This is an archive of the discontinued LLVM Phabricator instance.

Differential D12445

[Static Analyzer] Remove sinks from nullability checks.
ClosedPublic

Authored by xazax.hun on Aug 28 2015, 1:39 PM.

Details

Reviewers
dcoughlin
krememek
zaks.anna
jordan_rose
Commits
rGb47128aaf37b: [Static Analyzer] Remove sinks from nullability checks.
rC246818: [Static Analyzer] Remove sinks from nullability checks.
rL246818: [Static Analyzer] Remove sinks from nullability checks.
Summary

With this patch a nullability violation no longer generates a sink node, so it does not cause any coverage loss for other checkers.
From now on, it also do not warns, when a nullability precondition is violated. These changes are related, because in order to be able to remove the sinks (without generating duplicate reports for the same symbol), there should be a mechanism to turn off this checker for a path.

Diff Detail

Repository
rL LLVM

Event Timeline

xazax.hun updated this revision to Diff 33458.Aug 28 2015, 1:39 PM
xazax.hun retitled this revision from to [Static Analyzer] Remove sinks from nullability checks..
xazax.hun updated this object.
xazax.hun added reviewers: zaks.anna, dcoughlin, krememek, jordan_rose.
xazax.hun added a subscriber: cfe-commits.
zaks.anna added inline comments.Aug 28 2015, 4:44 PM
lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp
166 ↗(On Diff #33458)

The difference is not clear by looking at the signature; maybe you should rename the method to make it more clear what the difference is.

Please, use doxygen style comments everywhere!

228 ↗(On Diff #33458)

preconditions -> precondition
I am not sure what you mean by postcondition and where that term is defined.
turned of -> turned off
so this check does not -> so that this checker would not lead to reduced coverage

371 ↗(On Diff #33458)

Looks like you are assuming that you cannot get to this point with OriginalState having the PreconditionViolation bit set. This seems fragile. At minimum, you should assert this, but maybe changing the checkPreconditionViolation API would be better?

395 ↗(On Diff #33458)

Maybe you should only do this if there was at least one symbol with nullability info removed in the loop above? Would that work?

430 ↗(On Diff #33458)

Please, spell check your comments.

We are not dereferencing null.. we are dereferencing a nullable pointer..
Am I wrong?

565 ↗(On Diff #33458)

I do not understand how this works..

Does this ever report an issue? I thought this version of the bugReport will only report an issue if PreconditionViolation is not set. (Same for the code below and above..)

Is this tested?

xazax.hun updated this revision to Diff 33501.Aug 28 2015, 6:03 PM
xazax.hun marked 6 inline comments as done.

Addressed the comments.

lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp
395 ↗(On Diff #33458)

That would not work.
Only "nullable" nullability and contradictions are tracked for the symbols right now. If nothing is marked nullable, this branch would never be taken.

430 ↗(On Diff #33458)

You are right.

565 ↗(On Diff #33458)

Yes, it works.

The reason is that, reportBug does report bugs, when PreconditionViolated is set to true. It does not report bugs, when one of the nonnull argument is constrained to be null. PreconditionViolated is used at the beginning of some callbacks to return early.

However I think this behavior might be confusing, so I refactored the code. From now on reportBugConditionally does not report any bug, when PreconditionViolated is set to true, and it does set it to true when a reported bug should suppress other bugs along the path.

xazax.hun updated this revision to Diff 33704.Sep 1 2015, 9:47 AM

Made sure that inlined defensive checks do not generate false positives.

zaks.anna added inline comments.Sep 1 2015, 1:38 PM
lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp
166 ↗(On Diff #33704)

It is still not clear what the condition is..
More context in the name would be better; for example, how about reportBugIfNotOnDefensiveCodePath or reportBugIfPreconditionHolds

374 ↗(On Diff #33704)

Shouldn't this be part of checkPreconditionViolation?

806 ↗(On Diff #33704)

Maybe we should only check these at the time the bug is about to be reported..

That way the code would be less error prone..

xazax.hun updated this revision to Diff 33728.Sep 1 2015, 2:26 PM
xazax.hun marked 2 inline comments as done.

Style fixes according to the review.

lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp
806 ↗(On Diff #33704)

This is checked before error reporting as well.
The purpose of this check at the beginning of the callbacks is optimization only.

zaks.anna accepted this revision.Sep 3 2015, 12:09 AM
zaks.anna edited edge metadata.

LGTM. Thanks!
Anna.

