1 //== Nullabilityhecker.cpp - Nullability checker ----------------*- C++ -*--==//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This checker tries to find nullability violations. There are several kinds of
11 // possible violations:
12 // * Null pointer is passed to a pointer which has a _Nonnull type.
13 // * Null pointer is returned from a function which has a _Nonnull return type.
14 // * Nullable pointer is passed to a pointer which has a _Nonnull type.
15 // * Nullable pointer is returned from a function which has a _Nonnull return
17 // * Nullable pointer is dereferenced.
19 // This checker propagates the nullability information of the pointers and looks
20 // for the patterns that are described above. Explicit casts are trusted and are
21 // considered a way to suppress false positives for this checker. The other way
22 // to suppress warnings would be to add asserts or guarding if statements to the
23 // code. In addition to the nullability propagation this checker also uses some
24 // heuristics to suppress potential false positives.
26 //===----------------------------------------------------------------------===//
28 #include "ClangSACheckers.h"
29 #include "llvm/Support/Path.h"
30 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
31 #include "clang/StaticAnalyzer/Core/Checker.h"
32 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
33 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
34 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
36 using namespace clang;
40 // Do not reorder! The getMostNullable method relies on the order.
41 // Optimization: Most pointers expected to be unspecified. When a symbol has an
42 // unspecified or nonnull type non of the rules would indicate any problem for
43 // that symbol. For this reason only nullable and contradicted nullability are
44 // stored for a symbol. When a symbol is already contradicted, it can not be
45 // casted back to nullable.
46 enum class Nullability : char {
47 Contradicted, // Tracked nullability is contradicted by an explicit cast. Do
48 // not report any nullability related issue for this symbol.
49 // This nullability is propagated agressively to avoid false
50 // positive results. See the comment on getMostNullable method.
56 /// Returns the most nullable nullability. This is used for message expressions
57 /// like [reciever method], where the nullability of this expression is either
58 /// the nullability of the receiver or the nullability of the return type of the
59 /// method, depending on which is more nullable. Contradicted is considered to
60 /// be the most nullable, to avoid false positive results.
61 Nullability getMostNullable(Nullability Lhs, Nullability Rhs) {
62 return static_cast<Nullability>(
63 std::min(static_cast<char>(Lhs), static_cast<char>(Rhs)));
66 const char *getNullabilityString(Nullability Nullab) {
68 case Nullability::Contradicted:
69 return "contradicted";
70 case Nullability::Nullable:
72 case Nullability::Unspecified:
74 case Nullability::Nonnull:
77 llvm_unreachable("Unexpected enumeration.");
81 // These enums are used as an index to ErrorMessages array.
82 enum class ErrorKind : int {
86 NullableAssignedToNonnull,
87 NullableReturnedToNonnull,
89 NullablePassedToNonnull
92 const char *const ErrorMessages[] = {
93 "Null is assigned to a pointer which is expected to have non-null value",
94 "Null passed to a callee that requires a non-null argument",
95 "Null is returned from a function that is expected to return a non-null "
97 "Nullable pointer is assigned to a pointer which is expected to have "
99 "Nullable pointer is returned from a function that is expected to return a "
101 "Nullable pointer is dereferenced",
102 "Nullable pointer is passed to a callee that requires a non-null argument"};
104 class NullabilityChecker
105 : public Checker<check::Bind, check::PreCall, check::PreStmt<ReturnStmt>,
106 check::PostCall, check::PostStmt<ExplicitCastExpr>,
107 check::PostObjCMessage, check::DeadSymbols,
108 check::Event<ImplicitNullDerefEvent>> {
109 mutable std::unique_ptr<BugType> BT;
112 void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
113 void checkPostStmt(const ExplicitCastExpr *CE, CheckerContext &C) const;
114 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
115 void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
116 void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
117 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
118 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
119 void checkEvent(ImplicitNullDerefEvent Event) const;
121 void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
122 const char *Sep) const override;
124 struct NullabilityChecksFilter {
125 DefaultBool CheckNullPassedToNonnull;
126 DefaultBool CheckNullReturnedFromNonnull;
127 DefaultBool CheckNullableDereferenced;
128 DefaultBool CheckNullablePassedToNonnull;
129 DefaultBool CheckNullableReturnedFromNonnull;
131 CheckName CheckNameNullPassedToNonnull;
132 CheckName CheckNameNullReturnedFromNonnull;
133 CheckName CheckNameNullableDereferenced;
134 CheckName CheckNameNullablePassedToNonnull;
135 CheckName CheckNameNullableReturnedFromNonnull;
138 NullabilityChecksFilter Filter;
139 // When set to false no nullability information will be tracked in
140 // NullabilityMap. It is possible to catch errors like passing a null pointer
141 // to a callee that expects nonnull argument without the information that is
142 // stroed in the NullabilityMap. This is an optimization.
