Coverage Report

Created: 2019-07-24 05:18

/Users/buildslave/jenkins/workspace/clang-stage2-coverage-R/llvm/tools/clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp
Line
Count
Source (jump to first uncovered line)
1
//===-- NullabilityChecker.cpp - Nullability checker ----------------------===//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
// This checker tries to find nullability violations. There are several kinds of
10
// possible violations:
11
// * Null pointer is passed to a pointer which has a _Nonnull type.
12
// * Null pointer is returned from a function which has a _Nonnull return type.
13
// * Nullable pointer is passed to a pointer which has a _Nonnull type.
14
// * Nullable pointer is returned from a function which has a _Nonnull return
15
//   type.
16
// * Nullable pointer is dereferenced.
17
//
18
// This checker propagates the nullability information of the pointers and looks
19
// for the patterns that are described above. Explicit casts are trusted and are
20
// considered a way to suppress false positives for this checker. The other way
21
// to suppress warnings would be to add asserts or guarding if statements to the
22
// code. In addition to the nullability propagation this checker also uses some
23
// heuristics to suppress potential false positives.
24
//
25
//===----------------------------------------------------------------------===//
26
27
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
28
29
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
30
#include "clang/StaticAnalyzer/Core/Checker.h"
31
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
32
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
33
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
34
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
35
36
#include "llvm/ADT/StringExtras.h"
37
#include "llvm/Support/Path.h"
38
39
using namespace clang;
40
using namespace ento;
41
42
namespace {
43
44
/// Returns the most nullable nullability. This is used for message expressions
45
/// like [receiver method], where the nullability of this expression is either
46
/// the nullability of the receiver or the nullability of the return type of the
47
/// method, depending on which is more nullable. Contradicted is considered to
48
/// be the most nullable, to avoid false positive results.
49
103
Nullability getMostNullable(Nullability Lhs, Nullability Rhs) {
50
103
  return static_cast<Nullability>(
51
103
      std::min(static_cast<char>(Lhs), static_cast<char>(Rhs)));
52
103
}
53
54
74
const char *getNullabilityString(Nullability Nullab) {
55
74
  switch (Nullab) {
56
74
  case Nullability::Contradicted:
57
0
    return "contradicted";
58
74
  case Nullability::Nullable:
59
74
    return "nullable";
60
74
  case Nullability::Unspecified:
61
0
    return "unspecified";
62
74
  case Nullability::Nonnull:
63
0
    return "nonnull";
64
0
  }
65
0
  llvm_unreachable("Unexpected enumeration.");
66
0
  return "";
67
0
}
68
69
// These enums are used as an index to ErrorMessages array.
70
enum class ErrorKind : int {
71
  NilAssignedToNonnull,
72
  NilPassedToNonnull,
73
  NilReturnedToNonnull,
74
  NullableAssignedToNonnull,
75
  NullableReturnedToNonnull,
76
  NullableDereferenced,
77
  NullablePassedToNonnull
78
};
79
80
class NullabilityChecker
81
    : public Checker<check::Bind, check::PreCall, check::PreStmt<ReturnStmt>,
82
                     check::PostCall, check::PostStmt<ExplicitCastExpr>,
83
                     check::PostObjCMessage, check::DeadSymbols,
84
                     check::Event<ImplicitNullDerefEvent>> {
85
  mutable std::unique_ptr<BugType> BT;
86
87
public:
88
  // If true, the checker will not diagnose nullabilility issues for calls
89
  // to system headers. This option is motivated by the observation that large
90
  // projects may have many nullability warnings. These projects may
91
  // find warnings about nullability annotations that they have explicitly
92
  // added themselves higher priority to fix than warnings on calls to system
93
  // libraries.
94
  DefaultBool NoDiagnoseCallsToSystemHeaders;
95
96
  void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
97
  void checkPostStmt(const ExplicitCastExpr *CE, CheckerContext &C) const;
98
  void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
99
  void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
100
  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
101
  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
102
  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
103
  void checkEvent(ImplicitNullDerefEvent Event) const;
104
105
  void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
106
                  const char *Sep) const override;
107
108
  struct NullabilityChecksFilter {
109
    DefaultBool CheckNullPassedToNonnull;
110
    DefaultBool CheckNullReturnedFromNonnull;
111
    DefaultBool CheckNullableDereferenced;
112
    DefaultBool CheckNullablePassedToNonnull;
113
    DefaultBool CheckNullableReturnedFromNonnull;
114
115
    CheckName CheckNameNullPassedToNonnull;
116
    CheckName CheckNameNullReturnedFromNonnull;
117
    CheckName CheckNameNullableDereferenced;
118
    CheckName CheckNameNullablePassedToNonnull;
119
    CheckName CheckNameNullableReturnedFromNonnull;
120
  };
121
122
  NullabilityChecksFilter Filter;
123
  // When set to false no nullability information will be tracked in
124
  // NullabilityMap. It is possible to catch errors like passing a null pointer
125
  // to a callee that expects nonnull argument without the information that is
126
  // stroed in the NullabilityMap. This is an optimization.
127
  DefaultBool NeedTracking;
128
129
private:
130
  class NullabilityBugVisitor : public BugReporterVisitor {
131
  public:
132
74
    NullabilityBugVisitor(const MemRegion *M) : Region(M) {}
133
134
74
    void Profile(llvm::FoldingSetNodeID &ID) const override {
135
74
      static int X = 0;
136
74
      ID.AddPointer(&X);
137
74
      ID.AddPointer(Region);
138
74
    }
139
140
    std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
141
                                                   BugReporterContext &BRC,
142
                                                   BugReport &BR) override;
143
144
  private:
145
    // The tracked region.
146
    const MemRegion *Region;
147
  };
148
149
  /// When any of the nonnull arguments of the analyzed function is null, do not
150
  /// report anything and turn off the check.
151
  ///
152
  /// When \p SuppressPath is set to true, no more bugs will be reported on this
153
  /// path by this checker.
154
  void reportBugIfInvariantHolds(StringRef Msg, ErrorKind Error,
155
                                 ExplodedNode *N, const MemRegion *Region,
156
                                 CheckerContext &C,
157
                                 const Stmt *ValueExpr = nullptr,
158
                                  bool SuppressPath = false) const;
159
160
  void reportBug(StringRef Msg, ErrorKind Error, ExplodedNode *N,
161
                 const MemRegion *Region, BugReporter &BR,
162
149
                 const Stmt *ValueExpr = nullptr) const {
163
149
    if (!BT)
164
11
      BT.reset(new BugType(this, "Nullability", categories::MemoryError));
165
149
166
149
    auto R = llvm::make_unique<BugReport>(*BT, Msg, N);
167
149
    if (Region) {
168
74
      R->markInteresting(Region);
169
74
      R->addVisitor(llvm::make_unique<NullabilityBugVisitor>(Region));
170
74
    }
171
149
    if (ValueExpr) {
172
117
      R->addRange(ValueExpr->getSourceRange());
173
117
      if (Error == ErrorKind::NilAssignedToNonnull ||
174
117
          