This revision is now accepted and ready to land.Sep 3 2015, 12:09 AM
Closed by commit rL246818: [Static Analyzer] Remove sinks from nullability checks. (authored by xazax). · Explain WhySep 3 2015, 4:17 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Checkers/
172 lines
test/
Analysis/
62 lines

Diff 33987

cfe/trunk/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp

Show First 20 LinesShow All 155 Lines▼ Show 20 Lines PathDiagnosticPiece *VisitNode(const ExplodedNode *N,
BugReporterContext &BRC, BugReporterContext &BRC,
BugReport &BR) override; BugReport &BR) override;
private: private:
// The tracked region. // The tracked region.
const MemRegion *Region; const MemRegion *Region;
}; };
/// When any of the nonnull arguments of the analyzed function is null, do not
/// report anything and turn off the check.
///
/// When \p SuppressPath is set to true, no more bugs will be reported on this
/// path by this checker.
void reportBugIfPreconditionHolds(ErrorKind Error, ExplodedNode *N,
const MemRegion *Region, CheckerContext &C,
const Stmt *ValueExpr = nullptr,
bool SuppressPath = false) const;
void reportBug(ErrorKind Error, ExplodedNode *N, const MemRegion *Region, void reportBug(ErrorKind Error, ExplodedNode *N, const MemRegion *Region,
BugReporter &BR, const Stmt *ValueExpr = nullptr) const { BugReporter &BR, const Stmt *ValueExpr = nullptr) const {
if (!BT) if (!BT)
BT.reset(new BugType(this, "Nullability", "Memory error")); BT.reset(new BugType(this, "Nullability", "Memory error"));
const char *Msg = ErrorMessages[static_cast<int>(Error)]; const char *Msg = ErrorMessages[static_cast<int>(Error)];
assert(Msg); assert(Msg);
std::unique_ptr<BugReport> R(new BugReport(*BT, Msg, N)); std::unique_ptr<BugReport> R(new BugReport(*BT, Msg, N));
if (Region) { if (Region) {
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Lines return Lhs.getValue() == Rhs.getValue() &&
Lhs.getNullabilitySource() == Rhs.getNullabilitySource(); Lhs.getNullabilitySource() == Rhs.getNullabilitySource();
} }
} // end anonymous namespace } // end anonymous namespace
REGISTER_MAP_WITH_PROGRAMSTATE(NullabilityMap, const MemRegion *, REGISTER_MAP_WITH_PROGRAMSTATE(NullabilityMap, const MemRegion *,
NullabilityState) NullabilityState)
// If the nullability precondition of a function is violated, we should not
// report nullability related issues on that path. For this reason once a
// precondition is not met on a path, this checker will be esentially turned off
// for the rest of the analysis. We do not want to generate a sink node however,
// so this checker would not lead to reduced coverage.
REGISTER_TRAIT_WITH_PROGRAMSTATE(PreconditionViolated, bool)
enum class NullConstraint { IsNull, IsNotNull, Unknown }; enum class NullConstraint { IsNull, IsNotNull, Unknown };
static NullConstraint getNullConstraint(DefinedOrUnknownSVal Val, static NullConstraint getNullConstraint(DefinedOrUnknownSVal Val,
ProgramStateRef State) { ProgramStateRef State) {
ConditionTruthVal Nullness = State->isNull(Val); ConditionTruthVal Nullness = State->isNull(Val);
if (Nullness.isConstrainedFalse()) if (Nullness.isConstrainedFalse())
return NullConstraint::IsNotNull; return NullConstraint::IsNotNull;
if (Nullness.isConstrainedTrue()) if (Nullness.isConstrainedTrue())
▲ Show 20 LinesShow All 66 Lines▼ Show 20 Lines if (!AttrType)
return Nullability::Unspecified; return Nullability::Unspecified;
if (AttrType->getAttrKind() == AttributedType::attr_nullable) if (AttrType->getAttrKind() == AttributedType::attr_nullable)
return Nullability::Nullable; return Nullability::Nullable;
else if (AttrType->getAttrKind() == AttributedType::attr_nonnull) else if (AttrType->getAttrKind() == AttributedType::attr_nonnull)
return Nullability::Nonnull; return Nullability::Nonnull;
return Nullability::Unspecified; return Nullability::Unspecified;
} }
template <typename ParamVarDeclRange>
static bool
checkParamsForPreconditionViolation(const ParamVarDeclRange &Params,
ProgramStateRef State,
const LocationContext *LocCtxt) {
for (const auto *ParamDecl : Params) {
if (ParamDecl->isParameterPack())
break;
if (getNullabilityAnnotation(ParamDecl->getType()) != Nullability::Nonnull)
continue;
auto RegVal = State->getLValue(ParamDecl, LocCtxt)
.template getAs<loc::MemRegionVal>();
if (!RegVal)
continue;