143 DefaultBool NeedTracking;
146 class NullabilityBugVisitor
147 : public BugReporterVisitorImpl<NullabilityBugVisitor> {
149 NullabilityBugVisitor(const MemRegion *M) : Region(M) {}
151 void Profile(llvm::FoldingSetNodeID &ID) const override {
154 ID.AddPointer(Region);
157 PathDiagnosticPiece *VisitNode(const ExplodedNode *N,
158 const ExplodedNode *PrevN,
159 BugReporterContext &BRC,
160 BugReport &BR) override;
163 // The tracked region.
164 const MemRegion *Region;
167 /// When any of the nonnull arguments of the analyzed function is null, do not
168 /// report anything and turn off the check.
170 /// When \p SuppressPath is set to true, no more bugs will be reported on this
171 /// path by this checker.
172 void reportBugIfPreconditionHolds(ErrorKind Error, ExplodedNode *N,
173 const MemRegion *Region, CheckerContext &C,
174 const Stmt *ValueExpr = nullptr,
175 bool SuppressPath = false) const;
177 void reportBug(ErrorKind Error, ExplodedNode *N, const MemRegion *Region,
178 BugReporter &BR, const Stmt *ValueExpr = nullptr) const {
180 BT.reset(new BugType(this, "Nullability", "Memory error"));
181 const char *Msg = ErrorMessages[static_cast<int>(Error)];
182 std::unique_ptr<BugReport> R(new BugReport(*BT, Msg, N));
184 R->markInteresting(Region);
185 R->addVisitor(llvm::make_unique<NullabilityBugVisitor>(Region));
188 R->addRange(ValueExpr->getSourceRange());
189 if (Error == ErrorKind::NilAssignedToNonnull ||
190 Error == ErrorKind::NilPassedToNonnull ||
191 Error == ErrorKind::NilReturnedToNonnull)
192 bugreporter::trackNullOrUndefValue(N, ValueExpr, *R);
194 BR.emitReport(std::move(R));
197 /// If an SVal wraps a region that should be tracked, it will return a pointer
198 /// to the wrapped region. Otherwise it will return a nullptr.
199 const SymbolicRegion *getTrackRegion(SVal Val,
200 bool CheckSuperRegion = false) const;
203 class NullabilityState {
205 NullabilityState(Nullability Nullab, const Stmt *Source = nullptr)
206 : Nullab(Nullab), Source(Source) {}
208 const Stmt *getNullabilitySource() const { return Source; }
210 Nullability getValue() const { return Nullab; }
212 void Profile(llvm::FoldingSetNodeID &ID) const {
213 ID.AddInteger(static_cast<char>(Nullab));
214 ID.AddPointer(Source);
217 void print(raw_ostream &Out) const {
218 Out << getNullabilityString(Nullab) << "\n";
223 // Source is the expression which determined the nullability. For example in a
224 // message like [nullable nonnull_returning] has nullable nullability, because
225 // the receiver is nullable. Here the receiver will be the source of the
226 // nullability. This is useful information when the diagnostics are generated.
230 bool operator==(NullabilityState Lhs, NullabilityState Rhs) {
231 return Lhs.getValue() == Rhs.getValue() &&
232 Lhs.getNullabilitySource() == Rhs.getNullabilitySource();
235 } // end anonymous namespace
237 REGISTER_MAP_WITH_PROGRAMSTATE(NullabilityMap, const MemRegion *,
240 // If the nullability precondition of a function is violated, we should not
241 // report nullability related issues on that path. For this reason once a
242 // precondition is not met on a path, this checker will be esentially turned off
243 // for the rest of the analysis. We do not want to generate a sink node however,
244 // so this checker would not lead to reduced coverage.
