dangling_pointers_from_temporaries lint does not warn when as_ptr() result escapes function

[alex]

Consider this basic dangling pointer from a temporary:

use std::ffi::CString;

unsafe extern "C" {
    fn g(v: *const i8);
}

pub fn f1(s: &str) {
    let p = CString::new(s).unwrap().as_ptr();
    unsafe { g(p); }
}

It produces a warning. Very good.

However, if instead we have an Option<&str> and we use some Option methods to convert it to a pointer, we no longer get a warning:

use std::ptr;
use std::ffi::CString;

unsafe extern "C" {
    fn g(v: *const i8);
}

pub fn f2(s: Option<&str>) {
    let p = s.map(|v| CString::new(v).unwrap()).map_or(ptr::null(), |v| v.as_ptr());
    unsafe { g(p); }
}

I believe the closure passed to map_or should be triggering the warning: it takes Option<CString> as an argument, it calls as_ptr(), it drops the Option<CString>, and then it makes use of the pointer (to return it).

[alex]

(This was extracted from real code, so this is not a hypothetical consideration.)

[alex]

Oh, this doesn't actually have anything to do with Option (other than that map_or easily produces this problem), the actual problem has a much simpler reproducer:

use std::ffi::CString;
pub fn f3(s: CString) -> *const i8 {
    s.as_ptr()
}

[alex]

https://rustsec.org/advisories/RUSTSEC-2025-0022.html is a real-world instance of this

[jieyouxu]

Closing in favor of #78691, which had more false positive/negative examples, incl. this issue.