auto ParamValue = State->getSVal(RegVal->getRegion())
.template getAs<DefinedOrUnknownSVal>();
if (!ParamValue)
continue;
if (getNullConstraint(*ParamValue, State) == NullConstraint::IsNull) {
return true;
}
}
return false;
}
static bool checkPreconditionViolation(ProgramStateRef State, ExplodedNode *N,
CheckerContext &C) {
if (State->get<PreconditionViolated>())
return true;
const LocationContext *LocCtxt = C.getLocationContext();
const Decl *D = LocCtxt->getDecl();
if (!D)
return false;
if (const auto *BlockD = dyn_cast<BlockDecl>(D)) {
if (checkParamsForPreconditionViolation(BlockD->parameters(), State,
LocCtxt)) {
if (!N->isSink())
C.addTransition(State->set<PreconditionViolated>(true), N);
return true;
}
return false;
}
if (const auto *FuncDecl = dyn_cast<FunctionDecl>(D)) {
if (checkParamsForPreconditionViolation(FuncDecl->parameters(), State,
LocCtxt)) {
if (!N->isSink())
C.addTransition(State->set<PreconditionViolated>(true), N);
return true;
}
return false;
}
return false;
}
void NullabilityChecker::reportBugIfPreconditionHolds(
ErrorKind Error, ExplodedNode *N, const MemRegion *Region,
CheckerContext &C, const Stmt *ValueExpr, bool SuppressPath) const {
ProgramStateRef OriginalState = N->getState();
if (checkPreconditionViolation(OriginalState, N, C))
return;
if (SuppressPath) {
OriginalState = OriginalState->set<PreconditionViolated>(true);
N = C.addTransition(OriginalState, N);
}
reportBug(Error, N, Region, C.getBugReporter(), ValueExpr);
}
/// Cleaning up the program state. /// Cleaning up the program state.
void NullabilityChecker::checkDeadSymbols(SymbolReaper &SR, void NullabilityChecker::checkDeadSymbols(SymbolReaper &SR,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
NullabilityMapTy Nullabilities = State->get<NullabilityMap>(); NullabilityMapTy Nullabilities = State->get<NullabilityMap>();
for (NullabilityMapTy::iterator I = Nullabilities.begin(), for (NullabilityMapTy::iterator I = Nullabilities.begin(),
E = Nullabilities.end(); E = Nullabilities.end();
I != E; ++I) { I != E; ++I) {
if (!SR.isLiveRegion(I->first)) { if (!SR.isLiveRegion(I->first)) {
State = State->remove<NullabilityMap>(I->first); State = State->remove<NullabilityMap>(I->first);
} }
} }
// When one of the nonnull arguments are constrained to be null, nullability
// preconditions are violated. It is not enough to check this only when we
// actually report an error, because at that time interesting symbols might be
// reaped.
if (checkPreconditionViolation(State, C.getPredecessor(), C))
return;
C.addTransition(State);
} }
/// This callback triggers when a pointer is dereferenced and the analyzer does /// This callback triggers when a pointer is dereferenced and the analyzer does
/// not know anything about the value of that pointer. When that pointer is /// not know anything about the value of that pointer. When that pointer is
/// nullable, this code emits a warning. /// nullable, this code emits a warning.
void NullabilityChecker::checkEvent(ImplicitNullDerefEvent Event) const { void NullabilityChecker::checkEvent(ImplicitNullDerefEvent Event) const {
if (Event.SinkNode->getState()->get<PreconditionViolated>())
return;
const MemRegion *Region = const MemRegion *Region =
getTrackRegion(Event.Location, /*CheckSuperregion=*/true); getTrackRegion(Event.Location, /*CheckSuperregion=*/true);
if (!Region) if (!Region)
return; return;
ProgramStateRef State = Event.SinkNode->getState(); ProgramStateRef State = Event.SinkNode->getState();
const NullabilityState *TrackedNullability = const NullabilityState *TrackedNullability =
State->get<NullabilityMap>(Region); State->get<NullabilityMap>(Region);
if (!TrackedNullability) if (!TrackedNullability)
return; return;
if (Filter.CheckNullableDereferenced && if (Filter.CheckNullableDereferenced &&
TrackedNullability->getValue() == Nullability::Nullable) { TrackedNullability->getValue() == Nullability::Nullable) {
BugReporter &BR = *Event.BR; BugReporter &BR = *Event.BR;
// Do not suppress errors on defensive code paths, because dereferencing
// a nullable pointer is always an error.
if (Event.IsDirectDereference) if (Event.IsDirectDereference)
reportBug(ErrorKind::NullableDereferenced, Event.SinkNode, Region, BR); reportBug(ErrorKind::NullableDereferenced, Event.SinkNode, Region, BR);
else else
