[analyzer] Refine the diagnostics in the nullability checker to differentiate between nil and null

This is a big deal for ObjC, where nullability annotations are extensively
used. I've also changed

[analyzer] Refine the diagnostics in the nullability checker to differentiate between nil and null

This is a big deal for ObjC, where nullability annotations are extensively
used. I've also changed "Null" -> "null" and removed "is" as this is the
pattern that Sema is using.

Differential Revision: https://reviews.llvm.org/D27600

llvm-svn: 289885

show more ...

[analyzer] Fix typo in nullability checker diagnostic

'infered' --> 'inferred'

llvm-svn: 288922

[analyzer] Fix crash in NullabilityChecker calling block with too few arguments

Fix a crash when checking parameter nullability on a block invocation
with fewer arguments than the block declaration

[analyzer] Fix crash in NullabilityChecker calling block with too few arguments

Fix a crash when checking parameter nullability on a block invocation
with fewer arguments than the block declaration requires.

rdar://problem/29237566

llvm-svn: 286901

show more ...

[analyzer] Small cleanups when checkers retrieving statements from exploded
nodes.

Differential Revision: https://reviews.llvm.org/D23550

llvm-svn: 279037

[analyzer] Nullability: Suppress diagnostic on bind with cast.

Update the nullability checker to allow an explicit cast to nonnull to
suppress a warning on an assignment of nil to a nonnull:

id _No

[analyzer] Nullability: Suppress diagnostic on bind with cast.

Update the nullability checker to allow an explicit cast to nonnull to
suppress a warning on an assignment of nil to a nonnull:

id _Nonnull x = (id _Nonnull)nil; // no-warning

This suppression as already possible for diagnostics on returns and
function/method arguments.

rdar://problem/25381178

llvm-svn: 266219

show more ...

[analyzer] Nullability: Treat nil _Nonnull ivar as invariant violation.

Treat a _Nonnull ivar that is nil as an invariant violation in a similar
fashion to how a nil _Nonnull parameter is treated as

[analyzer] Nullability: Treat nil _Nonnull ivar as invariant violation.

Treat a _Nonnull ivar that is nil as an invariant violation in a similar
fashion to how a nil _Nonnull parameter is treated as a precondition violation.

This avoids warning on defensive returns of nil on defensive internal
checks, such as the following common idiom:

@class InternalImplementation
@interface PublicClass {
InternalImplementation * _Nonnull _internal;
}
-(id _Nonnull)foo;
@end

@implementation PublicClass
-(id _Nonnull)foo {
if (!_internal)
return nil; // no-warning

return [_internal foo];
}
@end

rdar://problem/24485171

llvm-svn: 266157

show more ...

[analyzer] Nullability: Suppress return diagnostics in inlined functions.

The nullability checker can sometimes miss detecting nullability precondition
violations in inlined functions because the bi

[analyzer] Nullability: Suppress return diagnostics in inlined functions.

The nullability checker can sometimes miss detecting nullability precondition
violations in inlined functions because the binding for the parameter
that violated the precondition becomes dead before the return:

int * _Nonnull callee(int * _Nonnull p2) {
if (!p2)
// p2 becomes dead here, so binding removed.
return 0; // warning here because value stored in p2 is symbolic.
else
return p2;
}

int *caller(int * _Nonnull p1) {
return callee(p1);
}

The fix, which is quite blunt, is to not warn about null returns in inlined
methods/functions. This won’t lose much coverage for ObjC because the analyzer
always analyzes each ObjC method at the top level in addition to inlined. It
*will* lose coverage for C — but there aren’t that many codebases with C
nullability annotations.

rdar://problem/25615050

llvm-svn: 266109

show more ...

[analyzer] Nullability: Don't warn along paths where null returned from non-null.

Change the nullability checker to not warn along paths where null is returned from
a method with a non-null return t

[analyzer] Nullability: Don't warn along paths where null returned from non-null.

Change the nullability checker to not warn along paths where null is returned from
a method with a non-null return type, even when the diagnostic for this return
has been suppressed. This prevents warning from methods with non-null return types
that inline methods that themselves return nil but that suppressed the diagnostic.

Also change the PreconditionViolated state component to be called "InvariantViolated"
because it is set when a post-condition is violated, as well.

rdar://problem/25393539

llvm-svn: 264647

show more ...

[analyzer] Nullability: add option to not report on calls to system headers.

Add an -analyzer-config 'nullability:NoDiagnoseCallsToSystemHeaders' option to
the nullability checker. When enabled, thi

[analyzer] Nullability: add option to not report on calls to system headers.

