Download Raw Diff

Details

Reviewers

NoQ
dcoughlin

Commits

rGefedcdc01078: [analyzer] Do not report NSError null dereference for _Nonnull params.
rG09a1f090509e: [analyzer] Do not report NSError null dereference for _Nonnull params.

Summary

We want to trust user type annotations and stop assuming pointers declared
as _Nonnull still can be null. This functionality is implemented as part
of NullabilityChecker as it tracks non-null types already. It could
be easily implemented as a part of NSError checker, but it would look like
a simple "shut up" plug as opposed to a more generic solution.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

vsavchenko created this revision.Apr 8 2020, 5:20 AM

Herald added a project: Restricted Project. · View Herald TranscriptApr 8 2020, 5:20 AM

Herald added subscribers: cfe-commits, ASDenysPetrov, martong and 10 others. · View Herald Transcript

Hi everyone!
I'm thinking about adding support for __attribute((nonnull))__ as well, but it should be handled a bit differently. That annotation is for parameters and not for types, so the corresponding constraints should be generated only when entering the function (as opposed to each load). I'm not sure that it should be a part of this commit though because it will have a completely standalone solution. Another question about __attribute((nonnull))__ is "Where should we put it?". It is quite reasonable to put it into NullabilityChecker, but NonnullParamChecker seems like a good candidate as well.

Harbormaster failed remote builds in B52343: Diff 255982!Apr 8 2020, 5:55 AM

Fix formatting issues in the test file

NonnullParamChecker

Yup, looks like that's actually the one that deals with __attribute__((nonnull)), as opposed to _Nonnull.

clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp
521	[[ https://llvm.org/docs/CodingStandards.html#use-auto-type-deduction-to-make-code-more-readable \| Too much `auto` ]]!
527	([[ https://reviews.llvm.org/D33672?id=171506#inline-475812 \| this `auto` is good ]])
537	Ok, so we're continuing normally if the value is already known to have been assigned to null. We could sink the analysis instead but presumably it's not our job as another checker must have warned before we get there (let's comment about this maybe).

This revision is now accepted and ready to land.Apr 8 2020, 6:13 AM

vsavchenko marked 2 inline comments as done.Apr 8 2020, 6:26 AM

vsavchenko added inline comments.

clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp
521	But this auto is also fine IMO as you can clearly see the actual type in the RHS. Mb `const auto *Region` at least?
537	Sure!

Harbormaster completed remote builds in B52347: Diff 255993.Apr 8 2020, 6:28 AM

NoQ added inline comments.Apr 8 2020, 6:28 AM

clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp
521	Yup, this one should be `const auto *`.

In D77722#1969261, @vsavchenko wrote:

Hi everyone!
I'm thinking about adding support for __attribute((nonnull))__ as well, but it should be handled a bit differently. That annotation is for parameters and not for types, so the corresponding constraints should be generated only when entering the function (as opposed to each load). I'm not sure that it should be a part of this commit though because it will have a completely standalone solution. Another question about __attribute((nonnull))__ is "Where should we put it?". It is quite reasonable to put it into NullabilityChecker, but NonnullParamChecker seems like a good candidate as well.

Wait, we don't already assume nonnull attributed parameters as, well, not null? That's crazy.

In D77722#1969391, @Szelethus wrote:

In D77722#1969261, @vsavchenko wrote:

Hi everyone!
I'm thinking about adding support for __attribute((nonnull))__ as well, but it should be handled a bit differently. That annotation is for parameters and not for types, so the corresponding constraints should be generated only when entering the function (as opposed to each load). I'm not sure that it should be a part of this commit though because it will have a completely standalone solution. Another question about __attribute((nonnull))__ is "Where should we put it?". It is quite reasonable to put it into NullabilityChecker, but NonnullParamChecker seems like a good candidate as well.

Wait, we don't already assume nonnull attributed parameters as, well, not null? That's crazy.

Yep, I was shocked by it as well. Maybe for some warnings it is checked in the end and they are truncated before reporting. However, DereferenceChecker definitely dispatches ImplicitNullDerefEvent for params marked with __attribute__((nonnull)).

Fix review remarks

vsavchenko marked 4 inline comments as done.Apr 8 2020, 6:53 AM

In D77722#1969391, @Szelethus wrote:

Wait, we don't already assume nonnull attributed parameters as, well, not null? That's crazy.