245 REGISTER_TRAIT_WITH_PROGRAMSTATE(PreconditionViolated, bool)
247 enum class NullConstraint { IsNull, IsNotNull, Unknown };
249 static NullConstraint getNullConstraint(DefinedOrUnknownSVal Val,
250 ProgramStateRef State) {
251 ConditionTruthVal Nullness = State->isNull(Val);
252 if (Nullness.isConstrainedFalse())
253 return NullConstraint::IsNotNull;
254 if (Nullness.isConstrainedTrue())
255 return NullConstraint::IsNull;
256 return NullConstraint::Unknown;
259 const SymbolicRegion *
260 NullabilityChecker::getTrackRegion(SVal Val, bool CheckSuperRegion) const {
264 auto RegionSVal = Val.getAs<loc::MemRegionVal>();
268 const MemRegion *Region = RegionSVal->getRegion();
270 if (CheckSuperRegion) {
271 if (auto FieldReg = Region->getAs<FieldRegion>())
272 return dyn_cast<SymbolicRegion>(FieldReg->getSuperRegion());
273 if (auto ElementReg = Region->getAs<ElementRegion>())
274 return dyn_cast<SymbolicRegion>(ElementReg->getSuperRegion());
277 return dyn_cast<SymbolicRegion>(Region);
280 PathDiagnosticPiece *NullabilityChecker::NullabilityBugVisitor::VisitNode(
281 const ExplodedNode *N, const ExplodedNode *PrevN, BugReporterContext &BRC,
283 ProgramStateRef State = N->getState();
284 ProgramStateRef StatePrev = PrevN->getState();
286 const NullabilityState *TrackedNullab = State->get<NullabilityMap>(Region);
287 const NullabilityState *TrackedNullabPrev =
288 StatePrev->get<NullabilityMap>(Region);
292 if (TrackedNullabPrev &&
293 TrackedNullabPrev->getValue() == TrackedNullab->getValue())
296 // Retrieve the associated statement.
297 const Stmt *S = TrackedNullab->getNullabilitySource();
299 ProgramPoint ProgLoc = N->getLocation();
300 if (Optional<StmtPoint> SP = ProgLoc.getAs<StmtPoint>()) {
308 std::string InfoText =
309 (llvm::Twine("Nullability '") +
310 getNullabilityString(TrackedNullab->getValue()) + "' is infered")
313 // Generate the extra diagnostic.
314 PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
315 N->getLocationContext());
316 return new PathDiagnosticEventPiece(Pos, InfoText, true, nullptr);
319 static Nullability getNullabilityAnnotation(QualType Type) {
320 const auto *AttrType = Type->getAs<AttributedType>();
322 return Nullability::Unspecified;
323 if (AttrType->getAttrKind() == AttributedType::attr_nullable)
324 return Nullability::Nullable;
325 else if (AttrType->getAttrKind() == AttributedType::attr_nonnull)
326 return Nullability::Nonnull;
327 return Nullability::Unspecified;
330 template <typename ParamVarDeclRange>
332 checkParamsForPreconditionViolation(const ParamVarDeclRange &Params,
333 ProgramStateRef State,
334 const LocationContext *LocCtxt) {
335 for (const auto *ParamDecl : Params) {
336 if (ParamDecl->isParameterPack())
339 if (getNullabilityAnnotation(ParamDecl->getType()) != Nullability::Nonnull)
342 auto RegVal = State->getLValue(ParamDecl, LocCtxt)
343 .template getAs<loc::MemRegionVal>();
347 auto ParamValue = State->getSVal(RegVal->getRegion())
348 .template getAs<DefinedOrUnknownSVal>();
352 if (getNullConstraint(*ParamValue, State) == NullConstraint::IsNull) {
359 static bool checkPreconditionViolation(ProgramStateRef State, ExplodedNode *N,
361 if (State->get<PreconditionViolated>())
364 const LocationContext *LocCtxt = C.getLocationContext();
365 const Decl *D = LocCtxt->getDecl();
369 if (const auto *BlockD = dyn_cast<BlockDecl>(D)) {
370 if (checkParamsForPreconditionViolation(BlockD->parameters(), State,
373 C.addTransition(State->set<PreconditionViolated>(true), N);
379 if (const auto *FuncDecl = dyn_cast<FunctionDecl>(D)) {
380 if (checkParamsForPreconditionViolation(FuncDecl->parameters(), State,
383 C.addTransition(State->set<PreconditionViolated>(true), N);
391 void NullabilityChecker::reportBugIfPreconditionHolds(
392 ErrorKind Error, ExplodedNode *N, const MemRegion *Region,
393 CheckerContext &C, const Stmt *ValueExpr, bool SuppressPath) const {
394 ProgramStateRef OriginalState = N->getState();
396 if (checkPreconditionViolation(OriginalState, N, C))
399 OriginalState = OriginalState->set<PreconditionViolated>(true);
400 N = C.addTransition(OriginalState, N);
403 reportBug(Error, N, Region, C.getBugReporter(), ValueExpr);
406 /// Cleaning up the program state.