Add an -analyzer-config 'nullability:NoDiagnoseCallsToSystemHeaders' option to
the nullability checker. When enabled, this option causes the analyzer to not
report about passing null/nullable values to functions and methods declared
in system headers.

This option is motivated by the observation that large projects may have many
nullability warnings. These projects may find warnings about nullability
annotations that they have explicitly added themselves higher priority to fix
than warnings on calls to system libraries.

llvm-svn: 262763

show more ...

[analyzer] Improve Nullability checker diagnostics

- Include the position of the argument on which the nullability is violated
- Differentiate between a 'method' and a 'function' in the message word

[analyzer] Improve Nullability checker diagnostics

- Include the position of the argument on which the nullability is violated
- Differentiate between a 'method' and a 'function' in the message wording
- Test for the error message text in the tests
- Fix a bug with setting 'IsDirectDereference' which resulted in regular dereferences assumed to have call context.

llvm-svn: 259221

show more ...

[analyzer] NullabilityChecker: Remove unused isReturnSelf() function.

Remove the now-unused isReturnSelf() function so we don't get a compiler
warning. Apologies for not doing this in r259099.

llvm

[analyzer] NullabilityChecker: Remove unused isReturnSelf() function.

Remove the now-unused isReturnSelf() function so we don't get a compiler
warning. Apologies for not doing this in r259099.

llvm-svn: 259118

show more ...

[analyzer] Suppress nullability warnings in copy, mutableCopy, and init families.

There are multiple, common idioms of defensive nil-checks in copy,
mutableCopy, and init methods in ObjC. The analyz

[analyzer] Suppress nullability warnings in copy, mutableCopy, and init families.

There are multiple, common idioms of defensive nil-checks in copy,
mutableCopy, and init methods in ObjC. The analyzer doesn't currently have the
capability to distinguish these idioms from true positives, so suppress all
warnings about returns in those families. This is a pretty blunt suppression
that we should improve later.

rdar://problem/24395811

llvm-svn: 259099

show more ...

[analyzer] Suppress nullability warning for defensive super initializer idiom.

A common idiom in Objective-C initializers is for a defensive nil-check on the
result of a call to a super initializer:

[analyzer] Suppress nullability warning for defensive super initializer idiom.

A common idiom in Objective-C initializers is for a defensive nil-check on the
result of a call to a super initializer:
if (self = [super init]) {
...
}
return self;

To avoid warning on this idiom, the nullability checker now suppress diagnostics
for returns of nil on syntactic 'return self' even in initializers with non-null
return types.

llvm-svn: 258461

show more ...

[analyzer] Nullability: Look through implicit casts when suppressing warnings on return.

In r256567 I changed the nullability checker to suppress warnings about returning a null
value from a functio

[analyzer] Nullability: Look through implicit casts when suppressing warnings on return.

In r256567 I changed the nullability checker to suppress warnings about returning a null
value from a function/method with a non-null return type when the type of the returned
expression is itself nonnull. This enables the programmer to silence nullability warnings
by casting to _Nonnull:

return (SomeObject * _Nonnull)nil;

Unfortunately, under ObjC automated reference counting, Sema adds implicit casts to
_Nonnull to return expressions of nullable or unspecified types in functions with
non-null function/method return types. With r256567, these casts cause all nullability
warnings for returns of reference-counted types to be suppressed under ARC, leading to
false negatives.

This commit updates the nullability checker to look through implicit casts before
determining the type of the returned expression. It also updates the tests to turn on
ARC for the nullability_nullonly.mm testfile and adds a new testfile to test when ARC
is turned off.

rdar://problem/24200117

llvm-svn: 258061

show more ...

[analyzer] Check for return of nil in ObjC methods with nonnull return type.

Update NullabilityChecker so that it checks return statements in ObjC methods.
Previously it was returning early because

[analyzer] Check for return of nil in ObjC methods with nonnull return type.

Update NullabilityChecker so that it checks return statements in ObjC methods.
Previously it was returning early because methods do not have a function type.

Also update detection of violated parameter _Nonnull preconditions to handle
ObjC methods.

rdar://problem/24200560

llvm-svn: 257938

show more ...

[analyzer] Suppress nullability warning for _Nonnull locals zero-initialized by ObjC ARC.

Prevent the analyzer from warning when a _Nonnnull local variable is implicitly
zero-initialized because of

[analyzer] Suppress nullability warning for _Nonnull locals zero-initialized by ObjC ARC.

Prevent the analyzer from warning when a _Nonnnull local variable is implicitly
zero-initialized because of Objective-C automated reference counting. This avoids false
positives in cases where a _Nonnull local variable cannot be initialized with an
initialization expression, such as:
NSString * _Nonnull s; // no-warning
@autoreleasepool {
s = ...;
}

The nullability checker will still warn when a _Nonnull local variable is explicitly
initialized with nil.