Error == ErrorKind::NilPassedToNonnull102
||
175
117
          
Error == ErrorKind::NilReturnedToNonnull66
)
176
75
        if (const auto *Ex = dyn_cast<Expr>(ValueExpr))
177
75
          bugreporter::trackExpressionValue(N, Ex, *R);
178
117
    }
179
149
    BR.emitReport(std::move(R));
180
149
  }
181
182
  /// If an SVal wraps a region that should be tracked, it will return a pointer
183
  /// to the wrapped region. Otherwise it will return a nullptr.
184
  const SymbolicRegion *getTrackRegion(SVal Val,
185
                                       bool CheckSuperRegion = false) const;
186
187
  /// Returns true if the call is diagnosable in the current analyzer
188
  /// configuration.
189
84
  bool isDiagnosableCall(const CallEvent &Call) const {
190
84
    if (NoDiagnoseCallsToSystemHeaders && 
Call.isInSystemHeader()39
)
191
6
      return false;
192
78
193
78
    return true;
194
78
  }
195
};
196
197
class NullabilityState {
198
public:
199
  NullabilityState(Nullability Nullab, const Stmt *Source = nullptr)
200
94
      : Nullab(Nullab), Source(Source) {}
201
202
130
  const Stmt *getNullabilitySource() const { return Source; }
203
204
3.58k
  Nullability getValue() const { return Nullab; }
205
206
134
  void Profile(llvm::FoldingSetNodeID &ID) const {
207
134
    ID.AddInteger(static_cast<char>(Nullab));
208
134
    ID.AddPointer(Source);
209
134
  }
210
211
0
  void print(raw_ostream &Out) const {
212
0
    Out << getNullabilityString(Nullab) << "\n";
213
0
  }
214
215
private:
216
  Nullability Nullab;
217
  // Source is the expression which determined the nullability. For example in a
218
  // message like [nullable nonnull_returning] has nullable nullability, because
219
  // the receiver is nullable. Here the receiver will be the source of the
220
  // nullability. This is useful information when the diagnostics are generated.
221
  const Stmt *Source;
222
};
223
224
28
bool operator==(NullabilityState Lhs, NullabilityState Rhs) {
225
28
  return Lhs.getValue() == Rhs.getValue() &&
226
28
         Lhs.getNullabilitySource() == Rhs.getNullabilitySource();
227
28
}
228
229
} // end anonymous namespace
230
231
REGISTER_MAP_WITH_PROGRAMSTATE(NullabilityMap, const MemRegion *,
232
                               NullabilityState)
233
234
// We say "the nullability type invariant is violated" when a location with a
235
// non-null type contains NULL or a function with a non-null return type returns
236
// NULL. Violations of the nullability type invariant can be detected either
237
// directly (for example, when NULL is passed as an argument to a nonnull
238
// parameter) or indirectly (for example, when, inside a function, the
239
// programmer defensively checks whether a nonnull parameter contains NULL and
240
// finds that it does).
241
//
242
// As a matter of policy, the nullability checker typically warns on direct
243
// violations of the nullability invariant (although it uses various
244
// heuristics to suppress warnings in some cases) but will not warn if the
245
// invariant has already been violated along the path (either directly or
246
// indirectly). As a practical matter, this prevents the analyzer from
247
// (1) warning on defensive code paths where a nullability precondition is
248
// determined to have been violated, (2) warning additional times after an
249
// initial direct violation has been discovered, and (3) warning after a direct
250
// violation that has been implicitly or explicitly suppressed (for
251
// example, with a cast of NULL to _Nonnull). In essence, once an invariant
252
// violation is detected on a path, this checker will be essentially turned off
253
// for the rest of the analysis
254
//
255
// The analyzer takes this approach (rather than generating a sink node) to
256
// ensure coverage of defensive paths, which may be important for backwards
257
// compatibility in codebases that were developed without nullability in mind.
258
REGISTER_TRAIT_WITH_PROGRAMSTATE(InvariantViolated, bool)
259
260
enum class NullConstraint { IsNull, IsNotNull, Unknown };
261
262
static NullConstraint getNullConstraint(DefinedOrUnknownSVal Val,
263
1.42k
                                        ProgramStateRef State) {
264
1.42k
  ConditionTruthVal Nullness = State->isNull(Val);
265
1.42k
  if (Nullness.isConstrainedFalse())
266
315
    return NullConstraint::IsNotNull;
267
1.11k
  if (Nullness.isConstrainedTrue())
268
318
    return NullConstraint::IsNull;
269
794
  return NullConstraint::Unknown;
270
794
}
271
272
const SymbolicRegion *
273
1.06k
NullabilityChecker::getTrackRegion(SVal Val, bool CheckSuperRegion) const {
274
1.06k
  if (!NeedTracking)
275
74
    return nullptr;
276
987
277
987
  auto RegionSVal = Val.getAs<loc::MemRegionVal>();
278
987
  if (!RegionSVal)
279
151
    return nullptr;
280
836
281
836
  const MemRegion *Region = RegionSVal->getRegion();
282
836
283
836
  if (CheckSuperRegion) {
284
23
    if (auto FieldReg = Region->getAs<FieldRegion>())
285
4
      return dyn_cast<SymbolicRegion>(FieldReg->getSuperRegion());
286
19
    if (auto ElementReg = Region->getAs<ElementRegion>())
287
0
      return dyn_cast<SymbolicRegion>(ElementReg->getSuperRegion());
288
832
  }
289
832
290
832
  return dyn_cast<SymbolicRegion>(Region);
291
832
}
292
293
std::shared_ptr<PathDiagnosticPiece>
294
NullabilityChecker::NullabilityBugVisitor::VisitNode(const ExplodedNode *N,
295
                                                     BugReporterContext &BRC,
296
3.44k
                                                     BugReport &BR) {
297
3.44k
  ProgramStateRef State = N->getState();
298
3.44k
  ProgramStateRef StatePrev = N->getFirstPred()->getState();
299
3.44k
300
3.44k
  const NullabilityState *TrackedNullab = State->get<NullabilityMap>(Region);
301
3.44k
  const NullabilityState *TrackedNullabPrev =
302
3.44k
      StatePrev->get<NullabilityMap>(Region);
303
3.44k
  if (!TrackedNullab)
304
1.76k
    return nullptr;
305
1.68k
306
1.68k
  if (TrackedNullabPrev &&
307
1.68k
      
TrackedNullabPrev->getValue() == TrackedNullab->getValue()1.61k
)
308
1.61k
    return nullptr;
309
74
310
74
  // Retrieve the associated statement.
311
74
  const Stmt *S = TrackedNullab->getNullabilitySource();
312
74
  if (!S || 
S->getBeginLoc().isInvalid()38
) {
313
38
    S = PathDiagnosticLocation::getStmt(N);
314
38
  }
315
74
316
74
  if (!S)
317
0
    return nullptr;
318
74
319
74
  std::string InfoText =
320
74
      (llvm::Twine("Nullability '") +
321
74
       getNullabilityString(TrackedNullab->getValue()) + "' is inferred")
322
74
          .str();
323
74
324
74
  // Generate the extra diagnostic.
325
74
  PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
326
74
                             N->getLocationContext());
327
74
  return std::make_shared<PathDiagnosticEventPiece>(Pos, InfoText, true,
328
74
                                                    nullptr);
329
74
}
330
331
/// Returns true when the value stored at the given location has been
332
/// constrained to null after being passed through an object of nonnnull type.
333
static bool checkValueAtLValForInvariantViolation(ProgramStateRef State,
334
1.68k
                                                  SVal LV, QualType T) {
335
1.68k
  if (getNullabilityAnnotation(T) != Nullability::Nonnull)
336
1.21k
    return false;
337
469
338
469
  auto RegionVal = LV.getAs<loc::MemRegionVal>();
339
469
  if (!RegionVal)
340
0
    return false;
341
469
342
469
  // If the value was constrained to null *after* it was passed through that
343
469
  // location, it could not have been a concrete pointer *when* it was passed.
344
469
  // In that case we would have handled the situation when the value was
345
469
  // bound to that location, by emitting (or not emitting) a report.
346
469
  // Therefore we are only interested in symbolic regions that can be either
347
469
  // null or non-null depending on the value of their respective symbol.
348
469
  auto StoredVal = State->getSVal(*RegionVal).getAs<loc::MemRegionVal>();
349
469
  if (!StoredVal || 
!isa<SymbolicRegion>(StoredVal->getRegion())459
)
350
10
    return false;
351
459
352
459
  if (getNullConstraint(*StoredVal, State) == NullConstraint::IsNull)
353
44
    return true;
354
415
355
415
  return false;
356
415
}
357
358
static bool
359
checkParamsForPreconditionViolation(ArrayRef<ParmVarDecl *> Params,
360
                                    ProgramStateRef State,
361
2.52k
                                    const LocationContext *LocCtxt) {
362
2.52k
  for (const auto *ParamDecl : Params) {
363
1.43k
    if (ParamDecl->isParameterPack())
364
0
      break;
365
1.43k
366
1.43k
    SVal LV = State->getLValue(ParamDecl, LocCtxt);
367
1.43k
    if (checkValueAtLValForInvariantViolation(State, LV,
368
1.43k
                                              ParamDecl->getType())) {
369
36
      return true;
370
36
    }
371
1.43k
  }
372
2.52k
  
