Skip to content

refactor(payload): retire remaining .expect() sites and drop quarantine#1893

Draft
goxberry wants to merge 1 commit into
goxberry/fix-payload-arbitrary-zero-blockfrom
goxberry/expect-cleanup-payload-remaining
Draft

refactor(payload): retire remaining .expect() sites and drop quarantine#1893
goxberry wants to merge 1 commit into
goxberry/fix-payload-arbitrary-zero-blockfrom
goxberry/expect-cleanup-payload-remaining

Conversation

@goxberry
Copy link
Copy Markdown
Contributor

@goxberry goxberry commented May 22, 2026
edited
Loading

What does this PR do?

Closes out the lading_payload .expect() cleanup stack. The crate-root #![allow(clippy::expect_used)] quarantine is removed from lading_payload/src/lib.rs, and the remaining 17 production .expect() sites are addressed. lading_payload is now fully covered by the workspace-level clippy::expect_used = "deny".

Sites covered

13 sites → .unwrap_or_else(... unreachable!("...")) (structural infallibles)

File:line Site Why infallible
templated_json/generator.rs:186 NonZeroI64::new(new_ms) Existing // the error branch is unreachable in practice comment documents the positivity invariant
templated_json/config.rs:288 serde_json::to_string(s) on a &str serde_json cannot fail on a string
templated_json/config.rs:443 parts.last() after str::split str::split always yields ≥1 part
dogstatsd/metric.rs:149 ZeroToOne::try_from(sample_rate) after clamp(0.0, 1.0) Clamp guarantees range membership
dogstatsd/metric.rs:263 values.pop() after a known values.push(value) 100+ lines above Vec has ≥1 element
syslog.rs:75-76 OffsetDateTime::from_unix_timestamp(base_ts + offset) Range [2020, 2030] is well inside the valid OffsetDateTime range
syslog.rs:77 .format(&Rfc3339) of a valid OffsetDateTime RFC-3339 formatting cannot fail on a constructed date
syslog.rs:87 serde_json::to_string(&rng.random::<Message>()) Message is a struct of primitive fields with derived Serialize
datadog_logs.rs:57 str_pool.of_size_range(rng, 1_u8..16) Pool is constructed with size 1_000_000 (datadog_logs.rs:101); 1..16 always fits
datadog_logs.rs:60 serde_json::to_string(&rng.random::<Structured>()) Same shape as Message
fluent.rs:129, 135 str_pool.of_size_range(rng, 1_u8..16) Same pool pattern
common/strings/random_string_pool.rs:189 pool.of_size(rng, sz) Caller convention: pool is sized larger than length_range

4 sites → fn-level #[expect(clippy::expect_used, reason = "...")] (panic is the documented contract)

Function Why the panic is intentional
dogstatsd/metric.rs::MetricGenerator::generate self.templates is validated non-empty at construction; an empty templates vec here is a serious logic bug, as documented by the existing SAFETY: comment
dogstatsd/service_check.rs::ServiceCheckGenerator::generate Same shape: self.names is validated non-empty at construction
dogstatsd/common.rs::NumValueGenerator::new Uniform::new_inclusive(min, max) fails when min > max. ConfRange::Inclusive { min, max } does not validate min ≤ max at deserialization; a misconfigured config panics here with the existing diagnostic message

Quarantine removed

The #![allow(clippy::expect_used)] line is removed from lading_payload/src/lib.rs. From here on, any new .expect() in production code in this crate is a hard CI failure.