That's only for the top frame. For nested stack frames we're not only assuming they're not null, we're also emitting a warning when they're null. But, yeah, it's clearly an unfortunate omission.

NoQ added inline comments.Apr 8 2020, 7:10 AM

clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp
536	That's still too much auto.

Get rid of nonessential 'auto' in variable declaration

vsavchenko marked an inline comment as done.Apr 8 2020, 7:20 AM

Harbormaster completed remote builds in B52351: Diff 256009.Apr 8 2020, 7:34 AM

Remove more auto's

Thanks!

I'll commit.

In D77722#1969551, @NoQ wrote:

Thanks!

I'll commit.

Awesome! Thanks!

Harbormaster completed remote builds in B52356: Diff 256017.Apr 8 2020, 8:07 AM

Harbormaster completed remote builds in B52358: Diff 256020.Apr 8 2020, 8:40 AM

vsavchenko added a child revision: D77806: [analyzer] Do not report CFError null dereference for nonnull params.Apr 9 2020, 7:23 AM

Closed by commit rG09a1f090509e: [analyzer] Do not report NSError null dereference for _Nonnull params. (authored by vsavchenko, committed by dergachev.a). · Explain WhyApr 20 2020, 3:11 AM

This revision was automatically updated to reflect the committed changes.

Diff 258690

clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp

Show First 20 Lines • Show All 75 Lines • ▼ Show 20 Lines	enum class ErrorKind : int {
NullableDereferenced,		NullableDereferenced,
NullablePassedToNonnull		NullablePassedToNonnull
};		};

class NullabilityChecker		class NullabilityChecker
: public Checker<check::Bind, check::PreCall, check::PreStmt<ReturnStmt>,		: public Checker<check::Bind, check::PreCall, check::PreStmt<ReturnStmt>,
check::PostCall, check::PostStmt<ExplicitCastExpr>,		check::PostCall, check::PostStmt<ExplicitCastExpr>,
check::PostObjCMessage, check::DeadSymbols,		check::PostObjCMessage, check::DeadSymbols,
check::Event<ImplicitNullDerefEvent>> {		check::Location, check::Event<ImplicitNullDerefEvent>> {
mutable std::unique_ptr<BugType> BT;		mutable std::unique_ptr<BugType> BT;

public:		public:
// If true, the checker will not diagnose nullabilility issues for calls		// If true, the checker will not diagnose nullabilility issues for calls
// to system headers. This option is motivated by the observation that large		// to system headers. This option is motivated by the observation that large
// projects may have many nullability warnings. These projects may		// projects may have many nullability warnings. These projects may
// find warnings about nullability annotations that they have explicitly		// find warnings about nullability annotations that they have explicitly
// added themselves higher priority to fix than warnings on calls to system		// added themselves higher priority to fix than warnings on calls to system
// libraries.		// libraries.
DefaultBool NoDiagnoseCallsToSystemHeaders;		DefaultBool NoDiagnoseCallsToSystemHeaders;

void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;		void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
void checkPostStmt(const ExplicitCastExpr *CE, CheckerContext &C) const;		void checkPostStmt(const ExplicitCastExpr *CE, CheckerContext &C) const;
void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;		void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;		void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
void checkPostCall(const CallEvent &Call, CheckerContext &C) const;		void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
void checkPreCall(const CallEvent &Call, CheckerContext &C) const;		void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;		void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
void checkEvent(ImplicitNullDerefEvent Event) const;		void checkEvent(ImplicitNullDerefEvent Event) const;
		void checkLocation(SVal Location, bool IsLoad, const Stmt *S,
		CheckerContext &C) const;

void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,		void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
const char *Sep) const override;		const char *Sep) const override;

struct NullabilityChecksFilter {		struct NullabilityChecksFilter {
DefaultBool CheckNullPassedToNonnull;		DefaultBool CheckNullPassedToNonnull;
DefaultBool CheckNullReturnedFromNonnull;		DefaultBool CheckNullReturnedFromNonnull;
DefaultBool CheckNullableDereferenced;		DefaultBool CheckNullableDereferenced;
▲ Show 20 Lines • Show All 386 Lines • ▼ Show 20 Lines	if (Filter.CheckNullableDereferenced &&
else {		else {
reportBug("Nullable pointer is passed to a callee that requires a "		reportBug("Nullable pointer is passed to a callee that requires a "
"non-null", ErrorKind::NullablePassedToNonnull,		"non-null", ErrorKind::NullablePassedToNonnull,
Event.SinkNode, Region, BR);		Event.SinkNode, Region, BR);
}		}
}		}
}		}