reportBug(ErrorKind::NullablePassedToNonnull, Event.SinkNode, Region, BR); reportBug(ErrorKind::NullablePassedToNonnull, Event.SinkNode, Region, BR);
} }
} }
/// This method check when nullable pointer or null value is returned from a /// This method check when nullable pointer or null value is returned from a
/// function that has nonnull return type. /// function that has nonnull return type.
/// ///
/// TODO: when nullability preconditons are violated, it is ok to violate the /// TODO: when nullability preconditons are violated, it is ok to violate the
/// nullability postconditons (i.e.: when one of the nonnull parameters are null /// nullability postconditons (i.e.: when one of the nonnull parameters are null
/// this check should not report any nullability related issue). /// this check should not report any nullability related issue).
void NullabilityChecker::checkPreStmt(const ReturnStmt *S, void NullabilityChecker::checkPreStmt(const ReturnStmt *S,
CheckerContext &C) const { CheckerContext &C) const {
auto RetExpr = S->getRetValue(); auto RetExpr = S->getRetValue();
if (!RetExpr) if (!RetExpr)
return; return;
if (!RetExpr->getType()->isAnyPointerType()) if (!RetExpr->getType()->isAnyPointerType())
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
if (State->get<PreconditionViolated>())
return;
auto RetSVal = auto RetSVal =
State->getSVal(S, C.getLocationContext()).getAs<DefinedOrUnknownSVal>(); State->getSVal(S, C.getLocationContext()).getAs<DefinedOrUnknownSVal>();
if (!RetSVal) if (!RetSVal)
return; return;
AnalysisDeclContext *DeclCtxt = AnalysisDeclContext *DeclCtxt =
C.getLocationContext()->getAnalysisDeclContext(); C.getLocationContext()->getAnalysisDeclContext();
const FunctionType *FuncType = DeclCtxt->getDecl()->getFunctionType(); const FunctionType *FuncType = DeclCtxt->getDecl()->getFunctionType();
if (!FuncType) if (!FuncType)
return; return;
NullConstraint Nullness = getNullConstraint(*RetSVal, State); NullConstraint Nullness = getNullConstraint(*RetSVal, State);
Nullability StaticNullability = Nullability StaticNullability =
getNullabilityAnnotation(FuncType->getReturnType()); getNullabilityAnnotation(FuncType->getReturnType());
if (Filter.CheckNullReturnedFromNonnull && if (Filter.CheckNullReturnedFromNonnull &&
Nullness == NullConstraint::IsNull && Nullness == NullConstraint::IsNull &&
StaticNullability == Nullability::Nonnull) { StaticNullability == Nullability::Nonnull) {
static CheckerProgramPointTag Tag(this, "NullReturnedFromNonnull"); static CheckerProgramPointTag Tag(this, "NullReturnedFromNonnull");
ExplodedNode *N = C.addTransition(State, C.getPredecessor(), &Tag); ExplodedNode *N = C.generateSink(State, C.getPredecessor(), &Tag);
reportBug(ErrorKind::NilReturnedToNonnull, N, nullptr, C.getBugReporter(), reportBugIfPreconditionHolds(ErrorKind::NilReturnedToNonnull, N, nullptr, C,
S); RetExpr);
return; return;
} }
const MemRegion *Region = getTrackRegion(*RetSVal); const MemRegion *Region = getTrackRegion(*RetSVal);
if (!Region) if (!Region)
return; return;
const NullabilityState *TrackedNullability = const NullabilityState *TrackedNullability =
State->get<NullabilityMap>(Region); State->get<NullabilityMap>(Region);
if (TrackedNullability) { if (TrackedNullability) {
Nullability TrackedNullabValue = TrackedNullability->getValue(); Nullability TrackedNullabValue = TrackedNullability->getValue();
if (Filter.CheckNullableReturnedFromNonnull && if (Filter.CheckNullableReturnedFromNonnull &&
Nullness != NullConstraint::IsNotNull && Nullness != NullConstraint::IsNotNull &&
TrackedNullabValue == Nullability::Nullable && TrackedNullabValue == Nullability::Nullable &&
StaticNullability == Nullability::Nonnull) { StaticNullability == Nullability::Nonnull) {
static CheckerProgramPointTag Tag(this, "NullableReturnedFromNonnull"); static CheckerProgramPointTag Tag(this, "NullableReturnedFromNonnull");
ExplodedNode *N = C.addTransition(State, C.getPredecessor(), &Tag); ExplodedNode *N = C.addTransition(State, C.getPredecessor(), &Tag);
reportBug(ErrorKind::NullableReturnedToNonnull, N, Region, reportBugIfPreconditionHolds(ErrorKind::NullableReturnedToNonnull, N,
C.getBugReporter()); Region, C);
} }
return; return;
} }
if (StaticNullability == Nullability::Nullable) { if (StaticNullability == Nullability::Nullable) {