407 void NullabilityChecker::checkDeadSymbols(SymbolReaper &SR,
408 CheckerContext &C) const {
409 if (!SR.hasDeadSymbols())
412 ProgramStateRef State = C.getState();
413 NullabilityMapTy Nullabilities = State->get<NullabilityMap>();
414 for (NullabilityMapTy::iterator I = Nullabilities.begin(),
415 E = Nullabilities.end();
417 const auto *Region = I->first->getAs<SymbolicRegion>();
418 assert(Region && "Non-symbolic region is tracked.");
419 if (SR.isDead(Region->getSymbol())) {
420 State = State->remove<NullabilityMap>(I->first);
423 // When one of the nonnull arguments are constrained to be null, nullability
424 // preconditions are violated. It is not enough to check this only when we
425 // actually report an error, because at that time interesting symbols might be
427 if (checkPreconditionViolation(State, C.getPredecessor(), C))
429 C.addTransition(State);
432 /// This callback triggers when a pointer is dereferenced and the analyzer does
433 /// not know anything about the value of that pointer. When that pointer is
434 /// nullable, this code emits a warning.
435 void NullabilityChecker::checkEvent(ImplicitNullDerefEvent Event) const {
436 if (Event.SinkNode->getState()->get<PreconditionViolated>())
439 const MemRegion *Region =
440 getTrackRegion(Event.Location, /*CheckSuperregion=*/true);
444 ProgramStateRef State = Event.SinkNode->getState();
445 const NullabilityState *TrackedNullability =
446 State->get<NullabilityMap>(Region);
448 if (!TrackedNullability)
451 if (Filter.CheckNullableDereferenced &&
452 TrackedNullability->getValue() == Nullability::Nullable) {
453 BugReporter &BR = *Event.BR;
454 // Do not suppress errors on defensive code paths, because dereferencing
455 // a nullable pointer is always an error.
456 if (Event.IsDirectDereference)
457 reportBug(ErrorKind::NullableDereferenced, Event.SinkNode, Region, BR);
459 reportBug(ErrorKind::NullablePassedToNonnull, Event.SinkNode, Region, BR);
463 /// This method check when nullable pointer or null value is returned from a
464 /// function that has nonnull return type.
466 /// TODO: when nullability preconditons are violated, it is ok to violate the
467 /// nullability postconditons (i.e.: when one of the nonnull parameters are null
468 /// this check should not report any nullability related issue).
469 void NullabilityChecker::checkPreStmt(const ReturnStmt *S,
470 CheckerContext &C) const {
471 auto RetExpr = S->getRetValue();
475 if (!RetExpr->getType()->isAnyPointerType())
478 ProgramStateRef State = C.getState();
479 if (State->get<PreconditionViolated>())
483 State->getSVal(S, C.getLocationContext()).getAs<DefinedOrUnknownSVal>();
487 AnalysisDeclContext *DeclCtxt =
488 C.getLocationContext()->getAnalysisDeclContext();
489 const FunctionType *FuncType = DeclCtxt->getDecl()->getFunctionType();
493 NullConstraint Nullness = getNullConstraint(*RetSVal, State);
495 Nullability RequiredNullability =
496 getNullabilityAnnotation(FuncType->getReturnType());
498 // If the returned value is null but the type of the expression
499 // generating it is nonnull then we will suppress the diagnostic.
500 // This enables explicit suppression when returning a nil literal in a
501 // function with a _Nonnull return type:
502 // return (NSString * _Nonnull)0;
503 Nullability RetExprTypeLevelNullability =
504 getNullabilityAnnotation(RetExpr->getType());
506 if (Filter.CheckNullReturnedFromNonnull &&
507 Nullness == NullConstraint::IsNull &&
508 RetExprTypeLevelNullability != Nullability::Nonnull &&
509 RequiredNullability == Nullability::Nonnull) {
510 static CheckerProgramPointTag Tag(this, "NullReturnedFromNonnull");
511 ExplodedNode *N = C.generateErrorNode(State, &Tag);
514 reportBugIfPreconditionHolds(ErrorKind::NilReturnedToNonnull, N, nullptr, C,
519 const MemRegion *Region = getTrackRegion(*RetSVal);
523 const NullabilityState *TrackedNullability =
524 State->get<NullabilityMap>(Region);
525 if (TrackedNullability) {
526 Nullability TrackedNullabValue = TrackedNullability->getValue();
527 if (Filter.CheckNullableReturnedFromNonnull &&
528 Nullness != NullConstraint::IsNotNull &&
529 TrackedNullabValue == Nullability::Nullable &&
530 RequiredNullability == Nullability::Nonnull) {
531 static CheckerProgramPointTag Tag(this, "NullableReturnedFromNonnull");
532 ExplodedNode *N = C.addTransition(State, C.getPredecessor(), &Tag);
533 reportBugIfPreconditionHolds(ErrorKind::NullableReturnedToNonnull, N,
538 if (RequiredNullability == Nullability::Nullable) {
539 State = State->set<NullabilityMap>(Region,
540 NullabilityState(RequiredNullability,
542 C.addTransition(State);
546 /// This callback warns when a nullable pointer or a null value is passed to a
547 /// function that expects its argument to be nonnull.