return false2.48k
;
373
2.52k
}
374
375
static bool
376
checkSelfIvarsForInvariantViolation(ProgramStateRef State,
377
2.48k
                                    const LocationContext *LocCtxt) {
378
2.48k
  auto *MD = dyn_cast<ObjCMethodDecl>(LocCtxt->getDecl());
379
2.48k
  if (!MD || 
!MD->isInstanceMethod()624
)
380
1.87k
    return false;
381
609
382
609
  const ImplicitParamDecl *SelfDecl = LocCtxt->getSelfDecl();
383
609
  if (!SelfDecl)
384
0
    return false;
385
609
386
609
  SVal SelfVal = State->getSVal(State->getRegion(SelfDecl, LocCtxt));
387
609
388
609
  const ObjCObjectPointerType *SelfType =
389
609
      dyn_cast<ObjCObjectPointerType>(SelfDecl->getType());
390
609
  if (!SelfType)
391
0
    return false;
392
609
393
609
  const ObjCInterfaceDecl *ID = SelfType->getInterfaceDecl();
394
609
  if (!ID)
395
0
    return false;
396
609
397
609
  for (const auto *IvarDecl : ID->ivars()) {
398
252
    SVal LV = State->getLValue(IvarDecl, SelfVal);
399
252
    if (checkValueAtLValForInvariantViolation(State, LV, IvarDecl->getType())) {
400
8
      return true;
401
8
    }
402
252
  }
403
609
  
return false601
;
404
609
}
405
406
static bool checkInvariantViolation(ProgramStateRef State, ExplodedNode *N,
407
3.14k
                                    CheckerContext &C) {
408
3.14k
  if (State->get<InvariantViolated>())
409
622
    return true;
410
2.52k
411
2.52k
  const LocationContext *LocCtxt = C.getLocationContext();
412
2.52k
  const Decl *D = LocCtxt->getDecl();
413
2.52k
  if (!D)
414
0
    return false;
415
2.52k
416
2.52k
  ArrayRef<ParmVarDecl*> Params;
417
2.52k
  if (const auto *BD = dyn_cast<BlockDecl>(D))
418
15
    Params = BD->parameters();
419
2.50k
  else if (const auto *FD = dyn_cast<FunctionDecl>(D))
420
1.87k
    Params = FD->parameters();
421
638
  else if (const auto *MD = dyn_cast<ObjCMethodDecl>(D))
422
638
    Params = MD->parameters();
423
0
  else
424
0
    return false;
425
2.52k
426
2.52k
  if (checkParamsForPreconditionViolation(Params, State, LocCtxt) ||
427
2.52k
      
checkSelfIvarsForInvariantViolation(State, LocCtxt)2.48k
) {
428
44
    if (!N->isSink())
429
44
      C.addTransition(State->set<InvariantViolated>(true), N);
430
44
    return true;
431
44
  }
432
2.48k
  return false;
433
2.48k
}
434
435
void NullabilityChecker::reportBugIfInvariantHolds(StringRef Msg,
436
    ErrorKind Error, ExplodedNode *N, const MemRegion *Region,
437
129
    CheckerContext &C, const Stmt *ValueExpr, bool SuppressPath) const {
438
129
  ProgramStateRef OriginalState = N->getState();
439
129
440
129
  if (checkInvariantViolation(OriginalState, N, C))
441
0
    return;
442
129
  if (SuppressPath) {
443
42
    OriginalState = OriginalState->set<InvariantViolated>(true);
444
42
    N = C.addTransition(OriginalState, N);
445
42
  }
446
129
447
129
  reportBug(Msg, Error, N, Region, C.getBugReporter(), ValueExpr);
448
129
}
449
450
/// Cleaning up the program state.
451
void NullabilityChecker::checkDeadSymbols(SymbolReaper &SR,
452
3.01k
                                          CheckerContext &C) const {
453
3.01k
  ProgramStateRef State = C.getState();
454
3.01k
  NullabilityMapTy Nullabilities = State->get<NullabilityMap>();
455
3.01k
  for (NullabilityMapTy::iterator I = Nullabilities.begin(),
456
3.01k
                                  E = Nullabilities.end();
457
3.80k
       I != E; 
++I788
) {
458
788
    const auto *Region = I->first->getAs<SymbolicRegion>();
459
788
    assert(Region && "Non-symbolic region is tracked.");
460
788
    if (SR.isDead(Region->getSymbol())) {
461
238
      State = State->remove<NullabilityMap>(I->first);
462
238
    }
463
788
  }
464
3.01k
  // When one of the nonnull arguments are constrained to be null, nullability
465
3.01k
  // preconditions are violated. It is not enough to check this only when we
466
3.01k
  // actually report an error, because at that time interesting symbols might be
467
3.01k
  // reaped.
468
3.01k
  if (checkInvariantViolation(State, C.getPredecessor(), C))
469
666
    return;
470
2.35k
  C.addTransition(State);
471
2.35k
}
472
473
/// This callback triggers when a pointer is dereferenced and the analyzer does
474
/// not know anything about the value of that pointer. When that pointer is
475
/// nullable, this code emits a warning.
476
23
void NullabilityChecker::checkEvent(ImplicitNullDerefEvent Event) const {
477
23
  if (Event.SinkNode->getState()->get<InvariantViolated>())
478
0
    return;
479
23
480
23
  const MemRegion *Region =
481
23
      getTrackRegion(Event.Location, /*CheckSuperRegion=*/true);
482
23
  if (!Region)
483
2
    return;
484
21
485
21
  ProgramStateRef State = Event.SinkNode->getState();
486
21
  const NullabilityState *TrackedNullability =
487
21
      State->get<NullabilityMap>(Region);
488
21
489
21
  if (!TrackedNullability)
490
1
    return;
491
20
492
20
  if (Filter.CheckNullableDereferenced &&
493
20
      TrackedNullability->getValue() == Nullability::Nullable) {
494
20
    BugReporter &BR = *Event.BR;
495
20
    // Do not suppress errors on defensive code paths, because dereferencing
496
20
    // a nullable pointer is always an error.
497
20
    if (Event.IsDirectDereference)
498
16
      reportBug("Nullable pointer is dereferenced",
499
16
                ErrorKind::NullableDereferenced, Event.SinkNode, Region, BR);
500
4
    else {
501
4
      reportBug("Nullable pointer is passed to a callee that requires a "
502
4
                "non-null", ErrorKind::NullablePassedToNonnull,
503
4
                Event.SinkNode, Region, BR);
504
4
    }
505
20
  }
506
20
}
507
508
/// Find the outermost subexpression of E that is not an implicit cast.
509
/// This looks through the implicit casts to _Nonnull that ARC adds to
510
/// return expressions of ObjC types when the return type of the function or
511
/// method is non-null but the express is not.
512
598
static const Expr *lookThroughImplicitCasts(const Expr *E) {
513
598
  assert(E);
514
598
515
1.12k
  while (auto *ICE = dyn_cast<ImplicitCastExpr>(E)) {
516
527
    E = ICE->getSubExpr();
517
527
  }
518
598
519
598
  return E;
520
598
}
521
522
/// This method check when nullable pointer or null value is returned from a
523
/// function that has nonnull return type.
524
void NullabilityChecker::checkPreStmt(const ReturnStmt *S,
525
338
                                      CheckerContext &C) const {
526
338
  auto RetExpr = S->getRetValue();
527
338
  if (!RetExpr)
528
18
    return;
529
320
530
320
  if (!RetExpr->getType()->isAnyPointerType())
531
4
    return;
532
316
533
316
  ProgramStateRef State = C.getState();
534
316
  if (State->get<InvariantViolated>())
535
82
    return;
536
234
537
234
  auto RetSVal = C.getSVal(S).getAs<DefinedOrUnknownSVal>();
538
234
  if (!RetSVal)
539
0
    return;
540
234
541
234
  bool InSuppressedMethodFamily = false;
542
234
543
234
  QualType RequiredRetType;
544
234
  AnalysisDeclContext *DeclCtxt =
545
234
      C.getLocationContext()->getAnalysisDeclContext();
546
234
  const Decl *D = DeclCtxt->getDecl();
547
234
  if (auto *MD = dyn_cast<ObjCMethodDecl>(D)) {
548
114
    // HACK: This is a big hammer to avoid warning when there are defensive
549
114
    // nil checks in -init and -copy methods. We should add more sophisticated
550
114
    // logic here to suppress on common defensive idioms but still
551
114
    // warn when there is a likely problem.
552
114
    ObjCMethodFamily Family = MD->getMethodFamily();
553
114
    if (OMF_init == Family || 
OMF_copy == Family60
||
OMF_mutableCopy == Family52
)
554
70
      InSuppressedMethodFamily = true;
555
114
556
114
    RequiredRetType = MD->getReturnType();
557
120
  } else if (auto *FD = dyn_cast<FunctionDecl>(D)) {
558
116
    RequiredRetType = FD->getReturnType();
559
116
  } else {
560
4
    return;
561
4
  }
562
230
563
230
  NullConstraint Nullness = getNullConstraint(*RetSVal, State);
564
230
565
230
  Nullability RequiredNullability = getNullabilityAnnotation(RequiredRetType);
566
230
567
230
  // If the returned value is null but the type of the expression
568
230
  // generating it is nonnull then we will suppress the diagnostic.
569
230
  // This enables explicit suppression when returning a nil literal in a
570
230
  // function with a _Nonnull return type:
571
230
  //    return (NSString * _Nonnull)0;
572
230
  Nullability RetExprTypeLevelNullability =
573
230
        getNullabilityAnnotation(lookThroughImplicitCasts(RetExpr)->getType());
574
230
575
230
  bool NullReturnedFromNonNull = (RequiredNullability == Nullability::Nonnull &&
576
230
                                  
