fix(dc): Enable panic clippy lints in s2n-quic-dc (#3116)

Author: Mark-Simulacrum

.clippy.toml

@@ -1,3 +1,7 @@
 msrv = "1.88.0"
 # // https://github.com/aws/s2n-quic/pull/2251
 too-many-arguments-threshold = 100
+# Avoid linting on unwraps in consts and tests where they can't bubble into production panics.
+allow-unwrap-in-consts = true
+allow-unwrap-in-tests = true
+allow-panic-in-tests = true

dc/s2n-quic-dc/Cargo.toml

@@ -82,3 +82,12 @@ tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 [lints.rust.unexpected_cfgs]
 level = "warn"
 check-cfg = ['cfg(future)', 'cfg(fuzzing)', 'cfg(kani)', 'cfg(todo)']
+
+[lints.clippy]
+panic = "deny"
+panicking_unwrap = "deny"
+panicking_overflow_checks = "deny"
+panic_in_result_fn = "deny"
+large_futures = "deny"
+unwrap_used = "deny"
+unwrap_in_result = "deny"

dc/s2n-quic-dc/src/control.rs

@@ -11,6 +11,11 @@ pub struct Control {
 }
 
 impl Control {
+    #[expect(
+        clippy::unwrap_used,
+        clippy::unwrap_in_result,
+        reason = "FIXME: local_addr is a fallible socket op and should propagate the error rather than unwrap"
+    )]
     pub fn new(address: SocketAddr, map: Map) -> std::io::Result<Self> {
         let socket = Arc::new(std::net::UdpSocket::bind(address)?);
         let port = socket.local_addr().unwrap().port();

dc/s2n-quic-dc/src/credentials.rs

@@ -14,6 +14,13 @@ use s2n_codec::{
 pub use s2n_quic_core::varint::VarInt as KeyId;
 
 #[cfg(any(test, feature = "testing"))]
+#[allow(
+    clippy::unwrap_used,
+    clippy::unwrap_in_result,
+    clippy::panic,
+    clippy::panic_in_result_fn,
+    reason = "test-support helpers may panic to surface setup failures"
+)]
 pub mod testing;
 
 #[derive(Clone, Copy, Default, PartialEq, Eq, FromBytes, IntoBytes, Unaligned, PartialOrd, Ord)]
@@ -29,6 +36,10 @@ impl Id {
         // The ID has very high quality entropy already, so write just one half of it to keep hash
         // costs as low as possible. For the main use of the Hash impl in the fixed-size ID map
         // this translates to just directly using these bytes for the indexing.
+        #[expect(
+            clippy::unwrap_used,
+            reason = "slicing exactly 8 bytes always converts to [u8; 8]"
+        )]
         u64::from_ne_bytes(self.0[..8].try_into().unwrap())
     }
 }
@@ -79,6 +90,10 @@ impl s2n_quic_core::probe::Arg for Id {
     fn into_usdt(self) -> isize {
         // we have to truncate the bytes, but 64 bits should be unique enough for these purposes
         let slice = &self.0[..core::mem::size_of::<usize>()];
+        #[expect(
+            clippy::unwrap_used,
+            reason = "slice length equals size_of::<usize>() so the conversion always succeeds"
+        )]
         let bytes = slice.try_into().unwrap();
         usize::from_ne_bytes(bytes).into_usdt()
     }

dc/s2n-quic-dc/src/crypto/awslc.rs

@@ -22,6 +22,10 @@ pub mod seal {
     impl Application {
         #[inline]
         pub fn new(key: &[u8], iv: [u8; NONCE_LEN], algorithm: &'static Algorithm) -> Self {
+            #[expect(
+                clippy::unwrap_used,
+                reason = "key sizes are statically known, moving the panic into callers isn't helpful"
+            )]
             let key = UnboundKey::new(algorithm, key).unwrap();
             let key = LessSafeKey::new(key);
             Self { key, iv: Iv(iv) }
@@ -151,6 +155,10 @@ pub mod open {
     impl Application {
         #[inline]
         pub fn new(key: &[u8], iv: [u8; NONCE_LEN], algorithm: &'static Algorithm) -> Self {
+            #[expect(
+                clippy::unwrap_used,
+                reason = "key sizes are statically known, moving the panic into callers isn't helpful"
+            )]
             let key = UnboundKey::new(algorithm, key).unwrap();
             let key = LessSafeKey::new(key);
             Self { key, iv: Iv(iv) }

dc/s2n-quic-dc/src/event.rs

@@ -26,6 +26,15 @@ impl Meta for api::EndpointMeta {
     }
 }
 
+// The generated code is not currently held to the panic lints; suppress them here at the
+// module level rather than annotating each generated site (which would be lost on regeneration).
+#[allow(
+    clippy::panic,
+    clippy::unwrap_used,
+    clippy::unwrap_in_result,
+    clippy::panic_in_result_fn,
+    reason = "FIXME: generated event code is not yet audited for the panic lints"
+)]
 mod generated;
 pub use generated::*;
 

dc/s2n-quic-dc/src/lib.rs

@@ -25,6 +25,13 @@ pub mod task;
 pub mod uds;
 
 #[cfg(any(test, feature = "testing"))]
+#[allow(
+    clippy::unwrap_used,
+    clippy::unwrap_in_result,
+    clippy::panic,
+    clippy::panic_in_result_fn,
+    reason = "test-support helpers may panic to surface setup failures"
+)]
 pub mod testing;
 
 pub use s2n_quic_core::dc::{Version, SUPPORTED_VERSIONS};

dc/s2n-quic-dc/src/msg/send.rs

@@ -65,6 +65,10 @@ impl allocator::Segment for Segment {
 
 #[cfg(debug_assertions)]
 impl Drop for Segment {
+    #[expect(
+        clippy::panic,
+        reason = "debug-only leak detector that fires only when a segment was dropped without being freed"
+    )]
     fn drop(&mut self) {
         if self.idx != Idx::MAX && !std::thread::panicking() {
             panic!("message segment {} leaked", self.idx);
@@ -122,6 +126,10 @@ impl Retransmission {
 
 #[cfg(debug_assertions)]
 impl Drop for Retransmission {
+    #[expect(
+        clippy::panic,
+        reason = "debug-only leak detector that fires only when a segment was dropped without being freed"
+    )]
     fn drop(&mut self) {
         if self.idx.get() != Idx::MAX && !std::thread::panicking() {
             panic!("message segment {} leaked", self.idx.get());

dc/s2n-quic-dc/src/packet/control/encoder.rs

@@ -80,6 +80,10 @@ where
 
     if cfg!(debug_assertions) {
         let decoder = s2n_codec::DecoderBufferMut::new(slice);
+        #[expect(
+            clippy::unwrap_used,
+            reason = "debug-assertions-only round-trip check that the packet we just encoded decodes successfully"
+        )]
         let _ = super::decoder::Packet::decode(decoder, (), crypto.tag_len()).unwrap();
     }
 

dc/s2n-quic-dc/src/packet/datagram/encoder.rs

@@ -96,6 +96,10 @@ where
     if tag.is_connected() || tag.ack_eliciting() {
         unsafe {
             assume!(encoder.remaining_capacity() >= 8);
+            #[expect(
+                clippy::unwrap_used,
+                reason = "FIXME: change API to enforce both packet number and next_expected_control_packet either both passed or neither is passed"
+            )]
             encoder.encode(&packet_number.unwrap());
         }
     }