548 void NullabilityChecker::checkPreCall(const CallEvent &Call,
549 CheckerContext &C) const {
553 ProgramStateRef State = C.getState();
554 if (State->get<PreconditionViolated>())
557 ProgramStateRef OrigState = State;
560 for (const ParmVarDecl *Param : Call.parameters()) {
561 if (Param->isParameterPack())
564 const Expr *ArgExpr = nullptr;
565 if (Idx < Call.getNumArgs())
566 ArgExpr = Call.getArgExpr(Idx);
567 auto ArgSVal = Call.getArgSVal(Idx++).getAs<DefinedOrUnknownSVal>();
571 if (!Param->getType()->isAnyPointerType() &&
572 !Param->getType()->isReferenceType())
575 NullConstraint Nullness = getNullConstraint(*ArgSVal, State);
577 Nullability RequiredNullability =
578 getNullabilityAnnotation(Param->getType());
579 Nullability ArgExprTypeLevelNullability =
580 getNullabilityAnnotation(ArgExpr->getType());
582 if (Filter.CheckNullPassedToNonnull && Nullness == NullConstraint::IsNull &&
583 ArgExprTypeLevelNullability != Nullability::Nonnull &&
584 RequiredNullability == Nullability::Nonnull) {
585 ExplodedNode *N = C.generateErrorNode(State);
588 reportBugIfPreconditionHolds(ErrorKind::NilPassedToNonnull, N, nullptr, C,
593 const MemRegion *Region = getTrackRegion(*ArgSVal);
597 const NullabilityState *TrackedNullability =
598 State->get<NullabilityMap>(Region);
600 if (TrackedNullability) {
601 if (Nullness == NullConstraint::IsNotNull ||
602 TrackedNullability->getValue() != Nullability::Nullable)
605 if (Filter.CheckNullablePassedToNonnull &&
606 RequiredNullability == Nullability::Nonnull) {
607 ExplodedNode *N = C.addTransition(State);
608 reportBugIfPreconditionHolds(ErrorKind::NullablePassedToNonnull, N,
609 Region, C, ArgExpr, /*SuppressPath=*/true);
612 if (Filter.CheckNullableDereferenced &&
613 Param->getType()->isReferenceType()) {
614 ExplodedNode *N = C.addTransition(State);
615 reportBugIfPreconditionHolds(ErrorKind::NullableDereferenced, N, Region,
616 C, ArgExpr, /*SuppressPath=*/true);
621 // No tracked nullability yet.
622 if (ArgExprTypeLevelNullability != Nullability::Nullable)
624 State = State->set<NullabilityMap>(
625 Region, NullabilityState(ArgExprTypeLevelNullability, ArgExpr));
627 if (State != OrigState)
628 C.addTransition(State);
631 /// Suppress the nullability warnings for some functions.
632 void NullabilityChecker::checkPostCall(const CallEvent &Call,
633 CheckerContext &C) const {
634 auto Decl = Call.getDecl();
637 // ObjC Messages handles in a different callback.
638 if (Call.getKind() == CE_ObjCMessage)
640 const FunctionType *FuncType = Decl->getFunctionType();
643 QualType ReturnType = FuncType->getReturnType();
644 if (!ReturnType->isAnyPointerType())
646 ProgramStateRef State = C.getState();
647 if (State->get<PreconditionViolated>())
650 const MemRegion *Region = getTrackRegion(Call.getReturnValue());
654 // CG headers are misannotated. Do not warn for symbols that are the results
656 const SourceManager &SM = C.getSourceManager();
657 StringRef FilePath = SM.getFilename(SM.getSpellingLoc(Decl->getLocStart()));
658 if (llvm::sys::path::filename(FilePath).startswith("CG")) {
659 State = State->set<NullabilityMap>(Region, Nullability::Contradicted);
660 C.addTransition(State);
664 const NullabilityState *TrackedNullability =
665 State->get<NullabilityMap>(Region);
667 if (!TrackedNullability &&
668 getNullabilityAnnotation(ReturnType) == Nullability::Nullable) {
669 State = State->set<NullabilityMap>(Region, Nullability::Nullable);
670 C.addTransition(State);
674 static Nullability getReceiverNullability(const ObjCMethodCall &M,
675 ProgramStateRef State) {
676 if (M.isReceiverSelfOrSuper()) {
677 // For super and super class receivers we assume that the receiver is
679 return Nullability::Nonnull;
681 // Otherwise look up nullability in the state.
682 SVal Receiver = M.getReceiverSVal();
683 if (auto DefOrUnknown = Receiver.getAs<DefinedOrUnknownSVal>()) {
684 // If the receiver is constrained to be nonnull, assume that it is nonnull
685 // regardless of its type.