Nullness == NullConstraint::IsNull184
);
577
230
  if (Filter.CheckNullReturnedFromNonnull &&
578
230
      NullReturnedFromNonNull &&
579
230
      
RetExprTypeLevelNullability != Nullability::Nonnull72
&&
580
230
      
!InSuppressedMethodFamily56
&&
581
230
      
C.getLocationContext()->inTopFrame()28
) {
582
24
    static CheckerProgramPointTag Tag(this, "NullReturnedFromNonnull");
583
24
    ExplodedNode *N = C.generateErrorNode(State, &Tag);
584
24
    if (!N)
585
0
      return;
586
24
587
24
    SmallString<256> SBuf;
588
24
    llvm::raw_svector_ostream OS(SBuf);
589
24
    OS << (RetExpr->getType()->isObjCObjectPointerType() ? 
"nil"8
:
"Null"16
);
590
24
    OS << " returned from a " << C.getDeclDescription(D) <<
591
24
          " that is expected to return a non-null value";
592
24
    reportBugIfInvariantHolds(OS.str(),
593
24
                              ErrorKind::NilReturnedToNonnull, N, nullptr, C,
594
24
                              RetExpr);
595
24
    return;
596
24
  }
597
206
598
206
  // If null was returned from a non-null function, mark the nullability
599
206
  // invariant as violated even if the diagnostic was suppressed.
600
206
  if (NullReturnedFromNonNull) {
601
48
    State = State->set<InvariantViolated>(true);
602
48
    C.addTransition(State);
603
48
    return;
604
48
  }
605
158
606
158
  const MemRegion *Region = getTrackRegion(*RetSVal);
607
158
  if (!Region)
608
18
    return;
609
140
610
140
  const NullabilityState *TrackedNullability =
611
140
      State->get<NullabilityMap>(Region);
612
140
  if (TrackedNullability) {
613
36
    Nullability TrackedNullabValue = TrackedNullability->getValue();
614
36
    if (Filter.CheckNullableReturnedFromNonnull &&
615
36
        Nullness != NullConstraint::IsNotNull &&
616
36
        TrackedNullabValue == Nullability::Nullable &&
617
36
        
RequiredNullability == Nullability::Nonnull24
) {
618
8
      static CheckerProgramPointTag Tag(this, "NullableReturnedFromNonnull");
619
8
      ExplodedNode *N = C.addTransition(State, C.getPredecessor(), &Tag);
620
8
621
8
      SmallString<256> SBuf;
622
8
      llvm::raw_svector_ostream OS(SBuf);
623
8
      OS << "Nullable pointer is returned from a " << C.getDeclDescription(D) <<
624
8
            " that is expected to return a non-null value";
625
8
626
8
      reportBugIfInvariantHolds(OS.str(),
627
8
                                ErrorKind::NullableReturnedToNonnull, N,
628
8
                                Region, C);
629
8
    }
630
36
    return;
631
36
  }
632
104
  if (RequiredNullability == Nullability::Nullable) {
633
2
    State = State->set<NullabilityMap>(Region,
634
2
                                       NullabilityState(RequiredNullability,
635
2
                                                        S));
636
2
    C.addTransition(State);
637
2
  }
638
104
}
639
640
/// This callback warns when a nullable pointer or a null value is passed to a
641
/// function that expects its argument to be nonnull.
642
void NullabilityChecker::checkPreCall(const CallEvent &Call,
643
671
                                      CheckerContext &C) const {
644
671
  if (!Call.getDecl())
645
0
    return;
646
671
647
671
  ProgramStateRef State = C.getState();
648
671
  if (State->get<InvariantViolated>())
649
98
    return;
650
573
651
573
  ProgramStateRef OrigState = State;
652
573
653
573
  unsigned Idx = 0;
654
573
  for (const ParmVarDecl *Param : Call.parameters()) {
655
297
    if (Param->isParameterPack())
656
0
      break;
657
297
658
297
    if (Idx >= Call.getNumArgs())
659
0
      break;
660
297
661
297
    const Expr *ArgExpr = Call.getArgExpr(Idx);
662
297
    auto ArgSVal = Call.getArgSVal(Idx++).getAs<DefinedOrUnknownSVal>();
663
297
    if (!ArgSVal)
664
0
      continue;
665
297
666
297
    if (!Param->getType()->isAnyPointerType() &&
667
297
        
!Param->getType()->isReferenceType()11
)
668
3
      continue;
669
294
670
294
    NullConstraint Nullness = getNullConstraint(*ArgSVal, State);
671
294
672
294
    Nullability RequiredNullability =
673
294
        getNullabilityAnnotation(Param->getType());
674
294
    Nullability ArgExprTypeLevelNullability =
675
294
        getNullabilityAnnotation(ArgExpr->getType());
676
294
677
294
    unsigned ParamIdx = Param->getFunctionScopeIndex() + 1;
678
294
679
294
    if (Filter.CheckNullPassedToNonnull && Nullness == NullConstraint::IsNull &&
680
294
        
ArgExprTypeLevelNullability != Nullability::Nonnull66
&&
681
294
        
RequiredNullability == Nullability::Nonnull48
&&
682
294
        
isDiagnosableCall(Call)38
) {
683
36
      ExplodedNode *N = C.generateErrorNode(State);
684
36
      if (!N)
685
0
        return;
686
36
687
36
      SmallString<256> SBuf;
688
36
      llvm::raw_svector_ostream OS(SBuf);
689
36
      OS << (Param->getType()->isObjCObjectPointerType() ? 
"nil"6
:
"Null"30
);
690
36
      OS << " passed to a callee that requires a non-null " << ParamIdx
691
36
         << llvm::getOrdinalSuffix(ParamIdx) << " parameter";
692
36
      reportBugIfInvariantHolds(OS.str(), ErrorKind::NilPassedToNonnull, N,
693
36
                                nullptr, C,
694
36
                                ArgExpr, /*SuppressPath=*/false);
695
36
      return;
696
36
    }
697
258
698
258
    const MemRegion *Region = getTrackRegion(*ArgSVal);
699
258
    if (!Region)
700
57
      continue;
701
201
702
201
    const NullabilityState *TrackedNullability =
703
201
        State->get<NullabilityMap>(Region);
704
201
705
201
    if (TrackedNullability) {
706
106
      if (Nullness == NullConstraint::IsNotNull ||
707
106
          