State = State->set<NullabilityMap>(Region, State = State->set<NullabilityMap>(Region,
NullabilityState(StaticNullability, S)); NullabilityState(StaticNullability, S));
C.addTransition(State); C.addTransition(State);
} }
} }
/// This callback warns when a nullable pointer or a null value is passed to a /// This callback warns when a nullable pointer or a null value is passed to a
/// function that expects its argument to be nonnull. /// function that expects its argument to be nonnull.
void NullabilityChecker::checkPreCall(const CallEvent &Call, void NullabilityChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
if (!Call.getDecl()) if (!Call.getDecl())
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
if (State->get<PreconditionViolated>())
return;
ProgramStateRef OrigState = State; ProgramStateRef OrigState = State;
unsigned Idx = 0; unsigned Idx = 0;
for (const ParmVarDecl *Param : Call.parameters()) { for (const ParmVarDecl *Param : Call.parameters()) {
if (Param->isParameterPack()) if (Param->isParameterPack())
break; break;
const Expr *ArgExpr = nullptr; const Expr *ArgExpr = nullptr;
Show All 11 Lines for (const ParmVarDecl *Param : Call.parameters()) {
Nullability ParamNullability = getNullabilityAnnotation(Param->getType()); Nullability ParamNullability = getNullabilityAnnotation(Param->getType());
Nullability ArgStaticNullability = Nullability ArgStaticNullability =
getNullabilityAnnotation(ArgExpr->getType()); getNullabilityAnnotation(ArgExpr->getType());
if (Filter.CheckNullPassedToNonnull && Nullness == NullConstraint::IsNull && if (Filter.CheckNullPassedToNonnull && Nullness == NullConstraint::IsNull &&
ArgStaticNullability != Nullability::Nonnull && ArgStaticNullability != Nullability::Nonnull &&
ParamNullability == Nullability::Nonnull) { ParamNullability == Nullability::Nonnull) {
static CheckerProgramPointTag Tag(this, "NullPassedToNonnull"); ExplodedNode *N = C.generateSink(State);
ExplodedNode *N = C.generateSink(State, C.getPredecessor(), &Tag); reportBugIfPreconditionHolds(ErrorKind::NilPassedToNonnull, N, nullptr, C,
reportBug(ErrorKind::NilPassedToNonnull, N, nullptr, C.getBugReporter(),
ArgExpr); ArgExpr);
return; return;
} }
const MemRegion *Region = getTrackRegion(*ArgSVal); const MemRegion *Region = getTrackRegion(*ArgSVal);
if (!Region) if (!Region)
continue; continue;
const NullabilityState *TrackedNullability = const NullabilityState *TrackedNullability =
State->get<NullabilityMap>(Region); State->get<NullabilityMap>(Region);
if (TrackedNullability) { if (TrackedNullability) {
if (Nullness == NullConstraint::IsNotNull || if (Nullness == NullConstraint::IsNotNull ||
TrackedNullability->getValue() != Nullability::Nullable) TrackedNullability->getValue() != Nullability::Nullable)
continue; continue;
if (Filter.CheckNullablePassedToNonnull && if (Filter.CheckNullablePassedToNonnull &&
ParamNullability == Nullability::Nonnull) { ParamNullability == Nullability::Nonnull) {
static CheckerProgramPointTag Tag(this, "NullablePassedToNonnull"); ExplodedNode *N = C.addTransition(State);
ExplodedNode *N = C.generateSink(State, C.getPredecessor(), &Tag); reportBugIfPreconditionHolds(ErrorKind::NullablePassedToNonnull, N,
reportBug(ErrorKind::NullablePassedToNonnull, N, Region, Region, C, ArgExpr, /*SuppressPath=*/true);
C.getBugReporter(), ArgExpr);
return; return;
} }
if (Filter.CheckNullableDereferenced && if (Filter.CheckNullableDereferenced &&
Param->getType()->isReferenceType()) { Param->getType()->isReferenceType()) {
static CheckerProgramPointTag Tag(this, "NullableDereferenced"); ExplodedNode *N = C.addTransition(State);
ExplodedNode *N = C.generateSink(State, C.getPredecessor(), &Tag); reportBugIfPreconditionHolds(ErrorKind::NullableDereferenced, N, Region,
reportBug(ErrorKind::NullableDereferenced, N, Region, C, ArgExpr, /*SuppressPath=*/true);
C.getBugReporter(), ArgExpr);
return; return;
} }
continue; continue;
} }
// No tracked nullability yet. // No tracked nullability yet.
if (ArgStaticNullability != Nullability::Nullable) if (ArgStaticNullability != Nullability::Nullable)
continue; continue;
State = State->set<NullabilityMap>( State = State->set<NullabilityMap>(
Show All 13 Linesvoid NullabilityChecker::checkPostCall(const CallEvent &Call,
if (Call.getKind() == CE_ObjCMessage) if (Call.getKind() == CE_ObjCMessage)
return; return;