686 NullConstraint Nullness = getNullConstraint(*DefOrUnknown, State);
687 if (Nullness == NullConstraint::IsNotNull)
688 return Nullability::Nonnull;
690 auto ValueRegionSVal = Receiver.getAs<loc::MemRegionVal>();
691 if (ValueRegionSVal) {
692 const MemRegion *SelfRegion = ValueRegionSVal->getRegion();
695 const NullabilityState *TrackedSelfNullability =
696 State->get<NullabilityMap>(SelfRegion);
697 if (TrackedSelfNullability)
698 return TrackedSelfNullability->getValue();
700 return Nullability::Unspecified;
703 /// Calculate the nullability of the result of a message expr based on the
704 /// nullability of the receiver, the nullability of the return value, and the
706 void NullabilityChecker::checkPostObjCMessage(const ObjCMethodCall &M,
707 CheckerContext &C) const {
708 auto Decl = M.getDecl();
711 QualType RetType = Decl->getReturnType();
712 if (!RetType->isAnyPointerType())
715 ProgramStateRef State = C.getState();
716 if (State->get<PreconditionViolated>())
719 const MemRegion *ReturnRegion = getTrackRegion(M.getReturnValue());
723 auto Interface = Decl->getClassInterface();
724 auto Name = Interface ? Interface->getName() : "";
725 // In order to reduce the noise in the diagnostics generated by this checker,
726 // some framework and programming style based heuristics are used. These
727 // heuristics are for Cocoa APIs which have NS prefix.
728 if (Name.startswith("NS")) {
729 // Developers rely on dynamic invariants such as an item should be available
730 // in a collection, or a collection is not empty often. Those invariants can
731 // not be inferred by any static analysis tool. To not to bother the users
732 // with too many false positives, every item retrieval function should be
733 // ignored for collections. The instance methods of dictionaries in Cocoa
734 // are either item retrieval related or not interesting nullability wise.
735 // Using this fact, to keep the code easier to read just ignore the return
736 // value of every instance method of dictionaries.
737 if (M.isInstanceMessage() && Name.find("Dictionary") != StringRef::npos) {
739 State->set<NullabilityMap>(ReturnRegion, Nullability::Contradicted);
740 C.addTransition(State);
743 // For similar reasons ignore some methods of Cocoa arrays.
744 StringRef FirstSelectorSlot = M.getSelector().getNameForSlot(0);
745 if (Name.find("Array") != StringRef::npos &&
746 (FirstSelectorSlot == "firstObject" ||
747 FirstSelectorSlot == "lastObject")) {
749 State->set<NullabilityMap>(ReturnRegion, Nullability::Contradicted);
750 C.addTransition(State);
754 // Encoding related methods of string should not fail when lossless
755 // encodings are used. Using lossless encodings is so frequent that ignoring
756 // this class of methods reduced the emitted diagnostics by about 30% on
757 // some projects (and all of that was false positives).
758 if (Name.find("String") != StringRef::npos) {
759 for (auto Param : M.parameters()) {
760 if (Param->getName() == "encoding") {
761 State = State->set<NullabilityMap>(ReturnRegion,
762 Nullability::Contradicted);
763 C.addTransition(State);
770 const ObjCMessageExpr *Message = M.getOriginExpr();
771 Nullability SelfNullability = getReceiverNullability(M, State);
773 const NullabilityState *NullabilityOfReturn =
774 State->get<NullabilityMap>(ReturnRegion);
776 if (NullabilityOfReturn) {
777 // When we have a nullability tracked for the return value, the nullability
778 // of the expression will be the most nullable of the receiver and the
780 Nullability RetValTracked = NullabilityOfReturn->getValue();
781 Nullability ComputedNullab =
782 getMostNullable(RetValTracked, SelfNullability);
783 if (ComputedNullab != RetValTracked &&
784 ComputedNullab != Nullability::Unspecified) {
785 const Stmt *NullabilitySource =
786 ComputedNullab == RetValTracked
787 ? NullabilityOfReturn->getNullabilitySource()
788 : Message->getInstanceReceiver();
789 State = State->set<NullabilityMap>(
790 ReturnRegion, NullabilityState(ComputedNullab, NullabilitySource));
791 C.addTransition(State);
796 // No tracked information. Use static type information for return value.