This suppression introduces the potential for false negatives if the local variable
is used before it is assigned a _Nonnull value. Based on a discussion with Anna Zaks,
Jordan Rose, and John McCall, I've added a FIXME to treat implicitly zero-initialized
_Nonnull locals as uninitialized in Sema's UninitializedValues analysis to avoid these
false negatives.

rdar://problem/23522311

llvm-svn: 256603

show more ...

[analyzer] Nullability: allow cast to _Nonnull to suppress warning about returning nil.

The nullability checker currently allows casts to suppress warnings when a nil
literal is passed as an argumen

[analyzer] Nullability: allow cast to _Nonnull to suppress warning about returning nil.

The nullability checker currently allows casts to suppress warnings when a nil
literal is passed as an argument to a parameter annotated as _Nonnull:

foo((NSString * _Nonnull)nil); // no-warning

It does so by suppressing the diagnostic when the *type* of the argument expression
is _Nonnull -- even when the symbolic value returned is known to be nil.

This commit updates the nullability checker to similarly honor such casts in the analogous
scenario when nil is returned from a function with a _Nonnull return type:

return (NSString * _Nonnull)nil; // no-warning

This commit also normalizes variable naming between the parameter and return cases and
adds several tests demonstrating the limitations of this suppression mechanism (such as
when nil is cast to _Nonnull and then stored into a local variable without a nullability
qualifier). These tests are marked with FIXMEs.

rdar://problem/23176782

llvm-svn: 256567

show more ...

[analyzer] Pass value expression for inlined defensive checks when binding null to nonnull.

The nullability checker was not suppressing false positives resulting from
inlined defensive checks when n

[analyzer] Pass value expression for inlined defensive checks when binding null to nonnull.

The nullability checker was not suppressing false positives resulting from
inlined defensive checks when null was bound to a nonnull variable because it
was passing the entire bind statement rather than the value expression to
trackNullOrUndefValue().

This commit changes that checker to synactically match on the bind statement to
extract the value expression so it can be passed to trackNullOrUndefValue().

rdar://problem/23575439

llvm-svn: 254007

show more ...

[analyzer] Add generateErrorNode() APIs to CheckerContext.

The analyzer trims unnecessary nodes from the exploded graph before reporting
path diagnostics. However, in some cases it can trim all node

[analyzer] Add generateErrorNode() APIs to CheckerContext.

The analyzer trims unnecessary nodes from the exploded graph before reporting
path diagnostics. However, in some cases it can trim all nodes (including the
error node), leading to an assertion failure (see
https://llvm.org/bugs/show_bug.cgi?id=24184).

This commit addresses the issue by adding two new APIs to CheckerContext to
explicitly create error nodes. Unless the client provides a custom tag, these
APIs tag the node with the checker's tag -- preventing it from being trimmed.
The generateErrorNode() method creates a sink error node, while
generateNonFatalErrorNode() creates an error node for a path that should
continue being explored.

The intent is that one of these two methods should be used whenever a checker
creates an error node.

This commit updates the checkers to use these APIs. These APIs
(unlike addTransition() and generateSink()) do not take an explicit Pred node.
This is because there are not any error nodes in the checkers that were created
with an explicit different than the default (the CheckerContext's Pred node).

It also changes generateSink() to require state and pred nodes (previously
these were optional) to reduce confusion.

Additionally, there were several cases where checkers did check whether a
generated node could be null; we now explicitly check for null in these places.

This commit also includes a test case written by Ying Yi as part of
http://reviews.llvm.org/D12163 (that patch originally addressed this issue but
was reverted because it introduced false positive regressions).

Differential Revision: http://reviews.llvm.org/D12780

llvm-svn: 247859

show more ...

[Static Analyzer] Nullability checker optimization.

Differential Revision: http://reviews.llvm.org/D12848

llvm-svn: 247612

[Static Analyzer] Moving nullability checkers to a top level package.

Differential Revision: http://reviews.llvm.org/D12852

llvm-svn: 247590

[Static Analyzer] Fixed a typo in a diagnostic message.

llvm-svn: 247444

[Static Analyzer] Minor cleanups for the nullability checker.

Differential Revision: http://reviews.llvm.org/D12619

llvm-svn: 247423

[Static Analyzer] Remove sinks from nullability checks.

Differential Revision: http://reviews.llvm.org/D12445

llvm-svn: 246818

[Static Analyzer] Make NonNullParamChecker emit implicit null dereference events.

Differential Revision: http://reviews.llvm.org/D11433

llvm-svn: 246182