const FunctionType *FuncType = Decl->getFunctionType(); const FunctionType *FuncType = Decl->getFunctionType();
if (!FuncType) if (!FuncType)
return; return;
QualType ReturnType = FuncType->getReturnType(); QualType ReturnType = FuncType->getReturnType();
if (!ReturnType->isAnyPointerType()) if (!ReturnType->isAnyPointerType())
return; return;
ProgramStateRef State = C.getState();
if (State->get<PreconditionViolated>())
return;
const MemRegion *Region = getTrackRegion(Call.getReturnValue()); const MemRegion *Region = getTrackRegion(Call.getReturnValue());
if (!Region) if (!Region)
return; return;
ProgramStateRef State = C.getState();
// CG headers are misannotated. Do not warn for symbols that are the results // CG headers are misannotated. Do not warn for symbols that are the results
// of CG calls. // of CG calls.
const SourceManager &SM = C.getSourceManager(); const SourceManager &SM = C.getSourceManager();
StringRef FilePath = SM.getFilename(SM.getSpellingLoc(Decl->getLocStart())); StringRef FilePath = SM.getFilename(SM.getSpellingLoc(Decl->getLocStart()));
if (llvm::sys::path::filename(FilePath).startswith("CG")) { if (llvm::sys::path::filename(FilePath).startswith("CG")) {
State = State->set<NullabilityMap>(Region, Nullability::Contradicted); State = State->set<NullabilityMap>(Region, Nullability::Contradicted);
C.addTransition(State); C.addTransition(State);
▲ Show 20 LinesShow All 49 Lines▼ Show 20 Linesvoid NullabilityChecker::checkPostObjCMessage(const ObjCMethodCall &M,
CheckerContext &C) const { CheckerContext &C) const {
auto Decl = M.getDecl(); auto Decl = M.getDecl();
if (!Decl) if (!Decl)
return; return;
QualType RetType = Decl->getReturnType(); QualType RetType = Decl->getReturnType();
if (!RetType->isAnyPointerType()) if (!RetType->isAnyPointerType())
return; return;
ProgramStateRef State = C.getState();
if (State->get<PreconditionViolated>())
return;
const MemRegion *ReturnRegion = getTrackRegion(M.getReturnValue()); const MemRegion *ReturnRegion = getTrackRegion(M.getReturnValue());
if (!ReturnRegion) if (!ReturnRegion)
return; return;
ProgramStateRef State = C.getState();
auto Interface = Decl->getClassInterface(); auto Interface = Decl->getClassInterface();
auto Name = Interface ? Interface->getName() : ""; auto Name = Interface ? Interface->getName() : "";
// In order to reduce the noise in the diagnostics generated by this checker, // In order to reduce the noise in the diagnostics generated by this checker,
// some framework and programming style based heuristics are used. These // some framework and programming style based heuristics are used. These
// heuristics are for Cocoa APIs which have NS prefix. // heuristics are for Cocoa APIs which have NS prefix.
if (Name.startswith("NS")) { if (Name.startswith("NS")) {
// Developers rely on dynamic invariants such as an item should be available // Developers rely on dynamic invariants such as an item should be available
// in a collection, or a collection is not empty often. Those invariants can // in a collection, or a collection is not empty often. Those invariants can
▲ Show 20 LinesShow All 91 Lines▼ Show 20 Linesvoid NullabilityChecker::checkPostStmt(const ExplicitCastExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
QualType OriginType = CE->getSubExpr()->getType(); QualType OriginType = CE->getSubExpr()->getType();
QualType DestType = CE->getType(); QualType DestType = CE->getType();
if (!OriginType->isAnyPointerType()) if (!OriginType->isAnyPointerType())
return; return;
if (!DestType->isAnyPointerType()) if (!DestType->isAnyPointerType())
return; return;
ProgramStateRef State = C.getState();
if (State->get<PreconditionViolated>())
return;
Nullability DestNullability = getNullabilityAnnotation(DestType); Nullability DestNullability = getNullabilityAnnotation(DestType);
// No explicit nullability in the destination type, so this cast does not // No explicit nullability in the destination type, so this cast does not
// change the nullability. // change the nullability.
if (DestNullability == Nullability::Unspecified) if (DestNullability == Nullability::Unspecified)
return; return;
ProgramStateRef State = C.getState();
auto RegionSVal = auto RegionSVal =
State->getSVal(CE, C.getLocationContext()).getAs<DefinedOrUnknownSVal>(); State->getSVal(CE, C.getLocationContext()).getAs<DefinedOrUnknownSVal>();