TrackedNullability->getValue() != Nullability::Nullable82
)
708
32
        continue;
709
74
710
74
      if (Filter.CheckNullablePassedToNonnull &&
711
74
          RequiredNullability == Nullability::Nonnull &&
712
74
          
isDiagnosableCall(Call)46
) {
713
42
        ExplodedNode *N = C.addTransition(State);
714
42
        SmallString<256> SBuf;
715
42
        llvm::raw_svector_ostream OS(SBuf);
716
42
        OS << "Nullable pointer is passed to a callee that requires a non-null "
717
42
           << ParamIdx << llvm::getOrdinalSuffix(ParamIdx) << " parameter";
718
42
        reportBugIfInvariantHolds(OS.str(),
719
42
                                  ErrorKind::NullablePassedToNonnull, N,
720
42
                                  Region, C, ArgExpr, /*SuppressPath=*/true);
721
42
        return;
722
42
      }
723
32
      if (Filter.CheckNullableDereferenced &&
724
32
          Param->getType()->isReferenceType()) {
725
0
        ExplodedNode *N = C.addTransition(State);
726
0
        reportBugIfInvariantHolds("Nullable pointer is dereferenced",
727
0
                                  ErrorKind::NullableDereferenced, N, Region,
728
0
                                  C, ArgExpr, /*SuppressPath=*/true);
729
0
        return;
730
0
      }
731
32
      continue;
732
32
    }
733
95
    // No tracked nullability yet.
734
95
    if (ArgExprTypeLevelNullability != Nullability::Nullable)
735
95
      continue;
736
0
    State = State->set<NullabilityMap>(
737
0
        Region, NullabilityState(ArgExprTypeLevelNullability, ArgExpr));
738
0
  }
739
573
  
if (495
State != OrigState495
)
740
0
    C.addTransition(State);
741
495
}
742
743
/// Suppress the nullability warnings for some functions.
744
void NullabilityChecker::checkPostCall(const CallEvent &Call,
745
642
                                       CheckerContext &C) const {
746
642
  auto Decl = Call.getDecl();
747
642
  if (!Decl)
748
0
    return;
749
642
  // ObjC Messages handles in a different callback.
750
642
  if (Call.getKind() == CE_ObjCMessage)
751
176
    return;
752
466
  const FunctionType *FuncType = Decl->getFunctionType();
753
466
  if (!FuncType)
754
4
    return;
755
462
  QualType ReturnType = FuncType->getReturnType();
756
462
  if (!ReturnType->isAnyPointerType())
757
338
    return;
758
124
  ProgramStateRef State = C.getState();
759
124
  if (State->get<InvariantViolated>())
760
12
    return;
761
112
762
112
  const MemRegion *Region = getTrackRegion(Call.getReturnValue());
763
112
  if (!Region)
764
4
    return;
765
108
766
108
  // CG headers are misannotated. Do not warn for symbols that are the results
767
108
  // of CG calls.
768
108
  const SourceManager &SM = C.getSourceManager();
769
108
  StringRef FilePath = SM.getFilename(SM.getSpellingLoc(Decl->getBeginLoc()));
770
108
  if (llvm::sys::path::filename(FilePath).startswith("CG")) {
771
0
    State = State->set<NullabilityMap>(Region, Nullability::Contradicted);
772
0
    C.addTransition(State);
773
0
    return;
774
0
  }
775
108
776
108
  const NullabilityState *TrackedNullability =
777
108
      State->get<NullabilityMap>(Region);
778
108
779
108
  if (!TrackedNullability &&
780
108
      
getNullabilityAnnotation(ReturnType) == Nullability::Nullable92
) {
781
56
    State = State->set<NullabilityMap>(Region, Nullability::Nullable);
782
56
    C.addTransition(State);
783
56
  }
784
108
}
785
786
static Nullability getReceiverNullability(const ObjCMethodCall &M,
787
103
                                          ProgramStateRef State) {
788
103
  if (M.isReceiverSelfOrSuper()) {
789
43
    // For super and super class receivers we assume that the receiver is
790
43
    // nonnull.
791
43
    return Nullability::Nonnull;
792
43
  }
793
60
  // Otherwise look up nullability in the state.
794
60
  SVal Receiver = M.getReceiverSVal();
795
60
  if (auto DefOrUnknown = Receiver.getAs<DefinedOrUnknownSVal>()) {
796
60
    // If the receiver is constrained to be nonnull, assume that it is nonnull
797
60
    // regardless of its type.
798
60
    NullConstraint Nullness = getNullConstraint(*DefOrUnknown, State);
799
60
    if (Nullness == NullConstraint::IsNotNull)
800
48
      return Nullability::Nonnull;
801
12
  }
802
12
  auto ValueRegionSVal = Receiver.getAs<loc::MemRegionVal>();
803
12
  if (ValueRegionSVal) {
804
0
    const MemRegion *SelfRegion = ValueRegionSVal->getRegion();
805
0
    assert(SelfRegion);
806
0
807
0
    const NullabilityState *TrackedSelfNullability =
808
0
        State->get<NullabilityMap>(SelfRegion);
809
0
    if (TrackedSelfNullability)
810
0
      return TrackedSelfNullability->getValue();
811
12
  }
812
12
  return Nullability::Unspecified;
813
12
}
814
815
/// Calculate the nullability of the result of a message expr based on the
816
/// nullability of the receiver, the nullability of the return value, and the
817
/// constraints.
818
void NullabilityChecker::checkPostObjCMessage(const ObjCMethodCall &M,
819
176
                                              CheckerContext &C) const {
820
176
  auto Decl = M.getDecl();
821
176
  if (!Decl)
822
0
    return;
823
176
  QualType RetType = Decl->getReturnType();
824
176
  if (!RetType->isAnyPointerType())
825
53
    return;
826
123
827
123
  ProgramStateRef State = C.getState();
828
123
  if (State->get<InvariantViolated>())
829
16
    return;
830
107
831
107
  const MemRegion *ReturnRegion = getTrackRegion(M.getReturnValue());
832
107
  if (!ReturnRegion)
833
4
    return;
834
103
835
103
  auto Interface = Decl->getClassInterface();
836
103
  auto Name = Interface ? 
Interface->getName()48
:
""55
;
837
103
  // In order to reduce the noise in the diagnostics generated by this checker,
838
103
  // some framework and programming style based heuristics are used. These
839
103
  // heuristics are for Cocoa APIs which have NS prefix.
840
103
  if (Name.startswith("NS")) {
841
0
    // Developers rely on dynamic invariants such as an item should be available
842
0
    // in a collection, or a collection is not empty often. Those invariants can
843
0
    // not be inferred by any static analysis tool. To not to bother the users
844
0
    // with too many false positives, every item retrieval function should be
845
0
    // ignored for collections. The instance methods of dictionaries in Cocoa
846
0
    // are either item retrieval related or not interesting nullability wise.
847
0
    // Using this fact, to keep the code easier to read just ignore the return
848
0
    // value of every instance method of dictionaries.
849
0
    if (M.isInstanceMessage() && Name.contains("Dictionary")) {
850
0
      State =
851
0
          State->set<NullabilityMap>(ReturnRegion, Nullability::Contradicted);
852
0
      C.addTransition(State);
853
0
      return;
854
0
    }
855
0
    // For similar reasons ignore some methods of Cocoa arrays.
856
0
    StringRef FirstSelectorSlot = M.getSelector().getNameForSlot(0);
857
0
    if (Name.contains("Array") &&
858
0
        (FirstSelectorSlot == "firstObject" ||
859
0
         FirstSelectorSlot == "lastObject")) {
860
0
      State =
861
0
          State->set<NullabilityMap>(ReturnRegion, Nullability::Contradicted);
862
0
      C.addTransition(State);
863
0
      return;
864
0
    }
865
0
866
0
    // Encoding related methods of string should not fail when lossless
867
0
    // encodings are used. Using lossless encodings is so frequent that ignoring
868
0
    // this class of methods reduced the emitted diagnostics by about 30% on
869
0
    // some projects (and all of that was false positives).
870
0
    if (Name.contains("String")) {
871
0
      for (auto Param : M.parameters()) {
872
0
        if (Param->getName() == "encoding") {
873
0
          State = State->set<NullabilityMap>(ReturnRegion,
874
0
                                             Nullability::Contradicted);
875
0
          C.addTransition(State);
876
0
          return;
877
0
        }
878
0
      }
879
0
    }
880
0
  }
881
103
882
103
  const ObjCMessageExpr *Message = M.getOriginExpr();
883
103
  Nullability SelfNullability = getReceiverNullability(M, State);
884
103
885
103
  const NullabilityState *NullabilityOfReturn =
886
103
      State->get<NullabilityMap>(ReturnRegion);
887
103
888
103
  if (NullabilityOfReturn) {
889
2
    // When we have a nullability tracked for the return value, the nullability
890
2
    // of the expression will be the most nullable of the receiver and the
891
2
    // return value.
892
2
    Nullability RetValTracked = NullabilityOfReturn->getValue();
893
2
    Nullability ComputedNullab =
894
2
        getMostNullable(RetValTracked, SelfNullability);
895
2
    if (ComputedNullab != RetValTracked &&
896
2
        
