Nullable Contracts Enforcement

Adopt explicit, consistent nullability contracts for pointer/optional-field parameters and honor them at every call site. Practical rules: - **Document/decide whether a parameter may be NULL**. If it can’t, keep the check out; if it can, guard and define behavior.

copy reviewer prompt

Prompt

Reviewer Prompt
Deploy Agent

Adopt explicit, consistent nullability contracts for pointer/optional-field parameters and honor them at every call site.

Practical rules:

  • Document/decide whether a parameter may be NULL. If it can’t, keep the check out; if it can, guard and define behavior.
  • Align new helpers with existing conventions (e.g., get*From*Object patterns) so developers don’t guess whether NULL is legal.
  • Guard before dereference when an optional field can be absent (e.g., if (obj->field) { use }).
  • Avoid UB from “meaningless” fields: don’t read dict values when the dict is configured for no_value; pass/handle the correct canonical value (NULL for absent value).
  • Prefer correctness via interface contracts over defensive checks inside low-level helpers (unless the team has a specific safety requirement). If a helper would UB with bad inputs (e.g., memcpy(dst,NULL,n>0)), enforce the precondition at call sites.
  • After invalidation/nullification, treat pointers as unusable (prevent accidental use-after-invalidate by structuring code flow so dereferences are impossible).

Example pattern:

/* Optional pointer is truly nullable; guard before use */
if (nack->consumer) {
    addReplyBulkCBuffer(c, nack->consumer->name,
                        sdslen(nack->consumer->name));
} else {
    addReplyBulkCBuffer(c, "", 0);
}

/* Dict configured with no_value: never read dictGetVal() */
if (dictAdd(dst, key, NULL) == DICT_OK) {
    /* ... */
}

This standard prevents ambiguous NULL expectations, avoids undefined behavior, and keeps null-safety practical instead of scattered defensive code.

Source discussions