797 Nullability RetNullability = getNullabilityAnnotation(RetType);
799 // Properties might be computed. For this reason the static analyzer creates a
800 // new symbol each time an unknown property is read. To avoid false pozitives
801 // do not treat unknown properties as nullable, even when they explicitly
803 if (M.getMessageKind() == OCM_PropertyAccess && !C.wasInlined)
804 RetNullability = Nullability::Nonnull;
806 Nullability ComputedNullab = getMostNullable(RetNullability, SelfNullability);
807 if (ComputedNullab == Nullability::Nullable) {
808 const Stmt *NullabilitySource = ComputedNullab == RetNullability
810 : Message->getInstanceReceiver();
811 State = State->set<NullabilityMap>(
812 ReturnRegion, NullabilityState(ComputedNullab, NullabilitySource));
813 C.addTransition(State);
817 /// Explicit casts are trusted. If there is a disagreement in the nullability
818 /// annotations in the destination and the source or '0' is casted to nonnull
819 /// track the value as having contraditory nullability. This will allow users to
820 /// suppress warnings.
821 void NullabilityChecker::checkPostStmt(const ExplicitCastExpr *CE,
822 CheckerContext &C) const {
823 QualType OriginType = CE->getSubExpr()->getType();
824 QualType DestType = CE->getType();
825 if (!OriginType->isAnyPointerType())
827 if (!DestType->isAnyPointerType())
830 ProgramStateRef State = C.getState();
831 if (State->get<PreconditionViolated>())
834 Nullability DestNullability = getNullabilityAnnotation(DestType);
836 // No explicit nullability in the destination type, so this cast does not
837 // change the nullability.
838 if (DestNullability == Nullability::Unspecified)
842 State->getSVal(CE, C.getLocationContext()).getAs<DefinedOrUnknownSVal>();
843 const MemRegion *Region = getTrackRegion(*RegionSVal);
847 // When 0 is converted to nonnull mark it as contradicted.
848 if (DestNullability == Nullability::Nonnull) {
849 NullConstraint Nullness = getNullConstraint(*RegionSVal, State);
850 if (Nullness == NullConstraint::IsNull) {
851 State = State->set<NullabilityMap>(Region, Nullability::Contradicted);
852 C.addTransition(State);
857 const NullabilityState *TrackedNullability =
858 State->get<NullabilityMap>(Region);
860 if (!TrackedNullability) {
861 if (DestNullability != Nullability::Nullable)
863 State = State->set<NullabilityMap>(Region,
864 NullabilityState(DestNullability, CE));
865 C.addTransition(State);
869 if (TrackedNullability->getValue() != DestNullability &&
870 TrackedNullability->getValue() != Nullability::Contradicted) {
871 State = State->set<NullabilityMap>(Region, Nullability::Contradicted);
872 C.addTransition(State);
876 /// For a given statement performing a bind, attempt to syntactically
877 /// match the expression resulting in the bound value.
878 static const Expr * matchValueExprForBind(const Stmt *S) {
879 // For `x = e` the value expression is the right-hand side.
880 if (auto *BinOp = dyn_cast<BinaryOperator>(S)) {
881 if (BinOp->getOpcode() == BO_Assign)
882 return BinOp->getRHS();
885 // For `int x = e` the value expression is the initializer.
886 if (auto *DS = dyn_cast<DeclStmt>(S)) {
887 if (DS->isSingleDecl()) {
888 auto *VD = dyn_cast<VarDecl>(DS->getSingleDecl());
892 if (const Expr *Init = VD->getInit())
900 /// Returns true if \param S is a DeclStmt for a local variable that
901 /// ObjC automated reference counting initialized with zero.
902 static bool isARCNilInitializedLocal(CheckerContext &C, const Stmt *S) {
903 // We suppress diagnostics for ARC zero-initialized _Nonnull locals. This
904 // prevents false positives when a _Nonnull local variable cannot be
905 // initialized with an initialization expression:
906 // NSString * _Nonnull s; // no-warning
907 // @autoreleasepool {
911 // FIXME: We should treat implicitly zero-initialized _Nonnull locals as
912 // uninitialized in Sema's UninitializedValues analysis to warn when a use of
913 // the zero-initialized definition will unexpectedly yield nil.
915 // Locals are only zero-initialized when automated reference counting
917 if (!C.getASTContext().getLangOpts().ObjCAutoRefCount)
920 auto *DS = dyn_cast<DeclStmt>(S);
921 if (!DS || !DS->isSingleDecl())
924 auto *VD = dyn_cast<VarDecl>(DS->getSingleDecl());
928 // Sema only zero-initializes locals with ObjCLifetimes.
929 if(!VD->getType().getQualifiers().hasObjCLifetime())
932 const Expr *Init = VD->getInit();
933 assert(Init && "ObjC local under ARC without initializer");
935 // Return false if the local is explicitly initialized (e.g., with '= nil').
936 if (!isa<ImplicitValueInitExpr>(Init))
942 /// Propagate the nullability information through binds and warn when nullable
943 /// pointer or null symbol is assigned to a pointer with a nonnull type.