ComputedNullab != Nullability::Unspecified0
) {
897
0
      const Stmt *NullabilitySource =
898
0
          ComputedNullab == RetValTracked
899
0
              ? NullabilityOfReturn->getNullabilitySource()
900
0
              : Message->getInstanceReceiver();
901
0
      State = State->set<NullabilityMap>(
902
0
          ReturnRegion, NullabilityState(ComputedNullab, NullabilitySource));
903
0
      C.addTransition(State);
904
0
    }
905
2
    return;
906
2
  }
907
101
908
101
  // No tracked information. Use static type information for return value.
909
101
  Nullability RetNullability = getNullabilityAnnotation(RetType);
910
101
911
101
  // Properties might be computed. For this reason the static analyzer creates a
912
101
  // new symbol each time an unknown property  is read. To avoid false pozitives
913
101
  // do not treat unknown properties as nullable, even when they explicitly
914
101
  // marked nullable.
915
101
  if (M.getMessageKind() == OCM_PropertyAccess && 
!C.wasInlined0
)
916
0
    RetNullability = Nullability::Nonnull;
917
101
918
101
  Nullability ComputedNullab = getMostNullable(RetNullability, SelfNullability);
919
101
  if (ComputedNullab == Nullability::Nullable) {
920
16
    const Stmt *NullabilitySource = ComputedNullab == RetNullability
921
16
                                        ? Message
922
16
                                        : 
Message->getInstanceReceiver()0
;
923
16
    State = State->set<NullabilityMap>(
924
16
        ReturnRegion, NullabilityState(ComputedNullab, NullabilitySource));
925
16
    C.addTransition(State);
926
16
  }
927
101
}
928
929
/// Explicit casts are trusted. If there is a disagreement in the nullability
930
/// annotations in the destination and the source or '0' is casted to nonnull
931
/// track the value as having contraditory nullability. This will allow users to
932
/// suppress warnings.
933
void NullabilityChecker::checkPostStmt(const ExplicitCastExpr *CE,
934
98
                                       CheckerContext &C) const {
935
98
  QualType OriginType = CE->getSubExpr()->getType();
936
98
  QualType DestType = CE->getType();
937
98
  if (!OriginType->isAnyPointerType())
938
0
    return;
939
98
  if (!DestType->isAnyPointerType())
940
16
    return;
941
82
942
82
  ProgramStateRef State = C.getState();
943
82
  if (State->get<InvariantViolated>())
944
8
    return;
945
74
946
74
  Nullability DestNullability = getNullabilityAnnotation(DestType);
947
74
948
74
  // No explicit nullability in the destination type, so this cast does not
949
74
  // change the nullability.
950
74
  if (DestNullability == Nullability::Unspecified)
951
6
    return;
952
68
953
68
  auto RegionSVal = C.getSVal(CE).getAs<DefinedOrUnknownSVal>();
954
68
  const MemRegion *Region = getTrackRegion(*RegionSVal);
955
68
  if (!Region)
956
52
    return;
957
16
958
16
  // When 0 is converted to nonnull mark it as contradicted.
959
16
  if (DestNullability == Nullability::Nonnull) {
960
16
    NullConstraint Nullness = getNullConstraint(*RegionSVal, State);
961
16
    if (Nullness == NullConstraint::IsNull) {
962
0
      State = State->set<NullabilityMap>(Region, Nullability::Contradicted);
963
0
      C.addTransition(State);
964
0
      return;
965
0
    }
966
16
  }
967
16
968
16
  const NullabilityState *TrackedNullability =
969
16
      State->get<NullabilityMap>(Region);
970
16
971
16
  if (!TrackedNullability) {
972
0
    if (DestNullability != Nullability::Nullable)
973
0
      return;
974
0
    State = State->set<NullabilityMap>(Region,
975
0
                                       NullabilityState(DestNullability, CE));
976
0
    C.addTransition(State);
977
0
    return;
978
0
  }
979
16
980
16
  if (TrackedNullability->getValue() != DestNullability &&
981
16
      TrackedNullability->getValue() != Nullability::Contradicted) {
982
12
    State = State->set<NullabilityMap>(Region, Nullability::Contradicted);
983
12
    C.addTransition(State);
984
12
  }
985
16
}
986
987
/// For a given statement performing a bind, attempt to syntactically
988
/// match the expression resulting in the bound value.
989
368
static const Expr * matchValueExprForBind(const Stmt *S) {
990
368
  // For `x = e` the value expression is the right-hand side.
991
368
  if (auto *BinOp = dyn_cast<BinaryOperator>(S)) {
992
136
    if (BinOp->getOpcode() == BO_Assign)
993
136
      return BinOp->getRHS();
994
232
  }
995
232
996
232
  // For `int x = e` the value expression is the initializer.
997
232
  if (auto *DS = dyn_cast<DeclStmt>(S))  {
998
232
    if (DS->isSingleDecl()) {
999
232
      auto *VD = dyn_cast<VarDecl>(DS->getSingleDecl());
1000
232
      if (!VD)
1001
0
        return nullptr;
1002
232
1003
232
      if (const Expr *Init = VD->getInit())
1004
232
        return Init;
1005
0
    }
1006
232
  }
1007
0
1008
0
  return nullptr;
1009
0
}
1010
1011
/// Returns true if \param S is a DeclStmt for a local variable that
1012
/// ObjC automated reference counting initialized with zero.
1013
15
static bool isARCNilInitializedLocal(CheckerContext &C, const Stmt *S) {
1014
15
  // We suppress diagnostics for ARC zero-initialized _Nonnull locals. This
1015
15
  // prevents false positives when a _Nonnull local variable cannot be
1016
15
  // initialized with an initialization expression:
1017
15
  //    NSString * _Nonnull s; // no-warning
1018
15
  //    @autoreleasepool {
1019
15
  //      s = ...
1020
15
  //    }
1021
15
  //
1022
15
  // FIXME: We should treat implicitly zero-initialized _Nonnull locals as
1023
15
  // uninitialized in Sema's UninitializedValues analysis to warn when a use of
1024
15
  // the zero-initialized definition will unexpectedly yield nil.
1025
15
1026
15
  // Locals are only zero-initialized when automated reference counting
1027
15
  // is turned on.
1028
15
  if (!C.getASTContext().getLangOpts().ObjCAutoRefCount)
1029
7
    return false;
1030
8
1031
8
  auto *DS = dyn_cast<DeclStmt>(S);
1032
8
  if (!DS || 
!DS->isSingleDecl()4
)
1033
4
    return false;
1034
4
1035
4
  auto *VD = dyn_cast<VarDecl>(DS->getSingleDecl());
1036
4
  if (!VD)
1037
0
    return false;
1038
4
1039
4
  // Sema only zero-initializes locals with ObjCLifetimes.
1040
4
  if(!VD->getType().getQualifiers().hasObjCLifetime())
1041
2
    return false;
1042
2
1043
2
  const Expr *Init = VD->getInit();
1044
2
  assert(Init && "ObjC local under ARC without initializer");
1045
2
1046
2
  // Return false if the local is explicitly initialized (e.g., with '= nil').
1047
2
  if (!isa<ImplicitValueInitExpr>(Init))
1048
2
    return false;
1049
0
1050
0
  return true;
1051
0
}
1052
1053
/// Propagate the nullability information through binds and warn when nullable
1054
/// pointer or null symbol is assigned to a pointer with a nonnull type.
1055
void NullabilityChecker::checkBind(SVal L, SVal V, const Stmt *S,
1056
510
                                   CheckerContext &C) const {
1057
510
  const TypedValueRegion *TVR =
1058
510
      dyn_cast_or_null<TypedValueRegion>(L.getAsRegion());
1059
510
  if (!TVR)
1060
5
    return;
1061
505
1062
505
  QualType LocType = TVR->getValueType();
1063
505
  if (!LocType->isAnyPointerType())
1064
58
    return;
1065
447
1066
447
  ProgramStateRef State = C.getState();
1067
447
  if (State->get<InvariantViolated>())
1068
79
    return;
1069
368
1070
368
  auto ValDefOrUnknown = V.getAs<DefinedOrUnknownSVal>();
1071
368
  if (!ValDefOrUnknown)
1072
0
    return;
1073
368
1074
368
  NullConstraint RhsNullness = getNullConstraint(*ValDefOrUnknown, State);
1075
368
1076
368
  Nullability ValNullability = Nullability::Unspecified;
1077
368
  if (SymbolRef Sym = ValDefOrUnknown->getAsSymbol())
1078
225
    ValNullability = getNullabilityAnnotation(Sym->getType());
1079
368
1080
368
  Nullability LocNullability = getNullabilityAnnotation(LocType);
1081
368
1082
368
  // If the type of the RHS expression is nonnull, don't warn. This
1083
368
  // enables explicit suppression with a cast to nonnull.
1084
368
  Nullability ValueExprTypeLevelNullability = Nullability::Unspecified;
1085
368
  const Expr *ValueExpr = matchValueExprForBind(S);
1086
368
  if (ValueExpr) {
1087
368
    ValueExprTypeLevelNullability =
1088
368
      getNullabilityAnnotation(lookThroughImplicitCasts(ValueExpr)->getType());
1089
368
  }
1090
368
1091
368
  bool NullAssignedToNonNull = (LocNullability == Nullability::Nonnull &&
1092
368
                                