		// Whenever we see a load from a typed memory region that's been annotated as
		// 'nonnull', we want to trust the user on that and assume that it is is indeed
		// non-null.
		//
		// We do so even if the value is known to have been assigned to null.
		// The user should be warned on assigning the null value to a non-null pointer
		// as opposed to warning on the later dereference of this pointer.
		//
		// \code
		// int * _Nonnull var = 0; // we want to warn the user here...
		// // . . .
		// *var = 42; // ...and not here
		// \endcode
		void NullabilityChecker::checkLocation(SVal Location, bool IsLoad,
		NoQUnsubmitted Done Reply Inline Actions [[ https://llvm.org/docs/CodingStandards.html#use-auto-type-deduction-to-make-code-more-readable \| Too much `auto` ]]! NoQ: [[ https://llvm.org/docs/CodingStandards.html#use-auto-type-deduction-to-make-code-more…
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions But this auto is also fine IMO as you can clearly see the actual type in the RHS. Mb `const auto Region` at least? vsavchenko:* But this auto is also fine IMO as you can clearly see the actual type in the RHS. Mb `const…
		NoQUnsubmitted Done Reply Inline Actions Yup, this one should be `const auto `. NoQ:* Yup, this one should be `const auto *`.
		const Stmt *S,
		CheckerContext &Context) const {
		// We should care only about loads.
		// The main idea is to add a constraint whenever we're loading a value from
		// an annotated pointer type.
		if (!IsLoad)
		NoQUnsubmitted Done Reply Inline Actions ([[ https://reviews.llvm.org/D33672?id=171506#inline-475812 \| this `auto` is good ]]) NoQ: ([[ https://reviews.llvm.org/D33672?id=171506#inline-475812 \| this `auto` is good ]])
		return;

		// Annotations that we want to consider make sense only for types.
		const auto *Region =
		dyn_cast_or_null<TypedValueRegion>(Location.getAsRegion());
		if (!Region)
		return;

		ProgramStateRef State = Context.getState();
		NoQUnsubmitted Done Reply Inline Actions That's still too much auto. NoQ: That's still too much auto.

		NoQUnsubmitted Done Reply Inline Actions Ok, so we're continuing normally if the value is already known to have been assigned to null. We could sink the analysis instead but presumably it's not our job as another checker must have warned before we get there (let's comment about this maybe). NoQ: Ok, so we're continuing normally if the value is already known to have been assigned to null.
		vsavchenkoAuthorUnsubmitted Done Reply Inline Actions Sure! vsavchenko: Sure!
		auto StoredVal = State->getSVal(Region).getAs<loc::MemRegionVal>();
		if (!StoredVal)
		return;

		Nullability NullabilityOfTheLoadedValue =
		getNullabilityAnnotation(Region->getValueType());

		if (NullabilityOfTheLoadedValue == Nullability::Nonnull) {
		// It doesn't matter what we think about this particular pointer, it should
		// be considered non-null as annotated by the developer.
		if (ProgramStateRef NewState = State->assume(*StoredVal, true)) {
		Context.addTransition(NewState);
		}
		}
		}

/// Find the outermost subexpression of E that is not an implicit cast.		/// Find the outermost subexpression of E that is not an implicit cast.
/// This looks through the implicit casts to _Nonnull that ARC adds to		/// This looks through the implicit casts to _Nonnull that ARC adds to
/// return expressions of ObjC types when the return type of the function or		/// return expressions of ObjC types when the return type of the function or
/// method is non-null but the express is not.		/// method is non-null but the express is not.
static const Expr lookThroughImplicitCasts(const Expr E) {		static const Expr lookThroughImplicitCasts(const Expr E) {
return E->IgnoreImpCasts();		return E->IgnoreImpCasts();
}		}