Motivation

Final PR in the lading_payload cleanup sub-stack. The stack started by #1882:

  1. chore(clippy): forbid .expect() in production code #1882 — workspace lint + crate-root quarantines
  2. chore(clippy): drop expect_used quarantine for lading_throttle #1883 — drop lading_throttle quarantine
  3. refactor(payload): mark infallible .expect() sites as unreachable!() #1884 — Cat-3 (26 infallible sites)
  4. refactor(payload): mark fallible-context infallibles as unreachable!() #1885 — Group A (5 ?-context infallibles)
  5. refactor(payload): mark in-function invariants as unreachable!() #1890 — Group B (6 in-function invariants)
  6. refactor(payload): annotate intentional-panic .expect() sites #1891 — Group C (11 fn-level #[expect] for handle contracts)
  7. fix(payload): reject zero-byte arbitrary input for Block #1892 — Group D (real bug fix in Block::arbitrary)
  8. refactor(payload): retire remaining .expect() sites and drop quarantine #1893 — Group E + drop lading_payload quarantine (this PR)

After this lands, the only crates still carrying a quarantine are lading_capture (149 sites) and lading (243 sites), which are addressed in later sub-stacks.

Related issues

Stacked on #1892.

Additional Notes

  • cargo build --all-targets --all-features
  • bash ci/validate ✓ (full: shellcheck, fmt, check, custom lints, clippy, deny, config validation, nextest, loom, kani, buf)
  • cargo clippy -p lading-payload --all-targets --all-features 2>&1 | grep -c expect_used0 (verifies the quarantine drop is safe)
  • Diff: 13 files, +69 −42.

Note on parent PRs

While preparing this PR I noticed PRs #1885, #1890, #1891, and #1892 had fmt CI failures from earlier (cargo fmt --check whitespace) that I missed by running ci/clippy instead of ci/validate per branch. Those PRs have been force-pushed with formatting fixes. The changes are pure whitespace and don't touch semantics.

@goxberry @claude
refactor(payload): retire remaining .expect() sites and drop quarantine
2fd3b16 
Closes out the `lading_payload` Cat-2 cleanup. 17 production `.expect()`
sites are addressed and the crate-root `#![allow(clippy::expect_used)]`
quarantine is removed from `lading_payload/src/lib.rs`. The workspace
`clippy::expect_used = "deny"` now applies in full.

13 sites become `.unwrap_or_else(... unreachable!("..."))`:

- `templated_json/generator.rs:186` (NonZeroI64 after documented
  positivity invariant)
- `templated_json/config.rs:288` (serde_json on a `&str`)
- `templated_json/config.rs:443` (parts.last() after `str::split`)
- `dogstatsd/metric.rs:149` (ZeroToOne after `clamp(0.0, 1.0)`)
- `dogstatsd/metric.rs:263` (Vec::pop after known push)
- `syslog.rs:75-76` (timestamp in [2020, 2030] within OffsetDateTime range)
- `syslog.rs:77` (RFC-3339 format of valid OffsetDateTime)
- `syslog.rs:87` (serde_json on primitive-field struct)
- `datadog_logs.rs:57` (str_pool of_size_range; pool sized 1_000_000)
- `datadog_logs.rs:60` (serde_json on primitive-field struct)
- `fluent.rs:129,135` (same pool pattern)
- `random_string_pool.rs:189` (pool sized by caller convention)

4 sites in `dogstatsd/` are annotated `#[expect(clippy::expect_used,
reason = "...")]` at the function level because the panic is the
documented contract when upstream config validation is too loose:

- `dogstatsd/metric.rs::MetricGenerator::generate` — choose template_idx
  from `0..self.templates.len()`; empty `templates` is a serious logic
  bug, matching the existing `SAFETY:` comment.
- `dogstatsd/service_check.rs::ServiceCheckGenerator::generate` — same
  shape for `self.names`.
- `dogstatsd/common.rs::NumValueGenerator::new` — `Uniform::new_inclusive`
  on `ConfRange::Inclusive { min, max }`, which does not validate
  `min <= max` at deserialization; a misconfigured config panics here
  with the existing diagnostic message.

No runtime behavior change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 22, 2026
Draft
Draft
Draft
Draft
Draft
Draft
@goxberry Graphite App
Copy link
Copy Markdown
Contributor Author

goxberry commented May 22, 2026
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

This was referenced May 22, 2026
Draft
Draft
Draft
Draft
Draft
Draft
Draft
Draft
Draft
Draft
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@goxberry