RhsNullness == NullConstraint::IsNull110
);
1093
368
  if (Filter.CheckNullPassedToNonnull &&
1094
368
      NullAssignedToNonNull &&
1095
368
      
ValNullability != Nullability::Nonnull33
&&
1096
368
      
ValueExprTypeLevelNullability != Nullability::Nonnull33
&&
1097
368
      
!isARCNilInitializedLocal(C, S)15
) {
1098
15
    static CheckerProgramPointTag Tag(this, "NullPassedToNonnull");
1099
15
    ExplodedNode *N = C.generateErrorNode(State, &Tag);
1100
15
    if (!N)
1101
0
      return;
1102
15
1103
15
1104
15
    const Stmt *ValueStmt = S;
1105
15
    if (ValueExpr)
1106
15
      ValueStmt = ValueExpr;
1107
15
1108
15
    SmallString<256> SBuf;
1109
15
    llvm::raw_svector_ostream OS(SBuf);
1110
15
    OS << (LocType->isObjCObjectPointerType() ? 
"nil"3
:
"Null"12
);
1111
15
    OS << " assigned to a pointer which is expected to have non-null value";
1112
15
    reportBugIfInvariantHolds(OS.str(),
1113
15
                              ErrorKind::NilAssignedToNonnull, N, nullptr, C,
1114
15
                              ValueStmt);
1115
15
    return;
1116
15
  }
1117
353
1118
353
  // If null was returned from a non-null function, mark the nullability
1119
353
  // invariant as violated even if the diagnostic was suppressed.
1120
353
  if (NullAssignedToNonNull) {
1121
18
    State = State->set<InvariantViolated>(true);
1122
18
    C.addTransition(State);
1123
18
    return;
1124
18
  }
1125
335
1126
335
  // Intentionally missing case: '0' is bound to a reference. It is handled by
1127
335
  // the DereferenceChecker.
1128
335
1129
335
  const MemRegion *ValueRegion = getTrackRegion(*ValDefOrUnknown);
1130
335
  if (!ValueRegion)
1131
114
    return;
1132
221
1133
221
  const NullabilityState *TrackedNullability =
1134
221
      State->get<NullabilityMap>(ValueRegion);
1135
221
1136
221
  if (TrackedNullability) {
1137
66
    if (RhsNullness == NullConstraint::IsNotNull ||
1138
66
        TrackedNullability->getValue() != Nullability::Nullable)
1139
4
      return;
1140
62
    if (Filter.CheckNullablePassedToNonnull &&
1141
62
        LocNullability == Nullability::Nonnull) {
1142
4
      static CheckerProgramPointTag Tag(this, "NullablePassedToNonnull");
1143
4
      ExplodedNode *N = C.addTransition(State, C.getPredecessor(), &Tag);
1144
4
      reportBugIfInvariantHolds("Nullable pointer is assigned to a pointer "
1145
4
                                "which is expected to have non-null value",
1146
4
                                ErrorKind::NullableAssignedToNonnull, N,
1147
4
                                ValueRegion, C);
1148
4
    }
1149
62
    return;
1150
62
  }
1151
155
1152
155
  const auto *BinOp = dyn_cast<BinaryOperator>(S);
1153
155
1154
155
  if (ValNullability == Nullability::Nullable) {
1155
8
    // Trust the static information of the value more than the static
1156
8
    // information on the location.
1157
8
    const Stmt *NullabilitySource = BinOp ? 
BinOp->getRHS()0
: S;
1158
8
    State = State->set<NullabilityMap>(
1159
8
        ValueRegion, NullabilityState(ValNullability, NullabilitySource));
1160
8
    C.addTransition(State);
1161
8
    return;
1162
8
  }
1163
147
1164
147
  if (LocNullability == Nullability::Nullable) {
1165
0
    const Stmt *NullabilitySource = BinOp ? BinOp->getLHS() : S;
1166
0
    State = State->set<NullabilityMap>(
1167
0
        ValueRegion, NullabilityState(LocNullability, NullabilitySource));
1168
0
    C.addTransition(State);
1169
0
  }
1170
147
}
1171
1172
void NullabilityChecker::printState(raw_ostream &Out, ProgramStateRef State,
1173
0
                                    const char *NL, const char *Sep) const {
1174
0
1175
0
  NullabilityMapTy B = State->get<NullabilityMap>();
1176
0
1177
0
  if (State->get<InvariantViolated>())
1178
0
    Out << Sep << NL
1179
0
        << "Nullability invariant was violated, warnings suppressed." << NL;
1180
0
1181
0
  if (B.isEmpty())
1182
0
    return;
1183
0
1184
0
  if (!State->get<InvariantViolated>())
1185
0
    Out << Sep << NL;
1186
0
1187
0
  for (NullabilityMapTy::iterator I = B.begin(), E = B.end(); I != E; ++I) {
1188
0
    Out << I->first << " : ";
1189
0
    I->second.print(Out);
1190
0
    Out << NL;
1191
0
  }
1192
0
}
1193
1194
23
void ento::registerNullabilityBase(CheckerManager &mgr) {
1195
23
  mgr.registerChecker<NullabilityChecker>();
1196
23
}
1197
1198
6
bool ento::shouldRegisterNullabilityBase(const LangOptions &LO) {
1199
6
  return true;
1200
6
}
1201
1202
#define REGISTER_CHECKER(name, trackingRequired)                               \
1203
81
  void ento::register##name##Checker(CheckerManager &mgr) {                    \
1204
81
    NullabilityChecker *checker = mgr.getChecker<NullabilityChecker>();        \
1205
81
    checker->Filter.Check##name = true;                                        \
1206
81
    checker->Filter.CheckName##name = mgr.getCurrentCheckName();               \
1207
81
    checker->NeedTracking = checker->NeedTracking || 
trackingRequired57
; \
1208
81
    checker->NoDiagnoseCallsToSystemHeaders =                                  \
1209
81
        checker->NoDiagnoseCallsToSystemHeaders ||                             \
1210
81
        mgr.getAnalyzerOptions().getCheckerBooleanOption(                      \
1211
72
                      checker, "NoDiagnoseCallsToSystemHeaders", true);        \
1212
81
  }                                                                            \
clang::ento::registerNullPassedToNonnullChecker(clang::ento::CheckerManager&)
Line
Count
Source
1203
22
  void ento::register##name##Checker(CheckerManager &mgr) {                    \
1204
22
    NullabilityChecker *checker = mgr.getChecker<NullabilityChecker>();        \
1205
22
    checker->Filter.Check##name = true;                                        \
1206
22
    checker->Filter.CheckName##name = mgr.getCurrentCheckName();               \
1207
22
    checker->NeedTracking = checker->NeedTracking || trackingRequired;         \
1208
22
    checker->NoDiagnoseCallsToSystemHeaders =                                  \
1209
22
        checker->NoDiagnoseCallsToSystemHeaders ||                             \
1210
22
        mgr.getAnalyzerOptions().getCheckerBooleanOption(                      \
1211
22
                      checker, "NoDiagnoseCallsToSystemHeaders", true);        \
