msrvs.rs.

[y21]

Looks good, going to start the FCP in a bit

[y21]

FCP thread: https://rust-lang.zulipchat.com/#narrow/channel/257328-clippy/topic/FCP.3A.20manual_midpoint

[samueltardieu]

Rebased

[samueltardieu]

Rebased

[samueltardieu]

Thanks, I'll add this. @rustbot author

[samueltardieu]

Thanks, I'll add this.

I'll have to wait until the next rustup until the stabilization of manual_midpoint for integer types is visible. It will be in another PR (the code is ready), and I'll let this one untouched.

@rustbot review

[samueltardieu]

Updated to set the lint version to 1.87.

[samueltardieu]

Rebased, category changed to pedantic, signed integer midpoint integrated as well.