const MemRegion *Region = getTrackRegion(*RegionSVal); const MemRegion *Region = getTrackRegion(*RegionSVal);
if (!Region) if (!Region)
return; return;
// When 0 is converted to nonnull mark it as contradicted. // When 0 is converted to nonnull mark it as contradicted.
if (DestNullability == Nullability::Nonnull) { if (DestNullability == Nullability::Nonnull) {
Show All 32 Lines const TypedValueRegion *TVR =
dyn_cast_or_null<TypedValueRegion>(L.getAsRegion()); dyn_cast_or_null<TypedValueRegion>(L.getAsRegion());
if (!TVR) if (!TVR)
return; return;
QualType LocType = TVR->getValueType(); QualType LocType = TVR->getValueType();
if (!LocType->isAnyPointerType()) if (!LocType->isAnyPointerType())
return; return;
ProgramStateRef State = C.getState();
if (State->get<PreconditionViolated>())
return;
auto ValDefOrUnknown = V.getAs<DefinedOrUnknownSVal>(); auto ValDefOrUnknown = V.getAs<DefinedOrUnknownSVal>();
if (!ValDefOrUnknown) if (!ValDefOrUnknown)
return; return;
ProgramStateRef State = C.getState();
NullConstraint RhsNullness = getNullConstraint(*ValDefOrUnknown, State); NullConstraint RhsNullness = getNullConstraint(*ValDefOrUnknown, State);
Nullability ValNullability = Nullability::Unspecified; Nullability ValNullability = Nullability::Unspecified;
if (SymbolRef Sym = ValDefOrUnknown->getAsSymbol()) if (SymbolRef Sym = ValDefOrUnknown->getAsSymbol())
ValNullability = getNullabilityAnnotation(Sym->getType()); ValNullability = getNullabilityAnnotation(Sym->getType());
Nullability LocNullability = getNullabilityAnnotation(LocType); Nullability LocNullability = getNullabilityAnnotation(LocType);
if (Filter.CheckNullPassedToNonnull && if (Filter.CheckNullPassedToNonnull &&
RhsNullness == NullConstraint::IsNull && RhsNullness == NullConstraint::IsNull &&
ValNullability != Nullability::Nonnull && ValNullability != Nullability::Nonnull &&
LocNullability == Nullability::Nonnull) { LocNullability == Nullability::Nonnull) {
static CheckerProgramPointTag Tag(this, "NullPassedToNonnull"); static CheckerProgramPointTag Tag(this, "NullPassedToNonnull");
ExplodedNode *N = C.addTransition(State, C.getPredecessor(), &Tag); ExplodedNode *N = C.generateSink(State, C.getPredecessor(), &Tag);
reportBug(ErrorKind::NilAssignedToNonnull, N, nullptr, C.getBugReporter(), reportBugIfPreconditionHolds(ErrorKind::NilAssignedToNonnull, N, nullptr, C,
S); S);
return; return;
} }
// Intentionally missing case: '0' is bound to a reference. It is handled by // Intentionally missing case: '0' is bound to a reference. It is handled by
// the DereferenceChecker. // the DereferenceChecker.
const MemRegion *ValueRegion = getTrackRegion(*ValDefOrUnknown); const MemRegion *ValueRegion = getTrackRegion(*ValDefOrUnknown);
if (!ValueRegion) if (!ValueRegion)
return; return;
const NullabilityState *TrackedNullability = const NullabilityState *TrackedNullability =
State->get<NullabilityMap>(ValueRegion); State->get<NullabilityMap>(ValueRegion);
if (TrackedNullability) { if (TrackedNullability) {
if (RhsNullness == NullConstraint::IsNotNull || if (RhsNullness == NullConstraint::IsNotNull ||
TrackedNullability->getValue() != Nullability::Nullable) TrackedNullability->getValue() != Nullability::Nullable)
return; return;
if (Filter.CheckNullablePassedToNonnull && if (Filter.CheckNullablePassedToNonnull &&
LocNullability == Nullability::Nonnull) { LocNullability == Nullability::Nonnull) {
static CheckerProgramPointTag Tag(this, "NullablePassedToNonnull"); static CheckerProgramPointTag Tag(this, "NullablePassedToNonnull");
ExplodedNode *N = C.addTransition(State, C.getPredecessor(), &Tag); ExplodedNode *N = C.addTransition(State, C.getPredecessor(), &Tag);
reportBug(ErrorKind::NullableAssignedToNonnull, N, ValueRegion, reportBugIfPreconditionHolds(ErrorKind::NullableAssignedToNonnull, N,
C.getBugReporter()); ValueRegion, C);
} }
return; return;
} }
const auto *BinOp = dyn_cast<BinaryOperator>(S); const auto *BinOp = dyn_cast<BinaryOperator>(S);
if (ValNullability == Nullability::Nullable) { if (ValNullability == Nullability::Nullable) {
// Trust the static information of the value more than the static // Trust the static information of the value more than the static
▲ Show 20 LinesShow All 45 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/nullability.mm