1212
22
  }                                                                            \
clang::ento::registerNullReturnedFromNonnullChecker(clang::ento::CheckerManager&)
Line
Count
Source
1203
23
  void ento::register##name##Checker(CheckerManager &mgr) {                    \
1204
23
    NullabilityChecker *checker = mgr.getChecker<NullabilityChecker>();        \
1205
23
    checker->Filter.Check##name = true;                                        \
1206
23
    checker->Filter.CheckName##name = mgr.getCurrentCheckName();               \
1207
23
    checker->NeedTracking = checker->NeedTracking || trackingRequired;         \
1208
23
    checker->NoDiagnoseCallsToSystemHeaders =                                  \
1209
23
        checker->NoDiagnoseCallsToSystemHeaders ||                             \
1210
23
        mgr.getAnalyzerOptions().getCheckerBooleanOption(                      \
1211
20
                      checker, "NoDiagnoseCallsToSystemHeaders", true);        \
1212
23
  }                                                                            \
clang::ento::registerNullableDereferencedChecker(clang::ento::CheckerManager&)
Line
Count
Source
1203
12
  void ento::register##name##Checker(CheckerManager &mgr) {                    \
1204
12
    NullabilityChecker *checker = mgr.getChecker<NullabilityChecker>();        \
1205
12
    checker->Filter.Check##name = true;                                        \
1206
12
    checker->Filter.CheckName##name = mgr.getCurrentCheckName();               \
1207
12
    checker->NeedTracking = checker->NeedTracking || trackingRequired;         \
1208
12
    checker->NoDiagnoseCallsToSystemHeaders =                                  \
1209
12
        checker->NoDiagnoseCallsToSystemHeaders ||                             \
1210
12
        mgr.getAnalyzerOptions().getCheckerBooleanOption(                      \
1211
10
                      checker, "NoDiagnoseCallsToSystemHeaders", true);        \
1212
12
  }                                                                            \
clang::ento::registerNullablePassedToNonnullChecker(clang::ento::CheckerManager&)
Line
Count
Source
1203
12
  void ento::register##name##Checker(CheckerManager &mgr) {                    \
1204
12
    NullabilityChecker *checker = mgr.getChecker<NullabilityChecker>();        \
1205
12
    checker->Filter.Check##name = true;                                        \
1206
12
    checker->Filter.CheckName##name = mgr.getCurrentCheckName();               \
1207
12
    checker->NeedTracking = checker->NeedTracking || 
trackingRequired0
; \
1208
12
    checker->NoDiagnoseCallsToSystemHeaders =                                  \
1209
12
        checker->NoDiagnoseCallsToSystemHeaders ||                             \
1210
12
        mgr.getAnalyzerOptions().getCheckerBooleanOption(                      \
1211
10
                      checker, "NoDiagnoseCallsToSystemHeaders", true);        \
1212
12
  }                                                                            \
clang::ento::registerNullableReturnedFromNonnullChecker(clang::ento::CheckerManager&)
Line
Count
Source
1203
12
  void ento::register##name##Checker(CheckerManager &mgr) {                    \
1204
12
    NullabilityChecker *checker = mgr.getChecker<NullabilityChecker>();        \
1205
12
    checker->Filter.Check##name = true;                                        \
1206
12
    checker->Filter.CheckName##name = mgr.getCurrentCheckName();               \
1207
12
    checker->NeedTracking = checker->NeedTracking || 
trackingRequired0
; \
1208
12
    checker->NoDiagnoseCallsToSystemHeaders =                                  \
1209
12
        checker->NoDiagnoseCallsToSystemHeaders ||                             \
1210
12
        mgr.getAnalyzerOptions().getCheckerBooleanOption(                      \
1211
10
                      checker, "NoDiagnoseCallsToSystemHeaders", true);        \
1212
12
  }                                                                            \
1213
                                                                               \
1214
81
  bool ento::shouldRegister##name##Checker(const LangOptions &LO) {            \
1215
81
    return true;                                                               \
1216
81
  }
clang::ento::shouldRegisterNullPassedToNonnullChecker(clang::LangOptions const&)
Line
Count
Source
1214
22
  bool ento::shouldRegister##name##Checker(const LangOptions &LO) {            \
1215
22
    return true;                                                               \
1216
22
  }
clang::ento::shouldRegisterNullReturnedFromNonnullChecker(clang::LangOptions const&)
Line
Count
Source
1214
23
  bool ento::shouldRegister##name##Checker(const LangOptions &LO) {            \
1215
23
    return true;                                                               \
1216
23
  }
clang::ento::shouldRegisterNullableDereferencedChecker(clang::LangOptions const&)
Line
Count
Source
1214
12
  bool ento::shouldRegister##name##Checker(const LangOptions &LO) {            \
1215
12
    return true;                                                               \
1216
12
  }
clang::ento::shouldRegisterNullablePassedToNonnullChecker(clang::LangOptions const&)
Line
Count
Source
1214
12
  bool ento::shouldRegister##name##Checker(const LangOptions &LO) {            \
1215
12
    return true;                                                               \
1216
12
  }
clang::ento::shouldRegisterNullableReturnedFromNonnullChecker(clang::LangOptions const&)
Line
Count
Source
1214
12
  bool ento::shouldRegister##name##Checker(const LangOptions &LO) {            \
1215
12
    return true;                                                               \
1216
12
  }
1217
1218
// The checks are likely to be turned on by default and it is possible to do
1219
// them without tracking any nullability related information. As an optimization
1220
// no nullability information will be tracked when only these two checks are
1221
// enables.
1222
REGISTER_CHECKER(NullPassedToNonnull, false)
1223
REGISTER_CHECKER(NullReturnedFromNonnull, false)
1224
1225
REGISTER_CHECKER(NullableDereferenced, true)
1226
REGISTER_CHECKER(NullablePassedToNonnull, true)
1227
REGISTER_CHECKER(NullableReturnedFromNonnull, true)