▲ Show 20 Lines • Show All 701 Lines • Show Last 20 Lines

clang/test/Analysis/CheckNSError.m

	// RUN: %clang_analyze_cc1 -analyzer-checker=core,osx.cocoa.NSError,osx.coreFoundation.CFError -analyzer-store=region -verify -Wno-objc-root-class %s			// RUN: %clang_analyze_cc1 -verify -Wno-objc-root-class %s \
				// RUN: -analyzer-checker=core \
				// RUN: -analyzer-checker=nullability \
				// RUN: -analyzer-checker=osx.cocoa.NSError \
				// RUN: -analyzer-checker=osx.coreFoundation.CFError

	typedef signed char BOOL;			typedef signed char BOOL;
	typedef int NSInteger;			typedef int NSInteger;
	typedef struct _NSZone NSZone;			typedef struct _NSZone NSZone;
	@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator;			@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator;
	@protocol NSObject - (BOOL)isEqual:(id)object; @end			@protocol NSObject - (BOOL)isEqual:(id)object; @end
	@protocol NSCopying - (id)copyWithZone:(NSZone *)zone; @end			@protocol NSCopying - (id)copyWithZone:(NSZone *)zone; @end
	@protocol NSCoding - (void)encodeWithCoder:(NSCoder *)aCoder; @end			@protocol NSCoding - (void)encodeWithCoder:(NSCoder *)aCoder; @end
	@interface NSObject <NSObject> {} @end			@interface NSObject <NSObject> {} @end
	@class NSDictionary;			@class NSDictionary;
	@interface NSError : NSObject <NSCopying, NSCoding> {}			@interface NSError : NSObject <NSCopying, NSCoding> {}
	+ (id)errorWithDomain:(NSString )domain code:(NSInteger)code userInfo:(NSDictionary )dict;			+ (id)errorWithDomain:(NSString )domain code:(NSInteger)code userInfo:(NSDictionary )dict;
	@end			@end
	extern NSString * const NSXMLParserErrorDomain ;			extern NSString * const NSXMLParserErrorDomain ;

	@interface A			@interface A
	- (void)myMethodWhichMayFail:(NSError **)error;			- (void)myMethodWhichMayFail:(NSError **)error;
	- (BOOL)myMethodWhichMayFail2:(NSError **)error;			- (BOOL)myMethodWhichMayFail2:(NSError **)error;
				- (BOOL)myMethodWhichMayFail3:(NSError **_Nonnull)error;
	@end			@end

	@implementation A			@implementation A
	- (void)myMethodWhichMayFail:(NSError )error { // expected-warning {{Method accepting NSError should have a non-void return value to indicate whether or not an error occurred}}			- (void)myMethodWhichMayFail:(NSError )error { // expected-warning {{Method accepting NSError should have a non-void return value to indicate whether or not an error occurred}}
	*error = [NSError errorWithDomain:@"domain" code:1 userInfo:0]; // expected-warning {{Potential null dereference}}			*error = [NSError errorWithDomain:@"domain" code:1 userInfo:0]; // expected-warning {{Potential null dereference}}
	}			}

	- (BOOL)myMethodWhichMayFail2:(NSError **)error { // no-warning			- (BOOL)myMethodWhichMayFail2:(NSError **)error { // no-warning
	if (error) *error = [NSError errorWithDomain:@"domain" code:1 userInfo:0]; // no-warning			if (error) *error = [NSError errorWithDomain:@"domain" code:1 userInfo:0]; // no-warning
	return 0;			return 0;
	}			}

				- (BOOL)myMethodWhichMayFail3:(NSError **_Nonnull)error { // no-warning
				*error = [NSError errorWithDomain:@"domain" code:1 userInfo:0]; // no-warning
				return 0;
				}
	@end			@end

	struct __CFError {};			struct __CFError {};
	typedef struct __CFError* CFErrorRef;			typedef struct __CFError* CFErrorRef;

	void foo(CFErrorRef* error) { // expected-warning {{Function accepting CFErrorRef* should have a non-void return value to indicate whether or not an error occurred}}			void foo(CFErrorRef* error) { // expected-warning {{Function accepting CFErrorRef* should have a non-void return value to indicate whether or not an error occurred}}
	*error = 0; // expected-warning {{Potential null dereference}}			*error = 0; // expected-warning {{Potential null dereference}}
	}			}
	Show All 17 Lines

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Do not report NSError null dereference for _Nonnull params
ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 258690

clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp

clang/test/Analysis/CheckNSError.m

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Do not report NSError null dereference for _Nonnull paramsClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 258690

clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp

clang/test/Analysis/CheckNSError.m

[analyzer] Do not report NSError null dereference for _Nonnull params
ClosedPublic