Show First 20 LinesShow All 173 Lines▼ Show 20 Linesvoid testCast() {
takesNonnull(p); takesNonnull(p);
} }
void testInvalidPropagation() { void testInvalidPropagation() {
Dummy *p = returnsUnspecified(); Dummy *p = returnsUnspecified();
takesNullable(p); takesNullable(p);
takesNonnull(p); takesNonnull(p);
} }
void onlyReportFirstPreconditionViolationOnPath() {
Dummy *p = returnsNullable();
takesNonnull(p); // expected-warning {{}}
takesNonnull(p); // No warning.
// The first warning was not a sink. The analysis expected to continue.
int i = 0;
i = 5 / i; // expected-warning {{Division by zero}}
(void)i;
}
Dummy *_Nonnull doNotWarnWhenPreconditionIsViolatedInTopFunc(
Dummy *_Nonnull p) {
if (!p) {
Dummy *ret =
0; // avoid compiler warning (which is not generated by the analyzer)
if (getRandom())
return ret; // no warning
else
return p; // no warning
} else {
return p;
}
}
Dummy *_Nonnull doNotWarnWhenPreconditionIsViolated(Dummy *_Nonnull p) {
if (!p) {
Dummy *ret =
0; // avoid compiler warning (which is not generated by the analyzer)
if (getRandom())
return ret; // no warning
else
return p; // no warning
} else {
return p;
}
}
void testPreconditionViolationInInlinedFunction(Dummy *p) {
doNotWarnWhenPreconditionIsViolated(p);
}
void inlinedNullable(Dummy *_Nullable p) {
if (p) return;
}
void inlinedNonnull(Dummy *_Nonnull p) {
if (p) return;
}
void inlinedUnspecified(Dummy *p) {
if (p) return;
}
Dummy *_Nonnull testDefensiveInlineChecks(Dummy * p) {
switch (getRandom()) {
case 1: inlinedNullable(p); break;
case 2: inlinedNonnull(p); break;
case 3: inlinedUnspecified(p); break;
}
if (getRandom())
takesNonnull(p);
return p;
}