944 void NullabilityChecker::checkBind(SVal L, SVal V, const Stmt *S,
945 CheckerContext &C) const {
946 const TypedValueRegion *TVR =
947 dyn_cast_or_null<TypedValueRegion>(L.getAsRegion());
951 QualType LocType = TVR->getValueType();
952 if (!LocType->isAnyPointerType())
955 ProgramStateRef State = C.getState();
956 if (State->get<PreconditionViolated>())
959 auto ValDefOrUnknown = V.getAs<DefinedOrUnknownSVal>();
960 if (!ValDefOrUnknown)
963 NullConstraint RhsNullness = getNullConstraint(*ValDefOrUnknown, State);
965 Nullability ValNullability = Nullability::Unspecified;
966 if (SymbolRef Sym = ValDefOrUnknown->getAsSymbol())
967 ValNullability = getNullabilityAnnotation(Sym->getType());
969 Nullability LocNullability = getNullabilityAnnotation(LocType);
970 if (Filter.CheckNullPassedToNonnull &&
971 RhsNullness == NullConstraint::IsNull &&
972 ValNullability != Nullability::Nonnull &&
973 LocNullability == Nullability::Nonnull &&
974 !isARCNilInitializedLocal(C, S)) {
975 static CheckerProgramPointTag Tag(this, "NullPassedToNonnull");
976 ExplodedNode *N = C.generateErrorNode(State, &Tag);
980 const Stmt *ValueExpr = matchValueExprForBind(S);
984 reportBugIfPreconditionHolds(ErrorKind::NilAssignedToNonnull, N, nullptr, C,
988 // Intentionally missing case: '0' is bound to a reference. It is handled by
989 // the DereferenceChecker.
991 const MemRegion *ValueRegion = getTrackRegion(*ValDefOrUnknown);
995 const NullabilityState *TrackedNullability =
996 State->get<NullabilityMap>(ValueRegion);
998 if (TrackedNullability) {
999 if (RhsNullness == NullConstraint::IsNotNull ||
1000 TrackedNullability->getValue() != Nullability::Nullable)
1002 if (Filter.CheckNullablePassedToNonnull &&
1003 LocNullability == Nullability::Nonnull) {
1004 static CheckerProgramPointTag Tag(this, "NullablePassedToNonnull");
1005 ExplodedNode *N = C.addTransition(State, C.getPredecessor(), &Tag);
1006 reportBugIfPreconditionHolds(ErrorKind::NullableAssignedToNonnull, N,
1012 const auto *BinOp = dyn_cast<BinaryOperator>(S);
1014 if (ValNullability == Nullability::Nullable) {
1015 // Trust the static information of the value more than the static
1016 // information on the location.
1017 const Stmt *NullabilitySource = BinOp ? BinOp->getRHS() : S;
1018 State = State->set<NullabilityMap>(
1019 ValueRegion, NullabilityState(ValNullability, NullabilitySource));
1020 C.addTransition(State);
1024 if (LocNullability == Nullability::Nullable) {
1025 const Stmt *NullabilitySource = BinOp ? BinOp->getLHS() : S;
1026 State = State->set<NullabilityMap>(
1027 ValueRegion, NullabilityState(LocNullability, NullabilitySource));
1028 C.addTransition(State);
1032 void NullabilityChecker::printState(raw_ostream &Out, ProgramStateRef State,
1033 const char *NL, const char *Sep) const {
1035 NullabilityMapTy B = State->get<NullabilityMap>();
1042 for (NullabilityMapTy::iterator I = B.begin(), E = B.end(); I != E; ++I) {
1043 Out << I->first << " : ";
1044 I->second.print(Out);
1049 #define REGISTER_CHECKER(name, trackingRequired) \
1050 void ento::register##name##Checker(CheckerManager &mgr) { \
1051 NullabilityChecker *checker = mgr.registerChecker<NullabilityChecker>(); \
1052 checker->Filter.Check##name = true; \
1053 checker->Filter.CheckName##name = mgr.getCurrentCheckName(); \
1054 checker->NeedTracking = checker->NeedTracking || trackingRequired; \
1057 // The checks are likely to be turned on by default and it is possible to do
1058 // them without tracking any nullability related information. As an optimization
1059 // no nullability information will be tracked when only these two checks are
1061 REGISTER_CHECKER(NullPassedToNonnull, false)
1062 REGISTER_CHECKER(NullReturnedFromNonnull, false)
1064 REGISTER_CHECKER(NullableDereferenced, true)
1065 REGISTER_CHECKER(NullablePassedToNonnull, true)
1066 REGISTER_CHECKER(NullableReturnedFromNonnull, true)
projects / FreeBSD / FreeBSD.git / blob